From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 1AC77C0012 for ; Thu, 23 Dec 2021 11:56:33 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id E3CCD40646 for ; Thu, 23 Dec 2021 11:56:32 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.854 X-Spam-Level: X-Spam-Status: No, score=-0.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (1024-bit key) header.d=gazeta.pl Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQhsoztfKxCt for ; Thu, 23 Dec 2021 11:56:29 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 Received: from smtpo76.poczta.onet.pl (smtpo76.poczta.onet.pl [141.105.16.26]) by smtp2.osuosl.org (Postfix) with ESMTPS id 2099340103 for ; Thu, 23 Dec 2021 11:56:28 +0000 (UTC) Received: from pmq3v.m5r2.onet (pmq3v.m5r2.onet [10.174.32.69]) by smtp.poczta.onet.pl (Onet) with ESMTP id 4JKTDh3jKyz1pKN; Thu, 23 Dec 2021 12:56:20 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gazeta.pl; s=2013; t=1640260580; bh=Hih79KUvz1cpl0B8cT10eYl0cy6aAeA6dnSl3MTQRho=; h=From:Cc:To:In-Reply-To:Date:Subject:From; b=bW/N9ZFEPchd/8Tydz15FuuXyllpESEJKXv9vKKMGjYy6QtJxdP80/Fw/2718/YLf 3R3WkCpij7jZvmWH24iIu7EnoOIm5KrwujUj7I5eo3EhAkyPQsNqqk+fVOhyiCI3q8 qlK2yEKfVgVMEzOez64uGnnpNcFHheeth1wGfCPc= Content-Type: multipart/alternative; boundary="===============0028088375559804441==" MIME-Version: 1.0 Received: from [31.61.160.121] by pmq3v.m5r2.onet via HTTP id ; Thu, 23 Dec 2021 12:56:20 +0100 From: vjudeu@gazeta.pl X-Priority: 3 To: Billy Tetrud In-Reply-To: Date: Thu, 23 Dec 2021 12:56:18 +0100 Message-Id: <151161119-8858833d76ec6beed19cf87cc542dc62@pmq3v.m5r2.onet> X-Mailer: onet.poczta X-Onet-PMQ: ;31.61.160.121;PL;3 X-Mailman-Approved-At: Thu, 23 Dec 2021 17:38:21 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] [Bitcoin Advent Calendar] Decentralized Coordination Free Mining Pools X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Dec 2021 11:56:33 -0000 This is a multi-part message in MIME format. --===============0028088375559804441== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable > Associating signing with proof of stake and thereby concluding that signi= ng is something to avoid sounds like superstitious thinking. If you introduce signing into mining, then you will have cases, where someo= ne is powerful enough to produce blocks, but cannot, because signing is nee= ded. Then, your consensus is no longer "the heaviest chain", but "the heavi= est signed chain". That means, your computing power is no longer enough by = itself (as today), because to make a block, you also need some kind of "per= mission to mine", because first you sign things (like in signet) and then y= ou mine them. That kind of being "reliably unreliable" may be ok for testin= g, but not for the main network. > A signing scheme with proof of work would clearly not be proof of stake. It is not that far from Proof of Stake as you may think. In Proof of Stake,= you sign your whale balance with thousands of BTC, and then you can mine a= new block, just by putting your coins at stake. In Proof of Work with sign= ing, you also make a signature, and even if there is no amount in satoshis = for your signing key, it is still somehow checked, who can sign a block and= how many signatures are needed. So, is your private key that allows you to= extend the chain is really worth zero satoshis, because there is no balanc= e connected with your address/public key? Not really, it is worth a lot of = coins, because it can be used to control the chain. > The benefit of that over merge mining would be no extra on chain foot pri= nt. Your signatures would be that "extra on chain foot print". In signet, by de= fault you have 1-of-2 multisig, so you have one signature for every block. = In the main chain, there is no need for any foot print, because you can rev= eal taproot public key and hide other things in tapscript, so your foot pri= nt is present only when people will not cooperate. On 2021-12-20 18:18:58 user Billy Tetrud wrote: > you can assign some minimal difficulty, =C2=A0 I was assuming that would be part of the plan. =C2=A0 >=C2=A0Signing sounds more like Proof of Stake =C2=A0 Associating signing with proof of stake and thereby concluding that signing= is something to avoid sounds like superstitious thinking. A signing scheme= with proof of work would clearly not be proof of stake. I would suggest no= t dismissing a design out of hand like that. The benefit of that over merge= mining would be no extra on chain foot print. What do you think the downsi= des might be? =C2=A0 > if you use just hashes, then they could be random. =C2=A0 You're right. Nodes would of course need to validate the Bitcoin block head= ers being included, so i concede hashing them doesn't gain you anything. On Thu, Dec 16, 2021, 22:37 wrote: > I was thinking that this would be a separate blockchain with separate hea= ders that progress linearly like a normal blockchain. Exactly, that's what I called "superblocks", where you have a separate chai= n, just to keep block headers instead of transactions. > A block creator would collect together as many blocks that haven't been c= ollected yet into the next superblock (and maybe receive a reward proportio= nal to how many / how much weight they include). You cannot "catch them all". If you do, you can end up with a lot of block = headers, where each of them has difficulty equal to one. You need some limi= t, you can limit amount of blocks, you can assign some minimal difficulty, = it does not matter that much, but some limit is needed, also because mining= on top of the latest superblock should be more profitable than replacing s= omeone else's reward in the previous superblock by your own reward and gett= ing a bigger share in the previous superblock. > This could be done using merge mining, or it could be done using a signin= g scheme (eg where the block creator signs to say "I created this superbloc= k" and have mechanisms to punish those who sign multiple superblocks at the= same height. I would pick merge mining, because it is more compatible with existing mini= ng scheme. Signing sounds more like Proof of Stake and I am trying to avoid= that solution. Also, there is no need to sign anything, because you are so= lo mining where you have your own coinbase transaction or you are mining in= a pool, where you have some shared address, and then you cannot produce an= y incompatible superblock, because the protocol can tell you, which address= you should use (and if it is N-of-N taproot multisig and you have some clo= sing transaction, then you can safely mine it). > Really, you could even just use hashes of the block headers. Replacing transactions with block headers will do the same trick. Each tran= saction is first hashed with double SHA-256, in exactly the same way as blo= ck headers are. If you replace transactions with block headers, you would g= et a superblock header, then varint saying how many block headers are there= , and then you can place all block headers. During superblock merkle tree c= onstruction, you will hash all block headers (so you will get block hashes = as leaves), and then you will combine block hashes in the same way as trans= action hashes are combined. >From the Script point of view, you can always use "OP_SIZE 80 OP_EQUALVERIF= Y OP_HASH256 OP_EQUAL". Then, you can just change the size, just to = show which object is hashed. Value 80 will work for block headers, small va= lues below 520 will work for small transactions, value 64 will work for any= merkle tree proof, no matter if it is for superblock or normal block. Also= , by using block headers instead of hashes, you can prove that at least a p= roper amount of work was done to produce it, because if you use just hashes= , then they could be random. On 2021-12-16 17:57:23 user Billy Tetrud wrote: @Jeremy >=C2=A0 =C2=A0for top-level pool participants there is never any central cu= stody. =C2=A0 I definitely see that. That was actually what I meant when I said the goals= aren't the same as benefits. While your idea definitely satisfies all your= goals in a modular way, the fact that it relies on pools means that unless= the pools can also satisfy the goals, the total system also doesn't satisf= y the goals (even tho the piece of that system you designed does).=C2=A0 =C2=A0 >=C2=A0Thus it doesn't "hurt" anyone except for the miners who are taking t= he not fully locked in funds risk =C2=A0 True, it only potentially hurts whoever the channel partner is accepting th= e unspendable coins. And no one can really stop anyone from taking that ris= k if they really want to. But in that case, its not exactly a fully functio= nal channel, since recourse mechanisms couldn't be performed. Wouldn't that= open such a channel up to a pretty bad theft possibility? =C2=A0 @Bob >=C2=A0Increased payout regularity does not lower the viable size of mining= pools, because smaller mining pools using this mechanism still have higher= variance. =C2=A0 Yes, smaller mining pools will always have higher variance. However, lower = variance has diminishing benefits. Below a certain amount of variance, less= variance isn't very valuable. So increased payout regularity does indeed l= ower the viable size of mining pools because a given low-enough level of va= riance can be achieved with less pool hashpower. =C2=A0 > The on-chain footprint is *higher* due to the increased payout regularity. =C2=A0 That's a reasonable point. However, I think there is a difference here betw= een the regularity of rewards vs payouts. Rewards for each miner can be mor= e regular without necessarily increasing the number of on-chain payouts. In= fact, theoretically, an individual miner could let their rewards accumulat= e in a pool over many rewards and only redeem when they need the coins for = something. The incentive is there for each miner to be judicious on how muc= h onchain space they take up. =C2=A0 @vjudeu =C2=A0 > how many block headers should be stored per one "superblock"? =C2=A0 I was thinking that this would be a separate blockchain with separate heade= rs that progress linearly like a normal blockchain. A block creator would c= ollect together as many blocks that haven't been collected yet into the nex= t superblock (and maybe receive a reward proportional to how many / how muc= h weight they include). This could be done using merge mining, or it could = be done using a signing scheme (eg where the block creator signs to say "I = created this superblock" and have mechanisms to punish those who sign multi= ple superblocks at the same height. For merge mining, I could even imagine = the data necessary to validate that it has been merge mined could be put in= to a taproot script branch (creating an invalid script, but a valid hash of= the superblock).=C2=A0 =C2=A0 > we can collect all headers with the same previous block hash, and distrib= ute block reward between all coinbase transactions in those headers =C2=A0 Exactly. =C2=A0 > we would just have block headers instead of transactions =C2=A0 Yeah, I think that would be the way to go. Really, you could even just use = hashes of the block headers. But the size doesn't matter much because it wo= uld be both a small blockchain and an ephemeral one (which can be fully dis= carded after all parties have been paid out, or at least their payout has b= een committed to on the bitcoin blockchain).=C2=A0 On Thu, Dec 16, 2021 at 1:35 AM wrote: > The missing piece here would be an ordering of weak blocks to make the wi= ndow possible. Or at least a way to determine what blocks should definitely= be part of a particular block's pay out. I could see this being done by a = separate ephemeral blockchain (which starts fresh after each Bitcoin block)= that keeps track of which weak blocks have been submitted, potentially usi= ng the pow already in each block to secure it. Granted that piece is a bit = half baked, but it seems quite solvable. Wdyt? =C2=A0 I thought about something like that, but there is one problem: how many blo= ck headers should be stored per one "superblock"? Currently, we have single= block header, where the whole coinbase transaction is taken by some mining= pool or solo miner. But instead, each miner could submit its own block hea= der. Then, we can collect all headers with the same previous block hash, an= d distribute block reward between all coinbase transactions in those header= s. One "superblock" then would be created in a similar way as existing bloc= ks, we would just have block headers instead of transactions. If most trans= actions inside those blocks will be the same, then each block could be expr= essed just as a set of transaction hashes, only coinbase transactions or cu= stom, non-broadcasted transactions included by miners will be revealed, eve= rything else will be known. > One thing that jumped out at me as not safe is throwing block rewards int= o a channel and being able to spend them immediately. There's a reason bloc= k rewards aren't spendable for a while, and channels don't solve that probl= em, do they? Why not simply reduce the on chain wait time for spending bloc= k rewards at that point? Seems like the consequences would be the same. All coinbase rewards are unspendable for 100 blocks, it is enforced by cons= ensus. It does not matter if there are outputs owned directly by miners, or= if there is one huge N-of-N taproot multisig for the whole pool, where eve= ry miner signed the closing transaction. The only option to take coins fast= er I can see is swapping the coins by some LN transaction. But then, the ot= her party can check if some deposit to the LN channel is a part of the coin= base transaction or not, and then decide if it is acceptable to do the swap. On 2021-12-15 19:00:44 user Billy Tetrud via bitcoin-dev wrote: Looks like an interesting proposal, but it doesn't seem to quite match the = goals you mentioned. As you do mention, this mining pool coordination doesn= 't get rid of the need for mining pools in the first place. So it doesn't s= atisfy item 1 on your goal list afaict.=C2=A0 =C2=A0 The primary benefits over what we have today that I can see are: 1. increased payout regularity, which lowers the viable size of mining pool= s, and 2. Lower on chain footprint through combining pay outs from multiple pools. =C2=A0 Am I missing some? =C2=A0 These are interesting benefits, but it would be nice if your post was clear= er on that, since the goals list is not the same as the list of potential b= enefits of this kind of design. =C2=A0 As far as enabling solo mining, what if this concept were used off chain? H= ave a public network of solo miners who publish "weak blocks" to that netwo= rk, and the next 100 (or 1000 etc) nice miners pay you out as long as you'r= e also being nice by following the protocol? All the nice optimizations you= mentioned about eg combined taproot payouts would apply i think. The only = goals this wouldn't satisfy are 3 and 5 since an extra network is needed, b= ut to be fair, your proposal requires pools which all need their own extra = network anyways.=C2=A0 =C2=A0 The missing piece here would be an ordering of weak blocks to make the wind= ow possible. Or at least a way to determine what blocks should definitely b= e part of a particular block's pay out. I could see this being done by a se= parate ephemeral blockchain (which starts fresh after each Bitcoin block) t= hat keeps track of which weak blocks have been submitted, potentially using= the pow already in each block to secure it. Granted that piece is a bit ha= lf baked, but it seems quite solvable. Wdyt? =C2=A0 One thing that jumped out at me as not safe is throwing block rewards into = a channel and being able to spend them immediately. There's a reason block = rewards aren't spendable for a while, and channels don't solve that problem= , do they? Why not simply reduce the on chain wait time for spending block = rewards at that point? Seems like the consequences would be the same. On Tue, Dec 14, 2021, 16:12 Bob McElrath via bitcoin-dev wrote: You are hand waving. Attempting to redefine terms to justify your argument = is intellectually dishonest. Bitcoin pools have *always* been about variance reduction. Your window function fundamentally CANNOT be used to hedge hashr= ate. Various suggestions below introduce dangerous new games that might be playe= d by miners. The fact is that the half-baked design you posted is less than useless, and doesn't do anything that anyone wants. You are trying to justify CTV by making it be all things to all people. "Wh= en all you have is a hammer, every problem looks like a nail".=C2=A0 Instead I= humbly suggest that you pick ONE problem for which CTV is demonstrably the right a= nd best solution, instead of snowing us with a ton of half-baked things that *could* be done, and often don't even require CTV, and some (like this one) fundamentally don't work. I do like some of your ideas, but if you had to p= ick just one "use case", which would it be? Jeremy [jlrubin@mit.edu] wrote: > Bitcoin didn't invent the concept of pooling: https://en.wikipedia.org/wi= ki/ > Pooling_(resource_management). This is a Bitcoin Mining Pool, although it= may > not be your favorite kind, which is fixated on specific properties of com= puting > contributions before finding a block. Pooling is just a general technique= for > aggregating resources to accomplish something. If you have another name l= ike > pooling that is in common use for this type of activity I would be more t= han > happy to adopt it. > > This sort of pool can hedge not only against fee rates but also against > increases in hashrate since your historical rate 'carries' into the futur= e as a > function of the window. Further, windows and reward functions can be defi= ned in > a myriad of ways that could, e.g., pay less to blocks found in more rapid > succession, contributing to the smoothing functionality. > > With respect to sub-block pooling, as described in the article, this sort= of > design also helps with micro-pools being able to split resources > non-custodially in every block as a part of the higher order DCFMP. The p= oint > is not, as noted, to enable solo mining an S9, but to decrease the size o= f the > minimum viable pool. It's also possible to add, without much validation or > data, some 'uncle block' type mechanism in an incentive compatible way (e= .g., > add 10 pow-heavy headers on the last block for cost 48 bytes header + 32 = bytes > payout key) such that there's an incentive to include the heaviest ones y= ou've > seen, not just your own, that are worth further study and consideration > (particularly because it's non-consensus, only for opt-in participation i= n the > pool). > > With respect to space usage, it seems you wholly reject the viability of a > payment pool mechanism to cut-through chain space. Is this a critique that > holds for all Payment Pools, or just in the context of mining? Is there a > particular reason why you think it infeasible that "strongly online" > counterparties would be able to coordinate more efficiently? Is it prefer= able > for miners, the nexus of decentralization for Bitcoin, to prefer to use > custodial services for pooling (which may require KYC/AM) over bearing a = cost > of some extra potential chainload? > > Lastly, with respect to complexity, the proposal is actually incredibly s= imple > when you take it in a broader context. Non Interactive Channels and Payme= nt > Pools are useful=C2=A0by themselves, so are the operations to merge them = and swap > balance across them. Therefore most of the complexity in this proposal is > relying on tools we'll likely see in everyday use in any case, DCFMP or n= o. > > Jeremy > !DSPAM:61b8f2f5321461582627336! -- Cheers, Bob McElrath "For every complex problem, there is a solution that is simple, neat, and w= rong." =C2=A0 =C2=A0 -- H. L. Mencken _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev --===============0028088375559804441== Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable
> Associating signing with proof of stake and thereby concluding th= at signing is something to avoid sounds like superstitious thinking.
<= br />If you introduce signing into mining, then you will have cases, where = someone is powerful enough to produce blocks, but cannot, because signing i= s needed. Then, your consensus is no longer "the heaviest chain", but "the = heaviest signed chain". That means, your computing power is no longer enoug= h by itself (as today), because to make a block, you also need some kind of= "permission to mine", because first you sign things (like in signet) and t= hen you mine them. That kind of being "reliably unreliable" may be ok for t= esting, but not for the main network.

> A signing scheme with= proof of work would clearly not be proof of stake.

It is not th= at far from Proof of Stake as you may think. In Proof of Stake, you sign yo= ur whale balance with thousands of BTC, and then you can mine a new block, = just by putting your coins at stake. In Proof of Work with signing, you als= o make a signature, and even if there is no amount in satoshis for your sig= ning key, it is still somehow checked, who can sign a block and how many si= gnatures are needed. So, is your private key that allows you to extend the = chain is really worth zero satoshis, because there is no balance connected = with your address/public key? Not really, it is worth a lot of coins, becau= se it can be used to control the chain.

> The benefit of that= over merge mining would be no extra on chain foot print.

Your s= ignatures would be that "extra on chain foot print". In signet, by default = you have 1-of-2 multisig, so you have one signature for every block. In the= main chain, there is no need for any foot print, because you can reveal ta= proot public key and hide other things in tapscript, so your foot print is = present only when people will not cooperate.

On 2021-12-20 18:18:58 user Billy Tetrud <billy.tetrud@gmail.com>= ; wrote:
> you can assign some minimal difficulty,
 
I was assuming that would be part of the plan.
 
> Signing sounds more like Proof of Stake
 
Associating signing with proof of stake and thereby concl= uding that signing is something to avoid sounds like superstitious thinking= . A signing scheme with proof of work would clearly not be proof of stake. = I would suggest not dismissing a design out of hand like that. The benefit = of that over merge mining would be no extra on chain foot print. What do yo= u think the downsides might be?
 
> if you use just hashes, then they could be random.
 
You're right. Nodes would of course need to validate the = Bitcoin block headers being included, so i concede hashing them doesn't gai= n you anything.


On Thu, Dec 16, 2021, 22:37 <vjudeu@gazeta.pl> wrote:
> I was thinking that this would be a separate blockchain with sepa= rate headers that progress linearly like a normal blockchain.

Ex= actly, that's what I called "superblocks", where you have a separate chain,= just to keep block headers instead of transactions.

> A bloc= k creator would collect together as many blocks that haven't been collected= yet into the next superblock (and maybe receive a reward proportional to h= ow many / how much weight they include).

You cannot "catch them = all". If you do, you can end up with a lot of block headers, where each of = them has difficulty equal to one. You need some limit, you can limit amount= of blocks, you can assign some minimal difficulty, it does not matter that= much, but some limit is needed, also because mining on top of the latest s= uperblock should be more profitable than replacing someone else's reward in= the previous superblock by your own reward and getting a bigger share in t= he previous superblock.

> This could be done using merge mini= ng, or it could be done using a signing scheme (eg where the block creator = signs to say "I created this superblock" and have mechanisms to punish thos= e who sign multiple superblocks at the same height.

I would pick= merge mining, because it is more compatible with existing mining scheme. S= igning sounds more like Proof of Stake and I am trying to avoid that soluti= on. Also, there is no need to sign anything, because you are solo mining wh= ere you have your own coinbase transaction or you are mining in a pool, whe= re you have some shared address, and then you cannot produce any incompatib= le superblock, because the protocol can tell you, which address you should = use (and if it is N-of-N taproot multisig and you have some closing transac= tion, then you can safely mine it).

> Really, you could even = just use hashes of the block headers.

Replacing transactions wit= h block headers will do the same trick. Each transaction is first hashed wi= th double SHA-256, in exactly the same way as block headers are. If you rep= lace transactions with block headers, you would get a superblock header, th= en varint saying how many block headers are there, and then you can place a= ll block headers. During superblock merkle tree construction, you will hash= all block headers (so you will get block hashes as leaves), and then you w= ill combine block hashes in the same way as transaction hashes are combined= .

From the Script point of view, you can always use "OP_SIZE 80 = OP_EQUALVERIFY OP_HASH256 <hash> OP_EQUAL". Then, you can just change= the size, just to show which object is hashed. Value 80 will work for bloc= k headers, small values below 520 will work for small transactions, value 6= 4 will work for any merkle tree proof, no matter if it is for superblock or= normal block. Also, by using block headers instead of hashes, you can prov= e that at least a proper amount of work was done to produce it, because if = you use just hashes, then they could be random.

On 2021-12-16 17:57:23 user Billy Tetrud <billy.tetrud@gmail.com> wrote:
@Jeremy
 for top-level pool participants there is never any central c= ustody.
 
I definitely see that. That was actually what I meant when I said the = goals aren't the same as benefits. While your idea definitely satisfies all= your goals in a modular way, the fact that it relies on pools means that u= nless the pools can also satisfy the goals, the total system also doesn't s= atisfy the goals (even tho the piece of that system you designed does).&nbs= p;
 
Thus it doesn't "hurt" anyone except for the miners who are ta= king the not fully locked in funds risk
 
True, it only potentially hurts whoeve= r the channel partner is accepting the unspendable coins. And no one can re= ally stop anyone from taking that risk if they really want to. But in that = case, its not exactly a fully functional channel, since recourse mechanisms= couldn't be performed. Wouldn't that open such a channel up to a pretty ba= d theft possibility?
 
@Bob
Increased payout regu= larity does not lower the viable size of mining pools, because smaller mini= ng pools using this mechanism still have higher variance.
 
Yes, smaller mining pools will always have higher variance. However, l= ower variance has diminishing benefits. Below a certain amount of variance,= less variance isn't very valuable. So increased payout regularity does ind= eed lower the viable size of mining pools because a given low-enough level = of variance can be achieved with less pool hashpower.
 
> The on-chain footprint is *higher* due to the increased payout re= gularity.
 
That's a reasonable point. However, I think there is a difference here= between the regularity of rewards vs payouts. Rewards for each miner can b= e more regular without necessarily increasing the number of on-chain payout= s. In fact, theoretically, an individual miner could let their rewards accu= mulate in a pool over many rewards and only redeem when they need the coins= for something. The incentive is there for each miner to be judicious on ho= w much onchain space they take up.
 
@vjudeu
 
> how many block headers should be stored per one "superblock"?
 
I was thinking that this would be a separate blockchain with separate = headers that progress linearly like a normal blockchain. A block creator wo= uld collect together as many blocks that haven't been collected yet into th= e next superblock (and maybe receive a reward proportional to how many / ho= w much weight they include). This could be done using merge mining, or it c= ould be done using a signing scheme (eg where the block creator signs to sa= y "I created this superblock" and have mechanisms to punish those who sign = multiple superblocks at the same height. For merge mining, I could even ima= gine the data necessary to validate that it has been merge mined could be p= ut into a taproot script branch (creating an invalid script, but a valid ha= sh of the superblock). 
 
> we can collect all headers with the same previous block hash, and= distribute block reward between all coinbase transactions in those headers=
 
Exactly.
 
