1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
|
Return-Path: <mappum@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 59AA43B09
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 21 Jan 2019 18:47:27 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-qk1-f175.google.com (mail-qk1-f175.google.com
[209.85.222.175])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 4B474603
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 21 Jan 2019 18:47:26 +0000 (UTC)
Received: by mail-qk1-f175.google.com with SMTP id o8so12796492qkk.11
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 21 Jan 2019 10:47:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=pHkFRnWf5L9HiNJdSEhvLSv08JKUyh9DeNPWXRLlyss=;
b=n2rrNpbuRIckiBz+AtQBjh5DO3mGQ6+BpYhUdBkXqFNPLZ+AtjYSUH5tiLyn/9vHOe
ow2SDyJbQClj7yDF9veMFRU1LTS3VVgMXrHBHjQsexJ8ZVF2VCNQFrIizso2AKgasqpT
SzTlf47ecTJIbSDuWWeWSZLxTKME64PqMnyHmp+EbgyOsIlE8U86Jg1z0LG28h401r+O
+QgMa7slEhnJbU0DFbCAVaoEod2lxOvgEa4kntZkE7nJWKZvHaUIxPpWYyhMKvXDlPJh
6oSpUqkS09QPdVxU8QuoEukESESP5YCYUYrRm1suNcFTT61aYUzAsBaq51KUvvivbqkB
JPBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=pHkFRnWf5L9HiNJdSEhvLSv08JKUyh9DeNPWXRLlyss=;
b=uhpJEuxYXOkav4DmSjqjpO1ZtL7gzHTwwTXmTE7VMmfM31vaPtZqTEEpoAx6N0FM8/
+A9qA6d+3Sk82a3QMiHdtZ922JsHInuPtqp/iRcHmZqB6EhFfim0oYp+jsen53zkcMxt
kSkeFBkd7Tns8h7p0+yFHu7rZ6Sgzk98NIa5oO6R02/BF7EdU3ZC1Et7DGzkwqHYOfxK
GkOWgeik5Fh0cFvv5VlhMOZZqXAziFaGabw+F1vbHQdTyh5GRVlOBcw3iKd8WVU4w56f
cLONQ9gVCI19uMn7fJ4KMoilpyNV3sIUubCKaFm75slcy9uZRJ4jYKF72HCaXXAVtBzQ
xyqw==
X-Gm-Message-State: AJcUukdPWRpoUuZOlKYM/a4vCre6s2+yNSP+6ihy3BSo7TXXETCito1l
8ZHq11JHaM61pg3v2dA/eQrgJUXSuYpRNIZ4ntw=
X-Google-Smtp-Source: ALg8bN7X123MKWa8urUJIODrgza/nUEnD/SGeSju65NUXJSRdF3ZlkhNEcHnVm/b3pbqwJfkq3Kf4YWxdHLdWLrAeVM=
X-Received: by 2002:a37:d204:: with SMTP id f4mr25486289qkj.311.1548096445230;
Mon, 21 Jan 2019 10:47:25 -0800 (PST)
MIME-Version: 1.0
References: <CACV3+OU1ynRuR2SioW+O+CAp5M7ZQA6af_hEY5JZCVrXpqjtKQ@mail.gmail.com>
<BTyUDt_7oOQmFj_V61w2eUJ7rfi-eOuNphy5nN0xNAhY4sUHnR2-0U9m-ZEKip4YjFi2-hGBtucvFv7nCTVo3aBxZ94VQCa1Kx2pP_zgdxU=@protonmail.com>
<CACV3+OWjszx6istHo7yaNxiS22kyhHQhcPxGT3QLDx3KPUMU6g@mail.gmail.com>
<nq9NDv6z-EJuJ9jGMWdlIZbpVM6Rm8QyuWL3nRYtXWF90I-cErA_WS1ib28kt950bZYyfF1_eP153aDjhUy523wYSM9TVaeHqeZdp3xJpsk=@protonmail.com>
In-Reply-To: <nq9NDv6z-EJuJ9jGMWdlIZbpVM6Rm8QyuWL3nRYtXWF90I-cErA_WS1ib28kt950bZYyfF1_eP153aDjhUy523wYSM9TVaeHqeZdp3xJpsk=@protonmail.com>
From: Matt Bell <mappum@gmail.com>
Date: Mon, 21 Jan 2019 10:47:13 -0800
Message-ID: <CACV3+OXQsUsgquJWZ9o8tTtak=axnbsdiNgLzF-j6yz1dDv4bA@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Content-Type: multipart/alternative; boundary="000000000000b23452057ffc4af7"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 21 Jan 2019 21:28:26 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Proof-of-Stake Bitcoin Sidechains
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jan 2019 18:47:27 -0000
--000000000000b23452057ffc4af7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
ZmnSCPxj,
I'm intrigued by this mechanism of using fixed R values to prevent multiple
signatures, but how do we derive the R values in a way where they are
unique for each blockheight but still can be used to create signatures or
verify?
Thanks,
Matt
On Sat, Jan 19, 2019 at 6:06 PM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
> Good Morning Matt,
>
> It seems to me that double signing can be punished by requiring that R be
> a trivial function on the blockheight of the block being signed on the
> sidechain network. Then a validator who signs multiple versions of histor=
y
> at a particular blockheight reveals their privkey. Since the privkey also
> protects their Bitcoin stake UTXO, they risk loss of their Bitcoin stake.=
A
> similar idea is used by Discrete Log Contracts to ensure Oracles do not
> sign multiple values at a particular time.
>
> Regards,
> ZmnSCPxj
>
>
> Sent with ProtonMail Secure Email.
>
> =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original =
Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
> On Saturday, January 19, 2019 1:35 PM, Matt Bell <mappum@gmail.com> wrote=
:
>
> > Hi ZmnSCPxj,
> >
> > Just to clarify, my design does not specify the source of voting power,
> so it is agnostic to whatever system you want to derive stake or valdiato=
r
> set membership from.
> >
> > Your idea of timelocking Bitcoin is interesting, I am eager to find a
> solution where holding Bitcoin is enough to get voting power. It's possib=
le
> there may be an issue with the fact that the Bitcoin is not slashable
> (although their voting power is), meaning a validator who double-signs
> cannot have their Bitcoin removed from them. However their UTXO can be
> blacklisted which does make their attack costly since they lose out on th=
e
> time-value of their stake.
> >
> > Our current thinking for the source of stake is to pay out stake to
> Bitcoin merged-miners although I'll definitely do some more thinking abou=
t
> timelocked Bitcoin as stake.
> >
> > On Fri, Jan 18, 2019, 5:42 PM ZmnSCPxj <ZmnSCPxj@protonmail.com wrote:
> >
> > > Good morning Matt,
> > >
> > > It seems to me much more interesting if the stakes used to weigh
> voting power are UTXOs on the Bitcoin blockchain.
> > > This idea is what I call "mainstake"; rather than a blockchain having
> its own token that is self-attesting (which is insecure).
> > > It seems to me, naively, that the same script you propose here can be
> used for mainstake.
> > >
> > > For instance, the sidechain network might accept potential stakers on
> the mainchain, if the staker proves the existence of a mainchain
> transaction whose output is for example:
> > >
> > > <sidechain identifier> OP_DROP
> > > "1 year" OP_CHECKSEQUENCEVERIFY OP_DROP
> > > <pubkey> OP_CHECKSIG
> > >
> > > The sidechain network could accept this and use the value of the
> output as the weight of the vote of that stake.
> > >
> > > Regards,
> > > ZmnSCPxj
> > >
> > > Sent with ProtonMail Secure Email.
> > >
> > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origi=
nal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
> > > On Saturday, January 19, 2019 6:59 AM, Matt Bell via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> > >
> > > > I have been working on a design for Bitcoin sidechains using the
> Tendermint BFT consensus protocol, which is commonly used to build
> proof-of-stake networks (Cosmos is the notable one).
> > > >
> > > > The design ends up being very similar to Blockstream's Liquid
> sidechain, since Tendermint consensus is not far off from Liquid's "stron=
g
> federation" consensus.
> > > >
> > > > Any feedback about improvements or critical flaws would be greatly
> appreciated. The design document is here:
> https://github.com/mappum/bitcoin-peg/blob/master/bitcoinPeg.md (that
> repo also contains a simplified implementation of this sidechain design).
> > > >
> > > > Thanks for your feedback,
> > > > Matt Bell
>
>
>
--000000000000b23452057ffc4af7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr"><h3 class=3D"gmail-iw" style=3D"overflow:=
hidden;white-space:nowrap;font-size:0.75rem;margin:inherit;text-overflow:el=
lipsis;font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;letter-spa=
cing:0.3px;color:rgb(95,99,104);line-height:20px"><span style=3D"font-weigh=
t:400">ZmnSCPxj,</span></h3><div><span style=3D"font-weight:400"><br></span=
></div><div><span style=3D"font-weight:400">I'm intrigued by this mecha=
nism of using fixed R values to prevent multiple signatures, but how do we =
derive the R values in a way where they are unique for each blockheight but=
still can be used to create signatures or verify?</span></div><div><span s=
tyle=3D"font-weight:400"><br></span></div><div><span style=3D"font-weight:4=
00">Thanks,</span></div><div><span style=3D"font-weight:400">Matt</span></d=
iv></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_att=
r">On Sat, Jan 19, 2019 at 6:06 PM ZmnSCPxj <<a href=3D"mailto:ZmnSCPxj@=
protonmail.com">ZmnSCPxj@protonmail.com</a>> wrote:<br></div><blockquote=
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so=
lid rgb(204,204,204);padding-left:1ex">Good Morning Matt,<br>
<br>
It seems to me that double signing can be punished by requiring that R be a=
trivial function on the blockheight of the block being signed on the sidec=
hain network. Then a validator who signs multiple versions of history at a =
particular blockheight reveals their privkey. Since the privkey also protec=
ts their Bitcoin stake UTXO, they risk loss of their Bitcoin stake. A simil=
ar idea is used by Discrete Log Contracts to ensure Oracles do not sign mul=
tiple values at a particular time.<br>
<br>
Regards,<br>
ZmnSCPxj<br>
<br>
<br>
Sent with ProtonMail Secure Email.<br>
<br>
=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90<br>
On Saturday, January 19, 2019 1:35 PM, Matt Bell <<a href=3D"mailto:mapp=
um@gmail.com" target=3D"_blank">mappum@gmail.com</a>> wrote:<br>
<br>
> Hi ZmnSCPxj,<br>
><br>
> Just to clarify, my design does not specify the source of voting power=
, so it is agnostic to whatever system you want to derive stake or valdiato=
r set membership from.<br>
><br>
> Your idea of timelocking Bitcoin is interesting, I am eager to find a =
solution where holding Bitcoin is enough to get voting power. It's poss=
ible there may be an issue with the fact that the Bitcoin is not slashable =
(although their voting power is), meaning a validator who double-signs cann=
ot have their Bitcoin removed from them. However their UTXO can be blacklis=
ted which does make their attack costly since they lose out on the time-val=
ue of their stake.<br>
><br>
> Our current thinking for the source of stake is to pay out stake to Bi=
tcoin merged-miners although=C2=A0I'll definitely do some more thinking=
about timelocked Bitcoin as stake.<br>
><br>
> On Fri, Jan 18, 2019, 5:42 PM ZmnSCPxj <<a href=3D"mailto:ZmnSCPxj@=
protonmail.com" target=3D"_blank">ZmnSCPxj@protonmail.com</a> wrote:<br>
><br>
> > Good morning Matt,<br>
> ><br>
> > It seems to me much more interesting if the stakes used to weigh =
voting power are UTXOs on the Bitcoin blockchain.<br>
> > This idea is what I call "mainstake"; rather than a blo=
ckchain having its own token that is self-attesting (which is insecure).<br=
>
> > It seems to me, naively, that the same script you propose here ca=
n be used for mainstake.<br>
> ><br>
> > For instance, the sidechain network might accept potential staker=
s on the mainchain, if the staker proves the existence of a mainchain trans=
action whose output is for example:<br>
> ><br>
> > <sidechain identifier> OP_DROP<br>
> > "1 year" OP_CHECKSEQUENCEVERIFY OP_DROP<br>
> > <pubkey> OP_CHECKSIG<br>
> ><br>
> > The sidechain network could accept this and use the value of the =
output as the weight of the vote of that stake.<br>
> ><br>
> > Regards,<br>
> > ZmnSCPxj<br>
> ><br>
> > Sent with ProtonMail Secure Email.<br>
> ><br>
> > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 O=
riginal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=
=80=90<br>
> > On Saturday, January 19, 2019 6:59 AM, Matt Bell via bitcoin-dev =
<<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bla=
nk">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br>
> ><br>
> > > I have been working on a design for Bitcoin sidechains using=
the Tendermint BFT consensus protocol, which is commonly used to build pro=
of-of-stake networks (Cosmos is the notable one).<br>
> > ><br>
> > > The design ends up being very similar to Blockstream's L=
iquid sidechain, since Tendermint consensus is not far off from Liquid'=
s "strong federation" consensus.<br>
> > ><br>
> > > Any feedback about improvements or critical flaws would be g=
reatly appreciated. The design document is here: <a href=3D"https://github.=
com/mappum/bitcoin-peg/blob/master/bitcoinPeg.md" rel=3D"noreferrer" target=
=3D"_blank">https://github.com/mappum/bitcoin-peg/blob/master/bitcoinPeg.md=
</a> (that repo also contains a simplified implementation of this sidechain=
design).<br>
> > ><br>
> > > Thanks for your feedback,<br>
> > > Matt Bell<br>
<br>
<br>
</blockquote></div></div>
--000000000000b23452057ffc4af7--
|