public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Ariel Luaces <arielluaces@gmail•com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: [bitcoin-dev] Supermajority then simple majority Taproot Activation
Date: Fri, 5 Mar 2021 15:39:24 -0800	[thread overview]
Message-ID: <CAOv1TniX-tkGQuLvHB23QcUSJ+VwzzopTnEgchVYDDGuLbB92w@mail.gmail.com> (raw)

I found a hint of common ground in reddit that I absolutely loves and
just had to share here on the ML to discuss


Luke's suggestion: To minimise the signal from 90% to 50%+1 during the
MUST_SIGNAL phase.
https://www.reddit.com/r/Bitcoin/comments/lwvg78/making_the_case_for_flag_day_activation_of_taproot/gpkbdcg/


I think this proposal is a natural evolution:
From the creation of BIP9 to enable soft fork activations with low
risk under widespread miner support
https://github.com/bitcoin/bips/blob/master/bip-0009.mediawiki
To miner aggression against segwit, resulting in shaolinfry's
releasing the BIP148 and BIP91 proposals and a UASF client, resulting
in the Bitcoin civil war, resulting in settlement through economic
pressure.
To shaolinfry's creation of BIP8 to force a soft fork when
encountering minority miner apathy/malice and a desire for the majoity
of users to deploy
https://github.com/bitcoin/bips/blob/master/bip-0008.mediawiki
To Greg Maxwell's suggestion of two round activation with BIP9
followed by a flag-day activation (couldn't find the link, it's
mention in Matt's Modern Soft Fork Activation proposal)
To Matt Corallo's suggestion to do a BIP9 deployment followed by a
BIP8 deployment with a six month waiting period in between (Modern
Soft Fork Activation)
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-January/017547.html
To Luke Dashjr's addition of lockinontimeout to BIP8 to consolidate
the functionality of BIP8 and BIP9
https://github.com/bitcoin/bips/pull/550
To AJ Towns' suggestion of a gradually decreasing activation threshold
and a user configurable option between conditional activation and
guaranteed activation at the end
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-July/018043.html
To Gregorio Guidi's suggestion of decreasing the threshold to 1.2% as
the locked in date approaches, allowing for activation failure and
removing of the LOT flag
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018476.html
To Ariel Lorenzo-Luaces' (me)  suggestion of switching the final
threshold to 50% to pose a reorg threat to non-upgraded miners instead
of risking a minority fork
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-March/018529.html
To Luke Dashjr's suggestion of switching thresholds to 51% during the
MUST_SIGNAL phase instead of a gradualy decreasing threshold
https://old.reddit.com/r/Bitcoin/comments/lwvg78/making_the_case_for_flag_day_activation_of_taproot/gpkejqt/
(I hope I'm not missing anything)
To Matt Corallo seemingly liking the idea? It's hard to tell.


I think Luke's proposal fixes a lot of concerns on both sides of the
LOT discussion.
I went through all the Taproot activation discussion I could find, as
well as some old segwit activation discussions, and here I summarize
points that will hopefully convince all supporters from all sides of
the Taproot activation discussion.
Some points are repeated but framed differently based on the reader's
predisposition (LOT=true or LOT=false or flag day).
Something to note is that this is not a compromise, I mention it at the bottom.


The case for this new proposal for supporters of LOT=true first:
1. no veto bug) Miners wouldn't have veto power. If 51% of miners are
signaling during MUST_SIGNAL phase Taproot activates. This proposal
follows the will of the community. (point 5 on Matt's Modern Soft Fork
Activation proposal
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-January/017547.html)
2. signaling used for coordination instead of voting) The requirement
for a 95% supermajority vote disappears since those, what would have
previously been seen as, votes are irrelevant during the MUST_SIGNAL
phase. The 51% threshold is also seen as a coordination mechanism for
users to gauge miner support to automatically split from an unupgraded
miner minority.
4. low threshold UASF) It's much much easier to do a UASF marketing
blitz since only 51% of mining power needs to enforce the new rules
and the supermajority is not required. Mining power (51% of it needed)
will probably be convinced if exchanges, wallet software, and a
moderate number of users are on the Taproot activation side
(significant economic activity). This was a major problem in 2017
because it was uncertain whether signaling miners were running BIP9 or
UASF.
5. no UASF minority chain) If LOT=true is released and it never
achieves 50% signaling then there would be a fork and the UASF chain
will be exposed to attacks or destabilization due to miners switching
between chains. This proposal avoids that situation because it
guarantees that a majority of mining power is supporting Taproot so
the chain can't be attacked. You never really wanted to fork off from
your friends right?
3. nodes stay in consensus) If Taproot does not achieve a
supermajority but does achieve a simple majority (>51% PoW) at the end
of activation then upgraded users, upgraded miners, and non-upgraded
will all follow the taproot-active ruleset, leaving a minority of
miners to be exposed to reorgs if they don't enforce the new Taproot
rules. At this point the economic majority will very clearly be in the
taproot-activated chain so this creates strong pressure for the
minority of miners to capitulate or hard/soft fork off. (I imagine
they will capitulate... unless they want to have fun being poor)
6. no double spends) No need to stress about writing code to prevent
double spends the chain will stay together.
7. no PoW change) No need to stress about changing the PoW unless the
miner majority doesn't signal. In that case a flag day is needed with
a PoW change so the forked chain is safe. It's too risky to have to
re-upgrade, in the middle of Taproot deployment, to a new client to
deploy a PoW change in the event that the majority mining power is not
on board.
7. minority miners forced to comply or fork off) Zealous miners
against the proposed feature are forced to hard fork with an
anti-Taproot fork if signaling is greater than 51%. The hard fork will
have 49% in the worst case, probably much less if we assume humans are
greedy. The miner minority may attack if they are confident they will
succeed. But their success is unlikely due Nakamoto consensus.
8. no early adopter dilema) There is no reluctance of upgrading
because it's more likely the new version will be on the chain with the
most PoW. This fixes the early adopter dilemma.
9. no late adopter stress) Since the result of activation keeps all
users together and minority miners are forced off, late adopters don't
need to worry about upgrading their client to not risk being reorged.
They will be on the taproot activated chain.
10. majority attracts the undecided) At 51% of mining power and an
economic majority I would say Greg Maxwell's "opposed unless there is
clear consensus on LOT=true" is very well satisfied. (paraphrase
provided by michaelfolkson
http://gnusha.org/taproot-activation/2021-02-16.log)
11. discovered bugs can back out deployment) With forced activation
there is no way to back out activation unless all users revert to
using a previous version or upgrade to using a new fixed version. But
it's not guaranteed that all users will revert or upgrade. This
proposal allows a cancelation if we force the majority of miners to
not signal.
12. no alt-nodes) A UASF media blitz can achieve activation with 51%
miner support and can be executed with a client released by core
instead of an alt-node.
13. no dev+miner forced changes) Users maintain sovereignty in future
soft forks by maintaining the option of creating anti-feature hard
fork or soft fork movements as long as they have enough mining power
to maintain a safe chain. Miners and devs don't have ultimate power.
(unless a supermajority of both groups agree to an anti-user feature
but I find that unthinkable right now since the economic majority
wouldn't comply easily, may happen in the future, who knows)
14. no dev forced changes) Avoid a power grab from core developers and
a minority of users. They can't force a feature change because miners
and an economic majority together can veto. At minimum the forced
feature requires 51% mining power and zero user support, even in that
case majority users still have options. (point 10)
15. less miner polling pre-deployment) One of the rationales to lower
the activation threshold from 95% to 90% is due to 89% verbal miner
support https://taprootactivation.com/ . I saw some people wanted to
go as low as 85% or 80%, hell someone on the ##uasf channel wanted to
drop threshold to 65% to incentivize non-upgraded nodes to join the
UASF alt-node http://gnusha.org/uasf/2021-03-04.log . With this
proposal it doesn't matter if miners don't overwhelmingly support the
feature so their verbal input is less significant. Deployment can
happen as soon as 51% of mining power express verbal support, unlike
what's happening right now where miner apathy is delaying deployment
because no one is sure whether a supermajority is achievable.
16. new status quo) I'm not sure I understand when Luke says LOT=true
is status quo but this proposal probably fixes that too? This proposal
kind of acts like a flag day with the protection of a majority PoW.


