* [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs
@ 2020-12-31 22:00 Ruben Somsen
2020-12-31 23:26 ` ZmnSCPxj
2020-12-31 23:37 ` Sergio Demian Lerner
0 siblings, 2 replies; 5+ messages in thread
From: Ruben Somsen @ 2020-12-31 22:00 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 6645 bytes --]
Hi everyone,
This post describes a fully decentralized two-way peg sidechain design.
Activating new sidechains requires a soft fork, hence the name softchains.
The key aspect is that all softchains are validated by everyone via
Proof-of-Work Fraud Proofs (PoW FP) -- a slow but very efficient consensus
mechanism that only requires the validation of disputed blocks. This does
increase the validation burden of mainchain full nodes, but only by a
minimal amount (~100MB per chain per year). It's similar to drivechains[0],
but without the major downside of having to rely on miners, since all
Bitcoin full node users can efficiently validate each sidechain.
Proof-of-Work Fraud Proofs
Last year I posted the idea of PoW FP to the Bitcoin mailing list[1][2].
The idea is that we can use the existence of a fork in Bitcoin's PoW as
evidence that a block might be invalid (i.e. a proof of potential fraud).
Whenever this occurs, we download the block in question to verify whether
it was valid (and available), and reject it if it was not. We forego the
need for maintaining a UTXO set with UTXO set commitments (such as
utreexo[3]), by assuming that the commitment inside the last block to exist
in both forks is valid. As a result, we only need to download as many
blocks (and their corresponding UTXO set proofs) as there are orphans,
which lowers the validation costs considerably compared to running a full
node.
In the past 4 months, Forkmonitor has registered 11 stale and invalid
blocks[4]. Extrapolating from that data, a PoW FP node verifying Bitcoin
consensus would have to download and verify a little over 100MB per year in
order to have consensus guarantees that come close to that of a full node:
- All PoW headers (~4MB per year)
- 3 x 11 = 33 full blocks (~2MB x 33 = 66MB)
- UTXO merkle proofs (~1MB x 33 = 33MB with utreexo)
The reason consensus is considered slow, is because we need to allow time
for a honest PoW minority to fork away from an invalid chain. If we assume
only 1% of all miners are honest, this means consensus slows down by 100x.
If you are normally satisfied waiting for 6 confirmations, you now need to
wait 600 confirmations. The longer you wait, the less honest miners you
need.
Softchains
In order to have two-way pegged sidechains, you need a succinct method for
proving to the mainchain that a peg-out is valid. PoW FP provides exactly
that -- a low-bandwidth way of determining if a chain, and thus a peg-out,
is valid. The slowness of PoW FP consensus is not an issue, as peg-outs can
be made arbitrarily slow (e.g. one year).
The safest design would be a set of softchains that shares its consensus
code with Bitcoin Core, with the addition of UTXO set commitments, and
disabling non-taproot address types to minimize certain resource usage
issues[5]. All users validate the mainchain as usual with their full node,
and all softchains are validated with PoW FP consensus. If a user is
interested in directly using a specific softchain, they should run it as a
full node in order to get fast consensus.
Peg-ins occur by freezing coins on the mainchain and assigning them to a
softchain. Peg-outs occur by creating a mainchain transaction that points
to a peg-out transaction on a softchain and waiting for a sufficient number
of mainchain confirmations. If the peg-out transaction remains part of the
softchain according to PoW FP consensus, the coins become spendable.
The peg-in/peg-out mechanism itself would require a soft fork (the exact
design is an open question), and subsequently every softchain that gets
activated will also require a soft fork.
Potential dangers
Softchain consensus still requires a form of validation from mainchain
users, which means that consensus bugs can have an adverse effect. In
particular, if a softchain suffers from a non-deterministic consensus bug,
it may be the case that a majority accepts a peg-in, while a minority
rejects it. This specific scenario could cause a chain split in mainchain
consensus. This is why it would be safest to base softchain designs on
Bitcoin Core.
Similarly, it can theoretically be possible that a softchain gets a major
reorg, invalidating a peg-out right as it would have become accepted on the
mainchain, thus splitting consensus. The slow peg-out process makes this
increasingly unlikely, but not impossible. One thing that might help (or
perhaps only make it worse) is introducing a consensus rule that disallows
reorgs that are bigger than half the peg-out time (e.g. half a year, if the
peg-out is one year). This kind of rule does not actually solve this
consensus problem, but instead pushes the problem forward so it plays out
first on the softchain, giving time to take action before the problem
affects the mainchain.
It is also important that each softchain produces a non-trivial amount of
PoW, because if the difficulty is too low, the cost of creating forks and
increasing the resource usage of PoW FP consensus goes down. It may
therefore make sense to have a minimum accepted difficulty for softchain
blocks (slowing down the chain when fees are not sufficient). Merged Mining
could also help here, since that would allow the softchains to potentially
receive the same hashrate as Bitcoin (assuming all miners participate), but
of course this would also put an additional validation burden on miners.
In closing
It may turn out that the consensus risks outlined above make this
prohibitively risky, but at the very least it seems worth exploring the
possibilities. At a minimum it would provide more opt-in block space, and
it could potentially open the door to chains with entirely different
consensus rules.
