* [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
@ 2015-05-07 23:32 Tier Nolan
2015-05-08 9:49 ` Mike Hearn
2015-05-08 10:00 ` Jeff Garzik
0 siblings, 2 replies; 9+ messages in thread
From: Tier Nolan @ 2015-05-07 23:32 UTC (permalink / raw)
To: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 3331 bytes --]
One of the suggestions to avoid the problem of fees going to zero is
assurance contracts. This lets users (perhaps large merchants or
exchanges) pay to support the network. If insufficient people pay for the
contract, then it fails.
Mike Hearn suggests one way of achieving it, but it doesn't actually create
an assurance contract. Miners can exploit the system to convert the
pledges into donations.
https://bitcointalk.org/index.php?topic=157141.msg1821770#msg1821770
Consider a situation in the future where the minting fee has dropped to
almost zero. A merchant wants to cause block number 1 million to
effectively have a minting fee of 50BTC.
He creates a transaction with one input (0.1BTC) and one output (50BTC) and
signs it using SIGHASH_ANYONE_CAN_PAY. The output pays to OP_TRUE. This
means that anyone can spend it. The miner who includes the transaction
will send it to an address he controls (or pay to fee). The transaction
has a locktime of 1 million, so that it cannot be included before that
point.
This transaction cannot be included in a block, since the inputs are lower
than the outputs. The SIGHASH_ANYONE_CAN_PAY field mean that others can
pledge additional funds. They add more input to add more money and the
same sighash.
There would need to be some kind of notice boeard system for these pledges,
but if enough pledge, then a valid transaction can be created. It is in
miner's interests to maintain such a notice board.
The problem is that it counts as a pure donation. Even if only 10BTC has
been pledged, a miner can just add 40BTC of his own money and finish the
transaction. He nets the 10BTC of the pledges if he wins the block. If he
loses, nobody sees his 40BTC transaction. The only risk is if his block is
orphaned and somehow the miner who mines the winning block gets his 40BTC
transaction into his block.
The assurance contract was supposed to mean "If the effective minting fee
for block 1 million is 50 BTC, then I will pay 0.1BTC". By adding his
40BTC to the transaction the miner converts it to a pure donation.
The key point is that *other* miners don't get 50BTC reward if they find
the block, so it doesn't push up the total hashing power being committed to
the blockchain, that a 50BTC minting fee would achieve. This is the whole
point of the assurance contract.
OP_CHECKLOCKTIMEVERIFY could be used to solve the problem.
Instead of paying to OP_TRUE, the transaction should pay 50 BTC to "<1
million> OP_CHECKLOCKTIMEVERIFY OP_TRUE" and 0.01BTC to "OP_TRUE".
This means that the transaction could be included into a block well in
advance of the 1 million block point. Once block 1 million arrives, any
miner would be able to spend the 50 BTC. The 0.01BTC is the fee for the
block the transaction is included in.
If the contract hasn't been included in a block well in advance, pledgers
would be recommended to spend their pledged input,
It can be used to pledge to many blocks at once. The transaction could pay
out to lots of 50BTC outputs but with the locktime increasing by for each
output.
For high value transactions, it isn't just the POW of the next block that
matters but all the blocks that are built on top of it.
A pledger might want to say "I will pay 1BTC if the next 100 blocks all
have at least an effective minting fee of 50BTC"
[-- Attachment #2: Type: text/html, Size: 3884 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-07 23:32 [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY Tier Nolan
@ 2015-05-08 9:49 ` Mike Hearn
2015-05-08 10:01 ` Benjamin
2015-05-08 10:00 ` Jeff Garzik
1 sibling, 1 reply; 9+ messages in thread
From: Mike Hearn @ 2015-05-08 9:49 UTC (permalink / raw)
To: Tier Nolan; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 34 bytes --]
Looks like a neat solution, Tier.
[-- Attachment #2: Type: text/html, Size: 55 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-08 9:49 ` Mike Hearn
@ 2015-05-08 10:01 ` Benjamin
2015-05-08 14:15 ` Tier Nolan
0 siblings, 1 reply; 9+ messages in thread
From: Benjamin @ 2015-05-08 10:01 UTC (permalink / raw)
To: Mike Hearn; +Cc: Bitcoin Dev
Interesting.