The case for this new proposal for supporters of LOT=false first:
1. discovered bugs can back out deployment) The activation can be
canceled and the chain will remain united if any problem is found.
(point 1 on Matt's Modern Soft Fork Activation proposal
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-January/017547.html)
2. miner minority can't cancel) Only 51% of mining power can cancel if
a bug is found so a minority of miners can't abuse the threat of
canceling for political reasons.
3. no need for miner promises) In the back of the minds of LOT=false
supporters there is always the doubt of "what if we really can't trust
miners?". We can ask them and make them promise that they will support
the upgrade but we can never really know. With this proposal we don't
need to worry about a miner minority promising to signal and then
breaking the promise.
4. no UASF aggression at the start) Miners aren't antagonized because
they are still part of the signaling process and they keep their right
to run any client they want without the threat of a UASF. Though they
will eventually mine orphan blocks if they don't upgrade, which is
probably true for a handful of miners even today.
5. UASF is optional) If miners seem to be stalling or not signaling
users have the option of running a media blitz without having to
coordinate the release of a new UASF client. This removes the
complications of multiple client releases interacting to activate the
same feature.
6. UASF is reactive) Forcing miners to upgrade with a media blitz and
a threat to create a hard fork later will be after miners are shown to
be apathetic or malicious. Users have time to gather information while
the MUST_SIGNAL period approaches.
7. no user forced changes) Removes the precedent of users forcing
changes on miners because they must attain 51% miner support. If users
have less than 51% miner support they must hard fork instead.
8. safe supermajority activation) The threshold will remain in
supermajority territory 95% before the MUST_SIGNAL phase. When a
supermajority is achieved there will be minimal disruption and minimal
detriment to Bitcoin's security. (point 3 on Matt's Modern Soft Fork
Activation proposal
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-January/017547.html)
9. users have time to upgrade) Users will have an appropriate amount
of time to upgrade. (whatever time it takes to achieve supermajority)
(point 2 on Matt's Modern Soft Fork Activation proposal
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-January/017547.html)
10. no long deployments) In case of miners not reaching a
supermajority due to apathy we won't have to wait six months and then
another release and another long deployment.
11. no UASF minority chain) Users won't be reorged because if at the
end of activation support is below 51% taproot wont activate and users
will stay together.
12. no big reorgs) If more than 51% of miners support Taproot then
upgraded users, non-upgraded users, and minority miners will stay on
the same chain. Some non-upgraded users and miners will be at risk of
creating and following orphan blocks. But the likelihood is that the
miner minority will upgrade if we assume that they are self-interested
and don't want to mine orphan blocks. This results in a small risk of
chain split and small risk of big reorgs. (point 4 on Matt's Modern
Soft Fork Activation proposal
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2020-January/017547.html)
13. no late adopter stress) If mining power majority is not achieved
during activation then all miners stay on the same chain and late
adopters don't need to worry about the risk of some UASF chain
overtaking theirs.
14. no divergent consensus rules) The chain can stay together and our
friends won't fork off because we will all be running the same client
and the client will be backwards compatible.
15. no need for redeployment) If activation fails it's clear that it
happened due to a lack of a majority of clients supporting the change
and a lack of a strong enough economic group to force miners to
upgrade. So if activation fails we can be sure that we won't be
releasing the feature again or the feature must be released as a hard
fork if a group of users really really want it.
16. no co-optable deployment) No more LOT flag so code can't be easily
modified to create divergent consensus from a core release.
17. no incentive to force signaling) A big reason for users to force
signaling is for reorg protection in case they are in a minority
chain. With this proposal the UASF chain is protected from reorgs by a
miner majority so no need to force signaling.
18. no configurable consensus) No more LOT flag so no need for a
parameter/config value to force users to pick a side on upgrade.
Forcing the choice on users guarantees there will be users running a
UASF but at the same time reduces the likelihood of a successful UASF
due to other users running LOT=false.
19. no alt-nodes) If this proposal gains consensus and it can be
released in core then we will avoid the issue of fracturing groups of
core forks jockeying for user support.
20. miners can test features before deployment) If changes can be
written to core without contention or risk of divergent consensus.
Core can release RCs for miners and users to test the feature. I think
it would have helped to know the segwit-ASIC boost conflict before
segwit signaling even though there is no guarantee that it would have
been disclosed. But maybe having this ability will be useful for other
features.
21. no false flagging interference) No need for two activation periods
so no need to worry about buggy miner signaling software (false
flagging) that may continue to signal for the prior deployment. This
is a potential issue for modern soft fork activation. (this issue is
mentioned by AJ Towns in the decreasing threshold proposal
https://github.com/ajtowns/bips/blob/202007-activation-dec-thresh/bip-decthresh.mediawiki)
22. no dev vilification) Core developers can't be portrayed as having
ultimate power because they at least require 51% miner support.
23. safe supermajority threshold) Since the threshold will drop to 51%
during MUST_SIGNAL we could take the luxury of raising the
supermajority threshold back to 95% instead of 90%. This increases the
risk of miner stalling but that's the worst that could happen, which
is pretty good IMO.
24. no flag day) Avoids the pressure of devs pulling the trigger on a
flag day because this proposal removes (reduces?) the likelihood that
there will be a future chain split. This takes a lot of pressure off
of devs releasing this deployment.
25. no Taproot death) If we go with LOT=false first and it fails,
there is no getting around the fact that one group will want LOT=true
and the other group will want to drop Taproot altogether. I think devs
will still have a hard time deploying LOT=true after LOT=false.
26. no procrastinating) Since the deployment period doesn't need to be
too long for a safe LOT=true (after a failed LOT=false signaling
period) then there isn't a risk of users and miners procrastinating
upgrades until the last 3 or so months before the flag day.
27. another activation failure does not kill the MASF method) If
LOT=false fails again it was likely we would have never used it again.
That would be the death of quick MASF. But with this proposal the only
way to fail is if a majority of miners are against the feature and
have been unconvinced by an economic minority media blitz. In which
case the feature is contentious but the activation method remains
intact.


The case for this proposal for supporters of a straight flag-day:
1. no divergent consensus rules) all nodes will be compatible and
backwards compatible so they will all stay with the same consensus
rules.
2. discovered bugs can back out deployment) A flag day can't be
canceled. With this proposal if we find a bug it's easy for miners to
revert to an old version to get signaling below 51%.
3. signaling is available) With signaling we can all see the progress
of the activation. We will know if it's near a supermajority, we will
know if it's near the 51% milestone. Without signaling we might fail
to gather adoption and not even know which miners were actually
running the new version.
4. majority hash power will stay together) All users and the majority
mining power will stay on the same chain. It's possible that a
minority of mining power will fall out of consensus if they don't
enforce Taproot rules but if we assume they will act in their best
interest then they will upgrade once the simple majority of mining
power is signaling. Minority miners that are staunchly against
upgrading or are just really really really lazy and maybe take mining
as a hobby will fork off. But It's not possible to force those
minority miners anyway. For example there could be a minority of
miners running pre-segwit software today.
5. no redeploy to move the date) With a 95% threshold and a 51% at the
end we can be certain that the change will or won't activate. So no
need to scramble to move dates or potentially release a LOT=false
client earler than the flag day. Any of that scrambing is gone because
we just wait. The worst that could happen is a 6% miner minority can
delay the change until the MUST_SIGNAL period.
6. it's clear who wins under contention) Flag day activations need as
much economic adoption as any other method. With a flag day, any
contention in the feature will lead to entrenched groups and a split
is inevitable. With this proposal the economic majority decides by
forcing miners to signal one way or another by threatening a hard
fork. But with this proposal it's clear that who wins the debate is
who wins 51% miner support so the economic majority (if it's very
small will likely reconsider not forking off). With a flag day, who
wins the debate is only clear years after the flag day based on market
capitalization.
7. can start building early) Developers will have high assurance that
the change will activate after the 51% threshold is reached so they
can start building after 51% and don't need to wait until the
supermajority.
8. MASF is available) Activation can happen very early with a
supermajority since Taproot is not contentious. (still the most likely
outcome, by far!)
9. no dev forced changes) Avoid a power grab from core developers to
rush a flag day that doesn't have enough economic majority. Once the
client is released the chain split is nearly guaranteed. With this
proposal devs would need a miner majority and a supporting economic
majority or an apathetic economy supermajority.


The case for this new proposal for supporters of gradual decreasing
activation threshold:
1. no gaming thresholds) Miners can't suddenly signal at 55% threshold
to force 45% of non-signaling miners to scramble an update.


The case for this new proposal for supporters on all sides:
1. conservative enough for core) If we can fix all the kinks and
achieve some consensus I think this proposal will be safe enough to be
supported by core devs.
2. remove activation contention) If things go well we might get a few
more rounds of soft fork activation without contention.
3. no ambiguity on which chain is bitcoin) If there is a minority
group that forks off then the chain called Bitcoin will be the one
with the most economic support and miner support. With this come the
benefits that 21 million stays 21 million and $1 trillion stays $1
trillion. Unless a majority of mining power is trying to force a soft
fork that antagonizes the economic majority. Tthis miner oppression
would then be considered a 51% attack and maybe a PoW change is in
order.
4. *this is a real solution not a compromise*) I think this solution
fixes so many issues on both sides of the LOT debate that I see it as
better than either solution independently. This is a real solution and
the added benefit is that it's a solution that coincidentally brings
both sides of the debate together.
5. only contentious changes make contentious activation) Contentious
activations will be ones that have near 50/50 miner support. Features
like that will probably never even get to the activation stage and
Taproot is not one of them.
6. no LOT drama) The LOT flag is removed so no more default to argue
over. No more drama. And no cover for social attacks on bitcoin.
7. no mid-deployment changes) Deployment is on complete autopilot so
users don't need to change any configuration in the middle of
deployment period.


Leave it to bitcoiners to turn bitcoin's biggest flaw (51% attacks)
into a feature (51% upgrade pressure). The Bitcoin space is so
fascinating.
I hope there isn't some giant obvious flaw I'm missing. Please tell me
if I am. Or add to the arguments if you'd like.


Cheers
Ariel Lorenzo-Luaces


                 reply	other threads:[~2021-03-05 23:39 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAOv1TniX-tkGQuLvHB23QcUSJ+VwzzopTnEgchVYDDGuLbB92w@mail.gmail.com \
    --to=arielluaces@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox