Hi Other Chris,

Thanks for pointing this out. Here are my responses.

On 12/4/2017 3:11 PM, Chris Stewart wrote:
>There is another interesting analysis on BMM and drivechains from /u/almkglor on reddit. I'm going to share here for visibility.
>> 3 and 7 will mean that non-verifying miners will be (inadvertently) complicit in theft. Drivechains have 1008-block cycles ostensibly to protect against theft, so that someone can "raise the alarm" and tell miners to downvote a particular theft withdrawal, but that sounds too much like centralized collusion to me.

Well, that is simply not what "centralized" means. "Centralized" means that one person has special, irreplaceable influence. In contrast, "decentralized" means that the process is not uniquely influenced by what any *one* individual does or believes. Which is the case here: each miner can independently make a decision about what to check, how to check it, and what to do as a result. They could do undertake this process, even if they ignored what everyone else was doing.

>> ...
>>
>> It seems Drivechain's security model is: miners always upvote by default. If a theft withdrawal is done on the mainchain, some sidechain nodes call up their miner friends (which makes me worry about miner centralization) to downvote it instead.
>>
>> The problem is: what if after a theft withdrawal is defeated, another theft withdrawal is done? And another, and another? This weakens the peg: while a theft withdrawal is on-going, a genuine withdrawal can't be posted (at least as I understand Sztorc's explanation). This chokes the sidechain withdrawal.

This is a good question.

The answer is that there are mechanisms in place to address these problems. Contrary to the reviewer's interpretation, multiple withdrawal-attempts *are* allowed simultaneously. (This part of design may have changed between now and Nov 2015, and I'm not sure if it was ever documented anywhere until very recently). Second, only one withdrawal can be upvoted at a time [ie, per sidechain per main:block]. Third, upvoting one withdrawal automatically downvotes all of the other withdrawals (all in-progress withdrawals for that sidechain). Thus, we have the asymmetry we desire. An "auditor class" can ignore all of the withdrawals, until a significant amount of time has been invested in one candidate. This makes the attempt more futile. Since they are unlikely to be meaninglessly harassed, this opens the door to a "farmer class" who can take it upon themselves to make sure the good withdrawals get in, and get upvotes (especially early upvotes). Thus, the system can tolerate a large "loafer class" who just lazily upvotes everything (or nothing, or only the front-runner).

> TLDR: a miner is most profitable if he always accepts BMM bribes, but downvotes withdrawal transactions (WT). This obviously isn't ideal because a withdrawal will never occur from the drivechain if enough miners employ this strategy -- which seems to be the most profitable strategy.
>
>-Chris

I agree that miners should "always accept BMM bribes". In my recent email to Matt Corallo, I described that this is basically the same as saying that miners should "always mine on top of the heaviest chain". (Of course, in mainchain Bitcoin miners are advised to mine atop the heaviest *valid* chain, which is different from this case. It is different because blind-merged-miners have no way of knowing if the sidechain blocks they are mining are valid or not, which is kind of the point. In practice I estimate that between 70% and 100% of today's hashpower is already mining the mainchain "blind" -- through some combination of pools, spv and spy mining.)

I don't agree with the conclusion (that the optimal policy is "always downvoting", see above), but even if this analysis turns out to be correct, it isn't a total disaster. The result (which is in the original Nov 2015 specification) is that miners are the ones who perform the atomic swaps. Then they walk the coins side-to-main (which, at this point, are *their* coins). As long as there are a few large mining groups, competition will drive the atomic swap fees down to negligible levels. This slightly encourages mining to consolidate into two large pools...but of course that is also true of the status quo!

Paul
 

On Mon, Dec 4, 2017 at 1:36 PM, Chris Pacia via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

I think you are missing a few things.

First of all, I think the security model for sidechains is the same as
that of every blockchain

People will say things, like "but with sidechains 51% hashrate can steal
your coins!", but as I have repeated many times, this is also true of
 mainchain btc-tx.  is something else?

There are substantial opportunity costs as well as a collective action problem when it comes to re-writing the mainchain. 

Is there anything similar for drivechains? As far as I can tell there is no opportunity cost to casting a malicious vote, no repercussions, and no collective action barrier that needs to be overcome. 

Unless I'm missing something I wouldn't liken the security of a drivechain to that of the mainchain.

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev