From: Paul Sztorc
Date: Mon, 22 May 2017 18:19:14 +0200
To: ZmnSCPxj
Cc: Bitcoin Dev
Subject: Re: [bitcoin-dev] Drivechain -- Request for Discussion

On May 22, 2017 10:39 AM, "ZmnSCPxj" wrote:

> Good morning Paul,
>
> I read only http://www.truthcoin.info/blog/blind-merged-mining/
>
> From just this document, I can't see a good justification for believing
> that a main->side locking transaction can be safely spent into a
> side->main unlocking transaction. Do you have a better explanation?

Yes, a better explanation is in the drivechain spec, at:
http://www.truthcoin.info/blog/drivechain/

What you read is only an introduction of BMM. You may also consult the notes (at the bottom of the BMM post) or the code, although this is time consuming of course.

> If I attempt to spend a main->side locking transaction on the basis of a
> "mistaken" side block #49, what prevents me from this sequence:

The literal answer to your question is that mainchain Bitcoin will notice that, for the second withdrawal, the sum of the inputs is less than the sum of the outputs and the transaction is therefore invalid.

> 1. Put a side:side->main transaction into a block together with TheDAO's
> hacked money.

> So far, the only good side->main transfer I know of is in Blockstream's
> original sidechains paper, with the main:side->main transaction ... Is
> your proposal at the technical level actually similar, or does it truly
> seem to be riskier?

I feel that my proposal is more secure, as it can operate healthily and quickly while using spv proofs which are much slower and much much easier to audit.

> seems to me that your OP_is_h_in_coinbase should scan a series of
> sidechain block headers backed by mainchain (meaning at the minimum that
> sidechains should have some common header format prefix), rather than
> just mainchain depth as your article seems to imply.

How would security be improved as a result? In either case, 51% of hashrate can cause a reorg. The sidechain software itself does scan block headers, of course.

> Blind merged mining seems strictly inferior ... a rich attacker can
> simply reorg the sidechain outright without playing such games.

In the future, when there is no block subsidy, a rich attacker can also do that in mainchain Bitcoin.

> Or is your proposal strictly for centralized sidechains, where only one
> entity creates side blocks?

Not at all.

> How does your proposal handle multiple side block creators on the same
> sidechain, with the possibility that chain splits occur?

The side block is only "mined" if it is committed to in a mainchain Bitcoin block, and each mainchain block can only contain one block per sidechain. In this way, drivechain sidechains are different from classical Namecoin merged mining (where one _could_ run the entire system, mining included, without interfacing with Bitcoin at all).

> Regarding your dig about people who dislike data centers, the main issue
> with miners blindly accepting sidechain commitments is that it violates
> "Don't trust, verify", not that it allows datacenters to be slightly
> smaller by not including side:nodes.

As I explain early on, in earlier rounds of peer review, the focus was on harms the sidechain technology might do to mainchain Bitcoin, and the "datacenter point" was specifically the chief objection raised. So I am afraid you are entirely incorrect.

In point of fact, the transactions *are* validated...by sidechain full nodes, same as Bitcoin proper.

Paul

> Regards,
> ZmnSCPxj
>
> Sent with ProtonMail Secure Email.
>
> -------- Original Message --------
> Subject: [bitcoin-dev] Drivechain -- Request for Discussion
> Local Time: May 22, 2017 6:17 AM
> UTC Time: May 22, 2017 6:17 AM
> From: bitcoin-dev@lists.linuxfoundation.org
> To: Bitcoin Dev
>
> Dear list,
>
> I've been working on "drivechain", a sidechain enabling technology, for
> some time.
>
> * The technical info site is here: www.drivechain.info
> * The changes to Bitcoin are here:
>   https://github.com/drivechain-project/bitcoin/tree/mainchainBMM
> * A Blank sidechain template is here:
>   https://github.com/drivechain-project/bitcoin/tree/sidechainBMM
>
> As many of you know, I've been seeking feedback in person, at various
> conferences and meetups over the past year, most prominently Scaling
> Milan. And I intend to continue to seek feedback at Consensus2017 this
> week, so if you are in NYC please just walk up and start talking to me!
>
> But I also wanted to ask the list for feedback. Initially, I was
> hesitant because I try not to consume reviewers' scarce time until the
> author has put in a serious effort. However, I may have waited too
> long, as today it is actually quite close to a working release.
>
> Scaling Implications
> ---------------------
>
> This upgrade would have significant scaling implications. Since it is
> the case that sidechains can be added by soft fork, and since each of
> these chains will have its own blockspace, this theoretically removes
> the blocksize limit from "the Bitcoin system" (if one includes
> sidechains as part of such a system). People who want a LargeBlock
> bitcoin can just move their BTC over to such a network [1], and their
> txns will no longer have an impact on "Bitcoin Core". Thus, even
> though this upgrade does not actually increase "scalability" per se, it
> may in fact put an end to the scalability debate...forever.
>
> This work includes the relatively new concept of "Blind Merged Mining"
> [2] which I developed in January to allow SHA256^2 miners to merge-mine
> these "drivechains", even if these miners aren't running the actual
> sidechain software. The goal is to prevent sidechains from affecting the
> levelness of the mining "playing field". BMM is conceptually similar to
> ZooKeeV [3] which Peter Todd sketched out in mid-2013. BMM is not
> required for drivechain, but it would address some of the last remaining
> concerns.
>
> Total Transaction Fees in the Far Future
> -----------------------------------------
>
> Some people feel that a maximum blocksize limit is needed to ensure that
> future total equilibrium transaction fees are non-negligible. I
> presented [4] on why I don't agree, 8 months ago. The reviewers I spoke
> to over the last year have stopped bringing this complaint up, but I am
> not sure everyone feels that way.
>
> Juxtaposition with a recent "Scaling Compromise"
> -------------------------------------------------
>
> Recently, a scalability proposal began to circulate on social media. As
> far as I could tell, it goes something like "immediately activate
> SegWit, and then HF to double the nonwitness blockspace to 2MB within 12
> months". But such a proposal is quite meager, compared to a "LargeBlock
> Drivechain". The drivechain is better on both fronts, as it would not
> require a hardfork, and could *almost immediately* add _any_ amount of
> extra blockspace (specifically, I might expect a BIP101-like LargeBlock
> chain that has an 8 MB maxblocksize, which doubles every two years).
>
> In other words, I don't know why anyone would support that proposal over
> mine. The only reasons would be either ignorance (ie, unfamiliarity with
> drivechain) or because there are still nagging unspoken complaints about
> drivechain which I apparently need to hear and address.
>
> Other Thoughts
> ---------------
>
> Unfortunately, anyone who worked on the "first generation" of sidechain
> technology (the skiplist) or the "second generation" (federated /
> Liquid), will find that this is very different.
>
> I will admit that I am very pessimistic about any conversation that
> involves scalability. It is often said that "talking politics lowers
> your IQ by 25 points". Bitcoin scalability conversations seem to drain
> 50 points. (Instead of conversing, I think people should quietly work on
> whatever they are passionate about until their problem either is solved,
> or it goes away for some other reason, or until we all agree to just
> stop talking about it.)
>
> Cheers,
> Paul
>
> [1] http://www.drivechain.info/faq/#can-sidechains-really-help-with-scaling
> [2] http://www.truthcoin.info/blog/blind-merged-mining/
> [3] https://s3.amazonaws.com/peter.todd/bitcoin-wizards-13-10-17.log
> [4] https://www.youtube.com/watch?v=YErLEuOi3xU&list=PLw8-6ARlyVciNjgS_NFhAu-qt7HPf_dtg&index=4
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