1. How do you know who was first? If one node can figure out where
more transactions happen he can gain an advantage by being closer to
him. Mining would not be fair.
2. "A merchant wants to cause block number 1 million to effectively
have a minting fee of 50BTC." - why should he do that? That's the
entire tragedy of the commons problem, no?
On Fri, May 8, 2015 at 11:49 AM, Mike Hearn <mike@plan99.net> wrote:
> Looks like a neat solution, Tier.
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-08 10:01 ` Benjamin
@ 2015-05-08 14:15 ` Tier Nolan
2015-05-08 14:54 ` Benjamin
0 siblings, 1 reply; 9+ messages in thread
From: Tier Nolan @ 2015-05-08 14:15 UTC (permalink / raw)
To: Benjamin; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 2586 bytes --]
Just to clarify the process.
Pledgers create transactions using the following template and broadcast
them. The p2p protocol could be modified to allow this, or it could be a
separate system.
*Input: 0.01 BTC*
*Signed with SIGHASH_ANYONE_CAN_PAY*
*Output 50BTC*
*Paid to: <1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE*
*Output 0.01BTC*
*Paid to OP_TRUE*
This transaction is invalid, since the inputs don't pay for the output.
The advantage of the sighash "anyone can pay" field is that other people
can add additional inputs without making the signature invalid. Normally,
any change to the transaction would make a signature invalid.
Eventually, enough other users have added pledges and a valid transaction
can be broadcast.
*Input: 0.01 BTC*
*Signed with SIGHASH_ANYONE_CAN_PAY*
*Input: 1.2 BTCSigned with SIGHASH_ANYONE_CAN_PAY*
*Input: 5 BTCSigned with SIGHASH_ANYONE_CAN_PAY*
*<etc>*
*Input: 1.3 BTCSigned with SIGHASH_ANYONE_CAN_PAYOutput 50BTC*
*Paid to: <1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE*
*Output 0.01BTC**Paid to OP_TRUE*
This transaction can be submitted to the main network. Once it is included
into the blockchain, it is locked in.
In this example, it might be included in block 999,500. The 0.01BTC output
(and any excess over 50BTC) can be collected by the block 999,500 miner.
The OP_CHECKLOCKTIMEVERIFY opcode means that the 50BTC output cannot be
spent until block 1 million. Once block 1 million arrives, the output is
completely unprotected. This means that the miner who mines block 1
million can simply take it, by including his own transaction that sends it
to an address he controls. It would be irrational to include somebody
else's transaction which spent it.
If by block 999,900, the transaction hasn't been completed (due to not
enough pledgers), the pledgers can spend the coin(s) that they were going
to use for their pledge. This invalidates those inputs and effectively
withdraws from the pledge.
On Fri, May 8, 2015 at 11:01 AM, Benjamin <benjamin.l.cordes@gmail.com>
wrote:
> 2. "A merchant wants to cause block number 1 million to effectively
> have a minting fee of 50BTC." - why should he do that? That's the
> entire tragedy of the commons problem, no?
>
No, the pledger is saying that he will only pay 0.01BTC if the miner gets a
reward of 50BTC.
Imagine a group of 1000 people who want to make a donation of 50BTC to
something. They all way that they will donate 0.05BTC, but only if
everyone else donates.
It still isn't perfect. Everyone has an incentive to wait until the last
minute to pledge.
[-- Attachment #2: Type: text/html, Size: 3736 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-08 14:15 ` Tier Nolan
@ 2015-05-08 14:54 ` Benjamin
2015-05-08 14:56 ` Tier Nolan
2015-05-08 15:03 ` Tier Nolan
0 siblings, 2 replies; 9+ messages in thread
From: Benjamin @ 2015-05-08 14:54 UTC (permalink / raw)
To: Tier Nolan; +Cc: Bitcoin Dev
>> Imagine a group of 1000 people who want to make a donation of 50BTC to something. They all way that they will donate 0.05BTC, but only if everyone else donates.
It still isn't perfect. Everyone has an incentive to wait until the
last minute to pledge. <<
AC does not solve the problem. AC works if people gain directly from
the payment. Imagine a group of people paying tax - nobody gains from
paying it. You have to actually need to enforce negative outcomes to
enable it (jail for tax fraud). Hence in Bitcoin we have the enforced
subsidy. AFAIK the problem of how to incentivize transaction
verification without subsidy is unsolved. Who determines a fair price?
People around here should study more economics, game theory, etc.
instead of debating low level encodings all the time.
On Fri, May 8, 2015 at 4:15 PM, Tier Nolan <tier.nolan@gmail.com> wrote:
> Just to clarify the process.
>
> Pledgers create transactions using the following template and broadcast
> them. The p2p protocol could be modified to allow this, or it could be a
> separate system.
>
> Input: 0.01 BTC
> Signed with SIGHASH_ANYONE_CAN_PAY
>
> Output 50BTC
> Paid to: <1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE
>
> Output 0.01BTC
> Paid to OP_TRUE
>
> This transaction is invalid, since the inputs don't pay for the output. The
> advantage of the sighash "anyone can pay" field is that other people can add
> additional inputs without making the signature invalid. Normally, any
> change to the transaction would make a signature invalid.
>
> Eventually, enough other users have added pledges and a valid transaction
> can be broadcast.
>
> Input: 0.01 BTC
> Signed with SIGHASH_ANYONE_CAN_PAY
>
> Input: 1.2 BTC
> Signed with SIGHASH_ANYONE_CAN_PAY
>
> Input: 5 BTC
> Signed with SIGHASH_ANYONE_CAN_PAY
>
> <etc>
>
> Input: 1.3 BTC
> Signed with SIGHASH_ANYONE_CAN_PAY
>
> Output 50BTC
> Paid to: <1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE
>
> Output 0.01BTC
> Paid to OP_TRUE
>
> This transaction can be submitted to the main network. Once it is included
> into the blockchain, it is locked in.
>
> In this example, it might be included in block 999,500. The 0.01BTC output
> (and any excess over 50BTC) can be collected by the block 999,500 miner.
>
> The OP_CHECKLOCKTIMEVERIFY opcode means that the 50BTC output cannot be
> spent until block 1 million. Once block 1 million arrives, the output is
> completely unprotected. This means that the miner who mines block 1 million
> can simply take it, by including his own transaction that sends it to an
> address he controls. It would be irrational to include somebody else's
> transaction which spent it.
>
> If by block 999,900, the transaction hasn't been completed (due to not
> enough pledgers), the pledgers can spend the coin(s) that they were going to
> use for their pledge. This invalidates those inputs and effectively
> withdraws from the pledge.
>
> On Fri, May 8, 2015 at 11:01 AM, Benjamin <benjamin.l.cordes@gmail.com>
> wrote:
>>
>> 2. "A merchant wants to cause block number 1 million to effectively
>> have a minting fee of 50BTC." - why should he do that? That's the
>> entire tragedy of the commons problem, no?
>
>
> No, the pledger is saying that he will only pay 0.01BTC if the miner gets a
> reward of 50BTC.
>
> Imagine a group of 1000 people who want to make a donation of 50BTC to
> something. They all way that they will donate 0.05BTC, but only if everyone
> else donates.
>
> It still isn't perfect. Everyone has an incentive to wait until the last
> minute to pledge.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-08 14:54 ` Benjamin
@ 2015-05-08 14:56 ` Tier Nolan
2015-05-08 15:03 ` Tier Nolan
1 sibling, 0 replies; 9+ messages in thread
From: Tier Nolan @ 2015-05-08 14:56 UTC (permalink / raw)
Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 3586 bytes --]
On Fri, May 8, 2015 at 3:54 PM, Benjamin <benjamin.l.cordes@gmail.com>
wrote:
> AC does not solve the problem. AC works if people gain directly from
> the payment.
Not necessarily.
> Imagine a group of people paying tax - nobody gains from
> paying it. You have to actually need to enforce negative outcomes to
> enable it (jail for tax fraud). Hence in Bitcoin we have the enforced
> subsidy. AFAIK the problem of how to incentivize transaction
> verification without subsidy is unsolved. Who determines a fair price?
> People around here should study more economics, game theory, etc.
> instead of debating low level encodings all the time.
>
> On Fri, May 8, 2015 at 4:15 PM, Tier Nolan <tier.nolan@gmail.com> wrote:
> > Just to clarify the process.
> >
> > Pledgers create transactions using the following template and broadcast
> > them. The p2p protocol could be modified to allow this, or it could be a
> > separate system.
> >
> > Input: 0.01 BTC
> > Signed with SIGHASH_ANYONE_CAN_PAY
> >
> > Output 50BTC
> > Paid to: <1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE
> >
> > Output 0.01BTC
> > Paid to OP_TRUE
> >
> > This transaction is invalid, since the inputs don't pay for the output.
> The
> > advantage of the sighash "anyone can pay" field is that other people can
> add
> > additional inputs without making the signature invalid. Normally, any
> > change to the transaction would make a signature invalid.
> >
> > Eventually, enough other users have added pledges and a valid transaction
> > can be broadcast.
> >
> > Input: 0.01 BTC
> > Signed with SIGHASH_ANYONE_CAN_PAY
> >
> > Input: 1.2 BTC
> > Signed with SIGHASH_ANYONE_CAN_PAY
> >
> > Input: 5 BTC
> > Signed with SIGHASH_ANYONE_CAN_PAY
> >
> > <etc>
> >
> > Input: 1.3 BTC
> > Signed with SIGHASH_ANYONE_CAN_PAY
> >
> > Output 50BTC
> > Paid to: <1 million> OP_CHECKLOCKTIMEVERIFY OP_TRUE
> >
> > Output 0.01BTC
> > Paid to OP_TRUE
> >
> > This transaction can be submitted to the main network. Once it is
> included
> > into the blockchain, it is locked in.
> >
> > In this example, it might be included in block 999,500. The 0.01BTC
> output
> > (and any excess over 50BTC) can be collected by the block 999,500 miner.
> >
> > The OP_CHECKLOCKTIMEVERIFY opcode means that the 50BTC output cannot be
> > spent until block 1 million. Once block 1 million arrives, the output is
> > completely unprotected. This means that the miner who mines block 1
> million
> > can simply take it, by including his own transaction that sends it to an
> > address he controls. It would be irrational to include somebody else's
> > transaction which spent it.
> >
> > If by block 999,900, the transaction hasn't been completed (due to not
> > enough pledgers), the pledgers can spend the coin(s) that they were
> going to
> > use for their pledge. This invalidates those inputs and effectively
> > withdraws from the pledge.
> >
> > On Fri, May 8, 2015 at 11:01 AM, Benjamin <benjamin.l.cordes@gmail.com>
> > wrote:
> >>
> >> 2. "A merchant wants to cause block number 1 million to effectively
> >> have a minting fee of 50BTC." - why should he do that? That's the
> >> entire tragedy of the commons problem, no?
> >
> >
> > No, the pledger is saying that he will only pay 0.01BTC if the miner
> gets a
> > reward of 50BTC.
> >
> > Imagine a group of 1000 people who want to make a donation of 50BTC to
> > something. They all way that they will donate 0.05BTC, but only if
> everyone
> > else donates.
> >
> > It still isn't perfect. Everyone has an incentive to wait until the last
> > minute to pledge.
>
[-- Attachment #2: Type: text/html, Size: 4822 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-08 14:54 ` Benjamin
2015-05-08 14:56 ` Tier Nolan
@ 2015-05-08 15:03 ` Tier Nolan
1 sibling, 0 replies; 9+ messages in thread
From: Tier Nolan @ 2015-05-08 15:03 UTC (permalink / raw)
Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 605 bytes --]
Sorry for the spam of the last mail. I hit send by accident.
Assurance contracts are better than simple donations.
Donating to a project means that you always end up losing the money but the
project might still not get funded.
An assurance contract is like Kickstarter, you only get your CC charged if
the project is fully funded.
There is lower risk, either you get your money back or the project is
funded. It might still be worth risking it and hoping it gets funded.
Kickstarter does have pledge rewards to reward pledgers. That helps with
creating the momentum to encourage people to pledge.
[-- Attachment #2: Type: text/html, Size: 731 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY
2015-05-07 23:32 [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY Tier Nolan
2015-05-08 9:49 ` Mike Hearn
@ 2015-05-08 10:00 ` Jeff Garzik
2015-05-08 16:43 ` Peter Todd
1 sibling, 1 reply; 9+ messages in thread
From: Jeff Garzik @ 2015-05-08 10:00 UTC (permalink / raw)
To: Tier Nolan; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 4374 bytes --]
That reminds me - I need to integrate the patch that automatically sweeps
anyone-can-pay transactions for a miner.
On Thu, May 7, 2015 at 7:32 PM, Tier Nolan <tier.nolan@gmail.com> wrote:
> One of the suggestions to avoid the problem of fees going to zero is
> assurance contracts. This lets users (perhaps large merchants or
> exchanges) pay to support the network. If insufficient people pay for the
> contract, then it fails.
>
> Mike Hearn suggests one way of achieving it, but it doesn't actually
> create an assurance contract. Miners can exploit the system to convert the
> pledges into donations.
>
> https://bitcointalk.org/index.php?topic=157141.msg1821770#msg1821770
>
> Consider a situation in the future where the minting fee has dropped to
> almost zero. A merchant wants to cause block number 1 million to
> effectively have a minting fee of 50BTC.
>
> He creates a transaction with one input (0.1BTC) and one output (50BTC)
> and signs it using SIGHASH_ANYONE_CAN_PAY. The output pays to OP_TRUE.
> This means that anyone can spend it. The miner who includes the
> transaction will send it to an address he controls (or pay to fee). The
> transaction has a locktime of 1 million, so that it cannot be included
> before that point.
>
> This transaction cannot be included in a block, since the inputs are lower
> than the outputs. The SIGHASH_ANYONE_CAN_PAY field mean that others can
> pledge additional funds. They add more input to add more money and the
> same sighash.
>
> There would need to be some kind of notice boeard system for these
> pledges, but if enough pledge, then a valid transaction can be created. It
> is in miner's interests to maintain such a notice board.
>
> The problem is that it counts as a pure donation. Even if only 10BTC has
> been pledged, a miner can just add 40BTC of his own money and finish the
> transaction. He nets the 10BTC of the pledges if he wins the block. If he
> loses, nobody sees his 40BTC transaction. The only risk is if his block is
> orphaned and somehow the miner who mines the winning block gets his 40BTC
> transaction into his block.
>
> The assurance contract was supposed to mean "If the effective minting fee
> for block 1 million is 50 BTC, then I will pay 0.1BTC". By adding his
> 40BTC to the transaction the miner converts it to a pure donation.
>
> The key point is that *other* miners don't get 50BTC reward if they find
> the block, so it doesn't push up the total hashing power being committed to
> the blockchain, that a 50BTC minting fee would achieve. This is the whole
> point of the assurance contract.
>
> OP_CHECKLOCKTIMEVERIFY could be used to solve the problem.
>
> Instead of paying to OP_TRUE, the transaction should pay 50 BTC to "<1
> million> OP_CHECKLOCKTIMEVERIFY OP_TRUE" and 0.01BTC to "OP_TRUE".
>
> This means that the transaction could be included into a block well in
> advance of the 1 million block point. Once block 1 million arrives, any
> miner would be able to spend the 50 BTC. The 0.01BTC is the fee for the
> block the transaction is included in.
>
> If the contract hasn't been included in a block well in advance, pledgers
> would be recommended to spend their pledged input,
>
> It can be used to pledge to many blocks at once. The transaction could
> pay out to lots of 50BTC outputs but with the locktime increasing by for
> each output.
>
> For high value transactions, it isn't just the POW of the next block that
> matters but all the blocks that are built on top of it.
>
> A pledger might want to say "I will pay 1BTC if the next 100 blocks all
> have at least an effective minting fee of 50BTC"
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/
[-- Attachment #2: Type: text/html, Size: 5512 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2015-05-08 16:43 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-07 23:32 [Bitcoin-development] Assurance contracts to fund the network with OP_CHECKLOCKTIMEVERIFY Tier Nolan
2015-05-08 9:49 ` Mike Hearn
2015-05-08 10:01 ` Benjamin
2015-05-08 14:15 ` Tier Nolan
2015-05-08 14:54 ` Benjamin
2015-05-08 14:56 ` Tier Nolan
2015-05-08 15:03 ` Tier Nolan
2015-05-08 10:00 ` Jeff Garzik
2015-05-08 16:43 ` Peter Todd
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox