> For those following this thread, we have now written a paper > describing the side-chains, 2-way pegs and compact SPV proofs. > (With additional authors Andrew Poelstra & Andrew Miller). > > http://blockstream.com/sidechains.pdf Haven't seen any material discussion of this paper in this mailing list, so I'll start. (Otherwise, I've seen Peter Todd's reaction on reddit.) This paper fails to demonstrate that sidechains are anything more than a wishful thinking. It can be distilled down to this: "We want such and such features, hence we'll use DMMS, the same thing Bitcoin uses, thus it will be secure!" Um, no. Alt-coins also use DMMS, but aren't as secure as Bitcoin. So DMMS does not work by itself, it is a mechanism to secure a blockchain using economic incentives. The sidechains paper does not mention this, as far as I can tell. In my opinion, this is not acceptable. If you're making a proposal, you need to describe what conditions are required for it to work. Authors are clearly aware of the problem and mention it in section 6 "Future directions" 6.1. "Hashpower attack resistance". The problem is they do not make it clear that the proposal just makes no sense until this is solved. In the discussions on reddit I've noticed that pretty much everybody believes that release of sidechains paper implies that the proposal is complete and now we are just waiting the implementation. It doesn't help that the paper itself tries to sweep the problem under the rug and has misleading statements. Particularly, I'm talking about section "4.2. Fraudulent transfers": "Reorganisations of arbitrary depth are in principle possible, which could allow an attacker to completely transfer coins between sidechains before causing a reorganisation longer than the contest period on the sending chain to undo its half of the transfer. ... If the attacker is allowed to return the transferred coins to the original chain, he would increase the number of coins in his possession at the expense of other users of the sidechain. Before discussing how to handle this, we observe that this risk can be made arbitrarily small by simply increasing the contest period for transfers." Wow, really? Is this risk stochastic? The first sentence implies that attacker is able to cause a reorganization of an arbitrary depth, but the rest of the section implies that reorganizations are a naturally occurring phenomenon. All in all, I find this paper really disappointing. It's going to be influential (9 co-authors, many of which are regarded as Bitcoin core developers, must be good!) and hyped, and thus might focus research on an area which is fundamentally flawed.