public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Jared Lee Richardson <jaredr26@gmail.com>
To: Erik Aronesty <erik@q32.com>
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] User Activated Soft Fork Split Protection
Date: Wed, 7 Jun 2017 14:09:04 -0700	[thread overview]
Message-ID: <CAD1TkXvaNq8wBsDdbYG4Qwn9YY=tXw8kPQQ2=B4nLKPdq3fsWg@mail.gmail.com> (raw)
In-Reply-To: <CAJowKgJi-68G5Xy1_8n_BOX5e8myj08_SPiFu+cdWsRD4DNy4w@mail.gmail.com>

> This is, by far, the safest way for miners to quickly defend against a chain split, much better than a -bip148 option.   This allows miners to defend themselves, with very little risk, since the defense is only activated if the majority of miners do so. I would move for a very rapid deployment.   Only miners would need to upgrade.   Regular users would not have to concern themselves with this release.

FYI, even if very successful, this deployment and change may have a
severe negative impact on a small group of miners.  Any miners/pools
who are not actively following the forums, news, or these discussions
may be difficult to reach and communicate with in time, particularly
with language barriers.  Of those, any who are also either not
signaling segwit currently or are running an older software version
will have their blocks continuously and constantly orphaned, but may
not have any alarms or notifications set up for such an unexpected
failure.  That may or may not be a worthy consideration, but it is
definitely brusque and a harsh price to pay.  Considering the
opposition mentioned against transaction limits for the rare cases
where a very large transaction has already been signed, it seems that
this would be worthy of consideration.  For the few miners in that
situation, it does turn segwit from an optional softfork into a
punishing hardfork.

I don't think that's a sufficient reason alone to kill the idea, but
it should be a concern.

Jared

On Wed, Jun 7, 2017 at 7:10 AM, Erik Aronesty via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> This is, by far, the safest way for miners to quickly defend against a chain
> split, much better than a -bip148 option.   This allows miners to defend
> themselves, with very little risk, since the defense is only activated if
> the majority of miners do so. I would move for a very rapid deployment.
> Only miners would need to upgrade.   Regular users would not have to concern
> themselves with this release.
>
> On Wed, Jun 7, 2017 at 6:13 AM, James Hilliard via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> I think even 55% would probably work out fine simply due to incentive
>> structures, once signalling is over 51% it's then clear to miners that
>> non-signalling blocks will be orphaned and the rest will rapidly
>> update to splitprotection/BIP148. The purpose of this BIP is to reduce
>> chain split risk for BIP148 since it's looking like BIP148 is going to
>> be run by a non-insignificant percentage of the economy at a minimum.
>>
>> On Wed, Jun 7, 2017 at 12:20 AM, Tao Effect <contact@taoeffect.com> wrote:
>> > See thread on replay attacks for why activating regardless of threshold
>> > is a
>> > bad idea [1].
>> >
>> > BIP91 OTOH seems perfectly reasonable. 80% instead of 95% makes it more
>> > difficult for miners to hold together in opposition to Core. It gives
>> > Core
>> > more leverage in negotiations.
>> >
>> > If they don't activate with 80%, Core can release another BIP to reduce
>> > it
>> > to 75%.
>> >
>> > Each threshold reduction makes it both more likely to succeed, but also
>> > increases the likelihood of harm to the ecosystem.
>> >
>> > Cheers,
>> > Greg
>> >
>> > [1]
>> >
>> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-June/014497.html
>> >
>> > --
>> > Please do not email me anything that you are not comfortable also
>> > sharing
>> > with the NSA.
>> >
>> > On Jun 6, 2017, at 6:54 PM, James Hilliard <james.hilliard1@gmail.com>
>> > wrote:
>> >
>> > This is a BIP8 style soft fork so mandatory signalling will be active
>> > after Aug 1st regardless.
>> >
>> > On Tue, Jun 6, 2017 at 8:51 PM, Tao Effect <contact@taoeffect.com>
>> > wrote:
>> >
>> > What is the probability that a 65% threshold is too low and can allow a
>> > "surprise miner attack", whereby miners are kept offline before the
>> > deadline, and brought online immediately after, creating potential
>> > havoc?
>> >
>> > (Nit: "simple majority" usually refers to >50%, I think, might cause
>> > confusion.)
>> >
>> > -Greg Slepak
>> >
>> > --
>> > Please do not email me anything that you are not comfortable also
>> > sharing
>> > with the NSA.
>> >
>> > On Jun 6, 2017, at 5:56 PM, James Hilliard via bitcoin-dev
>> > <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> >
>> > Due to the proposed calendar(https://segwit2x.github.io/) for the
>> > SegWit2x agreement being too slow to activate SegWit mandatory
>> > signalling ahead of BIP148 using BIP91 I would like to propose another
>> > option that miners can use to prevent a chain split ahead of the Aug
>> > 1st BIP148 activation date.
>> >
>> > The splitprotection soft fork is essentially BIP91 but using BIP8
>> > instead of BIP9 with a lower activation threshold and immediate
>> > mandatory signalling lock-in. This allows for a majority of miners to
>> > activate mandatory SegWit signalling and prevent a potential chain
>> > split ahead of BIP148 activation.
>> >
>> > This BIP allows for miners to respond to market forces quickly ahead
>> > of BIP148 activation by signalling for splitprotection. Any miners
>> > already running BIP148 should be encouraged to use splitprotection.
>> >
>> > <pre>
>> > BIP: splitprotection
>> > Layer: Consensus (soft fork)
>> > Title: User Activated Soft Fork Split Protection
>> > Author: James Hilliard <james.hilliard1@gmail.com>
>> > Comments-Summary: No comments yet.
>> > Comments-URI:
>> > Status: Draft
>> > Type: Standards Track
>> > Created: 2017-05-22
>> > License: BSD-3-Clause
>> >          CC0-1.0
>> > </pre>
>> >
>> > ==Abstract==
>> >
>> > This document specifies a coordination mechanism for a simple majority
>> > of miners to prevent a chain split ahead of BIP148 activation.
>> >
>> > ==Definitions==
>> >
>> > "existing segwit deployment" refer to the BIP9 "segwit" deployment
>> > using bit 1, between November 15th 2016 and November 15th 2017 to
>> > activate BIP141, BIP143 and BIP147.
>> >
>> > ==Motivation==
>> >
>> > The biggest risk of BIP148 is an extended chain split, this BIP
>> > provides a way for a simple majority of miners to eliminate that risk.
>> >
>> > This BIP provides a way for a simple majority of miners to coordinate
>> > activation of the existing segwit deployment with less than 95%
>> > hashpower before BIP148 activation. Due to time constraints unless
>> > immediately deployed BIP91 will likely not be able to enforce
>> > mandatory signalling of segwit before the Aug 1st activation of
>> > BIP148. This BIP provides a method for rapid miner activation of
>> > SegWit mandatory signalling ahead of the BIP148 activation date. Since
>> > the primary goal of this BIP is to reduce the chance of an extended
>> > chain split as much as possible we activate using a simple miner
>> > majority of 65% over a 504 block interval rather than a higher
>> > percentage. This BIP also allows miners to signal their intention to
>> > run BIP148 in order to prevent a chain split.
>> >
>> > ==Specification==
>> >
>> > While this BIP is active, all blocks must set the nVersion header top
>> > 3 bits to 001 together with bit field (1<<1) (according to the
>> > existing segwit deployment). Blocks that do not signal as required
>> > will be rejected.
>> >
>> > ==Deployment==
>> >
>> > This BIP will be deployed by "version bits" with a 65%(this can be
>> > adjusted if desired) activation threshold BIP9 with the name
>> > "splitprotecion" and using bit 2.
>> >
>> > This BIP starts immediately and is a BIP8 style soft fork since
>> > mandatory signalling will start on midnight August 1st 2017 (epoch
>> > time 1501545600) regardless of whether or not this BIP has reached its
>> > own signalling threshold. This BIP will cease to be active when segwit
>> > is locked-in.
>> >
>> > === Reference implementation ===
>> >
>> > <pre>
>> > // Check if Segregated Witness is Locked In
>> > bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
>> > Consensus::Params& params)
>> > {
>> >   LOCK(cs_main);
>> >   return (VersionBitsState(pindexPrev, params,
>> > Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
>> > THRESHOLD_LOCKED_IN);
>> > }
>> >
>> > // SPLITPROTECTION mandatory segwit signalling.
>> > if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
>> > Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
>> > THRESHOLD_LOCKED_IN &&
>> >    !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>> > // Segwit is not locked in
>> >    !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
>> > and is not active.
>> > {
>> >   bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>> > VERSIONBITS_TOP_BITS;
>> >   bool fSegbit = (pindex->nVersion &
>> > VersionBitsMask(chainparams.GetConsensus(),
>> > Consensus::DEPLOYMENT_SEGWIT)) != 0;
>> >   if (!(fVersionBits && fSegbit)) {
>> >       return state.DoS(0, error("ConnectBlock(): relayed block must
>> > signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>> >   }
>> > }
>> >
>> > // BIP148 mandatory segwit signalling.
>> > int64_t nMedianTimePast = pindex->GetMedianTimePast();
>> > if ( (nMedianTimePast >= 1501545600) &&  // Tue 01 Aug 2017 00:00:00 UTC
>> >    (nMedianTimePast <= 1510704000) &&  // Wed 15 Nov 2017 00:00:00 UTC
>> >    (!IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>> > // Segwit is not locked in
>> >     !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus())) )
>> > // and is not active.
>> > {
>> >   bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>> > VERSIONBITS_TOP_BITS;
>> >   bool fSegbit = (pindex->nVersion &
>> > VersionBitsMask(chainparams.GetConsensus(),
>> > Consensus::DEPLOYMENT_SEGWIT)) != 0;
>> >   if (!(fVersionBits && fSegbit)) {
>> >       return state.DoS(0, error("ConnectBlock(): relayed block must
>> > signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>> >   }
>> > }
>> > </pre>
>> >
>> >
>> > https://github.com/bitcoin/bitcoin/compare/0.14...jameshilliard:splitprotection-v0.14.1
>> >
>> > ==Backwards Compatibility==
>> >
>> > This deployment is compatible with the existing "segwit" bit 1
>> > deployment scheduled between midnight November 15th, 2016 and midnight
>> > November 15th, 2017. This deployment is also compatible with the
>> > existing BIP148 deployment. This BIP is compatible with BIP91 only if
>> > BIP91 activates before it and before BIP148. Miners will need to
>> > upgrade their nodes to support splitprotection otherwise they may
>> > build on top of an invalid block. While this bip is active users
>> > should either upgrade to splitprotection or wait for additional
>> > confirmations when accepting payments.
>> >
>> > ==Rationale==
>> >
>> > Historically we have used IsSuperMajority() to activate soft forks
>> > such as BIP66 which has a mandatory signalling requirement for miners
>> > once activated, this ensures that miners are aware of new rules being
>> > enforced. This technique can be leveraged to lower the signalling
>> > threshold of a soft fork while it is in the process of being deployed
>> > in a backwards compatible way. We also use a BIP8 style timeout to
>> > ensure that this BIP is compatible with BIP148 and that BIP148
>> > compatible mandatory signalling activates regardless of miner
>> > signalling levels.
>> >
>> > By orphaning non-signalling blocks during the BIP9 bit 1 "segwit"
>> > deployment, this BIP can cause the existing "segwit" deployment to
>> > activate without needing to release a new deployment. As we approach
>> > BIP148 activation it may be desirable for a majority of miners to have
>> > a method that will ensure that there is no chain split.
>> >
>> > ==References==
>> >
>> >
>> > *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013714.html
>> > Mailing list discussion]
>> >
>> > *[https://github.com/bitcoin/bitcoin/blob/v0.6.0/src/main.cpp#L1281-L1283
>> > P2SH flag day activation]
>> > *[[bip-0009.mediawiki|BIP9 Version bits with timeout and delay]]
>> > *[[bip-0016.mediawiki|BIP16 Pay to Script Hash]]
>> > *[[bip-0091.mediawiki|BIP91 Reduced threshold Segwit MASF]]
>> > *[[bip-0141.mediawiki|BIP141 Segregated Witness (Consensus layer)]]
>> > *[[bip-0143.mediawiki|BIP143 Transaction Signature Verification for
>> > Version 0 Witness Program]]
>> > *[[bip-0147.mediawiki|BIP147 Dealing with dummy stack element
>> > malleability]]
>> > *[[bip-0148.mediawiki|BIP148 Mandatory activation of segwit deployment]]
>> > *[[bip-0149.mediawiki|BIP149 Segregated Witness (second deployment)]]
>> > *[https://bitcoincore.org/en/2016/01/26/segwit-benefits/ Segwit
>> > benefits]
>> >
>> > ==Copyright==
>> >
>> > This document is dual licensed as BSD 3-clause, and Creative Commons
>> > CC0 1.0 Universal.
>> > _______________________________________________
>> > bitcoin-dev mailing list
>> > bitcoin-dev@lists.linuxfoundation.org
>> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>> >
>> >
>> >
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>


  parent reply	other threads:[~2017-06-07 21:09 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-07  0:56 [bitcoin-dev] User Activated Soft Fork Split Protection James Hilliard
2017-06-07  1:11 ` Karl Johan Alm
2017-06-07  1:29   ` James Hilliard
2017-06-07  1:51 ` Tao Effect
2017-06-07  1:54   ` James Hilliard
2017-06-07  4:17     ` Jacob Eliosoff
2017-06-07  5:20     ` Tao Effect
2017-06-07 10:13       ` James Hilliard
2017-06-07 14:10         ` Erik Aronesty
2017-06-07 16:44           ` Jacob Eliosoff
2017-06-07 18:05             ` Erik Aronesty
2017-06-07 19:39               ` Jacob Eliosoff
2017-06-07 19:59                 ` Erik Aronesty
2017-06-07 21:09           ` Jared Lee Richardson [this message]
2017-06-07 21:21             ` James Hilliard
2017-06-07 21:43               ` Jared Lee Richardson
2017-06-07 21:44                 ` James Hilliard
2017-06-07 21:29 ` Jared Lee Richardson
2017-06-07 21:42   ` James Hilliard
2017-06-07 21:50     ` Jared Lee Richardson
2017-06-07 22:23       ` James Hilliard
2017-06-07 22:53         ` Jared Lee Richardson
2017-06-07 23:11           ` James Hilliard
2017-06-07 23:43             ` Jared Lee Richardson
2017-06-08  0:01               ` James Hilliard
2017-06-08  0:20                 ` Jared Lee Richardson
2017-06-08  0:44                   ` James Hilliard
2017-06-08  1:01                     ` Jared Lee Richardson
2017-06-08  9:20                       ` James Hilliard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAD1TkXvaNq8wBsDdbYG4Qwn9YY=tXw8kPQQ2=B4nLKPdq3fsWg@mail.gmail.com' \
    --to=jaredr26@gmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=erik@q32.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox