* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-16 20:50 ` Matt Corallo
@ 2015-12-16 21:51 ` Jameson Lopp
2015-12-16 22:29 ` Matt Corallo
2015-12-16 22:32 ` Matt Corallo
2015-12-17 2:21 ` Jeff Garzik
` (2 subsequent siblings)
3 siblings, 2 replies; 32+ messages in thread
From: Jameson Lopp @ 2015-12-16 21:51 UTC (permalink / raw)
To: Matt Corallo; +Cc: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 9891 bytes --]
On Wed, Dec 16, 2015 at 12:50 PM, Matt Corallo via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> A large part of your argument is that SW will take longer to deploy than a
> hard fork, but I completely disagree. Though I do not agree with some
> people claiming we can deploy SW significantly faster than a hard fork,
> once the code is ready (probably a six month affair) we can get it deployed
> very quickly. It's true the ecosystem may take some time to upgrade, but I
> see that as a feature, not a bug - we can build up some fee pressure with
> an immediate release valve available for people to use if they want to pay
> fewer fees.
>
> On the other hand, a hard fork, while simpler for the ecosystem to upgrade
> to, is a 1-2 year affair (after the code is shipped, so at least 1.5-2.5
> from today if we all put off heads down and work). One thing that has
> concerned me greatly through this whole debate is how quickly people seem
> to think we can roll out a hard fork. Go look at the distribution of node
> versions on the network today and work backwards to get nearly every node
> upgraded... Even with a year between fork-version-release and
> fork-activation, we'd still kill a bunch of nodes and instead of reducing
> their security model, lead them to be outright robbed.
>
>
Over a year seems to be an extraordinarily long time frame is for deploying
a hard fork. It looks like <https://bitnodes.21.co/dashboard/?days=365> 75%
of reachable nodes have upgraded in the past 6 months while as much as 25%
may not have been upgraded in over a year. However, viewing historical
stats of version upgrades doesn't seem to be an appropriate comparison
because node operators have never been faced with the same incentive to
upgrade. We can point to unintentional forks in the past that have been
resolved fairly quickly by reaching out to miners, but it's also a poor
comparison. Unfortunately, we have no way of knowing what percentage of
nodes are economically important - a great deal of them may be running and
not even be used by the operators.
Perhaps it would be better if we were to formalize the expectations for
full node operators, but it seems to me that node operators have a
responsibility to keep themselves informed and decide when it is
appropriate to update their software. I'm not so sure that it's the rest of
the ecosystem's responsibility to wait around for laggards.
- Jameson
On December 16, 2015 12:38:30 PM PST, Jeff Garzik via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>
>> 1. Summary
>>
>> Segregated Witness (SegWitness, SW) is being presented in the context of
>> Scaling Bitcoin. It has useful attributes, notably addressing a major
>> malleability vector, but is not a short term scaling solution.
>>
>>
>> 2. Definitions
>>
>> Import Fee Event, ECE, TFM, FFM from previous email.
>>
>> Older clients - Any software not upgraded to SW
>>
>> Newer clients - Upgraded, SW aware software
>>
>>
>> Block size - refers to the core block economic resource limit ed by
>> MAX_BLOCK_SIZE. Witness data (or extension block data) is excluded.
>> Requires a hard fork to change.
>>
>> Core block - Current bitcoin block, with upper bound MAX_BLOCK_SIZE. Not
>> changed by SW.
>>
>>
>> Extended transaction - Newer, upgraded version of transaction data format.
>>
>> Extended block - Newer, upgraded version of block data format.
>>
>>
>> EBS - Extended block size. Block size seen by newer clients.
>>
>>
>> 3. Context of analysis
>>
>> One proposal presents SW *in lieu of* a hard fork block size increase.
>> This email focuses directly on that.
>>
>> Useful features outside block size context, such as anti-malleability or
>> fraud proof features, are not covered in depth.
>>
>>
>> 4.1. Observations on data structure formats and views
>>
>> SW creates two *views* of each transaction and block. SW has blocks and
>> extended blocks. Similarly, there exists transactions and extended
>> transactions.
>>
>> This view is rendered to clients depending on compatibility level. Newer
>> clients see extended blocks and extended transactions. Older clients see
>> blocks (limit 1M), and do not see extended blocks. Older clients see
>> upgraded transactions as unsigned, anyone-can-pay transactions.
>>
>> Each extended transaction exists in two states, one unsigned and one
>> signed, each of which passes validation as a valid bitcoin transaction.
>>
>>
>> 4.2. Observations on behavior of older transaction creation
>>
>> Transactions created by older clients will not use the extended
>> transaction format. All data is stored the standard 1M block as today.
>>
>>
>> 4.3. Observations on new block economic model
>>
>> SW complicates block economics by creating two separate, supply limited
>> resources.
>>
>> The core block economic resource is heavily contended. Older clients use
>> core blocks exclusively. Newer clients use core block s more
>> conservatively, storing as much data as possible in extended blocks.
>>
>> The extended block economic resource is less heavily contended, though
>> that of course grows over time as clients upgrade.
>>
>> Because core blocks are more heavily contended, it is presumed that older
>> clients will pay a higher fee than newer clients (subject to elasticity
>> etc.).
>>
>>
>> 5.1. Problem: Pace of roll-out will be slow - Whole Ecosystem must be
>> considered.
>>
>> The current apparent proposal is to roll out Segregated Witness as a soft
>> fork, and keep block size at 1M.
>>
>> The roll-out pace cannot simply be judged by soft fork speed - which is
>> months at best. Analysis must the layers above: Updating bitcoin-core
>> (JS) and bitcoinj (Java), and then the timelines to roll out those updates
>> to apps, and then the timeline to update those apps to create extended
>> transactions.
>>
>> Overall, wallet software and programmer libraries must be upgraded to
>> make use of this new format, adding many more months (12+ in some stacks)
>> to the roll out timeline. In the meantime, clients continue to contend
>> entirely for core block space.
>>
>>
>> 5.2. Problem: Hard fork to bigger block size Just Works(tm) with most
>> software, unlike SW.
>>
>> A simple hard fork such as BIP 102 is automatically compatible with the
>> vast range of today's ecosystem software.
>>
>> SW requires merchants to upgrade almost immediately, requires wallet and
>> other peripheral software upgrades to make use of. Other updates are
>> opt-in and occur more slowly. BIP 70 processors need some updates.
>>
>> The number of LOC that must change for BIP 102 is very small, and the
>> problem domain well known, versus SW.
>>
>>
>> 5.3. Problem: Due to pace, Fee Event not forestalled.
>>
>> Even presuming SW is merged into Bitcoin Core tomorrow, this does not
>> address the risk of a Fee Event and associated Economic Change in the
>> coming months.
>>
>>
>> 5.4. Problem: More complex economic policy, new game theory, new
>> bidding structure risks.
>>
>> Splitting blocks into two pieces, each with separate and distinct
>> behaviors and resource values, creates *two fee markets.*
>>
>> Having two pricing strata within each block has certainly feasible - that
>> is the current mining policy of (1) fee/KB followed by (2) priority/age.
>>
>> Valuable or not - e.g. incentivizing older clients to upgrade - the fact
>> remains that SW creates a more-complex bidding structure by creating a
>> second economic resource.
>>
>> *This is clearly a change to a new economic policy* with standard risks
>> associated with that. Will that induce an Economic C hange Event (see def
>> last email)? *Unlikely*, due to slow rollout pace.
>>
>>
>> 5.5. Problem: Current SW mining algorithm needs improvement
>>
>> Current SW block template maker does a reasonable job, but makes some
>> naive assumptions about the fee market across an entire extended block.
>> This is a mismatch with the economic reality (just described).
>>
>> 5.6. Problem: New, under-analyzed attack surfaces
>>
>> Less significant and fundamental but still worth noting.
>>
>> This is not a fundamental SW problem, but simply standard complexity risk
>> factors: splitting the signatures away from transactions, and creating a
>> new apparently-unsigned version of the transaction opens t he possibility
>> of some network attacks which cause some clients to degrade down from
>> extended block to core block mode temporarily.
>>
>> There is a chance of a failure mode that fools older clients into
>> thinking fraudulent data is valid (judgement: unlikely vis hashpower but
>> not impossible)
>>
>> 6. Conclusions and recommendations
>>
>> It seems unlikely that SW provides scaling in the short term, and SW
>> introduces new economics complexities.
>>
>> A "short term bump" hard fork block size increase addresses economic and
>> ecosystem risks that SW does not.
>>
>> Bump + SW should proce ed in parallel, independent tracks, as orthogonal
>> issues.
>>
>>
>> 7. Appendix - Other SW comments
>>
>> Hard forks provide much stronger validation, and ensure the network
>> operates at a fully trustless level.
>>
>> SW hard fork is preferred, versus soft fork. Soft forking SW places a
>> huge amount of trust on miners to validate transaction signatures, versus
>> the rest of the network, as the network slowly upgrades to newer clients.
>>
>> An SW hard fork could also add several zero-filled placeholders in a
>> merkle tree for future use.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------
>>
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
[-- Attachment #2: Type: text/html, Size: 16102 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-16 21:51 ` Jameson Lopp
@ 2015-12-16 22:29 ` Matt Corallo
2015-12-16 22:32 ` Matt Corallo
1 sibling, 0 replies; 32+ messages in thread
From: Matt Corallo @ 2015-12-16 22:29 UTC (permalink / raw)
To: Jameson Lopp; +Cc: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 11350 bytes --]
We should probably start by defining "economically important". To me, it's pretty clear that every, or at least around 99% of, " economically important" node have upgraded by the time the fork kicks in, with way more than sufficient time given to everyone to upgrade (minding that this is not an emergency situation and that people have lives and many Bitcoin services are hobby projects and upgrading isn't always as easy as just restarting your node). I'd define "economically important" as any node that is used for anything more than simply "being a node" (ie people who started a node to provide resources to the network, and only using their node for that). Note, of course, that we should avoid breaking all such "non-economically important" nodes, but breaking many of them is not a big deal. Note that my proposal includes nodes such as the one doing transaction selection for the relay network. Though it is not used for payments, if it is not upgraded, things will break.
With this definition in mind, I think a year is an aggressive timeline.
On December 16, 2015 1:51:47 PM PST, Jameson Lopp <jameson.lopp@gmail.com> wrote:
>On Wed, Dec 16, 2015 at 12:50 PM, Matt Corallo via bitcoin-dev <
>bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> A large part of your argument is that SW will take longer to deploy
>than a
>> hard fork, but I completely disagree. Though I do not agree with some
>> people claiming we can deploy SW significantly faster than a hard
>fork,
>> once the code is ready (probably a six month affair) we can get it
>deployed
>> very quickly. It's true the ecosystem may take some time to upgrade,
>but I
>> see that as a feature, not a bug - we can build up some fee pressure
>with
>> an immediate release valve available for people to use if they want
>to pay
>> fewer fees.
>>
>> On the other hand, a hard fork, while simpler for the ecosystem to
>upgrade
>> to, is a 1-2 year affair (after the code is shipped, so at least
>1.5-2.5
>> from today if we all put off heads down and work). One thing that has
>> concerned me greatly through this whole debate is how quickly people
>seem
>> to think we can roll out a hard fork. Go look at the distribution of
>node
>> versions on the network today and work backwards to get nearly every
>node
>> upgraded... Even with a year between fork-version-release and
>> fork-activation, we'd still kill a bunch of nodes and instead of
>reducing
>> their security model, lead them to be outright robbed.
>>
>>
>Over a year seems to be an extraordinarily long time frame is for
>deploying
>a hard fork. It looks like <https://bitnodes.21.co/dashboard/?days=365>
>75%
>of reachable nodes have upgraded in the past 6 months while as much as
>25%
>may not have been upgraded in over a year. However, viewing historical
>stats of version upgrades doesn't seem to be an appropriate comparison
>because node operators have never been faced with the same incentive to
>upgrade. We can point to unintentional forks in the past that have been
>resolved fairly quickly by reaching out to miners, but it's also a poor
>comparison. Unfortunately, we have no way of knowing what percentage of
>nodes are economically important - a great deal of them may be running
>and
>not even be used by the operators.
>
>Perhaps it would be better if we were to formalize the expectations for
>full node operators, but it seems to me that node operators have a
>responsibility to keep themselves informed and decide when it is
>appropriate to update their software. I'm not so sure that it's the
>rest of
>the ecosystem's responsibility to wait around for laggards.
>
>- Jameson
>
>On December 16, 2015 12:38:30 PM PST, Jeff Garzik via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>
>>> 1. Summary
>>>
>>> Segregated Witness (SegWitness, SW) is being presented in the
>context of
>>> Scaling Bitcoin. It has useful attributes, notably addressing a
>major
>>> malleability vector, but is not a short term scaling solution.
>>>
>>>
>>> 2. Definitions
>>>
>>> Import Fee Event, ECE, TFM, FFM from previous email.
>>>
>>> Older clients - Any software not upgraded to SW
>>>
>>> Newer clients - Upgraded, SW aware software
>>>
>>>
>>> Block size - refers to the core block economic resource limit ed by
>>> MAX_BLOCK_SIZE. Witness data (or extension block data) is excluded.
>>> Requires a hard fork to change.
>>>
>>> Core block - Current bitcoin block, with upper bound MAX_BLOCK_SIZE.
> Not
>>> changed by SW.
>>>
>>>
>>> Extended transaction - Newer, upgraded version of transaction data
>format.
>>>
>>> Extended block - Newer, upgraded version of block data format.
>>>
>>>
>>> EBS - Extended block size. Block size seen by newer clients.
>>>
>>>
>>> 3. Context of analysis
>>>
>>> One proposal presents SW *in lieu of* a hard fork block size
>increase.
>>> This email focuses directly on that.
>>>
>>> Useful features outside block size context, such as
>anti-malleability or
>>> fraud proof features, are not covered in depth.
>>>
>>>
>>> 4.1. Observations on data structure formats and views
>>>
>>> SW creates two *views* of each transaction and block. SW has blocks
>and
>>> extended blocks. Similarly, there exists transactions and extended
>>> transactions.
>>>
>>> This view is rendered to clients depending on compatibility level.
>Newer
>>> clients see extended blocks and extended transactions. Older
>clients see
>>> blocks (limit 1M), and do not see extended blocks. Older clients
>see
>>> upgraded transactions as unsigned, anyone-can-pay transactions.
>>>
>>> Each extended transaction exists in two states, one unsigned and one
>>> signed, each of which passes validation as a valid bitcoin
>transaction.
>>>
>>>
>>> 4.2. Observations on behavior of older transaction creation
>>>
>>> Transactions created by older clients will not use the extended
>>> transaction format. All data is stored the standard 1M block as
>today.
>>>
>>>
>>> 4.3. Observations on new block economic model
>>>
>>> SW complicates block economics by creating two separate, supply
>limited
>>> resources.
>>>
>>> The core block economic resource is heavily contended. Older
>clients use
>>> core blocks exclusively. Newer clients use core block s more
>>> conservatively, storing as much data as possible in extended blocks.
>>>
>>> The extended block economic resource is less heavily contended,
>though
>>> that of course grows over time as clients upgrade.
>>>
>>> Because core blocks are more heavily contended, it is presumed that
>older
>>> clients will pay a higher fee than newer clients (subject to
>elasticity
>>> etc.).
>>>
>>>
>>> 5.1. Problem: Pace of roll-out will be slow - Whole Ecosystem must
>be
>>> considered.
>>>
>>> The current apparent proposal is to roll out Segregated Witness as a
>soft
>>> fork, and keep block size at 1M.
>>>
>>> The roll-out pace cannot simply be judged by soft fork speed - which
>is
>>> months at best. Analysis must the layers above: Updating
>bitcoin-core
>>> (JS) and bitcoinj (Java), and then the timelines to roll out those
>updates
>>> to apps, and then the timeline to update those apps to create
>extended
>>> transactions.
>>>
>>> Overall, wallet software and programmer libraries must be upgraded
>to
>>> make use of this new format, adding many more months (12+ in some
>stacks)
>>> to the roll out timeline. In the meantime, clients continue to
>contend
>>> entirely for core block space.
>>>
>>>
>>> 5.2. Problem: Hard fork to bigger block size Just Works(tm) with
>most
>>> software, unlike SW.
>>>
>>> A simple hard fork such as BIP 102 is automatically compatible with
>the
>>> vast range of today's ecosystem software.
>>>
>>> SW requires merchants to upgrade almost immediately, requires wallet
>and
>>> other peripheral software upgrades to make use of. Other updates
>are
>>> opt-in and occur more slowly. BIP 70 processors need some updates.
>>>
>>> The number of LOC that must change for BIP 102 is very small, and
>the
>>> problem domain well known, versus SW.
>>>
>>>
>>> 5.3. Problem: Due to pace, Fee Event not forestalled.
>>>
>>> Even presuming SW is merged into Bitcoin Core tomorrow, this does
>not
>>> address the risk of a Fee Event and associated Economic Change in
>the
>>> coming months.
>>>
>>>
>>> 5.4. Problem: More complex economic policy, new game theory, new
>>> bidding structure risks.
>>>
>>> Splitting blocks into two pieces, each with separate and distinct
>>> behaviors and resource values, creates *two fee markets.*
>>>
>>> Having two pricing strata within each block has certainly feasible -
>that
>>> is the current mining policy of (1) fee/KB followed by (2)
>priority/age.
>>>
>>> Valuable or not - e.g. incentivizing older clients to upgrade - the
>fact
>>> remains that SW creates a more-complex bidding structure by creating
>a
>>> second economic resource.
>>>
>>> *This is clearly a change to a new economic policy* with standard
>risks
>>> associated with that. Will that induce an Economic C hange Event
>(see def
>>> last email)? *Unlikely*, due to slow rollout pace.
>>>
>>>
>>> 5.5. Problem: Current SW mining algorithm needs improvement
>>>
>>> Current SW block template maker does a reasonable job, but makes
>some
>>> naive assumptions about the fee market across an entire extended
>block.
>>> This is a mismatch with the economic reality (just described).
>>>
>>> 5.6. Problem: New, under-analyzed attack surfaces
>>>
>>> Less significant and fundamental but still worth noting.
>>>
>>> This is not a fundamental SW problem, but simply standard complexity
>risk
>>> factors: splitting the signatures away from transactions, and
>creating a
>>> new apparently-unsigned version of the transaction opens t he
>possibility
>>> of some network attacks which cause some clients to degrade down
>from
>>> extended block to core block mode temporarily.
>>>
>>> There is a chance of a failure mode that fools older clients into
>>> thinking fraudulent data is valid (judgement: unlikely vis hashpower
>but
>>> not impossible)
>>>
>>> 6. Conclusions and recommendations
>>>
>>> It seems unlikely that SW provides scaling in the short term, and SW
>>> introduces new economics complexities.
>>>
>>> A "short term bump" hard fork block size increase addresses economic
>and
>>> ecosystem risks that SW does not.
>>>
>>> Bump + SW should proce ed in parallel, independent tracks, as
>orthogonal
>>> issues.
>>>
>>>
>>> 7. Appendix - Other SW comments
>>>
>>> Hard forks provide much stronger validation, and ensure the network
>>> operates at a fully trustless level.
>>>
>>> SW hard fork is preferred, versus soft fork. Soft forking SW places
>a
>>> huge amount of trust on miners to validate transaction signatures,
>versus
>>> the rest of the network, as the network slowly upgrades to newer
>clients.
>>>
>>> An SW hard fork could also add several zero-filled placeholders in a
>>> merkle tree for future use.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
[-- Attachment #2: Type: text/html, Size: 17715 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-16 21:51 ` Jameson Lopp
2015-12-16 22:29 ` Matt Corallo
@ 2015-12-16 22:32 ` Matt Corallo
1 sibling, 0 replies; 32+ messages in thread
From: Matt Corallo @ 2015-12-16 22:32 UTC (permalink / raw)
To: Jameson Lopp; +Cc: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 10699 bytes --]
As for "the ecosystem waiting around for laggards", yes, it is absolutely the ecosystems y responsibility to not take actions that will result in people losing money without providing them far more than enough opportunity to fix it. One of the absolute most important features of Bitcoin is that, if you're running a full node, you are provided reasonable security against accepting invalid transactions.
On December 16, 2015 1:51:47 PM PST, Jameson Lopp <jameson.lopp@gmail.com> wrote:
>On Wed, Dec 16, 2015 at 12:50 PM, Matt Corallo via bitcoin-dev <
>bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> A large part of your argument is that SW will take longer to deploy
>than a
>> hard fork, but I completely disagree. Though I do not agree with some
>> people claiming we can deploy SW significantly faster than a hard
>fork,
>> once the code is ready (probably a six month affair) we can get it
>deployed
>> very quickly. It's true the ecosystem may take some time to upgrade,
>but I
>> see that as a feature, not a bug - we can build up some fee pressure
>with
>> an immediate release valve available for people to use if they want
>to pay
>> fewer fees.
>>
>> On the other hand, a hard fork, while simpler for the ecosystem to
>upgrade
>> to, is a 1-2 year affair (after the code is shipped, so at least
>1.5-2.5
>> from today if we all put off heads down and work). One thing that has
>> concerned me greatly through this whole debate is how quickly people
>seem
>> to think we can roll out a hard fork. Go look at the distribution of
>node
>> versions on the network today and work backwards to get nearly every
>node
>> upgraded... Even with a year between fork-version-release and
>> fork-activation, we'd still kill a bunch of nodes and instead of
>reducing
>> their security model, lead them to be outright robbed.
>>
>>
>Over a year seems to be an extraordinarily long time frame is for
>deploying
>a hard fork. It looks like <https://bitnodes.21.co/dashboard/?days=365>
>75%
>of reachable nodes have upgraded in the past 6 months while as much as
>25%
>may not have been upgraded in over a year. However, viewing historical
>stats of version upgrades doesn't seem to be an appropriate comparison
>because node operators have never been faced with the same incentive to
>upgrade. We can point to unintentional forks in the past that have been
>resolved fairly quickly by reaching out to miners, but it's also a poor
>comparison. Unfortunately, we have no way of knowing what percentage of
>nodes are economically important - a great deal of them may be running
>and
>not even be used by the operators.
>
>Perhaps it would be better if we were to formalize the expectations for
>full node operators, but it seems to me that node operators have a
>responsibility to keep themselves informed and decide when it is
>appropriate to update their software. I'm not so sure that it's the
>rest of
>the ecosystem's responsibility to wait around for laggards.
>
>- Jameson
>
>On December 16, 2015 12:38:30 PM PST, Jeff Garzik via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>
>>> 1. Summary
>>>
>>> Segregated Witness (SegWitness, SW) is being presented in the
>context of
>>> Scaling Bitcoin. It has useful attributes, notably addressing a
>major
>>> malleability vector, but is not a short term scaling solution.
>>>
>>>
>>> 2. Definitions
>>>
>>> Import Fee Event, ECE, TFM, FFM from previous email.
>>>
>>> Older clients - Any software not upgraded to SW
>>>
>>> Newer clients - Upgraded, SW aware software
>>>
>>>
>>> Block size - refers to the core block economic resource limit ed by
>>> MAX_BLOCK_SIZE. Witness data (or extension block data) is excluded.
>>> Requires a hard fork to change.
>>>
>>> Core block - Current bitcoin block, with upper bound MAX_BLOCK_SIZE.
> Not
>>> changed by SW.
>>>
>>>
>>> Extended transaction - Newer, upgraded version of transaction data
>format.
>>>
>>> Extended block - Newer, upgraded version of block data format.
>>>
>>>
>>> EBS - Extended block size. Block size seen by newer clients.
>>>
>>>
>>> 3. Context of analysis
>>>
>>> One proposal presents SW *in lieu of* a hard fork block size
>increase.
>>> This email focuses directly on that.
>>>
>>> Useful features outside block size context, such as
>anti-malleability or
>>> fraud proof features, are not covered in depth.
>>>
>>>
>>> 4.1. Observations on data structure formats and views
>>>
>>> SW creates two *views* of each transaction and block. SW has blocks
>and
>>> extended blocks. Similarly, there exists transactions and extended
>>> transactions.
>>>
>>> This view is rendered to clients depending on compatibility level.
>Newer
>>> clients see extended blocks and extended transactions. Older
>clients see
>>> blocks (limit 1M), and do not see extended blocks. Older clients
>see
>>> upgraded transactions as unsigned, anyone-can-pay transactions.
>>>
>>> Each extended transaction exists in two states, one unsigned and one
>>> signed, each of which passes validation as a valid bitcoin
>transaction.
>>>
>>>
>>> 4.2. Observations on behavior of older transaction creation
>>>
>>> Transactions created by older clients will not use the extended
>>> transaction format. All data is stored the standard 1M block as
>today.
>>>
>>>
>>> 4.3. Observations on new block economic model
>>>
>>> SW complicates block economics by creating two separate, supply
>limited
>>> resources.
>>>
>>> The core block economic resource is heavily contended. Older
>clients use
>>> core blocks exclusively. Newer clients use core block s more
>>> conservatively, storing as much data as possible in extended blocks.
>>>
>>> The extended block economic resource is less heavily contended,
>though
>>> that of course grows over time as clients upgrade.
>>>
>>> Because core blocks are more heavily contended, it is presumed that
>older
>>> clients will pay a higher fee than newer clients (subject to
>elasticity
>>> etc.).
>>>
>>>
>>> 5.1. Problem: Pace of roll-out will be slow - Whole Ecosystem must
>be
>>> considered.
>>>
>>> The current apparent proposal is to roll out Segregated Witness as a
>soft
>>> fork, and keep block size at 1M.
>>>
>>> The roll-out pace cannot simply be judged by soft fork speed - which
>is
>>> months at best. Analysis must the layers above: Updating
>bitcoin-core
>>> (JS) and bitcoinj (Java), and then the timelines to roll out those
>updates
>>> to apps, and then the timeline to update those apps to create
>extended
>>> transactions.
>>>
>>> Overall, wallet software and programmer libraries must be upgraded
>to
>>> make use of this new format, adding many more months (12+ in some
>stacks)
>>> to the roll out timeline. In the meantime, clients continue to
>contend
>>> entirely for core block space.
>>>
>>>
>>> 5.2. Problem: Hard fork to bigger block size Just Works(tm) with
>most
>>> software, unlike SW.
>>>
>>> A simple hard fork such as BIP 102 is automatically compatible with
>the
>>> vast range of today's ecosystem software.
>>>
>>> SW requires merchants to upgrade almost immediately, requires wallet
>and
>>> other peripheral software upgrades to make use of. Other updates
>are
>>> opt-in and occur more slowly. BIP 70 processors need some updates.
>>>
>>> The number of LOC that must change for BIP 102 is very small, and
>the
>>> problem domain well known, versus SW.
>>>
>>>
>>> 5.3. Problem: Due to pace, Fee Event not forestalled.
>>>
>>> Even presuming SW is merged into Bitcoin Core tomorrow, this does
>not
>>> address the risk of a Fee Event and associated Economic Change in
>the
>>> coming months.
>>>
>>>
>>> 5.4. Problem: More complex economic policy, new game theory, new
>>> bidding structure risks.
>>>
>>> Splitting blocks into two pieces, each with separate and distinct
>>> behaviors and resource values, creates *two fee markets.*
>>>
>>> Having two pricing strata within each block has certainly feasible -
>that
>>> is the current mining policy of (1) fee/KB followed by (2)
>priority/age.
>>>
>>> Valuable or not - e.g. incentivizing older clients to upgrade - the
>fact
>>> remains that SW creates a more-complex bidding structure by creating
>a
>>> second economic resource.
>>>
>>> *This is clearly a change to a new economic policy* with standard
>risks
>>> associated with that. Will that induce an Economic C hange Event
>(see def
>>> last email)? *Unlikely*, due to slow rollout pace.
>>>
>>>
>>> 5.5. Problem: Current SW mining algorithm needs improvement
>>>
>>> Current SW block template maker does a reasonable job, but makes
>some
>>> naive assumptions about the fee market across an entire extended
>block.
>>> This is a mismatch with the economic reality (just described).
>>>
>>> 5.6. Problem: New, under-analyzed attack surfaces
>>>
>>> Less significant and fundamental but still worth noting.
>>>
>>> This is not a fundamental SW problem, but simply standard complexity
>risk
>>> factors: splitting the signatures away from transactions, and
>creating a
>>> new apparently-unsigned version of the transaction opens t he
>possibility
>>> of some network attacks which cause some clients to degrade down
>from
>>> extended block to core block mode temporarily.
>>>
>>> There is a chance of a failure mode that fools older clients into
>>> thinking fraudulent data is valid (judgement: unlikely vis hashpower
>but
>>> not impossible)
>>>
>>> 6. Conclusions and recommendations
>>>
>>> It seems unlikely that SW provides scaling in the short term, and SW
>>> introduces new economics complexities.
>>>
>>> A "short term bump" hard fork block size increase addresses economic
>and
>>> ecosystem risks that SW does not.
>>>
>>> Bump + SW should proce ed in parallel, independent tracks, as
>orthogonal
>>> issues.
>>>
>>>
>>> 7. Appendix - Other SW comments
>>>
>>> Hard forks provide much stronger validation, and ensure the network
>>> operates at a fully trustless level.
>>>
>>> SW hard fork is preferred, versus soft fork. Soft forking SW places
>a
>>> huge amount of trust on miners to validate transaction signatures,
>versus
>>> the rest of the network, as the network slowly upgrades to newer
>clients.
>>>
>>> An SW hard fork could also add several zero-filled placeholders in a
>>> merkle tree for future use.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
[-- Attachment #2: Type: text/html, Size: 17006 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-16 20:50 ` Matt Corallo
2015-12-16 21:51 ` Jameson Lopp
@ 2015-12-17 2:21 ` Jeff Garzik
2015-12-17 2:44 ` Eric Lombrozo
2015-12-17 5:32 ` jl2012
2015-12-17 6:14 ` Marcel Jamin
3 siblings, 1 reply; 32+ messages in thread
From: Jeff Garzik @ 2015-12-17 2:21 UTC (permalink / raw)
To: Matt Corallo; +Cc: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 2401 bytes --]
On Wed, Dec 16, 2015 at 3:50 PM, Matt Corallo <lf-lists@mattcorallo.com>
wrote:
> A large part of your argument is that SW will take longer to deploy than a
> hard fork, but I completely disagree. Though I do not agree with some
> people claiming we can deploy SW significantly faster than a hard fork,
> once the code is ready (probably a six month affair) we can get it deployed
> very quickly. It's true the ecosystem may take some time to upgrade, but I
> see that as a feature, not a bug - we can build up some fee pressure with
> an immediate release valve available for people to use if they want to pay
> fewer fees.
>
That's taking a big risk. "Build up some fee pressure" is essentially
risking a Fee Event if uptake is slower than planned, or traffic is greater
than expected.
>
> On the other hand, a hard fork, while simpler for the ecosystem to upgrade
> to, is a 1-2 year affair (after the code is shipped, so at least 1.5-2.5
> from today if we all put off heads down and work). One thing that has
> concerned me greatly through this whole debate is how quickly people seem
> to think we can roll out a hard fork. Go look at the distribution of node
> versions on the network today and work backwards to get nearly every node
> upgraded... Even with a year between fork-version-release and
> fork-activation, we'd still kill a bunch of nodes and instead of reducing
> their security model, lead them to be outright robbed.
>
A hard fork will never achieve 100% There are many credible folks and
estimates who feel a May hard fork is reasonable and doable.
Further, hard forks restore the full trustless nature of the post-hard-fork
nodes. Soft forks continually erode that. That's why SW should come via
hard fork. The end result is more secure - 100% validation of witness
transactions.
If regular hard fork plans are proposed in public, many months in advance,
there is plenty of time for the community to react. Hard forks create a
more predictable market and environment for Users, and a more secure
network.
Further, even if you believe SW makes hard fork unnecessary, it is the
responsible thing to code and communicate to users the plan for a Fee Event
just in case SW uptake and extension block use does not match theoretical
projections of SW proponents.
Finally, SW does not eliminate and is orthogonal to Short Term Problem #1
(orig. email - drift into ECE)
[-- Attachment #2: Type: text/html, Size: 3037 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 2:21 ` Jeff Garzik
@ 2015-12-17 2:44 ` Eric Lombrozo
2015-12-17 2:58 ` Jeff Garzik
0 siblings, 1 reply; 32+ messages in thread
From: Eric Lombrozo @ 2015-12-17 2:44 UTC (permalink / raw)
To: Jeff Garzik, Jeff Garzik via bitcoin-dev, Matt Corallo
Cc: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 3732 bytes --]
There are no good short-term scaling solutions...this is a very hard problem that necessarily requires a lot of out-of-the-box thinking, something 2015 has seen a LOT of...and I'm optimistic about the ideas presented thus far.
At least SW *is* a scaling solution (albeit most of the important benefits are long term). The issue of fee events has nothing to do with scaling - it has to do with economics...specifically whether we should be subsidizing transactions, who should pay the bill for it, etc. My own personal opinion is that increasing validation costs works against adoption, not for it...even if it artificially keeps fees low - and we'll have to deal with a fee event sooner or later anyhow. You may disagree with my opinion, but please, let's stop confounding the economic issues with actual scaling.
On December 16, 2015 6:21:22 PM PST, Jeff Garzik via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>On Wed, Dec 16, 2015 at 3:50 PM, Matt Corallo
><lf-lists@mattcorallo.com>
>wrote:
>
>> A large part of your argument is that SW will take longer to deploy
>than a
>> hard fork, but I completely disagree. Though I do not agree with some
>> people claiming we can deploy SW significantly faster than a hard
>fork,
>> once the code is ready (probably a six month affair) we can get it
>deployed
>> very quickly. It's true the ecosystem may take some time to upgrade,
>but I
>> see that as a feature, not a bug - we can build up some fee pressure
>with
>> an immediate release valve available for people to use if they want
>to pay
>> fewer fees.
>>
>
>That's taking a big risk. "Build up some fee pressure" is essentially
>risking a Fee Event if uptake is slower than planned, or traffic is
>greater
>than expected.
>
>
>
>>
>> On the other hand, a hard fork, while simpler for the ecosystem to
>upgrade
>> to, is a 1-2 year affair (after the code is shipped, so at least
>1.5-2.5
>> from today if we all put off heads down and work). One thing that has
>> concerned me greatly through this whole debate is how quickly people
>seem
>> to think we can roll out a hard fork. Go look at the distribution of
>node
>> versions on the network today and work backwards to get nearly every
>node
>> upgraded... Even with a year between fork-version-release and
>> fork-activation, we'd still kill a bunch of nodes and instead of
>reducing
>> their security model, lead them to be outright robbed.
>>
>
>A hard fork will never achieve 100% There are many credible folks and
>estimates who feel a May hard fork is reasonable and doable.
>
>Further, hard forks restore the full trustless nature of the
>post-hard-fork
>nodes. Soft forks continually erode that. That's why SW should come
>via
>hard fork. The end result is more secure - 100% validation of witness
>transactions.
>
>If regular hard fork plans are proposed in public, many months in
>advance,
>there is plenty of time for the community to react. Hard forks create
>a
>more predictable market and environment for Users, and a more secure
>network.
>
>Further, even if you believe SW makes hard fork unnecessary, it is the
>responsible thing to code and communicate to users the plan for a Fee
>Event
>just in case SW uptake and extension block use does not match
>theoretical
>projections of SW proponents.
>
>Finally, SW does not eliminate and is orthogonal to Short Term Problem
>#1
>(orig. email - drift into ECE)
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>bitcoin-dev mailing list
>bitcoin-dev@lists.linuxfoundation.org
>https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[-- Attachment #2: Type: text/html, Size: 4657 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 2:44 ` Eric Lombrozo
@ 2015-12-17 2:58 ` Jeff Garzik
2015-12-17 3:48 ` Adam Back
0 siblings, 1 reply; 32+ messages in thread
From: Jeff Garzik @ 2015-12-17 2:58 UTC (permalink / raw)
To: Eric Lombrozo; +Cc: Jeff Garzik via bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 1145 bytes --]
On Wed, Dec 16, 2015 at 9:44 PM, Eric Lombrozo <elombrozo@gmail.com> wrote:
> At least SW *is* a scaling solution (albeit most of the important benefits
> are long term). The issue of fee events has nothing to do with scaling - it
> has to do with economics...specifically whether we should be subsidizing
> transactions, who should pay the bill for it, etc. My own personal opinion
> is that increasing validation costs works against adoption, not for
> it...even if it artificially keeps fees low - and we'll have to deal with a
> fee event sooner or later anyhow. You may disagree with my opinion, but
> please, let's stop confounding the economic issues with actual scaling.
>
At least on my part, the title of the 1st email was "It's economics & ..."
and focused on (a) economics and (b) transition issues. There was no
confounding. There was a list of real problems and risks taken when 1M is
not lifted in the short term.
Thus "SW is orthogonal" in these emails, because these problems remain
regardless of SW or no, as the 1st email outlined.
The 2nd email addresses the specific assertion of "no 1M hard fork needed,
because SW."
[-- Attachment #2: Type: text/html, Size: 1579 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 2:58 ` Jeff Garzik
@ 2015-12-17 3:48 ` Adam Back
0 siblings, 0 replies; 32+ messages in thread
From: Adam Back @ 2015-12-17 3:48 UTC (permalink / raw)
To: Jeff Garzik; +Cc: Jeff Garzik via bitcoin-dev
There are a range of opinions about input assumptions by different
people. In each case, short of misunderstanding, if we have the same
input assumptions we're going to reach the same conclusions. This is
the way of the world in a meritocracy. The interesting point is to
compare the input assumptions and try to figure out which are more
realistic, pragmatic and achieve the best outcome.
It might be instructive to re-read Greg's roadmap and others to
re-read Jeff's original post (I will).
There is a proposed roadmap and soft-fork block-size increase and code
that Pieter is working on. There has been rationale described for
this approach, and it achieves many useful things both short, mid and
long term for scale and other issues.
There seem to be a range of opinions on the fee market, and one
question is when do we deem it safe to aim to be prepared to support a
fee market.
How elastic is block-size demand? (I think there is evidence of some
elasticity which indicates a partly working fee market already). What
I mean by elasticity of block-size demand is there are off-chain
transactions and people make an economic choice of whether to go on
chain or not, and the vast majority of transactions, all told, are
off-chain. Clearly it is ideal if they all go on chain, scale
permitting.
If we look at the roadmap at high-level:
1) bump (seg-wit or ...)
2) network improvements (IBLT/weak-block/other)
3) longer term dynamic block-size (flexcap)
4) write-cache (lightning)
It would probably be good to see some work on preparing for fee
markets. That has happened somewhat recently in response to the
stress tests. We do have an observed problem that if there is no
incentive to prepare, the improvements dont happen, and so we can
never be ready for a fee market. That's kind of how we got here,
people were talking about fee-estimation and dynamic fees several
years ago before the block-size went from 250kB to 750kB, and then
lost interest as there was another 500kB to play with. There could be
a best practice doc written asking people to prepare. That might
help.
Presumably it's good if we do see the fee market more, for it to come
in gradually. Flexcap probably helps there because the block-size
itself becomes elastic to demand (pay for bigger blocks).
If we want to avoid a fee market for the immediate term, are we more
worried about period 1, or period 2 or 3. Probably 2 is more of a
worry as we're scaling in 1 where in period 2 we're preparing for
scaling and more time has passed for demand to grow. That might for
example argue for seg-wit because it brings us closer to 4) and if we
spread things out we might delay the possibility to do lightning as
there is only so many cycles for forks (hard or soft) in testing,
deployment planning etc so it can be good to have a holistic view.
Also the question of time-frame that is safe for soft-forks or
hard-forks is another input where views seem to vary. I think some
people are more optimistic about being able to avoid people losing
money in fast hard-forks. One lesson on users, is users find failure
modes that testing cant, or do things you would expect them not to do.
Also we're calling hard-forks things that are really soft-forks to SPV
clients, and hard-forks only to full-nodes. If we wanted to make a
real economic choice, we could artificially make an SPV hard-fork,
however that would make upgrade harder.
As I said in an earlier email I think everyone is empathetic to user
requirements, including economic desires - but Bitcoin has inherent
constraints that are complex to improve. Each proposal is trying to
best meet those holistic user requirements. There are no free lunches
and we dont want to economically hurt anyone in total or as a group or
type of use. Not all requirements can be met, they are in a trade
off, so that calls for balance, planning and transparency.
This is also a market, we can discuss protocol tradeoffs without being
melodramatic - would be kind of undesirable if a dramatic or emotive
way to express something as easily or more clearly expressed in
technical constructive words is moving the price around.
Adam
On 17 December 2015 at 03:58, Jeff Garzik via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Wed, Dec 16, 2015 at 9:44 PM, Eric Lombrozo <elombrozo@gmail.com> wrote:
>>
>> At least SW *is* a scaling solution (albeit most of the important benefits
>> are long term). The issue of fee events has nothing to do with scaling - it
>> has to do with economics...specifically whether we should be subsidizing
>> transactions, who should pay the bill for it, etc. My own personal opinion
>> is that increasing validation costs works against adoption, not for
>> it...even if it artificially keeps fees low - and we'll have to deal with a
>> fee event sooner or later anyhow. You may disagree with my opinion, but
>> please, let's stop confounding the economic issues with actual scaling.
>
>
> At least on my part, the title of the 1st email was "It's economics & ..."
> and focused on (a) economics and (b) transition issues. There was no
> confounding. There was a list of real problems and risks taken when 1M is
> not lifted in the short term.
>
> Thus "SW is orthogonal" in these emails, because these problems remain
> regardless of SW or no, as the 1st email outlined.
>
> The 2nd email addresses the specific assertion of "no 1M hard fork needed,
> because SW."
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-16 20:50 ` Matt Corallo
2015-12-16 21:51 ` Jameson Lopp
2015-12-17 2:21 ` Jeff Garzik
@ 2015-12-17 5:32 ` jl2012
2015-12-17 7:54 ` Corey Haddad
` (2 more replies)
2015-12-17 6:14 ` Marcel Jamin
3 siblings, 3 replies; 32+ messages in thread
From: jl2012 @ 2015-12-17 5:32 UTC (permalink / raw)
To: Matt Corallo; +Cc: Jeff Garzik via bitcoin-dev
There are at least 2 proposals on the table:
1. SWSF (segwit soft fork) with 1MB virtual block limit, approximately
equals to 2MB actual limit
2. BIP102: 2MB actual limit
Since the actual limits for both proposals are approximately the same,
it is not a determining factor in this discussion
The biggest advantage of SWSF is its softfork nature. However, its
complexity is not comparable with any previous softforks we had. It is
reasonable to doubt if it could be ready in 6 months
For BIP102, although it is a hardfork, it is a very simple one and could
be deployed with ISM in less than a month. It is even simpler than
BIP34, 66, and 65.
So we have a very complicated softfork vs. a very simple hardfork. The
only reason makes BIP102 not easy is the fact that it's a hardfork.
The major criticism for a hardfork is requiring everyone to upgrade. Is
that really a big problem?
First of all, hardfork is not a totally unknown territory. BIP50 was a
hardfork. The accident happened on 13 March 2013. Bitcoind 0.8.1 was
released on 18 March, which only gave 2 months of grace period for
everyone to upgrade. The actual hardfork happened on 16 August.
Everything completed in 5 months without any panic or chaos. This
experience strongly suggests that 5 months is already safe for a simple
hardfork. (in terms of simplicity, I believe BIP102 is even simpler than
BIP50)
Another experience is from BIP66. The 0.10.0 was released on 16 Feb
2015, exactly 10 months ago. I analyze the data on
https://bitnodes.21.co and found that 4600 out of 5090 nodes (90.4%)
indicate BIP66 support. Considering this is a softfork, I consider this
as very good adoption already.
With the evidence from BIP50 and BIP66, I believe a 5 months
pre-announcement is good enough for BIP102. As the vast majority of
miners have declared their support for a 2MB solution, the legacy 1MB
fork will certainly be abandoned and no one will get robbed.
My primary proposal:
Now - 15 Jan 2016: formally consult the major miners and merchants if
they support an one-off rise to 2MB. I consider approximately 80% of
mining power and 80% of trading volume would be good enough
16 - 31 Jan 2016: release 0.11.3 with BIP102 with ISM vote requiring 80%
of hashing power
1 Jun 2016: the first day a 2MB block may be allowed
Before 31 Dec 2016: release SWSF
My secondary proposal:
Now: Work on SWSF in a turbo mode and have a deadline of 1 Jun 2016
1 Jun 2016: release SWSF
What if the deadline is not met? Maybe pushing an urgent BIP102 if
things become really bad.
In any case, I hope a clear decision and road map could be made now.
This topic has been discussed to death. We are just bringing further
uncertainty if we keep discussing.
Matt Corallo via bitcoin-dev 於 2015-12-16 15:50 寫到:
> A large part of your argument is that SW will take longer to deploy
> than a hard fork, but I completely disagree. Though I do not agree
> with some people claiming we can deploy SW significantly faster than a
> hard fork, once the code is ready (probably a six month affair) we can
> get it deployed very quickly. It's true the ecosystem may take some
> time to upgrade, but I see that as a feature, not a bug - we can build
> up some fee pressure with an immediate release valve available for
> people to use if they want to pay fewer fees.
>
> On the other hand, a hard fork, while simpler for the ecosystem to
> upgrade to, is a 1-2 year affair (after the code is shipped, so at
> least 1.5-2.5 from today if we all put off heads down and work). One
> thing that has concerned me greatly through this whole debate is how
> quickly people seem to think we can roll out a hard fork. Go look at
> the distribution of node versions on the network today and work
> backwards to get nearly every node upgraded... Even with a year
> between fork-version-release and fork-activation, we'd still kill a
> bunch of nodes and instead of reducing their security model, lead them
> to be outright robbed.
>
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 5:32 ` jl2012
@ 2015-12-17 7:54 ` Corey Haddad
2015-12-17 13:09 ` Jorge Timón
2015-12-17 9:33 ` Mark Friedenbach
2015-12-17 10:57 ` Anthony Towns
2 siblings, 1 reply; 32+ messages in thread
From: Corey Haddad @ 2015-12-17 7:54 UTC (permalink / raw)
To: jl2012; +Cc: Jeff Garzik via bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 6936 bytes --]
A planned hardfork, similar to certain softforks, leaves users with some
reduction in security. It does not leave them defenseless. Consider the
following:
1: Hard to be robbed on the basis of hashpower.
In reality the old chain will see mining all but stop, and blocks would be
hours to days apart even if a couple percentage points of hashpower failed
to switch over. Six confirmations would certainly take days. If the fork
can be scheduled at the beginning of a difficulty period, the old chain
would almost certainly not even ever make it to the next retargeting.
2: Hard to be robber on the basis of awareness.
Expect there to be fairly widespread coverage in the Bitcoin press, and as
the fork draws near, maybe coverage in business and tech publications.
Further, the alert keys will certainly be used, so node operators will get
the message directly.
3: There still needs to be a targeted attack by a fraudster on an unaware
node operator.
To fall victim, one needs to give up something of value to an attacker in
exchange for Bitcoins (on the old chain). The typical uninitiated
full-node user (probably a small subset anyway) is typically going to be
buying bitcoin from a trusted source, and then saving or spending them, or
perhaps gambling. They are not, typically, going to be providing a service
or selling goods in exchange for Bitcoin unless they are at least somewhat
aware of what is going on in the Bitcoin space. It's possible, of course,
but we are talking about small numbers here of people who fit the above.
All three parts of the above would have to go perfectly wrong for someone
to loose out. Someone somewhere will probably get scammed as a result of a
hardfork. That stinks, and we should make reasonable efforts to help them
avoid that fate. But at this point in Bitcoin's development, it is still
in beta, it's still an economic experiment, and we can't allow the software
to become hamstrung out of fear that some inattentive user might bungle
their security. If they merely waited for 6 confirmations, as is the
standard advice, they would be waiting for days. If that along doesn't
give them a hint that something is wrong, it might still be too early days
for them to be playing with Bitcoin for anything important.
I support a hardfork deployment that takes 80% of hashpower activate + a
4-month delay.
On Wed, Dec 16, 2015 at 9:32 PM, jl2012 via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> There are at least 2 proposals on the table:
>
> 1. SWSF (segwit soft fork) with 1MB virtual block limit, approximately
> equals to 2MB actual limit
>
> 2. BIP102: 2MB actual limit
>
> Since the actual limits for both proposals are approximately the same, it
> is not a determining factor in this discussion
>
> The biggest advantage of SWSF is its softfork nature. However, its
> complexity is not comparable with any previous softforks we had. It is
> reasonable to doubt if it could be ready in 6 months
>
> For BIP102, although it is a hardfork, it is a very simple one and could
> be deployed with ISM in less than a month. It is even simpler than BIP34,
> 66, and 65.
>
> So we have a very complicated softfork vs. a very simple hardfork. The
> only reason makes BIP102 not easy is the fact that it's a hardfork.
>
> The major criticism for a hardfork is requiring everyone to upgrade. Is
> that really a big problem?
>
> First of all, hardfork is not a totally unknown territory. BIP50 was a
> hardfork. The accident happened on 13 March 2013. Bitcoind 0.8.1 was
> released on 18 March, which only gave 2 months of grace period for everyone
> to upgrade. The actual hardfork happened on 16 August. Everything completed
> in 5 months without any panic or chaos. This experience strongly suggests
> that 5 months is already safe for a simple hardfork. (in terms of
> simplicity, I believe BIP102 is even simpler than BIP50)
>
> Another experience is from BIP66. The 0.10.0 was released on 16 Feb 2015,
> exactly 10 months ago. I analyze the data on https://bitnodes.21.co and
> found that 4600 out of 5090 nodes (90.4%) indicate BIP66 support.
> Considering this is a softfork, I consider this as very good adoption
> already.
>
> With the evidence from BIP50 and BIP66, I believe a 5 months
> pre-announcement is good enough for BIP102. As the vast majority of miners
> have declared their support for a 2MB solution, the legacy 1MB fork will
> certainly be abandoned and no one will get robbed.
>
>
> My primary proposal:
>
> Now - 15 Jan 2016: formally consult the major miners and merchants if they
> support an one-off rise to 2MB. I consider approximately 80% of mining
> power and 80% of trading volume would be good enough
>
> 16 - 31 Jan 2016: release 0.11.3 with BIP102 with ISM vote requiring 80%
> of hashing power
>
> 1 Jun 2016: the first day a 2MB block may be allowed
>
> Before 31 Dec 2016: release SWSF
>
>
>
> My secondary proposal:
>
> Now: Work on SWSF in a turbo mode and have a deadline of 1 Jun 2016
>
> 1 Jun 2016: release SWSF
>
> What if the deadline is not met? Maybe pushing an urgent BIP102 if things
> become really bad.
>
>
> In any case, I hope a clear decision and road map could be made now. This
> topic has been discussed to death. We are just bringing further uncertainty
> if we keep discussing.
>
>
> Matt Corallo via bitcoin-dev 於 2015-12-16 15:50 寫到:
>
>> A large part of your argument is that SW will take longer to deploy
>> than a hard fork, but I completely disagree. Though I do not agree
>> with some people claiming we can deploy SW significantly faster than a
>> hard fork, once the code is ready (probably a six month affair) we can
>> get it deployed very quickly. It's true the ecosystem may take some
>> time to upgrade, but I see that as a feature, not a bug - we can build
>> up some fee pressure with an immediate release valve available for
>> people to use if they want to pay fewer fees.
>>
>> On the other hand, a hard fork, while simpler for the ecosystem to
>> upgrade to, is a 1-2 year affair (after the code is shipped, so at
>> least 1.5-2.5 from today if we all put off heads down and work). One
>> thing that has concerned me greatly through this whole debate is how
>> quickly people seem to think we can roll out a hard fork. Go look at
>> the distribution of node versions on the network today and work
>> backwards to get nearly every node upgraded... Even with a year
>> between fork-version-release and fork-activation, we'd still kill a
>> bunch of nodes and instead of reducing their security model, lead them
>> to be outright robbed.
>>
>>
> _______________________________________________
>
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 7807 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 7:54 ` Corey Haddad
@ 2015-12-17 13:09 ` Jorge Timón
2015-12-17 15:51 ` sickpig
0 siblings, 1 reply; 32+ messages in thread
From: Jorge Timón @ 2015-12-17 13:09 UTC (permalink / raw)
To: Corey Haddad; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 1496 bytes --]
Although I agree that how safe a pre-hardfork upgrade period is depends on
the complexity of the changes (we should assume everyone may need time to
reimplementat it themselves in their own implementations, not just upgrade
bitcoin core) and bip102 is indeed a very simple hardfork, I think less
than 6 months for a hardfork is starting to push it too much.
For a more complex hardfork (say, a SW hardfork or a collection of many
little fixes) I believe 1 year or more would make more sense.
BIP99 recommends a time threshold (height or median time) + 95% miner
upgrade confirmation with BIP9 (version bits).
So how about the following plan?
1) Deploy BIP102 when its ready + 6 median time months + 95% miner upgrade
confirmation
2) Deploy SW when it's ready + 95% miner upgrade confirmation via bip9.
Note that both "when it's ready" depend on something we are not paying a
lot of attention to: bip9's implementation (just like bip113, bip68-112,
bip99, the coinbase-commitments-cleanup post-SW uncontroversial hardfork,
etc).
Unless I'm missing something, 2 mb x4 = 8mb, so bip102 + SW is already
equivalent to the 2-4-8 "compromise" proposal (which by the way I never
liked, because I don't think anybody should be in a position to
"compromise" anything and because I don't see how "let's avoid an
unavoidable economic change for a little bit longer" arguments can
reasoably claim that "we need to kick the can down the road exactly 3 more
times" or whatever is the reasoning behind it).
[-- Attachment #2: Type: text/html, Size: 1687 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 13:09 ` Jorge Timón
@ 2015-12-17 15:51 ` sickpig
2015-12-17 17:55 ` Anthony Towns
0 siblings, 1 reply; 32+ messages in thread
From: sickpig @ 2015-12-17 15:51 UTC (permalink / raw)
To: Jorge Timón; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 733 bytes --]
On Thu, Dec 17, 2015 at 2:09 PM, Jorge Timón <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Unless I'm missing something, 2 mb x4 = 8mb, so bip102 + SW is already
> equivalent to the 2-4-8 "compromise" proposal (which by the way I never
> liked, because I don't think anybody should be in a position to
> "compromise" anything and because I don't see how "let's avoid an
> unavoidable economic change for a little bit longer" arguments can
> reasoably claim that "we need to kick the can down the road exactly 3 more
> times" or whatever is the reasoning behind it).
>
isn't SegWit gain ~75%? hence 2mb x 1.75 = 3.5.
4x is theoric gain you get in case of 2-2 multisig txs.
am I missign something obvious?
[-- Attachment #2: Type: text/html, Size: 1176 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 15:51 ` sickpig
@ 2015-12-17 17:55 ` Anthony Towns
2015-12-18 10:01 ` sickpig
0 siblings, 1 reply; 32+ messages in thread
From: Anthony Towns @ 2015-12-17 17:55 UTC (permalink / raw)
To: bitcoin-dev
On Thu, Dec 17, 2015 at 04:51:19PM +0100, sickpig--- via bitcoin-dev wrote:
> On Thu, Dec 17, 2015 at 2:09 PM, Jorge Timón wrote:
> > Unless I'm missing something, 2 mb x4 = 8mb, so bip102 + SW is already
> > equivalent to the 2-4-8 "compromise" proposal [...]
> isn't SegWit gain ~75%? hence 2mb x 1.75 = 3.5.
Segwit as proposed gives a 75% *discount* to witness data with the
same limit, so at a 1MB limit, that might give you (eg) 2.05MB made up
of 650kB of base block data plus 1.4MB of witness data; where 650kB +
1.4MB/4 = 1MB at the 1MB limit; or 4.1MB made up of 1.3MB of base plus
2.8MB of witness, for 1.3MB+2.8MB/4 = 2MB at a 2MB limit.
> 4x is theoric gain you get in case of 2-2 multisig txs.
With segregated witness, 2-2 multisig transactions are made up of 94B
of base data, plus about 214B of witness data; discounting the witness
data by 75% gives 94+214/4=148 bytes. That compares to about 301B for
a 2-2 multisig transaction with P2SH rather than segwit, and 301/148
gives about a 2.03x gain, not a 4x gain. A 2.05x gain is what I assumed
to get the numbers above.
You get further improvements with, eg, 3-of-3 multisig, but to get
the full, theoretical 4x gain you'd need a fairly degenerate looking
transaction.
Pay to public key hash with segwit lets you move about half the
transaction data into the witness, giving about a 1.6x improvement by
my count (eg 1.6MB = 800kB of base data plus 800kB of witness data,
where 800kB+800kB/4=1MB), so I think a gain of between 1.6 and 2.0 is
a reasonable expectation to have for the proposed segwit scheme overall.
Cheers,
aj
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 17:55 ` Anthony Towns
@ 2015-12-18 10:01 ` sickpig
2015-12-19 7:50 ` Mark Friedenbach
0 siblings, 1 reply; 32+ messages in thread
From: sickpig @ 2015-12-18 10:01 UTC (permalink / raw)
To: Anthony Towns; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 2122 bytes --]
Anthony,
On Thu, Dec 17, 2015 at 6:55 PM, Anthony Towns via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Thu, Dec 17, 2015 at 04:51:19PM +0100, sickpig--- via bitcoin-dev wrote:
> > On Thu, Dec 17, 2015 at 2:09 PM, Jorge Timón wrote:
> > > Unless I'm missing something, 2 mb x4 = 8mb, so bip102 + SW is already
> > > equivalent to the 2-4-8 "compromise" proposal [...]
> > isn't SegWit gain ~75%? hence 2mb x 1.75 = 3.5.
>
> Segwit as proposed gives a 75% *discount* to witness data with the
> same limit, so at a 1MB limit, that might give you (eg) 2.05MB made up
> of 650kB of base block data plus 1.4MB of witness data; where 650kB +
> 1.4MB/4 = 1MB at the 1MB limit; or 4.1MB made up of 1.3MB of base plus
> 2.8MB of witness, for 1.3MB+2.8MB/4 = 2MB at a 2MB limit.
>
> > 4x is theoric gain you get in case of 2-2 multisig txs.
>
> With segregated witness, 2-2 multisig transactions are made up of 94B
> of base data, plus about 214B of witness data; discounting the witness
> data by 75% gives 94+214/4=148 bytes. That compares to about 301B for
> a 2-2 multisig transaction with P2SH rather than segwit, and 301/148
> gives about a 2.03x gain, not a 4x gain. A 2.05x gain is what I assumed
> to get the numbers above.
>
> You get further improvements with, eg, 3-of-3 multisig, but to get
> the full, theoretical 4x gain you'd need a fairly degenerate looking
> transaction.
>
> Pay to public key hash with segwit lets you move about half the
> transaction data into the witness, giving about a 1.6x improvement by
> my count (eg 1.6MB = 800kB of base data plus 800kB of witness data,
> where 800kB+800kB/4=1MB), so I think a gain of between 1.6 and 2.0 is
> a reasonable expectation to have for the proposed segwit scheme overall.
>
>
many thanks for the explanation.
so it should be fair to say that BIP 102 + SW would bring a gain between
2*1.6 and 2*2.
Just for the sake of simplicity if we take the middle of the interval we
could say
that BIP102 + SW will bring us a max block (virtual) size equal to 1MB * 2
* 1.8 = 3.6
Is it right?
[-- Attachment #2: Type: text/html, Size: 2822 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-18 10:01 ` sickpig
@ 2015-12-19 7:50 ` Mark Friedenbach
2015-12-19 23:03 ` Dave Scotese
0 siblings, 1 reply; 32+ messages in thread
From: Mark Friedenbach @ 2015-12-19 7:50 UTC (permalink / raw)
To: sickpig; +Cc: Bitcoin Dev, Anthony Towns
[-- Attachment #1: Type: text/plain, Size: 2863 bytes --]
Not entirely correct, no. Edge cases also matter. Segwit is described as
4MB because that is the largest possible combined block size that can be
constructed. BIP 102 + segwit would allow a maximum relay of 8MB. So you
have to be confident that an 8MB relay size would be acceptable, even if a
block full of actual transactions would be closer to 3.5MB.
On Fri, Dec 18, 2015 at 6:01 PM, sickpig--- via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Anthony,
>
>
> On Thu, Dec 17, 2015 at 6:55 PM, Anthony Towns via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> On Thu, Dec 17, 2015 at 04:51:19PM +0100, sickpig--- via bitcoin-dev
>> wrote:
>> > On Thu, Dec 17, 2015 at 2:09 PM, Jorge Timón wrote:
>> > > Unless I'm missing something, 2 mb x4 = 8mb, so bip102 + SW is already
>> > > equivalent to the 2-4-8 "compromise" proposal [...]
>> > isn't SegWit gain ~75%? hence 2mb x 1.75 = 3.5.
>>
>> Segwit as proposed gives a 75% *discount* to witness data with the
>> same limit, so at a 1MB limit, that might give you (eg) 2.05MB made up
>> of 650kB of base block data plus 1.4MB of witness data; where 650kB +
>> 1.4MB/4 = 1MB at the 1MB limit; or 4.1MB made up of 1.3MB of base plus
>> 2.8MB of witness, for 1.3MB+2.8MB/4 = 2MB at a 2MB limit.
>>
>> > 4x is theoric gain you get in case of 2-2 multisig txs.
>>
>> With segregated witness, 2-2 multisig transactions are made up of 94B
>> of base data, plus about 214B of witness data; discounting the witness
>> data by 75% gives 94+214/4=148 bytes. That compares to about 301B for
>> a 2-2 multisig transaction with P2SH rather than segwit, and 301/148
>> gives about a 2.03x gain, not a 4x gain. A 2.05x gain is what I assumed
>> to get the numbers above.
>>
>> You get further improvements with, eg, 3-of-3 multisig, but to get
>> the full, theoretical 4x gain you'd need a fairly degenerate looking
>> transaction.
>>
>> Pay to public key hash with segwit lets you move about half the
>> transaction data into the witness, giving about a 1.6x improvement by
>> my count (eg 1.6MB = 800kB of base data plus 800kB of witness data,
>> where 800kB+800kB/4=1MB), so I think a gain of between 1.6 and 2.0 is
>> a reasonable expectation to have for the proposed segwit scheme overall.
>>
>>
> many thanks for the explanation.
>
> so it should be fair to say that BIP 102 + SW would bring a gain between
> 2*1.6 and 2*2.
>
> Just for the sake of simplicity if we take the middle of the interval we
> could say
> that BIP102 + SW will bring us a max block (virtual) size equal to 1MB * 2
> * 1.8 = 3.6
>
> Is it right?
>
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
[-- Attachment #2: Type: text/html, Size: 3978 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-19 7:50 ` Mark Friedenbach
@ 2015-12-19 23:03 ` Dave Scotese
0 siblings, 0 replies; 32+ messages in thread
From: Dave Scotese @ 2015-12-19 23:03 UTC (permalink / raw)
To: Mark Friedenbach; +Cc: Bitcoin Dev, Anthony Towns
[-- Attachment #1: Type: text/plain, Size: 4935 bytes --]
A couple observations:
- The consensus block limit is different than the disk space required to
do validation. Some participants are worried about one and some about the
other, and sometimes they feel what amounts to an imaginary contention
because they perceive these two different things as the same. They are
both addressed by scaling solutions, but to different degrees. This is the
most concrete I can get about my impression whenever someone writes "not
correct." Less concrete is my usual impression, "you're both right."
- "Kicking the can" has value, but no one has connected the value to the
phrase, so here it is: The more time we have to make changes, the better
the changes will be. Of course it's a trade-off (because we suffer through
that extra time with the unsolved problem), but using (or thinking of)
"kicking the can" as bad is a mistake.
- Whether or not there is a massive campaign targeting *current
bitcoiners* has a very strong effect on upgrade rates.
It seems that a hardfork to a 2MB limit on 5/5/16 is a tad more than one
LOC, since we want an if-then around it so it doesn't happen til the agreed
date. But I still support it.
On Fri, Dec 18, 2015 at 11:50 PM, Mark Friedenbach via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Not entirely correct, no. Edge cases also matter. Segwit is described as
> 4MB because that is the largest possible combined block size that can be
> constructed. BIP 102 + segwit would allow a maximum relay of 8MB. So you
> have to be confident that an 8MB relay size would be acceptable, even if a
> block full of actual transactions would be closer to 3.5MB.
>
> On Fri, Dec 18, 2015 at 6:01 PM, sickpig--- via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Anthony,
>>
>>
>> On Thu, Dec 17, 2015 at 6:55 PM, Anthony Towns via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> On Thu, Dec 17, 2015 at 04:51:19PM +0100, sickpig--- via bitcoin-dev
>>> wrote:
>>> > On Thu, Dec 17, 2015 at 2:09 PM, Jorge Timón wrote:
>>> > > Unless I'm missing something, 2 mb x4 = 8mb, so bip102 + SW is
>>> already
>>> > > equivalent to the 2-4-8 "compromise" proposal [...]
>>> > isn't SegWit gain ~75%? hence 2mb x 1.75 = 3.5.
>>>
>>> Segwit as proposed gives a 75% *discount* to witness data with the
>>> same limit, so at a 1MB limit, that might give you (eg) 2.05MB made up
>>> of 650kB of base block data plus 1.4MB of witness data; where 650kB +
>>> 1.4MB/4 = 1MB at the 1MB limit; or 4.1MB made up of 1.3MB of base plus
>>> 2.8MB of witness, for 1.3MB+2.8MB/4 = 2MB at a 2MB limit.
>>>
>>> > 4x is theoric gain you get in case of 2-2 multisig txs.
>>>
>>> With segregated witness, 2-2 multisig transactions are made up of 94B
>>> of base data, plus about 214B of witness data; discounting the witness
>>> data by 75% gives 94+214/4=148 bytes. That compares to about 301B for
>>> a 2-2 multisig transaction with P2SH rather than segwit, and 301/148
>>> gives about a 2.03x gain, not a 4x gain. A 2.05x gain is what I assumed
>>> to get the numbers above.
>>>
>>> You get further improvements with, eg, 3-of-3 multisig, but to get
>>> the full, theoretical 4x gain you'd need a fairly degenerate looking
>>> transaction.
>>>
>>> Pay to public key hash with segwit lets you move about half the
>>> transaction data into the witness, giving about a 1.6x improvement by
>>> my count (eg 1.6MB = 800kB of base data plus 800kB of witness data,
>>> where 800kB+800kB/4=1MB), so I think a gain of between 1.6 and 2.0 is
>>> a reasonable expectation to have for the proposed segwit scheme overall.
>>>
>>>
>> many thanks for the explanation.
>>
>> so it should be fair to say that BIP 102 + SW would bring a gain between
>> 2*1.6 and 2*2.
>>
>> Just for the sake of simplicity if we take the middle of the interval we
>> could say
>> that BIP102 + SW will bring us a max block (virtual) size equal to 1MB *
>> 2 * 1.8 = 3.6
>>
>> Is it right?
>>
>>
>>
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
--
I like to provide some work at no charge to prove my value. Do you need a
techie?
I own Litmocracy <http://www.litmocracy.com> and Meme Racing
<http://www.memeracing.net> (in alpha).
I'm the webmaster for The Voluntaryist <http://www.voluntaryist.com> which
now accepts Bitcoin.
I also code for The Dollar Vigilante <http://dollarvigilante.com/>.
"He ought to find it more profitable to play by the rules" - Satoshi
Nakamoto
[-- Attachment #2: Type: text/html, Size: 6805 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 5:32 ` jl2012
2015-12-17 7:54 ` Corey Haddad
@ 2015-12-17 9:33 ` Mark Friedenbach
2015-12-17 10:00 ` jl2012
2015-12-17 10:57 ` Anthony Towns
2 siblings, 1 reply; 32+ messages in thread
From: Mark Friedenbach @ 2015-12-17 9:33 UTC (permalink / raw)
To: jl2012; +Cc: Jeff Garzik via bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 5252 bytes --]
There are many reasons to support segwit beyond it being a soft-fork. For
example:
* the limitation of non-witness data to no more than 1MB makes the
quadratic scaling costs in large transaction validation no worse than they
currently are;
* redeem scripts in witness use a more accurate cost accounting than
non-witness data (further improvements to this beyond what Pieter has
implemented are possible); and
* segwit provides features (e.g. opt-in malleability protection) which are
required by higher-level scaling solutions.
With that in mind I really don't understand the viewpoint that it would be
better to engage a strictly inferior proposal such as a simple adjustment
of the block size to 2MB.
On Thu, Dec 17, 2015 at 1:32 PM, jl2012 via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> There are at least 2 proposals on the table:
>
> 1. SWSF (segwit soft fork) with 1MB virtual block limit, approximately
> equals to 2MB actual limit
>
> 2. BIP102: 2MB actual limit
>
> Since the actual limits for both proposals are approximately the same, it
> is not a determining factor in this discussion
>
> The biggest advantage of SWSF is its softfork nature. However, its
> complexity is not comparable with any previous softforks we had. It is
> reasonable to doubt if it could be ready in 6 months
>
> For BIP102, although it is a hardfork, it is a very simple one and could
> be deployed with ISM in less than a month. It is even simpler than BIP34,
> 66, and 65.
>
> So we have a very complicated softfork vs. a very simple hardfork. The
> only reason makes BIP102 not easy is the fact that it's a hardfork.
>
> The major criticism for a hardfork is requiring everyone to upgrade. Is
> that really a big problem?
>
> First of all, hardfork is not a totally unknown territory. BIP50 was a
> hardfork. The accident happened on 13 March 2013. Bitcoind 0.8.1 was
> released on 18 March, which only gave 2 months of grace period for everyone
> to upgrade. The actual hardfork happened on 16 August. Everything completed
> in 5 months without any panic or chaos. This experience strongly suggests
> that 5 months is already safe for a simple hardfork. (in terms of
> simplicity, I believe BIP102 is even simpler than BIP50)
>
> Another experience is from BIP66. The 0.10.0 was released on 16 Feb 2015,
> exactly 10 months ago. I analyze the data on https://bitnodes.21.co and
> found that 4600 out of 5090 nodes (90.4%) indicate BIP66 support.
> Considering this is a softfork, I consider this as very good adoption
> already.
>
> With the evidence from BIP50 and BIP66, I believe a 5 months
> pre-announcement is good enough for BIP102. As the vast majority of miners
> have declared their support for a 2MB solution, the legacy 1MB fork will
> certainly be abandoned and no one will get robbed.
>
>
> My primary proposal:
>
> Now - 15 Jan 2016: formally consult the major miners and merchants if they
> support an one-off rise to 2MB. I consider approximately 80% of mining
> power and 80% of trading volume would be good enough
>
> 16 - 31 Jan 2016: release 0.11.3 with BIP102 with ISM vote requiring 80%
> of hashing power
>
> 1 Jun 2016: the first day a 2MB block may be allowed
>
> Before 31 Dec 2016: release SWSF
>
>
>
> My secondary proposal:
>
> Now: Work on SWSF in a turbo mode and have a deadline of 1 Jun 2016
>
> 1 Jun 2016: release SWSF
>
> What if the deadline is not met? Maybe pushing an urgent BIP102 if things
> become really bad.
>
>
> In any case, I hope a clear decision and road map could be made now. This
> topic has been discussed to death. We are just bringing further uncertainty
> if we keep discussing.
>
>
> Matt Corallo via bitcoin-dev 於 2015-12-16 15:50 寫到:
>
>> A large part of your argument is that SW will take longer to deploy
>> than a hard fork, but I completely disagree. Though I do not agree
>> with some people claiming we can deploy SW significantly faster than a
>> hard fork, once the code is ready (probably a six month affair) we can
>> get it deployed very quickly. It's true the ecosystem may take some
>> time to upgrade, but I see that as a feature, not a bug - we can build
>> up some fee pressure with an immediate release valve available for
>> people to use if they want to pay fewer fees.
>>
>> On the other hand, a hard fork, while simpler for the ecosystem to
>> upgrade to, is a 1-2 year affair (after the code is shipped, so at
>> least 1.5-2.5 from today if we all put off heads down and work). One
>> thing that has concerned me greatly through this whole debate is how
>> quickly people seem to think we can roll out a hard fork. Go look at
>> the distribution of node versions on the network today and work
>> backwards to get nearly every node upgraded... Even with a year
>> between fork-version-release and fork-activation, we'd still kill a
>> bunch of nodes and instead of reducing their security model, lead them
>> to be outright robbed.
>>
>>
> _______________________________________________
>
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 6168 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 9:33 ` Mark Friedenbach
@ 2015-12-17 10:00 ` jl2012
0 siblings, 0 replies; 32+ messages in thread
From: jl2012 @ 2015-12-17 10:00 UTC (permalink / raw)
To: Mark Friedenbach; +Cc: Jeff Garzik via bitcoin-dev
I know my reply is a long one but please read before you hit send. I
have 2 proposals: fast BIP102 + slow SWSF and fast SWSF only. I guess no
one here is arguing for not doing segwit; and it is on the top of my
wish list. My main argument (maybe also Jeff's) is that segwit is too
complicated and may not be a viable short term solution (with the
reasons I listed that I don't want to repeat)
And also I don't agree with you that BIP102 is *strictly* inferior than
segwit. We never had a complex softfork like segwit, but we did have a
successful simple hardfork (BIP50), and BIP102 is very simple. (Details
in my last post. I'm not going to repeat)
Mark Friedenbach 於 2015-12-17 04:33 寫到:
> There are many reasons to support segwit beyond it being a soft-fork.
> For example:
>
> * the limitation of non-witness data to no more than 1MB makes the
> quadratic scaling costs in large transaction validation no worse than
> they currently are;
> * redeem scripts in witness use a more accurate cost accounting than
> non-witness data (further improvements to this beyond what Pieter has
> implemented are possible); and
> * segwit provides features (e.g. opt-in malleability protection) which
> are required by higher-level scaling solutions.
>
> With that in mind I really don't understand the viewpoint that it
> would be better to engage a strictly inferior proposal such as a
> simple adjustment of the block size to 2MB.
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-17 5:32 ` jl2012
2015-12-17 7:54 ` Corey Haddad
2015-12-17 9:33 ` Mark Friedenbach
@ 2015-12-17 10:57 ` Anthony Towns
2 siblings, 0 replies; 32+ messages in thread
From: Anthony Towns @ 2015-12-17 10:57 UTC (permalink / raw)
To: bitcoin-dev
On Thu, Dec 17, 2015 at 12:32:11AM -0500, jl2012 via bitcoin-dev wrote:
> There are at least 2 proposals on the table:
> 1. SWSF (segwit soft fork) with 1MB virtual block limit, approximately
> equals to 2MB actual limit
> 2. BIP102: 2MB actual limit
I think there's a few variants of (2) -- there's "just 2MB", "2MB now,
4MB in a while, 8MB after that", "1MB for a while longer, then 2MB,
then 4MB" (halved from 2/4/8 since segwit gives 1.6x-2x benefit), and
variations of those with different dates, whether or not to smooth out
the increases to avoid economic shocks, and how to determine activation
(flag day? miner consensus? combination?).
> Since the actual limits for both proposals are approximately the same, it is
> not a determining factor in this discussion
That's true on the benefit side (both give about double the number of
ordinary transactions per block; though segregated witness has other
benefits). On the cost side, the limits are different:
* worst case block data size is 2x for BIP102, 4x for segwit (affecting
bandwidth, latency and storage costs for nodes)
* worst case sigops is 2x for BIP102, but the same as today for segwit
(affecting block validation time)
* worst case bytes to hash a block is 4x for BIP102 (doubling block
size and sigops), but the same as today for segwit (again affecting
block validation time)
* worst case UTXO bloat is 2x for BIP102, but the same as today for
segwit (affecting memory usage, and validation time)
In the "expected" case (where people aren't attacking the blockchain)
I think they're the same on all these metrics. But increasing the
limits could easily make attacks more common, especially if it makes
them more effective.
I think the main attack vector of these is that increasing block
validation time via too many (active) sigops or too many bytes hashed
allows a selfish mining attack, but I'm not clear enough on how that
would work exactly to estimate where the boundary between acceptable and
unacceptable risk is (and how feasible non-consensus-level countermeasures
might be).
But at 1x sigops, you can already (accidently!) construct blocks that
take minutes to verify; and at 4x you can probably already construct a
block that takes 10 minutes to verify, which would probably be pretty
bad... But I'm not sure this isn't already exploitable, so maybe we're
already assuming a certain level of altruism and making things worse
doesn't actually make them worse?
I think it would be good for BIP102 or similar to include an evaluation
of that risk before being deployed [0].
> The major criticism for a hardfork is requiring everyone to upgrade. Is that
> really a big problem?
Yes. That doesn't mean it's not worth it, though.
(The 2-month timeline for the BIP50 accidental hardfork to be accepted
on the network seems persuasive to me that it's possible to roll out a
deliberate, SPV-compatible, hardfork on today's network in 3-6 months)
> My primary proposal:
> 1 Jun 2016: the first day a 2MB block may be allowed
>
> My secondary proposal:
> 1 Jun 2016: release SWSF
I think it makes sense to just do both of these independently; ie:
* release segwit via softfork ASAP (perhaps targetting March or April
to get it included in bitcoin, activation a month or three
afterwards?), with virtual block size calculated as proposed and
capped by MAX_BLOCK_SIZE [1]
* increase MAX_BLOCK_SIZE via hardfork to 2MB after block 420,000
(phased in gradually? with future scheduled increases to 4MB or 8MB?)
If segwit gets delayed because it's complicated, that's okay; if
it comes out earlier, that's okay too. If the hardfork gets delayed
because miners aren't ready or because it's better to introduce it in a
staggered fashion, or because there's no clear evaluation of the risks,
that's okay too.
But more importantly, it allows evaluate the pros and cons of each
implementation separately and on its own merits, rather than arguing
against working on one just because you're in favour of doing the
other ASAP.
They have benefits if you combine them too; for instance, if the
MAX_BLOCK_SIZE increase is phased in rather than done as a step increase
(ie block x's limit is 1MB, block x+1's limit is 1.005MB or similar,
and block x+2's limit is 1.01MB, etc) having segwit available in parallel
could provide a helpful escape valve: if an individual bitcoin user has
been dying for more capacity, they can spend the time/effort to update
their software for segwit and get it immediately without having to wait
as the consensus limits rise.
Conversely, having both segwit and a phased increase to MAX_BLOCK_SIZE
means that miners generally won't be immediately mining 2MB (or 4MB)
blocks halfway through the year, which should avoid both technological
shocks (bandwidth just doubled!) or economic shocks (supply has increased
so fees have plummeted), which could be good.
FWIW, the worst case scenarios are:
* block data size:
BIP102: 2x (worst/avg)
segwit: 4x (worst, ~2x avg)
both: 8x (worst, ~4x avg)
BIP101: 8x (worst/avg)
* sigops per block:
BIP102: 2x
segwit: 1x
both: 2x
BIP101: 8x
* bytes hashed per block:
BIP102: 4x
segwit: 1x
both: 4x
BIP101: 64x
* UTXO rate of increase:
BIP102: 2x
segwit: 1x
both: 2x
BIP101: 8x
Compared to the (expected, eventual, near-term) benefits:
* transactions per block:
BIP102: 2x
segwit: 1.6x-2x
both: 3.2x-4x
BIP101: 8x
* misc:
BIP101/2: planned hardforks are possible, bitcoin community governance
is demonstrably working, etc
segwit: malleability fixes, script improvements, lightning
enablement, etc
The block data is the only case where the average case is already just
about the worst case; for the others, as long as the worst case doesn't
inspire new attacks, the future average case should just increase in
proportion to the additional transactions.
Cheers,
aj
[0] (and segwit should actually account for sigops in witness data before
being deployed...)
[1] If segwit warrants a hardfork to clean up data structures, I think
that should be deferred until well after the MAX_BLOCK_SIZE hardfork,
rather than trying to do it at the same time. As such, doing segwit by
soft fork in the short term seems to make sense, since it also helps
with transaction malleability and further improvements to script.
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [bitcoin-dev] Segregated Witness in the context of Scaling Bitcoin
2015-12-16 20:50 ` Matt Corallo
` (2 preceding siblings ...)
2015-12-17 5:32 ` jl2012
@ 2015-12-17 6:14 ` Marcel Jamin
3 siblings, 0 replies; 32+ messages in thread
From: Marcel Jamin @ 2015-12-17 6:14 UTC (permalink / raw)
To: Matt Corallo; +Cc: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 9696 bytes --]
Maybe we should first gather concrete estimates about and roughly agree on
- how long SW (SF) development will probably take
- how long the ecosystem needs to prepare for a hardfork (SW (HF) or a
simple can kicking block size increase)
Opinions differ wildly from what it looks like, but maybe we can get to
estimates that the majority here can accept.
---
Personally, I think that the disclaimer "Bitcoin is an experiment" is
pervasive. It's still a pre-release, even with a $6bn vote of confidence.
If you don't follow developments in this phase, don't upgrade and then have
an elevated risk of losing money by getting scammed, then that's a little
bit your fault. I'd absolutely support a change in mentality on that once
1.0.0 arrives, but until then is bitcoin a work-in-progress experiment and
a high risk investment.
A planned hard-fork is an experiment that needs to be run anyway. When do
we want to do that, if not now?
2015-12-16 21:50 GMT+01:00 Matt Corallo via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org>:
> A large part of your argument is that SW will take longer to deploy than a
> hard fork, but I completely disagree. Though I do not agree with some
> people claiming we can deploy SW significantly faster than a hard fork,
> once the code is ready (probably a six month affair) we can get it deployed
> very quickly. It's true the ecosystem may take some time to upgrade, but I
> see that as a feature, not a bug - we can build up some fee pressure with
> an immediate release valve available for people to use if they want to pay
> fewer fees.
>
> On the other hand, a hard fork, while simpler for the ecosystem to upgrade
> to, is a 1-2 year affair (after the code is shipped, so at least 1.5-2.5
> from today if we all put off heads down and work). One thing that has
> concerned me greatly through this whole debate is how quickly people seem
> to think we can roll out a hard fork. Go look at the distribution of node
> versions on the network today and work backwards to get nearly every node
> upgraded... Even with a year between fork-version-release and
> fork-activation, we'd still kill a bunch of nodes and instead of reducing
> their security model, lead them to be outright robbed.
>
> On December 16, 2015 12:38:30 PM PST, Jeff Garzik via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>
>> 1. Summary
>>
>> Segregated Witness (SegWitness, SW) is being presented in the context of
>> Scaling Bitcoin. It has useful attributes, notably addressing a major
>> malleability vector, but is not a short term scaling solution.
>>
>>
>> 2. Definitions
>>
>> Import Fee Event, ECE, TFM, FFM from previous email.
>>
>> Older clients - Any software not upgraded to SW
>>
>> Newer clients - Upgraded, SW aware software
>>
>>
>> Block size - refers to the core block economic resource limit ed by
>> MAX_BLOCK_SIZE. Witness data (or extension block data) is excluded.
>> Requires a hard fork to change.
>>
>> Core block - Current bitcoin block, with upper bound MAX_BLOCK_SIZE. Not
>> changed by SW.
>>
>>
>> Extended transaction - Newer, upgraded version of transaction data format.
>>
>> Extended block - Newer, upgraded version of block data format.
>>
>>
>> EBS - Extended block size. Block size seen by newer clients.
>>
>>
>> 3. Context of analysis
>>
>> One proposal presents SW *in lieu of* a hard fork block size increase.
>> This email focuses directly on that.
>>
>> Useful features outside block size context, such as anti-malleability or
>> fraud proof features, are not covered in depth.
>>
>>
>> 4.1. Observations on data structure formats and views
>>
>> SW creates two *views* of each transaction and block. SW has blocks and
>> extended blocks. Similarly, there exists transactions and extended
>> transactions.
>>
>> This view is rendered to clients depending on compatibility level. Newer
>> clients see extended blocks and extended transactions. Older clients see
>> blocks (limit 1M), and do not see extended blocks. Older clients see
>> upgraded transactions as unsigned, anyone-can-pay transactions.
>>
>> Each extended transaction exists in two states, one unsigned and one
>> signed, each of which passes validation as a valid bitcoin transaction.
>>
>>
>> 4.2. Observations on behavior of older transaction creation
>>
>> Transactions created by older clients will not use the extended
>> transaction format. All data is stored the standard 1M block as today.
>>
>>
>> 4.3. Observations on new block economic model
>>
>> SW complicates block economics by creating two separate, supply limited
>> resources.
>>
>> The core block economic resource is heavily contended. Older clients use
>> core blocks exclusively. Newer clients use core block s more
>> conservatively, storing as much data as possible in extended blocks.
>>
>> The extended block economic resource is less heavily contended, though
>> that of course grows over time as clients upgrade.
>>
>> Because core blocks are more heavily contended, it is presumed that older
>> clients will pay a higher fee than newer clients (subject to elasticity
>> etc.).
>>
>>
>> 5.1. Problem: Pace of roll-out will be slow - Whole Ecosystem must be
>> considered.
>>
>> The current apparent proposal is to roll out Segregated Witness as a soft
>> fork, and keep block size at 1M.
>>
>> The roll-out pace cannot simply be judged by soft fork speed - which is
>> months at best. Analysis must the layers above: Updating bitcoin-core
>> (JS) and bitcoinj (Java), and then the timelines to roll out those updates
>> to apps, and then the timeline to update those apps to create extended
>> transactions.
>>
>> Overall, wallet software and programmer libraries must be upgraded to
>> make use of this new format, adding many more months (12+ in some stacks)
>> to the roll out timeline. In the meantime, clients continue to contend
>> entirely for core block space.
>>
>>
>> 5.2. Problem: Hard fork to bigger block size Just Works(tm) with most
>> software, unlike SW.
>>
>> A simple hard fork such as BIP 102 is automatically compatible with the
>> vast range of today's ecosystem software.
>>
>> SW requires merchants to upgrade almost immediately, requires wallet and
>> other peripheral software upgrades to make use of. Other updates are
>> opt-in and occur more slowly. BIP 70 processors need some updates.
>>
>> The number of LOC that must change for BIP 102 is very small, and the
>> problem domain well known, versus SW.
>>
>>
>> 5.3. Problem: Due to pace, Fee Event not forestalled.
>>
>> Even presuming SW is merged into Bitcoin Core tomorrow, this does not
>> address the risk of a Fee Event and associated Economic Change in the
>> coming months.
>>
>>
>> 5.4. Problem: More complex economic policy, new game theory, new
>> bidding structure risks.
>>
>> Splitting blocks into two pieces, each with separate and distinct
>> behaviors and resource values, creates *two fee markets.*
>>
>> Having two pricing strata within each block has certainly feasible - that
>> is the current mining policy of (1) fee/KB followed by (2) priority/age.
>>
>> Valuable or not - e.g. incentivizing older clients to upgrade - the fact
>> remains that SW creates a more-complex bidding structure by creating a
>> second economic resource.
>>
>> *This is clearly a change to a new economic policy* with standard risks
>> associated with that. Will that induce an Economic C hange Event (see def
>> last email)? *Unlikely*, due to slow rollout pace.
>>
>>
>> 5.5. Problem: Current SW mining algorithm needs improvement
>>
>> Current SW block template maker does a reasonable job, but makes some
>> naive assumptions about the fee market across an entire extended block.
>> This is a mismatch with the economic reality (just described).
>>
>> 5.6. Problem: New, under-analyzed attack surfaces
>>
>> Less significant and fundamental but still worth noting.
>>
>> This is not a fundamental SW problem, but simply standard complexity risk
>> factors: splitting the signatures away from transactions, and creating a
>> new apparently-unsigned version of the transaction opens t he possibility
>> of some network attacks which cause some clients to degrade down from
>> extended block to core block mode temporarily.
>>
>> There is a chance of a failure mode that fools older clients into
>> thinking fraudulent data is valid (judgement: unlikely vis hashpower but
>> not impossible)
>>
>> 6. Conclusions and recommendations
>>
>> It seems unlikely that SW provides scaling in the short term, and SW
>> introduces new economics complexities.
>>
>> A "short term bump" hard fork block size increase addresses economic and
>> ecosystem risks that SW does not.
>>
>> Bump + SW should proce ed in parallel, independent tracks, as orthogonal
>> issues.
>>
>>
>> 7. Appendix - Other SW comments
>>
>> Hard forks provide much stronger validation, and ensure the network
>> operates at a fully trustless level.
>>
>> SW hard fork is preferred, versus soft fork. Soft forking SW places a
>> huge amount of trust on miners to validate transaction signatures, versus
>> the rest of the network, as the network slowly upgrades to newer clients.
>>
>> An SW hard fork could also add several zero-filled placeholders in a
>> merkle tree for future use.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------
>>
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
[-- Attachment #2: Type: text/html, Size: 15168 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread