Date: Tue, 2 Mar 2021 00:33:33 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20210301143333.mzpbmsi4fwwl3msl@erisian.com.au>
References: <bc69d684-3d6e-624e-a859-c2ef8ad5cb13@posteo.net>
 <202102271755.02271.luke@dashjr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202102271755.02271.luke@dashjr.org>
User-Agent: NeoMutt/20170113 (1.7.2)
Subject: Re: [bitcoin-dev] Exploring alternative activation mechanisms:
 decreasing threshold
Precedence: list

On Sat, Feb 27, 2021 at 05:55:00PM +0000, Luke Dashjr via bitcoin-dev wrote:

[on the topic of non-signalled activation; ie "it doesn't matter what
miners do or signal, the rules are active as of height X"]

> This has the same problems BIP149 did: since there is no signalling, it is 
> ambiguous whether the softfork has activated at all. Both anti-SF and pro-SF 
> nodes will remain on the same chain, with conflicting perceptions of the 
> rules, and resolution (if ever) will be chaotic. Absent resolution, however, 
> there is a strong incentive not to rely on the rules, and thus it may never 
> get used, and therefore also never resolved.

I think this might be a bit abstract, and less convincing than it might
otherwise be.

To give a more explicit hypothetical: imagine that instead of making it
impossible to use an optimisation when mining (as segwit did to ASICBoost,
for which a patent had been applied for), a future soft-fork made it
possible/easier to use some mining optimisation, and further that the
optimisation is already patented, and that the patent wasn't widely known,
and the owners of the patent have put everyone that they can under NDA.

Obviously mining optimisations are great for manufacturers -- it means
a new generation of hardware is more efficient, which means miners
want to upgrade to it; but patented mining optimisations are bad for
decentralisation, because the're no competition in who can sell the new
generation of mining hardware, so the patent holder is able to choose
who is able to mine, and because miners control transaction selection,
they could insist that the only people they'll sell to must censor
transactions, and attempt to render miners that don't censor
uncompetitive.

So the incentives there are:

 - the patent holder wants the soft-fork to activate ASAP, and
   does not want to reveal the patent until after it's permanently
   locked in

 - people who want decentralisation/competition and know about the
   patent want to stop the soft-fork from activation, or hard-fork it
   out after it's activated; but they can't talk about the patent because
   of NDA (or other bribes/threats intended to keep them silent)

Suppose further that the anti-patent folks either directly control 20%
of hashpower, or are otherwise able to block the easy consensus path,
and that the patent holder isn't able to get over 50% of hashpower to
commit to orphaning non-signalling blocks to ensure early activation
despite that. (Or, alternatively, that an approach like Matt suggests in
"Straight Flag Day (Height)" is used, and there is no early-activation
via hashpower supermajority option)

So under that scenario you reach the timeout, but without activation
occurring. You also don't have any "reasonable, directed objection":
everyone who could provide a reasonable objection is under NDA.

What's the scenario look like if you say "signalling doesn't matter,
the software enforces the consensus rules"?

I think it'll be obvious there'll be two sets of software out there and
supported and following a single chain; one set that enforces the new
rules, and one set that doesn't, just as we had Bitcoin Unlimited back
in the day. For at least a while, it will be safe to do spends protected
by the new rules, because one set of nodes will enforce them, and any
miners running the other software won't want see it in their mempool,
and won't want to risk manually mining non-compliant transactions in case
it turns out they're in the minority -- just as Bitcoin Unlimited miners
didn't actually attempt to mine big blocks on mainnet back in the day.

So for a while, we have two divergent sets of maintained node software
following the same chain, with advocates of both claiming that they're the
majority. Some people will beleive the people claiming the new rules are
safe, and commit funds to them, and as those funds are demonstrably not
stolen, the number of people thinking it's safe will gradually increase
-- presumably the new rules have some benefit other than to the patent
holder, after all.

Eventually the patent gets revealed, though, just as covert ASICBoost
did. Either NDA's expire, something violates them, someone rediscovers
or reverse-engineers the idea, or the patent holder decides it's time
to start either suing competitors or advertising.

What happens at that point? We have two sets of node software that both
claim to have been in the majority, and one of which is clearly better
for decentralisation.

But if we all just switch to that two things happen: we allow miners to
steal the funds that users entrusted to the new rules, and anyone who
was enforcing the new rules but is not following the day-to-day drama
has a hard-fork event and can no longer follow the main chain until the
find new software to run.

Alternatively, do we all switch to software that protects users funds
and avoids hard-fork events, even though that software is bad for
decentralisation, and do we do that precisely when the people who were
advocating against using that software have just been proven to have
been right all along?

In my opinion, while the first choice would be horrible, the second
choice is completely at odds with human nature, so I think we'd end
up making the horrible choice, and so should avoid getting into that
scenario in the first place.

There's two ways we could avoid it: one is by not making changes any
time there's the possibility of good reasons to be against something:
so in the above, in an ideal world, we might have to delay activation
until any potential NDAs will expire.

I'm not convinced that level of patience is really plausible either
though: when covert ASICBoost became widely known, that was a "reasonable,
directed objection" to segwit -- it made real mining hardware less
efficient. We could have halted segwit deployment at that point and
changed the spec so that it didn't prevent covert ASICBoost -- eg, sorting
the wtxids prior to calculating the witness commitment would have made
segwit compatible with ASICBoost without a large impact in any other way,
and started again, perhaps with a BIP-91-alike to forbid miners signalling
for segwit so that we could begin a second activation attempt sooner.

But we didn't do anything like that; instead we got segwit activated
following the existing plan, and ended up with a hard-forked chain
split in the form of BCH. I'd suggested a lighter weight compromise to
some folks in early June 2017, to which one of the response was "The
time for this soft of ASICBoost compromise would have been right after
Scaling Bitcoin HK, when the mining hardware manufacturers realized the
unintentional effects of segwit on their hardware. But that door has long
since closed and at this point this proposal smells of appeasement." and
I think that ended up being a pretty accurate take.

The other way of avoiding that horrible scenario is committing to the
activation on-chain. That is, if the chain history satisfies property X,
enforce the new rules; if it does not satisify that property, don't
enforce the rules. That avoids the ambiguity: whether the new rules
are active becomes a matter of history, not subject to ongoing debate
and political posturing.

In the above scenario, where no one is able to discover/explain the actual
problems with the soft-fork before it activates, activation by signalling
means it likely activates unambiguously (because the opposition does not
seem reasonable), and once the problems are known they have to be dealt
with directly, there's no option to just pretend it never happened (and
that it's therefore fine to steal any funds from people who thought it
was able to be relied upon). That's much the same as how we've attempted
to fix problems with p2sh in segwit or taproot.


Other failure modes are possible too. 

One is if only a small number of rabid advocates run the code enforcing
the flag day, and someone calls their bluff -- if you're excluding that
failure case because "oh, but if core does it, plenty of people will
run the enforcing code" then you're assuming the market will just do
whatever the dev's say, and that devs are willing to test that assumption.

Another is if people factor in the above scenario and decide that if
there's any ongoing controversy they won't use the new soft fork's rules
-- if there's a chance everyone will switch over to the non-enforcing
software, why take the risk? But that allows you to prevent a soft-fork
from getting any adoption simply by maintaining an alternative client,
and hiring sock puppets to create controversy.


Another thing to consider is that it probably makes sense to support
"user-prohibited soft-forks" in a similar way to "user-activated
soft-forks". Saying "it's active if and only if there's signalling"
moves this action to whether you're required/prohibited from signalling,
which is fairly straightforward, with easy to analyse results. If you
make it be "just do/don't enforce the rules", then a user-prohibited
soft-fork following the same scheme seems like it would be very uncertain.

Cheers,
aj