> we would just have block headers instead of transactions
 
Yeah, I think that would be the way to go. Really, you could even just= use hashes of the block headers. But the size doesn't matter much because = it would be both a small blockchain and an ephemeral one (which can be full= y discarded after all parties have been paid out, or at least their payout = has been committed to on the bitcoin blockchain). 

On Thu, Dec 16, 2021 at 1:35 AM <<= a href=3D"http://../NowaWiadomosc/Do/QlIkBFQ6QUFhIVRZX192dnQBeCtCchEuGRE%2B= JkYAEBM5BgkBElIaQgpBQUFBVCVGX18dBRtTEQcBF1UyQUoDEQ0TRQYNQUdjI1hCU0cyajZIblh= VZRQcVlEe" target=3D"_blank" rel=3D"noopener noreferrer">vjudeu@gazeta.pl> wrote:
> The missing piece here would be an ordering of weak blocks to mak= e the window possible. Or at least a way to determine what blocks should de= finitely be part of a particular block's pay out. I could see this being do= ne by a separate ephemeral blockchain (which starts fresh after each Bitcoi= n block) that keeps track of which weak blocks have been submitted, potenti= ally using the pow already in each block to secure it. Granted that piece i= s a bit half baked, but it seems quite solvable. Wdyt?
 
I t= hought about something like that, but there is one problem: how many block = headers should be stored per one "superblock"? Currently, we have single bl= ock header, where the whole coinbase transaction is taken by some mining po= ol or solo miner. But instead, each miner could submit its own block header= . Then, we can collect all headers with the same previous block hash, and d= istribute block reward between all coinbase transactions in those headers. = One "superblock" then would be created in a similar way as existing blocks,= we would just have block headers instead of transactions. If most transact= ions inside those blocks will be the same, then each block could be express= ed just as a set of transaction hashes, only coinbase transactions or custo= m, non-broadcasted transactions included by miners will be revealed, everyt= hing else will be known.

> One thing that jumped out at me as= not safe is throwing block rewards into a channel and being able to spend = them immediately. There's a reason block rewards aren't spendable for a whi= le, and channels don't solve that problem, do they? Why not simply reduce t= he on chain wait time for spending block rewards at that point? Seems like = the consequences would be the same.

All coinbase rewards are uns= pendable for 100 blocks, it is enforced by consensus. It does not matter if= there are outputs owned directly by miners, or if there is one huge N-of-N= taproot multisig for the whole pool, where every miner signed the closing = transaction. The only option to take coins faster I can see is swapping the= coins by some LN transaction. But then, the other party can check if some = deposit to the LN channel is a part of the coinbase transaction or not, and= then decide if it is acceptable to do the swap.

On 2021-12-15 19:00:44 user Billy Tetrud via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>= wrote:
Looks like an interesting proposal, but it doesn't seem t= o quite match the goals you mentioned. As you do mention, this mining pool = coordination doesn't get rid of the need for mining pools in the first plac= e. So it doesn't satisfy item 1 on your goal list afaict. 
 
The primary benefits over what we have today that I can s= ee are:
1. increased payout regularity, which lowers the viable s= ize of mining pools, and
2. Lower on chain footprint through combining pay outs fr= om multiple pools.
 
Am I missing some?
 
These are interesting benefits, but it would be nice if y= our post was clearer on that, since the goals list is not the same as the l= ist of potential benefits of this kind of design.
 
As far as enabling solo mining, what if this concept were= used off chain? Have a public network of solo miners who publish "weak blo= cks" to that network, and the next 100 (or 1000 etc) nice miners pay you ou= t as long as you're also being nice by following the protocol? All the nice= optimizations you mentioned about eg combined taproot payouts would apply = i think. The only goals this wouldn't satisfy are 3 and 5 since an extra ne= twork is needed, but to be fair, your proposal requires pools which all nee= d their own extra network anyways. 
 
The missing piece here would be an ordering of weak block= s to make the window possible. Or at least a way to determine what blocks s= hould definitely be part of a particular block's pay out. I could see this = being done by a separate ephemeral blockchain (which starts fresh after eac= h Bitcoin block) that keeps track of which weak blocks have been submitted,= potentially using the pow already in each block to secure it. Granted that= piece is a bit half baked, but it seems quite solvable. Wdyt?
 
