Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 86295C001A for ; Sat, 26 Feb 2022 05:38:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 73BD384015 for ; Sat, 26 Feb 2022 05:38:23 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp1.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EeU9b8xAyHeZ for ; Sat, 26 Feb 2022 05:38:22 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) by smtp1.osuosl.org (Postfix) with ESMTPS id E544683F18 for ; Sat, 26 Feb 2022 05:38:21 +0000 (UTC) Received: by mail-ej1-x631.google.com with SMTP id a23so14673158eju.3 for ; Fri, 25 Feb 2022 21:38:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cCSw3yd0971mpqL440EiqZtZd5c/PaqNYPGFhoJUg7s=; b=DSwQv1lE1leLoDsmrvSkIjQhEKnnSNixiQ+naFVMvJ9nBg60AE5TDMJakjMJKdq7mS OZ3Y6MMEz3oyret9ak1etZya/ArihbKdFkRoSqKOeJ4dej3S4L3ZsKx3L782kvlsfzNO j8cNlYVKGkmNBa8oxfeY1Lo2NJ8QwXD924xOwNyu38SGjn0kYRhA2foumFv3pcpHoyUR GKQ2/mfDPihW42TqXised5wOcuzQwCpI7emeoZsToRJRlcVq+uXlpmXjGlMAHJwbxSjp MOvebvlQf5y1foQ/LdjebTbjhIfUvN1uchjFfUZUcMWkWUFmJV7PIFxyN7paxBSZc/UL R56g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cCSw3yd0971mpqL440EiqZtZd5c/PaqNYPGFhoJUg7s=; b=a50//mq1x7u4JemMnRXjwF4/ibjcKMIhP0iqjPJPoY0M87G4GMehOI+mJrnrgPN0e5 PYt7ytC3bZYIclO56TiM1x6QohvJpmhULqeGUQ/0AR51tAri3lsjxeHKNxr5FA7bgCI6 T4GS/KxobzJ/OYaqB/XI33HKMo77ow1YP+dHDZO5+vp484Ayg71L7uu7WrJAYLrGmwWx PiEBdJ1Oju1ba/o/sxJ1kmxXpeoVpwM8BfEUKEzy1m19Wqt+iSqZeS2qwcvSXWIbGk3T qDBwVH2uoVP9QTVghzG0Ztkf8xrMxcKSoCovBkvWleSI3iX/uSHu3x79il2dEvP75nve ZS9A== X-Gm-Message-State: AOAM530QnuZhz1ruZCGPkXka87DjxD9gooF4pTD8CHB63b9OnoI71JqI ADwadnpfdTBh7jtOi2kp7Ij4RDIaNDAdt70L0an7OkmE X-Google-Smtp-Source: ABdhPJwXT5LaEp4SteOqSvB12uULLwRw058oKFAGoqNVSGcQoDR6vQJo0/DmWl7bjzlTQDwZCodWvfyLCTeMU5kNSmc= X-Received: by 2002:a17:906:130a:b0:6b7:5e48:350a with SMTP id w10-20020a170906130a00b006b75e48350amr8371955ejb.184.1645853900049; Fri, 25 Feb 2022 21:38:20 -0800 (PST) MIME-Version: 1.0 References: <87leymuiu8.fsf@rustcorp.com.au> <0100017ee6472e02-037d355d-4c16-43b0-81d2-4a82b580ba99-000000@email.amazonses.com> <20220224065305.GB1965@erisian.com.au> In-Reply-To: From: Billy Tetrud Date: Fri, 25 Feb 2022 23:38:03 -0600 Message-ID: To: ZmnSCPxj , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000001092ad05d8e539d0" X-Mailman-Approved-At: Sat, 26 Feb 2022 08:34:24 +0000 Cc: Anthony Towns Subject: Re: [bitcoin-dev] Recursive covenant opposition, or the absence thereof, was Re: TXHASH + CHECKSIGFROMSTACKVERIFY in lieu of CTV and ANYPREVOUT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Feb 2022 05:38:23 -0000 --0000000000001092ad05d8e539d0 Content-Type: text/plain; charset="UTF-8" @ZmnSCPxj > we have already rejected Drivechains I also think this is kind of dubious. I don't remember consensus being to "reject" drivechains, as much as consensus was that it wasn't a priority and there wasn't a lot of interest in doing on it from many people (I'm sure Paul could comment further on that). > sidechains on Drivechains become a block size increase. While this would be true for those who opt into a particular drivechain, I think its important to note that it would *not* be identical to a main-chain block size increase in a very important way: normal bitcoin miners and nodes nodes that don't care about drivechains would not see a blocksize increase. But even in the hypothetical scenario where *all* mainchain miners expand their business to sidechains, it still does not negatively affect normal bitcoin nodes that don't care about drivechains. The important things about a "normal" blocksize increase are: A. It increases the machine resources necessary for IBD, transaction relay, and validation B. It probably increases the growth rate of the UTXO set, increasing memory necessary to store that. C. It increases the cost of storing the blockchain on non-pruned nodes D. It increases the average propagation time of new blocks, which increases miner centralization pressure. The existence of drivechains with every miner opted into (some of) them would only negatively impact item D. Normal bitcoin nodes wouldn't need to use any extra resources if they don't care about drivechains. And miners would only have additional centralization pressure proportional to what drivechains they're opted into. The reason for that is that if a miner is opted into drivechain X, and propagation of transaction data for drivechain X is significantly slower than the normal bitcoin network, a miner may not have the latest drivechain X block to merge mine on top of. However that miner can still mine bitcoin with no additional latency, and so that centralization pressure is minimal unless a significant fraction of the miner's revenue comes from drivechains with slow data propagation. Beyond that, by my calculations, miner centralization is quite far from being significantly affected by blocksize increases. So unless drivechains become the dominant use case of the bitcoin blockchain, this really isn't something that I expect to cause any substantial miner centralization or other blocksize related problems. ZmnSCPaj, are you arguing that drivechains are bad for bitcoin or are you arguing that it would be unwise to opt into a drivechain? Those are very different arguments. If drivechains compromised things for normal bitcoin nodes that ignore drivechains, then I agree that would be serious reason to reject drivechains outright and reject things that allow it to happen. However, if all you're saying is that people can shoot themselves in the foot with drivechains, then avoiding drivechains should not be a significant design consideration for bitcoin but rather for those who might consider spending their time working on drivechains. On Thu, Feb 24, 2022 at 6:03 AM ZmnSCPxj via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Good morning aj, > > > > Logically, if the construct is general enough to form Drivechains, and > > > we rejected Drivechains, we should also reject the general construct. > > > > Not providing X because it can only be used for E, may generalise to not > > providing Y which can also only be used for E, but it doesn't necessarily > > generalise to not providing Z which can be used for both G and E. > > Does this not work only if the original objection to merging in BIP-300 > was of the form: > > * X implements E. > * Z implements G and E. > * Therefore, we should not merge in X and instead should merge in the more > general construct Z. > > ? > > Where: > > * E = Drivechains > * X = BIP-300 > * Z = some general computation facility > * G = some feature. > > But my understanding is that most of the NACKs on the BIP-300 were of the > form: > > * X implements E. > * E is bad. > * Therefore, we should not merge in X. > > If the above statement "E is bad" holds, then: > > * Z implements G and E. > * Therefore, we should not merge in Z. > > Where Z = something that implements recursive covenants. > > I think we really need someone who NACKed BIP-300 to speak up. > If my understanding is correct and that the original objection was > "Drivechains are bad for reasons R[0], R[1]...", then: > > * You can have either of these two positions: > * R[0], R[1] ... are specious arguments and Drivechains are not bad, > therefore we can merge in a feature that enables Recursive Covenants -> > Turing-Completeness -> Drivechains. > * Even if you NACKed before, you *are* allowed to change your mind and > move to this position. > * R[0], R[1] ... are valid arguments are Drivechains are bad, therefore > we should **NOT** merge in a feature that implements Recursive Covenants -> > Turing-Completeness -> Drivechains. > > You cannot have it both ways. > Admittedly, there may be some set of restrictions that prevent > Turing-Completeness from implementing Drivechains, but you have to > demonstrate a proof of that set of restrictions existing. > > > I think it's pretty reasonable to say: > > > > a) adding dedicated consensus features for drivechains is a bad idea > > in the absence of widespread consensus that drivechains are likely > > to work as designed and be a benefit to bitcoin overall > > > > b) if you want to risk your own funds by leaving your coins on an > > exchange or using lightning or eltoo or tumbling/coinjoin or payment > > pools or drivechains or being #reckless in some other way, and aren't > > asking for consensus changes, that's your business > > *Shrug* I do not really see the distinction here --- in a world with > Drivechains, you are free to not put your coins in a Drivechain-backed > sidechain, too. > > (Admittedly, Drivechains does get into a Mutually Assured Destruction > argument, so that may not hold. > But if Drivechains going into a MAD argument is an objection, then I do > not see why covenant-based Drivechains would also not get into the same MAD > argument --- and if you want to avoid the MADness, you cannot support > recursive covenants, either. > Remember, 51% attackers can always censor the blockchain, regardless of > whether you put the Drivechain commitments into the coinbase, or in an > ostensibly-paid-by-somebody-else transaction.) > > > Regards, > ZmnSCPxj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000001092ad05d8e539d0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
@ZmnSCPxj
> we have already rejected Drivechains
=
I also think this is kind of dubious. I don't remember consensus be= ing to "reject" drivechains, as much as consensus was that it was= n't a priority and there wasn't a lot of interest in doing on it fr= om many people (I'm sure Paul could comment further on that).

&= gt; sidechains on Drivechains become a block size increase.

While th= is would be true for those who opt into a particular drivechain, I think it= s important to note that it would *not* be identical to a main-chain block = size increase in a very important way: normal bitcoin miners and nodes node= s that don't care about drivechains=C2=A0would not see a blocksize=C2= =A0increase.=C2=A0

But even in the hypothetical scenario= where *all* mainchain miners expand their business to sidechains, it still= does not negatively affect normal bitcoin nodes that don't care about = drivechains. The important things about a "normal"= ; blocksize increase are:

A. It increases the machine resourc= es necessary for IBD, transaction relay, and validation
B. It pro= bably increases the growth rate of the UTXO set, increasing memory necessar= y to store that.
C. It increases the cost of storing the blockcha= in on non-pruned nodes
D. It increases the average propagation ti= me of new blocks, which increases miner centralization pressure.=C2=A0

The existence of drivechains=C2=A0with every miner opt= ed into (some of) them would only negatively impact item D. Normal bitcoin = nodes wouldn't need to use any extra resources if they don't care a= bout drivechains. And miners would only have additional centralization pres= sure proportional to what drivechains they're opted into. The reason fo= r that is that if a miner is opted into drivechain=C2=A0X, and propagation = of transaction data for drivechain=C2=A0X is significantly slower than the = normal bitcoin network, a miner may not have the latest drivechain=C2=A0X b= lock to merge mine on top of. However that miner can still mine bitcoin wit= h no additional latency, and so that centralization pressure is minimal unl= ess a significant fraction of the miner's revenue comes from drivechain= s with slow data propagation. Beyond that, by my calculations, miner centra= lization is quite far from being significantly affected by blocksize increa= ses. So unless drivechains become the dominant use case of the bitcoin bloc= kchain, this really isn't something that I expect to cause any substant= ial miner centralization or other blocksize related problems.

ZmnSCPaj, are you arguing that drivechains=C2=A0are bad fo= r bitcoin or are you arguing that it would be unwise to opt into a drivecha= in? Those are very different arguments. If drivechains=C2=A0compromised thi= ngs for normal bitcoin nodes that ignore drivechains, then I agree that wou= ld be serious=C2=A0reason to reject drivechains=C2=A0outright and reject th= ings that allow it to happen. However, if all you're saying is that peo= ple can shoot themselves in the foot with drivechains, then avoiding drivec= hains=C2=A0should not be a significant design consideration for bitcoin but= rather for those who might consider spending their time working on drivech= ains.=C2=A0

On Thu, Feb 24, 2022 at 6:03 AM ZmnSCPxj via bitcoin= -dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Good morning aj,

> > Logically, if the construct is general enough to form Drivechains= , and
> > we rejected Drivechains, we should also reject the general constr= uct.
>
> Not providing X because it can only be used for E, may generalise to n= ot
> providing Y which can also only be used for E, but it doesn't nece= ssarily
> generalise to not providing Z which can be used for both G and E.

Does this not work only if the original objection to merging in BIP-300 was= of the form:

* X implements E.
* Z implements G and E.
* Therefore, we should not merge in X and instead should merge in the more = general construct Z.

?

Where:

* E =3D Drivechains
* X =3D BIP-300
* Z =3D some general computation facility
* G =3D some feature.

But my understanding is that most of the NACKs on the BIP-300 were of the f= orm:

* X implements E.
* E is bad.
* Therefore, we should not merge in X.

If the above statement "E is bad" holds, then:

* Z implements G and E.
* Therefore, we should not merge in Z.

Where Z =3D something that implements recursive covenants.

I think we really need someone who NACKed BIP-300 to speak up.
If my understanding is correct and that the original objection was "Dr= ivechains are bad for reasons R[0], R[1]...", then:

* You can have either of these two positions:
=C2=A0 * R[0], R[1] ... are specious arguments and Drivechains are not bad,= therefore we can merge in a feature that enables Recursive Covenants ->= Turing-Completeness -> Drivechains.
=C2=A0 =C2=A0 * Even if you NACKed before, you *are* allowed to change your= mind and move to this position.
=C2=A0 * R[0], R[1] ... are valid arguments are Drivechains are bad, theref= ore we should **NOT** merge in a feature that implements Recursive Covenant= s -> Turing-Completeness -> Drivechains.

You cannot have it both ways.
Admittedly, there may be some set of restrictions that prevent Turing-Compl= eteness from implementing Drivechains, but you have to demonstrate a proof = of that set of restrictions existing.

> I think it's pretty reasonable to say:
>
> a) adding dedicated consensus features for drivechains is a bad idea > in the absence of widespread consensus that drivechains are likely
> to work as designed and be a benefit to bitcoin overall
>
> b) if you want to risk your own funds by leaving your coins on an
> exchange or using lightning or eltoo or tumbling/coinjoin or payment > pools or drivechains or being #reckless in some other way, and aren= 9;t
> asking for consensus changes, that's your business

*Shrug* I do not really see the distinction here --- in a world with Drivec= hains, you are free to not put your coins in a Drivechain-backed sidechain,= too.

(Admittedly, Drivechains does get into a Mutually Assured Destruction argum= ent, so that may not hold.
But if Drivechains going into a MAD argument is an objection, then I do not= see why covenant-based Drivechains would also not get into the same MAD ar= gument --- and if you want to avoid the MADness, you cannot support recursi= ve covenants, either.
Remember, 51% attackers can always censor the blockchain, regardless of whe= ther you put the Drivechain commitments into the coinbase, or in an ostensi= bly-paid-by-somebody-else transaction.)


Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--0000000000001092ad05d8e539d0--