Thank you for taking the time to read and comprehend my work. I will
happily answer any questions and I look forward to any feedback on issues
that I might have overlooked, and ideas on mitigating problems to ensure
maximum safety.
Hopefully this will bring decentralized two-way peg sidechains one step
closer to becoming a reality.
Happy new year, everyone.
-- Ruben Somsen
This post is mirrored and kept up-to-date here:
https://gist.github.com/RubenSomsen/7ecf7f13dc2496aa7eed8815a02f13d1
[0] Drivechains
https://www.drivechain.info/
[1] PoW FP
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016873.html
[2] PoW FP without a soft fork
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017287.html
[3]: utreexo
https://eprint.iacr.org/2019/611.pdf
[4]: Forkmonitor
https://forkmonitor.info/notifications
[5]: Harding on worst-case utreexo
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017298.html
[-- Attachment #2: Type: text/html, Size: 7586 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs
2020-12-31 22:00 [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs Ruben Somsen
@ 2020-12-31 23:26 ` ZmnSCPxj
2020-12-31 23:39 ` Ruben Somsen
2020-12-31 23:37 ` Sergio Demian Lerner
1 sibling, 1 reply; 5+ messages in thread
From: ZmnSCPxj @ 2020-12-31 23:26 UTC (permalink / raw)
To: Ruben Somsen, Bitcoin Protocol Discussion
Good morning Ruben, and list,
First and foremost --- what is the point of sidechains, in the first place?
If sidechains are for experimental new features, then softforking in a new sidechain with novel untested new features would be additionally risky --- as you note, a bug in the sidechain consensus may cause non-deterministic consensus in the sidechain which would propagate into mainchain.
Federated sidechains, which already are enabled on current Bitcoin, are safer here, as mainchain will only care about the k-of-n signature that the federation agrees on, and if the federation is unable to come to consensus due to a sidechain consensus bug, "fails safe" in that it effectively disables the peg-out back to mainchain and restricts the consensus problem to the sidechain.
If sidechains are for scaling, then I would like to remind anyone reading this that ***blockchains do not scale***, and adding more blockchains for the purpose of scaling is *questionable*.
"I have a scaling problem.
I know, I will add a sidechain!
Now I have two scaling problems."
Ultimately, proof-of-work is about energy expenditure, and you would be splitting the global energy budget for blockchain security among multiple blockchains, thus making each blockchain easier to 51%.
Regards,
ZmnSCPxj
> Hi everyone,
>
> This post describes a fully decentralized two-way peg sidechain design. Activating new sidechains requires a soft fork, hence the name softchains. The key aspect is that all softchains are validated by everyone via Proof-of-Work Fraud Proofs (PoW FP) -- a slow but very efficient consensus mechanism that only requires the validation of disputed blocks. This does increase the validation burden of mainchain full nodes, but only by a minimal amount (~100MB per chain per year). It's similar to drivechains[0], but without the major downside of having to rely on miners, since all Bitcoin full node users can efficiently validate each sidechain.
>
> Proof-of-Work Fraud Proofs
>
> Last year I posted the idea of PoW FP to the Bitcoin mailing list[1][2]. The idea is that we can use the existence of a fork in Bitcoin's PoW as evidence that a block might be invalid (i.e. a proof of potential fraud). Whenever this occurs, we download the block in question to verify whether it was valid (and available), and reject it if it was not. We forego the need for maintaining a UTXO set with UTXO set commitments (such as utreexo[3]), by assuming that the commitment inside the last block to exist in both forks is valid. As a result, we only need to download as many blocks (and their corresponding UTXO set proofs) as there are orphans, which lowers the validation costs considerably compared to running a full node.
>
> In the past 4 months, Forkmonitor has registered 11 stale and invalid blocks[4]. Extrapolating from that data, a PoW FP node verifying Bitcoin consensus would have to download and verify a little over 100MB per year in order to have consensus guarantees that come close to that of a full node:
> - All PoW headers (~4MB per year)
> - 3 x 11 = 33 full blocks (~2MB x 33 = 66MB)
> - UTXO merkle proofs (~1MB x 33 = 33MB with utreexo)
>
> The reason consensus is considered slow, is because we need to allow time for a honest PoW minority to fork away from an invalid chain. If we assume only 1% of all miners are honest, this means consensus slows down by 100x. If you are normally satisfied waiting for 6 confirmations, you now need to wait 600 confirmations. The longer you wait, the less honest miners you need.
>
> Softchains
>
> In order to have two-way pegged sidechains, you need a succinct method for proving to the mainchain that a peg-out is valid. PoW FP provides exactly that -- a low-bandwidth way of determining if a chain, and thus a peg-out, is valid. The slowness of PoW FP consensus is not an issue, as peg-outs can be made arbitrarily slow (e.g. one year).
>
> The safest design would be a set of softchains that shares its consensus code with Bitcoin Core, with the addition of UTXO set commitments, and disabling non-taproot address types to minimize certain resource usage issues[5]. All users validate the mainchain as usual with their full node, and all softchains are validated with PoW FP consensus. If a user is interested in directly using a specific softchain, they should run it as a full node in order to get fast consensus.
>
> Peg-ins occur by freezing coins on the mainchain and assigning them to a softchain. Peg-outs occur by creating a mainchain transaction that points to a peg-out transaction on a softchain and waiting for a sufficient number of mainchain confirmations. If the peg-out transaction remains part of the softchain according to PoW FP consensus, the coins become spendable.
>
> The peg-in/peg-out mechanism itself would require a soft fork (the exact design is an open question), and subsequently every softchain that gets activated will also require a soft fork.
>
> Potential dangers
>
> Softchain consensus still requires a form of validation from mainchain users, which means that consensus bugs can have an adverse effect. In particular, if a softchain suffers from a non-deterministic consensus bug, it may be the case that a majority accepts a peg-in, while a minority rejects it. This specific scenario could cause a chain split in mainchain consensus. This is why it would be safest to base softchain designs on Bitcoin Core.
>
> Similarly, it can theoretically be possible that a softchain gets a major reorg, invalidating a peg-out right as it would have become accepted on the mainchain, thus splitting consensus. The slow peg-out process makes this increasingly unlikely, but not impossible. One thing that might help (or perhaps only make it worse) is introducing a consensus rule that disallows reorgs that are bigger than half the peg-out time (e.g. half a year, if the peg-out is one year). This kind of rule does not actually solve this consensus problem, but instead pushes the problem forward so it plays out first on the softchain, giving time to take action before the problem affects the mainchain.
>
> It is also important that each softchain produces a non-trivial amount of PoW, because if the difficulty is too low, the cost of creating forks and increasing the resource usage of PoW FP consensus goes down. It may therefore make sense to have a minimum accepted difficulty for softchain blocks (slowing down the chain when fees are not sufficient). Merged Mining could also help here, since that would allow the softchains to potentially receive the same hashrate as Bitcoin (assuming all miners participate), but of course this would also put an additional validation burden on miners.
>
> In closing
>
> It may turn out that the consensus risks outlined above make this prohibitively risky, but at the very least it seems worth exploring the possibilities. At a minimum it would provide more opt-in block space, and it could potentially open the door to chains with entirely different consensus rules.
>
> Thank you for taking the time to read and comprehend my work. I will happily answer any questions and I look forward to any feedback on issues that I might have overlooked, and ideas on mitigating problems to ensure maximum safety.
>
> Hopefully this will bring decentralized two-way peg sidechains one step closer to becoming a reality.
>
> Happy new year, everyone.
>
> -- Ruben Somsen
>
> This post is mirrored and kept up-to-date here:
> https://gist.github.com/RubenSomsen/7ecf7f13dc2496aa7eed8815a02f13d1
>
> [0] Drivechains
> https://www.drivechain.info/
>
> [1] PoW FP
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016873.html
>
> [2] PoW FP without a soft fork
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017287.html
>
> [3]: utreexo
> https://eprint.iacr.org/2019/611.pdf
>
> [4]: Forkmonitor
> https://forkmonitor.info/notifications
>
> [5]: Harding on worst-case utreexo
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017298.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs
2020-12-31 22:00 [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs Ruben Somsen
2020-12-31 23:26 ` ZmnSCPxj
@ 2020-12-31 23:37 ` Sergio Demian Lerner
2021-01-01 0:05 ` Ruben Somsen
1 sibling, 1 reply; 5+ messages in thread
From: Sergio Demian Lerner @ 2020-12-31 23:37 UTC (permalink / raw)
To: Ruben Somsen, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 8832 bytes --]
Hi Roben,
It's an interesting proposal, but I have two issues with it, one technical
and one philosophical.
On the technical side, I don't understand how your proposal prevents miners
proposing a peg-out for an invalid sidechain fork which is not made
available to the nodes (there are missing blocks). It seems that the system
would need to allow users to challenge miners to make available full
sidechain blocks that are missing, which really complicates the protocol.
On the philosophical side, as you mentioned, it is very limited in the
types of sidechains it can verify. I won't be able to verify RSK
(merge-mined with Bitcoin, but with different block format and different
functionality). It cannot verify a zCash-like sidechain for the same
reasons. Therefore it is strictly a payment scalability solution.
Drivechains, on the other hand, enable many new use cases apart from
scaling, which have a much lower level of complexity (if implemented
correctly).
Since the inception of RSK sidechain, I suggested in its white-paper that
sidechains should be designed to support an hybrid peg-out system, based on
both a large multisig AND a drivechain, where both groups need to agree for
the peg-out to occur. It's a censorship/security trade-off that most users
would be willing to accept until a trusted-setup-free SNARK-like based
solution is finally available.
Until we have a sidechain-selectable SNARK-like succinct verification of
any block state transition function, having a single succint proof to cover
the whole sidechain validity, as in Coda (now renamed Mina), drivechains
are the low-hanging-fruit.
regards
On Thu, Dec 31, 2020 at 7:01 PM Ruben Somsen via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hi everyone,
>
> This post describes a fully decentralized two-way peg sidechain design.