One thing that jumped out at me as not safe is throwing b= lock rewards into a channel and being able to spend them immediately. There= 's a reason block rewards aren't spendable for a while, and channels don't = solve that problem, do they? Why not simply reduce the on chain wait time f= or spending block rewards at that point? Seems like the consequences would = be the same.

On Tue, Dec 14, 2021, 16:12 Bob McElr= ath via bitcoin-dev <bit= coin-dev@lists.linuxfoundation.org> wrote:
You are hand waving. Attempt= ing to redefine terms to justify your argument is
intellectually disho= nest. Bitcoin pools have *always* been about variance
reduction. Your = window function fundamentally CANNOT be used to hedge hashrate.
Variou= s suggestions below introduce dangerous new games that might be played byminers.

The fact is that the half-baked design you posted is= less than useless, and
doesn't do anything that anyone wants.
You are trying to justify CTV by making it be all things to all people.= "When
all you have is a hammer, every problem looks like a nail".&nbs= p; Instead I humbly
suggest that you pick ONE problem for which CTV is= demonstrably the right and
best solution, instead of snowing us with = a ton of half-baked things that
*could* be done, and often don't even = require CTV, and some (like this one)
fundamentally don't work. I do l= ike some of your ideas, but if you had to pick
just one "use case", wh= ich would it be?

Jeremy [jlrubin@mit.edu] wrote:
> Bitcoin didn't invent the concept of pooling: https://en.wikipedia.org/wiki/
> Poolin= g_(resource_management). This is a Bitcoin Mining Pool, although it may
> not be your favorite kind, which is fixated on specific properties o= f computing
> contributions before finding a block. Pooling is just= a general technique for
> aggregating resources to accomplish some= thing. If you have another name like
> pooling that is in common us= e for this type of activity I would be more than
> happy to adopt i= t.
>
> This sort of pool can hedge not only against fee ra= tes but also against
> increases in hashrate since your historical = rate 'carries' into the future as a
> function of the window. Furth= er, windows and reward functions can be defined in
> a myriad of wa= ys that could, e.g., pay less to blocks found in more rapid
> succe= ssion, contributing to the smoothing functionality.
>
> Wi= th respect to sub-block pooling, as described in the article, this sort of<= br />> design also helps with micro-pools being able to split resources<= br />> non-custodially in every block as a part of the higher order DCFM= P. The point
> is not, as noted, to enable solo mining an S9, but t= o decrease the size of the
> minimum viable pool. It's also possibl= e to add, without much validation or
> data, some 'uncle block' typ= e mechanism in an incentive compatible way (e.g.,
> add 10 pow-heav= y headers on the last block for cost 48 bytes header + 32 bytes
> p= ayout key) such that there's an incentive to include the heaviest ones you'= ve
> seen, not just your own, that are worth further study and cons= ideration
> (particularly because it's non-consensus, only for opt-= in participation in the
> pool).
>
> With respect = to space usage, it seems you wholly reject the viability of a
> pay= ment pool mechanism to cut-through chain space. Is this a critique that
> holds for all Payment Pools, or just in the context of mining? Is th= ere a
> particular reason why you think it infeasible that "strongl= y online"
> counterparties would be able to coordinate more efficie= ntly? Is it preferable
> for miners, the nexus of decentralization = for Bitcoin, to prefer to use
> custodial services for pooling (whi= ch may require KYC/AM) over bearing a cost
> of some extra potentia= l chainload?
>
> Lastly, with respect to complexity, the p= roposal is actually incredibly simple
> when you take it in a broad= er context. Non Interactive Channels and Payment
> Pools are useful=  by themselves, so are the operations to merge them and swap
>= balance across them. Therefore most of the complexity in this proposal is<= br />> relying on tools we'll likely see in everyday use in any case, DC= FMP or no.
>
> Jeremy
> !DSPAM:61b8f2f532146158262= 7336!
--
Cheers, Bob McElrath

"For every complex probl= em, there is a solution that is simple, neat, and wrong."
   = ; -- H. L. Mencken

____________________________________________= ___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
h= ttps://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
--===============0028088375559804441==--