Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 01385955 for ; Tue, 5 Sep 2017 17:06:47 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from so254-16.mailgun.net (so254-16.mailgun.net [198.61.254.16]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6D1D73D4 for ; Tue, 5 Sep 2017 17:06:46 +0000 (UTC) DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=suredbits.com; q=dns/txt; s=mailo; t=1504631205; h=Content-Type: To: Subject: Message-ID: Date: From: References: In-Reply-To: MIME-Version: Sender; bh=twq/03GEVRDLDxZEas8JsnshCtlfhKCSqgAj+zPyjRI=; b=hYSwY3+k09aFekS8YKvI+QsF0ZUos2QGENL3BPKQPDtyfHqXbMrqNqzqv2HD/oKz5nNwARfv doXiHBd9dcRYq2SIqZ7Pz3ykmoEN1om9+8WeA4qrt29p1l7P8IwuhOcW0+i9LETwjnkSU/gA J7T5rzlPMqDp9byxy9zBd/yoKS0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=suredbits.com; s=mailo; q=dns; h=Sender: MIME-Version: In-Reply-To: References: From: Date: Message-ID: Subject: To: Content-Type; b=Zoq5RZvqETth+w0OwsBfN60I0bP7cWSn10zw0QYHFGEd96q0pKYVWNu6fCA1zpP91EkDf6 GKnv8pjBlI92qKLS8+xK5xNHo3ruYbKEjVMZc9nS6QYknx3VFG0mTjUcUKp7xsXdYHEAu17A UvqzWzVDFZgxkFtfT30U2PPZ+GFW8= Sender: chris@suredbits.com X-Mailgun-Sending-Ip: 198.61.254.16 X-Mailgun-Sid: WyI5MGYzNyIsICJiaXRjb2luLWRldkBsaXN0cy5saW51eGZvdW5kYXRpb24ub3JnIiwgIjJjMTQxIl0= Received: from mail-io0-f181.google.com (mail-io0-f181.google.com [209.85.223.181]) by mxa.mailgun.org with ESMTP id 59aed999.7f3ae4506970-smtp-out-n02; Tue, 05 Sep 2017 17:06:33 -0000 (UTC) Received: by mail-io0-f181.google.com with SMTP id z67so18871146iof.3 for ; Tue, 05 Sep 2017 10:06:33 -0700 (PDT) X-Gm-Message-State: AHPjjUg8Q4Gq9SKHsnmf+sKqJ6Tz3z5TWYPKSM7fm37YkQLKAW4afn/z iJKSqNHYZj41ZQjD5QLNh9EZfdlUNg== X-Google-Smtp-Source: ADKCNb5K6bwhK07Pkq+2/2qZ1lD/6B9x9Ma6mG5UyJL8FAKUjLfY0rtUvsQocJkTPumlaglF3u2CPv8wNplRlBNqacc= X-Received: by 10.107.147.9 with SMTP id v9mr4981313iod.92.1504631193026; Tue, 05 Sep 2017 10:06:33 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.10.20 with HTTP; Tue, 5 Sep 2017 10:06:32 -0700 (PDT) In-Reply-To: References: From: Chris Stewart Date: Tue, 5 Sep 2017 12:06:32 -0500 X-Gmail-Original-Message-ID: Message-ID: To: ZmnSCPxj , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="94eb2c056162c74caa0558743fad" X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 05 Sep 2017 17:08:37 +0000 Subject: Re: [bitcoin-dev] Sidechain headers on mainchain (unification of drivechains and spv proofs) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Sep 2017 17:06:47 -0000 --94eb2c056162c74caa0558743fad Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi ZmnSCPxj, Basically, in case of a sidechain fork, the mainchain considers the longest > chain to be valid if it is longer by the SPV proof required length. In t= he > above, at mainchain block 10, the sidechain H is now 4 blocks (H,G,F,E) > longer than the other sidechain fork that ended at d. > > Mainchain nodes can validate this rule because the sidechain headers are > embedded in the mainchain block's coinbase. Thus, mainchain fullnodes ca= n > validate this part of the sidechain rule of "longest work chain". > What happens in the case that the provided merkle tree hash has a invalid transaction in it? Wouldn't this mean that the mainchain nodes would think the longest work chain is the valid chain, and it would kill off any consensus valid chain that sidechain miners are trying to construct? It seems that a malicious miner could extend the chain to whatever the SPV proof block height is and make it impossible for the chain to reorg after that. I guess if that is a sufficiently long block waiting period it may not be a realistic concern, but something to think about any way. Just a side note -- I think it should be highly recommended that the coinbase maturity period on the sidechain to be longer than 288 (or whatever we decide on the parameter). This incentivizes the s:miners to work together to extend the chain by working with other s:miners (otherwise they won't be able to claim their bribes). If they do not work together they will not be able to spend their s:coinbase_tx outputs until they extend their own sidechain by 288 blocks meaning they need to tie up a large amount of capital to go rogue on their fork. Another interesting thing might be to use the OP_WITHDRAWPROOFVERIFY op cod= e used in the elements project. Since the cannonical merkle root hashes are included in the mainchain, we can provide a merkle proof to the bitcoin blockchain to initiate a withdrawl from the sidechain. I wrote up a blog post on how OP_WPV works here . This allows us to prove that a transaction occurred on the sidechain to lock up those funds. -Chris =E2=80=8B --94eb2c056162c74caa0558743fad Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi ZmnSCPxj,

Basically, = in case of a sidechain fork, the mainchain considers the longest chain to be valid if it is longer by the SPV proof required=20 length.=C2=A0 In the above, at mainchain block 10, the sidechain H is now 4= =20 blocks (H,G,F,E) longer than the other sidechain fork that ended at d.
<= /div>

Mainchain nodes can validate this rule because the sidechain headers are embedded in the mainchain block's coinbase.=C2=A0 Thus, mainchain fullnodes can= =20 validate this part of the sidechain rule of "longest work chain".=

What happens in the case that the provided merkl= e tree hash has a invalid transaction in it? Wouldn't this mean that th= e mainchain nodes would think the longest work chain is the valid chain, an= d it would kill off any consensus valid chain that sidechain miners are try= ing to construct? It seems that a malicious miner could extend the chain to= whatever the SPV proof block height is and make it impossible for the chai= n to reorg after that. I guess if that is a sufficiently long block waiting= period it may not be a realistic concern, but something to think about any= way.

Just a side note -- I think it should be highly r= ecommended that the coinbase maturity period on the sidechain to be longer = than 288 (or whatever we decide on the parameter). This incentivizes the s:= miners to work together to extend the chain by working with other s:miners = (otherwise they won't be able to claim their bribes). If they do not wo= rk together they will not be able to spend their s:coinbase_tx outputs unti= l they extend their own sidechain by 288 blocks meaning they need to tie up= a large amount of capital to go rogue on their fork.

Another = interesting thing might be to use the OP= _WITHDRAWPROOFVERIFY op code used in the elements project. Since the ca= nnonical merkle root hashes are included in the mainchain, we can provide a= merkle proof to the bitcoin blockchain to initiate a withdrawl from the si= dechain. I wrote up a blog post on how OP_WPV works here. This allows us = to prove that a transaction occurred on the sidechain to lock up those fund= s.

-Chris
=E2=80=8B
--94eb2c056162c74caa0558743fad--