> Activating new sidechains requires a soft fork, hence the name softchains.
> The key aspect is that all softchains are validated by everyone via
> Proof-of-Work Fraud Proofs (PoW FP) -- a slow but very efficient consensus
> mechanism that only requires the validation of disputed blocks. This does
> increase the validation burden of mainchain full nodes, but only by a
> minimal amount (~100MB per chain per year). It's similar to drivechains[0],
> but without the major downside of having to rely on miners, since all
> Bitcoin full node users can efficiently validate each sidechain.
>
>
> Proof-of-Work Fraud Proofs
>
> Last year I posted the idea of PoW FP to the Bitcoin mailing list[1][2].
> The idea is that we can use the existence of a fork in Bitcoin's PoW as
> evidence that a block might be invalid (i.e. a proof of potential fraud).
> Whenever this occurs, we download the block in question to verify whether
> it was valid (and available), and reject it if it was not. We forego the
> need for maintaining a UTXO set with UTXO set commitments (such as
> utreexo[3]), by assuming that the commitment inside the last block to exist
> in both forks is valid. As a result, we only need to download as many
> blocks (and their corresponding UTXO set proofs) as there are orphans,
> which lowers the validation costs considerably compared to running a full
> node.
>
> In the past 4 months, Forkmonitor has registered 11 stale and invalid
> blocks[4]. Extrapolating from that data, a PoW FP node verifying Bitcoin
> consensus would have to download and verify a little over 100MB per year in
> order to have consensus guarantees that come close to that of a full node:
> - All PoW headers (~4MB per year)
> - 3 x 11 = 33 full blocks (~2MB x 33 = 66MB)
> - UTXO merkle proofs (~1MB x 33 = 33MB with utreexo)
>
> The reason consensus is considered slow, is because we need to allow time
> for a honest PoW minority to fork away from an invalid chain. If we assume
> only 1% of all miners are honest, this means consensus slows down by 100x.
> If you are normally satisfied waiting for 6 confirmations, you now need to
> wait 600 confirmations. The longer you wait, the less honest miners you
> need.
>
>
> Softchains
>
> In order to have two-way pegged sidechains, you need a succinct method for
> proving to the mainchain that a peg-out is valid. PoW FP provides exactly
> that -- a low-bandwidth way of determining if a chain, and thus a peg-out,
> is valid. The slowness of PoW FP consensus is not an issue, as peg-outs can
> be made arbitrarily slow (e.g. one year).
>
> The safest design would be a set of softchains that shares its consensus
> code with Bitcoin Core, with the addition of UTXO set commitments, and
> disabling non-taproot address types to minimize certain resource usage
> issues[5]. All users validate the mainchain as usual with their full node,
> and all softchains are validated with PoW FP consensus. If a user is
> interested in directly using a specific softchain, they should run it as a
> full node in order to get fast consensus.
>
> Peg-ins occur by freezing coins on the mainchain and assigning them to a
> softchain. Peg-outs occur by creating a mainchain transaction that points
> to a peg-out transaction on a softchain and waiting for a sufficient number
> of mainchain confirmations. If the peg-out transaction remains part of the
> softchain according to PoW FP consensus, the coins become spendable.
>
> The peg-in/peg-out mechanism itself would require a soft fork (the exact
> design is an open question), and subsequently every softchain that gets
> activated will also require a soft fork.
>
>
> Potential dangers
>
> Softchain consensus still requires a form of validation from mainchain
> users, which means that consensus bugs can have an adverse effect. In
> particular, if a softchain suffers from a non-deterministic consensus bug,
> it may be the case that a majority accepts a peg-in, while a minority
> rejects it. This specific scenario could cause a chain split in mainchain
> consensus. This is why it would be safest to base softchain designs on
> Bitcoin Core.
>
> Similarly, it can theoretically be possible that a softchain gets a major
> reorg, invalidating a peg-out right as it would have become accepted on the
> mainchain, thus splitting consensus. The slow peg-out process makes this
> increasingly unlikely, but not impossible. One thing that might help (or
> perhaps only make it worse) is introducing a consensus rule that disallows
> reorgs that are bigger than half the peg-out time (e.g. half a year, if the
> peg-out is one year). This kind of rule does not actually solve this
> consensus problem, but instead pushes the problem forward so it plays out
> first on the softchain, giving time to take action before the problem
> affects the mainchain.
>
> It is also important that each softchain produces a non-trivial amount of
> PoW, because if the difficulty is too low, the cost of creating forks and
> increasing the resource usage of PoW FP consensus goes down. It may
> therefore make sense to have a minimum accepted difficulty for softchain
> blocks (slowing down the chain when fees are not sufficient). Merged Mining
> could also help here, since that would allow the softchains to potentially
> receive the same hashrate as Bitcoin (assuming all miners participate), but
> of course this would also put an additional validation burden on miners.
>
>
> In closing
>
> It may turn out that the consensus risks outlined above make this
> prohibitively risky, but at the very least it seems worth exploring the
> possibilities. At a minimum it would provide more opt-in block space, and
> it could potentially open the door to chains with entirely different
> consensus rules.
>
> Thank you for taking the time to read and comprehend my work. I will
> happily answer any questions and I look forward to any feedback on issues
> that I might have overlooked, and ideas on mitigating problems to ensure
> maximum safety.
>
> Hopefully this will bring decentralized two-way peg sidechains one step
> closer to becoming a reality.
>
> Happy new year, everyone.
>
>
> -- Ruben Somsen
>
>
>
> This post is mirrored and kept up-to-date here:
> https://gist.github.com/RubenSomsen/7ecf7f13dc2496aa7eed8815a02f13d1
>
>
> [0] Drivechains
> https://www.drivechain.info/
>
> [1] PoW FP
>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016873.html
>
> [2] PoW FP without a soft fork
>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017287.html
>
> [3]: utreexo
> https://eprint.iacr.org/2019/611.pdf
>
> [4]: Forkmonitor
> https://forkmonitor.info/notifications
>
> [5]: Harding on worst-case utreexo
>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017298.html
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 10303 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs
2020-12-31 23:26 ` ZmnSCPxj
@ 2020-12-31 23:39 ` Ruben Somsen
0 siblings, 0 replies; 5+ messages in thread
From: Ruben Somsen @ 2020-12-31 23:39 UTC (permalink / raw)
To: ZmnSCPxj; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 9413 bytes --]
Happy new morning ZmnSCPxj,
Thanks for taking a look :)
>If sidechains are for experimental new features, then softforking in a new
sidechain with novel untested new features would be additionally risky
There is definitely a risk, but it's one that can be minimized. For
instance, a softchain with Confidential Transactions could be introduced,
which allows for appealing privacy features without introducing a
completely new code base.
>If sidechains are for scaling, then I would like to remind anyone reading
this that ***blockchains do not scale***
I agree, you will still run into limitations, but you do get some scaling
gains from not having to verify each chain, but only the subset that
interests you.
>you would be splitting the global energy budget for blockchain security
among multiple blockchains
Not necessarily if you incorporate Merged Mining, but of course that comes
with the tradeoff of requiring miners to do more validation.
Cheers,
Ruben
On Fri, Jan 1, 2021 at 12:26 AM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
> Good morning Ruben, and list,
>
> First and foremost --- what is the point of sidechains, in the first place?
>
> If sidechains are for experimental new features, then softforking in a new
> sidechain with novel untested new features would be additionally risky ---
> as you note, a bug in the sidechain consensus may cause non-deterministic
> consensus in the sidechain which would propagate into mainchain.
> Federated sidechains, which already are enabled on current Bitcoin, are
> safer here, as mainchain will only care about the k-of-n signature that the
> federation agrees on, and if the federation is unable to come to consensus
> due to a sidechain consensus bug, "fails safe" in that it effectively
> disables the peg-out back to mainchain and restricts the consensus problem
> to the sidechain.
>
> If sidechains are for scaling, then I would like to remind anyone reading
> this that ***blockchains do not scale***, and adding more blockchains for
> the purpose of scaling is *questionable*.
> "I have a scaling problem.
> I know, I will add a sidechain!
> Now I have two scaling problems."
>
> Ultimately, proof-of-work is about energy expenditure, and you would be
> splitting the global energy budget for blockchain security among multiple
> blockchains, thus making each blockchain easier to 51%.
>
> Regards,
> ZmnSCPxj
>
> > Hi everyone,
> >
> > This post describes a fully decentralized two-way peg sidechain design.
> Activating new sidechains requires a soft fork, hence the name softchains.
> The key aspect is that all softchains are validated by everyone via
> Proof-of-Work Fraud Proofs (PoW FP) -- a slow but very efficient consensus
> mechanism that only requires the validation of disputed blocks. This does
> increase the validation burden of mainchain full nodes, but only by a
> minimal amount (~100MB per chain per year). It's similar to drivechains[0],
> but without the major downside of having to rely on miners, since all
> Bitcoin full node users can efficiently validate each sidechain.
> >
> > Proof-of-Work Fraud Proofs
> >
> > Last year I posted the idea of PoW FP to the Bitcoin mailing list[1][2].
> The idea is that we can use the existence of a fork in Bitcoin's PoW as
> evidence that a block might be invalid (i.e. a proof of potential fraud).
> Whenever this occurs, we download the block in question to verify whether
> it was valid (and available), and reject it if it was not. We forego the
> need for maintaining a UTXO set with UTXO set commitments (such as
> utreexo[3]), by assuming that the commitment inside the last block to exist
> in both forks is valid. As a result, we only need to download as many
> blocks (and their corresponding UTXO set proofs) as there are orphans,
> which lowers the validation costs considerably compared to running a full
> node.
> >
> > In the past 4 months, Forkmonitor has registered 11 stale and invalid
> blocks[4]. Extrapolating from that data, a PoW FP node verifying Bitcoin
> consensus would have to download and verify a little over 100MB per year in
> order to have consensus guarantees that come close to that of a full node:
> > - All PoW headers (~4MB per year)
> > - 3 x 11 = 33 full blocks (~2MB x 33 = 66MB)
> > - UTXO merkle proofs (~1MB x 33 = 33MB with utreexo)
> >
> > The reason consensus is considered slow, is because we need to allow
> time for a honest PoW minority to fork away from an invalid chain. If we
> assume only 1% of all miners are honest, this means consensus slows down by
> 100x. If you are normally satisfied waiting for 6 confirmations, you now
> need to wait 600 confirmations. The longer you wait, the less honest miners
> you need.
> >
> > Softchains
> >
> > In order to have two-way pegged sidechains, you need a succinct method
> for proving to the mainchain that a peg-out is valid. PoW FP provides
> exactly that -- a low-bandwidth way of determining if a chain, and thus a
> peg-out, is valid. The slowness of PoW FP consensus is not an issue, as
> peg-outs can be made arbitrarily slow (e.g. one year).
> >
> > The safest design would be a set of softchains that shares its consensus
> code with Bitcoin Core, with the addition of UTXO set commitments, and
> disabling non-taproot address types to minimize certain resource usage
> issues[5]. All users validate the mainchain as usual with their full node,
> and all softchains are validated with PoW FP consensus. If a user is
> interested in directly using a specific softchain, they should run it as a
> full node in order to get fast consensus.
> >
> > Peg-ins occur by freezing coins on the mainchain and assigning them to a
> softchain. Peg-outs occur by creating a mainchain transaction that points
> to a peg-out transaction on a softchain and waiting for a sufficient number
> of mainchain confirmations. If the peg-out transaction remains part of the
> softchain according to PoW FP consensus, the coins become spendable.
> >
> > The peg-in/peg-out mechanism itself would require a soft fork (the exact
> design is an open question), and subsequently every softchain that gets
> activated will also require a soft fork.
> >
> > Potential dangers
> >
> > Softchain consensus still requires a form of validation from mainchain
> users, which means that consensus bugs can have an adverse effect. In
> particular, if a softchain suffers from a non-deterministic consensus bug,
> it may be the case that a majority accepts a peg-in, while a minority
> rejects it. This specific scenario could cause a chain split in mainchain
> consensus. This is why it would be safest to base softchain designs on
> Bitcoin Core.
> >
> > Similarly, it can theoretically be possible that a softchain gets a
> major reorg, invalidating a peg-out right as it would have become accepted
> on the mainchain, thus splitting consensus. The slow peg-out process makes
> this increasingly unlikely, but not impossible. One thing that might help
> (or perhaps only make it worse) is introducing a consensus rule that
> disallows reorgs that are bigger than half the peg-out time (e.g. half a
> year, if the peg-out is one year). This kind of rule does not actually
> solve this consensus problem, but instead pushes the problem forward so it
> plays out first on the softchain, giving time to take action before the
> problem affects the mainchain.
> >
> > It is also important that each softchain produces a non-trivial amount
> of PoW, because if the difficulty is too low, the cost of creating forks
> and increasing the resource usage of PoW FP consensus goes down. It may
> therefore make sense to have a minimum accepted difficulty for softchain
> blocks (slowing down the chain when fees are not sufficient). Merged Mining
> could also help here, since that would allow the softchains to potentially
> receive the same hashrate as Bitcoin (assuming all miners participate), but
> of course this would also put an additional validation burden on miners.
> >
> > In closing
> >
> > It may turn out that the consensus risks outlined above make this
> prohibitively risky, but at the very least it seems worth exploring the
> possibilities. At a minimum it would provide more opt-in block space, and
> it could potentially open the door to chains with entirely different
> consensus rules.
> >
> > Thank you for taking the time to read and comprehend my work. I will
> happily answer any questions and I look forward to any feedback on issues
> that I might have overlooked, and ideas on mitigating problems to ensure
> maximum safety.
> >
> > Hopefully this will bring decentralized two-way peg sidechains one step
> closer to becoming a reality.
> >
> > Happy new year, everyone.
> >
> > -- Ruben Somsen
> >
> > This post is mirrored and kept up-to-date here:
> > https://gist.github.com/RubenSomsen/7ecf7f13dc2496aa7eed8815a02f13d1
> >
> > [0] Drivechains
> > https://www.drivechain.info/
> >
> > [1] PoW FP
> >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016873.html
> >
> > [2] PoW FP without a soft fork
> >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017287.html
> >
> > [3]: utreexo
> > https://eprint.iacr.org/2019/611.pdf
> >
> > [4]: Forkmonitor
> > https://forkmonitor.info/notifications
> >
> > [5]: Harding on worst-case utreexo
> >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017298.html
>
>
>
[-- Attachment #2: Type: text/html, Size: 10975 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs
2020-12-31 23:37 ` Sergio Demian Lerner
@ 2021-01-01 0:05 ` Ruben Somsen
0 siblings, 0 replies; 5+ messages in thread
From: Ruben Somsen @ 2021-01-01 0:05 UTC (permalink / raw)
To: Sergio Demian Lerner; +Cc: Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 11266 bytes --]
Hi Sergio,
Thanks for taking an interest.
>I don't understand how your proposal prevents miners proposing a peg-out
for an invalid sidechain fork which is not made available to the nodes
(there are missing blocks)
Good question. Data availability is a common problem for sidechain designs,
but PoW FP are actually a unique solution to this problem. In order for a
block with missing data to be accepted for a peg-out, it has to a.) remain
in the chain with the most PoW for a whole year, and b.) no fork that
questions the validity/availability of that block must exist. If a fork
does exist, this triggers all nodes to attempt to download the block with
the missing data. Since they will fail, the chain will be considered
invalid. I recommend reading the original posts about PoW FP ([1] and [2]
in my original post) for more elaboration.
>it is very limited in the types of sidechains it can verify
I agree that something like drivechains is much more flexible, but it comes
with a security tradeoff that many find uncomfortable.
>based on both a large multisig AND a drivechain, where both groups need to
agree for the peg-out to occur. It's a censorship/security trade-off that
most users would be willing to accept
I think federations are an absolutely fine tradeoff, but of course the
softchain design is one that deliberately tries to avoid them for reasons
that I assume are obvious.
>until a trusted-setup-free SNARK-like based solution is finally available
From my research into SNARKs I concluded that they still won't get you away
from having the sidechain function like an extension block, so the fruit
doesn't seem to be hanging that low from my perspective. This is because
SNARKs actually do suffer from the data availability problem you were
asking about. You can definitely save a lot by aggregating witness data
with SNARKs, but non-witness data cannot be aggregated and must be
downloaded by everyone, so you're still going to be restricted by
bandwidth. I described the issue here in detail:
https://medium.com/@RubenSomsen/snarks-and-the-future-of-blockchains-55b82012452b
Cheers,
Ruben
On Fri, Jan 1, 2021 at 12:38 AM Sergio Demian Lerner <
sergio.d.lerner@gmail.com> wrote:
> Hi Roben,
> It's an interesting proposal, but I have two issues with it, one
> technical and one philosophical.
>
> On the technical side, I don't understand how your proposal prevents
> miners proposing a peg-out for an invalid sidechain fork which is not made
> available to the nodes (there are missing blocks). It seems that the system
> would need to allow users to challenge miners to make available full
> sidechain blocks that are missing, which really complicates the protocol.
>
> On the philosophical side, as you mentioned, it is very limited in the
> types of sidechains it can verify. I won't be able to verify RSK
> (merge-mined with Bitcoin, but with different block format and different
> functionality). It cannot verify a zCash-like sidechain for the same
> reasons. Therefore it is strictly a payment scalability solution.
> Drivechains, on the other hand, enable many new use cases apart from
> scaling, which have a much lower level of complexity (if implemented
> correctly).
>
> Since the inception of RSK sidechain, I suggested in its white-paper that
> sidechains should be designed to support an hybrid peg-out system, based on
> both a large multisig AND a drivechain, where both groups need to agree for
> the peg-out to occur. It's a censorship/security trade-off that most users
> would be willing to accept until a trusted-setup-free SNARK-like based
> solution is finally available.
> Until we have a sidechain-selectable SNARK-like succinct verification of
> any block state transition function, having a single succint proof to cover
> the whole sidechain validity, as in Coda (now renamed Mina), drivechains
> are the low-hanging-fruit.
>
> regards
>
> On Thu, Dec 31, 2020 at 7:01 PM Ruben Somsen via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi everyone,
>>
>> This post describes a fully decentralized two-way peg sidechain design.
>> Activating new sidechains requires a soft fork, hence the name softchains.
>> The key aspect is that all softchains are validated by everyone via
>> Proof-of-Work Fraud Proofs (PoW FP) -- a slow but very efficient consensus
>> mechanism that only requires the validation of disputed blocks. This does
>> increase the validation burden of mainchain full nodes, but only by a
>> minimal amount (~100MB per chain per year). It's similar to drivechains[0],
>> but without the major downside of having to rely on miners, since all
>> Bitcoin full node users can efficiently validate each sidechain.
>>
>>
>> Proof-of-Work Fraud Proofs
>>
>> Last year I posted the idea of PoW FP to the Bitcoin mailing list[1][2].
>> The idea is that we can use the existence of a fork in Bitcoin's PoW as
>> evidence that a block might be invalid (i.e. a proof of potential fraud).
>> Whenever this occurs, we download the block in question to verify whether
>> it was valid (and available), and reject it if it was not. We forego the
>> need for maintaining a UTXO set with UTXO set commitments (such as
>> utreexo[3]), by assuming that the commitment inside the last block to exist
>> in both forks is valid. As a result, we only need to download as many
>> blocks (and their corresponding UTXO set proofs) as there are orphans,
>> which lowers the validation costs considerably compared to running a full
>> node.
>>
>> In the past 4 months, Forkmonitor has registered 11 stale and invalid
>> blocks[4]. Extrapolating from that data, a PoW FP node verifying Bitcoin
>> consensus would have to download and verify a little over 100MB per year in
>> order to have consensus guarantees that come close to that of a full node:
>> - All PoW headers (~4MB per year)
>> - 3 x 11 = 33 full blocks (~2MB x 33 = 66MB)
>> - UTXO merkle proofs (~1MB x 33 = 33MB with utreexo)
>>
>> The reason consensus is considered slow, is because we need to allow time
>> for a honest PoW minority to fork away from an invalid chain. If we assume
>> only 1% of all miners are honest, this means consensus slows down by 100x.
>> If you are normally satisfied waiting for 6 confirmations, you now need to
>> wait 600 confirmations. The longer you wait, the less honest miners you
>> need.
>>
>>
>> Softchains
>>
>> In order to have two-way pegged sidechains, you need a succinct method
>> for proving to the mainchain that a peg-out is valid. PoW FP provides
>> exactly that -- a low-bandwidth way of determining if a chain, and thus a
>> peg-out, is valid. The slowness of PoW FP consensus is not an issue, as
>> peg-outs can be made arbitrarily slow (e.g. one year).
>>
>> The safest design would be a set of softchains that shares its consensus
>> code with Bitcoin Core, with the addition of UTXO set commitments, and
>> disabling non-taproot address types to minimize certain resource usage
>> issues[5]. All users validate the mainchain as usual with their full node,
>> and all softchains are validated with PoW FP consensus. If a user is
>> interested in directly using a specific softchain, they should run it as a
>> full node in order to get fast consensus.
>>
>> Peg-ins occur by freezing coins on the mainchain and assigning them to a
>> softchain. Peg-outs occur by creating a mainchain transaction that points
>> to a peg-out transaction on a softchain and waiting for a sufficient number
>> of mainchain confirmations. If the peg-out transaction remains part of the
>> softchain according to PoW FP consensus, the coins become spendable.
>>
>> The peg-in/peg-out mechanism itself would require a soft fork (the exact
>> design is an open question), and subsequently every softchain that gets
>> activated will also require a soft fork.
>>
>>
>> Potential dangers
>>
>> Softchain consensus still requires a form of validation from mainchain
>> users, which means that consensus bugs can have an adverse effect. In
>> particular, if a softchain suffers from a non-deterministic consensus bug,
>> it may be the case that a majority accepts a peg-in, while a minority
>> rejects it. This specific scenario could cause a chain split in mainchain
>> consensus. This is why it would be safest to base softchain designs on
>> Bitcoin Core.
>>
>> Similarly, it can theoretically be possible that a softchain gets a major
>> reorg, invalidating a peg-out right as it would have become accepted on the
>> mainchain, thus splitting consensus. The slow peg-out process makes this
>> increasingly unlikely, but not impossible. One thing that might help (or
>> perhaps only make it worse) is introducing a consensus rule that disallows
>> reorgs that are bigger than half the peg-out time (e.g. half a year, if the
>> peg-out is one year). This kind of rule does not actually solve this
>> consensus problem, but instead pushes the problem forward so it plays out
>> first on the softchain, giving time to take action before the problem
>> affects the mainchain.
>>
>> It is also important that each softchain produces a non-trivial amount of
>> PoW, because if the difficulty is too low, the cost of creating forks and
>> increasing the resource usage of PoW FP consensus goes down. It may
>> therefore make sense to have a minimum accepted difficulty for softchain
>> blocks (slowing down the chain when fees are not sufficient). Merged Mining
>> could also help here, since that would allow the softchains to potentially
>> receive the same hashrate as Bitcoin (assuming all miners participate), but
>> of course this would also put an additional validation burden on miners.
>>
>>
>> In closing
>>
>> It may turn out that the consensus risks outlined above make this
>> prohibitively risky, but at the very least it seems worth exploring the
>> possibilities. At a minimum it would provide more opt-in block space, and
>> it could potentially open the door to chains with entirely different
>> consensus rules.
>>
>> Thank you for taking the time to read and comprehend my work. I will
>> happily answer any questions and I look forward to any feedback on issues
>> that I might have overlooked, and ideas on mitigating problems to ensure
>> maximum safety.
>>
>> Hopefully this will bring decentralized two-way peg sidechains one step
>> closer to becoming a reality.
>>
>> Happy new year, everyone.
>>
>>
>> -- Ruben Somsen
>>
>>
>>
>> This post is mirrored and kept up-to-date here:
>> https://gist.github.com/RubenSomsen/7ecf7f13dc2496aa7eed8815a02f13d1
>>
>>
>> [0] Drivechains
>> https://www.drivechain.info/
>>
>> [1] PoW FP
>>
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-April/016873.html
>>
>> [2] PoW FP without a soft fork
>>
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017287.html
>>
>> [3]: utreexo
>> https://eprint.iacr.org/2019/611.pdf
>>
>> [4]: Forkmonitor
>> https://forkmonitor.info/notifications
>>
>> [5]: Harding on worst-case utreexo
>>
>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017298.html
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 13259 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-01-01 0:06 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-31 22:00 [bitcoin-dev] Softchains: Sidechains as a Soft Fork via Proof-of-Work Fraud Proofs Ruben Somsen
2020-12-31 23:26 ` ZmnSCPxj
2020-12-31 23:39 ` Ruben Somsen
2020-12-31 23:37 ` Sergio Demian Lerner
2021-01-01 0:05 ` Ruben Somsen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox