From: Tier Nolan
To: Bitcoin Dev
Date: Fri, 8 May 2015 00:32:12 +0100
Subject: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY

One of the suggestions to avoid the problem of fees going to zero is assurance contracts. This lets users (perhaps large merchants or exchanges) pay to support the network. If insufficient people pay for the contract, then it fails.

Mike Hearn suggests one way of achieving it, but it doesn't actually create an assurance contract. Miners can exploit the system to convert the pledges into donations.

https://bitcointalk.org/index.php?topic=157141.msg1821770#msg1821770

Consider a situation in the future where the minting fee has dropped to almost zero. A merchant wants to cause block number 1 million to effectively have a minting fee of 50BTC.

He creates a transaction with one input (0.1BTC) and one output (50BTC) and signs it using SIGHASH_ANYONE_CAN_PAY. The output pays to OP_TRUE. This means that anyone can spend it. The miner who includes the transaction will send it to an address he controls (or pay to fee). The transaction has a locktime of 1 million, so that it cannot be included before that point.

This transaction cannot be included in a block, since the inputs are lower than the outputs. The SIGHASH_ANYONE_CAN_PAY field means that others can pledge additional funds. They add more input to add more money and the same sighash.
There would need to be some kind of notice board system for these pledges, but if enough pledge, then a valid transaction can be created. It is in miners' interests to maintain such a notice board.

The problem is that it counts as a pure donation. Even if only 10BTC has been pledged, a miner can just add 40BTC of his own money and finish the transaction. He nets the 10BTC of the pledges if he wins the block. If he loses, nobody sees his 40BTC transaction. The only risk is if his block is orphaned and somehow the miner who mines the winning block gets his 40BTC transaction into his block.

The assurance contract was supposed to mean "If the effective minting fee for block 1 million is 50 BTC, then I will pay 0.1BTC". By adding his 40BTC to the transaction the miner converts it to a pure donation.

The key point is that *other* miners don't get 50BTC reward if they find the block, so it doesn't push up the total hashing power being committed to the blockchain, that a 50BTC minting fee would achieve. This is the whole point of the assurance contract.

OP_CHECKLOCKTIMEVERIFY could be used to solve the problem.

Instead of paying to OP_TRUE, the transaction should pay 50 BTC to "<1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE" and 0.01BTC to "OP_TRUE".

This means that the transaction could be included into a block well in advance of the 1 million block point. Once block 1 million arrives, any miner would be able to spend the 50 BTC. The 0.01BTC is the fee for the block the transaction is included in.

If the contract hasn't been included in a block well in advance, pledgers would be recommended to spend their pledged input,

It can be used to pledge to many blocks at once. The transaction could pay out to lots of 50BTC outputs but with the locktime increasing by for each output.

For high value transactions, it isn't just the POW of the next block that matters but all the blocks that are built on top of it.
A pledger might want to say "I will pay 1BTC if the next 100 blocks all have at least an effective minting fee of 50BTC"
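The payoff cases the message walks through (10BTC pledged toward a 50BTC target), as an added Python model that is not part of the original post. The function names and satoshi accounting are assumptions of this example, and `breakeven_share` goes one step beyond the message by computing the hash-rate share at which topping up the CLTV contract stops losing money; the 0.01BTC fee is assumed to go to some other miner who confirms the contract early.

```python
COIN = 100_000_000   # satoshis per BTC
REWARD = 50 * COIN   # target "effective minting fee" for the pledged block
FEE = COIN // 100    # 0.01 BTC OP_TRUE output in the CLTV variant


def shortfall(pledged, outputs):
    """Value still missing before inputs cover outputs (0 means valid tx)."""
    return max(0, outputs - pledged)


def op_true_payoffs(pledged, m_wins):
    """Original scheme: single OP_TRUE output, nLockTime at the target block.

    Miner M privately adds the shortfall and puts the completed transaction
    only in his own candidate block, sweeping the output himself.
    Returns satoshi deltas for (M, pledgers, rival miner who wins instead).
    """
    topup = shortfall(pledged, REWARD)
    if topup == 0:
        # Fully funded and public: the contract works, any winner collects.
        return (REWARD, -pledged, 0) if m_wins else (0, -pledged, REWARD)
    if m_wins:
        # M pays `topup` and collects REWARD, so he nets exactly the pledges.
        return (REWARD - topup, -pledged, 0)
    # M lost the block and never broadcast his completed tx: nothing moved.
    return (0, 0, 0)


def cltv_payoffs(pledged, m_wins):
    """CLTV scheme: REWARD is locked until the target height, FEE pays the
    block that confirms the contract well in advance.

    Any top-up by M is confirmed on-chain before the target block, so the
    REWARD goes to whoever actually mines that block.
    """
    topup = shortfall(pledged, REWARD + FEE)
    if m_wins:
        return (REWARD - topup, -pledged, 0)
    return (-topup, -pledged, REWARD)


def breakeven_share(pledged):
    """Hash-rate share h where M's expected gain h*REWARD - topup is zero."""
    return shortfall(pledged, REWARD + FEE) / REWARD
```

With 10BTC pledged, the OP_TRUE variant gives the topping-up miner a free option (gain 10BTC or lose nothing), while the CLTV variant puts his 40.01BTC at stake and pays the full 50BTC to any rival who finds the block.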