Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id F10C35A9 for ; Sat, 10 Jun 2017 16:28:14 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-qt0-f178.google.com (mail-qt0-f178.google.com [209.85.216.178]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 73A41D0 for ; Sat, 10 Jun 2017 16:28:13 +0000 (UTC) Received: by mail-qt0-f178.google.com with SMTP id c10so97822463qtd.1 for ; Sat, 10 Jun 2017 09:28:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=8MxPFGL3n7G2hq2PqSxLe/1nYYjCdEI1OEgAo7+GV4U=; b=XJGlB/3fUJ99HalYiA9S0rD0h1+hzQ866DoILZELpMkPLAphfVoP4hf/lhZOu2hpfm 00T7xUnX+svquHon4BgUkcBpQIY3sojwps3VsMvsE4HDDbmHqTu6a/5btYYQaq7STjcy xipvp3VRXoUsd1cT4ps1UYEu9ZkesXk9Rlb2AnsyPgVy97Bdo3IvpH4PbEu0q1/o1q+y QhpTAnauVYRcc5YQEzk3dTs/mDTGMUVVRGXdkVZs54NBRs0Wr9JCxsJx6oJjOt45GuT4 DIrzSKYcPc4eh/zNs7X1v+D4P3lg9fZjfVYWCEEkgSxAmUKvsZNA6d1yNuf7HOeiuUQf mqaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=8MxPFGL3n7G2hq2PqSxLe/1nYYjCdEI1OEgAo7+GV4U=; b=Xl+swRlcZGBKel7C/XQ6FnWgoR7I/FILZCE+5cvnWFxcAno7LwodI5vXV96jjkWzdS 7Rf9wo8LFlDUOesKMsiGtfdXmICOJl9FxG31F+GuULuSJgFkcraemY/m1pVBQGN3D3ON wEP/v9+2WJXE74lWZs0dnl4u9iBrooJpHirr0sUg3MEZtEDwTP4GvuYn2u4xMZCwjq7Q kRwxZr8lwgagxj4ZsciN/rwg9wbEwIyWHOLuaRn6KNSHxnh3WTlnEprZjruYnnx2qlZO sc45QD6hChtNaVEd42jj8yfL7JcsdftcoAnNpoQjUjQNVivhLD0ZOoo2Ge0Xiudk0Pvc Z9mA== X-Gm-Message-State: AODbwcCawDqrP2djY4g2J1Gi2T0sQXVKKOeHRFq881AdMxPZ0t1PuvpW uV5MK2QjRqnUvJTTaLU= X-Received: by 10.200.11.202 with SMTP id p10mr11495538qti.221.1497112091590; Sat, 10 Jun 2017 09:28:11 -0700 (PDT) Received: from [192.168.1.101] (ool-45726efb.dyn.optonline.net. [69.114.110.251]) by smtp.googlemail.com with ESMTPSA id m22sm3070555qkl.49.2017.06.10.09.28.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 10 Jun 2017 09:28:10 -0700 (PDT) To: Sergio Demian Lerner References: <24f2b447-a237-45eb-ef9f-1a62533fad5c@gmail.com> <20170522133335.GA17194@fedora-23-dvm> <20170528210757.GA19450@fedora-23-dvm> From: Paul Sztorc Message-ID: <64177e57-1a30-c8c1-4743-01558b4e2369@gmail.com> Date: Sat, 10 Jun 2017 12:28:09 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Drivechain -- Request for Discussion X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Jun 2017 16:28:15 -0000 Hi Sergio / everyone, As some of you may know, Sergio and I each did an implementation of drivechain. I started working on mine, and he started working on his, and then I didn't hear from him for awhile about what he was doing. Anyways, with two versions, we each have an opportunity to double-check our work. For example, this already happened wrt the "ACK size". Let me share from his linked BIP: "By allowing miners to refer to transaction candidates by transaction id prefixes, the space consumption for a single ack can be as low as 2 bytes." Sergio shared this with me last October at Scaling Milan. After listening to him, we saw an opportunity to improve our design: now, our miners can conjecture that miners will grant ACKs in a few simple ways [always honest, honest+ignore some, ignore all], and it will precompute these possibilities (guessing what rival miners will do, even before they find and broadcast a new block). Therefore, in all honest cases, our ACK-counting now requires zero (0) bytes to be sent over the network. In dishonest cases it requires only a few bits per sidechain, because we also maintain a deterministically ordered list, both of sidechains and withdrawal attempts -- therefore it can just be a string of binary information. This is not part of consensus, and so can be further improved over time. I'm sure there are still a few opportunities for mutual improvements going forward. In general, Sergio and I disagree over the withdrawal-frequency. a major difference of opinion is over the withdrawal-frequency. I view infrequent withdrawal as essential to the security model, but Sergio does not. In both our designs, the withdrawal-time is configurable, but Sergio's design seems to be optimized for cases with frequent withdrawal attempts, whereas mine is optimized for cases with very infrequent withdrawal attempts. Another difference is that, as a direct result of earlier peer review, I have been integrating 'blind merged mining' into my version. It may be easy for Sergio to add BMM to his version, or it may not. It is true that I am not interested in the hybrid model. I would not make use of the multisig / centralized part, and so for me it complicates the security properties for no benefit. I see why some people are interested in it, though. Paul On 6/9/2017 5:54 PM, Sergio Demian Lerner wrote: > I'm a bit late to this party. I just want to add that there exists an > hybrid model where both a federation and the miners provide acknowledges > (sometimes known as "votes" in drivechain terms and "multi-signatures" > in a federation) of the sidechain state. > > My Drivechain proposal (Feb 2016) was tailored to enable this particular > use-case, which I'm not sure Paul's proposal enable. > > > The proposal is on this list under the following subject: Drivechain > proposal using OP_COUNT_ACKS > > BIP (draft): > https://github.com/rootstock/bips/blob/master/BIP-R10.md > > > Code & Test cases: > https://github.com/rootstock/bitcoin/tree/op-count-acks_devel > > > In this proposal, the "poll" time is sidechain-configurable, and I > proposed a few days delay was enough. > Some have said that a longer times are needed, such as 2 months. > So if you want to have a 2 month dalay for sidechain->mainchain > transfers in this code, you still can. However a better dynamic cache of > acks/nacks would be needed. However, for the hybrid use-case, one day is > more than enough. > > Regards > > > > > On Tue, May 30, 2017 at 2:11 AM, Paul Sztorc via bitcoin-dev > > wrote: > > Hi Peter, > > Responses below. > > On 5/28/2017 5:07 PM, Peter Todd wrote: > > On Mon, May 22, 2017 at 05:30:46PM +0200, Paul Sztorc wrote: > >> Surprisingly, this requirement (or, more precisely, this incentive) does > >> not effect miners relative to each other. The incentive to upgrade is only > >> for the purpose of preventing a "theft" -- defined as: an improper > >> withdrawal from a sidechain. It is not about miner revenues or the ability > >> to mine generally (or conduct BMM specifically). The costs of such a theft > >> (decrease in market price, decrease in future transaction fee levels) would > >> be shared collectively by all future miners. Therefore, it would have no > >> effect on miners relative to each other. > > > > That's not at all true. If I'm a miner with a better capability than another > > miner to prevent that theft, I have reasons to induce it to happen to give me > > political cover to pushing that other miner off the network. > > Miners can abstain from 'voting', which is politically neutral. Or, if > they wish, smaller miners could acquiesce to the coercion and just copy > the votes of the attacking 51% group. For users who are only running > Bitcoin Core, there is nothing bad about that. > > As you say, a 51% group can arbitrarily start orphaning the blocks that > are mined by non-member rivals. This _may_ be a problem, or it may not, > but it is not exacerbated by drivechain. > > So, what exactly is "not at all true"? > > > > > > This is a very similar problem to what we had with zeroconf double-spending, > > where entities such as Coinbase tried to pay off miners to guarantee something > > that wasn't possible in a geninely decrentralized system: safe zeroconf > > transactions. > > I don't see what you mean here. You can't stop Coinbase from donating > BTC to a subset of miners. That will always be possible, and it has > nothing to do with drivechain (as I see it). > > > > > >> Moreover, miners have other recourse if they are unable to run the node. > >> They can adopt a policy of simply rejecting ("downvoting") any withdrawals > >> that they don't understand. This would pause the withdraw process until > >> enough miners understand enough of what is going on to proceed with it. > > > > Why are you forcing miners to run this code at all? > > Could we not say the same thing about the code behind CLTV? > > The nature of a contract, is that people are happier to be bound by some > rules that they themselves construct (for example, a nuclear > non-proliferation treaty). > > In this case, miners prefer sidechains to exist (as existence makes the > BTC they mine more valuable, and provides additional tx fee revenues), > and so they would like to run code which makes them possible. > > > > > > Equally, you're opening up miners to huge political risks, as rejecting all > > withdrawals is preventing users' from getting their money, which gives other > > miners a rational for kicking those miners off of Bitcoin entirely. > > As I explained above, miners can abstain from voting, which is > politically neutral, or else they can delegate their vote to an > aggressive miner. The "51% can orphan" concern could be raised, even in > a world without drivechain. All that is required, is for the miners to > be anonymous, or in private 'dark' pools (and to thereby escape > censure). > > But there is a much bigger issue here, which is that our threat models > are different. > > As you may know, my threat model [1] does not include miners "pushing > each other off". It only cares about the miner-experience, to the extent > that it impacts the user-experience. > > Moreover, I reject [2] the premise that we can even measure "miner > centralization", or even that such a concept exists. If someone has a > definition of this concept, which is both measurable and useful, I would > be interested to read it. > > ( For what it's worth, Satoshi did not care about this, either. For > example: "If a greedy attacker is able to assemble more CPU power than > all the honest nodes, he...ought to find it more profitable to play by > the rules." which implies robustness to 51% owned by one entity. ) > > [1] http://www.truthcoin.info/blog/mining-threat-equilibrium/ > > [2] http://www.truthcoin.info/blog/mirage-miner-centralization/ > > > > > > >> Finally, the point in dispute is a single, infrequent, true/false question. > >> So miners may resort to semi-trusted methods to supplement their decision. > >> In other words, they can just ask people they trust, if the withdrawal is > >> correct or not. It is up to users to decide if they are comfortable with > >> these risks, if/when they decide to deposit to a sidechain. > > > > Why do you think this will be infrequent? Miners with a better ability to > > validate the drivechain have every reason to make these events more frequent. > > It is part of the spec. These timing parameters must be agreed upon when > the sidechain is added, ie _before_ users deposit to the sidechain. Once > the sidechain is created, the timing is enforced by nodes, the same as > with any other protocol rules. Miner-validation-ability has no effect on > the frequency. > > > > > >> It is a matter of comparing the costs and benefits. Ignoring theft, the > >> costs are near-zero, and the benefits are >0. Specifically, they are: a > >> higher BTC price and greater transaction fees. Theft is discouraged by > >> attempting to tie a theft to a loss of confidence in the miners, as > >> described in the spec/website. > >> In general the incentives are very similar to those of Bitcoin itself. > > > > This is also a very dubious security model - I would argue that Bitcoin is much > > *more* valuable if miners do everything they can to ensure that drivechains > > fail, given the huge risks involved. > > I don't see how. Users are free to ignore the sidechain, so it can only > benefit them. > > Fortunately for you, if that is actually what miners believe, then there > will be no problem, as miners will just filter out drivechains (so that > Bitcoin will be "much *more* valuable"), which they can easily do. > > > > I would also argue that users should do > > user-activated-soft-forks to ensure they fail. > > Again, I don't think that kind of UASF can succeed, because one option > strictly dominates the other. But the users get the final say, of > course. > > Empirically, I have observed overwhelming support for sidechains among > users, business, and other developers. The btc-investors I spoke to were > all very excited about the prospect of sidechains, even more so than > they were excited about SegWit. > > > > > > By comparison, note Adam Back and my own efforts to ensure miners have a > > smaller part in the ecosystem, with things like committed (encrypted) > > transactions and my closed-seal-set/truth-list approach(1). We want to involve > > miners as little as possible in the consensus, not more. > > I agree that miners should have as little influence as possible (and > they probably agree, as well). But a 51% group can filter any message > they like from the blockchain. For sidechains, there will need to be two > public networks, so concealment is not an option. > > And, I repeat, for regular users of Bitcoin Core, drivechain does not > make a 51% group more dangerous than they already are. > > Moreover, there are cases [1] where miner-involvement can make a big > _positive_ impact. Just as it can be beneficial (essential, in fact) for > Bitcoin to filter out harmful interactions among txns (in other words, > good for miners to filter out double spends), I have discovered > situations where it is beneficial and essential for miners to filter out > harmful interactions among multiple chains. > > So I think I am actually hitting the "as little as possible" target. > > [1] http://www.truthcoin.info/blog/wise-contracts/#wise-contracts > > > > > > > I have to ask: What use-cases do you actually see for drivechains? Why can't > > Here is a tentative project list: > http://www.drivechain.info/projects/index.html > > > And, as I say on the FAQ, "If each individual user is free to sell > his/her BTC in exchange for an Altcoin (or for fiat), we can hardly deny > users the opportunity to move their money between two sidechains." > > So, in a strong way, the entire altcoin market makes the case for a > usefulness of sidechains. Bitcoin is a form of money, and only one form > of money can exist per currency area. So, if Bitcoin is not the winner, > it will eventually cease to exist altogether. Altcoin-competition is an > existential threat to Bitcoin, one which is far more relevant than > anything you've presented so far. > > Secondly, one important value of permissionless innovation is that one > doesn't really know, today, what cool ideas other people are going to > come up with tomorrow. If you did, they'd be today's ideas. > > Third, Core's review process has two opposite problems: on one hand it > is slow and grueling, and on the other it is fraught with the > possibility of catastrophic error. It would be better, for everyone, to > allow people to try their own (non-aggressive) experiments, and to make > their own mistakes. Already, I have seen the review process abused to > create/maintain fiefdoms of expertise, so that the abusers can extract > money from clients/employers/VCs. > > Just think of all of the free time you would have, Peter, if you didn't > have to spend it all reviewing these projects! > > > > those use-cases be done in the much safer client-side validation fashion? > > ? How is drivechain _not_ within the category of client-side validation? > With BMM, validation is only performed by those users ("clients") who > opt-in to the new features. The economic model of BMM is directly > comparable to that of Bitcoin's PoW -- the highest-bid chain should be > the healthiest one. > > Can you post the Github link for your most up-to-date client-side > validation work so that we can compare the safety and other features? > > Thanks, > Paul > > > > > 1) > https://petertodd.org/2016/closed-seal-sets-and-truth-lists-for-privacy > > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > >