public inbox for bitcoindev@googlegroups.com
* [bitcoin-dev] Coins: A trustless sidechain protocol
@ 2020-01-12 18:54 Robin Linus
  2020-01-13  0:21 ` ZmnSCPxj
  2020-01-13 18:06 ` Joachim Strömbergson
  0 siblings, 2 replies; 22+ messages in thread
From: Robin Linus @ 2020-01-12 18:54 UTC
  To: bitcoin-dev

Hi all,

I've been working on a sidechain protocol with no trusted third party. You can find the [whitepaper here](http://coins.github.io/coins.pdf).

Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake. Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.

Feedback is highly appreciated!

Thank you

- Robin

PS: [Here on Github you can find further research on scalability and usability](https://github.com/coins/coins.github.io).

* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-12 18:54 [bitcoin-dev] Coins: A trustless sidechain protocol Robin Linus
@ 2020-01-13  0:21 ` ZmnSCPxj
  2020-01-13  2:02   ` Robin Linus
  2020-01-13 18:06 ` Joachim Strömbergson
  1 sibling, 1 reply; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-13  0:21 UTC
  To: Robin Linus, Bitcoin Protocol Discussion

Good morning Robin,

The reason why I stopped considering sidechains for scaling and have since moved to Lightning Network development was that, on reflection, I realized sidechains *still* do not scale, even with stakes anchored on the mainchain.
The issue is that sidechains, like any blockchain, still require everyone interested in it to propagate all their transactions to everyone else interested in it.
Contrast this with Lightning Network, where you select only a tiny handful of nodes to inform about your payment, even if you have a gigantic Lightning Network.

Or, more blithely: Let me get this straight, you already know blockchains cannot scale, so your scaling proposal involves making ***more*** blockchains?

You might point to the use of large numbers of sidechains with limited userbase, and the use of cross-chain atomic swaps to convert between sidecoins.
I would then point out that Lightning Network channels are cryptocurrency systems with two users (with significantly better security than a 2-user sidechain would have), and that Lightning Network payment routing is just the use of cross-channel atomic swaps to convert between channelcoins.
Indeed, with a multiparticipant offchain updateable cryptocurrency system mechanism, like Decker-Wattenhofer or Decker-Russell-Osuntokun ("eltoo"), you could entirely replace sidechains with a mechanism that does not give custody of your funds to anyone else, since you can always insist on using n-of-n signing with you included in the signer set to prevent state changes that do not have your approval.

---

You could implement the collateral contract with a simple `<one year> OP_CHECKSEQUENCEVERIFY OP_DROP <A> OP_CHECKSIG`, with a single-sign signature used at the consensus layer for your sidechain.
`OP_CHECKSEQUENCEVERIFY` ensures, as a side effect, that the spending transaction opts in to RBF.
Thus, if the pubkey `<A>` is used in a single-sign signature scheme (which reveals the privkey if double-signed), then at the end of the period, anyone who saw the double-signing can claim that fund and thus act as "Bob".
Indeed, many "Bob"s will act and claim this fund, increasing the fee each time to try to get their version onchain.
Eventually, some "Bob" will just put the entire fund as fee and put a measly `OP_RETURN` as single output.
This "burns" the funds by donating it to miners.

From the point of view of Alice this is hardly distinguishable from losing the fund right now, since Alice will have a vanishingly low chance of spending it after the collateral period ends, and Alice still cannot touch the funds now anyway.
Alice also cannot plausibly bribe a miner, since the miner could always get more funds by replacing the transaction internally with a spend-everything-on-fees `OP_RETURN` output transaction, and can only persuade the miner not to engage in this behavior by offering more than the collateral is worth (which is always worse than just losing the collateral).

An `OP_CHECKTEMPLATEVERIFY` would work better for this use-case, but even without it you do not need a *single* *tr\*sted* Bob to implement the collateral contract.

Regards,
ZmnSCPxj
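
The collateral contract described in the message above, as an added example that is not part of the thread or of the Coins paper: it serializes `<one year> OP_CHECKSEQUENCEVERIFY OP_DROP <A> OP_CHECKSIG` with the lock expressed in blocks, and shows how two votes signed under one nonce reveal the key behind `<A>`. The Schnorr-style signature, the one-nonce-per-slot rule, the 144-blocks-per-day figure and all key material are assumptions made for illustration.

```python
"""Added illustration; not code from the thread or the Coins paper."""
import hashlib

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo secrets (assumptions, never real keys).
X = 0x1234567890ABCDEF1234567890ABCDEF  # validator private key behind <A>
K = 0x0FEDCBA9876543210FEDCBA987654321  # nonce the validator may use once per slot
ONE_YEAR_BLOCKS = 144 * 365             # assumed ~144 blocks per day -> 52560

OP_CHECKSEQUENCEVERIFY, OP_DROP, OP_CHECKSIG = 0xB2, 0x75, 0xAC

def ec_add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1] % P, -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def compress(pt):
    """33-byte compressed public key encoding."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def challenge(R, A, msg):
    digest = hashlib.sha256(compress(R) + compress(A) + msg).digest()
    return int.from_bytes(digest, "big") % N

def sign_once(x, k, msg):
    """Schnorr-style vote: s = k + e*x mod n, with R = k*G fixed for the slot."""
    R, A = ec_mul(k), ec_mul(x)
    return R, (k + challenge(R, A, msg) * x) % N

def verify(A, msg, sig):
    R, s = sig
    return ec_mul(s) == ec_add(R, ec_mul(challenge(R, A, msg), A))

def extract_key(A, msg1, sig1, msg2, sig2):
    """Two different votes under one nonce give x = (s1 - s2) / (e1 - e2) mod n."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2 or msg1 == msg2:
        return None  # not a double-sign, nothing leaks
    e1, e2 = challenge(R1, A, msg1), challenge(R2, A, msg2)
    if e1 == e2:
        return None
    return (s1 - s2) * pow((e1 - e2) % N, -1, N) % N

def script_num(n):
    """Minimal script-number encoding of a positive integer."""
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:
        out.append(0x00)  # extra byte so the top bit is not read as a sign
    return bytes(out)

def collateral_script(blocks, pubkey):
    """Serialize <blocks> OP_CHECKSEQUENCEVERIFY OP_DROP <A> OP_CHECKSIG."""
    if not 16 < blocks <= 0xFFFF:  # 1..16 would use OP_1..OP_16; BIP 68 value is 16 bits
        raise ValueError("block count outside the range handled here")
    num = script_num(blocks)
    return (bytes([len(num)]) + num + bytes([OP_CHECKSEQUENCEVERIFY, OP_DROP])
            + bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG]))

def signals_rbf(nsequence):
    """BIP 125: an input with nSequence below 0xfffffffe opts in to replacement."""
    return nsequence < 0xFFFFFFFE

def demo():
    A = ec_mul(X)
    vote_a = sign_once(X, K, b"slot 7: block aa")  # constructed votes
    vote_b = sign_once(X, K, b"slot 7: block bb")  # conflicting vote, same nonce
    leaked = extract_key(A, b"slot 7: block aa", vote_a, b"slot 7: block bb", vote_b)
    script = collateral_script(ONE_YEAR_BLOCKS, compress(A))
    # Any observer holding `leaked` can satisfy <A> OP_CHECKSIG once the lock expires.
    return leaked == X, script.hex(), signals_rbf(ONE_YEAR_BLOCKS)

if __name__ == "__main__":
    print(demo())
```

The spending input must carry an nSequence of at least the script's block count, which is why every claim on the collateral is replaceable and the fee bidding described above can take place.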




* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13  0:21 ` ZmnSCPxj
@ 2020-01-13  2:02   ` Robin Linus
  2020-01-13  2:33     ` ZmnSCPxj
  0 siblings, 1 reply; 22+ messages in thread
From: Robin Linus @ 2020-01-13  2:02 UTC
  To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion

Good morning ZmnSCPxj,

Thank you for your detailed feedback! Two topics:



## Lightning vs Sidechains
Why an either-or-solution, if we can connect sidechains via the LN to get the best of both worlds?

The LN works exceptionally great under the following conditions:
- you're always online
- you have BTC to manage your channels' inbound-capacity
- you can afford BTC transactions
	- in your channel is much more than the minimum on-chain TX fees

The next Billion users do not fit that category. They are on unreliable cell phone connections and do not have any BTC yet.
And the more popular Bitcoin becomes, the fewer people can afford LN channels. Even Eltoo requires your funds to be significantly higher than Bitcoin's TX fees, right?

Already today, more and more services like tippin.me, BlueWallet, etc, provide custodial solutions.
For small amounts, custody is an acceptable workaround. And I love their usability. Install it and immediately I can send you $0.01. Yet, scaling their approach globally does not lead to desirable outcomes, since we'd be back to trusting banks with their Excel sheets.

So let's make their internal ledgers public and trustless, via independent sidechains. Decentralized Blockchains do scale decently up to a couple Million UTXOs. So a couple thousand Sidechains is probably sufficient for a global medium of exchange. Cross-chain communication without requiring cross-chain validation is possible via atomic swaps and through Bitcoin's LN. That scales because it separates chain-validators from swap-validators.
Bitcoin's LN acts as the central settlement layer for efficient cross-chain transactions between all sidechains.

So Endusers "living" in sidechains instead of directly in the LN has many advantages:
- no bitcoin blockspace required for on-boarding new users
- no need to lock funds to provide inbound-capacity
- no need to stay online or pay watch towers
- no need to store channel histories
- account balances can be much smaller than BTC TX fees

Those are the exact same reasons why BlueWallet built their LndHub. But sidechains can be trustless. Also a generic protocol provides flexibility for sidechain innovations with arbitrary digital assets and consensus rules.




## Collateral Contract
Thanks for mentioning that! I like the simplicity of your variant! It's better than my workarounds. I'll add it to the paper. However, in the long term, the cleanest solution is to destroy the funds. Giving it to miners assumes Alice does not control much Hash power, which is harder to reason about.


Regards,
robin





* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13  2:02   ` Robin Linus
@ 2020-01-13  2:33     ` ZmnSCPxj
  2020-01-13 17:34       ` Joachim Strömbergson
  2020-01-16  1:21       ` Angel Leon
  0 siblings, 2 replies; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-13  2:33 UTC
  To: Robin Linus; +Cc: Bitcoin Protocol Discussion

Good morning Robin,


> Good morning ZmnSCPxj,
>
> Thank you for your detailed feedback! Two topics:
>
> Lightning vs Sidechains
> ------------------------
>
> Why an either-or-solution, if we can connect sidechains via the LN to get the best of both worlds?
>
> The LN works exceptionally great under the following conditions:
>
> -   you're always online
> -   you have BTC to manage your channels' inbound-capacity
> -   you can afford BTC transactions
>     -   in your channel is much more than the minimum on-chain TX fees
>
> The next Billion users do not fit that category. They are on unreliable cell phone connections and do not have any BTC yet.
> And the more popular Bitcoin becomes, the fewer people can afford LN channels. Even Eltoo requires your funds to be significantly higher than Bitcoin's TX fees, right?
>
> Already today, more and more services like tippin.me, BlueWallet, etc, provide custodial solutions.
> For small amounts, custody is an acceptable workaround. And I love their usability. Install it and immediately I can send you $0.01. Yet, scaling their approach globally does not lead to desirable outcomes, since we'd be back to trusting banks with their Excel sheets.
>
> So let's make their internal ledgers public and trustless, via independent sidechains. Decentralized Blockchains do scale decently up to a couple Million UTXOs. So a couple thousand Sidechains is probably sufficient for a global medium of exchange. Cross-chain communication without requiring cross-chain validation is possible via atomic swaps and through Bitcoin's LN. That scales because it separates chain-validators from swap-validators.
> Bitcoin's LN acts as the central settlement layer for efficient cross-chain transactions between all sidechains.
>
> So Endusers "living" in sidechains instead of directly in the LN has many advantages:
>
> -   no bitcoin blockspace required for on-boarding new users
> -   no need to lock funds to provide inbound-capacity
> -   no need to stay online or pay watch towers
> -   no need to store channel histories
> -   account balances can be much smaller than BTC TX fees
>
> Those are the exact same reasons why BlueWallet built their LndHub. But sidechains can be trustless. Also a generic protocol provides flexibility for sidechain innovations with arbitrary digital assets and consensus rules.


Which is why I brought up multiparticipant offchain updateable cryptocurrency systems.
The "channel factories" concept does what you are looking for, except with better trust-minimization than sidechains can achieve.
Just replace "sidechain" with either Decker-Wattenhofer or Decker-Russell-Osuntokun constructions.
You can even use the Somsen "statechain" mechanism, which rides a Decker-Wattenhofer/Decker-Russell-Osuntokun construction, though its trust-minimization is only very very slightly better than federated sidechains.

It is helpful to remember that Poon-Dryja, Decker-Wattenhofer, Decker-Russell-Osuntokun, and all other future such constructions, can host any contract that its lower layer can support.
So if you ride a Poon-Dryja on top of the Bitcoin blockchain, you can host HTLCs inside the Poon-Dryja, since the Bitcoin blockchain can host HTLCs.
Similarly, if you ride a Decker-Wattenhofer on top of the Bitcoin blockchain, you can host a Poon-Dryja inside the Decker-Wattenhofer, since the Bitcoin blockchain can host Poon-Dryja channels.
This central insight leads one to conclude that anything you can put onchain, you can generally also put offchain, so why use a chain at all except as an ultimate anchor to reality?
Poon-Dryja is strictly two-participant, while Decker-Wattenhofer limits the practical number of updates due to its use of decrementing relative timelocks: so you put the payment layer in a bunch of Poon-Dryja channels which support tons of updates each but only two participants per channel, and create a layer that supports changes to the channel topology (where changes to the channel connectivity are expected to be much rarer than payments) and is multiparticipant so you can *actually* scale.

Instead of using sidechains, just use channel factories.
You do not need to broadcast the entire internal ledgers of those services, only their customers need to know those internal ledgers, and sign off on the updates of those ledgers.

Regards,
ZmnSCPxj



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13  2:33     ` ZmnSCPxj
@ 2020-01-13 17:34       ` Joachim Strömbergson
  2020-01-13 22:05         ` Jeremy
  2020-01-16  1:21       ` Angel Leon
  1 sibling, 1 reply; 22+ messages in thread
From: Joachim Strömbergson @ 2020-01-13 17:34 UTC
  To: ZmnSCPxj, Bitcoin Protocol Discussion

> Instead of using sidechains, just use channel factories.

I am not familiar enough with the latest advancements in this field. Is it possible using LN/channel factories to achieve off-line-like participation user experience without previous registration with any kind of gateway provider? For example, can you go online, join the network [somehow instantly], generate address/invoice and then put it somewhere for others to later use it when you are off-line? Can you also participate while being off-line for very long periods of time without relying on third party providers to secure your channels? If not, is using sidechains really equally replaceable with LN/CF constructions?









* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-12 18:54 [bitcoin-dev] Coins: A trustless sidechain protocol Robin Linus
  2020-01-13  0:21 ` ZmnSCPxj
@ 2020-01-13 18:06 ` Joachim Strömbergson
  2020-01-13 19:47   ` Robin Linus
  1 sibling, 1 reply; 22+ messages in thread
From: Joachim Strömbergson @ 2020-01-13 18:06 UTC
  To: Robin Linus, Bitcoin Protocol Discussion

While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.

One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be an excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are not going to be considered as a Bitcoin sidechain, but you will be, from a certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.

Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period of time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume an honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use the honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.


* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13 18:06 ` Joachim Strömbergson
@ 2020-01-13 19:47   ` Robin Linus
  2020-01-13 20:49     ` Joachim Strömbergson
  0 siblings, 1 reply; 22+ messages in thread
From: Robin Linus @ 2020-01-13 19:47 UTC
  To: Joachim Strömbergson; +Cc: Bitcoin Protocol Discussion

Hi Joachim,

Thank you for your detailed feedback!

Regarding Reason #1:
This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain.
Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchange rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.

Regarding Reason #2:
In the "Limitations" section I discuss the cost of halting the chain:

Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.

Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.

Thanks again,
- Robin


* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13 19:47   ` Robin Linus
@ 2020-01-13 20:49     ` Joachim Strömbergson
  2020-01-13 22:22       ` Robin Linus
  0 siblings, 1 reply; 22+ messages in thread
From: Joachim Strömbergson @ 2020-01-13 20:49 UTC
  To: Robin Linus; +Cc: Bitcoin Protocol Discussion

Hi Robin,

inline...
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 7:47 PM, Robin Linus <robinlinus@protonmail•com> wrote:

> Hi Joachim,
>
> Thank you for your detailed feedback!
>
> Regarding Reason #1:
> This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain.
> Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchange rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.

I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.

I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.

> Regarding Reason #2:
> In the "Limitations" section I discuss the cost of halting the chain:
>
> Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.
>
> Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.

Comparison to other models is not relevant to my claim that such construction is insecure for small sidechains. And for big sidechains the reason #1 prefers any other altcoin. Even if you introduce proof of burn, the final attack cost is small for an attacker in absolute numbers, despite the fact that in the relative numbers the cost is huge.

> Thanks again,
> - Robin
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, January 13, 2020 7:06 PM, Joachim Strömbergson <joachimstr@protonmail•com> wrote:
>
>> While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.
>>
>> One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are going not to be considered as a Bitcoin sidechain, but you will be, from certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.
>>
>> Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period of time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.
>>
>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Sunday, January 12, 2020 6:54 PM, Robin Linus via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> Hi all,
>>>
>>> I've been working on a sidechain protocol with no trusted third party. You can find the [whitepaper here](http://coins.github.io/coins.pdf).
>>>
>>> Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake.  Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.
>>>
>>> Feedback is highly appreciated!
>>>
>>> Thank you
>>>
>>> - Robin
>>>
>>> PS: [Here on Github you can find further research on scalability and usability](https://github.com/coins/coins.github.io).

[-- Attachment #2: Type: text/html, Size: 12997 bytes --]


* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13 17:34       ` Joachim Strömbergson
@ 2020-01-13 22:05         ` Jeremy
  0 siblings, 0 replies; 22+ messages in thread
From: Jeremy @ 2020-01-13 22:05 UTC (permalink / raw)
  To: Joachim Strömbergson, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 1052 bytes --]

https://utxos.org/uses/

Yes, you should check out the material at the link above. Specifically non
interactive channels solve this problem of one sided opens, where the other
party is passive/offline.


On Mon, Jan 13, 2020, 12:42 PM Joachim Strömbergson via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> > Instead of using sidechains, just use channel factories.
>
> I am not familiar enough with the latest advancements in this field. Is it
> possible using LN/channel factories to achieve off-line-like participation
> user experience without previous registration with any kind of gateway
> provider? For example, can you go online, join the network [somehow
> instantly], generate address/invoice and then put it somewhere for others
> to later use it when you are off-line? Can you also participate while being
> off-line for very long periods of time without relying on third party
> providers to secure your channels? If not, is using sidechains really
> equally replaceable with LN/CF constructions?
>

[-- Attachment #2: Type: text/html, Size: 1403 bytes --]


* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13 20:49     ` Joachim Strömbergson
@ 2020-01-13 22:22       ` Robin Linus
  2020-01-14  0:53         ` ZmnSCPxj
  2020-01-14 15:06         ` Joachim Strömbergson
  0 siblings, 2 replies; 22+ messages in thread
From: Robin Linus @ 2020-01-13 22:22 UTC (permalink / raw)
  To: Joachim Strömbergson; +Cc: Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 9697 bytes --]

Hi Joachim,

>> Regarding Reason #1:
>> This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain.
>> Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchange rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.
>
> I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.
>
> I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.

Let me try to explain where I am coming from: Whenever I want to onboard a not-so-techy friend to Bitcoin by sending him $5 worth of BTC, I don't have many good options. Usually we end up using BlueWallet. It works great. Though it only works so well because it is fully custodial. That is how they solve all the tough LN problems like inbound-capacity of new users, watchtowers and channel backends. Their service is just an Excel table connected to the LN. Unfortunately, that is the best UX we can currently offer to endusers. To me that's unsatisfying. Is that how we want to enter the emerging markets and on-board the next Billion users? I like that BlueWallet gives me the option to run my own LndHub for my friends. Still, does that scale globally? More importantly, do we want that?

Now let's think about the altcoins argument. We want to serve a billion users. Blockchains do scale well to about a couple Million UTXOs, so we require a network of a couple thousand altcoins to serve our users.
We know how to build a nice LN for all of our altcoins with a star-shaped topology around Bitcoin as the central settlement layer. Atomic swaps FTW. We can abstract away their native currencies. We display to our users only BTC, hide the exchange rates in the TX fees and we're done. That is actually a scalability solution. So why don't we do that?
The problem here is, that in the long term, the market of PoW blockchains should be a winner-takes-all market, right? So all PoW chains but Bitcoin will eventually die because they're wasting lots of value on their energy. So actually we don't want a couple thousand altcoins wasting resources on pointlessly weak PoW chains. We want a single PoW chain which is as strong as possible.

That's why I'd argue it makes sense to consider a bitcoin-backed PoS and build a LN of thousands of nameless altcoins.

Regarding sidechain security: Burning BTC is almost equivalent to burning energy. You might argue that people won't burn BTC, but it is hard to argue against the strong theoretical security properties of proof-of-burn.

Furthermore, even without burning BTC, using only proof-of-stake I can guarantee doublespending is impossible. There is a very low incentive to risk your BTC's time value. You can only halt a sidechain. And you can halt the sidechain only for as long as you maintain the staking majority. Once you start an attack, you increase the incentive for others to increase their stake. Staking happens in bitcoin's blockchain, which you can't halt. Once the rational stakers regain 51% you've lost a year of time value of your BTC. Note that you can easily enforce stakers having to stake per chain. This guarantees attackers can use their BTC only to attack one chain per year.
Thus, the security of such a bitcoin-based PoS is stronger than one might suspect.

Thanks again,
- Robin

>> Regarding Reason #2:
>> In the "Limitations" section I discuss the cost of halting the chain:
>>
>> Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.
>>
>> Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.
>
> Comparison to other models is not relevant to my claim that such construction is insecure for small sidechains. And for big sidechains the reason #1 prefers any other altcoin. Even if you introduce proof of burn, the final attack cost is small for an attacker in absolute numbers, despite the fact that in the relative numbers the cost is huge.
>
>> Thanks again,
>> - Robin
>>
>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Monday, January 13, 2020 7:06 PM, Joachim Strömbergson <joachimstr@protonmail•com> wrote:
>>
>>> While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.
>>>
>>> One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are going not to be considered as a Bitcoin sidechain, but you will be, from certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.
>>>
>>> Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period of time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.
>>>
>>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Sunday, January 12, 2020 6:54 PM, Robin Linus via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've been working on a sidechain protocol with no trusted third party. You can find the [whitepaper here](http://coins.github.io/coins.pdf).
>>>>
>>>> Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake.  Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.
>>>>
>>>> Feedback is highly appreciated!
>>>>
>>>> Thank you
>>>>
>>>> - Robin
>>>>
>>>> PS: [Here on Github you can find further research on scalability and usability](https://github.com/coins/coins.github.io).

[-- Attachment #2: Type: text/html, Size: 15901 bytes --]


* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13 22:22       ` Robin Linus
@ 2020-01-14  0:53         ` ZmnSCPxj
  2020-01-14  2:19           ` Robin Linus
  2020-01-14 15:06         ` Joachim Strömbergson
  1 sibling, 1 reply; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-14  0:53 UTC (permalink / raw)
  To: Robin Linus, Bitcoin Protocol Discussion

Good morning Robin,

> Hi Joachim,
>
> > > Regarding Reason #1:
> > > This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain. 
> > > Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchange rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.
> >
> > I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.
> >
> > I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.
>
> Let me try to explain where I am coming from: Whenever I want to onboard a not-so-techy friend to Bitcoin by sending him $5 worth of BTC, I don't have many good options. Usually we end up using BlueWallet. It works great. Though it only works so well because it is fully custodial. That is how they solve all the tough LN problems like inbound-capacity of new users, watchtowers and channel backends. Their service is just an Excel table connected to the LN. Unfortunately, that is the best UX we can currently offer to endusers. To me that's unsatisfying. Is that how we want to enter the emerging markets and on-board the next Billion users? I like that BlueWallet gives me the option to run my own LndHub for my friends. Still, does that scale globally? More importantly, do we want that?
>
> Now let's think about the altcoins argument. We want to serve a billion users. Blockchains do scale well to about a couple Million UTXOs, so we require a network of a couple thousand altcoins to serve our users.
> We know how to build a nice LN for all of our altcoins with a star-shaped topology around Bitcoin as the central settlement layer. Atomic swaps FTW. We can abstract away their native currencies. We display to our users only BTC, hide the exchange rates in the TX fees and we're done. That is actually a scalability solution. So why don't we do that?

Because Lightning remains a superior *scalability* solution to microchains.

(The below is a Fermi estimate; it is intended to give an intuition on the rough orders of magnitude that we are discussing, not strict predictions of how the world works)

Let us suppose that N users would produce N * t bytes of transactions.

Under Lightning, that data is sent to a tiny subset of the entire LN.
As Lightning limits routes to at most 20 hops, let us take the worst case and say that under Lightning, those users will force 20 * N * t bytes to be processed globally.

If all users were to use a *single* blockchain, because all users must process all transactions within the blockchain, that will mean everyone has to process N * N * t bytes.

Now the microchain concept is that, we can split the N in half, so instead of a single N * N * t bytes being processed, we get two (N / 2) * (N / 2) * t, or more generally, if there are c chains: c * ((N / c) ^ 2) * t or N * N * t / c.

So for microchains to beat Lightning, you would have to make N * N * t / c < 20 * N * t, or equivalently N / c < 20, i.e. 20 users per sidechain.

If you have as low as 20 users per sidechain, you might as well just use channel factories to host Lightning channels, so channel factories + channels (i.e. Lightning Network) is probably better than having tiny sidechains with 20 users each.

Again the above is a very rough Fermi estimate, but it gives you a hint on the orders of magnitude you should consider, i.e. about a few dozen users per sidechain, and a few dozen users in a sidechain is probably not a lot to give security to that sidechain, whereas with Lightning channel factories you can drop onchain any time to upgrade your security to the full mining hashpower (and we hope that the threat of being able to do so is enough to discourage attempts at theft).

What Lightning cannot do is add certain kinds of features other than scalability, for example Turing-complete disasters (RSK) or confidential assets (LBTC).
Sidechains are for features, not scale, so your proposed sidechain concept remains of interest at least as a possible way to anchor sidechains with new features.

Regards,
ZmnSCPxj
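
[Added example, not part of the original message and not code from anyone in the thread.] The Fermi estimate above, written out so it can be run for any N and c; it also goes one step beyond the message by allowing unequal chain sizes, where the load becomes t * sum(n_i^2). The function names are hypothetical, and 2,000 chains is one constructed reading of "a couple thousand altcoins".

```python
# Added illustration of the Fermi estimate in the message above.
# Not code from the thread; all function names are hypothetical.
# N users each produce t bytes of transactions.

MAX_HOPS = 20  # worst-case Lightning route length used in the estimate


def lightning_load(n_users: int, t: int) -> int:
    """Worst case: each user's t bytes are processed by MAX_HOPS nodes."""
    return MAX_HOPS * n_users * t


def chains_load(chain_sizes, t: int) -> int:
    """Global bytes processed when users are partitioned into blockchains.

    A chain with n users carries n*t bytes and each of its n users processes
    all of them, so it costs n*n*t. One chain holding all N users gives the
    single-blockchain figure N*N*t.
    """
    return sum(n * n * t for n in chain_sizes)


def even_split_load(n_users: int, n_chains: int, t: int) -> int:
    """chains_load() for the most even integer split, without building a list.

    For a fixed number of chains the even split minimises sum(n_i**2), so this
    is the best case for microchains. It equals N*N*t/c when c divides N.
    """
    base, extra = divmod(n_users, n_chains)
    return t * (extra * (base + 1) ** 2 + (n_chains - extra) * base ** 2)


def min_chains_to_beat_lightning(n_users: int) -> int:
    """Smallest c whose even split is strictly cheaper than Lightning.

    even_split_load() never increases as c grows, so binary search applies.
    t cancels out of the comparison, so t = 1 is used.
    """
    target = lightning_load(n_users, 1)
    lo, hi = 1, n_users  # c = N means one user per chain: load N < 20 * N
    while lo < hi:
        mid = (lo + hi) // 2
        if even_split_load(n_users, mid, 1) < target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    N = 10 ** 9   # "a billion users"
    T = 1         # bytes per user; only ratios matter here

    ln = lightning_load(N, T)
    print("Lightning (20 hops):       ", ln)
    print("single chain:              ", chains_load([N], T))

    c = 2000      # constructed reading of "a couple thousand altcoins"
    micro = even_split_load(N, c, T)
    print("2000 even chains:          ", micro, f"({micro // ln}x Lightning)")

    need = min_chains_to_beat_lightning(N)
    print("chains needed to beat LN:  ", need, f"(~{N / need:.2f} users each)")

    # Unequal sizes are strictly worse than the even split for the same c:
    # 1000 users on 50 chains, one popular chain of 510 and 49 chains of 10.
    print("even 50 x 20 users:        ", even_split_load(1000, 50, T))
    print("skewed 510 + 49 x 10 users:", chains_load([510] + [10] * 49, T))
```

Because the even split is the cheapest partition for a given chain count, the "fewer than 20 users per sidechain" threshold is a best case for microchains; any concentration of users on popular chains moves the break-even further away.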



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-14  0:53         ` ZmnSCPxj
@ 2020-01-14  2:19           ` Robin Linus
  2020-01-14  2:59             ` ZmnSCPxj
  0 siblings, 1 reply; 22+ messages in thread
From: Robin Linus @ 2020-01-14  2:19 UTC (permalink / raw)
  To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion

> because all users must process all transactions within the blockchain

Reality shows, that's wrong. Bitcoin's security doesn't require verification to scale quadratically with users. Since the whitepaper, Satoshi was explicit about that phenomenon. We can discuss nuances, yet it's overall plausible and empirically it's true: Only a tiny minority of users ever verifies the blockchain, still bitcoin works perfectly well. An honest economic majority is sufficient.

Yes, if you can, run your own node. Let's lower the barriers and let's help others to run their own nodes. Let's keep the blocks small and bitcoin's UTXO set verifiable with consumer hardware. That's the core of decentralized security.

But let's face it: most people on this planet will never run a bitcoin full node. And it is not required.

Bitcoin-backed PoS-sidechains scale in terms of verification and storage just like any other blockchain. However, security is strictly better because double-spends are impossible.  A single honest validating user guarantees that attackers cannot do more harm than halting a sidechain. Thus, endusers won't have to validate all of each others' transactions at all.

For most endusers such sidechains' security is strictly superior to today's LN experience.

Let's face it: The most popular LN apps are fully custodial.
They have to be custodial because there is no way to make LN usable for regular users on unreliable phones.

Any payment channel which requires you to be always online excludes 99% of the world's population.
Any payment channel which potentially requires you to be able to pay high on-chain fees excludes most people, too. And on-chain fees keep rising.

Thus, no matter what Channel Factory constructions we build, they will not match most people's requirements. We will keep falling back to custodial solutions.
Excel tables connected to the LN. The LN is awesome as a settlement layer. In particular for anything like bitcoin banks that have been discussed since the beginning.
But why 1000 trusted Excel tables if we can have 1000 trustless sidechains?



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-14  2:19           ` Robin Linus
@ 2020-01-14  2:59             ` ZmnSCPxj
  2020-01-14  4:12               ` Robin Linus
  0 siblings, 1 reply; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-14  2:59 UTC (permalink / raw)
  To: Robin Linus; +Cc: Bitcoin Protocol Discussion

Good morning Robin,


> > because all users must process all transactions within the blockchain
>
> Reality shows, that's wrong. Bitcoin's security doesn't require verification to scale quadratically with users. Since the whitepaper, Satoshi was explicit about that phenomenon. We can discuss nuances, yet it's overall plausible and empirically it's true: Only a tiny minority of users ever verifies the blockchain, still bitcoin works perfectly well. An honest economic majority is sufficient.
>
> Yes, if you can, run your own node. Let's lower the barriers and let's help others to run their own nodes. Let's keep the blocks small and bitcoin's UTXO set verifiable with consumer hardware. That's the core of decentralized security.
>
> But let's face it: most people on this planet will never run a bitcoin full node. And it is not required.
>
> Bitcoin-backed PoS-sidechains scale in terms of verification and storage just like any other blockchain. However, security is strictly better because double-spends are impossible. A single honest validating user guarantees that attackers cannot do more harm than halting a sidechain. Thus, endusers won't have to validate all of each others' transactions at all.
>
> For most endusers such sidechains' security is strictly superior to today's LN experience.
>
> Let's face it: The most popular LN apps are fully custodial.
> They have to be custodial because there is no way to make LN usable for regular users on unreliable phones.
>
> Any payment channel which requires you to be always online excludes 99% of the world's population.
> Any payment channel which potentially requires you to be able to pay high on-chain fees excludes most people, too. And on-chain fees keep rising.
>
> Thus, no matter what Channel Factory constructions we build, they will not match most people's requirements. We will keep falling back to custodial solutions.
> Excel tables connected to the LN. The LN is awesome as a settlement layer. In particular for anything like bitcoin banks that have been discussed since the beginning.
> But why 1000 trusted Excel tables if we can have 1000 trustless sidechains?

First:

>  A single honest validating user guarantees that attackers cannot do more harm than halting a sidechain.

Is not compatible with:

> 1000 trustless sidechains

You are *tr\*sting* that there exists at least ***one*** ***honest*** user per sidechain.
Thus it is not a trustless solution, but a tr\*sted one.
Replacing 1000 tr\*sted Excel tables with 1000 tr\*sted blockchains is the same class of error as replacing the banking system with centralized large-scale blockchains: you gain the drawbacks of blockchains without gaining its benefits.

The security, integrity, and censorship-resistance of Bitcoin is dependent on there existing some sophisticated actors ("persons") who are willing to take on the risk of running fullnodes and providing hashpower.
This is the Risk-Sharing principle, by which the risk of keeping Bitcoin running is spread out among many persons who are willing to keep Bitcoin alive.
The existence of such actors cannot be assured, but it seems to me that fragmenting the entire community of such limited number of actors would not give good risk-sharing within a sidechain.

Regards,
ZmnSCPxj



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-14  2:59             ` ZmnSCPxj
@ 2020-01-14  4:12               ` Robin Linus
  0 siblings, 0 replies; 22+ messages in thread
From: Robin Linus @ 2020-01-14  4:12 UTC (permalink / raw)
  To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion

Good morning ZmnSCPxj,

> > > because all users must process all transactions within the blockchain
> >
> > Reality shows, that's wrong. Bitcoin's security doesn't require verification to scale quadratically with users. Since the whitepaper, Satoshi was explicit about that phenomenon. We can discuss nuances, yet it's overall plausible and empirically it's true: Only a tiny minority of users ever verifies the blockchain, still bitcoin works perfectly well. An honest economic majority is sufficient.
> > Yes, if you can, run your own node. Let's lower the barriers and let's help others to run their own nodes. Let's keep the blocks small and bitcoin's UTXO set verifiable with consumer hardware. That's the core of decentralized security.
> > But let's face it: most people on this planet will never run a bitcoin full node. And it is not required.
> > Bitcoin-backed PoS-sidechains scale in terms of verification and storage just like any other blockchain. However, security is strictly better because double-spends are impossible. A single honest validating user guarantees that attackers cannot do more harm than halting a sidechain. Thus, endusers won't have to validate all of each others' transactions at all.
> > For most endusers such sidechains' security is strictly superior to today's LN experience.
> > Let's face it: The most popular LN apps are fully custodial.
> > They have to be custodial because there is no way to make LN usable for regular users on unreliable phones.
> > Any payment channel which requires you to be always online excludes 99% of the world's population.
> > Any payment channel which potentially requires you to be able to pay high on-chain fees excludes most people, too. And on-chain fees keep rising.
> > Thus, no matter what Channel Factory constructions we build, they will not match most people's requirements. We will keep falling back to custodial solutions.
> > Excel tables connected to the LN. The LN is awesome as a settlement layer. In particular for anything like bitcoin banks that have been discussed since the beginning.
> > But why 1000 trusted Excel tables if we can have 1000 trustless sidechains?
>
> First:
>
> > A single honest validating user guarantees that attackers cannot do more harm than halting a sidechain.
>
> Is not compatible with:
>
> > 1000 trustless sidechains
>
> You are tr\*sting that there exists at least one honest user per sidechain.
> Thus it is not a trustless solution, but a tr\*sted one.
> Replacing 1000 tr\*sted Excel tables with 1000 tr\*sted blockchains is the same class of error as replacing the banking system with centralized large-scale blockchains: you gain the drawbacks of blockchains without gaining its benefits.

Agreed. Still, let's discuss a solution that meets the requirements of billions of average users with unreliable mobile devices.

Endusers' payment experience should be insanely simple.

The LN currently offers regular users mostly custodial services. Is there a foreseeable roadmap to meet endusers' simplicity requirements with non-custodial constructions?

Bitcoin-backed PoS sidechains are strictly superior to custodial hubs. They provide all hub features such as being able to pay merchants in BTC, plus many clear advantages such as better security including public auditability and decentralized data storage. And they do not require any consensus changes.


> The security, integrity, and censorship-resistance of Bitcoin is dependent on there existing some sophisticated actors ("persons") who are willing to take on the risk of running fullnodes and providing hashpower.
> This is the Risk-Sharing principle, by which the risk of keeping Bitcoin running is spread out among many persons who are willing to keep Bitcoin alive.
> The existence of such actors cannot be assured, but it seems to me that fragmenting the entire community of such limited number of actors would not give good risk-sharing within a sidechain.

Indeed, a highly fragmented market would be inefficient and insecure. However, I'd assume a free market of sidechains is intelligent enough to use its resources efficiently.


Thanks again for your detailed feedback,
-Robin



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13 22:22       ` Robin Linus
  2020-01-14  0:53         ` ZmnSCPxj
@ 2020-01-14 15:06         ` Joachim Strömbergson
  2020-01-14 15:26           ` ZmnSCPxj
  2020-01-17  4:17           ` Robin Linus
  1 sibling, 2 replies; 22+ messages in thread
From: Joachim Strömbergson @ 2020-01-14 15:06 UTC (permalink / raw)
  To: Robin Linus; +Cc: Bitcoin Protocol Discussion


Hi Robin.

While your motivation seems reasonable, your solution is not. It is not enough that a problem exists. Although the solution must be technically sound for the proposal to be interesting. So I agree it makes sense to consider Bitcoin sidechains, not sure if with PoS consensus or other, but no one yet proposed a viable solution, other than Federation based sidechains. Your proposal explored a single specific PoS sidechain, which to me does not sound interesting. Maybe you can improve it, maybe not.

I also disagree that it is okay if anyone can halt operation of a sidechain with just tiny investment. For me that is critical security flaw of your proposal. By enforcing stakers having to stake per chain you have actually lowered the cost for the attacker to attack each specific chain.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 10:22 PM, Robin Linus <robinlinus@protonmail•com> wrote:

> Hi Joachim,
>
>>> Regarding Reason #1:
>>> This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain.
>>> Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchanges rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.
>>
>> I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.
>>
>> I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.
>
> Let me try to explain where I am coming from: Whenever I want to onboard a not-so-techy friend to Bitcoin by sending him $5 worth of BTC, I don't have many good options. Usually we end up using BlueWallet. It works great. Though it only works so well because it is fully custodial. That is how they solve all the tough LN problems like inbound-capacity of new users, watchtowers and channel backends. Their service is just an Excel table connected to the LN. Unfortunately, that is the best UX we can currently offer to endusers. To me that's unsatisfying. Is that how we want to enter the emerging markets and on-board the next Billion users? I like that BlueWallet gives me the option to run my own LndHub for my friends. Still, does that scale globally? More importantly, do we want that?
>
> Now let's think about the altcoins argument. We want to serve a billion users. Blockchains do scale well to about a couple Million UTXOs, so we require a network of a couple thousand altcoins to serve our users.
> We know how to build a nice LN for all of our altcoins with a star-shaped topology around Bitcoin as the central settlement layer. Atomic swaps FTW. We can abstract away their native currencies. We display to our users only BTC, hide the exchange rates in the TX fees and we're done. That is actually a scalability solution. So why don't we do that?
> The problem here is that in the long term, the market of PoW blockchains should be a winner-takes-all market, right? So all PoW chains but Bitcoin will eventually die because they're wasting lots of value on their energy. So actually we don't want a couple thousand altcoins wasting resources on pointlessly weak PoW chains. We want a single PoW chain which is as strong as possible.
>
> That's why I'd argue it makes sense to consider a bitcoin-backed PoS and build a LN of thousands of nameless altcoins.
>
> Regarding sidechain security: Burning BTC is almost equivalent to burning energy. You might argue that people won't burn BTC, but it is hard to argue against the strong theoretical security properties of proof-of-burn.
>
> Furthermore, even without burning BTC, using only proof-of-stake I can guarantee doublespending is impossible. There is a very low incentive to risk your BTC's time value. You can only halt a sidechain. And you can halt the sidechain only for as long as you maintain the staking majority. Once you start an attack, you increase the incentive for others to increase their stake. Staking happens in bitcoin's blockchain, which you can't halt. Once the rational stakers regain 51% you've lost a year of time value of your BTC. Note that you can easily enforce stakers having to stake per chain. This guarantees attackers can use their BTC only to attack one chain per year.
> Thus, the security of such a bitcoin-based PoS is stronger than one might suspect.
>
> Thanks again,
> - Robin
>
>>> Regarding Reason #2:
>>> In the "Limitations" section I discuss the cost of halting the chain:
>>>
>>> Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.
>>>
>>> Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.
>>
>> Comparison to other models is not relevant to my claim that such construction is insecure for small sidechains. And for big sidechains the reason #1 prefers any other altcoin. Even if you introduce proof of burn, the final attack cost is small for an attacker in absolute numbers, despite the fact that in the relative numbers the cost is huge.
>>
>>> Thanks again,
>>> - Robin
>>>
>>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Monday, January 13, 2020 7:06 PM, Joachim Strömbergson <joachimstr@protonmail•com> wrote:
>>>
>>>> While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.
>>>>
>>>> One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are going not to be considered as a Bitcoin sidechain, but you will be, from certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.
>>>>
>>>> Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.
>>>>
>>>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>>>
>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> On Sunday, January 12, 2020 6:54 PM, Robin Linus via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I've been working on a sidechain protocol with no trusted third party. You can find the [whitepaper here](http://coins.github.io/coins.pdf).
>>>>>
>>>>> Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake.  Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.
>>>>>
>>>>> Feedback is highly appreciated!
>>>>>
>>>>> Thank you
>>>>>
>>>>> - Robin
>>>>>
>>>>> PS: [Here on Github you can find further research on scalability and usability](https://github.com/coins/coins.github.io).



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-14 15:06         ` Joachim Strömbergson
@ 2020-01-14 15:26           ` ZmnSCPxj
  2020-01-15  1:43             ` Robin Linus
  2020-01-17  4:17           ` Robin Linus
  1 sibling, 1 reply; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-14 15:26 UTC (permalink / raw)
  To: Joachim Strömbergson, Bitcoin Protocol Discussion

As well I would like to point out that in order to receive funds, *something* has to be online to get the message that receives the data.
In the blockchain layer this is diffused among all fullnodes.

At the Lightning layer, your direct peer could hold off on failing an incoming payment while you are offline.
Instead, it could simply stall until the outgoing HTLC would reach its timelock anyway.
Then you can come online and then the peer can send the HTLC to you and you can claim it.
This remains noncustodial as the direct peer cannot steal the funds from you.
I believe there was some discussion regarding this on lightning-dev in the past few months.
However, it does require that the peer know that *you* are the final recipient (if not, it would be unable to fail the HTLC as quickly as possible), thus a privacy leak.

In any case *some* node has to be online in order for anyone to receive funds, whether onchain or not: it is simply that a widespread blockchain is very very likely to have some online node capable of storing the payment until you can come online to process it.
What you propose splits up the fullnodes into many tiny sidechains, such that a sidechain may get stalled and you would be unable to receive a payment anyway while you are offline, because there are far fewer nodes per sidechain in order for such mass sidechains to start beating the raw scaling Lightning brings.

Regards,
ZmnSCPxj

> Hi Robin.
>
> While your motivation seems reasonable, your solution is not. It is not enough that a problem exists. Although the solution must be technically sound for the proposal to be interesting. So I agree it makes sense to consider Bitcoin sidechains, not sure if with PoS consensus or other, but no one yet proposed a viable solution, other than Federation based sidechains. Your proposal explored a single specific PoS sidechain, which to me does not sound interesting. Maybe you can improve it, maybe not.
>
> I also disagree that it is okay if anyone can halt operation of a sidechain with just tiny investment. For me that is critical security flaw of your proposal. By enforcing stakers having to stake per chain you have actually lowered the cost for the attacker to attack each specific chain.
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, January 13, 2020 10:22 PM, Robin Linus <robinlinus@protonmail•com> wrote:
>
> > Hi Joachim,
> >
> > > > Regarding Reason #1:
> > > > This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain. 
> > > > Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchanges rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC. 
> > >
> > > I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.
> > >
> > > I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.
> >
> > Let me try to explain where I am coming from: Whenever I want to onboard a not-so-techy friend to Bitcoin by sending him $5 worth of BTC, I don't have many good options. Usually we end up using BlueWallet. It works great. Though it only works so well because it is fully custodial. That is how they solve all the tough LN problems like inbound-capacity of new users, watchtowers and channel backends. Their service is just an Excel table connected to the LN. Unfortunately, that is the best UX we can currently offer to endusers. To me that's unsatisfying. Is that how we want to enter the emerging markets and on-board the next Billion users? I like that BlueWallet gives me the option to run my own LndHub for my friends. Still, does that scale globally? More importantly, do we want that?
> >
> > Now let's think about the altcoins argument. We want to serve a billion users. Blockchains do scale well to about a couple Million UTXOs, so we require a network of a couple thousand altcoins to serve our users.
> > We know how to build a nice LN for all of our altcoins with a star-shaped topology around Bitcoin as the central settlement layer. Atomic swaps FTW. We can abstract away their native currencies. We display to our users only BTC, hide the exchange rates in the TX fees and we're done. That is actually a scalability solution. So why don't we do that?
> > The problem here is that in the long term, the market of PoW blockchains should be a winner-takes-all market, right? So all PoW chains but Bitcoin will eventually die because they're wasting lots of value on their energy. So actually we don't want a couple thousand altcoins wasting resources on pointlessly weak PoW chains. We want a single PoW chain which is as strong as possible.
> >
> > That's why I'd argue it makes sense to consider a bitcoin-backed PoS and build a LN of thousands of nameless altcoins.
> >
> > Regarding sidechain security: Burning BTC is almost equivalent to burning energy. You might argue that people won't burn BTC, but it is hard to argue against the strong theoretical security properties of proof-of-burn.
> >
> > Furthermore, even without burning BTC, using only proof-of-stake I can guarantee doublespending is impossible. There is a very low incentive to risk your BTC's time value. You can only halt a sidechain. And you can halt the sidechain only for as long as you maintain the staking majority. Once you start an attack, you increase the incentive for others to increase their stake. Staking happens in bitcoin's blockchain, which you can't halt. Once the rational stakers regain 51% you've lost a year of time value of your BTC. Note that you can easily enforce stakers having to stake per chain. This guarantees attackers can use their BTC only to attack one chain per year. 
> > Thus, the security of such a bitcoin-based PoS is stronger than one might suspect.
> >
> > Thanks again,
> > - Robin
> >
> > > > Regarding Reason #2:
> > > > In the "Limitations" section I discuss the cost of halting the chain:
> > > >
> > > > Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.
> > > >
> > > > Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.
> > >
> > > Comparison to other models is not relevant to my claim that such construction is insecure for small sidechains. And for big sidechains the reason #1 prefers any other altcoin. Even if you introduce proof of burn, the final attack cost is small for an attacker in absolute numbers, despite the fact that in the relative numbers the cost is huge.
> > >
> > > > Thanks again, 
> > > > - Robin
> > > >
> > > > Sent with ProtonMail Secure Email.
> > > >
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Monday, January 13, 2020 7:06 PM, Joachim Strömbergson <joachimstr@protonmail•com> wrote:
> > > >
> > > > > While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.
> > > > >
> > > > > One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are going not to be considered as a Bitcoin sidechain, but you will be, from certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.
> > > > >
> > > > > Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.
> > > > >
> > > > > Sent with ProtonMail Secure Email.
> > > > >
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Sunday, January 12, 2020 6:54 PM, Robin Linus via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > > I've been working on a sidechain protocol with no trusted third party. You can find the whitepaper here.
> > > > > >
> > > > > > > Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake.  Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.
> > > > > >
> > > > > > Feedback is highly appreciated!
> > > > > >
> > > > > > Thank you
> > > > > >
> > > > > > - Robin
> > > > > >
> > > > > > > PS: Here on Github you can find further research on scalability and usability.





* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-14 15:26           ` ZmnSCPxj
@ 2020-01-15  1:43             ` Robin Linus
  2020-01-15  5:46               ` ZmnSCPxj
  0 siblings, 1 reply; 22+ messages in thread
From: Robin Linus @ 2020-01-15  1:43 UTC (permalink / raw)
  To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion

Good morning everybody!

Thanks again for your detailed feedback.

Maybe you're right and my solution is just crap :) So back to the drafting table!

It seems to be a good idea to separate problem definition and solution. Here I tried to nail down LN's usability issue:
https://github.com/coins/coins.github.io/blob/master/notes/lightning-network.md
Would be great to hear your thoughts on that. Do we generally agree that Bitcoin has to work well on mobiles? Where do your opinions differ?

If you are open to sidechains in general, we are discussing mostly consensus mechanisms.
The consensus mechanism of custodial LN services is some trusted server somewhere, with a single hot key and no public auditability.
That's state of the art LN experience on mobile. And it's worse than fiat banks.

Yes, Liquid's trusted federation is much better than such custodial services. Still, how does it scale globally? Lots of trusted federations?
Probably, we all favor a more trust-minimized sidechain consensus mechanism.

Most likely, it is impossible to produce decentralized consensus without consuming an external resource.
Furthermore, decentralized consensus requires an honest majority. Thus, fragmenting the consumption of the available resources over multiple chains weakens every chain proportionally. Therefore, whatever consensus mechanism we choose, the number of sidechains should be as small as possible. By implication, sidechains have to be as large as possible.

The market simply has no capacity to secure thousands of chains, if they don't have millions of users each.
Consensus resource consumption is a winner takes all market, until a sidechain becomes so full, that a further chain becomes profitable. Secure and profitable sidechains require strong network effects. Otherwise, there's a downwards spiral of no users which leads to no stakers and vice versa. Needless sidechains die off quickly.


Regarding proof-of-burn: In theory, you could build a pure proof-of-burn sidechain which is literally as secure as Bitcoin's consensus. If you burn about 12.5 BTC for every sidechain block, then the sidechain is exactly as costly to produce as Bitcoin's blockchain. So regardless of the practicality, the theoretical security argument of PoB is very sound, or am I missing something?

If it is, then can't we build some PoS / PoB construction to secure sidechains?


Regarding 2-way peg and "a new asset for every chain is bad". Let's look at my real world bank account. There are no real dollars in it. No legal tender.
It's just my bank's derivative of the Dollar, representing their promise to give me my Dollars whenever I want.
Note that my bank's altcoin is not pegged 1:1 to the legal tender issued by the central bank. In the background they're balancing their books.
All that is hidden from me as a customer. They know, I just want to facilitate payments in USD. As a customer I do not care about their underlying financial instruments. That's why I'd assume, that sidechain assets can be used as an instrument of BTC value transfer, without a 1:1-peg to BTC.
The only thing that really matters, is liquidity for atomic swaps to pay LN invoices denominated in BTC. That again, is a matter of network effects of a sidechain.


Thanks again,
-Robin







Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 14, 2020 4:26 PM, ZmnSCPxj <ZmnSCPxj@protonmail•com> wrote:

> As well I would like to point out that in order to receive funds, something has to be online to get the message that receives the data.
> In the blockchain layer this is diffused among all fullnodes.
>
> At the Lightning layer, your direct peer could hold off on failing an incoming payment while you are offline.
> Instead, it could simply stall until the outgoing HTLC would reach its timelock anyway.
> Then you can come online and then the peer can send the HTLC to you and you can claim it.
> This remains noncustodial as the direct peer cannot steal the funds from you.
> I believe there was some discussion regarding this on lightning-dev in the past few months.
> However, it does require that the peer know that you are the final recipient (if not, it would be unable to fail the HTLC as quickly as possible), thus a privacy leak.
>
> In any case some node has to be online in order for anyone to receive funds, whether onchain or not: it is simply that a widespread blockchain is very very likely to have some online node capable of storing the payment until you can come online to process it.
> What you propose splits up the fullnodes into many tiny sidechains, such that a sidechain may get stalled and you would be unable to receive a payment anyway while you are offline, because there are far fewer nodes per sidechain in order for such mass sidechains to start beating the raw scaling Lightning brings.
>
> Regards,
> ZmnSCPxj
>
> > Hi Robin.
> > While your motivation seems reasonable, your solution is not. It is not enough that a problem exists. Although the solution must be technically sound for the proposal to be interesting. So I agree it makes sense to consider Bitcoin sidechains, not sure if with PoS consensus or other, but no one yet proposed a viable solution, other than Federation based sidechains. Your proposal explored a single specific PoS sidechain, which to me does not sound interesting. Maybe you can improve it, maybe not.
> > I also disagree that it is okay if anyone can halt operation of a sidechain with just tiny investment. For me that is critical security flaw of your proposal. By enforcing stakers having to stake per chain you have actually lowered the cost for the attacker to attack each specific chain.
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, January 13, 2020 10:22 PM, Robin Linus robinlinus@protonmail•com wrote:
> >
> > > Hi Joachim,
> > >
> > > > > Regarding Reason #1:
> > > > > This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain. 
> > > > > Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchanges rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.
> > > >
> > > > I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.
> > > > I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.
> > >
> > > Let me try to explain where I am coming from: Whenever I want to onboard a not-so-techy friend to Bitcoin by sending him $5 worth of BTC, I don't have many good options. Usually we end up using BlueWallet. It works great. Though it only works so well because it is fully custodial. That is how they solve all the tough LN problems like inbound-capacity of new users, watchtowers and channel backends. Their service is just an Excel table connected to the LN. Unfortunately, that is the best UX we can currently offer to endusers. To me that's unsatisfying. Is that how we want to enter the emerging markets and on-board the next Billion users? I like that BlueWallet gives me the option to run my own LndHub for my friends. Still, does that scale globally? More importantly, do we want that?
> > > Now let's think about the altcoins argument. We want to serve a billion users. Blockchains do scale well to about a couple Million UTXOs, so we require a network of a couple thousand altcoins to serve our users.
> > > We know how to build a nice LN for all of our altcoins with a star-shaped topology around Bitcoin as the central settlement layer. Atomic swaps FTW. We can abstract away their native currencies. We display to our users only BTC, hide the exchange rates in the TX fees and we're done. That is actually a scalability solution. So why don't we do that?
> > > The problem here is that in the long term, the market of PoW blockchains should be a winner-takes-all market, right? So all PoW chains but Bitcoin will eventually die because they're wasting lots of value on their energy. So actually we don't want a couple thousand altcoins wasting resources on pointlessly weak PoW chains. We want a single PoW chain which is as strong as possible.
> > > That's why I'd argue it makes sense to consider a bitcoin-backed PoS and build a LN of thousands of nameless altcoins.
> > > Regarding sidechain security: Burning BTC is almost equivalent to burning energy. You might argue that people won't burn BTC, but it is hard to argue against the strong theoretical security properties of proof-of-burn.
> > > Furthermore, even without burning BTC, using only proof-of-stake I can guarantee doublespending is impossible. There is a very low incentive to risk your BTC's time value. You can only halt a sidechain. And you can halt the sidechain only for as long as you maintain the staking majority. Once you start an attack, you increase the incentive for others to increase their stake. Staking happens in bitcoin's blockchain, which you can't halt. Once the rational stakers regain 51% you've lost a year of time value of your BTC. Note that you can easily enforce stakers having to stake per chain. This guarantees attackers can use their BTC only to attack one chain per year. 
> > > Thus, the security of such a bitcoin-based PoS is stronger than one might suspect.
> > > Thanks again,
> > >
> > > -   Robin
> > >
> > > > > Regarding Reason #2:
> > > > > In the "Limitations" section I discuss the cost of halting the chain:
> > > > > Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.
> > > > > Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.
> > > >
> > > > Comparison to other models is not relevant to my claim that such construction is insecure for small sidechains. And for big sidechains the reason #1 prefers any other altcoin. Even if you introduce proof of burn, the final attack cost is small for an attacker in absolute numbers, despite the fact that in the relative numbers the cost is huge.
> > > >
> > > > > Thanks again,
> > > > >
> > > > > -   Robin
> > > > >
> > > > > Sent with ProtonMail Secure Email.
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Monday, January 13, 2020 7:06 PM, Joachim Strömbergson joachimstr@protonmail•com wrote:
> > > > >
> > > > > > While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.
> > > > > > One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are going not to be considered as a Bitcoin sidechain, but you will be, from certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.
> > > > > > Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period of time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.
> > > > > > Sent with ProtonMail Secure Email.
> > > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > > On Sunday, January 12, 2020 6:54 PM, Robin Linus via bitcoin-dev bitcoin-dev@lists•linuxfoundation.org wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > > I've been working on a sidechain protocol with no trusted third party. You can find the whitepaper here.
> > > > > > > Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake. Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.
> > > > > > > Feedback is highly appreciated!
> > > > > > > Thank you
> > > > > > >
> > > > > > > -   Robin
> > > > > > >
> > > > > > > PS: Here on Github you can find further research on scalability and usability.




^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-15  1:43             ` Robin Linus
@ 2020-01-15  5:46               ` ZmnSCPxj
  0 siblings, 0 replies; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-15  5:46 UTC (permalink / raw)
  To: Robin Linus; +Cc: Bitcoin Protocol Discussion

Good morning Robin,


> Good morning everybody!
>
> Thanks again for your detailed feedback.
>
> Maybe you're right and my solution is just crap :) So back to the drafting table!
>
> It seems to be a good idea to separate problem definition and solution. Here I tried to nail down LN's usability issue:
> https://github.com/coins/coins.github.io/blob/master/notes/lightning-network.md
> Would be great to hear your thoughts on that. Do we generally agree that Bitcoin has to work well on mobiles? Where do your opinions differ?
>
> If you are open to sidechains in general, we are discussing mostly consensus mechanisms.
> The consensus mechanism of custodial LN services is some trusted server somewhere, with a single hot key and no public auditability.
> That's state of the art LN experience on mobile. And it's worse than fiat banks.
>
> Yes, Liquid's trusted federation is much better than such custodial services. Still, how does it scale globally? Lots of trusted federations?
> Probably, we all favor a more trust-minimized sidechain consensus mechanism.
>
> Most likely, it is impossible to produce decentralized consensus without consuming an external resource.
> Furthermore, decentralized consensus requires an honest majority. Thus, fragmenting the consumption of the available resources over multiple chains weakens every chain proportionally. Therefore, whatever consensus mechanism we choose, the number of sidechains should be as small as possible. By implication, sidechains have to be as large as possible.
>
> The market simply has no capacity to secure thousands of chains, if they don't have millions of users each.
> Consensus resource consumption is a winner takes all market, until a sidechain becomes so full, that a further chain becomes profitable. Secure and profitable sidechains require strong network effects. Otherwise, there's a downwards spiral of no users which leads to no stakers and vice versa. Needless sidechains die off quickly.

Again, please refer to the previous Fermi estimate: blockchains have bad scaling precisely because every fullnode must know every transaction.
With blockchains, anything that is not a fullnode is trusting something, and the issue of custodiality is always and has always been an issue of trust.

>
> Regarding proof-of-burn: In theory, you could build a pure proof-of-burn sidechain which is literally as secure as Bitcoin's consensus. If you burn about 12.5 BTC for every sidechain block, then the sidechain is exactly as costly to produce as Bitcoin's blockchain. So regardless of the practicality, the theoretical security argument of PoB is very sound, or am I missing something?

Locking coins is equivalent to burning them, as you are "burning" the opportunity to use those coins elsewhere, e.g. in a JoinMarket maker or Lightning forwarding node.
Proof of locked coins is therefore indistinguishable from proof-of-burn in this sense, and your original proposal is proof-of-locked-coins.

Burning coins is effectively a donation to all HODLers, while locking coins is effectively a donation to all JoinMarket makers and Lightning forwarding nodes (i.e. HODLers too).

Something I have been playing with mentally would be a unidirectional peg in a sidechain.
Burn funds in the mainchain and build a block with equivalent amount in the coinbase of a sidechain.
But I stopped working on sidechains due to the aforementioned lack of scaling they produce: sidechains are for features, and federated sidechains are fine for new features.

>
> If it is, then can't we build some PoS / PoB construction to secure sidechains?
>
> Regarding 2-way peg and "a new asset for every chain is bad". Let's look at my real world bank account. There are no real dollars in it. No legal tender.
> It's just my bank's derivative of the Dollar, representing their promise to give me my Dollars whenever I want.
> Note that my bank's altcoin is not pegged 1:1 to the legal tender issued by the central bank. In the background they're balancing their books.

....


The "balancing their books" **is** the peg.

Consider, for example, that a sidechain may have 21 million bitcoins instantiated in it, but locked.
In order to unlock *part* of that supply, you have to provably lock funds in the mainchain.
This "moves" coins from mainchain to sidechain, but in reality there are still 21 million maincoins and 21 million separate sidecoins.
What matters is that there are only 21 million ***user-controllable*** coins in total, some in the mainchain and some in the sidechain.
That is enough for this to be a peg.

Thus, everything the bank does to "balance their books" is in fact a peg to the central-bank issued currency.

> All that is hidden from me as a customer. They know, I just want to facilitate payments in USD. As a customer I do not care about their underlying financial instruments. That's why I'd assume, that sidechain assets can be used as an instrument of BTC value transfer, without a 1:1-peg to BTC.
> The only thing that really matters, is liquidity for atomic swaps to pay LN invoices denominated in BTC. That again, is a matter of network effects of a sidechain.

Why would anyone accept a sidecoin with degraded security and accepted by fewer people if it is not pegged to BTC?

That immediately kills any network effects you are targeting.

--

In any case, a project I have been playing with (which I am not pursuing in seriousness and which I will not seriously support, because LN > sidechains) is to combine the mainchain-staking with https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-January/016611.html

Basically, on the mainchain, the sidechain is represented by a single UTXO that contains all the funds in the sidechain.
That UTXO would then have the same SCRIPT as described in the above linked post.

Mainchain coin owners that want to be included in the staker set can put their staked amount into a UTXO.
The sidechain stakers then confirm the addition of this staker to the staker set by spending the sidechain single UTXO and the entering staker, putting the funds into a new sidechain single UTXO that now includes the entering staker in the signing set.
Sidechain stakers can also redeem their stake back by requesting the staker set, so that the sidechain single UTXO is consumed and spent into a new sidechain single UTXO that removes the leaving staker in the signing set, plus a second UTXO containing the money that the leaving sidechain staker is reclaiming from stake.

Withdrawals and deposits into the sidechain use a similar mechanism, except the depositor does not get its pubkey added to the signer set, but its funds are instantiated into the sidechain (the stakers do not have their funds instantiated into the sidechain: the mainchain staked funds and the sidechain "live" funds are thus separated, even though on the mainchain they are combined within the sidechain single UTXO).

Like all federated sidechains this assumes a federation can be formed that can be trusted to not just spend the entire sidechain single UTXO on other funds.
In particular, if the federation is taken over, it can deny the entry of new stakers that would want to evict them.
Thus the security is significantly lower.

(proof-of-work allows existing miners to be evicted, at cost, by deploying more hashpower than the existing miners have: this is central to censorship-resistance on the main blockchain layer)

The stakers that sign on the sidechain single UTXO that appears on the mainchain need not be the same set that determines consensus on the sidechain.
In terms of the Liquid blockchain, the signers on the sidechain single UTXO are the watchmen (who ensure the peg is correct), and need not be the same set as the blocksigners (who advance the sidechain state by authorizing valid blocks).


Regards,
ZmnSCPxj
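
The accounting of the "sidechain single UTXO" described in the message above, as an added example that is not part of the original e-mail or of any project's code. The class and method names, the amounts, and the approval rule (signers holding more than half of the staked amount) are assumptions made for illustration; the e-mail defers the actual SCRIPT to the linked post.

```python
from dataclasses import dataclass


class Rejected(Exception):
    """A proposed spend of the sidechain UTXO that cannot go through."""


@dataclass(frozen=True)
class SidechainUTXO:
    """One state of the single mainchain UTXO that represents the sidechain."""
    stakers: dict   # pubkey -> staked sats (the signing set; not live on the sidechain)
    live: int = 0   # sats deposited by users and instantiated on the sidechain

    @property
    def value(self):
        # On the mainchain, stake and live funds are combined in one output.
        return sum(self.stakers.values()) + self.live

    def approved(self, signers):
        # ASSUMPTION: a spend needs signers holding > 50% of the staked amount.
        signed = sum(self.stakers.get(s, 0) for s in set(signers))
        return 2 * signed > sum(self.stakers.values())

    def _spend(self, signers, stakers, live, paid_in=0, paid_out=0):
        """Consume this UTXO and create its successor, conserving value."""
        if not self.approved(signers):
            raise Rejected("current signing set did not approve")
        if not stakers:
            raise Rejected("successor would have no signers")
        nxt = SidechainUTXO(stakers, live)
        if nxt.value + paid_out != self.value + paid_in:
            raise Rejected("value not conserved")
        return nxt

    def enter_staker(self, pubkey, amount, signers):
        """Spend the UTXO together with the entrant's stake; entrant joins the signing set."""
        if pubkey in self.stakers or amount <= 0:
            raise Rejected("invalid entering staker")
        return self._spend(signers, {**self.stakers, pubkey: amount},
                           self.live, paid_in=amount)

    def leave_staker(self, pubkey, signers):
        """Remove a staker from the signing set and pay its stake to a second output."""
        if pubkey not in self.stakers:
            raise Rejected("unknown staker")
        rest = {k: v for k, v in self.stakers.items() if k != pubkey}
        payout = self.stakers[pubkey]
        return self._spend(signers, rest, self.live, paid_out=payout), payout

    def deposit(self, amount, signers):
        """Depositor's funds become live on the sidechain; the signing set is unchanged."""
        if amount <= 0:
            raise Rejected("invalid deposit")
        return self._spend(signers, dict(self.stakers), self.live + amount,
                           paid_in=amount)

    def withdraw(self, amount, signers):
        """Withdrawals come out of live funds only, never out of stake."""
        if amount <= 0 or amount > self.live:
            raise Rejected("withdrawal would spend staked funds")
        return self._spend(signers, dict(self.stakers), self.live - amount,
                           paid_out=amount)


def demo():
    """Walk through constructed transitions; all keys and amounts are made up."""
    genesis = SidechainUTXO({"A": 60, "B": 40})
    s1 = genesis.deposit(25, signers=["A"])

    try:
        s1.withdraw(30, signers=["A"])
        over_withdraw = "allowed"
    except Rejected as exc:
        over_withdraw = str(exc)

    # A holds the majority of stake. If A does not sign, C cannot enter:
    # this is the "federation can deny the entry of new stakers" weakness.
    try:
        s1.enter_staker("C", 150, signers=["B"])
        entry_without_majority = "allowed"
    except Rejected as exc:
        entry_without_majority = str(exc)

    s2 = s1.enter_staker("C", 150, signers=["A"])       # A cooperates
    s3, payout = s2.leave_staker("B", signers=["C"])    # C alone is now a majority
    return {"s1": s1, "s2": s2, "s3": s3, "payout": payout,
            "over_withdraw": over_withdraw,
            "entry_without_majority": entry_without_majority}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model only tracks amounts and the signing set; it says nothing about how the sidechain's own block consensus is reached, which the message notes can be a different set of signers.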


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-13  2:33     ` ZmnSCPxj
  2020-01-13 17:34       ` Joachim Strömbergson
@ 2020-01-16  1:21       ` Angel Leon
  1 sibling, 0 replies; 22+ messages in thread
From: Angel Leon @ 2020-01-16  1:21 UTC (permalink / raw)
  To: ZmnSCPxj, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 5271 bytes --]

> Instead of using sidechains, just use channel factories.
> You do not need to broadcast the entire internal ledgers of those
> services, only their customers need to know those internal ledgers, and
> sign off on the updates of those ledgers.

That's right, all you need to broadcast is a small proof, a non-interactive
blockchain suffix proof
https://eprint.iacr.org/2017/963.pdf



On Sun, Jan 12, 2020 at 7:33 PM ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Good morning Robin,
>
>
> > Good morning ZmnSCPxj,
> >
> > Thank you for your detailed feedback! Two topics:
> >
> > Lightning vs Sidechains
> >
> > ------------------------
> >
> > Why an either-or-solution, if we can connect sidechains via the LN to
> > get the best of both worlds?
> >
> > The LN works exceptionally great under the following conditions:
> >
> > -   you're always online
> > -   you have BTC to manage your channels' inbound-capacity
> > -   you can afford BTC transactions
> >     -   in your channel is much more than the minimum on-chain TX fees
> >
> > The next Billion users do not fit that category. They are on
> > unreliable cell phone connections and do not have any BTC yet.
> > And the more popular Bitcoin becomes, the fewer people can
> > afford LN channels. Even Eltoo requires your funds to be significantly
> > higher than Bitcoin's TX fees, right?
> >
> > Already today, more and more services like tippin.me,
> > BlueWallet, etc, provide custodial solutions.
> > For small amounts, custody is an acceptable workaround. And I
> > love their usability. Install it and immediately I can send you $0.01. Yet,
> > scaling their approach globally does not lead to desirable outcomes, since
> > we'd be back to trusting banks with their Excel sheets.
> >
> > So let's make their internal ledgers public and trustless, via
> > independent sidechains. Decentralized Blockchains do scale decently up to a
> > couple Million UTXOs. So a couple thousand Sidechains is probably
> > sufficient for a global medium of exchange. Cross-chain communication
> > without requiring cross-chain validation is possible via atomic swaps and
> > through Bitcoin's LN. That scales because it separates chain-validators
> > from swap-validators.
> > Bitcoin's LN acts as the central settlement layer for efficient
> > cross-chain transactions between all sidechains.
> >
> > So Endusers "living" in sidechains instead of directly in the LN
> > has many advantages:
> >
> > -   no bitcoin blockspace required for on-boarding new users
> > -   no need to lock funds to provide inbound-capacity
> > -   no need to stay online or pay watch towers
> > -   no need to store channel histories
> > -   account balances can be much smaller than BTC TX fees
> >
> > Those are the exact same reasons why BlueWallet built their LndHub.
> > But sidechains can be trustless. Also a generic protocol provides
> > flexibility for sidechain innovations with arbitrary digital assets and
> > consensus rules.
>
>
> Which is why I brought up multiparticipant offchain updateable
> cryptocurrency systems.
> The "channel factories" concept does what you are looking for, except
> with better trust-minimization than sidechains can achieve.
> Just replace "sidechain" with either Decker-Wattenhofer or
> Decker-Russell-Osuntokun constructions.
> You can even use the Somsen "statechain" mechanism, which rides a
> Decker-Wattenhofer/Decker-Russell-Osuntokun construction, though its
> trust-minimization is only very very slightly better than federated
> sidechains.
>
> It is helpful to remember that Poon-Dryja, Decker-Wattenhofer,
> Decker-Russell-Osuntokun, and all other future such constructions, can host
> any contract that its lower layer can support.
> So if you ride a Poon-Dryja on top of the Bitcoin blockchain, you can host
> HTLCs inside the Poon-Dryja, since the Bitcoin blockchain can host HTLCs.
> Similarly, if you ride a Decker-Wattenhofer on top of the Bitcoin
> blockchain, you can host a Poon-Dryja inside the Decker-Wattenhofer, since
> the Bitcoin blockchain can host Poon-Dryja channels.
> This central insight leads one to conclude that anything you can put
> onchain, you can generally also put offchain, so why use a chain at all
> except as an ultimate anchor to reality?
> Poon-Dryja is strictly two-participant, while Decker-Wattenhofer limits
> the practical number of updates due to its use of decrementing relative
> timelocks: so you put the payment layer in a bunch of Poon-Dryja channels
> which support tons of updates each but only two participants per channel,
> and create a layer that supports changes to the channel topology (where
> changes to the channel connectivity are expected to be much rarer than
> payments) and is multiparticipant so you can *actually* scale.
>
> Instead of using sidechains, just use channel factories.
> You do not need to broadcast the entire internal ledgers of those
> services, only their customers need to know those internal ledgers, and
> sign off on the updates of those ledgers.
>
> Regards,
> ZmnSCPxj

[-- Attachment #2: Type: text/html, Size: 6395 bytes --]

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-14 15:06         ` Joachim Strömbergson
  2020-01-14 15:26           ` ZmnSCPxj
@ 2020-01-17  4:17           ` Robin Linus
  2020-01-17 13:54             ` ZmnSCPxj
  1 sibling, 1 reply; 22+ messages in thread
From: Robin Linus @ 2020-01-17  4:17 UTC (permalink / raw)
  To: Joachim Strömbergson; +Cc: Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 11501 bytes --]

Hi Joachim,

> if anyone can halt operation of a sidechain with just tiny investment.

It'll be impossible to halt a healthy chain with a tiny investment because halting a chain costs you at least as much as the side chain rewards. The "invested time value per block" of all honest stakers converges against the block reward. If imbalanced, someone will stake more bitcoin to get the cheap sidechain rewards. Exactly the same market mechanism secures PoW.

For a decentralized consensus via resource consumption it doesn't matter which limited resource you consume. The only relevant factor is that the value of the block reward is sufficient to motivate people to invest a lot of that resource. To motivate them to invest so much that an attacker cannot invest more. Independently of the resource, the amount of honestly invested resources converges against the value of the block reward.

Thus, I would even go further with my claim and argue that the security of bitcoin-backed PoS is exactly as strong as PoW because in both cases their security is proportional to the dollar value of their block reward. PoS sidechain security depends only on a sufficient userbase and thus, block reward value.

Thanks again for your detailed feedback,
-Robin

> For me that is critical security flaw of your proposal. By enforcing stakers having to stake per chain you have actually lowered the cost for the attacker to attack each specific chain.
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, January 13, 2020 10:22 PM, Robin Linus <robinlinus@protonmail•com> wrote:
>
>> Hi Joachim,
>>
>>>> Regarding Reason #1:
>>>> This proposal is less like Bitcoin vs. Altcoins and much more like Ethereum vs. ERC20 tokens, because the derivatives are not in competition with BTC, but depend on it heavily. You support Bitcoin's growth by supporting such a sidechain.
>>>> Also, they won't work as separate currencies. For endusers you can abstract away all underlying complexities such that they have to think only in BTC. Exchanges rates can be hidden in TX fees. The sidechain derivatives would be nothing but a means of transfer. The unit of account is still BTC.
>>>
>>> I can't see any difference and advantage over doing the same with say Litecoin. All you need is to create a special wallet which offers atomic swaps LTC-BTC and its unit of account displayed to user is going to be BTC. All you say will work perfectly with this special LTC wallet. Therefore your idea is as good as any other altcoin. In your case, someone else should indeed be able to create such a wallet in which the unit of account will be the new token, thus emulating the current LTC wallets. So the only difference in Litecoin is that the special wallet with BTC as unit is going to be created after the native one, while in your case it is vice versa.
>>>
>>> I simply can't see why I'd call this construction of yours a Bitcoin sidechain and any other altcoin not. So I'd call both altcoins.
>>
>> Let me try to explain where I am coming from: Whenever I want to onboard a not-so-techy friend to Bitcoin by sending him $5 worth of BTC, I don't have many good options. Usually we end up using BlueWallet. It works great. Though it only works so well because it is fully custodial. That is how they solve all the tough LN problems like inbound-capacity of new users, watchtowers and channel backends. Their service is just an Excel table connected to the LN. Unfortunately, that is the best UX we can currently offer to endusers. To me that's unsatisfying. Is that how we want to enter the emerging markets and on-board the next Billion users? I like that BlueWallet gives me the option to run my own LndHub for my friends. Still, does that scale globally? More importantly, do we want that?
>>
>> Now let's think about the altcoins argument. We want to serve a billion users. Blockchains do scale well to about a couple Million UTXOs, so we require a network of a couple thousand altcoins to serve our users.
>> We know how to build a nice LN for all of our altcoins with a star-shaped topology around Bitcoin as the central settlement layer. Atomic swaps FTW. We can abstract away their native currencies. We display to our users only BTC, hide the exchange rates in the TX fees and we're done. That is actually a scalability solution. So why don't we do that?
>> The problem here is that in the long term, the market of PoW blockchains should be a winner-takes-all market, right? So all PoW chains but Bitcoin will eventually die because they're wasting lots of value on their energy. So actually we don't want a couple thousand altcoins wasting resources on pointlessly weak PoW chains. We want a single PoW chain which is as strong as possible.
>>
>> That's why I'd argue it makes sense to consider a bitcoin-backed PoS and build a LN of thousands of nameless altcoins.
>>
>> Regarding sidechain security: Burning BTC is almost equivalent to burning energy. You might argue that people won't burn BTC, but it is hard to argue against the strong theoretical security properties of proof-of-burn.
>>
>> Furthermore, even without burning BTC, using only proof-of-stake I can guarantee doublespending is impossible. There is a very low incentive to risk your BTC's time value. You can only halt a sidechain. And you can halt the sidechain only for as long as you maintain the staking majority. Once you start an attack, you increase the incentive for others to increase their stake. Staking happens in bitcoin's blockchain, which you can't halt. Once the rational stakers regain 51% you've lost a year of time value of your BTC. Note that you can easily enforce stakers having to stake per chain. This guarantees attackers can use their BTC only to attack one chain per year.
>> Thus, the security of such a bitcoin-based PoS is stronger than one might suspect.
>>
>> Thanks again,
>> - Robin
>>
>>>> Regarding Reason #2:
>>>> In the "Limitations" section I discuss the cost of halting the chain:
>>>>
>>>> Time value of locked bitcoins might be too cheap to protect the chain. We can introduce an additional cost and let validators burn bitcoins for every on-chain vote. This is much more robust because there is an ongoing cost for halting the system. Proof-of-burn has recently been formally analysed [16]. The economic implications of burning significant amounts of Bitcoin are questionable. A level of security comparable to Bitcoin requires the system’s BTC burn rate to be equal to Bitcoin’s inflation rate.
>>>>
>>>> Also remember, time value of Bitcoins is indeed a value. Even without a proof of burn, I'd consider such sidechains much more secure than those custodial lightning wallets which become more and more popular to circumvent the usability hurdles of the LN.
>>>
>>> Comparison to other models is not relevant to my claim that such construction is insecure for small sidechains. And for big sidechains the reason #1 prefers any other altcoin. Even if you introduce proof of burn, the final attack cost is small for an attacker in absolute numbers, despite the fact that in the relative numbers the cost is huge.
>>>
>>>> Thanks again,
>>>> - Robin
>>>>
>>>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>>>
>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> On Monday, January 13, 2020 7:06 PM, Joachim Strömbergson <joachimstr@protonmail•com> wrote:
>>>>
>>>>> While I haven't rejected sidechains entirely yet, this particular proposal seems uninteresting, especially for two reasons.
>>>>>
>>>>> One – it introduces a new token for each sidechain and suggests atomic swaps to be used for the exchange of the mainchain token with the sidechain token. Such a model seems nonsensical to me because there seems to be an excessive number of blockchain projects that can be used similarly just as the sidechain in this proposal. Pick almost any altcoin out there and you can atomic swap it with Bitcoin. The fact that your sidechain is somehow mathematically bound to Bitcoin seems arbitrary because at the end you have a new token and a new issuance model. Therefore this is not extending Bitcoin economy, which is strictly limited by its convergence to zero inflation. This proposal is inflating the supply with a new token, which goes against what many people consider as a pillar of Bitcoin's value proposal. I think if you implement this proposal, you are not going to be considered as a Bitcoin sidechain, but you will be, from a certain point of view, indistinguishable from any other altcoin. At the level of my current understanding, the only interesting sidechain model is the [theoretical] one with a two way peg with Bitcoin, preserving the issuance policy of Bitcoin.
>>>>>
>>>>> Two – the security of the proposed system seems to be very fragile, unless I have missed something. When I think about sidechains, I expect that it should be possible to create a niche chain which is used by few participants while the security of the chain is somehow guaranteed from its bind to the mainchain. If this was not the case, such a niche sidechain could easily be attacked, even if just stalled/censored for a long period of time, with just a small [absolute] investment from an attacker, although this investment might be large if taken relatively to the utility of this niche sidechain. So if we speak concretely about your proposal, you assume an honest majority of validators. But in your system the validators come from locking of stake on Bitcoin chain by nodes that are interested in a particular sidechain. If you put this model on a niche chain where only few participants are interested in it, it's trivial for an attacker to be stronger [have more Bitcoin to lock] than all legitimate users together. You should only use the honest majority assumption where the scope is global, where it is very hard and very expensive to obtain majority.
>>>>>
>>>>> Sent with [ProtonMail](https://protonmail.com) Secure Email.
>>>>>
>>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>>> On Sunday, January 12, 2020 6:54 PM, Robin Linus via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I've been working on a sidechain protocol with no trusted third party. You can find the [whitepaper here](http://coins.github.io/coins.pdf).
>>>>>>
>>>>>> Abstract. Coins is a Bitcoin extension designed for payments at scale. We propose an efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake. Validators vote on sidechain blocks with one-time signatures, forming a record that cannot be changed without destroying their collateral. Every user can become a validator by locking bitcoins. One-time signatures guarantee that validators lose their stake for publishing conflicting histories. Checkpoints can be additionally secured with a bitcoin-backed proof-of-burn. Assuming a rational majority of validators, the sidechain provides safety and liveness. The sidechain’s footprint within bitcoin’s blockchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain assets. Spawning multiple, independent instances scales horizontally.
>>>>>>
>>>>>> Feedback is highly appreciated!
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>> - Robin
>>>>>>
>>>>>> PS: [Here on Github you can find further research on scalability and usability](https://github.com/coins/coins.github.io).


* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-17  4:17           ` Robin Linus
@ 2020-01-17 13:54             ` ZmnSCPxj
  2020-01-18  8:21               ` Robin Linus
  0 siblings, 1 reply; 22+ messages in thread
From: ZmnSCPxj @ 2020-01-17 13:54 UTC (permalink / raw)
  To: Robin Linus, Bitcoin Protocol Discussion

Good morning Robin,

> Hi Joachim, 
>
> > if anyone can halt operation of a sidechain with just tiny investment.
>
> It'll be impossible to halt a healthy chain with a tiny investment because halting a chain costs you at least as much as the side chain rewards. The "invested time value per block" of all honest stakers converges against the block reward. If imbalanced, someone will stake more bitcoin to get the cheap sidechain rewards. Exactly the same market mechanism secures PoW.
>
> For a decentralized consensus via resource consumption it doesn't matter which limited resource you consume. The only relevant factor is that the value of the block reward is sufficient to motivate people to invest a lot of that resource. To motivate them to invest so much that an attacker cannot invest more. Independently of the resource, the amount of honestly invested resources converges against the value of the block reward.

Also known as MC = MR.

This is in fact the core of the argument *against* this kind of global microchain system: each individual chain will either:

* Pay ridiculously high fees per transaction, because the microchain has a small number of transactions because that is the entire *point* of microchains.
* Pay insufficient fees per block, making it easy to attack, meaning the security of the chain has to be centralized around a few actors anyway (e.g. checkpoints, like what every altcoin implements), which is not much better than the custodial case you are complaining against.

In order to have a sidechain that is as secure as Bitcoin today, you need:

* Sidechain fees to cover both *current Bitcoin fees* plus *current Bitcoin block rewards*.

Consequently, the sidechain has to have either *more* users than Bitcoin today, or *higher* fees than Bitcoin today.

Unless of course you propose to have the sidechain issue its own coin, in which case it is not much more than an altcoin.
Still, the real-world value of the total block rewards for that altcoin will have to match the real-world value of the total block rewards of Bitcoin in order to have security even approaching Bitcoin.

>
> Thus, I would even go further with my claim and argue that the security of bitcoin-backed PoS is exactly as strong as PoW because in both cases their security is proportional to the dollar value of their block reward. PoS sidechain security depends only on a sufficient userbase and thus, block reward value.

Only if the consumed resource matches what is consumed under PoW.
Otherwise it is not much better than a low-PoW altcoin, i.e. easily attackable unless it centralizes around the developers.


I understand the desire to smoothen the experience of onboarding new users to Bitcoin.
But this path is not much better than the custodial solutions you are trying to avoid anyway.

Regards,
ZmnSCPxj
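
The MC = MR argument in the message above, worked through as a toy model; this is an added example, not part of the thread or the whitepaper. The 10-minute block interval, the 5% time-value rate, the one-year lock and all amounts are assumptions chosen for illustration.

```python
# Added illustration; all numbers are constructed, units are arbitrary (e.g. BTC).
BLOCKS_PER_YEAR = 6 * 24 * 365  # assumption: one sidechain block every 10 minutes


def equilibrium_stake(reward_per_block, rate, blocks_per_year=BLOCKS_PER_YEAR):
    """Honest stake where time value forgone per block equals the block reward.

    MC = MR:  stake * rate / blocks_per_year == reward_per_block
    `rate` is the assumed yearly time value of locked coins (0.05 = 5%).
    """
    if rate <= 0 or blocks_per_year <= 0:
        raise ValueError("rate and blocks_per_year must be positive")
    return reward_per_block * blocks_per_year / rate


def halting_cost(reward_per_block, rate, lock_years=1.0,
                 blocks_per_year=BLOCKS_PER_YEAR):
    """Time value an attacker forgoes by locking a stake equal to the honest one.

    A majority needs marginally more than this, so it is a lower bound.
    The rate cancels: the bound is simply the rewards paid over the lock period.
    """
    stake = equilibrium_stake(reward_per_block, rate, blocks_per_year)
    return stake * rate * lock_years


def fee_per_tx(reward_per_block, txs_per_block):
    """Fee each transaction must pay if fees alone fund the block reward."""
    if txs_per_block <= 0:
        raise ValueError("txs_per_block must be positive")
    return reward_per_block / txs_per_block


def dilemma(txs_per_block, target_reward, tolerable_fee, rate=0.05):
    """Both options for one chain: pay for the target, or keep fees tolerable."""
    cheap_reward = tolerable_fee * txs_per_block
    return {
        "fee_needed_for_target": fee_per_tx(target_reward, txs_per_block),
        "halting_cost_at_target": halting_cost(target_reward, rate),
        "halting_cost_at_tolerable_fee": halting_cost(cheap_reward, rate),
    }


if __name__ == "__main__":
    for name, txs in (("microchain", 10), ("large chain", 2000)):
        print(name, dilemma(txs, target_reward=8.0, tolerable_fee=0.004))
```

With these constructed inputs the 10-transaction chain either charges 0.8 per transaction or can be out-staked for about 2,100 a year, while the 2,000-transaction chain reaches the same target at 0.004 per transaction.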



* Re: [bitcoin-dev] Coins: A trustless sidechain protocol
  2020-01-17 13:54             ` ZmnSCPxj
@ 2020-01-18  8:21               ` Robin Linus
  0 siblings, 0 replies; 22+ messages in thread
From: Robin Linus @ 2020-01-18  8:21 UTC (permalink / raw)
  To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion

Good morning ZmnSCPxj,


>     Unless of course you propose to have the sidechain issue its own coin, in which case it is not much more than an altcoin.

Okay, call it an altcoin consensus mechanism. Because sidechains do have to issue their own coins.

Still, I am not proposing independent altcoins. Bitcoin is the only unit of account. I am proposing bitcoin derivatives only as means of bitcoin transfer. Think of gold vs cash.

>     Still, the real-world value of the total block rewards for that altcoin will have to match the real-world value of the total block rewards of Bitcoin in order to have security even approaching Bitcoin.

My point is that, assuming equal rewards, PoW and bitcoin-backed PoS do offer the same level of security.

So in theory, you are right. In practice, a sidechain does not need to be as secure as bitcoin. It requires only a sufficient user base.



Thanks again for your detailed answer,
-Robin

