From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 66CF4B55 for ; Wed, 14 Dec 2016 16:27:01 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-qk0-f176.google.com (mail-qk0-f176.google.com [209.85.220.176]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 526F6E3 for ; Wed, 14 Dec 2016 16:27:00 +0000 (UTC) Received: by mail-qk0-f176.google.com with SMTP id q130so26848699qke.1 for ; Wed, 14 Dec 2016 08:27:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hcA6LBK5hOws65SPRL+gkhT2fQ0N9n/OrgBf7tc33v0=; b=WsOA/hooMRH2FGaB6m3nFVozNBuFnUgcNwHcRhohvhqTkkD3VUR2MfxnXZw4LdE4cx 3hT5Vp4pkmxcBuvsZ1K4GZdb5LZ8+AUGLZTRxcB5pEkQzHKXeZqk1EARdMohefHr10i+ DGVY8l+2MIleu1nEGJt0TC3C5VoJmvphJhCPzjpKWTDWNsmXvtr64rNoeECbuHwXTVw2 nbioeWtQ7UMxZN5BeWdO9qCKFqahpETNYcpWD0AGly0BtrzxhUJJVBv7P1yOnr4iQC1k p3cia5mtcM52kUUKcX1x03tVpYe9NqAEqwfbrAuOt0XNoHp2N19eY9GMbS3Xzr9poNuo Rlqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hcA6LBK5hOws65SPRL+gkhT2fQ0N9n/OrgBf7tc33v0=; b=sQ7VYfjmnjVS/BM8GLBp+F3rFJd7KRxiemEuc31fhokAGCbLWSQ8MYbfA9fUScD4ez xoKRhv2zcQ0hoWYmOr1bCvhE+HTmqkZew5VFERuDowPRP9iWPw71MFkemEOgNaYQjYZx OT2H4geoUYMAd2LH4RGyIfzKmQdKBNozf/BQyg5SV276VBrqeLkUN06I2bXctmtoRs+J DBk0xn7pZpeUEculfwb7g0o8FsRPHRawsEH3sCc/m2pX7fimhxyGGQuxtPsi5p23Z4gP 8DjtLHz6dkIG4dqf6Uis/fGLZIme8bAAf0SL/LE4vFxDeya3qUmqVTdJo2sv61qAHmoy lQqg== X-Gm-Message-State: AKaTC013lxNG+noH0wuP/2rl/S2npRQrU0bFedBrrVseqi93zAv/5zRvhZuC93xPnC/NLJx/xP1+/Fv36AuDTw== X-Received: by 10.55.154.200 with SMTP id c191mr88646989qke.117.1481732819515; Wed, 14 Dec 2016 08:26:59 -0800 (PST) MIME-Version: 1.0 Received: by 10.237.52.99 with HTTP; Wed, 14 Dec 2016 08:26:58 -0800 (PST) In-Reply-To: References: <201612102141.58206.luke@dashjr.org> <02E75CD7-24A8-4E2F-9466-B5497D0B77F8@xbt.hk> From: Tier Nolan Date: Wed, 14 Dec 2016 16:26:58 +0000 Message-ID: To: Johnson Lau Content-Type: multipart/alternative; boundary=001a114d66245c04280543a0ce19 X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: bitcoin-dev Subject: Re: [bitcoin-dev] Forcenet: an experimental network with a new header format X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Dec 2016 16:27:01 -0000 --001a114d66245c04280543a0ce19 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Dec 14, 2016 at 3:45 PM, Johnson Lau wrote: > I think that=E2=80=99s too much tech debt just for softforkability. > > The better way would be making the sum tree as an independent tree with a > separate commitment, and define a special type of softfork (e.g. a specia= l > BIP9 bit). > One of the problems with fraud proofs is withholding by miners. It is important that proof of publication/archive nodes check that the miners are actually publishing their blocks. If you place the data in another tree, then care needs to be taken that the merkle path information can be obtained for that tree. If an SPV node asks for a run of transactions from an archive node, then the archive node can give the merkle branch for all of those transactions. The archive node inherently has to check that tree. The question is if there is a way to show that data is not available, but without opening up the network to DOS. If enough people run full nodes then this isn't a problem. > > When the softfork is activated, the legacy full node will stop validating > the sum tree. This doesn=E2=80=99t really degrade the security by more th= an a > normal softfork, as the legacy full node would still validate the total > weight and nSigOp based on its own rules. The only purpose of the sum tre= e > is to help SPV nodes to validate. This way we could even completely > redefine the structure and data committed in the sum tree. > Seems reasonable. I think the soft-fork would have to have a timeout before actually activating. That would give SPV clients time to switch over. That could happen before the vote though, so it isn't essential. The SPV clients would have to support both trees and then switch mode. Ensuring that SPV nodes actually bother would be helped by proving that the network actually intends to soft fork. The SPV client just has to check that every block has at least one of the commitments that it accepts so that it can understand fraud proofs. > > I=E2=80=99d like to combine the size weight and sigOp weight, but not sur= e if we > could. The current size weight limit is 4,000,000 and sigop limit is > 80,000. It=E2=80=99s 50:1. If we maintain this ratio, and define > weight =3D n * (total size + 3 * base size) + sigop , with n =3D 50 > a block may have millions of sigops which is totally unacceptable. > You multiplied by the wrong term. weight =3D total size + 3 * base size + n * sigop , with n =3D 50 weight for max block =3D 8,000,000 That gives a maximum of 8,000,000 / 50 =3D 160,000 sigops. To get that you would need zero transaction length. You could get close if you have transactions that just repeat OP_CHECKSIG over and over (or maybe something with OP_CHECKMULTISIG). > > On the other hand, if we make n too low, we may allow either too few > sigop, or a too big block size. > > Signature aggregation will make this a bigger problem as one signature ma= y > spend thousands of sigop > > > > On 14 Dec 2016, at 20:52, Tier Nolan wrote: > > > > On Wed, Dec 14, 2016 at 10:55 AM, Johnson Lau wrote: > >> In a sum tree, however, since the nSigOp is implied, any redefinition >> requires either a hardfork or a new sum tree (and the original sum tree >> becomes a placebo for old nodes. So every softfork of this type creates = a >> new tree) >> > > That's a good point. > > >> The only way to fix this is to explicitly commit to the weight and >> nSigOp, and the committed value must be equal to or larger than the real >> value. Only in this way we could redefine it with softfork. However, tha= t >> means each tx will have an overhead of 16 bytes (if two int64 are used) >> > > The weight and sigop count could be transmitted as variable length > integers. That would be around 2 bytes for the sigops and 3 bytes for th= e > weight, per transaction. > > It would mean that the block format would have to include the raw > transaction, "extra"/tree information and witness data for each transacti= on. > > On an unrelated note, the two costs could be combined into a unified > cost. For example, a sigop could have equal cost to 250 bytes. This wou= ld > make it easier for miners to decide what to charge. > > On the other hand, CPU cost and storage/network costs are not completely > interchangeable. > > Is there anything that would need to be summed fees, raw tx size, weight > and sigops that the greater or equal rule wouldn't cover? > > On 12 Dec 2016, at 00:40, Tier Nolan via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > > > On Sat, Dec 10, 2016 at 9:41 PM, Luke Dashjr wrote: > >> On Saturday, December 10, 2016 9:29:09 PM Tier Nolan via bitcoin-dev >> wrote: >> > Any new merkle algorithm should use a sum tree for partial validation >> and >> > fraud proofs. >> >> PR welcome. >> > > Fair enough. It is pretty basic. > > https://github.com/luke-jr/bips/pull/2 > > It sums up sigops, block size, block cost (that is "weight" right?) and > fees. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > > > --001a114d66245c04280543a0ce19 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Wed, Dec 14, 2016 at 3:45 PM, Johnson Lau <jl2012@xbt.hk>= wrote:
I think that=E2=80=99s too much tech debt just for so= ftforkability.

The better way would be making the sum tr= ee as an independent tree with a separate commitment, and define a special = type of softfork (e.g. a special BIP9 bit).
One of the problems with fraud proofs is withholding by miners= .=C2=A0 It is important that proof of publication/archive nodes check that = the miners are actually publishing their blocks.

If you p= lace the data in another tree, then care needs to be taken that the merkle = path information can be obtained for that tree.

If an SPV node asks = for a run of transactions from an archive node, then the archive node can g= ive the merkle branch for all of those transactions.=C2=A0 The archive node= inherently has to check that tree.

The question is if th= ere is a way to show that data is not available, but without opening up the= network to DOS.=C2=A0 If enough people run full nodes then this isn't = a problem.
=C2=A0
When the softfork is activated, = the legacy full node will stop validating the sum tree. This doesn=E2=80=99= t really degrade the security by more than a normal softfork, as the legacy= full node would still validate the total weight and nSigOp based on its ow= n rules. The only purpose of the sum tree is to help SPV nodes to validate.= This way we could even completely redefine the structure and data committe= d in the sum tree.

Seems reason= able.=C2=A0 I think the soft-fork would have to have a timeout before actua= lly activating.=C2=A0 That would give SPV clients time to switch over.=C2= =A0

That could happen before the vote though, so it isn&= #39;t essential.=C2=A0 The SPV clients would have to support both trees and= then switch mode.=C2=A0 Ensuring that SPV nodes actually bother would be h= elped by proving that the network actually intends to soft fork.

The SPV client just has to check that every block has at least one = of the commitments that it accepts so that it can understand fraud proofs.<= br>
=C2=A0

I=E2=80=99d like t= o combine the size weight and sigOp weight, but not sure if we could. The c= urrent size weight limit is 4,000,000 and sigop limit is 80,000. It=E2=80= =99s 50:1. If we maintain this ratio, and define
weight =3D n * (= total size + =C2=A03 * base size) + sigop , with n =3D 50
a block= may have millions of sigops which is totally unacceptable.

You multiplied by the wrong term.

weigh= t =3D total size + =C2=A03 * base size + n * sigop , with n =3D 50

<= /div>
weight for max block =3D 8,000,000

T= hat gives a maximum of 8,000,000 / 50 =3D 160,000 sigops.

To get that you would need zero transaction length.=C2=A0 You could get cl= ose if you have transactions that just repeat OP_CHECKSIG over and over (or= maybe something with OP_CHECKMULTISIG).
=C2=A0

On the other hand, if we make n too low, we may allo= w either too few sigop, or a too big block size.

S= ignature aggregation will make this a bigger problem as one signature may s= pend thousands of sigop



On 14 Dec 2016, a= t 20:52, Tier Nolan <tier.nolan@gmail.com> wrote:



On Wed, Dec 14, 2016 at 1= 0:55 AM, Johnson Lau <jl2012@xbt.hk> wrote:
I= n a sum tree, however, since the nSigOp is implied, any redefinition requir= es either a hardfork or a new sum tree (and the original sum tree becomes a= placebo for old nodes. So every softfork of this type creates a new tree)<= /div>

That's a good point.
=C2=A0
The only way to fix this is to explicit= ly commit to the weight and nSigOp, and the committed value must be equal t= o or larger than the real value. Only in this way we could redefine it with= softfork. However, that means each tx will have an overhead of 16 bytes (i= f two int64 are used)

The weight and sigop count could be transmitted as va= riable length integers.=C2=A0 That would be around 2 bytes for the sigops a= nd 3 bytes for the weight, per transaction.

It would mean that the block format would have to include= the raw transaction, "extra"/tree information and witness data f= or each transaction.

On an unrelated note, the two costs could= be combined into a unified cost.=C2=A0 For example, a sigop could have equ= al cost to 250 bytes.=C2=A0 This would make it easier for miners to decide = what to charge.

On the other hand, = CPU cost and storage/network costs are not completely interchangeable.
<= br>Is there anything that would need to be summed fees, raw tx size, weight= and sigops that the greater or equal rule wouldn't cover?

On 12= Dec 2016, at 00:40, Tier Nolan via bitcoin-dev <bitcoin-dev@lists.linux= foundation.org> wrote:
=

On Sat, Dec 10, 2016 at 9:41 PM, Luke Dashjr <luke@dashjr.org> wrote:
On Saturday,= December 10, 2016 9:29:09 PM Tier Nolan via bitcoin-dev wrote:
> Any new merkle algorithm should use a sum tree for partial validation = and
> fraud proofs.

PR welcome.

Fair enough.=C2=A0 I= t is pretty basic.

https://github.com/luke-jr/bips/pull/2

=
It sums up sigops, block size, block cost (that is "weight&= quot; right?) and fees.
_______________________________________________
bitcoin-dev mailing= list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev<= /a>



--001a114d66245c04280543a0ce19--