* [bitcoin-dev] Drivechain -- Request for Discussion @ 2017-05-22 6:17 Paul Sztorc 2017-05-22 13:33 ` Peter Todd ` (2 more replies) 0 siblings, 3 replies; 43+ messages in thread From: Paul Sztorc @ 2017-05-22 6:17 UTC (permalink / raw) To: Bitcoin Dev Dear list, I've been working on "drivechain", a sidechain enabling technology, for some time. * The technical info site is here: www.drivechain.info * The changes to Bitcoin are here: https://github.com/drivechain-project/bitcoin/tree/mainchainBMM * A Blank sidechain template is here: https://github.com/drivechain-project/bitcoin/tree/sidechainBMM As many of you know, I've been seeking feedback in person, at various conferences and meetups over the past year, most prominently Scaling Milan. And I intend to continue to seek feedback at Consensus2017 this week, so if you are in NYC please just walk up and start talking to me! But I also wanted to ask the list for feedback. Initially, I was hesitant because I try not to consume reviewers' scarce time until the author has put in a serious effort. However, I may have waiting too long, as today it is actually quite close to a working release. Scaling Implications --------------------- This upgrade would have significant scaling implications. Since it is the case that sidechains can be added by soft fork, and since each of these chains will have its own blockspace, this theoretically removes the blocksize limit from "the Bitcoin system" (if one includes sidechains as part of such a system). People who want a LargeBlock bitcoin can just move their BTC over to such a network [1], and their txns will have no longer have an impact on "Bitcoin Core". Thus, even though this upgrade does not actually increase "scalability" per se, it may in fact put an end to the scalability debate...forever. This work includes the relatively new concept of "Blind Merged Mining" [2] which I developed in January to allow SHA256^2 miners to merge-mine these "drivechains", even if these miners aren't running the actual sidechain software. The goal is to prevent sidechains from affecting the levelness of the mining "playing field". BMM is conceptually similar to ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not required for drivechain, but it would address some of the last remaining concerns. Total Transaction Fees in the Far Future ----------------------------------------- Some people feel that a maximum blocksize limit is needed to ensure that future total equilibrium transaction fees are non-negligible. I presented [4] on why I don't agree, 8 months ago. The reviewers I spoke to over the last year have stopped bringing this complaint up, but I am not sure everyone feels that way. Juxtaposition with a recent "Scaling Compromise" ------------------------------------------------- Recently, a scalability proposal began to circulate on social media. As far as I could tell, it goes something like "immediately activate SegWit, and then HF to double the nonwitness blockspace to 2MB within 12 months". But such a proposal is quite meager, compared to a "LargeBlock Drivechain". The drivechain is better on both fronts, as it would not require a hardfork, and could *almost immediately* add _any_ amount of extra blockspace (specifically, I might expect a BIP101-like LargeBlock chain that has an 8 MB maxblocksize, which doubles every two years). In other words, I don't know why anyone would support that proposal over mine. The only reasons would be either ignorance (ie, unfamiliarity with drivechain) or because there are still nagging unspoken complaints about drivechain which I apparently need to hear and address. Other Thoughts --------------- Unfortunately, anyone who worked on the "first generation" of sidechain technology (the skiplist) or the "second generation" (federated / Liquid), will find that this is very different. I will admit that I am very pessimistic about any conversation that involves scalability. It is often said that "talking politics lowers your IQ by 25 points". Bitcoin scalability conversations seem to drain 50 points. (Instead of conversing, I think people should quietly work on whatever they are passionate about until their problem either is solved, or it goes away for some other reason, or until we all agree to just stop talking about it.) Cheers, Paul [1] http://www.drivechain.info/faq/#can-sidechains-really-help-with-scaling [2] http://www.truthcoin.info/blog/blind-merged-mining/ [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log [4] https://www.youtube.com/watch?v=YErLEuOi3xU&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=4 ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 6:17 [bitcoin-dev] Drivechain -- Request for Discussion Paul Sztorc @ 2017-05-22 13:33 ` Peter Todd 2017-05-22 15:30 ` Paul Sztorc 2017-05-22 14:39 ` ZmnSCPxj 2017-06-10 17:04 ` [bitcoin-dev] Drivechain RfD -- Follow Up Paul Sztorc 2 siblings, 1 reply; 43+ messages in thread From: Peter Todd @ 2017-05-22 13:33 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1741 bytes --] On Mon, May 22, 2017 at 02:17:07AM -0400, Paul Sztorc via bitcoin-dev wrote: > This work includes the relatively new concept of "Blind Merged Mining" > [2] which I developed in January to allow SHA256^2 miners to merge-mine > these "drivechains", even if these miners aren't running the actual > sidechain software. The goal is to prevent sidechains from affecting the > levelness of the mining "playing field". BMM is conceptually similar to > ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not > required for drivechain, but it would address some of the last remaining > concerns. Thanks for the credit, although I think the security properties of what you're proposing are very different - and much weaker - than what I proposed in Zookeyv. As you state in [2] "if miners never validate sidechains at all, whoever bids the most for the chain (on a continuous basis), can spam a 3-month long stream of invalid headers, and then withdraw all of the coins deposited to the sidechain." and "Since the mining is blind, and the sidechain-withdrawal security-level is SPV, miners who remain blind forever have no way of telling who “should” really get the funds." Finally, you suggest that in this event, miners *do* have to upgrade to a full node, an expensive and time-consuming operation (and one that may be impossible for some miners if necessary data isn't available). It's unclear to me what the incentive is for miners to do any of this. Could you explain in more detail what that incentive is? > [2] http://www.truthcoin.info/blog/blind-merged-mining/ > [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log -- https://petertodd.org 'peter'[:-1]@petertodd.org [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 13:33 ` Peter Todd @ 2017-05-22 15:30 ` Paul Sztorc 2017-05-28 21:07 ` Peter Todd 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-05-22 15:30 UTC (permalink / raw) To: Peter Todd; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3749 bytes --] Charlie, I'll be mostly in the tech track, of course. And I've already planned to meet RSK guys after their event tomorrow. Ryan, the more review the better. We aren't in any direct rush, other than the natural desire to have cool things as early as possible. Peter, responses below: On May 22, 2017 9:33 AM, "Peter Todd" <pete@petertodd•org> wrote: On Mon, May 22, 2017 at 02:17:07AM -0400, Paul Sztorc via bitcoin-dev wrote: > This work includes the relatively new concept of "Blind Merged Mining" > [2] which I developed in January to allow SHA256^2 miners to merge-mine > these "drivechains", even if these miners aren't running the actual > sidechain software. The goal is to prevent sidechains from affecting the > levelness of the mining "playing field". BMM is conceptually similar to > ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not > required for drivechain, but it would address some of the last remaining > concerns. Thanks for the credit, although I think the security properties of what you're proposing are very different - and much weaker - than what I proposed in Zookeyv. As you state in [2] "if miners never validate sidechains at all, whoever bids the most for the chain (on a continuous basis), can spam a 3-month long stream of invalid headers, and then withdraw all of the coins deposited to the sidechain." and "Since the mining is blind, and the sidechain-withdrawal security-level is SPV, miners who remain blind forever have no way of telling who “should” really get the funds." Finally, you suggest that in this event, miners *do* have to upgrade to a full node, an expensive and time-consuming operation (and one that may be impossible for some miners if necessary data isn't available). Surprisingly, this requirement (or, more precisely, this incentive) does not effect miners relative to each other. The incentive to upgrade is only for the purpose of preventing a "theft" -- defined as: an improper withdrawal from a sidechain. It is not about miner revenues or the ability to mine generally (or conduct BMM specifically). The costs of such a theft (decrease in market price, decrease in future transaction fee levels) would be shared collectively by all future miners. Therefore, it would have no effect on miners relative to each other. Moreover, miners have other recourse if they are unable to run the node. They can adopt a policy of simply rejecting ("downvoting") any withdrawals that they don't understand. This would pause the withdraw process until enough miners understand enough of what is going on to proceed with it. Finally, the point in dispute is a single, infrequent, true/false question. So miners may resort to semi-trusted methods to supplement their decision. In other words, they can just ask people they trust, if the withdrawal is correct or not. It is up to users to decide if they are comfortable with these risks, if/when they decide to deposit to a sidechain. It's unclear to me what the incentive is for miners to do any of this. Could you explain in more detail what that incentive is? It is a matter of comparing the costs and benefits. Ignoring theft, the costs are near-zero, and the benefits are >0. Specifically, they are: a higher BTC price and greater transaction fees. Theft is discouraged by attempting to tie a theft to a loss of confidence in the miners, as described in the spec/website. In general the incentives are very similar to those of Bitcoin itself. Paul > [2] http://www.truthcoin.info/blog/blind-merged-mining/ > [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log -- https://petertodd.org 'peter'[:-1]@petertodd.org [-- Attachment #2: Type: text/html, Size: 5724 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 15:30 ` Paul Sztorc @ 2017-05-28 21:07 ` Peter Todd [not found] ` <CAJowKgJjNaoWVc=QXfOqH3OdBPoKm3qkfUNpKV6oKLSRx_fD0g@mail.gmail.com> 2017-05-30 5:11 ` Paul Sztorc 0 siblings, 2 replies; 43+ messages in thread From: Peter Todd @ 2017-05-28 21:07 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3494 bytes --] On Mon, May 22, 2017 at 05:30:46PM +0200, Paul Sztorc wrote: > Surprisingly, this requirement (or, more precisely, this incentive) does > not effect miners relative to each other. The incentive to upgrade is only > for the purpose of preventing a "theft" -- defined as: an improper > withdrawal from a sidechain. It is not about miner revenues or the ability > to mine generally (or conduct BMM specifically). The costs of such a theft > (decrease in market price, decrease in future transaction fee levels) would > be shared collectively by all future miners. Therefore, it would have no > effect on miners relative to each other. That's not at all true. If I'm a miner with a better capability than another miner to prevent that theft, I have reasons to induce it to happen to give me political cover to pushing that other miner off the network. This is a very similar problem to what we had with zeroconf double-spending, where entities such as Coinbase tried to pay off miners to guarantee something that wasn't possible in a geninely decrentralized system: safe zeroconf transactions. > Moreover, miners have other recourse if they are unable to run the node. > They can adopt a policy of simply rejecting ("downvoting") any withdrawals > that they don't understand. This would pause the withdraw process until > enough miners understand enough of what is going on to proceed with it. Why are you forcing miners to run this code at all? Equally, you're opening up miners to huge political risks, as rejecting all withdrawals is preventing users' from getting their money, which gives other miners a rational for kicking those miners off of Bitcoin entirely. > Finally, the point in dispute is a single, infrequent, true/false question. > So miners may resort to semi-trusted methods to supplement their decision. > In other words, they can just ask people they trust, if the withdrawal is > correct or not. It is up to users to decide if they are comfortable with > these risks, if/when they decide to deposit to a sidechain. Why do you think this will be infrequent? Miners with a better ability to validate the drivechain have every reason to make these events more frequent. > It is a matter of comparing the costs and benefits. Ignoring theft, the > costs are near-zero, and the benefits are >0. Specifically, they are: a > higher BTC price and greater transaction fees. Theft is discouraged by > attempting to tie a theft to a loss of confidence in the miners, as > described in the spec/website. > In general the incentives are very similar to those of Bitcoin itself. This is also a very dubious security model - I would argue that Bitcoin is much *more* valuable if miners do everything they can to ensure that drivechains fail, given the huge risks involved. I would also argue that users should do user-activated-soft-forks to ensure they fail. By comparison, note Adam Back and my own efforts to ensure miners have a smaller part in the ecosystem, with things like committed (encrypted) transactions and my closed-seal-set/truth-list approach(1). We want to involve miners as little as possible in the consensus, not more. I have to ask: What use-cases do you actually see for drivechains? Why can't those use-cases be done in the much safer client-side validation fashion? 1) https://petertodd.org/2016/closed-seal-sets-and-truth-lists-for-privacy -- https://petertodd.org 'peter'[:-1]@petertodd.org [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
[parent not found: <CAJowKgJjNaoWVc=QXfOqH3OdBPoKm3qkfUNpKV6oKLSRx_fD0g@mail.gmail.com>]
[parent not found: <CAJowKgKFMXDE-yzEqYkY7c+80Mgn+iL9ZRNJbv9WhUBR32EvRg@mail.gmail.com>]
* Re: [bitcoin-dev] Drivechain -- Request for Discussion [not found] ` <CAJowKgKFMXDE-yzEqYkY7c+80Mgn+iL9ZRNJbv9WhUBR32EvRg@mail.gmail.com> @ 2017-05-29 5:54 ` Erik Aronesty 0 siblings, 0 replies; 43+ messages in thread From: Erik Aronesty @ 2017-05-29 5:54 UTC (permalink / raw) To: Peter Todd; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 3964 bytes --] Seems to me an obvious use case for drive chains are to have high speed small transactions on a side chain, eventually cleared to the main chain. Not sure why miners would want this to fail any more than any other side chain, like Liquid or lightning. On May 28, 2017 5:23 PM, "Peter Todd via bitcoin-dev" < bitcoin-dev@lists•linuxfoundation.org> wrote: On Mon, May 22, 2017 at 05:30:46PM +0200, Paul Sztorc wrote: > Surprisingly, this requirement (or, more precisely, this incentive) does > not effect miners relative to each other. The incentive to upgrade is only > for the purpose of preventing a "theft" -- defined as: an improper > withdrawal from a sidechain. It is not about miner revenues or the ability > to mine generally (or conduct BMM specifically). The costs of such a theft > (decrease in market price, decrease in future transaction fee levels) would > be shared collectively by all future miners. Therefore, it would have no > effect on miners relative to each other. That's not at all true. If I'm a miner with a better capability than another miner to prevent that theft, I have reasons to induce it to happen to give me political cover to pushing that other miner off the network. This is a very similar problem to what we had with zeroconf double-spending, where entities such as Coinbase tried to pay off miners to guarantee something that wasn't possible in a geninely decrentralized system: safe zeroconf transactions. > Moreover, miners have other recourse if they are unable to run the node. > They can adopt a policy of simply rejecting ("downvoting") any withdrawals > that they don't understand. This would pause the withdraw process until > enough miners understand enough of what is going on to proceed with it. Why are you forcing miners to run this code at all? Equally, you're opening up miners to huge political risks, as rejecting all withdrawals is preventing users' from getting their money, which gives other miners a rational for kicking those miners off of Bitcoin entirely. > Finally, the point in dispute is a single, infrequent, true/false question. > So miners may resort to semi-trusted methods to supplement their decision. > In other words, they can just ask people they trust, if the withdrawal is > correct or not. It is up to users to decide if they are comfortable with > these risks, if/when they decide to deposit to a sidechain. Why do you think this will be infrequent? Miners with a better ability to validate the drivechain have every reason to make these events more frequent. > It is a matter of comparing the costs and benefits. Ignoring theft, the > costs are near-zero, and the benefits are >0. Specifically, they are: a > higher BTC price and greater transaction fees. Theft is discouraged by > attempting to tie a theft to a loss of confidence in the miners, as > described in the spec/website. > In general the incentives are very similar to those of Bitcoin itself. This is also a very dubious security model - I would argue that Bitcoin is much *more* valuable if miners do everything they can to ensure that drivechains fail, given the huge risks involved. I would also argue that users should do user-activated-soft-forks to ensure they fail. By comparison, note Adam Back and my own efforts to ensure miners have a smaller part in the ecosystem, with things like committed (encrypted) transactions and my closed-seal-set/truth-list approach(1). We want to involve miners as little as possible in the consensus, not more. I have to ask: What use-cases do you actually see for drivechains? Why can't those use-cases be done in the much safer client-side validation fashion? 1) https://petertodd.org/2016/closed-seal-sets-and-truth-lists-for-privacy -- https://petertodd.org 'peter'[:-1]@petertodd.org _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists•linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev [-- Attachment #2: Type: text/html, Size: 5436 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-28 21:07 ` Peter Todd [not found] ` <CAJowKgJjNaoWVc=QXfOqH3OdBPoKm3qkfUNpKV6oKLSRx_fD0g@mail.gmail.com> @ 2017-05-30 5:11 ` Paul Sztorc 2017-06-09 21:54 ` Sergio Demian Lerner 1 sibling, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-05-30 5:11 UTC (permalink / raw) To: Peter Todd; +Cc: Bitcoin Dev Hi Peter, Responses below. On 5/28/2017 5:07 PM, Peter Todd wrote: > On Mon, May 22, 2017 at 05:30:46PM +0200, Paul Sztorc wrote: >> Surprisingly, this requirement (or, more precisely, this incentive) does >> not effect miners relative to each other. The incentive to upgrade is only >> for the purpose of preventing a "theft" -- defined as: an improper >> withdrawal from a sidechain. It is not about miner revenues or the ability >> to mine generally (or conduct BMM specifically). The costs of such a theft >> (decrease in market price, decrease in future transaction fee levels) would >> be shared collectively by all future miners. Therefore, it would have no >> effect on miners relative to each other. > > That's not at all true. If I'm a miner with a better capability than another > miner to prevent that theft, I have reasons to induce it to happen to give me > political cover to pushing that other miner off the network. Miners can abstain from 'voting', which is politically neutral. Or, if they wish, smaller miners could acquiesce to the coercion and just copy the votes of the attacking 51% group. For users who are only running Bitcoin Core, there is nothing bad about that. As you say, a 51% group can arbitrarily start orphaning the blocks that are mined by non-member rivals. This _may_ be a problem, or it may not, but it is not exacerbated by drivechain. So, what exactly is "not at all true"? > > This is a very similar problem to what we had with zeroconf double-spending, > where entities such as Coinbase tried to pay off miners to guarantee something > that wasn't possible in a geninely decrentralized system: safe zeroconf > transactions. I don't see what you mean here. You can't stop Coinbase from donating BTC to a subset of miners. That will always be possible, and it has nothing to do with drivechain (as I see it). > >> Moreover, miners have other recourse if they are unable to run the node. >> They can adopt a policy of simply rejecting ("downvoting") any withdrawals >> that they don't understand. This would pause the withdraw process until >> enough miners understand enough of what is going on to proceed with it. > > Why are you forcing miners to run this code at all? Could we not say the same thing about the code behind CLTV? The nature of a contract, is that people are happier to be bound by some rules that they themselves construct (for example, a nuclear non-proliferation treaty). In this case, miners prefer sidechains to exist (as existence makes the BTC they mine more valuable, and provides additional tx fee revenues), and so they would like to run code which makes them possible. > > Equally, you're opening up miners to huge political risks, as rejecting all > withdrawals is preventing users' from getting their money, which gives other > miners a rational for kicking those miners off of Bitcoin entirely. As I explained above, miners can abstain from voting, which is politically neutral, or else they can delegate their vote to an aggressive miner. The "51% can orphan" concern could be raised, even in a world without drivechain. All that is required, is for the miners to be anonymous, or in private 'dark' pools (and to thereby escape censure). But there is a much bigger issue here, which is that our threat models are different. As you may know, my threat model [1] does not include miners "pushing each other off". It only cares about the miner-experience, to the extent that it impacts the user-experience. Moreover, I reject [2] the premise that we can even measure "miner centralization", or even that such a concept exists. If someone has a definition of this concept, which is both measurable and useful, I would be interested to read it. ( For what it's worth, Satoshi did not care about this, either. For example: "If a greedy attacker is able to assemble more CPU power than all the honest nodes, he...ought to find it more profitable to play by the rules." which implies robustness to 51% owned by one entity. ) [1] http://www.truthcoin.info/blog/mining-threat-equilibrium/ [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ > >> Finally, the point in dispute is a single, infrequent, true/false question. >> So miners may resort to semi-trusted methods to supplement their decision. >> In other words, they can just ask people they trust, if the withdrawal is >> correct or not. It is up to users to decide if they are comfortable with >> these risks, if/when they decide to deposit to a sidechain. > > Why do you think this will be infrequent? Miners with a better ability to > validate the drivechain have every reason to make these events more frequent. It is part of the spec. These timing parameters must be agreed upon when the sidechain is added, ie _before_ users deposit to the sidechain. Once the sidechain is created, the timing is enforced by nodes, the same as with any other protocol rules. Miner-validation-ability has no effect on the frequency. > >> It is a matter of comparing the costs and benefits. Ignoring theft, the >> costs are near-zero, and the benefits are >0. Specifically, they are: a >> higher BTC price and greater transaction fees. Theft is discouraged by >> attempting to tie a theft to a loss of confidence in the miners, as >> described in the spec/website. >> In general the incentives are very similar to those of Bitcoin itself. > > This is also a very dubious security model - I would argue that Bitcoin is much > *more* valuable if miners do everything they can to ensure that drivechains > fail, given the huge risks involved. I don't see how. Users are free to ignore the sidechain, so it can only benefit them. Fortunately for you, if that is actually what miners believe, then there will be no problem, as miners will just filter out drivechains (so that Bitcoin will be "much *more* valuable"), which they can easily do. > I would also argue that users should do > user-activated-soft-forks to ensure they fail. Again, I don't think that kind of UASF can succeed, because one option strictly dominates the other. But the users get the final say, of course. Empirically, I have observed overwhelming support for sidechains among users, business, and other developers. The btc-investors I spoke to were all very excited about the prospect of sidechains, even more so than they were excited about SegWit. > > By comparison, note Adam Back and my own efforts to ensure miners have a > smaller part in the ecosystem, with things like committed (encrypted) > transactions and my closed-seal-set/truth-list approach(1). We want to involve > miners as little as possible in the consensus, not more. I agree that miners should have as little influence as possible (and they probably agree, as well). But a 51% group can filter any message they like from the blockchain. For sidechains, there will need to be two public networks, so concealment is not an option. And, I repeat, for regular users of Bitcoin Core, drivechain does not make a 51% group more dangerous than they already are. Moreover, there are cases [1] where miner-involvement can make a big _positive_ impact. Just as it can be beneficial (essential, in fact) for Bitcoin to filter out harmful interactions among txns (in other words, good for miners to filter out double spends), I have discovered situations where it is beneficial and essential for miners to filter out harmful interactions among multiple chains. So I think I am actually hitting the "as little as possible" target. [1] http://www.truthcoin.info/blog/wise-contracts/#wise-contracts > > I have to ask: What use-cases do you actually see for drivechains? Why can't Here is a tentative project list: http://www.drivechain.info/projects/index.html And, as I say on the FAQ, "If each individual user is free to sell his/her BTC in exchange for an Altcoin (or for fiat), we can hardly deny users the opportunity to move their money between two sidechains." So, in a strong way, the entire altcoin market makes the case for a usefulness of sidechains. Bitcoin is a form of money, and only one form of money can exist per currency area. So, if Bitcoin is not the winner, it will eventually cease to exist altogether. Altcoin-competition is an existential threat to Bitcoin, one which is far more relevant than anything you've presented so far. Secondly, one important value of permissionless innovation is that one doesn't really know, today, what cool ideas other people are going to come up with tomorrow. If you did, they'd be today's ideas. Third, Core's review process has two opposite problems: on one hand it is slow and grueling, and on the other it is fraught with the possibility of catastrophic error. It would be better, for everyone, to allow people to try their own (non-aggressive) experiments, and to make their own mistakes. Already, I have seen the review process abused to create/maintain fiefdoms of expertise, so that the abusers can extract money from clients/employers/VCs. Just think of all of the free time you would have, Peter, if you didn't have to spend it all reviewing these projects! > those use-cases be done in the much safer client-side validation fashion? ? How is drivechain _not_ within the category of client-side validation? With BMM, validation is only performed by those users ("clients") who opt-in to the new features. The economic model of BMM is directly comparable to that of Bitcoin's PoW -- the highest-bid chain should be the healthiest one. Can you post the Github link for your most up-to-date client-side validation work so that we can compare the safety and other features? Thanks, Paul > > 1) https://petertodd.org/2016/closed-seal-sets-and-truth-lists-for-privacy > ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-30 5:11 ` Paul Sztorc @ 2017-06-09 21:54 ` Sergio Demian Lerner 2017-06-10 16:28 ` Paul Sztorc 0 siblings, 1 reply; 43+ messages in thread From: Sergio Demian Lerner @ 2017-06-09 21:54 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 11534 bytes --] I'm a bit late to this party. I just want to add that there exists an hybrid model where both a federation and the miners provide acknowledges (sometimes known as "votes" in drivechain terms and "multi-signatures" in a federation) of the sidechain state. My Drivechain proposal (Feb 2016) was tailored to enable this particular use-case, which I'm not sure Paul's proposal enable. The proposal is on this list under the following subject: Drivechain proposal using OP_COUNT_ACKS BIP (draft): https://github.com/rootstock/bips/blob/master/BIP-R10.md Code & Test cases: https://github.com/rootstock/bitcoin/tree/op-count-acks_devel In this proposal, the "poll" time is sidechain-configurable, and I proposed a few days delay was enough. Some have said that a longer times are needed, such as 2 months. So if you want to have a 2 month dalay for sidechain->mainchain transfers in this code, you still can. However a better dynamic cache of acks/nacks would be needed. However, for the hybrid use-case, one day is more than enough. Regards On Tue, May 30, 2017 at 2:11 AM, Paul Sztorc via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Hi Peter, > > Responses below. > > On 5/28/2017 5:07 PM, Peter Todd wrote: > > On Mon, May 22, 2017 at 05:30:46PM +0200, Paul Sztorc wrote: > >> Surprisingly, this requirement (or, more precisely, this incentive) does > >> not effect miners relative to each other. The incentive to upgrade is > only > >> for the purpose of preventing a "theft" -- defined as: an improper > >> withdrawal from a sidechain. It is not about miner revenues or the > ability > >> to mine generally (or conduct BMM specifically). The costs of such a > theft > >> (decrease in market price, decrease in future transaction fee levels) > would > >> be shared collectively by all future miners. Therefore, it would have no > >> effect on miners relative to each other. > > > > That's not at all true. If I'm a miner with a better capability than > another > > miner to prevent that theft, I have reasons to induce it to happen to > give me > > political cover to pushing that other miner off the network. > > Miners can abstain from 'voting', which is politically neutral. Or, if > they wish, smaller miners could acquiesce to the coercion and just copy > the votes of the attacking 51% group. For users who are only running > Bitcoin Core, there is nothing bad about that. > > As you say, a 51% group can arbitrarily start orphaning the blocks that > are mined by non-member rivals. This _may_ be a problem, or it may not, > but it is not exacerbated by drivechain. > > So, what exactly is "not at all true"? > > > > > > This is a very similar problem to what we had with zeroconf > double-spending, > > where entities such as Coinbase tried to pay off miners to guarantee > something > > that wasn't possible in a geninely decrentralized system: safe zeroconf > > transactions. > > I don't see what you mean here. You can't stop Coinbase from donating > BTC to a subset of miners. That will always be possible, and it has > nothing to do with drivechain (as I see it). > > > > > >> Moreover, miners have other recourse if they are unable to run the node. > >> They can adopt a policy of simply rejecting ("downvoting") any > withdrawals > >> that they don't understand. This would pause the withdraw process until > >> enough miners understand enough of what is going on to proceed with it. > > > > Why are you forcing miners to run this code at all? > > Could we not say the same thing about the code behind CLTV? > > The nature of a contract, is that people are happier to be bound by some > rules that they themselves construct (for example, a nuclear > non-proliferation treaty). > > In this case, miners prefer sidechains to exist (as existence makes the > BTC they mine more valuable, and provides additional tx fee revenues), > and so they would like to run code which makes them possible. > > > > > > Equally, you're opening up miners to huge political risks, as rejecting > all > > withdrawals is preventing users' from getting their money, which gives > other > > miners a rational for kicking those miners off of Bitcoin entirely. > > As I explained above, miners can abstain from voting, which is > politically neutral, or else they can delegate their vote to an > aggressive miner. The "51% can orphan" concern could be raised, even in > a world without drivechain. All that is required, is for the miners to > be anonymous, or in private 'dark' pools (and to thereby escape censure). > > But there is a much bigger issue here, which is that our threat models > are different. > > As you may know, my threat model [1] does not include miners "pushing > each other off". It only cares about the miner-experience, to the extent > that it impacts the user-experience. > > Moreover, I reject [2] the premise that we can even measure "miner > centralization", or even that such a concept exists. If someone has a > definition of this concept, which is both measurable and useful, I would > be interested to read it. > > ( For what it's worth, Satoshi did not care about this, either. For > example: "If a greedy attacker is able to assemble more CPU power than > all the honest nodes, he...ought to find it more profitable to play by > the rules." which implies robustness to 51% owned by one entity. ) > > [1] http://www.truthcoin.info/blog/mining-threat-equilibrium/ > [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ > > > > > >> Finally, the point in dispute is a single, infrequent, true/false > question. > >> So miners may resort to semi-trusted methods to supplement their > decision. > >> In other words, they can just ask people they trust, if the withdrawal > is > >> correct or not. It is up to users to decide if they are comfortable with > >> these risks, if/when they decide to deposit to a sidechain. > > > > Why do you think this will be infrequent? Miners with a better ability to > > validate the drivechain have every reason to make these events more > frequent. > > It is part of the spec. These timing parameters must be agreed upon when > the sidechain is added, ie _before_ users deposit to the sidechain. Once > the sidechain is created, the timing is enforced by nodes, the same as > with any other protocol rules. Miner-validation-ability has no effect on > the frequency. > > > > > >> It is a matter of comparing the costs and benefits. Ignoring theft, the > >> costs are near-zero, and the benefits are >0. Specifically, they are: a > >> higher BTC price and greater transaction fees. Theft is discouraged by > >> attempting to tie a theft to a loss of confidence in the miners, as > >> described in the spec/website. > >> In general the incentives are very similar to those of Bitcoin itself. > > > > This is also a very dubious security model - I would argue that Bitcoin > is much > > *more* valuable if miners do everything they can to ensure that > drivechains > > fail, given the huge risks involved. > > I don't see how. Users are free to ignore the sidechain, so it can only > benefit them. > > Fortunately for you, if that is actually what miners believe, then there > will be no problem, as miners will just filter out drivechains (so that > Bitcoin will be "much *more* valuable"), which they can easily do. > > > > I would also argue that users > should do > > user-activated-soft-forks to ensure they fail. > > Again, I don't think that kind of UASF can succeed, because one option > strictly dominates the other. But the users get the final say, of course. > > Empirically, I have observed overwhelming support for sidechains among > users, business, and other developers. The btc-investors I spoke to were > all very excited about the prospect of sidechains, even more so than > they were excited about SegWit. > > > > > > By comparison, note Adam Back and my own efforts to ensure miners have a > > smaller part in the ecosystem, with things like committed (encrypted) > > transactions and my closed-seal-set/truth-list approach(1). We want to > involve > > miners as little as possible in the consensus, not more. > > I agree that miners should have as little influence as possible (and > they probably agree, as well). But a 51% group can filter any message > they like from the blockchain. For sidechains, there will need to be two > public networks, so concealment is not an option. > > And, I repeat, for regular users of Bitcoin Core, drivechain does not > make a 51% group more dangerous than they already are. > > Moreover, there are cases [1] where miner-involvement can make a big > _positive_ impact. Just as it can be beneficial (essential, in fact) for > Bitcoin to filter out harmful interactions among txns (in other words, > good for miners to filter out double spends), I have discovered > situations where it is beneficial and essential for miners to filter out > harmful interactions among multiple chains. > > So I think I am actually hitting the "as little as possible" target. > > [1] http://www.truthcoin.info/blog/wise-contracts/#wise-contracts > > > > > > I have to