Return-Path: <james.hilliard1@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 5D83D941
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  7 Jun 2017 10:13:46 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ot0-f178.google.com (mail-ot0-f178.google.com
	[74.125.82.178])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 435461BB
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  7 Jun 2017 10:13:45 +0000 (UTC)
Received: by mail-ot0-f178.google.com with SMTP id a2so4480142oth.2
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 07 Jun 2017 03:13:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:cc; bh=C0mmvA9poNgmVEDH7CisHTlToEpF2AaBAmlcgPC1LIc=;
	b=u2LbQpRQRIJ2W7h7Kx/PhbudbZjhYQMnDcpn/GbQzAMfDOcafv8rWed0PrLMB/K6hr
	nCEojbUR2Hdky6hyEjyrWhff0/ObqcHDu5gbRKoCxWfd+A5EZmw9M0uDfYp1OJ3xKxlk
	uxjjvlCLoKDLukymPomAV6VpigDkxt5dQYrPd4Oje56HOzsjsiM5NhpQEOPZ6ZDAxqBo
	ZqMpsUQJEV7ciwlk5Zy3p5cbUZh8FAhP3c4aXJuj1xKUkIkM/bZ5I6cb37fG6AX1O89x
	8acfF6+S3UUg0Pg8Co9uUktRbsNEZLjq/l+jvtAUicKEhPuASZ0O0iu6QG9eic0xuebV
	DWZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc;
	bh=C0mmvA9poNgmVEDH7CisHTlToEpF2AaBAmlcgPC1LIc=;
	b=h2CHxgemZluWpW382BUGBDZmg22kD+BVu/+yqXNKcF5lMV6mJJ7ul+7B3LlOX9NYH2
	tNaw6ypkYFk8FSqZ/2RI0odAFtyOGfW72L5qOw/IW/EMoFNIxMFMAhKkgJNdldT8/r0q
	BcEsLCpIJ5TtT4IYdwBluRuch47jC1TYpHSkbPa3crKfQcOmtyf3CbQ5e8JZOsuyP5S4
	Nf456F1p8NnL25IqTaG8r1/VSLifa8cj8zLfu+MjWfZfg46FzHZ+LIma/2m/Bk6ROjeS
	0yUkvK4yJopVetpDghNnGEG0/09t3BL/IldJGe8Ipm8RdzFnrGTEjxVn3a7mTYGPgyqZ
	3wYg==
X-Gm-Message-State: AODbwcBLj2PB6CcwxvrS8JKqnO/HpJGHYEDsgu71fZUE1nz6n5J6/B2u
	5LxKHFnImNUASYyE2YtWg7Z+EOic8g==
X-Received: by 10.157.7.164 with SMTP id 33mr8788328oto.120.1496830424365;
	Wed, 07 Jun 2017 03:13:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.224.230 with HTTP; Wed, 7 Jun 2017 03:13:43 -0700 (PDT)
In-Reply-To: <0CDEF5A2-0BAF-46E4-8906-39D4724AF3F2@taoeffect.com>
References: <CADvTj4qpH-t5Gx6qyn3yToyUE_GFaBE989=AWNHLKMpMNW3R+w@mail.gmail.com>
	<AE5BA251-9DA6-4E34-A748-11C8CF91977C@taoeffect.com>
	<CADvTj4q+oOS=DKfpiNQ6PAbksQfa1gKNfokr2Zc6PNGWqLyL4A@mail.gmail.com>
	<0CDEF5A2-0BAF-46E4-8906-39D4724AF3F2@taoeffect.com>
From: James Hilliard <james.hilliard1@gmail.com>
Date: Wed, 7 Jun 2017 05:13:43 -0500
Message-ID: <CADvTj4oJr38V+b=96pt7GiaMMSPujsz9wQ-5wmgM=rvWUC8Dkw@mail.gmail.com>
To: Tao Effect <contact@taoeffect.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] User Activated Soft Fork Split Protection
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 10:13:46 -0000

I think even 55% would probably work out fine simply due to incentive
structures, once signalling is over 51% it's then clear to miners that
non-signalling blocks will be orphaned and the rest will rapidly
update to splitprotection/BIP148. The purpose of this BIP is to reduce
chain split risk for BIP148 since it's looking like BIP148 is going to
be run by a non-insignificant percentage of the economy at a minimum.

On Wed, Jun 7, 2017 at 12:20 AM, Tao Effect <contact@taoeffect.com> wrote:
> See thread on replay attacks for why activating regardless of threshold is a
> bad idea [1].
>
> BIP91 OTOH seems perfectly reasonable. 80% instead of 95% makes it more
> difficult for miners to hold together in opposition to Core. It gives Core
> more leverage in negotiations.
>
> If they don't activate with 80%, Core can release another BIP to reduce it
> to 75%.
>
> Each threshold reduction makes it both more likely to succeed, but also
> increases the likelihood of harm to the ecosystem.
>
> Cheers,
> Greg
>
> [1]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-June/014497.html
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> On Jun 6, 2017, at 6:54 PM, James Hilliard <james.hilliard1@gmail.com>
> wrote:
>
> This is a BIP8 style soft fork so mandatory signalling will be active
> after Aug 1st regardless.
>
> On Tue, Jun 6, 2017 at 8:51 PM, Tao Effect <contact@taoeffect.com> wrote:
>
> What is the probability that a 65% threshold is too low and can allow a
> "surprise miner attack", whereby miners are kept offline before the
> deadline, and brought online immediately after, creating potential havoc?
>
> (Nit: "simple majority" usually refers to >50%, I think, might cause
> confusion.)
>
> -Greg Slepak
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> On Jun 6, 2017, at 5:56 PM, James Hilliard via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Due to the proposed calendar(https://segwit2x.github.io/) for the
> SegWit2x agreement being too slow to activate SegWit mandatory
> signalling ahead of BIP148 using BIP91 I would like to propose another
> option that miners can use to prevent a chain split ahead of the Aug
> 1st BIP148 activation date.
>
> The splitprotection soft fork is essentially BIP91 but using BIP8
> instead of BIP9 with a lower activation threshold and immediate
> mandatory signalling lock-in. This allows for a majority of miners to
> activate mandatory SegWit signalling and prevent a potential chain
> split ahead of BIP148 activation.
>
> This BIP allows for miners to respond to market forces quickly ahead
> of BIP148 activation by signalling for splitprotection. Any miners
> already running BIP148 should be encouraged to use splitprotection.
>
> <pre>
> BIP: splitprotection
> Layer: Consensus (soft fork)
> Title: User Activated Soft Fork Split Protection
> Author: James Hilliard <james.hilliard1@gmail.com>
> Comments-Summary: No comments yet.
> Comments-URI:
> Status: Draft
> Type: Standards Track
> Created: 2017-05-22
> License: BSD-3-Clause
>          CC0-1.0
> </pre>
>
> ==Abstract==
>
> This document specifies a coordination mechanism for a simple majority
> of miners to prevent a chain split ahead of BIP148 activation.
>
> ==Definitions==
>
> "existing segwit deployment" refer to the BIP9 "segwit" deployment
> using bit 1, between November 15th 2016 and November 15th 2017 to
> activate BIP141, BIP143 and BIP147.
>
> ==Motivation==
>
> The biggest risk of BIP148 is an extended chain split, this BIP
> provides a way for a simple majority of miners to eliminate that risk.
>
> This BIP provides a way for a simple majority of miners to coordinate
> activation of the existing segwit deployment with less than 95%
> hashpower before BIP148 activation. Due to time constraints unless
> immediately deployed BIP91 will likely not be able to enforce
> mandatory signalling of segwit before the Aug 1st activation of
> BIP148. This BIP provides a method for rapid miner activation of
> SegWit mandatory signalling ahead of the BIP148 activation date. Since
> the primary goal of this BIP is to reduce the chance of an extended
> chain split as much as possible we activate using a simple miner
> majority of 65% over a 504 block interval rather than a higher
> percentage. This BIP also allows miners to signal their intention to
> run BIP148 in order to prevent a chain split.
>
> ==Specification==
>
> While this BIP is active, all blocks must set the nVersion header top
> 3 bits to 001 together with bit field (1<<1) (according to the
> existing segwit deployment). Blocks that do not signal as required
> will be rejected.
>
> ==Deployment==
>
> This BIP will be deployed by "version bits" with a 65%(this can be
> adjusted if desired) activation threshold BIP9 with the name
> "splitprotecion" and using bit 2.
>
> This BIP starts immediately and is a BIP8 style soft fork since
> mandatory signalling will start on midnight August 1st 2017 (epoch
> time 1501545600) regardless of whether or not this BIP has reached its
> own signalling threshold. This BIP will cease to be active when segwit
> is locked-in.
>
> === Reference implementation ===
>
> <pre>
> // Check if Segregated Witness is Locked In
> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
> Consensus::Params& params)
> {
>   LOCK(cs_main);
>   return (VersionBitsState(pindexPrev, params,
> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
> THRESHOLD_LOCKED_IN);
> }
>
> // SPLITPROTECTION mandatory segwit signalling.
> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
> THRESHOLD_LOCKED_IN &&
>    !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
> // Segwit is not locked in
>    !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
> and is not active.
> {
>   bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
> VERSIONBITS_TOP_BITS;
>   bool fSegbit = (pindex->nVersion &
> VersionBitsMask(chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>   if (!(fVersionBits && fSegbit)) {
>       return state.DoS(0, error("ConnectBlock(): relayed block must
> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>   }
> }
>
> // BIP148 mandatory segwit signalling.
> int64_t nMedianTimePast = pindex->GetMedianTimePast();
> if ( (nMedianTimePast >= 1501545600) &&  // Tue 01 Aug 2017 00:00:00 UTC
>    (nMedianTimePast <= 1510704000) &&  // Wed 15 Nov 2017 00:00:00 UTC
>    (!IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
> // Segwit is not locked in
>     !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus())) )
> // and is not active.
> {
>   bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
> VERSIONBITS_TOP_BITS;
>   bool fSegbit = (pindex->nVersion &
> VersionBitsMask(chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>   if (!(fVersionBits && fSegbit)) {
>       return state.DoS(0, error("ConnectBlock(): relayed block must
> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>   }
> }
> </pre>
>
> https://github.com/bitcoin/bitcoin/compare/0.14...jameshilliard:splitprotection-v0.14.1
>
> ==Backwards Compatibility==
>
> This deployment is compatible with the existing "segwit" bit 1
> deployment scheduled between midnight November 15th, 2016 and midnight
> November 15th, 2017. This deployment is also compatible with the
> existing BIP148 deployment. This BIP is compatible with BIP91 only if
> BIP91 activates before it and before BIP148. Miners will need to
> upgrade their nodes to support splitprotection otherwise they may
> build on top of an invalid block. While this bip is active users
> should either upgrade to splitprotection or wait for additional
> confirmations when accepting payments.
>
> ==Rationale==
>
> Historically we have used IsSuperMajority() to activate soft forks
> such as BIP66 which has a mandatory signalling requirement for miners
> once activated, this ensures that miners are aware of new rules being
> enforced. This technique can be leveraged to lower the signalling
> threshold of a soft fork while it is in the process of being deployed
> in a backwards compatible way. We also use a BIP8 style timeout to
> ensure that this BIP is compatible with BIP148 and that BIP148
> compatible mandatory signalling activates regardless of miner
> signalling levels.
>
> By orphaning non-signalling blocks during the BIP9 bit 1 "segwit"
> deployment, this BIP can cause the existing "segwit" deployment to
> activate without needing to release a new deployment. As we approach
> BIP148 activation it may be desirable for a majority of miners to have
> a method that will ensure that there is no chain split.
>
> ==References==
>
> *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013714.html
> Mailing list discussion]
> *[https://github.com/bitcoin/bitcoin/blob/v0.6.0/src/main.cpp#L1281-L1283
> P2SH flag day activation]
> *[[bip-0009.mediawiki|BIP9 Version bits with timeout and delay]]
> *[[bip-0016.mediawiki|BIP16 Pay to Script Hash]]
> *[[bip-0091.mediawiki|BIP91 Reduced threshold Segwit MASF]]
> *[[bip-0141.mediawiki|BIP141 Segregated Witness (Consensus layer)]]
> *[[bip-0143.mediawiki|BIP143 Transaction Signature Verification for
> Version 0 Witness Program]]
> *[[bip-0147.mediawiki|BIP147 Dealing with dummy stack element malleability]]
> *[[bip-0148.mediawiki|BIP148 Mandatory activation of segwit deployment]]
> *[[bip-0149.mediawiki|BIP149 Segregated Witness (second deployment)]]
> *[https://bitcoincore.org/en/2016/01/26/segwit-benefits/ Segwit benefits]
>
> ==Copyright==
>
> This document is dual licensed as BSD 3-clause, and Creative Commons
> CC0 1.0 Universal.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
>