ask: What use-cases do you actually see for drivechains? Why > can't > > Here is a tentative project list: > http://www.drivechain.info/projects/index.html > > And, as I say on the FAQ, "If each individual user is free to sell > his/her BTC in exchange for an Altcoin (or for fiat), we can hardly deny > users the opportunity to move their money between two sidechains." > > So, in a strong way, the entire altcoin market makes the case for a > usefulness of sidechains. Bitcoin is a form of money, and only one form > of money can exist per currency area. So, if Bitcoin is not the winner, > it will eventually cease to exist altogether. Altcoin-competition is an > existential threat to Bitcoin, one which is far more relevant than > anything you've presented so far. > > Secondly, one important value of permissionless innovation is that one > doesn't really know, today, what cool ideas other people are going to > come up with tomorrow. If you did, they'd be today's ideas. > > Third, Core's review process has two opposite problems: on one hand it > is slow and grueling, and on the other it is fraught with the > possibility of catastrophic error. It would be better, for everyone, to > allow people to try their own (non-aggressive) experiments, and to make > their own mistakes. Already, I have seen the review process abused to > create/maintain fiefdoms of expertise, so that the abusers can extract > money from clients/employers/VCs. > > Just think of all of the free time you would have, Peter, if you didn't > have to spend it all reviewing these projects! > > > > those use-cases be done in the much safer client-side validation fashion? > > ? How is drivechain _not_ within the category of client-side validation? > With BMM, validation is only performed by those users ("clients") who > opt-in to the new features. The economic model of BMM is directly > comparable to that of Bitcoin's PoW -- the highest-bid chain should be > the healthiest one. > > Can you post the Github link for your most up-to-date client-side > validation work so that we can compare the safety and other features? > > Thanks, > Paul > > > > > 1) https://petertodd.org/2016/closed-seal-sets-and-truth- > lists-for-privacy > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 14824 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-06-09 21:54 ` Sergio Demian Lerner @ 2017-06-10 16:28 ` Paul Sztorc 0 siblings, 0 replies; 43+ messages in thread From: Paul Sztorc @ 2017-06-10 16:28 UTC (permalink / raw) To: Sergio Demian Lerner; +Cc: Bitcoin Dev Hi Sergio / everyone, As some of you may know, Sergio and I each did an implementation of drivechain. I started working on mine, and he started working on his, and then I didn't hear from him for awhile about what he was doing. Anyways, with two versions, we each have an opportunity to double-check our work. For example, this already happened wrt the "ACK size". Let me share from his linked BIP: "By allowing miners to refer to transaction candidates by transaction id prefixes, the space consumption for a single ack can be as low as 2 bytes." Sergio shared this with me last October at Scaling Milan. After listening to him, we saw an opportunity to improve our design: now, our miners can conjecture that miners will grant ACKs in a few simple ways [always honest, honest+ignore some, ignore all], and it will precompute these possibilities (guessing what rival miners will do, even before they find and broadcast a new block). Therefore, in all honest cases, our ACK-counting now requires zero (0) bytes to be sent over the network. In dishonest cases it requires only a few bits per sidechain, because we also maintain a deterministically ordered list, both of sidechains and withdrawal attempts -- therefore it can just be a string of binary information. This is not part of consensus, and so can be further improved over time. I'm sure there are still a few opportunities for mutual improvements going forward. In general, Sergio and I disagree over the withdrawal-frequency. a major difference of opinion is over the withdrawal-frequency. I view infrequent withdrawal as essential to the security model, but Sergio does not. In both our designs, the withdrawal-time is configurable, but Sergio's design seems to be optimized for cases with frequent withdrawal attempts, whereas mine is optimized for cases with very infrequent withdrawal attempts. Another difference is that, as a direct result of earlier peer review, I have been integrating 'blind merged mining' into my version. It may be easy for Sergio to add BMM to his version, or it may not. It is true that I am not interested in the hybrid model. I would not make use of the multisig / centralized part, and so for me it complicates the security properties for no benefit. I see why some people are interested in it, though. Paul On 6/9/2017 5:54 PM, Sergio Demian Lerner wrote: > I'm a bit late to this party. I just want to add that there exists an > hybrid model where both a federation and the miners provide acknowledges > (sometimes known as "votes" in drivechain terms and "multi-signatures" > in a federation) of the sidechain state. > > My Drivechain proposal (Feb 2016) was tailored to enable this particular > use-case, which I'm not sure Paul's proposal enable. > > > The proposal is on this list under the following subject: Drivechain > proposal using OP_COUNT_ACKS > > BIP (draft): > https://github.com/rootstock/bips/blob/master/BIP-R10.md > <https://github.com/rootstock/bips/blob/master/BIP-R10.md> > > Code & Test cases: > https://github.com/rootstock/bitcoin/tree/op-count-acks_devel > <https://github.com/rootstock/bitcoin/tree/op-count-acks_devel> > > In this proposal, the "poll" time is sidechain-configurable, and I > proposed a few days delay was enough. > Some have said that a longer times are needed, such as 2 months. > So if you want to have a 2 month dalay for sidechain->mainchain > transfers in this code, you still can. However a better dynamic cache of > acks/nacks would be needed. However, for the hybrid use-case, one day is > more than enough. > > Regards > > > > > On Tue, May 30, 2017 at 2:11 AM, Paul Sztorc via bitcoin-dev > <bitcoin-dev@lists•linuxfoundation.org > <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote: > > Hi Peter, > > Responses below. > > On 5/28/2017 5:07 PM, Peter Todd wrote: > > On Mon, May 22, 2017 at 05:30:46PM +0200, Paul Sztorc wrote: > >> Surprisingly, this requirement (or, more precisely, this incentive) does > >> not effect miners relative to each other. The incentive to upgrade is only > >> for the purpose of preventing a "theft" -- defined as: an improper > >> withdrawal from a sidechain. It is not about miner revenues or the ability > >> to mine generally (or conduct BMM specifically). The costs of such a theft > >> (decrease in market price, decrease in future transaction fee levels) would > >> be shared collectively by all future miners. Therefore, it would have no > >> effect on miners relative to each other. > > > > That's not at all true. If I'm a miner with a better capability than another > > miner to prevent that theft, I have reasons to induce it to happen to give me > > political cover to pushing that other miner off the network. > > Miners can abstain from 'voting', which is politically neutral. Or, if > they wish, smaller miners could acquiesce to the coercion and just copy > the votes of the attacking 51% group. For users who are only running > Bitcoin Core, there is nothing bad about that. > > As you say, a 51% group can arbitrarily start orphaning the blocks that > are mined by non-member rivals. This _may_ be a problem, or it may not, > but it is not exacerbated by drivechain. > > So, what exactly is "not at all true"? > > > > > > This is a very similar problem to what we had with zeroconf double-spending, > > where entities such as Coinbase tried to pay off miners to guarantee something > > that wasn't possible in a geninely decrentralized system: safe zeroconf > > transactions. > > I don't see what you mean here. You can't stop Coinbase from donating > BTC to a subset of miners. That will always be possible, and it has > nothing to do with drivechain (as I see it). > > > > > >> Moreover, miners have other recourse if they are unable to run the node. > >> They can adopt a policy of simply rejecting ("downvoting") any withdrawals > >> that they don't understand. This would pause the withdraw process until > >> enough miners understand enough of what is going on to proceed with it. > > > > Why are you forcing miners to run this code at all? > > Could we not say the same thing about the code behind CLTV? > > The nature of a contract, is that people are happier to be bound by some > rules that they themselves construct (for example, a nuclear > non-proliferation treaty). > > In this case, miners prefer sidechains to exist (as existence makes the > BTC they mine more valuable, and provides additional tx fee revenues), > and so they would like to run code which makes them possible. > > > > > > Equally, you're opening up miners to huge political risks, as rejecting all > > withdrawals is preventing users' from getting their money, which gives other > > miners a rational for kicking those miners off of Bitcoin entirely. > > As I explained above, miners can abstain from voting, which is > politically neutral, or else they can delegate their vote to an > aggressive miner. The "51% can orphan" concern could be raised, even in > a world without drivechain. All that is required, is for the miners to > be anonymous, or in private 'dark' pools (and to thereby escape > censure). > > But there is a much bigger issue here, which is that our threat models > are different. > > As you may know, my threat model [1] does not include miners "pushing > each other off". It only cares about the miner-experience, to the extent > that it impacts the user-experience. > > Moreover, I reject [2] the premise that we can even measure "miner > centralization", or even that such a concept exists. If someone has a > definition of this concept, which is both measurable and useful, I would > be interested to read it. > > ( For what it's worth, Satoshi did not care about this, either. For > example: "If a greedy attacker is able to assemble more CPU power than > all the honest nodes, he...ought to find it more profitable to play by > the rules." which implies robustness to 51% owned by one entity. ) > > [1] http://www.truthcoin.info/blog/mining-threat-equilibrium/ > <http://www.truthcoin.info/blog/mining-threat-equilibrium/> > [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ > <http://www.truthcoin.info/blog/mirage-miner-centralization/> > > > > > >> Finally, the point in dispute is a single, infrequent, true/false question. > >> So miners may resort to semi-trusted methods to supplement their decision. > >> In other words, they can just ask people they trust, if the withdrawal is > >> correct or not. It is up to users to decide if they are comfortable with > >> these risks, if/when they decide to deposit to a sidechain. > > > > Why do you think this will be infrequent? Miners with a better ability to > > validate the drivechain have every reason to make these events more frequent. > > It is part of the spec. These timing parameters must be agreed upon when > the sidechain is added, ie _before_ users deposit to the sidechain. Once > the sidechain is created, the timing is enforced by nodes, the same as > with any other protocol rules. Miner-validation-ability has no effect on > the frequency. > > > > > >> It is a matter of comparing the costs and benefits. Ignoring theft, the > >> costs are near-zero, and the benefits are >0. Specifically, they are: a > >> higher BTC price and greater transaction fees. Theft is discouraged by > >> attempting to tie a theft to a loss of confidence in the miners, as > >> described in the spec/website. > >> In general the incentives are very similar to those of Bitcoin itself. > > > > This is also a very dubious security model - I would argue that Bitcoin is much > > *more* valuable if miners do everything they can to ensure that drivechains > > fail, given the huge risks involved. > > I don't see how. Users are free to ignore the sidechain, so it can only > benefit them. > > Fortunately for you, if that is actually what miners believe, then there > will be no problem, as miners will just filter out drivechains (so that > Bitcoin will be "much *more* valuable"), which they can easily do. > > > > I would also argue that users should do > > user-activated-soft-forks to ensure they fail. > > Again, I don't think that kind of UASF can succeed, because one option > strictly dominates the other. But the users get the final say, of > course. > > Empirically, I have observed overwhelming support for sidechains among > users, business, and other developers. The btc-investors I spoke to were > all very excited about the prospect of sidechains, even more so than > they were excited about SegWit. > > > > > > By comparison, note Adam Back and my own efforts to ensure miners have a > > smaller part in the ecosystem, with things like committed (encrypted) > > transactions and my closed-seal-set/truth-list approach(1). We want to involve > > miners as little as possible in the consensus, not more. > > I agree that miners should have as little influence as possible (and > they probably agree, as well). But a 51% group can filter any message > they like from the blockchain. For sidechains, there will need to be two > public networks, so concealment is not an option. > > And, I repeat, for regular users of Bitcoin Core, drivechain does not > make a 51% group more dangerous than they already are. > > Moreover, there are cases [1] where miner-involvement can make a big > _positive_ impact. Just as it can be beneficial (essential, in fact) for > Bitcoin to filter out harmful interactions among txns (in other words, > good for miners to filter out double spends), I have discovered > situations where it is beneficial and essential for miners to filter out > harmful interactions among multiple chains. > > So I think I am actually hitting the "as little as possible" target. > > [1] http://www.truthcoin.info/blog/wise-contracts/#wise-contracts > <http://www.truthcoin.info/blog/wise-contracts/#wise-contracts> > > > > > > I have to ask: What use-cases do you actually see for drivechains? Why can't > > Here is a tentative project list: > http://www.drivechain.info/projects/index.html > <http://www.drivechain.info/projects/index.html> > > And, as I say on the FAQ, "If each individual user is free to sell > his/her BTC in exchange for an Altcoin (or for fiat), we can hardly deny > users the opportunity to move their money between two sidechains." > > So, in a strong way, the entire altcoin market makes the case for a > usefulness of sidechains. Bitcoin is a form of money, and only one form > of money can exist per currency area. So, if Bitcoin is not the winner, > it will eventually cease to exist altogether. Altcoin-competition is an > existential threat to Bitcoin, one which is far more relevant than > anything you've presented so far. > > Secondly, one important value of permissionless innovation is that one > doesn't really know, today, what cool ideas other people are going to > come up with tomorrow. If you did, they'd be today's ideas. > > Third, Core's review process has two opposite problems: on one hand it > is slow and grueling, and on the other it is fraught with the > possibility of catastrophic error. It would be better, for everyone, to > allow people to try their own (non-aggressive) experiments, and to make > their own mistakes. Already, I have seen the review process abused to > create/maintain fiefdoms of expertise, so that the abusers can extract > money from clients/employers/VCs. > > Just think of all of the free time you would have, Peter, if you didn't > have to spend it all reviewing these projects! > > > > those use-cases be done in the much safer client-side validation fashion? > > ? How is drivechain _not_ within the category of client-side validation? > With BMM, validation is only performed by those users ("clients") who > opt-in to the new features. The economic model of BMM is directly > comparable to that of Bitcoin's PoW -- the highest-bid chain should be > the healthiest one. > > Can you post the Github link for your most up-to-date client-side > validation work so that we can compare the safety and other features? > > Thanks, > Paul > > > > > 1) > https://petertodd.org/2016/closed-seal-sets-and-truth-lists-for-privacy > <https://petertodd.org/2016/closed-seal-sets-and-truth-lists-for-privacy> > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > <mailto:bitcoin-dev@lists•linuxfoundation.org> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev> > > ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 6:17 [bitcoin-dev] Drivechain -- Request for Discussion Paul Sztorc 2017-05-22 13:33 ` Peter Todd @ 2017-05-22 14:39 ` ZmnSCPxj 2017-05-22 16:19 ` Paul Sztorc 2017-06-10 17:04 ` [bitcoin-dev] Drivechain RfD -- Follow Up Paul Sztorc 2 siblings, 1 reply; 43+ messages in thread From: ZmnSCPxj @ 2017-05-22 14:39 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 7715 bytes --] Good morning Paul, I read only http://www.truthcoin.info/blog/blind-merged-mining/ From just this document, I can't see a good justification for believing that a main->side locking transaction can be safely spent into a side->main unlocking transaction. Do you have a better explanation? OP_is_h_in_coinbase, as described, does not seem to protect against a sidechain reorg in your next section of the document. If I attempt to spend a main->side locking transaction on the basis of a "mistaken" side block #49, what prevents me from this sequence: 1. Put a side:side->main transaction into a block together with TheDAO's hacked money. 2. Wait for a reorg to revert TheDAO. 3. Spend my now-free-in-the-reorg funds on Lightning Network to get mainchain funds. 4. Create a main:side->main transaction with the side:side->main transaction in the TheDAO-hacked block as witness. 5. Get another set of mainchain funds from the same sidechain funds. So far, the only good side->main transfer I know of is in Blockstream's original sidechains paper, with the main:side->main transaction spending into a timelocked transaction that may be burned if a reorg proof is submitted (i.e. you try to create a main:side->main transaction with the side:side->main transaction in the mistaken #49 and #50 as your proof, but someone else can come along and show a corrected #49, #50, #51 without your side:side->main transaction and burn your funds). Is your proposal at the technical level actually similar, or does it truly seem to be riskier? It seems to me that your OP_is_h_in_coinbase should scan a series of sidechain block headers backed by mainchain (meaning at the minimum that sidechains should have some common header format prefix), rather than just mainchain depth as your article seems to imply. Also, blinded merge mining seems strictly inferior to proof-of-burn: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2014-December/007012.html Proof-of-burn integrates a lottery to reduce the ability of a mainchain-rich attacker to reorg the sidechain by burning its greater funds. However it still seems to me that a rich attacker can simply make more bets in that scheme by some trivial modification of the side block. Blind merged mining seems strictly inferior as a rich attacker can simply reorg the sidechain outright without playing such games. Or is your proposal strictly for centralized sidechains, where only one entity creates side blocks? How does your proposal handle multiple side block creators on the same sidechain, with the possibility that chain splits occur? Regarding your dig about people who dislike data centers, the main issue with miners blindly accepting sidechain commitments is that it violates "Don't trust, verify", not that allows datacenters to be slightly smaller by not including side:nodes. Regards, ZmnSCPxj Sent with ProtonMail Secure Email. -------- Original Message -------- Subject: [bitcoin-dev] Drivechain -- Request for Discussion Local Time: May 22, 2017 6:17 AM UTC Time: May 22, 2017 6:17 AM From: bitcoin-dev@lists•linuxfoundation.org To: Bitcoin Dev <bitcoin-dev@lists•linuxfoundation.org> Dear list, I've been working on "drivechain", a sidechain enabling technology, for some time. * The technical info site is here: www.drivechain.info * The changes to Bitcoin are here: https://github.com/drivechain-project/bitcoin/tree/mainchainBMM * A Blank sidechain template is here: https://github.com/drivechain-project/bitcoin/tree/sidechainBMM As many of you know, I've been seeking feedback in person, at various conferences and meetups over the past year, most prominently Scaling Milan. And I intend to continue to seek feedback at Consensus2017 this week, so if you are in NYC please just walk up and start talking to me! But I also wanted to ask the list for feedback. Initially, I was hesitant because I try not to consume reviewers' scarce time until the author has put in a serious effort. However, I may have waiting too long, as today it is actually quite close to a working release. Scaling Implications --------------------- This upgrade would have significant scaling implications. Since it is the case that sidechains can be added by soft fork, and since each of these chains will have its own blockspace, this theoretically removes the blocksize limit from "the Bitcoin system" (if one includes sidechains as part of such a system). People who want a LargeBlock bitcoin can just move their BTC over to such a network [1], and their txns will have no longer have an impact on "Bitcoin Core". Thus, even though this upgrade does not actually increase "scalability" per se, it may in fact put an end to the scalability debate...forever. This work includes the relatively new concept of "Blind Merged Mining" [2] which I developed in January to allow SHA256^2 miners to merge-mine these "drivechains", even if these miners aren't running the actual sidechain software. The goal is to prevent sidechains from affecting the levelness of the mining "playing field". BMM is conceptually similar to ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not required for drivechain, but it would address some of the last remaining concerns. Total Transaction Fees in the Far Future ----------------------------------------- Some people feel that a maximum blocksize limit is needed to ensure that future total equilibrium transaction fees are non-negligible. I presented [4] on why I don't agree, 8 months ago. The reviewers I spoke to over the last year have stopped bringing this complaint up, but I am not sure everyone feels that way. Juxtaposition with a recent "Scaling Compromise" ------------------------------------------------- Recently, a scalability proposal began to circulate on social media. As far as I could tell, it goes something like "immediately activate SegWit, and then HF to double the nonwitness blockspace to 2MB within 12 months". But such a proposal is quite meager, compared to a "LargeBlock Drivechain". The drivechain is better on both fronts, as it would not require a hardfork, and could *almost immediately* add _any_ amount of extra blockspace (specifically, I might expect a BIP101-like LargeBlock chain that has an 8 MB maxblocksize, which doubles every two years). In other words, I don't know why anyone would support that proposal over mine. The only reasons would be either ignorance (ie, unfamiliarity with drivechain) or because there are still nagging unspoken complaints about drivechain which I apparently need to hear and address. Other Thoughts --------------- Unfortunately, anyone who worked on the "first generation" of sidechain technology (the skiplist) or the "second generation" (federated / Liquid), will find that this is very different. I will admit that I am very pessimistic about any conversation that involves scalability. It is often said that "talking politics lowers your IQ by 25 points". Bitcoin scalability conversations seem to drain 50 points. (Instead of conversing, I think people should quietly work on whatever they are passionate about until their problem either is solved, or it goes away for some other reason, or until we all agree to just stop talking about it.) Cheers, Paul [1] http://www.drivechain.info/faq/#can-sidechains-really-help-with-scaling [2] http://www.truthcoin.info/blog/blind-merged-mining/ [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log [4] https://www.youtube.com/watch?v=YErLEuOi3xU&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=4 _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists•linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev [-- Attachment #2: Type: text/html, Size: 10034 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 14:39 ` ZmnSCPxj @ 2017-05-22 16:19 ` Paul Sztorc 2017-05-22 19:12 ` Tier Nolan 2017-05-23 0:13 ` ZmnSCPxj 0 siblings, 2 replies; 43+ messages in thread From: Paul Sztorc @ 2017-05-22 16:19 UTC (permalink / raw) To: ZmnSCPxj; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 8214 bytes --] On May 22, 2017 10:39 AM, "ZmnSCPxj" <ZmnSCPxj@protonmail•com> wrote: Good morning Paul, I read only http://www.truthcoin.info/blog/blind-merged-mining/ From just this document, I can't see a good justification for believing that a main->side locking transaction can be safely spent into a side->main unlocking transaction. Do you have a better explanation? Yes, a better explanation is in the drivechain spec, at: http://www.truthcoin.info/blog/drivechain/ What you read is only an introduction of BMM. You may also consult the notes (at the bottom of the BMM post) or the code, although this is time consuming of course. If I attempt to spend a main->side locking transaction on the basis of a "mistaken" side block #49, what prevents me from this sequence: The literal answer to your question is that mainchain Bitcoin will notice that, for the second withdrawal, the sum of the inputs is less than the sum of the outputs and they the transaction is therefore invalid. 1. Put a side:side->main transaction into a block together with TheDAO's hacked money. So far, the only good side->main transfer I know of is in Blockstream's original sidechains paper, with the main:side->main transaction ... Is your proposal at the technical level actually similar, or does it truly seem to be riskier? I feel that my proposal is more secure, as it can operate healthily and quickly while using spv proofs which are much slower and much much easier to audit. seems to me that your OP_is_h_in_coinbase should scan a series of sidechain block headers backed by mainchain (meaning at the minimum that sidechains should have some common header format prefix), rather than just mainchain depth as your article seems to imply. How would security be improved as a result? In either case, 51% of hashrate can cause a reorg. The sidechain software itself does scan block headers, of course. Blind merged mining seems strictly inferior ... a rich attacker can simply reorg the sidechain outright without playing such games. In the future, when there is no block subsidy, a rich attacker can also do that in mainchain Bitcoin. Or is your proposal strictly for centralized sidechains, where only one entity creates side blocks? Not at all. How does your proposal handle multiple side block creators on the same sidechain, with the possibility that chain splits occur? The side block is only "mined" if it is committed to in a mainchain Bitcoin blog, and each mainchain block can only contain one block per sidechain. In this way, drivechain sidechains are different from classical Namecoin merged mining (where one _could_ run the entire system, mining included, without interfacing with Bitcoin at all). Regarding your dig about people who dislike data centers, the main issue with miners blindly accepting sidechain commitments is that it violates "Don't trust, verify", not that allows datacenters to be slightly smaller by not including side:nodes. As I explain early on, in earlier rounds of peer review, the focus was on harms the sidechain technology might do to mainchain Bitcoin, and the "datacenter point" was specifically the chief objection raised. So I am afraid you are entirely incorrect. In point of fact, the transactions *are* validated...by sidechain full nodes, same as Bitcoin proper. Paul Regards, ZmnSCPxj Sent with ProtonMail Secure Email. -------- Original Message -------- Subject: [bitcoin-dev] Drivechain -- Request for Discussion Local Time: May 22, 2017 6:17 AM UTC Time: May 22, 2017 6:17 AM From: bitcoin-dev@lists•linuxfoundation.org To: Bitcoin Dev <bitcoin-dev@lists•linuxfoundation.org> Dear list, I've been working on "drivechain", a sidechain enabling technology, for some time. * The technical info site is here: www.drivechain.info * The changes to Bitcoin are here: https://github.com/drivechain-project/bitcoin/tree/mainchainBMM * A Blank sidechain template is here: https://github.com/drivechain-project/bitcoin/tree/sidechainBMM As many of you know, I've been seeking feedback in person, at various conferences and meetups over the past year, most prominently Scaling Milan. And I intend to continue to seek feedback at Consensus2017 this week, so if you are in NYC please just walk up and start talking to me! But I also wanted to ask the list for feedback. Initially, I was hesitant because I try not to consume reviewers' scarce time until the author has put in a serious effort. However, I may have waiting too long, as today it is actually quite close to a working release. Scaling Implications --------------------- This upgrade would have significant scaling implications. Since it is the case that sidechains can be added by soft fork, and since each of these chains will have its own blockspace, this theoretically removes the blocksize limit from "the Bitcoin system" (if one includes sidechains as part of such a system). People who want a LargeBlock bitcoin can just move their BTC over to such a network [1], and their txns will have no longer have an impact on "Bitcoin Core". Thus, even though this upgrade does not actually increase "scalability" per se, it may in fact put an end to the scalability debate...forever. This work includes the relatively new concept of "Blind Merged Mining" [2] which I developed in January to allow SHA256^2 miners to merge-mine these "drivechains", even if these miners aren't running the actual sidechain software. The goal is to prevent sidechains from affecting the levelness of the mining "playing field". BMM is conceptually similar to ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not required for drivechain, but it would address some of the last remaining concerns. Total Transaction Fees in the Far Future ----------------------------------------- Some people feel that a maximum blocksize limit is needed to ensure that future total equilibrium transaction fees are non-negligible. I presented [4] on why I don't agree, 8 months ago. The reviewers I spoke to over the last year have stopped bringing this complaint up, but I am not sure everyone feels that way. Juxtaposition with a recent "Scaling Compromise" ------------------------------------------------- Recently, a scalability proposal began to circulate on social media. As far as I could tell, it goes something like "immediately activate SegWit, and then HF to double the nonwitness blockspace to 2MB within 12 months". But such a proposal is quite meager, compared to a "LargeBlock Drivechain". The drivechain is better on both fronts, as it would not require a hardfork, and could *almost immediately* add _any_ amount of extra blockspace (specifically, I might expect a BIP101-like LargeBlock chain that has an 8 MB maxblocksize, which doubles every two years). In other words, I don't know why anyone would support that proposal over mine. The only reasons would be either ignorance (ie, unfamiliarity with drivechain) or because there are still nagging unspoken complaints about drivechain which I apparently need to hear and address. Other Thoughts --------------- Unfortunately, anyone who worked on the "first generation" of sidechain technology (the skiplist) or the "second generation" (federated / Liquid), will find that this is very different. I will admit that I am very pessimistic about any conversation that involves scalability. It is often said that "talking politics lowers your IQ by 25 points". Bitcoin scalability conversations seem to drain 50 points. (Instead of conversing, I think people should quietly work on whatever they are passionate about until their problem either is solved, or it goes away for some other reason, or until we all agree to just stop talking about it.) Cheers, Paul [1] http://www.drivechain.info/faq/#can-sidechains-really-help-with-scaling [2] http://www.truthcoin.info/blog/blind-merged-mining/ [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log [4] https://www.youtube.com/watch?v=YErLEuOi3xU&list=PLw8- 6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=4 _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists•linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev [-- Attachment #2: Type: text/html, Size: 14442 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 16:19 ` Paul Sztorc @ 2017-05-22 19:12 ` Tier Nolan 2017-05-22 20:00 ` Paul Sztorc 2017-05-23 0:13 ` ZmnSCPxj 1 sibling, 1 reply; 43+ messages in thread From: Tier Nolan @ 2017-05-22 19:12 UTC (permalink / raw) Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2158 bytes --] On Mon, May 22, 2017 at 5:19 PM, Paul Sztorc via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > > In the future, when there is no block subsidy, a rich attacker can also do > that in mainchain Bitcoin. > I don't think they are the same. With Bitcoin, you only get to reverse recent transactions. If you actually reversed 2-3 weeks of transactions, then the Bitcoin price would fall, destroying the value of the additional coins you managed to obtain. Even if their was no price fall, you can only get a fraction of the total. With BMM, you can "buy" the entire reserve of the sidechain by paying (timeout) * (average tx fees). If you destroy a side-chain's value, then that doesn't affect the value of the bitcoins you manage to steal. The incentive could be eliminated by restricting the amount of coin that can be transferred from the side chain to the main chain to a fraction of the transaction fee pay to the bitcoin miners. If the side chain pays x in fees, then at most x/10 can be transferred from the side chain to the main chain. This means that someone who pays for block creation can only get 10% of that value transferred to the main chain. Main-chain miners could support fraud proofs. A pool could easily run an archive node for the side chain in a different data center. This wouldn't harm the performance of their main operations, but would guarantee that the side chain data is available for side chain validators. The sidechain to main-chain timeout would be more than enough for fraud proofs to be constructed. This means that the miners would need to know what the rules are for the side chain, so that they can process the fraud proofs. They would also need to run SPV nodes for the side chain, so they know which sidechain headers to blacklist. > In point of fact, the transactions *are* validated...by sidechain full > nodes, same as Bitcoin proper. > > The big difference is that Bitcoin holds no assets on another chain. A side-chain's value is directly linked to the fact that it has 100% reserves on the Bitcoin main chain. That can be targeted for theft. > Paul > > > Regards, > ZmnSCPxj > > [-- Attachment #2: Type: text/html, Size: 3855 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 19:12 ` Tier Nolan @ 2017-05-22 20:00 ` Paul Sztorc 2017-05-23 9:51 ` Tier Nolan 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-05-22 20:00 UTC (permalink / raw) To: Tier Nolan; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1932 bytes --] On May 22, 2017 3:13 PM, "Tier Nolan via bitcoin-dev" <bitcoin-dev@lists. linuxfoundation.org> wrote: On Mon, May 22, 2017 at 5:19 PM, Paul Sztorc via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > > In the future, when there is no block subsidy, a rich attacker can also do > that in mainchain Bitcoin. > I don't think they are the same. With Bitcoin, you only get to reverse recent transactions. If you actually reversed 2-3 weeks of transactions, then the Bitcoin price would fall, destroying the value of the additional coins you managed to obtain. Even if their was no price fall, you can only get a fraction of the total. I would replace "Bitcoins you manage to steal" with "Bitcoins you manage to double-spend". Then, it still seems the same to me. With BMM, you can "buy" the entire reserve of the sidechain by paying (timeout) * (average tx fees). If you destroy a side-chain's value, then that doesn't affect the value of the bitcoins you manage to steal. It may destroy great value if it shakes confidence in the sidechain infrastructure. Thus, the value of the stolen BTC may decrease, in addition to the lost future tx fee revenues of the attacked chain. http://www.truthcoin.info/blog/drivechain/#drivechains-security In my view, sidechains should only exist at all if they positively impact Bitcoin's value. It is therefore desirable for miners to steal from chains that provide no value-add. > In point of fact, the transactions *are* validated...by sidechain full > nodes, same as Bitcoin proper. > > The big difference is that Bitcoin holds no assets on another chain. A side-chain's value is directly linked to the fact that it has 100% reserves on the Bitcoin main chain. That can be targeted for theft. Again, I don't really think it is that different. One could interchange "recent txns" (those which could be double-spent within 2-3 weeks) with "sidechain deposit tnxs". [-- Attachment #2: Type: text/html, Size: 4725 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 20:00 ` Paul Sztorc @ 2017-05-23 9:51 ` Tier Nolan 2017-05-23 14:22 ` Paul Sztorc 0 siblings, 1 reply; 43+ messages in thread From: Tier Nolan @ 2017-05-23 9:51 UTC (permalink / raw) Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3102 bytes --] On Mon, May 22, 2017 at 9:00 PM, Paul Sztorc <truthcoin@gmail•com> wrote: > I would replace "Bitcoins you manage to steal" with "Bitcoins you manage > to double-spend". Then, it still seems the same to me. > > With double spending, you can only get ownership of coins that you owned at some point in the past. Coins that are owned by someone else from coinbase to their current owners cannot be stolen by a re-org (though they can be moved around). With BMM, you can take the entire reserve. Creating a group of double spenders can help increase the reward. > > It may destroy great value if it shakes confidence in the sidechain > infrastructure. Thus, the value of the stolen BTC may decrease, in addition > to the lost future tx fee revenues of the attacked chain. > > http://www.truthcoin.info/blog/drivechain/#drivechains-security > > That is a fair point. If sidechains are how Bitcoin is scaled, then shaking confidence in a side-chain would shake confidence in Bitcoin's future. I wasn't thinking of a direct miner 51% attack. It is enough to assume that a majority of the miners go with the highest bidder each time. If (average fees) * (timeout) is less than the total reserves, then it is worth it for a 3rd party to just bid for his theft fork. Miners don't have to be assumed to be coordinating, they just have to be assumed to take the highest bid. Again, I don't really think it is that different. One could interchange > "recent txns" (those which could be double-spent within 2-3 weeks) with > "sidechain deposit tnxs". > It is not "recent txns", it is recent txns that you (or your group) have the key for. No coordination is required to steal the entire reserve from the sidechain. Recent txns and money on the sidechain have the property that they are riskier than money deep on the main chain. This is the inherent point about sidechains, so maybe not that big a deal. My concern is that you could have a situation where an attack is possible and only need to assume that the miners are indifferent. If the first attacker who tries it fails (say after creating a fork that is 90% of the length required, so losing a lot of money), then it would discourage others. If he succeeds, then it weakens sidechains as a concept and that creates the incentive for miners to see that he fails. I wonder how the incentives work out. If a group had 25% of the money on the sidechain, they could try to outbid the attacker. In fact, since the attacker, by definition, creates an illegal fork, the effect is that he reduces the block rate for the side chain (possibly to zero, if he wins every auction). This means that there are more transactions per block, if there is space, or more fees per transaction, if the blocks are full. In both cases, this pushes up the total fees per block, so he has to pay more per block, weakening his attack. This is similar to where transaction spam on Bitcoin is self-correcting by increasing the fees required to keep the spam going. Is there a description of the actual implementation you decided to go with, other than the code? [-- Attachment #2: Type: text/html, Size: 4489 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-23 9:51 ` Tier Nolan @ 2017-05-23 14:22 ` Paul Sztorc 2017-05-24 8:50 ` Tier Nolan 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-05-23 14:22 UTC (permalink / raw) To: Tier Nolan; +Cc: Bitcoin Dev On 5/23/2017 5:51 AM, Tier Nolan via bitcoin-dev wrote: > On Mon, May 22, 2017 at 9:00 PM, Paul Sztorc <truthcoin@gmail•com > <mailto:truthcoin@gmail•com>> wrote: > > I would replace "Bitcoins you manage to steal" with "Bitcoins you > manage to double-spend". Then, it still seems the same to me. > > > With double spending, you can only get ownership of coins that you owned > at some point in the past. Coins that are owned by someone else from > coinbase to their current owners cannot be stolen by a re-org (though > they can be moved around). I'm not sure it makes much of a difference. First of all, in point of fact, the miners themselves own the coins from the coinbase. But more importantly, even if miners did not explicitly own the coins, they might profit by being bribed -- these bribes would come from people who did own the coins. The principle is that value "v' has been taken from A and given to B. This is effectively coercive activity, and therefore itself has value proportional to 'v'. > > With BMM, you can take the entire reserve. Creating a group of double > spenders can help increase the reward. > > > > It may destroy great value if it shakes confidence in the sidechain > infrastructure. Thus, the value of the stolen BTC may decrease, in > addition to the lost future tx fee revenues of the attacked chain. > > http://www.truthcoin.info/blog/drivechain/#drivechains-security > <http://www.truthcoin.info/blog/drivechain/#drivechains-security> > > > That is a fair point. If sidechains are how Bitcoin is scaled, then > shaking confidence in a side-chain would shake confidence in Bitcoin's > future. Yes. The more value _on_ the sidechain, the more abhorrent the malfeasance. > > I wasn't thinking of a direct miner 51% attack. It is enough to assume > that a majority of the miners go with the highest bidder each time. What do you think of my argument, that we already labor under such an assumption? An attacker could pay fees today equal to greater than sum(blockreward_(last N block)). According to you this would force a reorg, even on mainchain (pre-sidechain) Bitcoin. Yet this has never happened. It seems that this argument fully reduces to the "what will happen when the block subsidy falls to zero" question. > > If (average fees) * (timeout) is less than the total reserves, then it > is worth it for a 3rd party to just bid for his theft fork. Miners > don't have to be assumed to be coordinating, they just have to be > assumed to take the highest bid. > > Again, I don't really think it is that different. One could > interchange "recent txns" (those which could be double-spent within > 2-3 weeks) with "sidechain deposit tnxs". > > > It is not "recent txns", it is recent txns that you (or your group) have > the key for. No coordination is required to steal the entire reserve > from the sidechain. See above (?) for why I still feel they are comparable, if not identical. > > Recent txns and money on the sidechain have the property that they are > riskier than money deep on the main chain. This is the inherent point > about sidechains, so maybe not that big a deal. Yes. Sidechains have newer, more interesting features, and simultaneously more risk. > > My concern is that you could have a situation where an attack is > possible and only need to assume that the miners are indifferent. Again, I think that we _already_ need to eliminate any assumption of "charitable miners". > > If the first attacker who tries it fails (say after creating a fork that > is 90% of the length required, so losing a lot of money), then it would > discourage others. If he succeeds, then it weakens sidechains as a > concept and that creates the incentive for miners to see that he fails. > > I wonder how the incentives work out. If a group had 25% of the money > on the sidechain, they could try to outbid the attacker. Yes, we may see interesting behavior where people buy up these liabilities using the LN. In my original post, I mention that miners themselves may purchase these liabilities (at competitive rates, even if these arent the idealized 1:1). At this point, miners would be paying themselves and there would be no agency problem. > > In fact, since the attacker, by definition, creates an illegal fork, the > effect is that he reduces the block rate for the side chain (possibly to > zero, if he wins every auction). This means that there are more > transactions per block, if there is space, or more fees per transaction, > if the blocks are full. > > In both cases, this pushes up the total fees per block, so he has to pay > more per block, weakening his attack. This is similar to where > transaction spam on Bitcoin is self-correcting by increasing the fees > required to keep the spam going. > > Is there a description of the actual implementation you decided to go > with, other than the code? If you haven't seen http://www.truthcoin.info/blog/drivechain/ , that is probably the most human-readable description. Cheers, Paul ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-23 14:22 ` Paul Sztorc @ 2017-05-24 8:50 ` Tier Nolan 2017-05-24 10:05 ` Tier Nolan 2017-06-18 14:36 ` Chris Stewart 0 siblings, 2 replies; 43+ messages in thread From: Tier Nolan @ 2017-05-24 8:50 UTC (permalink / raw) Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2942 bytes --] On Tue, May 23, 2017 at 3:22 PM, Paul Sztorc <truthcoin@gmail•com> wrote: > > If you haven't seen http://www.truthcoin.info/blog/drivechain/ , that is > probably the most human-readable description. > I guess I was looking for the detail you get in the code, but without having to read the code. My quick reading gives that the sidechain codes (critical hashes) are added when a coinbase is processed. Any coinbase output that has the form "OP_RETURN <32 byte push>" counts as a potential critical hash. When the block is processed, the key value pair (hash, block_height) is added to a hash map. The OP_BRIBE opcode checks that the given hash is in the hash map and replaces the top element on the stack with the pass/fail result. It doesn't even check that the height matches the current block, though there is a comment that that is a TODO. I agree with ZmnSCPxj, when updating a nop, you can't change the stack. It has to fail the script or do nothing. OP_BRIBE_VERIFY would cause the script to fail if the hash wasn't in the coinbase, or cause a script failure otherwise. Another concern is that you could have multiple bribes for the same chain in a single coinbase. That isn't fair and arguably what the sidechain miner is paying for is to get his hash exclusively into the block. I would suggest that the output is OP_RETURN <sidechain_id> <critical hash> Then add the rule that only the first hash with a particular sidechain id actually counts. This forces the miner to only accept the bribe from 1 miner for each sidechain for each block. If he tries to accept 2, then only the first one counts. OP_BRIBE_VERIFY could then operate as follows <block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY This causes the script to fail if <block height> does not match the block height, or <critical hash> is not the hash for the sidechain with <sidechain_id>, or there is no hash for that sidechain in the block's coinbase If you want reduce the number of drops, you could serialize the info into a single push. This has the advantage that a sidechain miner only has to pay if his block is accepted in the next bitcoin block. Since he is the only miner for that sidechain that gets into the main bitcoin block, he is pretty much guaranteed to form the longest chain. Without that rule, sidechain miners could end up having to pay even though it doesn't make their chain the longest. How are these transactions propagated over the network? For relaying, you could have the rule that the opcode passes as long as <block height> is near the current block height. Maybe require that they are in the future. They should be removed from the memory pool once the block height has arrived, so losing miners can re-spend those outputs. This opcode can be validated without needing to look at other blocks, which is good for validating historical blocks. I am still looking at the deposit/withdrawal code. [-- Attachment #2: Type: text/html, Size: 4543 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-24 8:50 ` Tier Nolan @ 2017-05-24 10:05 ` Tier Nolan 2017-05-24 17:32 ` CryptAxe 2017-06-18 14:36 ` Chris Stewart 1 sibling, 1 reply; 43+ messages in thread From: Tier Nolan @ 2017-05-24 10:05 UTC (permalink / raw) Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1656 bytes --] On Wed, May 24, 2017 at 9:50 AM, Tier Nolan <tier.nolan@gmail•com> wrote: > OP_BRIBE_VERIFY could then operate as follows > > <block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY > > This causes the script to fail if > <block height> does not match the block height, or > <critical hash> is not the hash for the sidechain with <sidechain_id>, or > there is no hash for that sidechain in the block's coinbase > > I was thinking more on the process for these transactions. I assume that the process is - sidechain miner broadcasts transaction with OP_BRIBE output - this transaction ends up in the memory pool of miners - Miners add the transaction to their next block - Miners add a transaction which spends the output to one of their own addresses I think you need an additional rule that OP_BRIBE checks fails unless the output is locked 100 or more blocks. The output script would end up something like IF <block height> <chain_id> <critical hash> OP_BRIBE_VERIFY ELSE <public key> OP_CHECKSIG ENDIF This output acts like "anyone can spend" for the one block height. Otherwise, only the sidechain miner can spend the output. This allows the sidechain miner to reclaim their coins if the transaction ends up in a different block. OP_BRIBE_VERIFY would have an additional rule The script to fails if one or more of the transaction outputs start with something other than the template <block height> does not match the block height, or <critical hash> is not the hash for the sidechain with <sidechain_id>, or there is no hash for that sidechain in the block's coinbase The template is <100> OP_CHECKSEQUENCE_VERIFY [-- Attachment #2: Type: text/html, Size: 3092 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-24 10:05 ` Tier Nolan @ 2017-05-24 17:32 ` CryptAxe 2017-05-25 22:08 ` Tier Nolan 0 siblings, 1 reply; 43+ messages in thread From: CryptAxe @ 2017-05-24 17:32 UTC (permalink / raw) To: bitcoin-dev [-- Attachment #1: Type: text/plain, Size: 3797 bytes --] Your assumptions of the bribe process are indeed correct you seem to have a pretty good handle on all of that. Hopefully I can clear up a few things. BMM among other things is still a work in progress so you'll have to wait a bit longer before any reorg code is on github. The "ratchet" system on github right now just has the block hash part of the critical hash script. The completed version needs to check the sidechain number (ID) and the sidechain block number in the script. Also the block number can only change by +1 or -1, so when a new h* is added to the queue it must be compared to the most recent h* in the queue. std::abs(queue.back().nHeight - ToAdd.nHeight) must equal 1. Here's what the script looks like on github: Note that the h* is just a block hash. script << OP_RETURN << ToByteVector(h*); Here's what I'm testing right now as I'm working on BMM: script << OP_RETURN << CScriptNum::serialize(nSidechain) << CScriptNum(nSidechainHeight) << ToByteVector(sidechain blinded block hash h*) One other thing I want to make sure is clear enough is that the block number in the critical hash script is a sidechain block number, not a mainchain block number. That might mess up the new format you have suggested for bribes. And the reason a sidechain miner would want to refund their bribe is if the h* doesn't end up in a coinbase after a number of blocks, making their blinded block on the sidechain invalid as tx's will be spent in other blocks that do get their h* in a coinbase. We were thinking about making bribe outputs have a maturity period like generated coins. You think that they should be locked for >100 blocks by having OP_BRIBE also check the lock time? I like all of your suggestions so far, thank you for taking a look! On 05/24/2017 03:05 AM, Tier Nolan via bitcoin-dev wrote: > On Wed, May 24, 2017 at 9:50 AM, Tier Nolan <tier.nolan@gmail•com > <mailto:tier.nolan@gmail•com>> wrote: > > OP_BRIBE_VERIFY could then operate as follows > > <block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY > > This causes the script to fail if > <block height> does not match the block height, or > <critical hash> is not the hash for the sidechain with > <sidechain_id>, or > there is no hash for that sidechain in the block's coinbase > > > I was thinking more on the process for these transactions. > > I assume that the process is > > - sidechain miner broadcasts transaction with OP_BRIBE output > - this transaction ends up in the memory pool of miners > - Miners add the transaction to their next block > - Miners add a transaction which spends the output to one of their own > addresses > > I think you need an additional rule that OP_BRIBE checks fails unless > the output is locked 100 or more blocks. > > The output script would end up something like > > IF > <block height> <chain_id> <critical hash> OP_BRIBE_VERIFY > ELSE > <public key> OP_CHECKSIG > ENDIF > > This output acts like "anyone can spend" for the one block height. > Otherwise, only the sidechain miner can spend the output. > > This allows the sidechain miner to reclaim their coins if the > transaction ends up in a different block. > > OP_BRIBE_VERIFY would have an additional rule > > The script to fails if > one or more of the transaction outputs start with something other > than the template > <block height> does not match the block height, or > <critical hash> is not the hash for the sidechain with > <sidechain_id>, or > there is no hash for that sidechain in the block's coinbase > > The template is > <100> OP_CHECKSEQUENCE_VERIFY > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev [-- Attachment #2: Type: text/html, Size: 7553 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-24 17:32 ` CryptAxe @ 2017-05-25 22:08 ` Tier Nolan 0 siblings, 0 replies; 43+ messages in thread From: Tier Nolan @ 2017-05-25 22:08 UTC (permalink / raw) Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 4260 bytes --] On Wed, May 24, 2017 at 6:32 PM, CryptAxe via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Also the block number can only change by +1 or -1, so when a new h* is > added to the > queue it must be compared to the most recent h* in the queue. > std::abs(queue.back().nHeight - ToAdd.nHeight) must equal 1. > I think it is better to have it locked to a particular bitcoin height and if it doesn't get included in that block, the sidechain miner can re-claim it. This could be taken to the extreme where the sidechain miner specifies a particular parent of the claiming block. The output should have a standard template, so miners can easily find bids. The template on my previous post was: IF <block height> <chain_id> <critical hash> OP_BRIBE_VERIFY ELSE <public key> OP_CHECKSIG ENDIF If the output is spent by the miner for block <block height>, then the sidechain miner has spent the funds. Otherwise, the sidechain miner can use the else branch to reclaim his money. The sidechain miner could also reclaim his money if the transaction was included in an earlier block. That would defeat the purpose of the bribe. Bitcoin miners would have a (justified) incentive to not allow Bribe outputs to be spent "early". The bribe transactions could be created with no fees. This would mean that it is pointless for bitcoin miners to include them in blocks unless they are claiming the outputs. The relay rules would need to be modified to handle that. Pools could allow bids to be made directly, but that is less decentralized. Here's what I'm testing right now as I'm working on BMM: > > script << OP_RETURN << CScriptNum::serialize(nSidechain) << > CScriptNum(nSidechainHeight) << ToByteVector(sidechain blinded block hash > h*) > I don't think OP_BRIBE should care about info for the side chain. The only thing that is necessary is to indicate which sidechain. You could just define the critical hash as Hash( SideChainHeight | blinded h* ) For bribe payout release, it needs to give that particular miner an advantage over all competitors, so their block forms the longest chain on the sidechain (assuming their block is actually valid). > One other thing I want to make sure is clear enough is that the block > number in the critical hash script is > a sidechain block number, not a mainchain block number. > The sidechain miner is saying that they will pay the bribe but only if their block is included in the main chain. The means that main chain height is important. They are paying for their block to be placed ahead of all competing blocks for their chain. It does mean that the side-chain can have at most the same number of blocks as bitcoin. > > We were thinking about making bribe outputs have a maturity period like > generated coins. You > think that they should be locked for >100 blocks by having OP_BRIBE also > check the lock time? > Well, it depends on the exact rules for OP_BRIBE. The process I see is: - sidechain miner submits a bribe transaction which pays to op bribe - bitcoin miner includes that transaction in his block (or it could be included in a previous block) - bitcoin miner includes a claim transaction in his block The claim transaction spends the outputs from the bribe transaction. If the claim transaction is block height locked, then it violates the rules that previous soft-forks have followed. For previous opcode changes there was a requirement that if a transaction was accepted into block N, then it must also be acceptable in block (N+1). The only (unavoidable) exceptions were double spends and coinbases outputs. This means that the same protection should be added to your claim transaction. You could do it by requiring all outputs of the claim transaction to start with <100> CHECK_SEQUENCE_VERIFY DROP ... This is only a few bytes extra at the start of the output script. This means you can't use witness or P2SH output types for any of the outputs, but that isn't that important. The point of the transaction is to make a payment. An alternative would be to just add the rule as part of soft-fork definition. You could define a claim transaction as one that spends at least one OP_BRIBE output and therefore, all its outputs have a 100 block delay. [-- Attachment #2: Type: text/html, Size: 6133 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-24 8:50 ` Tier Nolan 2017-05-24 10:05 ` Tier Nolan @ 2017-06-18 14:36 ` Chris Stewart 2017-06-18 21:27 ` CryptAxe 1 sibling, 1 reply; 43+ messages in thread From: Chris Stewart @ 2017-06-18 14:36 UTC (permalink / raw) To: Tier Nolan; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 4981 bytes --] >OP_RETURN <sidechain_id> <critical hash> I think it is redundant here to have the <sidechain id>, we can implicitly assume what the sidechain_id is since we have a fixed set of drivechains. I.e. mining reward is index 0, mimblewimble sidechain is index 1, etc. CryptAxe has specific indexes defined already in his implementation: https://github.com/drivechain-project/bitcoin/blob/mainchainBMM/src/sidechain.h#L26-L30 . I think it would be wise to include a version byte to allow us to upgrade this commitment structure in the future. Similar to how witness program's are now versioned. ><block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY If <block height> is an argument that OP_BRIBE_VERIFY takes, doesn't that mean the mainchain miner has to validate this *is* the actual block height on the sidechain? Does that take the 'blindness' away from BMM? Overall, I think we need to work on the commitment structure to the coinbase tx. If I understand the current implementation correctly we can have up to 256 OP_RETURNs embedded in the coinbase tx signifying new blocks mined on drivechains.. this seems less than ideal. It might be prudent to make these outputs ANYONECANSPEND, and then have miners spending these outputs to themselves for every block mined.. maybe this doesn't have a benefit over using OP_RETURNs though? The structure could be something like: <version> <critical hash> and then in a subsequent block the miner spends that output to themselves. I will admit I'm not super familiar with how OP_RETURNs work with the UTXO set -- maybe this scheme doesn't have any benefit. -Chris On Wed, May 24, 2017 at 3:50 AM, Tier Nolan via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > On Tue, May 23, 2017 at 3:22 PM, Paul Sztorc <truthcoin@gmail•com> wrote: > >> >> If you haven't seen http://www.truthcoin.info/blog/drivechain/ , that is >> probably the most human-readable description. >> > > I guess I was looking for the detail you get in the code, but without > having to read the code. > > My quick reading gives that the sidechain codes (critical hashes) are > added when a coinbase is processed. > > Any coinbase output that has the form "OP_RETURN <32 byte push>" counts as > a potential critical hash. > > When the block is processed, the key value pair (hash, block_height) is > added to a hash map. > > The OP_BRIBE opcode checks that the given hash is in the hash map and > replaces the top element on the stack with the pass/fail result. > > It doesn't even check that the height matches the current block, though > there is a comment that that is a TODO. > > I agree with ZmnSCPxj, when updating a nop, you can't change the stack. > It has to fail the script or do nothing. > > OP_BRIBE_VERIFY would cause the script to fail if the hash wasn't in the > coinbase, or cause a script failure otherwise. > > Another concern is that you could have multiple bribes for the same chain > in a single coinbase. That isn't fair and arguably what the sidechain > miner is paying for is to get his hash exclusively into the block. > > I would suggest that the output is > > OP_RETURN <sidechain_id> <critical hash> > > Then add the rule that only the first hash with a particular sidechain id > actually counts. > > This forces the miner to only accept the bribe from 1 miner for each > sidechain for each block. If he tries to accept 2, then only the first one > counts. > > OP_BRIBE_VERIFY could then operate as follows > > <block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY > > This causes the script to fail if > <block height> does not match the block height, or > <critical hash> is not the hash for the sidechain with <sidechain_id>, or > there is no hash for that sidechain in the block's coinbase > > If you want reduce the number of drops, you could serialize the info into > a single push. > > This has the advantage that a sidechain miner only has to pay if his block > is accepted in the next bitcoin block. Since he is the only miner for that > sidechain that gets into the main bitcoin block, he is pretty much > guaranteed to form the longest chain. > > Without that rule, sidechain miners could end up having to pay even though > it doesn't make their chain the longest. > > How are these transactions propagated over the network? For relaying, you > could have the rule that the opcode passes as long as <block height> is > near the current block height. Maybe require that they are in the future. > They should be removed from the memory pool once the block height has > arrived, so losing miners can re-spend those outputs. > > This opcode can be validated without needing to look at other blocks, > which is good for validating historical blocks. > > I am still looking at the deposit/withdrawal code. > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 7372 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-06-18 14:36 ` Chris Stewart @ 2017-06-18 21:27 ` CryptAxe [not found] ` <CAGL6+mGZZ=wG8P_DNj3PXVf==mLjJwA_bESh0_UdH2iVBY7GQA@mail.gmail.com> 0 siblings, 1 reply; 43+ messages in thread From: CryptAxe @ 2017-06-18 21:27 UTC (permalink / raw) To: bitcoin-dev > >OP_RETURN <sidechain_id> <critical hash> > > I think it is redundant here to have the <sidechain id>, we can > implicitly assume what the sidechain_id is since we have a fixed set > of drivechains. I.e. mining reward is index 0, mimblewimble sidechain > is index 1, etc. CryptAxe has specific indexes defined already in his > implementation: > https://github.com/drivechain-project/bitcoin/blob/mainchainBMM/src/sidechain.h#L26-L30. > Since the sidechain has the sidechain BMM headers that they want the LD (bribe) data for, I think that they could specifically request LD data relevant only to that sidechain by providing a list of hashes to the mainchain, and the mainchain can return a list of boolean values telling the sidechain if the LD data exists. That way the data never even has to go over the network, just a verification that it exists on the mainchain and we can drop the sidechain_id from the script. > I think it would be wise to include a version byte to allow us to > upgrade this commitment structure in the future. Similar to how > witness program's are now versioned. Agreed, we need that. > > ><block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY > > If <block height> is an argument that OP_BRIBE_VERIFY takes, doesn't > that mean the mainchain miner has to validate this *is* the actual > block height on the sidechain? Does that take the 'blindness' away > from BMM? No, OP_BRIBE (the old version) didn't care about the block height. Where the blockheight was relevant is when bribe data is added to LD. In order to be added to LD, the bribe needed to either be a fork (block height less than the sidechain tip height) or extending the current side-chain (block height = sidechain tip height + 1). The goal of this was to allow for reorgs, and also make it so that people cannot skip forward (which would never be valid so it's a waste of time and space) so that the sidechain makes progress. With the new design that we have been talking about, I think that we will need to drop this requirement from the mainchain, and have the sidechain handle filtering out invalid LD data / only requesting the verification of LD data that they know to be valid as far as chain order goes. > > Overall, I think we need to work on the commitment structure to the > coinbase tx. Agreed. It might be helpful if you outlined the idea you had on IRC to the mailing list. > If I understand the current implementation correctly we can have up to > 256 OP_RETURNs embedded in the coinbase tx signifying new blocks mined > on drivechains.. this seems less than ideal. It might be prudent to > make these outputs ANYONECANSPEND, and then have miners spending these > outputs to themselves for every block mined.. maybe this doesn't have > a benefit over using OP_RETURNs though? > > The structure could be something like: > <version> <critical hash> > > and then in a subsequent block the miner spends that output to > themselves. I will admit I'm not super familiar with how OP_RETURNs > work with the UTXO set -- maybe this scheme doesn't have any benefit. > > -Chris I might be wrong but I thought that OP_RETURN outputs do not go into the UTXO set. Anyone else want to chime in? ^ permalink raw reply [flat|nested] 43+ messages in thread
[parent not found: <CAGL6+mGZZ=wG8P_DNj3PXVf==mLjJwA_bESh0_UdH2iVBY7GQA@mail.gmail.com>]
* Re: [bitcoin-dev] Drivechain -- Request for Discussion [not found] ` <CAGL6+mGZZ=wG8P_DNj3PXVf==mLjJwA_bESh0_UdH2iVBY7GQA@mail.gmail.com> @ 2017-06-19 15:41 ` Chris Stewart 0 siblings, 0 replies; 43+ messages in thread From: Chris Stewart @ 2017-06-19 15:41 UTC (permalink / raw) To: CryptAxe; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 8787 bytes --] > > Since the sidechain has the sidechain BMM headers that they want the LD > (bribe) data for, I think that they could specifically request LD data > relevant only to that sidechain by providing a list of hashes to the > mainchain, and the mainchain can return a list of boolean values telling > the sidechain if the LD data exists. That way the data never even has to > go over the network, just a verification that it exists on the mainchain > and > Since you seem to be talking about the initial block download process for the drivechain. It seems that we might as well request the set of *valid* blocks from a bitcoin peer first, since at the end of the day they are in control of the mining process on the sidechain. Here is what I envision: 1. Request all hashes for sidechain from a bitcoin peer 2. Request all sidechain block header's for the hashes the bitcoin peer gave us 3. Order the set of sidechain block headers by looking at hashPrevBlock. 4. Request full sidechain blocks and start validating against the consensus rule set of the sidechain we can drop the sidechain_id from the script. I agree the 'sidechain_id' is unneeded in the coinbase tx output. We should just fix these based on index. This should be reflected in my latest commit if we are talking about the same thing: https://github.com/Christewart/bitcoin/blob/c355e39fbe2ea48856ea86b25cb8a97710feb032/src/script/script.cpp#L254 and have the sidechain handle filtering out invalid LD data / > only requesting the verification of LD data that they know to be valid > as far as chain order goes. > I agree, the whole point of BMM is to have bitcoin miners indifferent to what happens in the sidechain (although Paul argues in a wonky way they do care sort of). If there is an invalid (in the sense the block it represents does *not* follow the sidechain's consensus rule set) OP_BRIBEVERIFY that pays *more* money than a valid OP_BRIBEVERIFY output, we need to assume that a 'blind' bitcoin miner will choose the one that pays them the most money. >I might be wrong but I thought that OP_RETURN outputs do not go into the UTXO set. Anyone else want to chime in? I'm fairly certain you are right. It just feels like we should be able to exploit the fact that *only* miners can claim these OP_BRIBEVERIFY outputs. I'll have to think about this more, maybe some one else can come up with something clever that exploits that fact. On Mon, Jun 19, 2017 at 10:24 AM, Chris Stewart <stewart.chris1234@gmail•com > wrote: > Since the sidechain has the sidechain BMM headers that they want the LD >> (bribe) data for, I think that they could specifically request LD data >> relevant only to that sidechain by providing a list of hashes to the >> mainchain, and the mainchain can return a list of boolean values telling >> the sidechain if the LD data exists. That way the data never even has to >> go over the network, just a verification that it exists on the mainchain >> and >> > > Since you seem to be talking about the initial block download process for > the drivechain. It seems that we might as well request the set of *valid* > blocks from a bitcoin peer first, since at the end of the day they are in > control of the mining process on the sidechain. Here is what I envision: > > 1. Request all hashes for sidechain from a bitcoin peer > 2. Request all sidechain block header's for the hashes the bitcoin > peer gave us > 3. Order the set of sidechain block headers by looking at > hashPrevBlock. > 4. Request full sidechain blocks and start validating against the > consensus rule set of the sidechain > > > we can drop the sidechain_id from the script. > > I agree the 'sidechain_id' is unneeded in the coinbase tx output. We > should just fix these based on index. This should be reflected in my latest > commit if we are talking about the same thing: https://github.com/ > Christewart/bitcoin/blob/c355e39fbe2ea48856ea86b25cb8a9 > 7710feb032/src/script/script.cpp#L254 > > > and have the sidechain handle filtering out invalid LD data / >> only requesting the verification of LD data that they know to be valid >> as far as chain order goes. >> > > I agree, the whole point of BMM is to have bitcoin miners indifferent to > what happens in the sidechain (although Paul argues in a wonky way they do > care sort of). If there is an invalid (in the sense the block it represents > does *not* follow the sidechain's consensus rule set) OP_BRIBEVERIFY that > pays *more* money than a valid OP_BRIBEVERIFY output, we need to assume > that a 'blind' bitcoin miner will choose the one that pays them the most > money. > > >I might be wrong but I thought that OP_RETURN outputs do not go into the > UTXO set. Anyone else want to chime in? > > I'm fairly certain you are right. It just feels like we should be able to > exploit the fact that *only* miners can claim these OP_BRIBEVERIFY outputs. > I'll have to think about this more, maybe some one else can come up with > something clever that exploits that fact. > > On Sun, Jun 18, 2017 at 4:27 PM, CryptAxe via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> > >OP_RETURN <sidechain_id> <critical hash> >> > >> > I think it is redundant here to have the <sidechain id>, we can >> > implicitly assume what the sidechain_id is since we have a fixed set >> > of drivechains. I.e. mining reward is index 0, mimblewimble sidechain >> > is index 1, etc. CryptAxe has specific indexes defined already in his >> > implementation: >> > https://github.com/drivechain-project/bitcoin/blob/mainchain >> BMM/src/sidechain.h#L26-L30. >> > >> >> Since the sidechain has the sidechain BMM headers that they want the LD >> (bribe) data for, I think that they could specifically request LD data >> relevant only to that sidechain by providing a list of hashes to the >> mainchain, and the mainchain can return a list of boolean values telling >> the sidechain if the LD data exists. That way the data never even has to >> go over the network, just a verification that it exists on the mainchain >> and we can drop the sidechain_id from the script. >> >> >> > I think it would be wise to include a version byte to allow us to >> > upgrade this commitment structure in the future. Similar to how >> > witness program's are now versioned. >> >> Agreed, we need that. >> >> >> > >> > ><block height> <sidechain_id> <critical hash> OP_BRIBE_VERIFY >> > >> > If <block height> is an argument that OP_BRIBE_VERIFY takes, doesn't >> > that mean the mainchain miner has to validate this *is* the actual >> > block height on the sidechain? Does that take the 'blindness' away >> > from BMM? >> >> No, OP_BRIBE (the old version) didn't care about the block height. Where >> the blockheight was relevant is when bribe data is added to LD. In order >> to be added to LD, the bribe needed to either be a fork (block height >> less than the sidechain tip height) or extending the current side-chain >> (block height = sidechain tip height + 1). The goal of this was to allow >> for reorgs, and also make it so that people cannot skip forward (which >> would never be valid so it's a waste of time and space) so that the >> sidechain makes progress. With the new design that we have been talking >> about, I think that we will need to drop this requirement from the >> mainchain, and have the sidechain handle filtering out invalid LD data / >> only requesting the verification of LD data that they know to be valid >> as far as chain order goes. >> >> >> > >> > Overall, I think we need to work on the commitment structure to the >> > coinbase tx. >> >> Agreed. It might be helpful if you outlined the idea you had on IRC to >> the mailing list. >> >> >> > If I understand the current implementation correctly we can have up to >> > 256 OP_RETURNs embedded in the coinbase tx signifying new blocks mined >> > on drivechains.. this seems less than ideal. It might be prudent to >> > make these outputs ANYONECANSPEND, and then have miners spending these >> > outputs to themselves for every block mined.. maybe this doesn't have >> > a benefit over using OP_RETURNs though? >> > >> > The structure could be something like: >> > <version> <critical hash> >> > >> > and then in a subsequent block the miner spends that output to >> > themselves. I will admit I'm not super familiar with how OP_RETURNs >> > work with the UTXO set -- maybe this scheme doesn't have any benefit. >> > >> > -Chris >> >> I might be wrong but I thought that OP_RETURN outputs do not go into the >> UTXO set. Anyone else want to chime in? >> >> >> >> >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > > [-- Attachment #2: Type: text/html, Size: 11848 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-22 16:19 ` Paul Sztorc 2017-05-22 19:12 ` Tier Nolan @ 2017-05-23 0:13 ` ZmnSCPxj 2017-05-23 14:12 ` Paul Sztorc 1 sibling, 1 reply; 43+ messages in thread From: ZmnSCPxj @ 2017-05-23 0:13 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 5447 bytes --] Good morning, >What you read is only an introduction of BMM. You may also consult the notes (at the bottom of the BMM post) or the code, although this is time consuming of course. Looking over the code, I have a question: Is OP_BRIBE supposed to be softforked in, or hardforked? From my understanding, the code as published in your linked github cannot be softforked in, since it is not a softfork-compatible replacement for OP_NOP: it replaces the stack top value with a 0/1 value. Both CLTV and CSV do not touch the stack, only flag an error if they fail. (What happens if the h* to be put in the coinbase, by chance - even very unlikely chance - is 0? Then <h*> OP_NOP4 is not the same as <h*> OP_BRIBE scripts in result - the former will be rejected by old nodes, the latter will be accepted by new nodes) Does Drivechain require a hardfork? My understanding is that you want to use some kind of softforked anyone-can-spend transaction to use Drivechain. So I don't quite understand why OP_BRIBE is written the way it is. Is OP_BRIBE the same as the OP_h_is_in_coinbase operation you described? How is OP_BRIBE superior to just using a <h*> OP_RETURN script? Cannot a sidechain scan the block for OP_RETURN attesting that the block hash is present in the block? OP_BRIBE encodes <h*> twice (once in the transaction, once in the coinbase), OP_RETURN encodes it once (once in the transaction) >The literal answer to your question is that mainchain Bitcoin will notice that, for the second withdrawal, the sum of the inputs is less than the sum of the outputs and they the transaction is therefore invalid. You misunderstand. The first withdrawal was done by double-spending, and exchanging your sidechain funds for mainchain funds using some off-chain method. The second withdrawal is done on-chain. That said, I confused OP_h_is_in_coinbase as your method of getting out of the sidechain into the mainchain. It seems, OP_h_is_in_coinbase is only for blind mining? >I feel that my proposal is more secure, as it can operate healthily and quickly while using spv proofs which are much slower and much much easier to audit. I don't quite understand how Drivechain handles sidechain reorgs, while keeping Bitcoin miners blinded. It seems sidechains need to be known ("seen") by the miner, so I don't see what is being blinded by blinded merge mining. >>seems to me that your OP_is_h_in_coinbase should scan a series of sidechain block headers backed by mainchain (meaning at the minimum that sidechains should have some common header format prefix), rather than just mainchain depth as your article seems to imply. > >How would security be improved as a result? In either case, 51% of hashrate can cause a reorg. The sidechain software itself does scan block headers, of course. I misunderstand the purpose of your OP_is_h_in_coinbase, sorry. >>Blind merged mining seems strictly inferior ... a rich attacker can simply reorg the sidechain outright without playing such games. > >In the future, when there is no block subsidy, a rich attacker can also do that in mainchain Bitcoin. I see. However, block subsidies will drop far in the future, do you mean to say, that sidechains will be used only in the far future? >>How does your proposal handle multiple side block creators on the same sidechain, with the possibility that chain splits occur? > >The side block is only "mined" if it is committed to in a mainchain Bitcoin blog, and each mainchain block can only contain one block per sidechain. In this way, drivechain sidechains are different from classical Namecoin merged mining (where one _could_ run the entire system, mining included, without interfacing with Bitcoin at all). I assume you mean "mainchain Bitcoin block" here. What mechanism ensures only one mainchain block can contain only one sidechain block? It seems, this isn't implemented by OP_BRIBE yet. Can you elaborate on this mechanism? >>Regarding your dig about people who dislike data centers, the main issue with miners blindly accepting sidechain commitments is that it violates "Don't trust, verify", not that allows datacenters to be slightly smaller by not including side:nodes. > >As I explain early on, in earlier rounds of peer review, the focus was on harms the sidechain technology might do to mainchain Bitcoin, and the "datacenter point" was specifically the chief objection raised. So I am afraid you are entirely incorrect. I see. It seems, the main problem, is that sidechains can be used to sneak in block size increases. Of course, the advantage of sidechains, is that when it increases block size irresponsibly, only those who participated in the sidechain will suffer. >In point of fact, the transactions *are* validated...by sidechain full nodes, same as Bitcoin proper. But from blind merge mining by itself, how would the blinded merge miner know that there exists an actual sidechain full node that actually did validation? It seems, that the "blinding" in merge mining does not seem to be at all useful without the miner actually seeing the sidechain. If you want miners to upgrade to side:fullnode as well, what would then be the point of blinding? Why not just ordinary merge mining? Perhaps the datacenter point is simply that your proposal suggests to reduce the size of the datacenter by removing surge suppressors and UPS's, to avoid some definition of "datacenter is a room with >$XXX of equipment". Regards, ZmnSCPxj [-- Attachment #2: Type: text/html, Size: 6646 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-23 0:13 ` ZmnSCPxj @ 2017-05-23 14:12 ` Paul Sztorc 2017-05-23 23:26 ` ZmnSCPxj 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-05-23 14:12 UTC (permalink / raw) To: ZmnSCPxj; +Cc: Bitcoin Dev On 5/22/2017 8:13 PM, ZmnSCPxj wrote: > Good morning, > > > >>What you read is only an introduction of BMM. You may also consult the > notes (at the bottom of the BMM post) or the code, although this is time > consuming of course. > > Looking over the code, I have a question: Is OP_BRIBE supposed to be > softforked in, or hardforked? Softforked, of course. From my understanding, the code as > published in your linked github cannot be softforked in, since it is not > a softfork-compatible replacement for OP_NOP: it replaces the stack top > value with a 0/1 value. Both CLTV and CSV do not touch the stack, only > flag an error if they fail. Your understanding may exceed my own. I don't understand the principle of your distinction, as it seems to me that one could add a new protocol rule which says that the block is invalid unless the OP Code does results in arbitrary-item-x. The intent is to mimic CLTV or CSV behavior, by causing something that would otherwise succeed, to fail, if arbitrary new conditions are met. > > (What happens if the h* to be put in the coinbase, by chance - even very > unlikely chance - is 0? Then <h*> OP_NOP4 is not the same as <h*> > OP_BRIBE scripts in result - the former will be rejected by old nodes, > the latter will be accepted by new nodes) That would indeed be a bug, if it happened as you described. I will check when I get the chance, thanks. > > Is OP_BRIBE the same as the OP_h_is_in_coinbase operation you described? Yes. Sorry if that was confusing. > > How is OP_BRIBE superior to just using a <h*> OP_RETURN script? Cannot > a sidechain scan the block for OP_RETURN attesting that the block hash > is present in the block? The sidechain software can indeed, but the mainchain software cannot (without making validation of both chains part of the mainchain, which defeats the original purpose of sidechains). The purpose of OP_BRIBE is to allow "Sam" (on the sidechain) and "Mary" (a mainchain miner) to work together. Sam would pay X BTC to Mary, if Mary could provide Sam with some guarantee that Sam's sidechain block [defined by h*] would make it into the largest chain. So, as I see it, this needs to be a mainchain consensus rule, but one which enforces the bare minimum criteria. > >>The literal answer to your question is that mainchain Bitcoin will > notice that, for the second withdrawal, the sum of the inputs is less > than the sum of the outputs and they the transaction is therefore invalid. > > You misunderstand. The first withdrawal was done by double-spending, > and exchanging your sidechain funds for mainchain funds using some > off-chain method. The second withdrawal is done on-chain. If A, B, and C are transacting, and each has an account on both chains. Then your example would be something like: 1. main:A sends 100 to side:A, then transfers 100 to side:B in exchange for B's good or service (provided on the sidechain) 2. side:B attempts to move side-to-main with the 100 BTC, using the lightning network. He swaps 100 side:BTC for 100 of C's main:BTC. 3. C attempts to move side-to-main, using the slow, settlement method. 4. C's side-to-main sidechain tx (wt) is bundled with others and becomes a withdrawal attempt (WT^) 5. The WT^ attempt is initiated on the mainchain. 6. After a waiting period, the WT^ begins to accumulate ACKs or NACKs (upvotes / downvotes), on the mainchain. 7. The transaction either succeeds or fails. I'm not sure, but your question seems to concern B, who exploits a reorg that happens just after step 2. After the reorg, the sidechain chain history will have a different side-to-main withdrawal in part 3. The time between each of these step is very long, on the order of weeks (summing to a length of time totaling months), for exactly this reason (as well as to encourage people to avoid using this 'formal' method, in favor of the cooperative LN and Atomic Swaps). I think that this principle of scale (ie, very VERY slow withdrawals) is important and actually makes the security categorically different. For extraordinary DAO-like situations, disinterested mainchain miners merely need a single bit of information (per sidechain), which is "distress=true", and indicates to them to temporarily stop ACKing withdrawals from the sidechain. This alone is enough to give the reorg an unlimited amount of time to work itself out. > > That said, I confused OP_h_is_in_coinbase as your method of getting out > of the sidechain into the mainchain. It seems, OP_h_is_in_coinbase is > only for blind mining? Correct > > > >>I feel that my proposal is more secure, as it can operate healthily and > quickly while using spv proofs which are much slower and much much > easier to audit. > > I don't quite understand how Drivechain handles sidechain reorgs, while > keeping Bitcoin miners blinded. It seems sidechains need to be known > ("seen") by the miner, so I don't see what is being blinded by blinded > merge mining. Mainchain miners do need to maintain some data about the sidechains, but this is very minimal, and certainly does not include the transaction data (or arbitrary messages) of the sidechain. > > >>>seems to me that your OP_is_h_in_coinbase should scan a series of > sidechain block headers backed by mainchain (meaning at the minimum that > sidechains should have some common header format prefix), rather than > just mainchain depth as your article seems to imply. >> >>How would security be improved as a result? In either case, 51% of > hashrate can cause a reorg. The sidechain software itself does scan > block headers, of course. > > I misunderstand the purpose of your OP_is_h_in_coinbase, sorry. > No problem. > >>>Blind merged mining seems strictly inferior ... a rich attacker can > simply reorg the sidechain outright without playing such games. >> >>In the future, when there is no block subsidy, a rich attacker can also > do that in mainchain Bitcoin. > > I see. However, block subsidies will drop far in the future, do you > mean to say, that sidechains will be used only in the far future? In one sense, I mean "you have already endorsed this 'fees only will work' premise, by endorsing Bitcoin". In another sense I mean "isn't it great that you will get a tiny preview, today, of future-Bitcoin's behavior?". > >>>How does your proposal handle multiple side block creators on the same > sidechain, with the possibility that chain splits occur? >> >>The side block is only "mined" if it is committed to in a mainchain > Bitcoin blog, and each mainchain block can only contain one block per > sidechain. In this way, drivechain sidechains are different from > classical Namecoin merged mining (where one _could_ run the entire > system, mining included, without interfacing with Bitcoin at all). > > I assume you mean "mainchain Bitcoin block" here. > > What mechanism ensures only one mainchain block can contain only one > sidechain block? It seems, this isn't implemented by OP_BRIBE yet. Can > you elaborate on this mechanism? That mechanism is enforced by drivechain itself, not OP_BRIBE. (OP Bribe is itself only ~half of BMM. I admit it is getting a little confusing.) Drivechain requires a soft fork to add each new sidechain. It requires this literally for a few good reasons...but the best is: there is an implicit requirement that the miners not steal from the sidechain anyway. In this way drivechain knows how to keep track of what it should expect. > > >>>Regarding your dig about people who dislike data centers, the main > issue with miners blindly accepting sidechain commitments is that it > violates "Don't trust, verify", not that allows datacenters to be > slightly smaller by not including side:nodes. >> >>As I explain early on, in earlier rounds of peer review, the focus was > on harms the sidechain technology might do to mainchain Bitcoin, and the > "datacenter point" was specifically the chief objection raised. So I am > afraid you are entirely incorrect. > > I see. It seems, the main problem, is that sidechains can be used to > sneak in block size increases. Of course, the advantage of sidechains, > is that when it increases block size irresponsibly, only those who > participated in the sidechain will suffer. Precisely. > >>In point of fact, the transactions *are* validated...by sidechain full > nodes, same as Bitcoin proper. > > But from blind merge mining by itself, how would the blinded merge miner > know that there exists an actual sidechain full node that actually did > validation? > > It seems, that the "blinding" in merge mining does not seem to be at all > useful without the miner actually seeing the sidechain. If you want > miners to upgrade to side:fullnode as well, what would then be the point > of blinding? Why not just ordinary merge mining? > > Perhaps the datacenter point is simply that your proposal suggests to > reduce the size of the datacenter by removing surge suppressors and > UPS's, to avoid some definition of "datacenter is a room with >$XXX of > equipment". I hope that my replies above already help with these. If not, let me know. Thanks for your attention, Paul ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain -- Request for Discussion 2017-05-23 14:12 ` Paul Sztorc @ 2017-05-23 23:26 ` ZmnSCPxj 0 siblings, 0 replies; 43+ messages in thread From: ZmnSCPxj @ 2017-05-23 23:26 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 8113 bytes --] Good morning, >> (What happens if the h* to be put in the coinbase, by chance - even very >> unlikely chance - is 0? Then <h*> OP_NOP4 is not the same as <h*> >> OP_BRIBE scripts in result - the former will be rejected by old nodes, >> the latter will be accepted by new nodes) > >That would indeed be a bug, if it happened as you described. I will >check when I get the chance, thanks. Indeed, this is the reason why CLTV and CSV do not pop off their parameters when executed, and require a subsequent OP_DROP. I suggest, that OP_BRIBE should not manipulate stack (pop, then push 0/1); my understanding is that this requirement is necessary for compatibility with old nodes, which will not manipulate stack on OP_NOP4. Instead, OP_BRIBE should imitate CLTV and CSV code, and raise an error in script execution if the check fails. >> >> How is OP_BRIBE superior to just using a <h*> OP_RETURN script? Cannot >> a sidechain scan the block for OP_RETURN attesting that the block hash >> is present in the block? > >The sidechain software can indeed, but the mainchain software cannot >(without making validation of both chains part of the mainchain, which >defeats the original purpose of sidechains). > >The purpose of OP_BRIBE is to allow "Sam" (on the sidechain) and "Mary" >(a mainchain miner) to work together. Sam would pay X BTC to Mary, if >Mary could provide Sam with some guarantee that Sam's sidechain block >[defined by h*] would make it into the largest chain. Regarding "largest chain", do you mean mainchain or sidechain? An OP_RETURN is still some guarantee that it will make it into the longest mainchain. If OP_RETURN tx is in a shorter mainchain but not on the longer mainchain, then on the longer mainchain, the utxo's funding the OP_RETURN tx is still unspent and the OP_RETURN tx will still be mineable by any miner following the longer mainchain. The X BTC would be the OP_RETURN transaction's fee, which Mary would still want to mine into the longest mainchain, as it is still money on the table if it is not mined on the longest mainchain. Or, does OP_BRIBE somehow assure that Sam's block goes onto the longer sidechain? But then, do not side blocks refer to their previous side block to define the sidechain? >1. main:A sends 100 to side:A, then transfers 100 to side:B in exchange >for B's good or service (provided on the sidechain) >2. side:B attempts to move side-to-main with the 100 BTC, using the >lightning network. He swaps 100 side:BTC for 100 of C's main:BTC. >3. C attempts to move side-to-main, using the slow, settlement method. >4. C's side-to-main sidechain tx (wt) is bundled with others and becomes >a withdrawal attempt (WT^) >5. The WT^ attempt is initiated on the mainchain. >6. After a waiting period, the WT^ begins to accumulate ACKs or NACKs >(upvotes / downvotes), on the mainchain. >7. The transaction either succeeds or fails. > >I'm not sure, but your question seems to concern B, who exploits a reorg >that happens just after step 2. After the reorg, the sidechain chain >history will have a different side-to-main withdrawal in part 3. The >time between each of these step is very long, on the order of weeks >(summing to a length of time totaling months), for exactly this reason >(as well as to encourage people to avoid using this 'formal' method, in >favor of the cooperative LN and Atomic Swaps). > >I think that this principle of scale (ie, very VERY slow withdrawals) is >important and actually makes the security categorically different. I see. Is there some predictable schedule for side->main withdrawals? If a withdrawal is imminent, or if some actor can get "insider information" about whether a withdrawal is imminent, cannot some actor induce the above, with potentially shorter time to reach step 3? From my reading, Blockstream's sidechains proposal supports a reorg proof after a side->main withdrawal on the mainchain side, with a reorg proof burn window after the main:side->main withdrawal, preventing its utxo from being used. If the reorg proof is published and shows that a sidechain reorg invalidates a particular side->main withdrawal, then the main:side->main withdrawal's utxo is burned. >For extraordinary DAO-like situations, disinterested mainchain miners >merely need a single bit of information (per sidechain), which is >"distress=true", and indicates to them to temporarily stop ACKing >withdrawals from the sidechain. This alone is enough to give the reorg >an unlimited amount of time to work itself out. Do you have some document containing these details? I cannot find this in the blog posts I've read so far. >>>I feel that my proposal is more secure, as it can operate healthily and >> quickly while using spv proofs which are much slower and much much >> easier to audit. >> >> I don't quite understand how Drivechain handles sidechain reorgs, while >> keeping Bitcoin miners blinded. It seems sidechains need to be known >> ("seen") by the miner, so I don't see what is being blinded by blinded >> merge mining. > >Mainchain miners do need to maintain some data about the sidechains, but >this is very minimal, and certainly does not include the transaction >data (or arbitrary messages) of the sidechain. As above, do you have document containing what data mainchain needs to track? >>>>Blind merged mining seems strictly inferior ... a rich attacker can >> simply reorg the sidechain outright without playing such games. >>> >>>In the future, when there is no block subsidy, a rich attacker can also >> do that in mainchain Bitcoin. >> >> I see. However, block subsidies will drop far in the future, do you >> mean to say, that sidechains will be used only in the far future? > >In one sense, I mean "you have already endorsed this 'fees only will >work' premise, by endorsing Bitcoin". I endorse this on the basis of Greg Maxwell's analysis that a block size limit is necessary to have a fee market. >That mechanism is enforced by drivechain itself, not OP_BRIBE. (OP Bribe >is itself only ~half of BMM. I admit it is getting a little confusing.) Can you provide the details of this mechanism? For example, does h* actually include some information identifying the sidechain and OP_BRIBE is supposed to do some additional checking not shown in your current code, or ....? >Drivechain requires a soft fork to add each new sidechain Oh. My understanding is that with Blockstream's zk-SNARKs, a new sidechain would not require a soft fork at all (or even miner voting on the validity of WT^: the validity of side:side->main transactions is assured by proof that the zk-SNARK checking that transaction was executed correctly, and the lack of a reorg proof during the burn window after the main:side->main). Is your model then, that each sidechain maintainer has to maintain a patchset or some plugin system to Core? And miners who want to support particular sidechains to modify their software, applying the patch for each sidechain they want to support? It seems this is somewhat brittle and may cause sidechain coding problems to leak into mainchain. I think, it is much less interesting to have to softfork in every sidechain, rather than to support a general mechanism (zk-SNARK) to allow sidechains to be launched without any modification to Core code. >. It requires >this literally for a few good reasons...but the best is: there is an >implicit requirement that the miners not steal from the sidechain >anyway. In this way drivechain knows how to keep track of what it should >expect. It seems to be, more of "completely sighted merged mining" than "blind merge mining". >> Perhaps the datacenter point is simply that your proposal suggests to >> reduce the size of the datacenter by removing surge suppressors and >> UPS's, to avoid some definition of "datacenter is a room with >$XXX of >> equipment". > >I hope that my replies above already help with these. If not, let me know. I find this point now moot, as drivechains require a softfork for each sidechain, and the size of the datacenter is pointless if there is some need to softfork in every sidechain. Regards, ZmnXCPxj [-- Attachment #2: Type: text/html, Size: 10691 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* [bitcoin-dev] Drivechain RfD -- Follow Up 2017-05-22 6:17 [bitcoin-dev] Drivechain -- Request for Discussion Paul Sztorc 2017-05-22 13:33 ` Peter Todd 2017-05-22 14:39 ` ZmnSCPxj @ 2017-06-10 17:04 ` Paul Sztorc 2017-06-18 21:30 ` Tao Effect 2 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-06-10 17:04 UTC (permalink / raw) To: Bitcoin Dev Hi everyone, It has been 3 weeks -- responses so far have been really helpful. People jumped right in, and identified unfinished or missing parts much faster than I thought they would (ie, ~two days). Very impressive. Currently, we are working on the sidechain side of blind merged mining. As you know, most of the Bitcoin cryptosystem is about finding the longest chain, and displaying information about this chain. CryptAxe is editing the sidechain code to handle reorganizations in a new way (an even bigger departure than Namecoin's, imho). I believe that I have responded to all the on-list objections that were raised. I will 1st summarize the on-list objections, and 2nd summarize the off-list discussion (focusing on three key themes). On-List Objection Summary --------------------------- In general, they were: * Peter complained about the resources required for the BMM 'crisis audit', I pointed out that it is actually optional (and, therefore, free), and that it doesn't affect miners relative to each other, and that it can be done in an ultra-cheap semi-trusted way with high reliability. * Peter also asked about miner incentives, I replied that it is profit maximizing to BMM sidechains, because the equation (Tx Fees - Zero Cost) is always positive. * ZmnSCPxj asked a long series of clarifying questions, and I responded. * Tier Nolan complained about my equivocation of the "Bitcoin: no block subsidy" case and the "sidechain" case. He cites the asymmetry I point out below (in #2). I replied, and I give an answer below. * ZmnSCPxj pointed out an error in our OP Code (that we will fix). * ZmnSCPxj also asked a number of new questions, I responded. Then he responded again, in general he seemed to raise many of the points addressed in #1 (below). * ZmnSCPxj wanted reorg proofs, to punish reorgers, but I pointed out that if 51% can reorg, they can also filter out the reorg proof. We are at their mercy in all cases (for better or worse). * ZmnSCPxj also brought up the fact that a block size limit is necessary for a fee market, I pointed out that this limit does not need to be imposed on miners by nodes...miners would be willing-and-able to self-impose such a limit, as it maximizes their revenues. * ZmnSCPxj also protested the need to soft fork in each individual sidechain, I pointed out my strong disagreement ("Unrestrained smart contract execution will be the death of most of the interesting applications...[could] destabilize Bitcoin itself") and introduced my prion metaphor. * ZmnSCPxj and Tier Nolan both identified the problem solved by our 'ratchet' concept. I explained it to ZmnSCPxj in my reply. We had not coded it at the time, but there is code for it now [1]. Tier proposed a rachet design, but I think ours is better (Tier did not find ours at all, because it is buried in obscure notes, because I didn't think anyone would make it this far so quickly). * Tier also advised us on how to fix the problem that ZmnSCPxj had identified with our NOP earlier. * Tier also had a number of suggestions about the real-time negotiation of the OP Bribe amount between nodes and miners. I'm afraid I mostly ignored these for now, as we aren't there yet. * Peter complained that ACKing the sidechain could be exploited for political reasons, and I responded that in such a case, miners are free to simply avoid ACKing, or to acquiesce to political pressure. Neither affect the mainchain. * Peter complained that sidechains might provide some miners with the opportunity to create a pretext to kick other miners off the network. I replied that it would not, and I also brought up the fact that my Bitcoin security model was indifferent to which people happened to be mining at any given time. I continue to believe that "mining centralization" does not have a useful definition. * Peter questioned whether or not sidechains would be useful. I stated my belief that they would be useful, and linked to my site (drivechain.info/projects) which contains a number of sidechain use-cases, and cited my personal anecdotal experiences. * Peter wanted to involve miners "as little as possible", I pointed out that I felt that I had indeed done this minimization. My view is that Peter felt erroneously that it was possible to involve miners less, because he neglected [1] that a 51% miner group is already involved maximally, as they can create most messages and filter any message, and [2] that there are cases where we need miners to filter out harmful interactions among multiple chains (just as they filter out harmful interactions among multiple txns [ie, "double spends"]). Peter has not yet responded to this rebuttal. * Peter also suggested client-side validation as "safer", and I pointed out that sidechains+BMM _is_ client-side validation. I asked Peter for CS-V code, so that we can compare the safety and other features. * Sergio reminded us of his version of drivechain. Sergio and I disagree over the emphasis on frequency/speed of withdrawals. Also Sergio emphasizes a hybrid model, which does not interest me. If I missed any objections, I hope someone will point them out. Off-List / Three Points of Ongoing Confusion --------------------------------------------- Off list, I have repeated the a similar conversation perhaps 6-10 times over the past week. There is a cluster of remaining objections which centers around three topics -- speed, theft, and antifragility. I will reply here, and add the answers to my FAQ (drivechain.info/faq). 1. Speed This objection is voiced after I point out that side-to-main transfers ("withdrawals") will probably take a long time, for example 5 months each ( these are customizable parameters, and open for debate -- but if withdrawals are every x=3 months, and only x=1 withdrawal can make forward progress [on the mainchain] at a time, and only x=1 prospective withdrawal can be assembled [by the sidechain] at a time, then we can expect total withdrawal time to average 4.5 months [(.5)*3+3] ). The response is something like "won't such a system be too slow, and therefore unusable?". Imho, replies of this kind disregard the effect of atomic cross-chain swaps, which are instant. ( In addition, while side-to-main transfers are slow, main-to-side transfers are quite fast, x~=10 confirmations. I would go as far as to say that, just as the Lightning Network is enabled by SegWit and CSV, Drivechain is enabled by the atomic swaps and of Counterparty-like embedded consensus. ) Thanks to atomic swaps, someone can act as an investment banker or custodian, and purchase side:BTC at a (tiny, competitive discount) and then transfer those side-to-main at a minimal inconvenience (comparable to that of someone who buys a bank CD). Through market activities, the _entire system_ becomes exactly as patient as its most-patient members. As icing on the cake, people who aren't planning on using their BTC anytime soon (ie "the patient") can even get a tiny investment yield, in return for providing this service. 2. Security This objection usually says something like "Aren't you worried that 51% [hashrate] will steal the coins, given that mining is so centralized these days?" The logic of drivechain is to take a known fact -- that miners do not steal from exchanges (by coordinating to doublespend deposits to those exchanges) -- and generalize it to a new situation -- that [hopefully] miners will not steal from sidechains (by coordinating to make 'invalid' withdrawals from them). My generalization is slightly problematic, because "a large mainchain reorg today" would hit the entire Bitcoin system and de-confirm *all* of the network's transactions, whereas a sidechain-theft would hit only a small portion of the system. This asymmetry is a problem because of the 1:1 peg, which is explicitly symmetrical -- the thief makes off coins that are worth _just as much_ as those coins that he did _not_ attack. The side:BTC are therefore relatively more vulnerable to theft, which harms the generalization. As I've just explained, to correct this relative deficiency, we add extra inconvenience for any sidechain thievery, which is in this case the long long withdrawal time of several months. (Which is also the main distinction between DC and extension blocks). I cannot realistically imagine an erroneous withdrawal persisting for several weeks, let alone several months. First, over a timeframe of this duration, there can be no pretense of 'we made an innocent mistake', nor one that 'it is too inconvenient for us to fix this problem'. This requires the attacker to be part of an explicitly malicious conspiracy. Even in the conspiring case, I do not understand how miners would coordinate the distribution of the eventual "theft" payout, ~3 months from now -- if new hashrate comes online between now and then, does it get a portion? -- if today's hashrate closes down, does it get a reduced portion? -- who decides? I don't think that an algorithm can decide (without creating a new mechanism, which -I believe- would have to be powered by ongoing sustainable theft [which is impossible]), because the withdrawal (ie the "theft") has to be initiated, with a known destination, *before* it accumulates 3 months worth of acknowledgement. Even if hashrate were controlled exclusively by one person, such a theft would obliterate the sidechain-tx-fee revenue from all sidechains, for a start. It would also greatly reduce the market price of [mainchain] BTC, I feel, as it ends the sidechain experiment more-or-less permanently. And even _that_ dire situation can be defeated by UASF-style maneuvers, such as checkpointing. Even the threat of such maneuvers can be persuasive enough for them never to be needed (especially over long timeframes, which make these maneuvers convenient). A slightly more realistic worst-case scenario is that a monopolist imposes large fees on side-to-main transfers (which he contrives so that only he can provide). Unless the monopoly is permanent, market forces (atomic swaps) will still lower the fee to ultra-competitive levels, making this mostly pointless. 3. Antifragility There is an absolutely crucial distinction of "layers", which is often overlooked. Which is a shame, because its importance really cannot be understated. Taleb's concept of antifragility is explicitly fractal -- it has layers, and an upper layer can only be antifragile if it is composed of individual members of a lower layer who are each *fragile*. In one of my videos I give the example of NYC food providers -- it is _because_ the competition is so brutal, and because each individual NYC restaurant/supermarket/food-truck is so likely to fail, (and because there is no safety net to catch them if they do fail), that the consumer's experience is so positive (in NYC, you can find almost any kind of food, at any hour of the day, at any price, despite the fact that a staggering ~15 million people will be eating there each day). By this, I mean there is an absolutely crucial distinction between: 1. A problem with a sidechain that negatively impacts its parent chain. 2. A problem with a sidechain that only impacts the sidechain users. The first type of problem is unacceptable, but the second type of problem is actually _desirable_. If we wanted to have the best BTC currency unit possible, we would want everyone to try all kinds of things out, _especially_ the things that we think are terrible. We'd want lots of things to be tried, and for the losers to "fail fast". In practice I highly doubt the sidechain ecosystem would be anywhere near as dynamic as NYC or Silicon Valley. But certain questions, such as "What if a sidechain breaks / has DAO-like problems?"; "What if the sidechain has only a few nodes? Who will run them?"; "Who will maintain these projects?"; -- really just miss the point, I think. Ultimately, users can vote with their feet -- if the benefits of a sidechain outweigh its risks, some users will send some BTC there. It is a strict improvement over the current situation, where users would need to use an Altcoin to achieve as much. Users who aren't comfortable with the risks of new chains / new features, can simply decline to use them. Another Objection ------------------ Finally, two people raised an objection which I will call the "too popular" objection or "too big to fail (tbtf)". Something like "what if a *majority* of BTC is moved to one sidechain, and then that sidechain has some kind of problem?". One simple step would be to cap the quantity of BTC that can be moved to each sidechain, (at x=10% ? aka 210,000). Other than that, I would point out that Bitcoin has always been the "money of principle", and that we survived the MtGox announcement (in which ~850,000/12,400,000 = 6.85% of the total BTC were assumed to be stolen). I look forward to the continued feedback! Thank you all very much! Paul [1] https://github.com/drivechain-project/bitcoin/commit/c4beef5c2aa8e52d2c1e11de7c044528bbde6c60 On 5/22/2017 2:17 AM, Paul Sztorc wrote: > Dear list, > > I've been working on "drivechain", a sidechain enabling technology, for > some time. > > * The technical info site is here: www.drivechain.info > * The changes to Bitcoin are here: > https://github.com/drivechain-project/bitcoin/tree/mainchainBMM > * A Blank sidechain template is here: > https://github.com/drivechain-project/bitcoin/tree/sidechainBMM > > As many of you know, I've been seeking feedback in person, at various > conferences and meetups over the past year, most prominently Scaling > Milan. And I intend to continue to seek feedback at Consensus2017 this > week, so if you are in NYC please just walk up and start talking to me! > > But I also wanted to ask the list for feedback. Initially, I was > hesitant because I try not to consume reviewers' scarce time until the > author has put in a serious effort. However, I may have waiting too > long, as today it is actually quite close to a working release. > > > Scaling Implications > --------------------- > > This upgrade would have significant scaling implications. Since it is > the case that sidechains can be added by soft fork, and since each of > these chains will have its own blockspace, this theoretically removes > the blocksize limit from "the Bitcoin system" (if one includes > sidechains as part of such a system). People who want a LargeBlock > bitcoin can just move their BTC over to such a network [1], and their > txns will have no longer have an impact on "Bitcoin Core". Thus, even > though this upgrade does not actually increase "scalability" per se, it > may in fact put an end to the scalability debate...forever. > > This work includes the relatively new concept of "Blind Merged Mining" > [2] which I developed in January to allow SHA256^2 miners to merge-mine > these "drivechains", even if these miners aren't running the actual > sidechain software. The goal is to prevent sidechains from affecting the > levelness of the mining "playing field". BMM is conceptually similar to > ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not > required for drivechain, but it would address some of the last remaining > concerns. > > > Total Transaction Fees in the Far Future > ----------------------------------------- > > Some people feel that a maximum blocksize limit is needed to ensure that > future total equilibrium transaction fees are non-negligible. I > presented [4] on why I don't agree, 8 months ago. The reviewers I spoke > to over the last year have stopped bringing this complaint up, but I am > not sure everyone feels that way. > > > Juxtaposition with a recent "Scaling Compromise" > ------------------------------------------------- > > Recently, a scalability proposal began to circulate on social media. As > far as I could tell, it goes something like "immediately activate > SegWit, and then HF to double the nonwitness blockspace to 2MB within 12 > months". But such a proposal is quite meager, compared to a "LargeBlock > Drivechain". The drivechain is better on both fronts, as it would not > require a hardfork, and could *almost immediately* add _any_ amount of > extra blockspace (specifically, I might expect a BIP101-like LargeBlock > chain that has an 8 MB maxblocksize, which doubles every two years). > > In other words, I don't know why anyone would support that proposal over > mine. The only reasons would be either ignorance (ie, unfamiliarity with > drivechain) or because there are still nagging unspoken complaints about > drivechain which I apparently need to hear and address. > > > Other Thoughts > --------------- > > Unfortunately, anyone who worked on the "first generation" of sidechain > technology (the skiplist) or the "second generation" (federated / > Liquid), will find that this is very different. > > I will admit that I am very pessimistic about any conversation that > involves scalability. It is often said that "talking politics lowers > your IQ by 25 points". Bitcoin scalability conversations seem to drain > 50 points. (Instead of conversing, I think people should quietly work on > whatever they are passionate about until their problem either is solved, > or it goes away for some other reason, or until we all agree to just > stop talking about it.) > > Cheers, > Paul > > [1] http://www.drivechain.info/faq/#can-sidechains-really-help-with-scaling > [2] http://www.truthcoin.info/blog/blind-merged-mining/ > [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log > [4] > https://www.youtube.com/watch?v=YErLEuOi3xU&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=4 > ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-10 17:04 ` [bitcoin-dev] Drivechain RfD -- Follow Up Paul Sztorc @ 2017-06-18 21:30 ` Tao Effect 2017-06-19 16:04 ` Paul Sztorc 0 siblings, 1 reply; 43+ messages in thread From: Tao Effect @ 2017-06-18 21:30 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1.1: Type: text/plain, Size: 22361 bytes --] In Drivechain, 51% of miners have total control and ownership over all of the sidechain coins. The vision of Drivechain is to have many blockchains "plugged in" to the main chain. Today, well over 51% of miners are under the jurisdiction of a single government. Thus the effect of Drivechain appears to be the creation of a new kind of digital border imposed onto the network where everyone hands over ownership of their Bitcoins to a /single/ mining cartel when they wish to interact with /any/ sidechain. Drivechain would be a reasonable idea if that weren't the case, but since it is, Drivechain now introduces a very real possible future where Bitcoins can be confiscated by the Chinese government in exactly the same manner that the Chinese government today confiscates financial assets in other financial networks within China. One argument is that the psuedo-anonymity granted by Bitcoin addresses could theoretically make this less likely to happen, and while that is true, it is also true that every day Bitcoin becomes less and less psuedo-anonymous as governments invest in blockchain analysis tech [1]. How many high-profile confiscations — now via the Bitcoin-blockchain itself (no longer being able to blame a 3rd-party exchange) — is Bitcoin willing to tolerate and open itself up to? In a world before Drivechain: the worst that a 51% coalition can do is prevent you from spending your coins (censorship). In a world with Drivechain three things become true: 1. The Bitcoin network centralizes more, because more power (both financial power and power in terms of capability/control) is granted to miners. This is likely to have secondary consequences on the main-chain network as well (in terms of its price and ability to evolve). 2. A 51% coalition — and/or the government behind it — is now able to financially profit by confiscating coins. No longer is it just censorship, "asset forfeiture" — theft — becomes a real possibility for day-to-day Bitcoin users. 3. Drivechain limits user's existing choice when it comes to who is acting as custodian of their Bitcoins, from any trustworthy exchange, down to a single mining cartel under the control of a single set of laws. The argument given to this is that a UASF could be initiated to wrest control away from this cartel. I do not believe this addresses the concern at all. A UASF is a very big deal and extremely difficult to pull off correctly. Even when you have users behind you, it *requires* significant support from the miners themselves [2]. Therefore, I do not believe a UASF is a realistic possibility for recovery. I would only support Drivechain if all of these issue were addressed. Kind regards, Greg Slepak [1] EU Commits €5 Million to Fund Blockchain Surveillance Research — http://www.coindesk.com/eu-commits-e5-million-fund-blockchain-surveillance-research/ <http://www.coindesk.com/eu-commits-e5-million-fund-blockchain-surveillance-research/> [2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-June/014497.html <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-June/014497.html> -- Please do not email me anything that you are not comfortable also sharing with the NSA. > On Jun 10, 2017, at 10:04 AM, Paul Sztorc via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote: > > Hi everyone, > > It has been 3 weeks -- responses so far have been really helpful. People > jumped right in, and identified unfinished or missing parts much faster > than I thought they would (ie, ~two days). Very impressive. > > Currently, we are working on the sidechain side of blind merged mining. > As you know, most of the Bitcoin cryptosystem is about finding the > longest chain, and displaying information about this chain. CryptAxe is > editing the sidechain code to handle reorganizations in a new way (an > even bigger departure than Namecoin's, imho). > > I believe that I have responded to all the on-list objections that were > raised. I will 1st summarize the on-list objections, and 2nd summarize > the off-list discussion (focusing on three key themes). > > > On-List Objection Summary > --------------------------- > > In general, they were: > > * Peter complained about the resources required for the BMM 'crisis > audit', I pointed out that it is actually optional (and, therefore, > free), and that it doesn't affect miners relative to each other, and > that it can be done in an ultra-cheap semi-trusted way with high > reliability. > * Peter also asked about miner incentives, I replied that it is profit > maximizing to BMM sidechains, because the equation (Tx Fees - Zero Cost) > is always positive. > * ZmnSCPxj asked a long series of clarifying questions, and I responded. > * Tier Nolan complained about my equivocation of the "Bitcoin: no block > subsidy" case and the "sidechain" case. He cites the asymmetry I point > out below (in #2). I replied, and I give an answer below. > * ZmnSCPxj pointed out an error in our OP Code (that we will fix). > * ZmnSCPxj also asked a number of new questions, I responded. Then he > responded again, in general he seemed to raise many of the points > addressed in #1 (below). > * ZmnSCPxj wanted reorg proofs, to punish reorgers, but I pointed out > that if 51% can reorg, they can also filter out the reorg proof. We are > at their mercy in all cases (for better or worse). > * ZmnSCPxj also brought up the fact that a block size limit is necessary > for a fee market, I pointed out that this limit does not need to be > imposed on miners by nodes...miners would be willing-and-able to > self-impose such a limit, as it maximizes their revenues. > * ZmnSCPxj also protested the need to soft fork in each individual > sidechain, I pointed out my strong disagreement ("Unrestrained smart > contract execution will be the death of most of the interesting > applications...[could] destabilize Bitcoin itself") and introduced my > prion metaphor. > * ZmnSCPxj and Tier Nolan both identified the problem solved by our > 'ratchet' concept. I explained it to ZmnSCPxj in my reply. We had not > coded it at the time, but there is code for it now [1]. Tier proposed a > rachet design, but I think ours is better (Tier did not find ours at > all, because it is buried in obscure notes, because I didn't think > anyone would make it this far so quickly). > * Tier also advised us on how to fix the problem that ZmnSCPxj had > identified with our NOP earlier. > * Tier also had a number of suggestions about the real-time negotiation > of the OP Bribe amount between nodes and miners. I'm afraid I mostly > ignored these for now, as we aren't there yet. > * Peter complained that ACKing the sidechain could be exploited for > political reasons, and I responded that in such a case, miners are free > to simply avoid ACKing, or to acquiesce to political pressure. Neither > affect the mainchain. > * Peter complained that sidechains might provide some miners with the > opportunity to create a pretext to kick other miners off the network. I > replied that it would not, and I also brought up the fact that my > Bitcoin security model was indifferent to which people happened to be > mining at any given time. I continue to believe that "mining > centralization" does not have a useful definition. > * Peter questioned whether or not sidechains would be useful. I stated > my belief that they would be useful, and linked to my site > (drivechain.info/projects <http://drivechain.info/projects>) which contains a number of sidechain > use-cases, and cited my personal anecdotal experiences. > * Peter wanted to involve miners "as little as possible", I pointed out > that I felt that I had indeed done this minimization. My view is that > Peter felt erroneously that it was possible to involve miners less, > because he neglected [1] that a 51% miner group is already involved > maximally, as they can create most messages and filter any message, and > [2] that there are cases where we need miners to filter out harmful > interactions among multiple chains (just as they filter out harmful > interactions among multiple txns [ie, "double spends"]). Peter has not > yet responded to this rebuttal. > * Peter also suggested client-side validation as "safer", and I pointed > out that sidechains+BMM _is_ client-side validation. I asked Peter for > CS-V code, so that we can compare the safety and other features. > * Sergio reminded us of his version of drivechain. Sergio and I disagree > over the emphasis on frequency/speed of withdrawals. Also Sergio > emphasizes a hybrid model, which does not interest me. > > If I missed any objections, I hope someone will point them out. > > > Off-List / Three Points of Ongoing Confusion > --------------------------------------------- > > Off list, I have repeated the a similar conversation perhaps 6-10 times > over the past week. There is a cluster of remaining objections which > centers around three topics -- speed, theft, and antifragility. I will > reply here, and add the answers to my FAQ (drivechain.info/faq <http://drivechain.info/faq>). > > 1. Speed > > This objection is voiced after I point out that side-to-main transfers > ("withdrawals") will probably take a long time, for example 5 months > each ( these are customizable parameters, and open for debate -- but if > withdrawals are every x=3 months, and only x=1 withdrawal can make > forward progress [on the mainchain] at a time, and only x=1 prospective > withdrawal can be assembled [by the sidechain] at a time, then we can > expect total withdrawal time to average 4.5 months [(.5)*3+3] ). The > response is something like "won't such a system be too slow, and > therefore unusable?". > > Imho, replies of this kind disregard the effect of atomic cross-chain > swaps, which are instant. > > ( In addition, while side-to-main transfers are slow, main-to-side > transfers are quite fast, x~=10 confirmations. I would go as far as to > say that, just as the Lightning Network is enabled by SegWit and CSV, > Drivechain is enabled by the atomic swaps and of Counterparty-like > embedded consensus. ) > > Thanks to atomic swaps, someone can act as an investment banker or > custodian, and purchase side:BTC at a (tiny, competitive discount) and > then transfer those side-to-main at a minimal inconvenience (comparable > to that of someone who buys a bank CD). Through market activities, the > _entire system_ becomes exactly as patient as its most-patient members. > As icing on the cake, people who aren't planning on using their BTC > anytime soon (ie "the patient") can even get a tiny investment yield, in > return for providing this service. > > > 2. Security > > This objection usually says something like "Aren't you worried that 51% > [hashrate] will steal the coins, given that mining is so centralized > these days?" > > The logic of drivechain is to take a known fact -- that miners do not > steal from exchanges (by coordinating to doublespend deposits to those > exchanges) -- and generalize it to a new situation -- that [hopefully] > miners will not steal from sidechains (by coordinating to make 'invalid' > withdrawals from them). > > My generalization is slightly problematic, because "a large mainchain > reorg today" would hit the entire Bitcoin system and de-confirm *all* of > the network's transactions, whereas a sidechain-theft would hit only a > small portion of the system. This asymmetry is a problem because of the > 1:1 peg, which is explicitly symmetrical -- the thief makes off coins > that are worth _just as much_ as those coins that he did _not_ attack. > The side:BTC are therefore relatively more vulnerable to theft, which > harms the generalization. > > As I've just explained, to correct this relative deficiency, we add > extra inconvenience for any sidechain thievery, which is in this case > the long long withdrawal time of several months. (Which is also the main > distinction between DC and extension blocks). > > I cannot realistically imagine an erroneous withdrawal persisting for > several weeks, let alone several months. First, over a timeframe of this > duration, there can be no pretense of 'we made an innocent mistake', nor > one that 'it is too inconvenient for us to fix this problem'. This > requires the attacker to be part of an explicitly malicious conspiracy. > Even in the conspiring case, I do not understand how miners would > coordinate the distribution of the eventual "theft" payout, ~3 months > from now -- if new hashrate comes online between now and then, does it > get a portion? -- if today's hashrate closes down, does it get a reduced > portion? -- who decides? I don't think that an algorithm can decide > (without creating a new mechanism, which -I believe- would have to be > powered by ongoing sustainable theft [which is impossible]), because the > withdrawal (ie the "theft") has to be initiated, with a known > destination, *before* it accumulates 3 months worth of acknowledgement. > > Even if hashrate were controlled exclusively by one person, such a theft > would obliterate the sidechain-tx-fee revenue from all sidechains, for a > start. It would also greatly reduce the market price of [mainchain] BTC, > I feel, as it ends the sidechain experiment more-or-less permanently. > > And even _that_ dire situation can be defeated by UASF-style maneuvers, > such as checkpointing. Even the threat of such maneuvers can be > persuasive enough for them never to be needed (especially over long > timeframes, which make these maneuvers convenient). > > A slightly more realistic worst-case scenario is that a monopolist > imposes large fees on side-to-main transfers (which he contrives so that > only he can provide). Unless the monopoly is permanent, market forces > (atomic swaps) will still lower the fee to ultra-competitive levels, > making this mostly pointless. > > > 3. Antifragility > > There is an absolutely crucial distinction of "layers", which is often > overlooked. Which is a shame, because its importance really cannot be > understated. > > Taleb's concept of antifragility is explicitly fractal -- it has layers, > and an upper layer can only be antifragile if it is composed of > individual members of a lower layer who are each *fragile*. In one of my > videos I give the example of NYC food providers -- it is _because_ the > competition is so brutal, and because each individual NYC > restaurant/supermarket/food-truck is so likely to fail, (and because > there is no safety net to catch them if they do fail), that the > consumer's experience is so positive (in NYC, you can find almost any > kind of food, at any hour of the day, at any price, despite the fact > that a staggering ~15 million people will be eating there each day). > > By this, I mean there is an absolutely crucial distinction between: > > 1. A problem with a sidechain that negatively impacts its parent chain. > 2. A problem with a sidechain that only impacts the sidechain users. > > The first type of problem is unacceptable, but the second type of > problem is actually _desirable_. > > If we wanted to have the best BTC currency unit possible, we would want > everyone to try all kinds of things out, _especially_ the things that we > think are terrible. We'd want lots of things to be tried, and for the > losers to "fail fast". > > In practice I highly doubt the sidechain ecosystem would be anywhere > near as dynamic as NYC or Silicon Valley. But certain questions, such as > "What if a sidechain breaks / has DAO-like problems?"; "What if the > sidechain has only a few nodes? Who will run them?"; "Who will maintain > these projects?"; -- really just miss the point, I think. > > Ultimately, users can vote with their feet -- if the benefits of a > sidechain outweigh its risks, some users will send some BTC there. It is > a strict improvement over the current situation, where users would need > to use an Altcoin to achieve as much. Users who aren't comfortable with > the risks of new chains / new features, can simply decline to use them. > > > Another Objection > ------------------ > > Finally, two people raised an objection which I will call the "too > popular" objection or "too big to fail (tbtf)". Something like "what if > a *majority* of BTC is moved to one sidechain, and then that sidechain > has some kind of problem?". > > One simple step would be to cap the quantity of BTC that can be moved to > each sidechain, (at x=10% ? aka 210,000). > > Other than that, I would point out that Bitcoin has always been the > "money of principle", and that we survived the MtGox announcement (in > which ~850,000/12,400,000 = 6.85% of the total BTC were assumed to be > stolen). > > I look forward to the continued feedback! Thank you all very much! > > Paul > > [1] > https://github.com/drivechain-project/bitcoin/commit/c4beef5c2aa8e52d2c1e11de7c044528bbde6c60 <https://github.com/drivechain-project/bitcoin/commit/c4beef5c2aa8e52d2c1e11de7c044528bbde6c60> > > > On 5/22/2017 2:17 AM, Paul Sztorc wrote: >> Dear list, >> >> I've been working on "drivechain", a sidechain enabling technology, for >> some time. >> >> * The technical info site is here: www.drivechain.info >> * The changes to Bitcoin are here: >> https://github.com/drivechain-project/bitcoin/tree/mainchainBMM >> * A Blank sidechain template is here: >> https://github.com/drivechain-project/bitcoin/tree/sidechainBMM >> >> As many of you know, I've been seeking feedback in person, at various >> conferences and meetups over the past year, most prominently Scaling >> Milan. And I intend to continue to seek feedback at Consensus2017 this >> week, so if you are in NYC please just walk up and start talking to me! >> >> But I also wanted to ask the list for feedback. Initially, I was >> hesitant because I try not to consume reviewers' scarce time until the >> author has put in a serious effort. However, I may have waiting too >> long, as today it is actually quite close to a working release. >> >> >> Scaling Implications >> --------------------- >> >> This upgrade would have significant scaling implications. Since it is >> the case that sidechains can be added by soft fork, and since each of >> these chains will have its own blockspace, this theoretically removes >> the blocksize limit from "the Bitcoin system" (if one includes >> sidechains as part of such a system). People who want a LargeBlock >> bitcoin can just move their BTC over to such a network [1], and their >> txns will have no longer have an impact on "Bitcoin Core". Thus, even >> though this upgrade does not actually increase "scalability" per se, it >> may in fact put an end to the scalability debate...forever. >> >> This work includes the relatively new concept of "Blind Merged Mining" >> [2] which I developed in January to allow SHA256^2 miners to merge-mine >> these "drivechains", even if these miners aren't running the actual >> sidechain software. The goal is to prevent sidechains from affecting the >> levelness of the mining "playing field". BMM is conceptually similar to >> ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not >> required for drivechain, but it would address some of the last remaining >> concerns. >> >> >> Total Transaction Fees in the Far Future >> ----------------------------------------- >> >> Some people feel that a maximum blocksize limit is needed to ensure that >> future total equilibrium transaction fees are non-negligible. I >> presented [4] on why I don't agree, 8 months ago. The reviewers I spoke >> to over the last year have stopped bringing this complaint up, but I am >> not sure everyone feels that way. >> >> >> Juxtaposition with a recent "Scaling Compromise" >> ------------------------------------------------- >> >> Recently, a scalability proposal began to circulate on social media. As >> far as I could tell, it goes something like "immediately activate >> SegWit, and then HF to double the nonwitness blockspace to 2MB within 12 >> months". But such a proposal is quite meager, compared to a "LargeBlock >> Drivechain". The drivechain is better on both fronts, as it would not >> require a hardfork, and could *almost immediately* add _any_ amount of >> extra blockspace (specifically, I might expect a BIP101-like LargeBlock >> chain that has an 8 MB maxblocksize, which doubles every two years). >> >> In other words, I don't know why anyone would support that proposal over >> mine. The only reasons would be either ignorance (ie, unfamiliarity with >> drivechain) or because there are still nagging unspoken complaints about >> drivechain which I apparently need to hear and address. >> >> >> Other Thoughts >> --------------- >> >> Unfortunately, anyone who worked on the "first generation" of sidechain >> technology (the skiplist) or the "second generation" (federated / >> Liquid), will find that this is very different. >> >> I will admit that I am very pessimistic about any conversation that >> involves scalability. It is often said that "talking politics lowers >> your IQ by 25 points". Bitcoin scalability conversations seem to drain >> 50 points. (Instead of conversing, I think people should quietly work on >> whatever they are passionate about until their problem either is solved, >> or it goes away for some other reason, or until we all agree to just >> stop talking about it.) >> >> Cheers, >> Paul >> >> [1] http://www.drivechain.info/faq/#can-sidechains-really-help-with-scaling >> [2] http://www.truthcoin.info/blog/blind-merged-mining/ >> [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log >> [4] >> https://www.youtube.com/watch?v=YErLEuOi3xU&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=4 >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev [-- Attachment #1.2: Type: text/html, Size: 29311 bytes --] [-- Attachment #2: Message signed with OpenPGP --] [-- Type: application/pgp-signature, Size: 801 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-18 21:30 ` Tao Effect @ 2017-06-19 16:04 ` Paul Sztorc [not found] ` <CAJowKgLJW=kJhcN4B7TbWXLb7U51tzYU3PFOy1m8JqKXqFsU4A@mail.gmail.com> 2017-07-12 22:43 ` Tao Effect 0 siblings, 2 replies; 43+ messages in thread From: Paul Sztorc @ 2017-06-19 16:04 UTC (permalink / raw) To: Tao Effect; +Cc: Bitcoin Dev Hi Greg, Responses below: On 6/18/2017 5:30 PM, Tao Effect wrote: > In Drivechain, 51% of miners have total control and ownership over all > of the sidechain coins. It would not be accurate to say that miners have "total" control. Miners do control the destination of withdrawals, but they do not control the withdrawal-duration nor the withdrawal-frequency. So, if miners wish to 'steal' from a sidechain, they _can_ initiate a theft, but they can not change the fact that their malfeasance will be [a] obvious, and [b] on display for a long period of time. We might draw a comparison between: 1. Classic Theft -- A majority hashrate reorganizes the main Bitcoin chain to double-spend funds (or coordinate with someone who is double-spending). This is prevented/discouraged by waiting for many confirmations. 2. Channel Theft -- A majority hashrate assists a Lightning-Network thief, by censoring the punitive audit txn (possibly by exploiting some excuse regarding fullness of blocks, or possibly induced to do so by the thief provably splitting the proceeds with miners). This is prevented/discouraged by using lengthy custodial periods, paying high fees with your attacker's money, and using fungibility/non-communication to interact with miners as little as possible (so as to frame LN-theft as undermining the entire LN system, and not merely a single tragedy). 3. Drivechain Theft -- A majority hashrate initiates an unrepresentative withdrawal from some sidechain. This is prevented/discouraged by only using 'popular' sidechains (those that [a] increase the usefulness ("market price") of bitcoin, and [b] generate tx fees for miners). It is also discouraged by the fact that egregious theft would probably end the sidechain experiment, meaning that all present and future sidechains would be forever unavailable (and unable to buoy the price or the tx revenues). I do not think that any of the three stands out as being categorically worse than the others, especially when we consider the heterogeneity of use-cases and preferences. As Luke-Jr has been pointing out on social media recently, the very group which is more associated with miners (and explicitly more willing to trust them, ie Bitcoin Unlimited et al), happens to be the same group that would be expected to make use of a LargeBlock drivechain. Some can argue that one type of security is more "cryptographic" than others, but I think this is misguided (how many 'bits' of security does each have?) -- imho, all three security models are 'game theoretic' (neither computer scientific, nor cryptographic). More importantly, before a miner has any "control" over the sidechain coins, users must voluntarily agree to subject themselves to these new rules. This is similar to how an arbitrary piece of (open source) software can have "total" control over your computer...if you choose to install it. > Thus the effect of Drivechain appears to be the creation of a new kind > of digital border imposed onto the network ... I'm not sure it would "create a border", given that sidechains are currently not accessible at all. If anything drivechain cuts a door into an existing impassible border. > ... where everyone hands over ownership of their Bitcoins to a > /single/ mining cartel when they wish to interact with /any/ sidechain. The qualifier "/any/ sidechain" would seem to imply that there is a way to do sidechains that does not involve handing over some control to 51% hashrate...I think this is false (even in the fabled case of ZK-SNARKS). The first thing I do in the drivechain spec ( truthcoin.info/blog/drivechain ) is explain why. > Drivechain would be a reasonable idea if that weren't the case, but > since it is, Drivechain now introduces a very real possible future > where Bitcoins can be confiscated by the Chinese government in exactly > the same manner that the Chinese government today confiscates > financial assets in other financial networks within China. Yes, but money could also be confiscated from _any_ Bitcoin users (Chinese or otherwise) using any of the three methods I mentioned above. And confiscation could strike Chinese Bitcoin users if they decided to sell their Bitcoin for Chinese Yuan, which they then deposited in a Chinese bank. Or if they sold their Bitcoin for an Altcoin controlled by the Chinese govt in some other way. It is not up to the members of this list to decide, USSR style, what other people are allowed to do with their own money. The exceptions to this rule would be (ie, "bitcoin-dev should care about what users are doing when..."): 1. [Unreasonable use of Reviewer Time] The user's use-case is either nonexistent (ie "no one wants that"), or totally unachievable ("we can't do that") thus rendering the conversation a complete waste of time / reviewer attention. 2. [Harmful Interference] The user's use-case would impose harm on some existing use-case(s). No reasonable person will claim the first, given today's scaling debate (not to mention today's 'bitcoin dominance index'). Therefore, critics must claim the second (as, for example, Peter Todd has been doing on this list). Which is why I narrowly focus on inter-chain harms [1], leading ultimately to a focus on the mining ecosystem [2,3] and the development of Blind Merged Mining [4]. [1] https://www.youtube.com/watch?v=0goYH2sDw0w&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=1 [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ [3] http://www.truthcoin.info/blog/mining-threat-equilibrium/ [4] http://www.truthcoin.info/blog/blind-merged-mining/ [5] http://www.truthcoin.info/blog/measuring-decentralization/ > 1. The Bitcoin network centralizes more, because more power (both > financial power and power in terms of capability/control) is granted > to miners. I think that one has some duty to very clearly define something (like "mining centralization" [2] or "centralization" [5]) before complaining about it. I feel that people will occasionally use selfless complaints to accomplish a selfish goal...especially when the artificial selfless part is hard to discuss by virtue of its being poorly defined (especially vague or abstract items like "the company", "our country", etc). For example, those who take it upon themselves to "defend" "the Bitcoin community" may have exactly that in mind as their primary goal...but they may also end up with more visibility (and with it: more influence, more job offers, more conference invites, more friends, etc) and they may also end up with a megaphone for which to broadcast their other views, or just a defend-able excuse for bragging loudly about how great cypherpunks are and/or how devoted they-in-particular are to the cypherpunk tribe, et cetera. To avoid this problem in my own technical discourse, I try to avoid abstractions like "centralization" until I have defined them [2,5]. You have defined centralization above, but the definition is itself vague to the point where I do not think even you actually endorse it. For example, you would need to say that Bitcoin centralizes whenever the exchange rate increases (as this grants additional financial power to miners) or when any new user joins Bitcoin, or when tx fee revenues increase for any reason. You might also be forced to say that LN centralizes Bitcoin (as LN grants new capability/control to miners), and probably even that Bitcoin becomes more centralized when developers release new software (as this grants new capability to miners, specifically the ability to deny upgrades). This probably isn't what you meant, but since you did not clearly explain what you meant we have no way of knowing for sure. It seems to me that you reject the premise that BMM [4] addresses these issues. This is probably because BMM only addresses miner's interactions with each other, and it does not address miner abilities as a group in relation to other groups (for example, vs. users, developers, investors). But, as I consistently emphasize, these groups of people are free to ignore any sidechains that they do not like. In law there is a saying 'volenti non fit injuria' which I would translate as "he who volunteers cannot claim later to have been injured". This is a legal theory, because otherwise everyone would be arbitrarily liable for choices beyond their control (ie, responsible for decisions of other unrelated people), which would be nonsense. > 3. Drivechain limits user's existing choice when it comes to who is > acting as custodian of their Bitcoins, from any trustworthy exchange, > down to a single mining cartel under the control of a single set of laws. Currently no (P2P) sidechains exist, and therefore the set of choices today would seem to be more "limited" than in a post-sidechain future. (The set of options may decrease later, for ecological reasons, if and only if 'exchanges' are a strictly inferior option to 'sidechains' for some reason...I don't see why this would be the case. I also don't understand the emphasis on "exchanges" [SCs are much more like Altcoins, than exchanges] in the first place, nor the dubious qualifier "trustworthy".) --Paul ^ permalink raw reply [flat|nested] 43+ messages in thread
[parent not found: <CAJowKgLJW=kJhcN4B7TbWXLb7U51tzYU3PFOy1m8JqKXqFsU4A@mail.gmail.com>]
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up [not found] ` <CAJowKgLJW=kJhcN4B7TbWXLb7U51tzYU3PFOy1m8JqKXqFsU4A@mail.gmail.com> @ 2017-06-20 11:54 ` Paul Sztorc 2017-06-20 13:38 ` Erik Aronesty 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-06-20 11:54 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 12948 bytes --] Hi Erik, As you know: 1. If a sidechain is merged mined it basically grows out of the existing Bitcoin mining network. If it has a different PoW algorithm it is a new mining network. 2. The security (ie, hashrate) of any mining network would be determined by the total economic value of the block. In Bitcoin this is (subsidy+tx_fees)*price, but since a sidechain cannot issue new tokens it would only be (tx_fees)*price. Unfortunately the two have a nasty correlation which can lead to a disastrous self-fulfilling prophecy: users will avoid a network that is too insecure; and if users avoid using a network, they will stop paying txn fees and so the quantity (tx_fees)*price falls toward zero, erasing the network's security. So it is quite problematic and I recommend just biting the bullet and going with merged mining instead. And, the point may be moot. Bitcoin miners may decide that, given their expertise in seeking out cheap sources of power/cooling, they might as well mine both/all chains. So your suggestion may not achieve your desired result (and would, meanwhile, consume more of the economy's resources -- some of these would not contribute even to a higher hashrate). Paul On 6/19/2017 1:11 PM, Erik Aronesty wrote: > It would be nice to be able to enforce that a drivechain *not* have > the same POW as bitcoin. > > I suspect this is the only way to be sure that a drivechain doesn't > destabilize the main chain and push more power to miners that already > have too much power. > > > On Mon, Jun 19, 2017 at 12:04 PM, Paul Sztorc via bitcoin-dev > <bitcoin-dev@lists•linuxfoundation.org > <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote: > > Hi Greg, > > Responses below: > > On 6/18/2017 5:30 PM, Tao Effect wrote: > > In Drivechain, 51% of miners have total control and ownership > over all > > of the sidechain coins. > > It would not be accurate to say that miners have "total" control. > Miners > do control the destination of withdrawals, but they do not control the > withdrawal-duration nor the withdrawal-frequency. > > So, if miners wish to 'steal' from a sidechain, they _can_ initiate a > theft, but they can not change the fact that their malfeasance will be > [a] obvious, and [b] on display for a long period of time. > > We might draw a comparison between: > > 1. Classic Theft -- A majority hashrate reorganizes the main Bitcoin > chain to double-spend funds (or coordinate with someone who is > double-spending). This is prevented/discouraged by waiting for many > confirmations. > 2. Channel Theft -- A majority hashrate assists a Lightning-Network > thief, by censoring the punitive audit txn (possibly by exploiting > some > excuse regarding fullness of blocks, or possibly induced to do so > by the > thief provably splitting the proceeds with miners). This is > prevented/discouraged by using lengthy custodial periods, paying high > fees with your attacker's money, and using > fungibility/non-communication > to interact with miners as little as possible (so as to frame LN-theft > as undermining the entire LN system, and not merely a single tragedy). > 3. Drivechain Theft -- A majority hashrate initiates an > unrepresentative > withdrawal from some sidechain. This is prevented/discouraged by only > using 'popular' sidechains (those that [a] increase the usefulness > ("market price") of bitcoin, and [b] generate tx fees for miners). > It is > also discouraged by the fact that egregious theft would probably > end the > sidechain experiment, meaning that all present and future sidechains > would be forever unavailable (and unable to buoy the price or the tx > revenues). > > I do not think that any of the three stands out as being categorically > worse than the others, especially when we consider the > heterogeneity of > use-cases and preferences. As Luke-Jr has been pointing out on social > media recently, the very group which is more associated with > miners (and > explicitly more willing to trust them, ie Bitcoin Unlimited et al), > happens to be the same group that would be expected to make use of a > LargeBlock drivechain. Some can argue that one type of security is > more > "cryptographic" than others, but I think this is misguided (how many > 'bits' of security does each have?) -- imho, all three security models > are 'game theoretic' (neither computer scientific, nor cryptographic). > > More importantly, before a miner has any "control" over the sidechain > coins, users must voluntarily agree to subject themselves to these new > rules. This is similar to how an arbitrary piece of (open source) > software can have "total" control over your computer...if you > choose to > install it. > > > Thus the effect of Drivechain appears to be the creation of a > new kind > > of digital border imposed onto the network ... > > I'm not sure it would "create a border", given that sidechains are > currently not accessible at all. If anything drivechain cuts a > door into > an existing impassible border. > > > ... where everyone hands over ownership of their Bitcoins to a > > /single/ mining cartel when they wish to interact with /any/ sidechain. > > The qualifier "/any/ sidechain" would seem to imply that there is > a way > to do sidechains that does not involve handing over some control > to 51% > hashrate...I think this is false (even in the fabled case of > ZK-SNARKS). > The first thing I do in the drivechain spec ( > truthcoin.info/blog/drivechain > <http://truthcoin.info/blog/drivechain> ) is explain why. > > > Drivechain would be a reasonable idea if that weren't the case, but > > since it is, Drivechain now introduces a very real possible future > > where Bitcoins can be confiscated by the Chinese government in > exactly > > the same manner that the Chinese government today confiscates > > financial assets in other financial networks within China. > > Yes, but money could also be confiscated from _any_ Bitcoin users > (Chinese or otherwise) using any of the three methods I mentioned > above. > And confiscation could strike Chinese Bitcoin users if they decided to > sell their Bitcoin for Chinese Yuan, which they then deposited in a > Chinese bank. Or if they sold their Bitcoin for an Altcoin > controlled by > the Chinese govt in some other way. > > It is not up to the members of this list to decide, USSR style, what > other people are allowed to do with their own money. > > The exceptions to this rule would be (ie, "bitcoin-dev should care > about > what users are doing when..."): > > 1. [Unreasonable use of Reviewer Time] The user's use-case is either > nonexistent (ie "no one wants that"), or totally unachievable ("we > can't > do that") thus rendering the conversation a complete waste of time / > reviewer attention. > 2. [Harmful Interference] The user's use-case would impose harm on > some > existing use-case(s). > > No reasonable person will claim the first, given today's scaling > debate > (not to mention today's 'bitcoin dominance index'). Therefore, critics > must claim the second (as, for example, Peter Todd has been doing on > this list). > > Which is why I narrowly focus on inter-chain harms [1], leading > ultimately to a focus on the mining ecosystem [2,3] and the > development > of Blind Merged Mining [4]. > > [1] > https://www.youtube.com/watch?v=0goYH2sDw0w&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=1 > <https://www.youtube.com/watch?v=0goYH2sDw0w&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=1> > [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ > <http://www.truthcoin.info/blog/mirage-miner-centralization/> > [3] http://www.truthcoin.info/blog/mining-threat-equilibrium/ > <http://www.truthcoin.info/blog/mining-threat-equilibrium/> > [4] http://www.truthcoin.info/blog/blind-merged-mining/ > <http://www.truthcoin.info/blog/blind-merged-mining/> > [5] http://www.truthcoin.info/blog/measuring-decentralization/ > <http://www.truthcoin.info/blog/measuring-decentralization/> > > > 1. The Bitcoin network centralizes more, because more power (both > > financial power and power in terms of capability/control) is granted > > to miners. > > I think that one has some duty to very clearly define something (like > "mining centralization" [2] or "centralization" [5]) before > complaining > about it. I feel that people will occasionally use selfless complaints > to accomplish a selfish goal...especially when the artificial selfless > part is hard to discuss by virtue of its being poorly defined > (especially vague or abstract items like "the company", "our country", > etc). For example, those who take it upon themselves to "defend" "the > Bitcoin community" may have exactly that in mind as their primary > goal...but they may also end up with more visibility (and with it: > more > influence, more job offers, more conference invites, more friends, > etc) > and they may also end up with a megaphone for which to broadcast their > other views, or just a defend-able excuse for bragging loudly > about how > great cypherpunks are and/or how devoted they-in-particular are to the > cypherpunk tribe, et cetera. To avoid this problem in my own technical > discourse, I try to avoid abstractions like "centralization" until I > have defined them [2,5]. > > You have defined centralization above, but the definition is itself > vague to the point where I do not think even you actually endorse it. > For example, you would need to say that Bitcoin centralizes > whenever the > exchange rate increases (as this grants additional financial power to > miners) or when any new user joins Bitcoin, or when tx fee revenues > increase for any reason. You might also be forced to say that LN > centralizes Bitcoin (as LN grants new capability/control to > miners), and > probably even that Bitcoin becomes more centralized when developers > release new software (as this grants new capability to miners, > specifically the ability to deny upgrades). This probably isn't > what you > meant, but since you did not clearly explain what you meant we have no > way of knowing for sure. > > It seems to me that you reject the premise that BMM [4] addresses > these > issues. This is probably because BMM only addresses miner's > interactions > with each other, and it does not address miner abilities as a group in > relation to other groups (for example, vs. users, developers, > investors). But, as I consistently emphasize, these groups of > people are > free to ignore any sidechains that they do not like. In law there is a > saying 'volenti non fit injuria' which I would translate as "he who > volunteers cannot claim later to have been injured". This is a legal > theory, because otherwise everyone would be arbitrarily liable for > choices beyond their control (ie, responsible for decisions of other > unrelated people), which would be nonsense. > > > 3. Drivechain limits user's existing choice when it comes to who is > > acting as custodian of their Bitcoins, from any trustworthy > exchange, > > down to a single mining cartel under the control of a single set > of laws. > > Currently no (P2P) sidechains exist, and therefore the set of choices > today would seem to be more "limited" than in a post-sidechain future. > (The set of options may decrease later, for ecological reasons, if and > only if 'exchanges' are a strictly inferior option to 'sidechains' for > some reason...I don't see why this would be the case. I also don't > understand the emphasis on "exchanges" [SCs are much more like > Altcoins, > than exchanges] in the first place, nor the dubious qualifier > "trustworthy".) > > --Paul > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > <mailto:bitcoin-dev@lists•linuxfoundation.org> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev> > > [-- Attachment #2: Type: text/html, Size: 18050 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-20 11:54 ` Paul Sztorc @ 2017-06-20 13:38 ` Erik Aronesty 2017-06-22 13:27 ` Paul Sztorc 0 siblings, 1 reply; 43+ messages in thread From: Erik Aronesty @ 2017-06-20 13:38 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 12510 bytes --] - a proof-of-burn sidechain is the ultimate two-way peg. you have to burn bitcoin *or* side-chain tokens to mine the side chain. the size of the burn is the degree of security. i actually wrote code to do randomized blind burns where you have a poisson distribution (non-deterministic selected burn). there is no way to game it... it's very similar to algorand - but it uses burns instead of staking - you can then have a secure sidechain that issues a mining reward in sidechain tokens, which can be aggrregated and redeemed for bitcoins. the result of this is that any bitcoins held in the sidechain depreciate in value at a rate of X% per year. this deflation rate pays for increased security - logically this functions like an alt coin, with high inflation and cheap transactions. but the altcoin is pegged to bitcoin's price because of the pool of unredeemed bitcoins held within the side chain. On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc <truthcoin@gmail•com> wrote: > Hi Erik, > > As you know: > > 1. If a sidechain is merged mined it basically grows out of the existing > Bitcoin mining network. If it has a different PoW algorithm it is a new > mining network. > 2. The security (ie, hashrate) of any mining network would be determined > by the total economic value of the block. In Bitcoin this is > (subsidy+tx_fees)*price, but since a sidechain cannot issue new tokens it > would only be (tx_fees)*price. > > Unfortunately the two have a nasty correlation which can lead to a > disastrous self-fulfilling prophecy: users will avoid a network that is too > insecure; and if users avoid using a network, they will stop paying txn > fees and so the quantity (tx_fees)*price falls toward zero, erasing the > network's security. So it is quite problematic and I recommend just biting > the bullet and going with merged mining instead. > > And, the point may be moot. Bitcoin miners may decide that, given their > expertise in seeking out cheap sources of power/cooling, they might as well > mine both/all chains. So your suggestion may not achieve your desired > result (and would, meanwhile, consume more of the economy's resources -- > some of these would not contribute even to a higher hashrate). > > Paul > > > > > On 6/19/2017 1:11 PM, Erik Aronesty wrote: > > It would be nice to be able to enforce that a drivechain *not* have the > same POW as bitcoin. > > I suspect this is the only way to be sure that a drivechain doesn't > destabilize the main chain and push more power to miners that already have > too much power. > > > On Mon, Jun 19, 2017 at 12:04 PM, Paul Sztorc via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> Hi Greg, >> >> Responses below: >> >> On 6/18/2017 5:30 PM, Tao Effect wrote: >> > In Drivechain, 51% of miners have total control and ownership over all >> > of the sidechain coins. >> >> It would not be accurate to say that miners have "total" control. Miners >> do control the destination of withdrawals, but they do not control the >> withdrawal-duration nor the withdrawal-frequency. >> >> So, if miners wish to 'steal' from a sidechain, they _can_ initiate a >> theft, but they can not change the fact that their malfeasance will be >> [a] obvious, and [b] on display for a long period of time. >> >> We might draw a comparison between: >> >> 1. Classic Theft -- A majority hashrate reorganizes the main Bitcoin >> chain to double-spend funds (or coordinate with someone who is >> double-spending). This is prevented/discouraged by waiting for many >> confirmations. >> 2. Channel Theft -- A majority hashrate assists a Lightning-Network >> thief, by censoring the punitive audit txn (possibly by exploiting some >> excuse regarding fullness of blocks, or possibly induced to do so by the >> thief provably splitting the proceeds with miners). This is >> prevented/discouraged by using lengthy custodial periods, paying high >> fees with your attacker's money, and using fungibility/non-communication >> to interact with miners as little as possible (so as to frame LN-theft >> as undermining the entire LN system, and not merely a single tragedy). >> 3. Drivechain Theft -- A majority hashrate initiates an unrepresentative >> withdrawal from some sidechain. This is prevented/discouraged by only >> using 'popular' sidechains (those that [a] increase the usefulness >> ("market price") of bitcoin, and [b] generate tx fees for miners). It is >> also discouraged by the fact that egregious theft would probably end the >> sidechain experiment, meaning that all present and future sidechains >> would be forever unavailable (and unable to buoy the price or the tx >> revenues). >> >> I do not think that any of the three stands out as being categorically >> worse than the others, especially when we consider the heterogeneity of >> use-cases and preferences. As Luke-Jr has been pointing out on social >> media recently, the very group which is more associated with miners (and >> explicitly more willing to trust them, ie Bitcoin Unlimited et al), >> happens to be the same group that would be expected to make use of a >> LargeBlock drivechain. Some can argue that one type of security is more >> "cryptographic" than others, but I think this is misguided (how many >> 'bits' of security does each have?) -- imho, all three security models >> are 'game theoretic' (neither computer scientific, nor cryptographic). >> >> More importantly, before a miner has any "control" over the sidechain >> coins, users must voluntarily agree to subject themselves to these new >> rules. This is similar to how an arbitrary piece of (open source) >> software can have "total" control over your computer...if you choose to >> install it. >> >> > Thus the effect of Drivechain appears to be the creation of a new kind >> > of digital border imposed onto the network ... >> >> I'm not sure it would "create a border", given that sidechains are >> currently not accessible at all. If anything drivechain cuts a door into >> an existing impassible border. >> >> > ... where everyone hands over ownership of their Bitcoins to a >> > /single/ mining cartel when they wish to interact with /any/ sidechain. >> >> The qualifier "/any/ sidechain" would seem to imply that there is a way >> to do sidechains that does not involve handing over some control to 51% >> hashrate...I think this is false (even in the fabled case of ZK-SNARKS). >> The first thing I do in the drivechain spec ( >> truthcoin.info/blog/drivechain ) is explain why. >> >> > Drivechain would be a reasonable idea if that weren't the case, but >> > since it is, Drivechain now introduces a very real possible future >> > where Bitcoins can be confiscated by the Chinese government in exactly >> > the same manner that the Chinese government today confiscates >> > financial assets in other financial networks within China. >> >> Yes, but money could also be confiscated from _any_ Bitcoin users >> (Chinese or otherwise) using any of the three methods I mentioned above. >> And confiscation could strike Chinese Bitcoin users if they decided to >> sell their Bitcoin for Chinese Yuan, which they then deposited in a >> Chinese bank. Or if they sold their Bitcoin for an Altcoin controlled by >> the Chinese govt in some other way. >> >> It is not up to the members of this list to decide, USSR style, what >> other people are allowed to do with their own money. >> >> The exceptions to this rule would be (ie, "bitcoin-dev should care about >> what users are doing when..."): >> >> 1. [Unreasonable use of Reviewer Time] The user's use-case is either >> nonexistent (ie "no one wants that"), or totally unachievable ("we can't >> do that") thus rendering the conversation a complete waste of time / >> reviewer attention. >> 2. [Harmful Interference] The user's use-case would impose harm on some >> existing use-case(s). >> >> No reasonable person will claim the first, given today's scaling debate >> (not to mention today's 'bitcoin dominance index'). Therefore, critics >> must claim the second (as, for example, Peter Todd has been doing on >> this list). >> >> Which is why I narrowly focus on inter-chain harms [1], leading >> ultimately to a focus on the mining ecosystem [2,3] and the development >> of Blind Merged Mining [4]. >> >> [1] >> https://www.youtube.com/watch?v=0goYH2sDw0w&list=PLw8-6ARlyV >> ciNjgS_NFhAu-qt7HPf_dtg&index=1 >> [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ >> [3] http://www.truthcoin.info/blog/mining-threat-equilibrium/ >> [4] http://www.truthcoin.info/blog/blind-merged-mining/ >> [5] http://www.truthcoin.info/blog/measuring-decentralization/ >> >> > 1. The Bitcoin network centralizes more, because more power (both >> > financial power and power in terms of capability/control) is granted >> > to miners. >> >> I think that one has some duty to very clearly define something (like >> "mining centralization" [2] or "centralization" [5]) before complaining >> about it. I feel that people will occasionally use selfless complaints >> to accomplish a selfish goal...especially when the artificial selfless >> part is hard to discuss by virtue of its being poorly defined >> (especially vague or abstract items like "the company", "our country", >> etc). For example, those who take it upon themselves to "defend" "the >> Bitcoin community" may have exactly that in mind as their primary >> goal...but they may also end up with more visibility (and with it: more >> influence, more job offers, more conference invites, more friends, etc) >> and they may also end up with a megaphone for which to broadcast their >> other views, or just a defend-able excuse for bragging loudly about how >> great cypherpunks are and/or how devoted they-in-particular are to the >> cypherpunk tribe, et cetera. To avoid this problem in my own technical >> discourse, I try to avoid abstractions like "centralization" until I >> have defined them [2,5]. >> >> You have defined centralization above, but the definition is itself >> vague to the point where I do not think even you actually endorse it. >> For example, you would need to say that Bitcoin centralizes whenever the >> exchange rate increases (as this grants additional financial power to >> miners) or when any new user joins Bitcoin, or when tx fee revenues >> increase for any reason. You might also be forced to say that LN >> centralizes Bitcoin (as LN grants new capability/control to miners), and >> probably even that Bitcoin becomes more centralized when developers >> release new software (as this grants new capability to miners, >> specifically the ability to deny upgrades). This probably isn't what you >> meant, but since you did not clearly explain what you meant we have no >> way of knowing for sure. >> >> It seems to me that you reject the premise that BMM [4] addresses these >> issues. This is probably because BMM only addresses miner's interactions >> with each other, and it does not address miner abilities as a group in >> relation to other groups (for example, vs. users, developers, >> investors). But, as I consistently emphasize, these groups of people are >> free to ignore any sidechains that they do not like. In law there is a >> saying 'volenti non fit injuria' which I would translate as "he who >> volunteers cannot claim later to have been injured". This is a legal >> theory, because otherwise everyone would be arbitrarily liable for >> choices beyond their control (ie, responsible for decisions of other >> unrelated people), which would be nonsense. >> >> > 3. Drivechain limits user's existing choice when it comes to who is >> > acting as custodian of their Bitcoins, from any trustworthy exchange, >> > down to a single mining cartel under the control of a single set of >> laws. >> >> Currently no (P2P) sidechains exist, and therefore the set of choices >> today would seem to be more "limited" than in a post-sidechain future. >> (The set of options may decrease later, for ecological reasons, if and >> only if 'exchanges' are a strictly inferior option to 'sidechains' for >> some reason...I don't see why this would be the case. I also don't >> understand the emphasis on "exchanges" [SCs are much more like Altcoins, >> than exchanges] in the first place, nor the dubious qualifier >> "trustworthy".) >> >> --Paul >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > > > [-- Attachment #2: Type: text/html, Size: 19667 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-20 13:38 ` Erik Aronesty @ 2017-06-22 13:27 ` Paul Sztorc 2017-06-22 13:45 ` Erik Aronesty 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-06-22 13:27 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3025 bytes --] Hi Erik, I don't think that your design is competitive. Why would users tolerate a depreciation of X% per year, when there are alternatives which do not require such depreciation? It seems to me that none would. Paul On 6/20/2017 9:38 AM, Erik Aronesty wrote: > - a proof-of-burn sidechain is the ultimate two-way peg. you have to > burn bitcoin *or* side-chain tokens to mine the side chain. the size > of the burn is the degree of security. i actually wrote code to do > randomized blind burns where you have a poisson distribution > (non-deterministic selected burn). there is no way to game it... > it's very similar to algorand - but it uses burns instead of staking > > - you can then have a secure sidechain that issues a mining reward in > sidechain tokens, which can be aggrregated and redeemed for bitcoins. > the result of this is that any bitcoins held in the sidechain > depreciate in value at a rate of X% per year. this deflation rate > pays for increased security > > - logically this functions like an alt coin, with high inflation and > cheap transactions. but the altcoin is pegged to bitcoin's price > because of the pool of unredeemed bitcoins held within the side chain. > > > > On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc <truthcoin@gmail•com > <mailto:truthcoin@gmail•com>> wrote: > > Hi Erik, > > As you know: > > 1. If a sidechain is merged mined it basically grows out of the > existing Bitcoin mining network. If it has a different PoW > algorithm it is a new mining network. > 2. The security (ie, hashrate) of any mining network would be > determined by the total economic value of the block. In Bitcoin > this is (subsidy+tx_fees)*price, but since a sidechain cannot > issue new tokens it would only be (tx_fees)*price. > > Unfortunately the two have a nasty correlation which can lead to a > disastrous self-fulfilling prophecy: users will avoid a network > that is too insecure; and if users avoid using a network, they > will stop paying txn fees and so the quantity (tx_fees)*price > falls toward zero, erasing the network's security. So it is quite > problematic and I recommend just biting the bullet and going with > merged mining instead. > > And, the point may be moot. Bitcoin miners may decide that, given > their expertise in seeking out cheap sources of power/cooling, > they might as well mine both/all chains. So your suggestion may > not achieve your desired result (and would, meanwhile, consume > more of the economy's resources -- some of these would not > contribute even to a higher hashrate). > > Paul > > > > > On 6/19/2017 1:11 PM, Erik Aronesty wrote: >> It would be nice to be able to enforce that a drivechain *not* >> have the same POW as bitcoin. >> >> I suspect this is the only way to be sure that a drivechain >> doesn't destabilize the main chain and push more power to miners >> that already have too much power. >> >> > > [-- Attachment #2: Type: text/html, Size: 5585 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-22 13:27 ` Paul Sztorc @ 2017-06-22 13:45 ` Erik Aronesty 2017-06-22 20:30 ` Paul Sztorc 0 siblings, 1 reply; 43+ messages in thread From: Erik Aronesty @ 2017-06-22 13:45 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3544 bytes --] Users would tolerate depreciation because the intention is to have a cheap way of transacting using a two-way pegged chain that isn't controlled by miners. Who cares about some minor depreciation when the purpose of the chain is to do cheap secure transactions forever? Add in UTXO commitments and you've got a system that is cheap and secure-enough for transfer. storage and accumulation of a ledger... before moving in to the main chain. Seems better to me than messing with the main chain's incentive structure via merged mining. On Thu, Jun 22, 2017 at 9:27 AM, Paul Sztorc <truthcoin@gmail•com> wrote: > Hi Erik, > > I don't think that your design is competitive. Why would users tolerate a > depreciation of X% per year, when there are alternatives which do not > require such depreciation? It seems to me that none would. > > Paul > > On 6/20/2017 9:38 AM, Erik Aronesty wrote: > > - a proof-of-burn sidechain is the ultimate two-way peg. you have to > burn bitcoin *or* side-chain tokens to mine the side chain. the size of > the burn is the degree of security. i actually wrote code to do > randomized blind burns where you have a poisson distribution > (non-deterministic selected burn). there is no way to game it... it's > very similar to algorand - but it uses burns instead of staking > > - you can then have a secure sidechain that issues a mining reward in > sidechain tokens, which can be aggrregated and redeemed for bitcoins. the > result of this is that any bitcoins held in the sidechain depreciate in > value at a rate of X% per year. this deflation rate pays for increased > security > > - logically this functions like an alt coin, with high inflation and cheap > transactions. but the altcoin is pegged to bitcoin's price because of the > pool of unredeemed bitcoins held within the side chain. > > > > On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc <truthcoin@gmail•com> wrote: > >> Hi Erik, >> >> As you know: >> >> 1. If a sidechain is merged mined it basically grows out of the existing >> Bitcoin mining network. If it has a different PoW algorithm it is a new >> mining network. >> 2. The security (ie, hashrate) of any mining network would be determined >> by the total economic value of the block. In Bitcoin this is >> (subsidy+tx_fees)*price, but since a sidechain cannot issue new tokens it >> would only be (tx_fees)*price. >> >> Unfortunately the two have a nasty correlation which can lead to a >> disastrous self-fulfilling prophecy: users will avoid a network that is too >> insecure; and if users avoid using a network, they will stop paying txn >> fees and so the quantity (tx_fees)*price falls toward zero, erasing the >> network's security. So it is quite problematic and I recommend just biting >> the bullet and going with merged mining instead. >> >> And, the point may be moot. Bitcoin miners may decide that, given their >> expertise in seeking out cheap sources of power/cooling, they might as well >> mine both/all chains. So your suggestion may not achieve your desired >> result (and would, meanwhile, consume more of the economy's resources -- >> some of these would not contribute even to a higher hashrate). >> >> Paul >> >> >> >> >> On 6/19/2017 1:11 PM, Erik Aronesty wrote: >> >> It would be nice to be able to enforce that a drivechain *not* have the >> same POW as bitcoin. >> >> I suspect this is the only way to be sure that a drivechain doesn't >> destabilize the main chain and push more power to miners that already have >> too much power. >> >> >> >> > > [-- Attachment #2: Type: text/html, Size: 6670 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-22 13:45 ` Erik Aronesty @ 2017-06-22 20:30 ` Paul Sztorc 2017-06-23 14:19 ` Erik Aronesty 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-06-22 20:30 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 5034 bytes --] Responses inline. On 6/22/2017 9:45 AM, Erik Aronesty wrote: > Users would tolerate depreciation because the intention is to have a > cheap way of transacting using a two-way pegged chain that isn't > controlled by miners. Who cares about some minor depreciation when > the purpose of the chain is to do cheap secure transactions forever? Thus far you've claimed that these transactions would be "cheap", "[not] controlled by miners", and "secure". They would certainly not be cheap, because they are relatively more expensive due to the extra depreciation cost. I also doubt that they would be free of control by miners. 51% hashrate can always filter out any message they want from anywhere. For the same reason, I don't understand why they would be any more or less secure. So I think your way is just a more expensive way of accomplishing basically the same result. > > Add in UTXO commitments and you've got a system that is cheap and > secure-enough for transfer. storage and accumulation of a ledger... > before moving in to the main chain. As I posted to bitcoin-discuss last week, I support UTXO commitments for sidechains. > Seems better to me than messing with the main chain's incentive > structure via merged mining. I don't think that blind merged mining messes with the main chain's incentive structure. Miners are free to ignore the sidechain (and yet still get paid the same as other miners), as are all mainchain users. Paul > > On Thu, Jun 22, 2017 at 9:27 AM, Paul Sztorc <truthcoin@gmail•com > <mailto:truthcoin@gmail•com>> wrote: > > Hi Erik, > > I don't think that your design is competitive. Why would users > tolerate a depreciation of X% per year, when there are > alternatives which do not require such depreciation? It seems to > me that none would. > > Paul > > On 6/20/2017 9:38 AM, Erik Aronesty wrote: >> - a proof-of-burn sidechain is the ultimate two-way peg. you >> have to burn bitcoin *or* side-chain tokens to mine the side >> chain. the size of the burn is the degree of security. i >> actually wrote code to do randomized blind burns where you have a >> poisson distribution (non-deterministic selected burn). there >> is no way to game it... it's very similar to algorand - but it >> uses burns instead of staking >> >> - you can then have a secure sidechain that issues a mining >> reward in sidechain tokens, which can be aggrregated and redeemed >> for bitcoins. the result of this is that any bitcoins held in >> the sidechain depreciate in value at a rate of X% per year. >> this deflation rate pays for increased security >> >> - logically this functions like an alt coin, with high inflation >> and cheap transactions. but the altcoin is pegged to bitcoin's >> price because of the pool of unredeemed bitcoins held within the >> side chain. >> >> >> >> On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc <truthcoin@gmail•com >> <mailto:truthcoin@gmail•com>> wrote: >> >> Hi Erik, >> >> As you know: >> >> 1. If a sidechain is merged mined it basically grows out of >> the existing Bitcoin mining network. If it has a different >> PoW algorithm it is a new mining network. >> 2. The security (ie, hashrate) of any mining network would be >> determined by the total economic value of the block. In >> Bitcoin this is (subsidy+tx_fees)*price, but since a >> sidechain cannot issue new tokens it would only be >> (tx_fees)*price. >> >> Unfortunately the two have a nasty correlation which can lead >> to a disastrous self-fulfilling prophecy: users will avoid a >> network that is too insecure; and if users avoid using a >> network, they will stop paying txn fees and so the quantity >> (tx_fees)*price falls toward zero, erasing the network's >> security. So it is quite problematic and I recommend just >> biting the bullet and going with merged mining instead. >> >> And, the point may be moot. Bitcoin miners may decide that, >> given their expertise in seeking out cheap sources of >> power/cooling, they might as well mine both/all chains. So >> your suggestion may not achieve your desired result (and >> would, meanwhile, consume more of the economy's resources -- >> some of these would not contribute even to a higher hashrate). >> >> Paul >> >> >> >> >> On 6/19/2017 1:11 PM, Erik Aronesty wrote: >>> It would be nice to be able to enforce that a drivechain >>> *not* have the same POW as bitcoin. >>> >>> I suspect this is the only way to be sure that a drivechain >>> doesn't destabilize the main chain and push more power to >>> miners that already have too much power. >>> >>> >> >> > > [-- Attachment #2: Type: text/html, Size: 10669 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-22 20:30 ` Paul Sztorc @ 2017-06-23 14:19 ` Erik Aronesty 2017-06-23 14:51 ` Moral Agent 2017-06-23 18:11 ` Paul Sztorc 0 siblings, 2 replies; 43+ messages in thread From: Erik Aronesty @ 2017-06-23 14:19 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 6945 bytes --] > They would certainly not be cheap, because they are relatively more expensive due to the extra depreciation cost. This depends on how long you expect to keep money on a side chain and how many transactions you plan on doing. Inflation is a great way of paying PoS / PoB miners - that cannot introduce issues with consolidation. If you design the inflation schedule correctly, it should be balance transaction costs *precisely*. Indeed, you can calculate the exact amount of inflation needed to guarantee that a side chain is always exactly 10 times cheaper than bitcoin. >As I posted to bitcoin-discuss last week, I support UTXO commitments for sidechains. Indeed, I think side chain nodes should always be fast-synced from 6 month old commitments and thus be ephemeral, cheap, and *never *appropriate for long term storage. This would provide the best possible incentive structure to keep the main chain secure, paid for with high clearing fees, etc. > I don't think that blind merged mining messes with the main chain's incentive structure The critical issue is that we cannot introduce protocol changes that *further *incentivize geographical and institutional consolidation. Miners who are able to deal with the bandwidth caused by drivechain coffee transactions will profit from these transactions, whereas smaller and more geographically distributed miners will not. Those miners will, in turn, build faster ASICs and buy more electricity and drive out smaller players. I think this is *abundantly *clear, and is the primary motivation behind preserving block size limits. If this premise is false (which it may be), or is skewed so as to damage bitcoin as a whole (could be as well), then that needs to be demonstrated *first*. The lightning model does the opposite of this. Miners watch fees increase and coming from an *orthoganal* protocol that cannot cause further centralization. One problem is that the main chain also *must* grow in response to bandwidth, or the disadvantages of using the main chain will weaken financial support and hashrate securing it. I believe this is also true, and that a "balancing act" will be Bitcoin's norm until we adopt something like BIP103 - which provides a steady and appropriate growth. On Thu, Jun 22, 2017 at 4:30 PM, Paul Sztorc <truthcoin@gmail•com> wrote: > Responses inline. > > On 6/22/2017 9:45 AM, Erik Aronesty wrote: > > Users would tolerate depreciation because the intention is to have a cheap > way of transacting using a two-way pegged chain that isn't controlled by > miners. Who cares about some minor depreciation when the purpose of the > chain is to do cheap secure transactions forever? > > > Thus far you've claimed that these transactions would be "cheap", "[not] > controlled by miners", and "secure". > > They would certainly not be cheap, because they are relatively more > expensive due to the extra depreciation cost. > > I also doubt that they would be free of control by miners. 51% hashrate > can always filter out any message they want from anywhere. > > For the same reason, I don't understand why they would be any more or less > secure. > > So I think your way is just a more expensive way of accomplishing > basically the same result. > > > Add in UTXO commitments and you've got a system that is cheap and > secure-enough for transfer. storage and accumulation of a ledger... before > moving in to the main chain. > > > As I posted to bitcoin-discuss last week, I support UTXO commitments for > sidechains. > > Seems better to me than messing with the main chain's incentive structure > via merged mining. > > > I don't think that blind merged mining messes with the main chain's > incentive structure. Miners are free to ignore the sidechain (and yet still > get paid the same as other miners), as are all mainchain users. > > Paul > > > On Thu, Jun 22, 2017 at 9:27 AM, Paul Sztorc <truthcoin@gmail•com> wrote: > >> Hi Erik, >> >> I don't think that your design is competitive. Why would users tolerate a >> depreciation of X% per year, when there are alternatives which do not >> require such depreciation? It seems to me that none would. >> >> Paul >> >> On 6/20/2017 9:38 AM, Erik Aronesty wrote: >> >> - a proof-of-burn sidechain is the ultimate two-way peg. you have to >> burn bitcoin *or* side-chain tokens to mine the side chain. the size of >> the burn is the degree of security. i actually wrote code to do >> randomized blind burns where you have a poisson distribution >> (non-deterministic selected burn). there is no way to game it... it's >> very similar to algorand - but it uses burns instead of staking >> >> - you can then have a secure sidechain that issues a mining reward in >> sidechain tokens, which can be aggrregated and redeemed for bitcoins. the >> result of this is that any bitcoins held in the sidechain depreciate in >> value at a rate of X% per year. this deflation rate pays for increased >> security >> >> - logically this functions like an alt coin, with high inflation and >> cheap transactions. but the altcoin is pegged to bitcoin's price because >> of the pool of unredeemed bitcoins held within the side chain. >> >> >> >> On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc <truthcoin@gmail•com> wrote: >> >>> Hi Erik, >>> >>> As you know: >>> >>> 1. If a sidechain is merged mined it basically grows out of the existing >>> Bitcoin mining network. If it has a different PoW algorithm it is a new >>> mining network. >>> 2. The security (ie, hashrate) of any mining network would be determined >>> by the total economic value of the block. In Bitcoin this is >>> (subsidy+tx_fees)*price, but since a sidechain cannot issue new tokens it >>> would only be (tx_fees)*price. >>> >>> Unfortunately the two have a nasty correlation which can lead to a >>> disastrous self-fulfilling prophecy: users will avoid a network that is too >>> insecure; and if users avoid using a network, they will stop paying txn >>> fees and so the quantity (tx_fees)*price falls toward zero, erasing the >>> network's security. So it is quite problematic and I recommend just biting >>> the bullet and going with merged mining instead. >>> >>> And, the point may be moot. Bitcoin miners may decide that, given their >>> expertise in seeking out cheap sources of power/cooling, they might as well >>> mine both/all chains. So your suggestion may not achieve your desired >>> result (and would, meanwhile, consume more of the economy's resources -- >>> some of these would not contribute even to a higher hashrate). >>> >>> Paul >>> >>> >>> >>> >>> On 6/19/2017 1:11 PM, Erik Aronesty wrote: >>> >>> It would be nice to be able to enforce that a drivechain *not* have the >>> same POW as bitcoin. >>> >>> I suspect this is the only way to be sure that a drivechain doesn't >>> destabilize the main chain and push more power to miners that already have >>> too much power. >>> >>> >>> >>> >> >> > > [-- Attachment #2: Type: text/html, Size: 13550 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-23 14:19 ` Erik Aronesty @ 2017-06-23 14:51 ` Moral Agent 2017-06-23 18:11 ` Paul Sztorc 1 sibling, 0 replies; 43+ messages in thread From: Moral Agent @ 2017-06-23 14:51 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 8718 bytes --] >Miners who are able to deal with the bandwidth caused by drivechain coffee transactions will profit from these transactions, whereas smaller and more geographically distributed miners will not. Those miners will, in turn, build faster ASICs and buy more electricity and drive out smaller players. I think you are conflating 3 different (though overlapping) groups: 1. Block header generators. These need 'good internet' meaning very low latency, reasonable bandwidth, good place in network (e.g. FIBRE or mining backbone). They need reliable computers with enough RAM and CPU to validate prior blocks promptly and immediately assemble new blocks. 2. Hashers. These need cheap electricity, access to economical uses of waste heat, cheap mining hardware. e.g. IOT electric water heater. 3. ASIC manufacturers. These need lots of capital, etc. It might be helpful to keep these three groups distinct in your mind and conversation, and to use the protocol as a crowbar to pry them into separate people, or at a minimum make it economically possible to participate in one role without needing to participate in the other two. If different, geographically and politically dispersed groups are helping perform these functions, it aids decentralization. On Fri, Jun 23, 2017 at 10:19 AM, Erik Aronesty via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > > They would certainly not be cheap, because they are relatively more > expensive due to the extra depreciation cost. > > This depends on how long you expect to keep money on a side chain and how > many transactions you plan on doing. Inflation is a great way of paying > PoS / PoB miners - that cannot introduce issues with consolidation. If > you design the inflation schedule correctly, it should be balance > transaction costs *precisely*. Indeed, you can calculate the exact amount > of inflation needed to guarantee that a side chain is always exactly 10 > times cheaper than bitcoin. > > >As I posted to bitcoin-discuss last week, I support UTXO commitments for > sidechains. > > Indeed, I think side chain nodes should always be fast-synced from 6 month > old commitments and thus be ephemeral, cheap, and *never *appropriate for > long term storage. This would provide the best possible incentive > structure to keep the main chain secure, paid for with high clearing fees, > etc. > > > I don't think that blind merged mining messes with the main chain's > incentive structure > > The critical issue is that we cannot introduce protocol changes that > *further *incentivize geographical and institutional consolidation. > Miners who are able to deal with the bandwidth caused by drivechain coffee > transactions will profit from these transactions, whereas smaller and more > geographically distributed miners will not. Those miners will, in turn, > build faster ASICs and buy more electricity and drive out smaller players. > I think this is *abundantly *clear, and is the primary motivation > behind preserving block size limits. > > If this premise is false (which it may be), or is skewed so as to damage > bitcoin as a whole (could be as well), then that needs to be demonstrated > *first*. > > The lightning model does the opposite of this. Miners watch fees > increase and coming from an *orthoganal* protocol that cannot cause further > centralization. > > One problem is that the main chain also *must* grow in response to > bandwidth, or the disadvantages of using the main chain will weaken > financial support and hashrate securing it. I believe this is also true, > and that a "balancing act" will be Bitcoin's norm until we adopt something > like BIP103 - which provides a steady and appropriate growth. > > > > > > On Thu, Jun 22, 2017 at 4:30 PM, Paul Sztorc <truthcoin@gmail•com> wrote: > >> Responses inline. >> >> On 6/22/2017 9:45 AM, Erik Aronesty wrote: >> >> Users would tolerate depreciation because the intention is to have a >> cheap way of transacting using a two-way pegged chain that isn't controlled >> by miners. Who cares about some minor depreciation when the purpose of the >> chain is to do cheap secure transactions forever? >> >> >> Thus far you've claimed that these transactions would be "cheap", "[not] >> controlled by miners", and "secure". >> >> They would certainly not be cheap, because they are relatively more >> expensive due to the extra depreciation cost. >> >> I also doubt that they would be free of control by miners. 51% hashrate >> can always filter out any message they want from anywhere. >> >> For the same reason, I don't understand why they would be any more or >> less secure. >> >> So I think your way is just a more expensive way of accomplishing >> basically the same result. >> >> >> Add in UTXO commitments and you've got a system that is cheap and >> secure-enough for transfer. storage and accumulation of a ledger... before >> moving in to the main chain. >> >> >> As I posted to bitcoin-discuss last week, I support UTXO commitments for >> sidechains. >> >> Seems better to me than messing with the main chain's incentive structure >> via merged mining. >> >> >> I don't think that blind merged mining messes with the main chain's >> incentive structure. Miners are free to ignore the sidechain (and yet still >> get paid the same as other miners), as are all mainchain users. >> >> Paul >> >> >> On Thu, Jun 22, 2017 at 9:27 AM, Paul Sztorc <truthcoin@gmail•com> wrote: >> >>> Hi Erik, >>> >>> I don't think that your design is competitive. Why would users tolerate >>> a depreciation of X% per year, when there are alternatives which do not >>> require such depreciation? It seems to me that none would. >>> >>> Paul >>> >>> On 6/20/2017 9:38 AM, Erik Aronesty wrote: >>> >>> - a proof-of-burn sidechain is the ultimate two-way peg. you have to >>> burn bitcoin *or* side-chain tokens to mine the side chain. the size of >>> the burn is the degree of security. i actually wrote code to do >>> randomized blind burns where you have a poisson distribution >>> (non-deterministic selected burn). there is no way to game it... it's >>> very similar to algorand - but it uses burns instead of staking >>> >>> - you can then have a secure sidechain that issues a mining reward in >>> sidechain tokens, which can be aggrregated and redeemed for bitcoins. the >>> result of this is that any bitcoins held in the sidechain depreciate in >>> value at a rate of X% per year. this deflation rate pays for increased >>> security >>> >>> - logically this functions like an alt coin, with high inflation and >>> cheap transactions. but the altcoin is pegged to bitcoin's price because >>> of the pool of unredeemed bitcoins held within the side chain. >>> >>> >>> >>> On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc <truthcoin@gmail•com> >>> wrote: >>> >>>> Hi Erik, >>>> >>>> As you know: >>>> >>>> 1. If a sidechain is merged mined it basically grows out of the >>>> existing Bitcoin mining network. If it has a different PoW algorithm it is >>>> a new mining network. >>>> 2. The security (ie, hashrate) of any mining network would be >>>> determined by the total economic value of the block. In Bitcoin this is >>>> (subsidy+tx_fees)*price, but since a sidechain cannot issue new tokens it >>>> would only be (tx_fees)*price. >>>> >>>> Unfortunately the two have a nasty correlation which can lead to a >>>> disastrous self-fulfilling prophecy: users will avoid a network that is too >>>> insecure; and if users avoid using a network, they will stop paying txn >>>> fees and so the quantity (tx_fees)*price falls toward zero, erasing the >>>> network's security. So it is quite problematic and I recommend just biting >>>> the bullet and going with merged mining instead. >>>> >>>> And, the point may be moot. Bitcoin miners may decide that, given their >>>> expertise in seeking out cheap sources of power/cooling, they might as well >>>> mine both/all chains. So your suggestion may not achieve your desired >>>> result (and would, meanwhile, consume more of the economy's resources -- >>>> some of these would not contribute even to a higher hashrate). >>>> >>>> Paul >>>> >>>> >>>> >>>> >>>> On 6/19/2017 1:11 PM, Erik Aronesty wrote: >>>> >>>> It would be nice to be able to enforce that a drivechain *not* have the >>>> same POW as bitcoin. >>>> >>>> I suspect this is the only way to be sure that a drivechain doesn't >>>> destabilize the main chain and push more power to miners that already have >>>> too much power. >>>> >>>> >>>> >>>> >>> >>> >> >> > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 16476 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-23 14:19 ` Erik Aronesty 2017-06-23 14:51 ` Moral Agent @ 2017-06-23 18:11 ` Paul Sztorc 1 sibling, 0 replies; 43+ messages in thread From: Paul Sztorc @ 2017-06-23 18:11 UTC (permalink / raw) To: Erik Aronesty; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 6488 bytes --] On 6/23/2017 10:19 AM, Erik Aronesty wrote: > > They would certainly not be cheap, because they are relatively more expensive due to the > extra depreciation cost. > > If you design the inflation schedule correctly, it should be balance > transaction costs *precisely*. You have not explained how your scheme would cause a relative decrease in transaction costs. The way I see it, tx costs would be exactly the same, so it would in fact be impossible to design an inflation schedule to "balance" these costs (other than inflation of zero as I suggest). > > > I don't think that blind merged mining messes with the main chain's > incentive structure > > Miners who are able to deal with the bandwidth caused by drivechain > coffee transactions There is no additional bandwidth requirement. That is the point of BMM. They do not even need to run a sidechain node (to be paid just as much as if they had). --Paul > > On Thu, Jun 22, 2017 at 4:30 PM, Paul Sztorc <truthcoin@gmail•com > <mailto:truthcoin@gmail•com>> wrote: > > Responses inline. > > On 6/22/2017 9:45 AM, Erik Aronesty wrote: >> Users would tolerate depreciation because the intention is to >> have a cheap way of transacting using a two-way pegged chain that >> isn't controlled by miners. Who cares about some minor >> depreciation when the purpose of the chain is to do cheap secure >> transactions forever? > > Thus far you've claimed that these transactions would be "cheap", > "[not] controlled by miners", and "secure". > > They would certainly not be cheap, because they are relatively > more expensive due to the extra depreciation cost. > > I also doubt that they would be free of control by miners. 51% > hashrate can always filter out any message they want from anywhere. > > For the same reason, I don't understand why they would be any more > or less secure. > > So I think your way is just a more expensive way of accomplishing > basically the same result. > >> >> Add in UTXO commitments and you've got a system that is cheap and >> secure-enough for transfer. storage and accumulation of a >> ledger... before moving in to the main chain. > > As I posted to bitcoin-discuss last week, I support UTXO > commitments for sidechains. > >> Seems better to me than messing with the main chain's incentive >> structure via merged mining. > > I don't think that blind merged mining messes with the main > chain's incentive structure. Miners are free to ignore the > sidechain (and yet still get paid the same as other miners), as > are all mainchain users. > > Paul >> >> On Thu, Jun 22, 2017 at 9:27 AM, Paul Sztorc <truthcoin@gmail•com >> <mailto:truthcoin@gmail•com>> wrote: >> >> Hi Erik, >> >> I don't think that your design is competitive. Why would >> users tolerate a depreciation of X% per year, when there are >> alternatives which do not require such depreciation? It seems >> to me that none would. >> >> Paul >> >> On 6/20/2017 9:38 AM, Erik Aronesty wrote: >>> - a proof-of-burn sidechain is the ultimate two-way peg. >>> you have to burn bitcoin *or* side-chain tokens to mine the >>> side chain. the size of the burn is the degree of >>> security. i actually wrote code to do randomized blind >>> burns where you have a poisson distribution >>> (non-deterministic selected burn). there is no way to >>> game it... it's very similar to algorand - but it uses burns >>> instead of staking >>> >>> - you can then have a secure sidechain that issues a mining >>> reward in sidechain tokens, which can be aggrregated and >>> redeemed for bitcoins. the result of this is that any >>> bitcoins held in the sidechain depreciate in value at a rate >>> of X% per year. this deflation rate pays for increased >>> security >>> >>> - logically this functions like an alt coin, with high >>> inflation and cheap transactions. but the altcoin is >>> pegged to bitcoin's price because of the pool of unredeemed >>> bitcoins held within the side chain. >>> >>> >>> >>> On Tue, Jun 20, 2017 at 7:54 AM, Paul Sztorc >>> <truthcoin@gmail•com <mailto:truthcoin@gmail•com>> wrote: >>> >>> Hi Erik, >>> >>> As you know: >>> >>> 1. If a sidechain is merged mined it basically grows out >>> of the existing Bitcoin mining network. If it has a >>> different PoW algorithm it is a new mining network. >>> 2. The security (ie, hashrate) of any mining network >>> would be determined by the total economic value of the >>> block. In Bitcoin this is (subsidy+tx_fees)*price, but >>> since a sidechain cannot issue new tokens it would only >>> be (tx_fees)*price. >>> >>> Unfortunately the two have a nasty correlation which can >>> lead to a disastrous self-fulfilling prophecy: users >>> will avoid a network that is too insecure; and if users >>> avoid using a network, they will stop paying txn fees >>> and so the quantity (tx_fees)*price falls toward zero, >>> erasing the network's security. So it is quite >>> problematic and I recommend just biting the bullet and >>> going with merged mining instead. >>> >>> And, the point may be moot. Bitcoin miners may decide >>> that, given their expertise in seeking out cheap sources >>> of power/cooling, they might as well mine both/all >>> chains. So your suggestion may not achieve your desired >>> result (and would, meanwhile, consume more of the >>> economy's resources -- some of these would not >>> contribute even to a higher hashrate). >>> >>> Paul >>> >>> >>> >>> >>> On 6/19/2017 1:11 PM, Erik Aronesty wrote: >>>> It would be nice to be able to enforce that a >>>> drivechain *not* have the same POW as bitcoin. >>>> >>>> I suspect this is the only way to be sure that a >>>> drivechain doesn't destabilize the main chain and push >>>> more power to miners that already have too much power. >>>> >>>> >>> >>> >> >> > > [-- Attachment #2: Type: text/html, Size: 17036 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-06-19 16:04 ` Paul Sztorc [not found] ` <CAJowKgLJW=kJhcN4B7TbWXLb7U51tzYU3PFOy1m8JqKXqFsU4A@mail.gmail.com> @ 2017-07-12 22:43 ` Tao Effect 2017-07-13 0:26 ` Paul Sztorc 1 sibling, 1 reply; 43+ messages in thread From: Tao Effect @ 2017-07-12 22:43 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1.1: Type: text/plain, Size: 3742 bytes --] Paul, I'm assuming it's OK with you that I pick up from where we left off in the "Scaling Roadmap" thread [1], so as to be on-topic per your request. (For others reading, part of my reply to the previous email in this thread is here [2]). For reference, I said: > Isn't it different in the case of P2SH and SegWit, don't full nodes validate the script? > > In other words, miners don't have complete control over the coins, full nodes keep a check on them. > > At least that was my understanding, and if that's not the case then it doesn't make sense to me why Pieter would earlier in this thread object to Drivechain on the grounds that it's a different security model. CryptAxe's response was in part: > You guys are both right that it is a different security model, with the important distinction that it is opt-in. What I disagree with about what you said is only that we are encouraging more risky behavior by adding consensus rules via softfork. There are additional risks with drivechains, but not because of how the new consensus rules would be added (it would be the same risk as the P2SH softfork). I am now looking closer again at step number 4 in the Drivechain specification [2]: 4. Everyone waits for a period of, say, 3 days. This gives everyone an opportunity to make sure the same WT^ is in both the Bitcoin coinbase and the Sidechain header. If they’re different, everyone has plenty of time to contact each other, figure out what is going on, and restart the process until its right. It seems to me that where our disagreement lies is in this point. The Drivechain spec seems to claim that its use of anyone-can-pay is the same as P2SH (and in later emails you reference SegWit as well). Is this really true? The following suggests to me it isn't: 1. Pieter Wuille's email suggests he disagrees [4] 2. Per the question in [1], it's my understanding that P2SH transactions contain all of the information within themselves for full nodes to act as a check on miners mishandling the anyone-can-spend nature of P2SH transactions. However, that does not seem to be the case with WT^ transactions. In P2SH txns, there is no need for anyone to, as the Drivechain spec says, "to contact each other, figure out what is going on". Everything just automatically works. If the security of WT^ transactions could be brought up to actually be in line with the security of P2SH and SegWit transactions, then I would have far less to object to. Kind regards, Greg Slepak [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-July/014763.html <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-July/014763.html> [2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-July/014745.html <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-July/014745.html> [3] http://www.truthcoin.info/blog/drivechain/ <http://www.truthcoin.info/blog/drivechain/> [4] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-July/014721.html <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-July/014721.html> -- Please do not email me anything that you are not comfortable also sharing with the NSA. > On Jun 19, 2017, at 9:04 AM, Paul Sztorc <truthcoin@gmail•com <mailto:truthcoin@gmail•com>> wrote: > > Hi Greg, > > Responses below: > > On 6/18/2017 5:30 PM, Tao Effect wrote: >> In Drivechain, 51% of miners have total control and ownership over all >> of the sidechain coins. > > It would not be accurate to say that miners have "total" control. Miners > do control the destination of withdrawals, but they do not control the > withdrawal-duration nor the withdrawal-frequency. > [ ...snip.. ] [-- Attachment #1.2: Type: text/html, Size: 8221 bytes --] [-- Attachment #2: Message signed with OpenPGP --] [-- Type: application/pgp-signature, Size: 801 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-12 22:43 ` Tao Effect @ 2017-07-13 0:26 ` Paul Sztorc 2017-07-13 1:15 ` Tao Effect 0 siblings, 1 reply; 43+ messages in thread From: Paul Sztorc @ 2017-07-13 0:26 UTC (permalink / raw) To: Tao Effect; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3301 bytes --] The confusion below stems from his conflation of several different ideas. I will try to explicitly clarify a distinction between several types of user (or, "modes" of use if you prefer): [DC#0] -- Someone who does not upgrade their Bitcoin software (and is running, say, 0.13). However, they experience the effects of the new rules which miners add (as per the soft fork[s] to add drivechain functionality and individual drivechains). [DC#1] -- Someone who always upgrades to the latest version of the Bitcoin software, but otherwise has no interest in running/using sidechains. [DC#2] -- Someone who upgrades to the latest Bitcoin version, and decides to also become a full node of one or more sidechains, but who ever actually uses the sidechains. [DC#3] -- Someone who upgrades their software, runs sidechain full nodes, and actively moves money to and from these. On 7/12/2017 6:43 PM, Tao Effect wrote: > > I am now looking closer again at step number 4 in the Drivechain > specification [2]: > > 4. Everyone waits for a period of, say, 3 days. This gives > everyone an opportunity to make sure the same WT^ is in both the > Bitcoin coinbase and the Sidechain header. If they’re different, > everyone has plenty of time to contact each other, figure out what > is going on, and restart the process until its right. > > It seems to me that where our disagreement lies is in this point. > The Drivechain spec seems to claim that its use of anyone-can-pay is > the same as P2SH (and in later emails you reference SegWit as well). > Is this really true? FYI that document is nearly two years old, and although it is still overwhelmingly accurate, new optimizations allow us (I think) to push the waiting period to several weeks and the total ACK counting period up to several months. [DC#0] Yes [DC#1] Yes [DC#2] Yes [DC#3] Yes Because if a node doesn't have the sidechain's information, it will just assume every withdrawal is valid. This is comparable to someone who still hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. (And this is the main advantage of DC over extension blocks). > 2. Per the question in [1], it's my understanding that P2SH > transactions contain all of the information within themselves for full > nodes to act as a check on miners mishandling the anyone-can-spend > nature of P2SH transactions. However, that does not seem to be the > case with WT^ transactions. [DC#0] They do. [DC#1] They do. [DC#2] They do. [DC#3] They do. Again, from the perspective of a mainchain user, every withdrawal is valid. > In P2SH txns, there is no need for anyone to, as the Drivechain spec > says, "to contact each other, figure out what is going on". Everything > just automatically works. There is no *need* to this in Drivechain, either, for [DC#0] or [DC#1]. [DC#2] and [DC#3] would certainly have an interest in understanding what is going on, but that has absolutely nothing whatsoever to do with Bitcoin Core and so is off-topic for this mailing list. > If the security of WT^ transactions could be brought up to actually be > in line with the security of P2SH and SegWit transactions, then I > would have far less to object to. Somehow I doubt it. Paul [-- Attachment #2: Type: text/html, Size: 4978 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-13 0:26 ` Paul Sztorc @ 2017-07-13 1:15 ` Tao Effect 2017-07-13 2:58 ` Paul Sztorc 0 siblings, 1 reply; 43+ messages in thread From: Tao Effect @ 2017-07-13 1:15 UTC (permalink / raw) To: Paul Sztorc; +Cc: Bitcoin Dev [-- Attachment #1.1: Type: text/plain, Size: 5410 bytes --] Paul, > The confusion below stems from his conflation of several different ideas. I'm right here, are you having a conversation with me or are you on a stage talking to an audience? > FYI that document is nearly two years old, and although it is still overwhelmingly accurate, new optimizations allow us (I think) to push the waiting period to several weeks and the total ACK counting period up to several months. What does that have to do with my question? The counting period, if I understood correctly, is something miners do, not full nodes. Also, if the document is old and/or outdated, do you happen to have a link to a more update-to-date version of the spec? It would be helpful for review. > Because if a node doesn't have the sidechain's information, it will just assume every withdrawal is valid. This is comparable to someone who still hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. Right, for [DC#0] and [DC#1], but for [DC#2] an [DC#3] you marked it as "Yes" without substantiating why you did so. > Again, from the perspective of a mainchain user, every withdrawal is valid. And that is not how P2SH works. > [DC#2] and [DC#3] would certainly have an interest in understanding what is going on, but that has absolutely nothing whatsoever to do with Bitcoin Core and so is off-topic for this mailing list. How is that an answer to my question? What does "[DC#2] and [DC#3] would certainly have an interest in understanding what is going on" mean? In P2SH, all upgraded nodes will reject invalid P2SH transactions, period. What exactly would [DC#2] and [DC#3] nodes do when faced with an invalid WT^ transaction — invalid in the sense that it contains funds which miners are stealing? Again, in P2SH miners cannot steal funds, because all full nodes have a fully automatic enforcement policy. Kind regards, Greg Slepak -- Please do not email me anything that you are not comfortable also sharing with the NSA. > On Jul 12, 2017, at 5:26 PM, Paul Sztorc <truthcoin@gmail•com <mailto:truthcoin@gmail•com>> wrote: > > The confusion below stems from his conflation of several different ideas. > > I will try to explicitly clarify a distinction between several types of user (or, "modes" of use if you prefer): > > [DC#0] -- Someone who does not upgrade their Bitcoin software (and is running, say, 0.13). However, they experience the effects of the new rules which miners add (as per the soft fork[s] to add drivechain functionality and individual drivechains). > [DC#1] -- Someone who always upgrades to the latest version of the Bitcoin software, but otherwise has no interest in running/using sidechains. > [DC#2] -- Someone who upgrades to the latest Bitcoin version, and decides to also become a full node of one or more sidechains, but who ever actually uses the sidechains. > [DC#3] -- Someone who upgrades their software, runs sidechain full nodes, and actively moves money to and from these. > > > On 7/12/2017 6:43 PM, Tao Effect wrote: >> >> I am now looking closer again at step number 4 in the Drivechain specification [2]: >> >> 4. Everyone waits for a period of, say, 3 days. This gives everyone an opportunity to make sure the same WT^ is in both the Bitcoin coinbase and the Sidechain header. If they’re different, everyone has plenty of time to contact each other, figure out what is going on, and restart the process until its right. >> It seems to me that where our disagreement lies is in this point. >> The Drivechain spec seems to claim that its use of anyone-can-pay is the same as P2SH (and in later emails you reference SegWit as well). Is this really true? > FYI that document is nearly two years old, and although it is still overwhelmingly accurate, new optimizations allow us (I think) to push the waiting period to several weeks and the total ACK counting period up to several months. > > [DC#0] Yes > [DC#1] Yes > [DC#2] Yes > [DC#3] Yes > > Because if a node doesn't have the sidechain's information, it will just assume every withdrawal is valid. This is comparable to someone who still hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. > > (And this is the main advantage of DC over extension blocks). > > >> 2. Per the question in [1], it's my understanding that P2SH transactions contain all of the information within themselves for full nodes to act as a check on miners mishandling the anyone-can-spend nature of P2SH transactions. However, that does not seem to be the case with WT^ transactions. > [DC#0] They do. > [DC#1] They do. > [DC#2] They do. > [DC#3] They do. > > Again, from the perspective of a mainchain user, every withdrawal is valid. > > >> In P2SH txns, there is no need for anyone to, as the Drivechain spec says, "to contact each other, figure out what is going on". Everything just automatically works. > There is no *need* to this in Drivechain, either, for [DC#0] or [DC#1]. > > [DC#2] and [DC#3] would certainly have an interest in understanding what is going on, but that has absolutely nothing whatsoever to do with Bitcoin Core and so is off-topic for this mailing list. > > >> If the security of WT^ transactions could be brought up to actually be in line with the security of P2SH and SegWit transactions, then I would have far less to object to. > Somehow I doubt it. > > > Paul [-- Attachment #1.2: Type: text/html, Size: 11403 bytes --] [-- Attachment #2: Message signed with OpenPGP --] [-- Type: application/pgp-signature, Size: 801 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-13 1:15 ` Tao Effect @ 2017-07-13 2:58 ` Paul Sztorc 2017-07-13 3:24 ` Tao Effect 2017-07-13 13:17 ` Hampus Sjöberg 0 siblings, 2 replies; 43+ messages in thread From: Paul Sztorc @ 2017-07-13 2:58 UTC (permalink / raw) Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 9708 bytes --] I will repeat that Drivechain can sometimes be confusing because it is different things to different people. Here is my attempt to break it down into different modes: [DC#0] -- Someone who does not upgrade their Bitcoin software (and is running, say, 0.13). However, they experience the effects of the new rules which miners add (as per the soft fork[s] to add drivechain functionality and individual drivechains). [DC#1] -- Someone who always upgrades to the latest version of the Bitcoin software, but otherwise has no interest in running/using sidechains. [DC#2] -- Someone who upgrades to the latest Bitcoin version, and decides to also become a full node of one or more sidechains, but who ever actually uses the sidechains. [DC#3] -- Someone who upgrades their software, runs sidechain full nodes, and actively moves money to and from these. Greg is still conflating modes [DC#1] and [DC#3]. Specifically, he equivocates on the team "steal", using it to mean two different things: [a] spending an invalid transaction, and [b] a withdrawal that would not match the report given by a sidechain node. The two are quite different, see my comments below: On 7/12/2017 9:15 PM, Tao Effect wrote: >> FYI that document is nearly two years old, and although it is still >> overwhelmingly accurate, new optimizations allow us (I think) to push >> the waiting period to several weeks and the total ACK counting period >> up to several months. > What does that have to do with my question? The counting period, if I > understood correctly, is something miners do, not full nodes. Greg quoted a passage that contained an older parameter estimate of "a few days", and I thought it would be helpful and informative if I clarified that the parameter estimate had been updated to a new (more secure) value. In point of fact, he is wrong, because nodes do the counting. When miners find a block, they can choose to move the counter up, down, or not at all. But nodes do the counting. > Also, if the document is old and/or outdated, do you happen to have a > link to a more update-to-date version of the spec? It would be helpful > for review. As I stated above, the document is mostly accurate. There is no other more up to date version. >> Because if a node doesn't have the sidechain's information, it will >> just assume every withdrawal is valid. This is comparable to someone >> who still hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. > > Right, for [DC#0] and [DC#1], but for [DC#2] an [DC#3] you marked it > as "Yes" without substantiating why you did so. Above, Greg omitted his original question. For reference, it was: > The Drivechain spec seems to claim that its use of anyone-can-pay is the same as P2SH The answer is that both DC and P2SH use transactions which are 'always valid' to some group of people (un-upgraded users) but which are sometimes invalid to new users. So the only difference would be for [DC#0] vs other versions, but this difference is trivial as miners will censor invalid txns. It is your classic soft fork situation. >> Again, from the perspective of a mainchain user, every withdrawal is >> valid. > And that is not how P2SH works. Again, keep in mind that Greg continually conflates two different things: 1. Whether the soft fork rules have been followed, and 2. Whether the WT^ submitted by a majority hashrate matches the one calculated by sidechain nodes. The first case is exactly equal to P2SH. Just as old nodes accept every P2SH transaction, so too will [DC#0] users accept every WT^ transaction. In the second case, it so happens that [DC#1], [DC#2], and [DC#3] would also accept any WT^ *that followed the Drivechain rules*, even if they did not like the outcome (because the outcome in question was arbitrarily designated as a "theft" of funds -- again, see the second case in the list above). In this way, it is exactly similar to P2SH because nodes will accept *any* p2sh txn **that follows the p2sh rules**, even if they don't "like" the specific script contained within (for example, because it is a theft of "their" BitFinex funds, or a donation to a political candidate they dislike, etc). >> [DC#2] and [DC#3] would certainly have an interest in understanding >> what is going on, but that has absolutely nothing whatsoever to do >> with Bitcoin Core and so is off-topic for this mailing list. > How is that an answer to my question? Greg is, of course, not entitled to an answer to irrelevant questions -- just as he would not be entitled to an answer if he asked for my favorite color or my home address. And such answers would needlessly consume the mailing list's scarce time. > What does "[DC#2] and [DC#3] would certainly have an interest in > understanding what is going on" mean? It is clear to me that, if we are not clear on the basics first, we cannot hope to tackle anything intermediate. We will come back to this after clearing up soft fork part. > In P2SH, all upgraded nodes will reject invalid P2SH transactions, period. In DC, all upgraded nodes will reject invalid DC transactions, period. > What exactly would [DC#2] and [DC#3] nodes do when faced with an > invalid WT^ transaction — invalid in the sense that it contains funds > which miners are stealing? The [DC#2] and [DC#3] nodes would do exactly what the [DC#0] and [DC#1] nodes do. This is what I mean by "every withdrawal is valid". > Again, in P2SH miners cannot steal funds, because all full nodes have > a fully automatic enforcement policy. In DC, miners cannot steal funds, because all full nodes have a fully automatic enforcement policy. However, DC *allows* users to choose to place some of their BTC at the relative mercy of the miners in creative ways, if they wish (as does P2SH -- someone could write a script which donates funds to miners, and then fund it... "paying" to that script). This is another example of conflating [DC#1] and [DC#3]. Paul >> On Jul 12, 2017, at 5:26 PM, Paul Sztorc <truthcoin@gmail•com >> <mailto:truthcoin@gmail•com>> wrote: >> >> The confusion below stems from his conflation of several different ideas. >> >> I will try to explicitly clarify a distinction between several types >> of user (or, "modes" of use if you prefer): >> >> [DC#0] -- Someone who does not upgrade their Bitcoin software (and is >> running, say, 0.13). However, they experience the effects of the new >> rules which miners add (as per the soft fork[s] to add drivechain >> functionality and individual drivechains). >> [DC#1] -- Someone who always upgrades to the latest version of the >> Bitcoin software, but otherwise has no interest in running/using >> sidechains. >> [DC#2] -- Someone who upgrades to the latest Bitcoin version, and >> decides to also become a full node of one or more sidechains, but who >> ever actually uses the sidechains. >> [DC#3] -- Someone who upgrades their software, runs sidechain full >> nodes, and actively moves money to and from these. >> >> >> On 7/12/2017 6:43 PM, Tao Effect wrote: >>> >>> I am now looking closer again at step number 4 in the Drivechain >>> specification [2]: >>> >>> 4. Everyone waits for a period of, say, 3 days. This gives >>> everyone an opportunity to make sure the same WT^ is in both the >>> Bitcoin coinbase and the Sidechain header. If they’re different, >>> everyone has plenty of time to contact each other, figure out >>> what is going on, and restart the process until its right. >>> >>> It seems to me that where our disagreement lies is in this point. >>> The Drivechain spec seems to claim that its use of anyone-can-pay is >>> the same as P2SH (and in later emails you reference SegWit as well). >>> Is this really true? >> FYI that document is nearly two years old, and although it is still >> overwhelmingly accurate, new optimizations allow us (I think) to push >> the waiting period to several weeks and the total ACK counting period >> up to several months. >> >> [DC#0] Yes >> [DC#1] Yes >> [DC#2] Yes >> [DC#3] Yes >> >> Because if a node doesn't have the sidechain's information, it will >> just assume every withdrawal is valid. This is comparable to someone >> who still hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. >> >> (And this is the main advantage of DC over extension blocks). >> >> >>> 2. Per the question in [1], it's my understanding that P2SH >>> transactions contain all of the information within themselves for >>> full nodes to act as a check on miners mishandling the >>> anyone-can-spend nature of P2SH transactions. However, that does not >>> seem to be the case with WT^ transactions. >> [DC#0] They do. >> [DC#1] They do. >> [DC#2] They do. >> [DC#3] They do. >> >> Again, from the perspective of a mainchain user, every withdrawal is >> valid. >> >> >>> In P2SH txns, there is no need for anyone to, as the Drivechain spec >>> says, "to contact each other, figure out what is going on". >>> Everything just automatically works. >> There is no *need* to this in Drivechain, either, for [DC#0] or [DC#1]. >> >> [DC#2] and [DC#3] would certainly have an interest in understanding >> what is going on, but that has absolutely nothing whatsoever to do >> with Bitcoin Core and so is off-topic for this mailing list. >> >> >>> If the security of WT^ transactions could be brought up to actually >>> be in line with the security of P2SH and SegWit transactions, then I >>> would have far less to object to. >> Somehow I doubt it. >> >> >> Paul > [-- Attachment #2: Type: text/html, Size: 17864 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-13 2:58 ` Paul Sztorc @ 2017-07-13 3:24 ` Tao Effect 2017-07-13 15:39 ` Paul Sztorc 2017-07-13 13:17 ` Hampus Sjöberg 1 sibling, 1 reply; 43+ messages in thread From: Tao Effect @ 2017-07-13 3:24 UTC (permalink / raw) To: Paul Sztorc, Bitcoin Protocol Discussion [-- Attachment #1.1: Type: text/plain, Size: 10033 bytes --] Dear Paul, > In point of fact, he is wrong, because nodes do the counting. When miners find a block, they can choose to move the counter up, down, or not at all. But nodes do the counting. I may very well have confused who counts what, but for this discussion on *theft* it's irrelevant, so I won't push further on this. Let's move on to the theft. > Again, keep in mind that Greg continually conflates two different things: > 1. Whether the soft fork rules have been followed, and > 2. Whether the WT^ submitted by a majority hashrate matches the one calculated by sidechain nodes. > > The first case is exactly equal to P2SH. Just as old nodes accept every P2SH transaction, so too will [DC#0] users accept every WT^ transaction. To be crystal clear: I am entirely uninterested in the un-upgraded nodes, what you call [DC#0]. They are irrelevant to my argument. > In the second case, it so happens that [DC#1], [DC#2], and [DC#3] would also accept any WT^ *that followed the Drivechain rules*, even if they did not like the outcome (because the outcome in question was arbitrarily designated as a "theft" of funds -- again, see the second case in the list above). In this way, it is exactly similar to P2SH because nodes will accept *any* p2sh txn **that follows the p2sh rules**, even if they don't "like" the specific script contained within (for example, because it is a theft of "their" BitFinex funds, or a donation to a political candidate they dislike, etc). This is false. For miners to steal P2SH funds, the P2SH script would have to be coded to explicitly allow them to do it. How many P2SH scripts are you aware of that are used for the purpose of facilitating such theft? I know of none, and I bet there are none. Whereas in DC, every single usage of DC allows miners to steal funds. >> In P2SH, all upgraded nodes will reject invalid P2SH transactions, period. > > In DC, all upgraded nodes will reject invalid DC transactions, period. It appears you are playing games with the meaning of "invalid" here, so that sentence is invalid. I was very clear what I meant by "invalid" in my email: WT^ transactions that represent miners stealing funds. Please stick to that and do not play word games. > The [DC#2] and [DC#3] nodes would do exactly what the [DC#0] and [DC#1] nodes do. This is what I mean by "every withdrawal is valid". So, here you are again re-affirming that WT^ transactions representing stolen funds are allowed in DC, and by tying them all together you are also affirming that the SPV proofs mentioned in DC are completely irrelevant / pointless / unused. >> Again, in P2SH miners cannot steal funds, because all full nodes have a fully automatic enforcement policy. > > In DC, miners cannot steal funds, because all full nodes have a fully automatic enforcement policy. > > However, DC *allows* users to choose to place some of their BTC at the relative mercy of the miners in creative ways, if they wish (as does P2SH -- someone could write a script which donates funds to miners, and then fund it... "paying" to that script). This is another example of conflating [DC#1] and [DC#3]. So in the first sentence you say they "cannot steal funds", but everything else you've said, including the following paragraph, and your specification, indicates they can. I've finally collected all my thoughts / concerns and have also summarized them in this document: https://gist.github.com/taoeffect/9ff64cf78cf1408ec29f13ed39e534c9 <https://gist.github.com/taoeffect/9ff64cf78cf1408ec29f13ed39e534c9> Kind regards, Greg Slepak -- Please do not email me anything that you are not comfortable also sharing with the NSA. > On Jul 12, 2017, at 7:58 PM, Paul Sztorc via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote: > > I will repeat that Drivechain can sometimes be confusing because it is different things to different people. > > Here is my attempt to break it down into different modes: > > [DC#0] -- Someone who does not upgrade their Bitcoin software (and is running, say, 0.13). However, they experience the effects of the new rules which miners add (as per the soft fork[s] to add drivechain functionality and individual drivechains). > [DC#1] -- Someone who always upgrades to the latest version of the Bitcoin software, but otherwise has no interest in running/using sidechains. > [DC#2] -- Someone who upgrades to the latest Bitcoin version, and decides to also become a full node of one or more sidechains, but who ever actually uses the sidechains. > [DC#3] -- Someone who upgrades their software, runs sidechain full nodes, and actively moves money to and from these. > > Greg is still conflating modes [DC#1] and [DC#3]. Specifically, he equivocates on the team "steal", using it to mean two different things: [a] spending an invalid transaction, and [b] a withdrawal that would not match the report given by a sidechain node. > > The two are quite different, see my comments below: > > > On 7/12/2017 9:15 PM, Tao Effect wrote: >>> FYI that document is nearly two years old, and although it is still overwhelmingly accurate, new optimizations allow us (I think) to push the waiting period to several weeks and the total ACK counting period up to several months. >> >> What does that have to do with my question? The counting period, if I understood correctly, is something miners do, not full nodes. > > Greg quoted a passage that contained an older parameter estimate of "a few days", and I thought it would be helpful and informative if I clarified that the parameter estimate had been updated to a new (more secure) value. > > In point of fact, he is wrong, because nodes do the counting. When miners find a block, they can choose to move the counter up, down, or not at all. But nodes do the counting. > > >> Also, if the document is old and/or outdated, do you happen to have a link to a more update-to-date version of the spec? It would be helpful for review. > > As I stated above, the document is mostly accurate. There is no other more up to date version. > > >>> Because if a node doesn't have the sidechain's information, it will just assume every withdrawal is valid. This is comparable to someone who still hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. >> >> Right, for [DC#0] and [DC#1], but for [DC#2] an [DC#3] you marked it as "Yes" without substantiating why you did so. > > > Above, Greg omitted his original question. For reference, it was: > >> The Drivechain spec seems to claim that its use of anyone-can-pay is the same as P2SH > > The answer is that both DC and P2SH use transactions which are 'always valid' to some group of people (un-upgraded users) but which are sometimes invalid to new users. So the only difference would be for [DC#0] vs other versions, but this difference is trivial as miners will censor invalid txns. > > It is your classic soft fork situation. > > >>> Again, from the perspective of a mainchain user, every withdrawal is valid. >> >> And that is not how P2SH works. > > Again, keep in mind that Greg continually conflates two different things: > 1. Whether the soft fork rules have been followed, and > 2. Whether the WT^ submitted by a majority hashrate matches the one calculated by sidechain nodes. > > The first case is exactly equal to P2SH. Just as old nodes accept every P2SH transaction, so too will [DC#0] users accept every WT^ transaction. > > In the second case, it so happens that [DC#1], [DC#2], and [DC#3] would also accept any WT^ *that followed the Drivechain rules*, even if they did not like the outcome (because the outcome in question was arbitrarily designated as a "theft" of funds -- again, see the second case in the list above). In this way, it is exactly similar to P2SH because nodes will accept *any* p2sh txn **that follows the p2sh rules**, even if they don't "like" the specific script contained within (for example, because it is a theft of "their" BitFinex funds, or a donation to a political candidate they dislike, etc). > > >>> [DC#2] and [DC#3] would certainly have an interest in understanding what is going on, but that has absolutely nothing whatsoever to do with Bitcoin Core and so is off-topic for this mailing list. >> >> How is that an answer to my question? > > Greg is, of course, not entitled to an answer to irrelevant questions -- just as he would not be entitled to an answer if he asked for my favorite color or my home address. And such answers would needlessly consume the mailing list's scarce time. > > >> What does "[DC#2] and [DC#3] would certainly have an interest in understanding what is going on" mean? > > It is clear to me that, if we are not clear on the basics first, we cannot hope to tackle anything intermediate. We will come back to this after clearing up soft fork part. > > >> In P2SH, all upgraded nodes will reject invalid P2SH transactions, period. > > In DC, all upgraded nodes will reject invalid DC transactions, period. > > >> What exactly would [DC#2] and [DC#3] nodes do when faced with an invalid WT^ transaction — invalid in the sense that it contains funds which miners are stealing? > > The [DC#2] and [DC#3] nodes would do exactly what the [DC#0] and [DC#1] nodes do. This is what I mean by "every withdrawal is valid". > > >> Again, in P2SH miners cannot steal funds, because all full nodes have a fully automatic enforcement policy. > > In DC, miners cannot steal funds, because all full nodes have a fully automatic enforcement policy. > > However, DC *allows* users to choose to place some of their BTC at the relative mercy of the miners in creative ways, if they wish (as does P2SH -- someone could write a script which donates funds to miners, and then fund it... "paying" to that script). This is another example of conflating [DC#1] and [DC#3]. > > Paul [-- Attachment #1.2: Type: text/html, Size: 45345 bytes --] [-- Attachment #2: Message signed with OpenPGP --] [-- Type: application/pgp-signature, Size: 801 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-13 3:24 ` Tao Effect @ 2017-07-13 15:39 ` Paul Sztorc 0 siblings, 0 replies; 43+ messages in thread From: Paul Sztorc @ 2017-07-13 15:39 UTC (permalink / raw) To: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 6908 bytes --] Greg is still conflating two different usages of the word "theft": 1. Whether the soft fork rules have been followed, and 2. Whether the WT^ submitted by a majority hashrate matches the one calculated by sidechain nodes. In his message he claims to uniquely adopt definition #2, saying (emphasis added): > I was very clear what I meant by "invalid" in my email: WT^ > transactions that represent miners stealing funds. **Please stick to > that** and do not play word games. ...however, he revokes that commitment below when it suits his purposes. Since Greg's message is probably too confusing to be helpful, I will first clarify both cases: Case 1 -- soft fork rules -- all "invalid_1" txns are regarded as "theft_1" and are rejected. Case 2 -- sidechain's unique consensus rules -- all WT^ are accepted (if these WT^ are valid_1 under the Case 1 rules), whether they match the sidechain's reported WT^ or not (in other words, whether they are valid_2 or not). In Case 2, the mainchain accepts all WT^ transactions as "valid", in that they can be included in a block, whether or not they are "valid_2". By design, sidechains make no effort to validate the rules specific to each sidechain, just as they make no effort to validate the rules of Altcoins. In this way, a WT^ transaction is comparable to someone who is selling an Altcoin to purchase some Bitcoin -- Bitcoin doesn't care how they got the Altcoin. On 7/12/2017 11:24 PM, Tao Effect wrote: > Dear Paul, > >> In point of fact, he is wrong, because nodes do the counting. When >> miners find a block, they can choose to move the counter up, down, or >> not at all. But nodes do the counting. > > I may very well have confused who counts what To be clear: yes, Greg did get it confused. And it is very important, because a neglect of the node-enforced rules is a neglect of **both** theft_1 and theft_2 simultaneously, making it easier to conflate the both of them as Greg is still doing. >> In the second case, it so happens that [DC#1], [DC#2], and [DC#3] >> would also accept any WT^ *that followed the Drivechain rules*, even >> if they did not like the outcome (because the outcome in question was >> arbitrarily designated as a "theft" of funds -- again, see the second >> case in the list above). In this way, it is exactly similar to P2SH >> because nodes will accept *any* p2sh txn **that follows the p2sh >> rules**, even if they don't "like" the specific script contained >> within (for example, because it is a theft of "their" BitFinex funds, >> or a donation to a political candidate they dislike, etc). > > This is false. > > For miners to steal P2SH funds, the P2SH script would have to be coded > to explicitly allow them to do it. > > How many P2SH scripts are you aware of that are used for the purpose > of facilitating such theft? > > I know of none, and I bet there are none. This is the instance I mentioned above -- despite committing to only discussing theft_2, Greg has secretly switched back to theft_1, when he talks about a "P2SH script...used for the purpose of facilitating theft". Under theft_2, there is no way to infer the theft-ness of the transaction from the script itself. For example, if someone made a 2-of-3 multisig with a third party escrow , and these funds were "stolen", this would be an example of funds "stolen" from a P2SH under "theft_2". At which point Greg would angrily say that whoever wrote P2SH was reckless and...allowed Bitcoins to be "stolen". Or perhaps he would switch definitions yet again, and say that "that doesn't count as theft". blah blah blah yada yada yada It is true that moving from pre-P2SH to post-P2SH has not --yet-- enabled any theft_2 as a result. But P2SH has also failed to enable sidechains. Sidechains logically must open the door to theft_2, else they will regress to the undesirable cases of hard/evil fork (as I explain in the spec). Empirically, we do not know how much theft_2 will be enabled by drivechain. Theoretically, it is possible that there will never be a theft_2 on drivechain. >> The [DC#2] and [DC#3] nodes would do exactly what the [DC#0] and >> [DC#1] nodes do. This is what I mean by "every withdrawal is valid". > > So, here you are again re-affirming that WT^ transactions representing > stolen funds are allowed in DC, and by tying them all together you are > also affirming that the SPV proofs mentioned in DC are completely > irrelevant / pointless / unused. I do not affirm the latter. The SPV proofs in DC are very important, as they are what allow nodes to enforce the delayed withdrawal upon miners. In fact, this is exactly what Greg admits to being confused about above. He is correct that he is confused. Experts including Adam Back (co-author of original sidechains paper, CEO of Blockstream which started the sidechains conversation) have publicly stated that they share my belief that this delayed withdrawal technique is likely to mitigate the threat of theft_2. Greg S is free to hold a different opinion. >>> Again, in P2SH miners cannot steal funds, because all full nodes >>> have a fully automatic enforcement policy. >> >> In DC, miners cannot steal funds, because all full nodes have a fully >> automatic enforcement policy. >> >> However, DC *allows* users to choose to place some of their BTC at >> the relative mercy of the miners in creative ways, if they wish (as >> does P2SH -- someone could write a script which donates funds to >> miners, and then fund it... "paying" to that script). This is another >> example of conflating [DC#1] and [DC#3]. > > So in the first sentence you say they "cannot steal funds", but > everything else you've said, including the following paragraph, and > your specification, indicates they can. Greg did not specify which theft so I had to guess in the above case. Above, I refer to "theft_1", the [DC#0] style theft. As always, no one can "steal_1" funds in that case. The reason I assumed Greg was talking about theft_1 and not theft_2, is because he mentioned P2SH and the fact that full nodes automatically enforce the network's rules. Drivechain's rules impose a new format, like P2SH, and have new rules which are automatically enforced by nodes. Greg's style is basically to confuse two things, ask unclear questions about them, and then try to discover "contradictions" in the mess that follows. But it is all a function of his conflation of terminology and nothing else. > I've finally collected all my thoughts / concerns and have also > summarized them in this document: > > https://gist.github.com/taoeffect/9ff64cf78cf1408ec29f13ed39e534c9 Given how little Greg understands, even after being hand-fed by me for days and weeks, I admit a totally nonexistent interest in reading it. Paul [-- Attachment #2: Type: text/html, Size: 11922 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-13 2:58 ` Paul Sztorc 2017-07-13 3:24 ` Tao Effect @ 2017-07-13 13:17 ` Hampus Sjöberg 2017-07-13 17:04 ` Paul Sztorc 1 sibling, 1 reply; 43+ messages in thread From: Hampus Sjöberg @ 2017-07-13 13:17 UTC (permalink / raw) To: Paul Sztorc, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 11339 bytes --] In softforks, I would argue that 100% of all nodes and miners need to upgrade to the new rules. This makes sure that trying to incorrectly spend an "AnyOneCanSpend" will result in a hardfork, instead of a temporary (or permanent) chainsplit. With drivechains, it seems like the current plan is to only let the nodes that are interested in the drivechain validate the other chain, and not necessarily 100% of the network. I guess this could be any percentage of the network, which could lead to a temporary/permanent chainsplit depending on how many percentage of the miners are also validating the other chain (am I missing something here?). I have no way to evaluate if this is an okay trade-off. It seems like major disruption could very likely happen if say only 5% of all fullnodes validate the drivechain. To be fully secure, it seems like 100% of all nodes should also have a fullnode for the drivechain as well... This is one of the reasons I don't advocate sidechains/drivechains as a scaling solution, it looks like it would have to the same outcome as a blocksize increase on the mainchain, but with more complexity. I think sidechains/drivechains could be useful for other things though. Thanks for all your work so far Paul. Hampus 2017-07-13 4:58 GMT+02:00 Paul Sztorc via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org>: > I will repeat that Drivechain can sometimes be confusing because it is > different things to different people. > > Here is my attempt to break it down into different modes: > > [DC#0] -- Someone who does not upgrade their Bitcoin software (and is > running, say, 0.13). However, they experience the effects of the new rules > which miners add (as per the soft fork[s] to add drivechain functionality > and individual drivechains). > [DC#1] -- Someone who always upgrades to the latest version of the Bitcoin > software, but otherwise has no interest in running/using sidechains. > [DC#2] -- Someone who upgrades to the latest Bitcoin version, and decides > to also become a full node of one or more sidechains, but who ever actually > uses the sidechains. > [DC#3] -- Someone who upgrades their software, runs sidechain full nodes, > and actively moves money to and from these. > > Greg is still conflating modes [DC#1] and [DC#3]. Specifically, he > equivocates on the team "steal", using it to mean two different things: [a] > spending an invalid transaction, and [b] a withdrawal that would not match > the report given by a sidechain node. > > The two are quite different, see my comments below: > > > On 7/12/2017 9:15 PM, Tao Effect wrote: > > FYI that document is nearly two years old, and although it is still > overwhelmingly accurate, new optimizations allow us (I think) to push the > waiting period to several weeks and the total ACK counting period up to > several months. > > What does that have to do with my question? The counting period, if I > understood correctly, is something miners do, not full nodes. > > > Greg quoted a passage that contained an older parameter estimate of "a few > days", and I thought it would be helpful and informative if I clarified > that the parameter estimate had been updated to a new (more secure) value. > > In point of fact, he is wrong, because nodes do the counting. When miners > find a block, they can choose to move the counter up, down, or not at all. > But nodes do the counting. > > > Also, if the document is old and/or outdated, do you happen to have a link > to a more update-to-date version of the spec? It would be helpful for > review. > > > As I stated above, the document is mostly accurate. There is no other more > up to date version. > > > Because if a node doesn't have the sidechain's information, it will just > assume every withdrawal is valid. This is comparable to someone who still > hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. > > > Right, for [DC#0] and [DC#1], but for [DC#2] an [DC#3] you marked it as > "Yes" without substantiating why you did so. > > > > Above, Greg omitted his original question. For reference, it was: > > The Drivechain spec seems to claim that its use of anyone-can-pay is the same as P2SH > > > The answer is that both DC and P2SH use transactions which are 'always > valid' to some group of people (un-upgraded users) but which are sometimes > invalid to new users. So the only difference would be for [DC#0] vs other > versions, but this difference is trivial as miners will censor invalid txns. > > It is your classic soft fork situation. > > > Again, from the perspective of a mainchain user, every withdrawal is valid. > > And that is not how P2SH works. > > > Again, keep in mind that Greg continually conflates two different things: > 1. Whether the soft fork rules have been followed, and > 2. Whether the WT^ submitted by a majority hashrate matches the one > calculated by sidechain nodes. > > The first case is exactly equal to P2SH. Just as old nodes accept every > P2SH transaction, so too will [DC#0] users accept every WT^ transaction. > > In the second case, it so happens that [DC#1], [DC#2], and [DC#3] would > also accept any WT^ *that followed the Drivechain rules*, even if they did > not like the outcome (because the outcome in question was arbitrarily > designated as a "theft" of funds -- again, see the second case in the list > above). In this way, it is exactly similar to P2SH because nodes will > accept *any* p2sh txn **that follows the p2sh rules**, even if they don't > "like" the specific script contained within (for example, because it is a > theft of "their" BitFinex funds, or a donation to a political candidate > they dislike, etc). > > > [DC#2] and [DC#3] would certainly have an interest in understanding what > is going on, but that has absolutely nothing whatsoever to do with Bitcoin > Core and so is off-topic for this mailing list. > > How is that an answer to my question? > > > Greg is, of course, not entitled to an answer to irrelevant questions -- > just as he would not be entitled to an answer if he asked for my favorite > color or my home address. And such answers would needlessly consume the > mailing list's scarce time. > > > What does "[DC#2] and [DC#3] would certainly have an interest in > understanding what is going on" mean? > > > It is clear to me that, if we are not clear on the basics first, we cannot > hope to tackle anything intermediate. We will come back to this after > clearing up soft fork part. > > > In P2SH, all upgraded nodes will reject invalid P2SH transactions, period. > > > In DC, all upgraded nodes will reject invalid DC transactions, period. > > > What exactly would [DC#2] and [DC#3] nodes do when faced with an invalid > WT^ transaction — invalid in the sense that it contains funds which miners > are stealing? > > > The [DC#2] and [DC#3] nodes would do exactly what the [DC#0] and [DC#1] > nodes do. This is what I mean by "every withdrawal is valid". > > > Again, in P2SH miners cannot steal funds, because all full nodes have a > fully automatic enforcement policy. > > > In DC, miners cannot steal funds, because all full nodes have a fully > automatic enforcement policy. > > However, DC *allows* users to choose to place some of their BTC at the > relative mercy of the miners in creative ways, if they wish (as does P2SH > -- someone could write a script which donates funds to miners, and then > fund it... "paying" to that script). This is another example of conflating > [DC#1] and [DC#3]. > > Paul > > > > > On Jul 12, 2017, at 5:26 PM, Paul Sztorc <truthcoin@gmail•com> wrote: > > The confusion below stems from his conflation of several different ideas. > > I will try to explicitly clarify a distinction between several types of > user (or, "modes" of use if you prefer): > > [DC#0] -- Someone who does not upgrade their Bitcoin software (and is > running, say, 0.13). However, they experience the effects of the new rules > which miners add (as per the soft fork[s] to add drivechain functionality > and individual drivechains). > [DC#1] -- Someone who always upgrades to the latest version of the Bitcoin > software, but otherwise has no interest in running/using sidechains. > [DC#2] -- Someone who upgrades to the latest Bitcoin version, and decides > to also become a full node of one or more sidechains, but who ever actually > uses the sidechains. > [DC#3] -- Someone who upgrades their software, runs sidechain full nodes, > and actively moves money to and from these. > > > On 7/12/2017 6:43 PM, Tao Effect wrote: > > > I am now looking closer again at step number 4 in the Drivechain > specification [2]: > > 4. Everyone waits for a period of, say, 3 days. This gives everyone an > opportunity to make sure the same WT^ is in both the Bitcoin coinbase and > the Sidechain header. If they’re different, everyone has plenty of time to > contact each other, figure out what is going on, and restart the process > until its right. > > It seems to me that where our disagreement lies is in this point. > The Drivechain spec seems to claim that its use of anyone-can-pay is the > same as P2SH (and in later emails you reference SegWit as well). Is this > really true? > > FYI that document is nearly two years old, and although it is still > overwhelmingly accurate, new optimizations allow us (I think) to push the > waiting period to several weeks and the total ACK counting period up to > several months. > > [DC#0] Yes > [DC#1] Yes > [DC#2] Yes > [DC#3] Yes > > Because if a node doesn't have the sidechain's information, it will just > assume every withdrawal is valid. This is comparable to someone who still > hasn't upgraded to support P2SH, in cases [DC#0] and [#1]. > > (And this is the main advantage of DC over extension blocks). > > > 2. Per the question in [1], it's my understanding that P2SH transactions > contain all of the information within themselves for full nodes to act as a > check on miners mishandling the anyone-can-spend nature of P2SH > transactions. However, that does not seem to be the case with WT^ > transactions. > > [DC#0] They do. > [DC#1] They do. > [DC#2] They do. > [DC#3] They do. > > Again, from the perspective of a mainchain user, every withdrawal is valid. > > > In P2SH txns, there is no need for anyone to, as the Drivechain spec says, > "to contact each other, figure out what is going on". Everything just > automatically works. > > There is no *need* to this in Drivechain, either, for [DC#0] or [DC#1]. > > [DC#2] and [DC#3] would certainly have an interest in understanding what > is going on, but that has absolutely nothing whatsoever to do with Bitcoin > Core and so is off-topic for this mailing list. > > > If the security of WT^ transactions could be brought up to actually be in > line with the security of P2SH and SegWit transactions, then I would have > far less to object to. > > Somehow I doubt it. > > > Paul > > > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 18339 bytes --] ^ permalink raw reply [flat|nested] 43+ messages in thread
* Re: [bitcoin-dev] Drivechain RfD -- Follow Up 2017-07-13 13:17 ` Hampus Sjöberg @ 2017-07-13 17:04 ` Paul Sztorc 0 siblings, 0 replies; 43+ messages in thread From: Paul Sztorc @ 2017-07-13 17:04 UTC (permalink / raw) To: Hampus Sjöberg, Bitcoin Protocol Discussion Hello, On 7/13/2017 9:17 AM, Hampus Sjöberg wrote: > In softforks, I would argue that 100% of all nodes and miners need to > upgrade to the new rules. > This makes sure that trying to incorrectly spend an "AnyOneCanSpend" > will result in a hardfork, instead of a temporary (or permanent) > chainsplit. > > With drivechains, it seems like the current plan is to only let the > nodes that are interested in the drivechain validate the other chain, > and not necessarily 100% of the network. Correct. > I guess this could be any percentage of the network, which could lead > to a temporary/permanent chainsplit depending on how many percentage > of the miners are also validating the other chain (am I missing > something here?). > I have no way to evaluate if this is an okay trade-off. > It seems like major disruption could very likely happen if say only 5% > of all fullnodes validate the drivechain. You are correct that some % of the network would be validating both chains. However, if miners improperly withdraw from a sidechain, it --by design-- does not lead to any chainsplit of any kind. Instead, the sidechain in question just dies a painful death (notice that, if any withdrawals are improper, it is quite as bad as if all of the sidechain funds were withdrawn improperly -- this is because the sidechain would instantly have a bunch of problems, including that it would be something-like 'fractional reserve' which would lead to an immediate bank run of withdrawals [none of which could have any real expectation of success, in my view]). In practice, a concern of mine is that people *would* try to turn a sidechain-theft even into some kind of grand UASF-style campaign. I would prefer for people not to do this. Then again, I do not hold this preference unconditionally -- I see it as comparable to Bitcoin's commitment to "the code is the spec". Which is to say that this commitment is overwhelmingly held, but not dogmatically as in exceptional cases such as theValue overflow incident [1]. I think that in such ambiguous cases, we must rely on [a] the miner's desire to maximize the purchasing power of each Bitcoin, and [b] the technical wisdom of Bitcoin's future leaders in helping miners to achieve this goal. [1] https://en.bitcoin.it/wiki/Value_overflow_incident > To be fully secure, it seems like 100% of all nodes should also have a > fullnode for the drivechain as well... Perhaps, but this is exactly what I am trying to avoid. The design goal, in some sense, is to have "half security", ie <100%. This is because the only way to achieve "full" 100% security is with full enforcement of all rules. Full enforcement of the rules, in turn, means either that we are exactly where we are right now (where we only add compatible rules, aka the traditional "soft fork") or we are [also] exactly where we are right now (in that if we add an incompatible rule, it results in a "hard fork"). I would like to build something new, which trades off on the qualities of each, and therefore lies (intentionally) somewhere in between. > This is one of the reasons I don't advocate sidechains/drivechains as > a scaling solution, it looks like it would have to the same outcome as > a blocksize increase on the mainchain, but with more complexity. Keep in mind that, if some people leave the small chain (what you might call the "Core" chain, although some disagree with summarizing it this way) for some other chain, it does free up more space on this chain. I'm not really sure the extent to which that "counts" as increasing capacity. Also, I agree that sc/dc do not help with "scalability", if that problem is defined as "better technology" or as "how to do more with less". Actually my full view is a little nuanced and it is here: http://www.drivechain.info/faq/index.html#can-sidechains-really-help-with-scaling > Thanks for all your work so far Paul. You're welcome! Paul ^ permalink raw reply [flat|nested] 43+ messages in thread
end of thread, other threads:[~2017-07-13 17:04 UTC | newest] Thread overview: 43+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-05-22 6:17 [bitcoin-dev] Drivechain -- Request for Discussion Paul Sztorc 2017-05-22 13:33 ` Peter Todd 2017-05-22 15:30 ` Paul Sztorc 2017-05-28 21:07 ` Peter Todd [not found] ` <CAJowKgJjNaoWVc=QXfOqH3OdBPoKm3qkfUNpKV6oKLSRx_fD0g@mail.gmail.com> [not found] ` <CAJowKgKFMXDE-yzEqYkY7c+80Mgn+iL9ZRNJbv9WhUBR32EvRg@mail.gmail.com> 2017-05-29 5:54 ` Erik Aronesty 2017-05-30 5:11 ` Paul Sztorc 2017-06-09 21:54 ` Sergio Demian Lerner 2017-06-10 16:28 ` Paul Sztorc 2017-05-22 14:39 ` ZmnSCPxj 2017-05-22 16:19 ` Paul Sztorc 2017-05-22 19:12 ` Tier Nolan 2017-05-22 20:00 ` Paul Sztorc 2017-05-23 9:51 ` Tier Nolan 2017-05-23 14:22 ` Paul Sztorc 2017-05-24 8:50 ` Tier Nolan 2017-05-24 10:05 ` Tier Nolan 2017-05-24 17:32 ` CryptAxe 2017-05-25 22:08 ` Tier Nolan 2017-06-18 14:36 ` Chris Stewart 2017-06-18 21:27 ` CryptAxe [not found] ` <CAGL6+mGZZ=wG8P_DNj3PXVf==mLjJwA_bESh0_UdH2iVBY7GQA@mail.gmail.com> 2017-06-19 15:41 ` Chris Stewart 2017-05-23 0:13 ` ZmnSCPxj 2017-05-23 14:12 ` Paul Sztorc 2017-05-23 23:26 ` ZmnSCPxj 2017-06-10 17:04 ` [bitcoin-dev] Drivechain RfD -- Follow Up Paul Sztorc 2017-06-18 21:30 ` Tao Effect 2017-06-19 16:04 ` Paul Sztorc [not found] ` <CAJowKgLJW=kJhcN4B7TbWXLb7U51tzYU3PFOy1m8JqKXqFsU4A@mail.gmail.com> 2017-06-20 11:54 ` Paul Sztorc 2017-06-20 13:38 ` Erik Aronesty 2017-06-22 13:27 ` Paul Sztorc 2017-06-22 13:45 ` Erik Aronesty 2017-06-22 20:30 ` Paul Sztorc 2017-06-23 14:19 ` Erik Aronesty 2017-06-23 14:51 ` Moral Agent 2017-06-23 18:11 ` Paul Sztorc 2017-07-12 22:43 ` Tao Effect 2017-07-13 0:26 ` Paul Sztorc 2017-07-13 1:15 ` Tao Effect 2017-07-13 2:58 ` Paul Sztorc 2017-07-13 3:24 ` Tao Effect 2017-07-13 15:39 ` Paul Sztorc 2017-07-13 13:17 ` Hampus Sjöberg 2017-07-13 17:04 ` Paul Sztorc
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox