Bitcoin Core :: Bitcoin Core 0.11.2

Technical: A Brief History of Payment Channels: from Satoshi to Lightning Network

Who cares about political tweets from some random country's president when payment channels are a much more interesting and are actually capable of carrying value?
So let's have a short history of various payment channel techs!

Generation 0: Satoshi's Broken nSequence Channels

Because Satoshi's Vision included payment channels, except his implementation sucked so hard we had to go fix it and added RBF as a by-product.
Originally, the plan for nSequence was that mempools would replace any transaction spending certain inputs with another transaction spending the same inputs, but only if the nSequence field of the replacement was larger.
Since 0xFFFFFFFF was the highest value that nSequence could get, this would mark a transaction as "final" and not replaceable on the mempool anymore.
In fact, this "nSequence channel" I will describe is the reason why we have this weird rule about nLockTime and nSequence. nLockTime actually only works if nSequence is not 0xFFFFFFFF i.e. final. If nSequence is 0xFFFFFFFF then nLockTime is ignored, because this if the "final" version of the transaction.
So what you'd do would be something like this:
  1. You go to a bar and promise the bartender to pay by the time the bar closes. Because this is the Bitcoin universe, time is measured in blockheight, so the closing time of the bar is indicated as some future blockheight.
  2. For your first drink, you'd make a transaction paying to the bartender for that drink, paying from some coins you have. The transaction has an nLockTime equal to the closing time of the bar, and a starting nSequence of 0. You hand over the transaction and the bartender hands you your drink.
  3. For your succeeding drink, you'd remake the same transaction, adding the payment for that drink to the transaction output that goes to the bartender (so that output keeps getting larger, by the amount of payment), and having an nSequence that is one higher than the previous one.
  4. Eventually you have to stop drinking. It comes down to one of two possibilities:
    • You drink until the bar closes. Since it is now the nLockTime indicated in the transaction, the bartender is able to broadcast the latest transaction and tells the bouncers to kick you out of the bar.
    • You wisely consider the state of your liver. So you re-sign the last transaction with a "final" nSequence of 0xFFFFFFFF i.e. the maximum possible value it can have. This allows the bartender to get his or her funds immediately (nLockTime is ignored if nSequence is 0xFFFFFFFF), so he or she tells the bouncers to let you out of the bar.
Now that of course is a payment channel. Individual payments (purchases of alcohol, so I guess buying coffee is not in scope for payment channels). Closing is done by creating a "final" transaction that is the sum of the individual payments. Sure there's no routing and channels are unidirectional and channels have a maximum lifetime but give Satoshi a break, he was also busy inventing Bitcoin at the time.
Now if you noticed I called this kind of payment channel "broken". This is because the mempool rules are not consensus rules, and cannot be validated (nothing about the mempool can be validated onchain: I sigh every time somebody proposes "let's make block size dependent on mempool size", mempool state cannot be validated by onchain data). Fullnodes can't see all of the transactions you signed, and then validate that the final one with the maximum nSequence is the one that actually is used onchain. So you can do the below:
  1. Become friends with Jihan Wu, because he owns >51% of the mining hashrate (he totally reorged Bitcoin to reverse the Binance hack right?).
  2. Slip Jihan Wu some of the more interesting drinks you're ordering as an incentive to cooperate with you. So say you end up ordering 100 drinks, you split it with Jihan Wu and give him 50 of the drinks.
  3. When the bar closes, Jihan Wu quickly calls his mining rig and tells them to mine the version of your transaction with nSequence 0. You know, that first one where you pay for only one drink.
  4. Because fullnodes cannot validate nSequence, they'll accept even the nSequence=0 version and confirm it, immutably adding you paying for a single alcoholic drink to the blockchain.
  5. The bartender, pissed at being cheated, takes out a shotgun from under the bar and shoots at you and Jihan Wu.
  6. Jihan Wu uses his mystical chi powers (actually the combined exhaust from all of his mining rigs) to slow down the shotgun pellets, making them hit you as softly as petals drifting in the wind.
  7. The bartender mutters some words, clothes ripping apart as he or she (hard to believe it could be a she but hey) turns into a bear, ready to maul you for cheating him or her of the payment for all the 100 drinks you ordered from him or her.
  8. Steely-eyed, you stand in front of the bartender-turned-bear, daring him to touch you. You've watched Revenant, you know Leonardo di Caprio could survive a bear mauling, and if some posh actor can survive that, you know you can too. You make a pose. "Drunken troll logic attack!"
  9. I think I got sidetracked here.
Lessons learned?

Spilman Channels

Incentive-compatible time-limited unidirectional channel; or, Satoshi's Vision, Fixed (if transaction malleability hadn't been a problem, that is).
Now, we know the bartender will turn into a bear and maul you if you try to cheat the payment channel, and now that we've revealed you're good friends with Jihan Wu, the bartender will no longer accept a payment channel scheme that lets one you cooperate with a miner to cheat the bartender.
Fortunately, Jeremy Spilman proposed a better way that would not let you cheat the bartender.
First, you and the bartender perform this ritual:
  1. You get some funds and create a transaction that pays to a 2-of-2 multisig between you and the bartender. You don't broadcast this yet: you just sign it and get its txid.
  2. You create another transaction that spends the above transaction. This transaction (the "backoff") has an nLockTime equal to the closing time of the bar, plus one block. You sign it and give this backoff transaction (but not the above transaction) to the bartender.
  3. The bartender signs the backoff and gives it back to you. It is now valid since it's spending a 2-of-2 of you and the bartender, and both of you have signed the backoff transaction.
  4. Now you broadcast the first transaction onchain. You and the bartender wait for it to be deeply confirmed, then you can start ordering.
The above is probably vaguely familiar to LN users. It's the funding process of payment channels! The first transaction, the one that pays to a 2-of-2 multisig, is the funding transaction that backs the payment channel funds.
So now you start ordering in this way:
  1. For your first drink, you create a transaction spending the funding transaction output and sending the price of the drink to the bartender, with the rest returning to you.
  2. You sign the transaction and pass it to the bartender, who serves your first drink.
  3. For your succeeding drinks, you recreate the same transaction, adding the price of the new drink to the sum that goes to the bartender and reducing the money returned to you. You sign the transaction and give it to the bartender, who serves you your next drink.
  4. At the end:
    • If the bar closing time is reached, the bartender signs the latest transaction, completing the needed 2-of-2 signatures and broadcasting this to the Bitcoin network. Since the backoff transaction is the closing time + 1, it can't get used at closing time.
    • If you decide you want to leave early because your liver is crying, you just tell the bartender to go ahead and close the channel (which the bartender can do at any time by just signing and broadcasting the latest transaction: the bartender won't do that because he or she is hoping you'll stay and drink more).
    • If you ended up just hanging around the bar and never ordering, then at closing time + 1 you broadcast the backoff transaction and get your funds back in full.
Now, even if you pass 50 drinks to Jihan Wu, you can't give him the first transaction (the one which pays for only one drink) and ask him to mine it: it's spending a 2-of-2 and the copy you have only contains your own signature. You need the bartender's signature to make it valid, but he or she sure as hell isn't going to cooperate in something that would lose him or her money, so a signature from the bartender validating old state where he or she gets paid less isn't going to happen.
So, problem solved, right? Right? Okay, let's try it. So you get your funds, put them in a funding tx, get the backoff tx, confirm the funding tx...
Once the funding transaction confirms deeply, the bartender laughs uproariously. He or she summons the bouncers, who surround you menacingly.
"I'm refusing service to you," the bartender says.
"Fine," you say. "I was leaving anyway;" You smirk. "I'll get back my money with the backoff transaction, and posting about your poor service on reddit so you get negative karma, so there!"
"Not so fast," the bartender says. His or her voice chills your bones. It looks like your exploitation of the Satoshi nSequence payment channel is still fresh in his or her mind. "Look at the txid of the funding transaction that got confirmed."
"What about it?" you ask nonchalantly, as you flip open your desktop computer and open a reputable blockchain explorer.
What you see shocks you.
"What the --- the txid is different! You--- you changed my signature?? But how? I put the only copy of my private key in a sealed envelope in a cast-iron box inside a safe buried in the Gobi desert protected by a clan of nomads who have dedicated their lives and their childrens' lives to keeping my private key safe in perpetuity!"
"Didn't you know?" the bartender asks. "The components of the signature are just very large numbers. The sign of one of the signature components can be changed, from positive to negative, or negative to positive, and the signature will remain valid. Anyone can do that, even if they don't know the private key. But because Bitcoin includes the signatures in the transaction when it's generating the txid, this little change also changes the txid." He or she chuckles. "They say they'll fix it by separating the signatures from the transaction body. They're saying that these kinds of signature malleability won't affect transaction ids anymore after they do this, but I bet I can get my good friend Jihan Wu to delay this 'SepSig' plan for a good while yet. Friendly guy, this Jihan Wu, it turns out all I had to do was slip him 51 drinks and he was willing to mine a tx with the signature signs flipped." His or her grin widens. "I'm afraid your backoff transaction won't work anymore, since it spends a txid that is not existent and will never be confirmed. So here's the deal. You pay me 99% of the funds in the funding transaction, in exchange for me signing the transaction that spends with the txid that you see onchain. Refuse, and you lose 100% of the funds and every other HODLer, including me, benefits from the reduction in coin supply. Accept, and you get to keep 1%. I lose nothing if you refuse, so I won't care if you do, but consider the difference of getting zilch vs. getting 1% of your funds." His or her eyes glow. "GENUFLECT RIGHT NOW."
Lesson learned?

CLTV-protected Spilman Channels

Using CLTV for the backoff branch.
This variation is simply Spilman channels, but with the backoff transaction replaced with a backoff branch in the SCRIPT you pay to. It only became possible after OP_CHECKLOCKTIMEVERIFY (CLTV) was enabled in 2015.
Now as we saw in the Spilman Channels discussion, transaction malleability means that any pre-signed offchain transaction can easily be invalidated by flipping the sign of the signature of the funding transaction while the funding transaction is not yet confirmed.
This can be avoided by simply putting any special requirements into an explicit branch of the Bitcoin SCRIPT. Now, the backoff branch is supposed to create a maximum lifetime for the payment channel, and prior to the introduction of OP_CHECKLOCKTIMEVERIFY this could only be done by having a pre-signed nLockTime transaction.
With CLTV, however, we can now make the branches explicit in the SCRIPT that the funding transaction pays to.
Instead of paying to a 2-of-2 in order to set up the funding transaction, you pay to a SCRIPT which is basically "2-of-2, OR this singlesig after a specified lock time".
With this, there is no backoff transaction that is pre-signed and which refers to a specific txid. Instead, you can create the backoff transaction later, using whatever txid the funding transaction ends up being confirmed under. Since the funding transaction is immutable once confirmed, it is no longer possible to change the txid afterwards.

Todd Micropayment Networks

The old hub-spoke model (that isn't how LN today actually works).
One of the more direct predecessors of the Lightning Network was the hub-spoke model discussed by Peter Todd. In this model, instead of payers directly having channels to payees, payers and payees connect to a central hub server. This allows any payer to pay any payee, using the same channel for every payee on the hub. Similarly, this allows any payee to receive from any payer, using the same channel.
Remember from the above Spilman example? When you open a channel to the bartender, you have to wait around for the funding tx to confirm. This will take an hour at best. Now consider that you have to make channels for everyone you want to pay to. That's not very scalable.
So the Todd hub-spoke model has a central "clearing house" that transport money from payers to payees. The "Moonbeam" project takes this model. Of course, this reveals to the hub who the payer and payee are, and thus the hub can potentially censor transactions. Generally, though, it was considered that a hub would more efficiently censor by just not maintaining a channel with the payer or payee that it wants to censor (since the money it owned in the channel would just be locked uselessly if the hub won't process payments to/from the censored user).
In any case, the ability of the central hub to monitor payments means that it can surveill the payer and payee, and then sell this private transactional data to third parties. This loss of privacy would be intolerable today.
Peter Todd also proposed that there might be multiple hubs that could transport funds to each other on behalf of their users, providing somewhat better privacy.
Another point of note is that at the time such networks were proposed, only unidirectional (Spilman) channels were available. Thus, while one could be a payer, or payee, you would have to use separate channels for your income versus for your spending. Worse, if you wanted to transfer money from your income channel to your spending channel, you had to close both and reshuffle the money between them, both onchain activities.

Poon-Dryja Lightning Network

Bidirectional two-participant channels.
The Poon-Dryja channel mechanism has two important properties:
Both the original Satoshi and the two Spilman variants are unidirectional: there is a payer and a payee, and if the payee wants to do a refund, or wants to pay for a different service or product the payer is providing, then they can't use the same unidirectional channel.
The Poon-Dryjam mechanism allows channels, however, to be bidirectional instead: you are not a payer or a payee on the channel, you can receive or send at any time as long as both you and the channel counterparty are online.
Further, unlike either of the Spilman variants, there is no time limit for the lifetime of a channel. Instead, you can keep the channel open for as long as you want.
Both properties, together, form a very powerful scaling property that I believe most people have not appreciated. With unidirectional channels, as mentioned before, if you both earn and spend over the same network of payment channels, you would have separate channels for earning and spending. You would then need to perform onchain operations to "reverse" the directions of your channels periodically. Secondly, since Spilman channels have a fixed lifetime, even if you never used either channel, you would have to periodically "refresh" it by closing it and reopening.
With bidirectional, indefinite-lifetime channels, you may instead open some channels when you first begin managing your own money, then close them only after your lawyers have executed your last will and testament on how the money in your channels get divided up to your heirs: that's just two onchain transactions in your entire lifetime. That is the potentially very powerful scaling property that bidirectional, indefinite-lifetime channels allow.
I won't discuss the transaction structure needed for Poon-Dryja bidirectional channels --- it's complicated and you can easily get explanations with cute graphics elsewhere.
There is a weakness of Poon-Dryja that people tend to gloss over (because it was fixed very well by RustyReddit):
Another thing I want to emphasize is that while the Lightning Network paper and many of the earlier presentations developed from the old Peter Todd hub-and-spoke model, the modern Lightning Network takes the logical conclusion of removing a strict separation between "hubs" and "spokes". Any node on the Lightning Network can very well work as a hub for any other node. Thus, while you might operate as "mostly a payer", "mostly a forwarding node", "mostly a payee", you still end up being at least partially a forwarding node ("hub") on the network, at least part of the time. This greatly reduces the problems of privacy inherent in having only a few hub nodes: forwarding nodes cannot get significantly useful data from the payments passing through them, because the distance between the payer and the payee can be so large that it would be likely that the ultimate payer and the ultimate payee could be anyone on the Lightning Network.
Lessons learned?

Future

After LN, there's also the Decker-Wattenhofer Duplex Micropayment Channels (DMC). This post is long enough as-is, LOL. But for now, it uses a novel "decrementing nSequence channel", using the new relative-timelock semantics of nSequence (not the broken one originally by Satoshi). It actually uses multiple such "decrementing nSequence" constructs, terminating in a pair of Spilman channels, one in both directions (thus "duplex"). Maybe I'll discuss it some other time.
The realization that channel constructions could actually hold more channel constructions inside them (the way the Decker-Wattenhofer puts a pair of Spilman channels inside a series of "decrementing nSequence channels") lead to the further thought behind Burchert-Decker-Wattenhofer channel factories. Basically, you could host multiple two-participant channel constructs inside a larger multiparticipant "channel" construct (i.e. host multiple channels inside a factory).
Further, we have the Decker-Russell-Osuntokun or "eltoo" construction. I'd argue that this is "nSequence done right". I'll write more about this later, because this post is long enough.
Lessons learned?
submitted by almkglor to Bitcoin [link] [comments]

CHECKLOCKTIMEVERIFY has been merged - Finally!

CHECKLOCKTIMEVERIFY has been merged - Finally! submitted by ciphera to Bitcoin [link] [comments]

Moving towards user activated soft fork activation

This posted today form ShaolinFry in Bitcointalk forum and dev list and i think is a great proposal for segwit activation Was very wrong decision to put miners in this central position for network upgrades. Here is the post from ShaolinFry :
https://bitcointalk.org/index.php?topic=1805060.0
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-February/013643.html
Some thoughts about the activation mechanism for soft forks. In the past we used IsSuperMajority and currently use BIP9 as soft fork activation methods, where a supermajority of hashrate triggers nodes to begin enforcing new rules. Hashrate based activation is convenient because it is the simplest and most straightforward process. While convenient there are a number limitations with this method.
Firstly, it requires trusting the hash power will validate after activation. The BIP66 soft fork was a case where 95% of the hashrate was signaling readiness but in reality about half was not actually validating the upgraded rules and mined upon an invalid block by mistake[1]. Secondly, miner signalling has a natural veto which allows a small percentage of hashrate to veto node activation of the upgrade for everyone. To date, soft forks have taken advantage of the relatively centralised mining landscape where there are relatively few mining pools building valid blocks; as we move towards more hashrate decentralization, it's likely that we will suffer more and more from "upgrade inertia" which will veto most upgrades. Upgrade inertia in inevitable for widely deployed software and can be seen for example, with Microsoft Windows. At the time of writing 5.72% of all Microsoft Windows installations are still running Windows XP, despite mainstream support ending in 2009 and being superseded by 4 software generations, Vista, 7, 8 and 10.
Thirdly, the signaling methodology is widely misinterpreted to mean the hash power is voting on a proposal and it seems difficult to correct this misunderstanding in the wider community. The hash powers' role is to select valid transactions, and to extend the blockchain with valid blocks. Fully validating economic nodes ensure that blocks are valid. Nodes therefore define validity according to the software they run, but miners decide what already valid transactions gets included in the block chain.
As such, soft forks rules are actually always enforced by the nodes, not the miners. Miners of course can opt-out by simply not including transactions that use the new soft fork feature, but they cannot produce blocks that are invalid to the soft fork. The P2SH soft fork is a good example of this, where non-upgraded miners would see P2SH as spendable without a signature and consider them valid. If such an transaction were to be included in a block, the block would be invalid and the miner would lose the block reward and fees. So-called "censorship" soft forks do not require nodes to opt in, because >51% of the hash power already have the ability to orphan blocks that contain transactions they have blacklisted. Since this is not a change in validity, nodes will accept the censored block chain automatically. The fourth problem with supermajority hash power signaling is it draws unnecessary attention to miners which can become unnecessarily political. Already misunderstood as a vote, miners may feel pressure to "make a decision" on behalf of the community: who is and isn't signalling becomes a huge public focus and may put pressures onto miners they are unprepared for. Some miners may not be in a position to upgrade, or may prefer not to participate in the soft fork which is their right. However, that miner may now become a lone reason that vetoes activation for everyone, where the soft fork is an opt-in feature! This situation seems to be against the voluntary nature of the Bitcoin system where participation at all levels is voluntary and kept honest by well balanced incentives. Since miners already have the protocol level right to select whatever transaction they prefer (and not mine those they don't), it would be better if a miner could chose to not participate in triggering activation of something they won't use, but, without being a veto to the process (and all the ire they may have to experience as a consequence). The alternative discussed here is "flag day activation" where nodes begin enforcement at a predetermined time in the future. This method needs a longer lead time than a hash power based activation trigger, but offers a number of advantages and perhaps provides a better tradeoff. Soft forks are still entirely optional to use post activation. For example, with P2SH, many participants in the Bitcoin ecosystem still do not use P2SH. Only 11% of bitcoins[2] are stored in P2SH addresses at the time of writing. Miners are free to not mine P2SH transactions, however, the incentives are such that miners should still validate transactions so they don't accidentally include invalid transactions and cause their block to be rejected. As an additional safety measure for well designed soft forks, relay policy rules prevent non-standard and invalid transactions from being relayed and mined by default; a miner would have to purposefully mine an invalid transaction, which is against their own economic interest. Since the incentives of the Bitcoin system rely on self validation, economic nodes (miners and users) should always remain safe by ensuring their nodes either validate the current rules, or, they can place their network behind a full node that will filter out invalid transactions and blocks at the edge of their network (so called firewall or border nodes). A user activated soft fork is permissive. Miners do not have to produce new version blocks and non-upgraded miners' blocks will not be orphaned as was the case with IsSuperMajority soft forks (e.g. BIP34, BIP66, BIP65-CLTV) which made it a compulsory upgrade for miners. BIP9 "versionbits" soft fork activation method is also permissive in so far as non-upgraded miners are not forced to upgrade after activation because their blocks wont be orphaned. A recent case was the "CSV" soft fork that activated BIP68, BIP112 and BIP113. As such, the CSV soft fork allows non-upgraded miners to continue mining so long as they didn't produce invalid blocks. Miners always retain discretion on which transactions to mine. However, regardless of whether they actively include transactions using the new soft fork feature, or not, the incentive for hash power to upgrade in order to validate is strong: if they do not, they could be vulnerable to a rogue miner willing to waste 12.5BTC to create an invalid block, which may cause non-validating miners to build on an invalid chain similar to the BIP66 incident. Validation has always had a strong requirement. A user activated soft fork is win-win because it adds an option that some people want that does not detract from other peoples' enjoyment. Even if only 10% of users ever wanted a feature, so long as the benefit outweighed the technical risks, it would not be rational to deny others the ability to opt-in. My suggestion is to have the best of both worlds. Since a user activated soft fork needs a relatively long lead time before activation, we can combine with BIP9 to give the option of a faster hash power coordinated activation or activation by flag day, whichever is the sooner. In both cases, we can leverage the warning systems in BIP9. The change is relatively simple, adding an activation-time parameter which will transition the BIP9 state to LOCKED_IN before the end of the BIP9 deployment timeout. You can find the proposal here https://gist.github.com/shaolinfry/0f7d1fd22743bb966da0c0b1682ea2ab References: [1]: https://bitcoin.org/en/alert/2015-07-04-spv-mining [2]: http://p2sh.info/dashboard/db/p2sh-statistics?from=1472043312917&to=1488030912918
submitted by chek2fire to Bitcoin [link] [comments]

Bitcoin Unlimtited version available now with public labels (aka voting) and coin freezing!

Recently I've been working on a pull request for Bitcoin Unlimited.
https://github.com/BitcoinUnlimited/BitcoinUnlimited/pull/521
This is in the coin_freeze_cltv branch based on dev. It contains features for the user to freeze coins, to associate public labels with a transaction amount (aka voting) as well as fixes for transaction searching.
These features can be merged into Bitcoin Unlimited but we need more user feedback and testing. If you can help test and provide feedback that would be great. If you can help create a deb package for the source that would also be a great help. Otherwise if you could just provide general feedback and let the other devs know if you want these features. If there is demand I will code more .... right now I am thinking about a Bitcoin Supply Chart in the Overview tab that incorporates the mining scchedule, frozen coins and compares your wallet balance versus current and upcoming supply. Freezing coins could be a powerful way for users to indicate which side of a fork they prefer. I also have prepared a draft design of an onchain exchange(ONX) between pre&post fork coins. In this way the community can bet on forking before it happens ONCHAIN!
Regarding associating public labels with a transaction amount other than zero that is not native as amounts in the same output as the OP_RETURN are NOT spendable. So this feature was achieved by associating OP_RETURN public label output with the following UTXO. In this way public labels are associated with transaction amounts and so the community can use the same public label to vote on the same topic! The user spends to themselves using a public label and in so doing commits the amount toward that publc label. When multiple users use the exact same public label their unspent amounts are aggregated. The "Top Public Labels" are therefore available as a list on their own tab sorted by the aggregate of UNSPENT amounts currently associated with the public label. When a user wants to unvote their coins they just spend them again with a new public label or none.
https://github.com/marlengit/BitcoinUnlimited/tree/gui_top_public_labels
submitted by redmarlen to btc [link] [comments]

Bitcoin dev IRC meeting in layman's terms (or an attempt to)

As you may or may not know, since scaling bitcoin in Montreal there's a weekly dev meeting on IRC. While very interesting to read, as a non-technical person such as myself it really takes some time to understand what they're all talking about, but I do like to know what they are working on.
Since I'm doing the work to find out anyway, I might as well share it with the community.
Please bare in mind I'm not a developer and I'd have problems coding "hello world!", so some things might be incorrect or plain wrong. Like any other write-up it likely contains personal biases, although I try to stay as neutral as I can.
The full IRC-logs can be found here.
There are no decisions being made in these meetings, so if I say "everyone agrees" this means everyone present in the meeting, that's not consensus, but since a fair amount of devs are present it's a good representation.
Main topics discussed where: Mempool limiting BIP68 + CHECKSEQUENCEVERIFY CLTV soft fork deployment libconsensus merge time window
Mempool limiting
When a transaction is relayed across the network it is held by the nodes in memory, until it gets into a block. All these transactions that sit in memory are called the memorypool or mempool for short. Like we could see during the spam-attack if there's a big back-log of transactions that couldn't make it in the blockchain this mempool can get pretty big resulting in nodes crashing.
To stop this from happening devs are trying to find a way to limit this mempool, so a mechanism to reject and/or remove transactions from the mempool. The hard part here is to make it so nodes can't be attacked by abusing this mechanism.
There are multiple worked out ideas for this, namely: Limit mempool by throwing away the cheapest txn and setting min realy fee to it Mempool limiting with descendant package tracking exponential rising effective min relay feerate
devs are leaning towards 6722 (throwing away the cheapest txn and setting min relay fee to it) because it's the more simpler approach and possibly less edge-cases. The idea behind it is to have a mem-pool that gives a good approximation on what'll be included in the next blocks, meaning higher fee transactions. This approach also helps to build a fee-estimator. Some devs propose to include a time-based eviction as well.
6722 should be completed and 6722, 6557 and 6673 should be attacked by the others to try and find edge-cases. The default mempool size should be 300Mb.
Chain limits
Related to mempool limiting. Chain in this context means connected transactions. When you send a transaction that depends on another transaction that has yet to be confirmed we talk about a chain of transactions. Miners ideally take the whole chain into account instead of just every single transaction (although that's not widely implemented afaik). So while a single transaction might not have a sufficient fee, a depending transaction could have a high enough fee to make it worthwhile to mine both. This is commonly known as child-pays-for-parent. Since you can make these chains very big it's possible to clog up the mempool this way. The first unconfirmed transaction is called the ancestor and the transactions depending on it the descendants. The total amount of transactions is referred to as "packages".
All of the mempool limiting approaches are way easier to attack if you have bigger chain limits. the reason to have larger descendant packages is you can't control that yourself, somebody pays you and bob, and bob chains off a million descendants and he ends up screwing you. if you have a say 900kb ancestor package limit, then even if the ancestor fee rate is reasonably high, default mining code is likely going to find 100kb of very high fee txs to include first, and then there won't be room for your ancestor package. Morcos proposes 25/250kb for ancestors and 50/500kb for descendants, meaning max. either 25 transactions or 250kb in size for ancestors. Most seem to be fine with those limits and even smaller.
-meeting conclusion
morcos writes a chain-limit proposal to post on the mailing list in order to find possible usecases for large chain transactions.
CHECKLOCKTIMEVERIFY softfork
Commonly referred to as: How you thought nLockTime worked before you actually tried to use it. There's a fair amount of demand for this and the code is reviewed and has been running on sidechains alpha for 6 months. The only real issue is how and when it's merged. Currently softforks have been done by the isSuperMajority mechanism, meaning when 95% of the last X blocks has a version number higher than X the fork is deployed. A new way of doing this is currently being worked on and that uses all bits of the version number, appropriately being called versionbits. So instead of a fork happening when the version is larger than (for example) 00000000011 (3), a fork happens when (for example) the 3rd bit is up (so 00100000011). This way softforks can be deployed simultaneous and independent of each other.
Questions are being posed whether we wait for other time-related BIP's and/or versionbits, or do it now using isSuperMajority. If versionbits is deployed later it needs to wait for all supermajority softforks to be over. Vladimir van der Laan doesn't want to deploy any soft forks in major releases (0.12 in this case) so that people explicitly upgrade for the softfork not for other things. You could roll out multiple supermajority forks as long as they are cumulative. Talks seem to converge to using supermajority to deploy checkLockTimeVerify and checkSequenceVerify if it's ready by the end of October.
checkLockTimeVerify backports (deployment in older versions) needs to be reviewed as well as BIP68, 112 and 113 (all the time-related BIP's).
Libconsensus
Satoshi wasn't the best programmer out there, which leaves a pretty messy code. Ideally you'd have the part of the code that influences the network consensus separately, but in bitcoin it's all intertwined. Libconsensus is what eventually should become this part. This way people can more easily make changes in the non-consensus part without fear of causing a network fork. This however is a slow and dangerous project of moving lot's of code around.
Lot's of discussion on when existing changes should be merged, when the code should be frozen for next release etc. In linux changes are merged right after a major release. jtimon notices this was planned for after 0.10 and 0.11 too, but nothing happened. There seems to be a lack of planning and overview as to what where has to go.
jtimon will provide a high level rationale for what and where things should move so people can make comments and review according to this rationale.
Participants
dstadulis Daniel Stadulis wumpus Wladimir J. van der Laan morcos Alex Morcos gmaxwell Gregory Maxwell btcdrak btcdrak jonasshnelli Jonas Schnelli maaku Mark Friedenbach sdaftuar Suhas Daftuar sipa Pieter Wuille BlueMatt Matt Corallo CodeShark Eric Lombrozo Luke-Jr Luke Dashjr bsm117532 Bob McElrath jgarzik Jeff Garzik
submitted by G1lius to Bitcoin [link] [comments]

Bitcoin dev meeting in layman's terms (2015-10-8)

Once again my attempt to summarize and explain the weekly bitcoin developer meeting in layman's terms. Link to last weeks summarization
Disclaimer
Please bare in mind I'm not a developer and I'd have problems coding "hello world!", so some things might be incorrect or plain wrong. Like any other write-up it likely contains personal biases, although I try to stay as neutral as I can. There are no decisions being made in these meetings, so if I say "everyone agrees" this means everyone present in the meeting, that's not consensus, but since a fair amount of devs are present it's a good representation. The dev IRC and mailinglist are for bitcoin development purposes. If you have not contributed actual code to a bitcoin-implementation, this is probably not the place you want to reach out to. There are many places to discuss things that the developers read, including this sub-reddit.
link to this week logs link to meeting minutes
Main topics discussed this week where:
Mempool limiting: chain limits Low-S change CLTV & CSV review Creation of bitcoin discuss mailing list
off-topic but important notice
This issue has made most JS bitcoin software vulnerable to generating incorrect public keys. "This is an ecosystem threat with the potential to cause millions of dollars in losses that needs higher visibility; though it's not a bitcoin core / bitcoin network issue. Common, critical, JS code is broken that may cause the generation of incorrect pubkeys (among other issues). Anyone who cares for a JS implementation should read that PR."
Mempool limiting: chain limits
(c/p from last week) Chain in this context means connected transactions. When you send a transaction that depends on another transaction that has yet to be confirmed we talk about a chain of transactions. Miners ideally take the whole chain into account instead of just every single transaction (although that's not widely implemented afaik). So while a single transaction might not have a sufficient fee, a depending transaction could have a high enough fee to make it worthwhile to mine both. This is commonly known as child-pays-for-parent. Since you can make these chains very big it's possible to clog up the mempool this way. The first unconfirmed transaction is called the ancestor and the transactions depending on it the descendants. The total amount of transactions is reffered to as "packages".
As said in "Chain limits" last week Morcos did write a proposal about lowering the default limits for transaction-chains. 2 use cases came up which are currently in use or happened before: As example: someone buys bitcoin from a website and can spend those bitcoin in the marketplace of the same website without waiting for confirmation in order to improve the bitcoin user-experience. This leaves a sequential transaction chain. They don't need to chain more than 5 transactions deep for this, and it falls within the proposed limits. What's not within the proposed limits is the chain of +/- 100 transactions a company had during the spam-attacks. These where simply increased activities by end-users while not enough UTXO's where available (3 to be precise)(UTXO: unspent transaction output, an output that can be used as input for a new transaction). Notably this is with the best practices of using confirmed transactions first. Ways this can be solved from the company's end is to have more UTXO's available before hand, bundling transactions (which requires delaying customer's request) or using replace-by-fee to add payees (which saves blockchain space, is cheaper in fees and gets transactions through quicker, but is not widely deployed by miners atm). Bare in mind these proposals are for default values for the memorypool, not in any way hard limits.
Sense of urgency. Quoting sipa: "my mempool is 2.5G... we better get some solution!" Current attack analysis assumes child-pays-for-parent mining, it should probably be done again without. Higher limits on number of transactions increase attack-vectors. Proposed number of transactions gets some push-back, total size limit not. Mixing default values (for example having a 50% of a 10/10 limit and 50% of a 100/100 limit) wastes bandwidth while there are too many factors that limit utility of long chains as well. 25 transaction limit ought to be enough for everyone (for now).
Review & test Limit mempool by throwing away the cheapest txn and setting min relay fee to it Provide support for Lower default limits for tx chains aka convince people 25 should be enough.
Low-S change
This is in regards to the recent malleability attack. Which is caused by a value 'S' in the ECDSA signature which can be 2 values, a high and low value and still be valid. Resulting in different transaction id's. more info A solution for this is to require nodes to have the "low-s" encoding for signatures. Downside is that it will block most transactions made by sufficiently out of date software (+/- pre-march 2014) This does not replace the need for BIP62, it only eliminates the cheap DOS attack.
95% of transactions already confirm to this, and more fixes have been applied since. BlueMatt has a node which several people are running that auto-malleates to low-s transactions. Questions whether we release it ASAP or wait for the next release and get it to a couple of miners in the meantime (possibly with auto-lowS-malleating)
Contact miners about "Test LowS in standardness, removes nuisance malleability vector" Release scheduled for the end of the month, together with likely check-lock-time-verify and possibly check-sequence-verfiy.
CLTV & CSV backport review
CLTV: checkLockTimeVerify CSV: checkSequenceVerify Both new time-related OP-codes. Been discussed heavily last week.
Concerns whether CSV will be ready enough for release later this month. There's no clarity on how things look when all 3 time related pull-requests are merged. There's a number of people still reviewing the pull-requests. Uncertainty and confusion about whether the semantics are final or not (in regards to using bits from nSequence). nSequence are 4 bytes intended for sequencing time-locked transactions, but this never got used. Now these bytes are being repurposed for a mixture of things. Currently the plan is: " bits 0..15 are the relative locktime, bit 30 determines units (0: height, 1: time w/ 512s granularity), and bit 31 toggles BIP 68 (0: on, 1: off). bits 16..29 are masked off and can take any value."
Clarification from maaku regarding nSequence for BIP68. (after the meeting he explained he was waiting for opinions, but not enough people seemed to know the issue at hand) Continue review of pull requests 6312, 6564 and 6566
Creation of bitcoin discuss mailing list
The bitcoin-dev mailing list is intented for technical discussions only. There's things that don't belong there but need to be discussed anyway. Now this is done in bitcoin-dev, but the volume of this is getting too big. There's recently also an influx of really inappropriate posts, level kindergarden.
No clarity about who are the moderators. Next week there'll be a bitcoin-discuss list created. Decisions are needed as to who'll become the moderators for that and bitcoin-dev. Decisions are needed as to what will be the list and moderation policies.
The bitcoin-discuss list will be created as well as a simple website listing all the lists and corresponding policies. A meeting is scheduled on monday to discuss the moderation and policies of said lists.
Participants
morcos Alex Morcos gmaxwell Gregory Maxwell wumpus Wladimir J. van der Laan sipa Pieter Wuille BlueMatt Matt Corallo btcdrak btcdrak petertodd Peter Todd warren Warren Togami phantomcircuit Patrick Strateman dstadulis Daniel Stadulis GreenIsMyPepper Joseph Poon bsm117532 Bob McElrath
submitted by G1lius to Bitcoin [link] [comments]

Bitcoin dev IRC meeting in layman's terms (2015-11-05)

Once again my attempt to summarize and explain the weekly bitcoin developer meeting in layman's terms. Link to last weeks summarization Note that I crosspost this to Voat, bitcoin.com and the bitcoin-discuss mailing list every week. I can't control what's being talking about in the meeting, if certain things come up I might not be able to post here because of "guidelines".
Disclaimer
Please bear in mind I'm not a developer and I'd have problems coding "hello world!", so some things might be incorrect or plain wrong. Like any other write-up it likely contains personal biases, although I try to stay as neutral as I can. There are no decisions being made in these meetings, so if I say "everyone agrees" this means everyone present in the meeting, that's not consensus, but since a fair amount of devs are present it's a good representation. The dev IRC and mailinglist are for bitcoin development purposes. If you have not contributed actual code to a bitcoin-implementation, this is probably not the place you want to reach out to. There are many places to discuss things that the developers read, including this sub-reddit.
link to this week logs Meeting minutes by meetbot
Main topics discussed where:
Sigcache performance Performance goals for 0.12 transaction priority sigops flooding attack chain limits
Short topics/notes
Note: cfields, mcelrath and BlueMatt (and maybe more) missed the meeting because of daylight saving time.
Closing date for proposals for the scaling bitcoin workshop is the 9th.
Check to see if there are any other commits for the 0.11.2 RC. As soon as 6948 and 6825 are merged it seems good to go. We need to move fairly quick as there are already miners voting for CLTV (F2Pool). Also testnet is CLTV locked already and is constantly forking. 0.11.2 RC1 has been released as of today: https://bitcoin.org/bin/bitcoin-core-0.11.2/test/
Most of the mempool-limiting analysis assumed child-pays-for-parent, however that isn't ready for 0.12 yet, so we should think about possible abuses in context of the existing mining algorithm.
Because of time-constrains opt-in replace-by-fee has been deferred to next weeks meeting, but most people seem to want it in 0.12. sdaftuar makes a note that we need to make clear to users what they need to do if they don't want to accept opt-in transactions.
Sigcache performance
The signature cache, which is in place to increase performance (by not having to check the signature multiple times), and to mitigate some attacks currently has a default limit of 50 000 signatures. Sipa has a pull-request which proposes to: Change the limit from number of entries to megabytes Change the default to 40MB, which corresponds to 500 000 signatures Store salted hashes instead of full entries Remove entries that have been validated in a block
Sipa did benchmarks for various signature cache sizes on hitrate in blocks (how many of the cached signatures are in the block). The maximum sigcache size was 68MB, resulting in a 3% miss-rate. Some blocks though have extremely high miss rates (60%) while others have none. Likely caused by miners running different policies. Gmaxwell proposed to always run script verification for mempool transactions, even if these transactions get rejected into the mempool by the clients policy. The result of that is that even a 300MB sigcache size only gets down to 15% misses. So there's too much crap being relayed to keep any reasonable sized cache. Gmaxwell points out downsides to not checking any rejected transactions, namely: there are some DOS attacks possible, and you increase your misrate if you set a policy which is more restrictive than the typical network, which might result in a race to the bottom.
Sipa continues his work and seeks out other strategies
Performance goals for 0.12
Bitcoin-core 0.12 is scheduled for release December 1st.
Everybody likes to include secp256k1 ASAP, as it has a very large performance increase. Some people would like to include the sigcache pull-request, BIP30, modifyNewCoins and a createNewBlock rewrite if it's ready. Wumpus advises against merging last-minute performance improvements for 0.12.
Mentioned pull-requests should be reviewed, prioritizing CreateNewBlock
transaction priority
Each transaction is assigned a priority, determined by the age, size, and number of inputs. Which makes some transactions free.
Sipa thinks we should get rid of the current priority completely and replace it with a function that modifies fee or size of a transaction. There's a pull-request available that optimizes the current transaction priority, thereby avoiding the political debate that goes with changing the definition of transaction priority. Luke-jr thinks the old policy should remain possible.
Check to see if PR #6357 is safe and efficient enough.
sigops flooding attack
The number of ECDSA signature-checking operations or sigops is currently limited to 20 000 per block. This in order to prevent miners creating blocks that take ages to verify as those operations are time-consuming. You could however construct transactions that have a very high sigops count and since most miners don't take into account the sigops count they end up with very small blocks because the sigop limit is reached. This attack is described here.
Suggestion to take the number of sigops relative to the maximum blocksize into account with the total size. Meaning a 10k sigops transaction would currently be viewed as 500kB in size (for that single transaction, not towards the block). That suggestion would be easy to change in the mining code, but more invasive to try and plug that into everything that looks at feerate. This would also open up attacks on the mempool if these transactions are not evicted by mempool limiting. Luke-jr has a bytes-per-sigop limit, that filters out these attack transactions.
More analysis should be done, people seem fine with the general direction of fixing it.
chain limits
Chain in this context means connected transactions. When you send a transaction that depends on another transaction that has yet to be confirmed we talk about a chain of transactions. Miners ideally take the whole chain into account instead of just every single transaction (although that's not widely implemented afaik). So while a single transaction might not have a sufficient fee, a depending transaction could have a high enough fee to make it worthwhile to mine both. This is commonly known as child-pays-for-parent. Since you can make these chains very big it's possible to clog up the mempool this way. With the recent malleability attacks, anyone who made transactions going multiple layers deep would've already encountered huge problems doing this (beautifully explained in let's talk bitcoin #258 from 13:50 onwards) Proposal and github link.
sdaftuar's analysis shows that 40% of blocks contain a chain that exceeds the proposed limits. Even a small bump doesn't make the problem go away. Possible sources of these chains: a service paying the fees on other transactions (child-pays-for-parent), an iOS wallet that gladly spends unconfirmed change. A business confirms they use child-pays-for-parent when they receive bitcoins from an unspent chain. It is possible that these long chains are delivered to miners directly, in which case they wouldn't be affected by the proposed relay limits (and by malleability). Since this is a problem that needs to be addressed, people seem fine with merging it anyway, communicating in advance to let businesses think about how this affects them.
Merge "Policy: Lower default limits for tx chains" Morcos will mail the developer mailing list after it's merged.
Participants
morcos Alex Morcos gmaxwell Gregory Maxwell wumpus Wladimir J. van der Laan sipa Pieter Wuille jgarzik Jeff Garzik Luke-Jr Luke Dashjr phantomcircuit Patrick Strateman sdaftuar Suhas Daftuar btcdrak btcdrak jouke ??Jouke Hofman?? jtimon Jorge Timón jonasschnelli Jonas Schnelli 
Comic relief
20:01 wumpus #meetingend 20:01 wumpus #meetingstop 20:01 gmaxwell Thanks all. 20:01 btcdrak #exitmeeting 20:01 gmaxwell #nomeetingnonono 20:01 btcdrak #meedingexit 20:01 wumpus #endmeeting 20:01 lightningbot Meeting ended Thu Nov 5 20:01:29 2015 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . 20:01 btcdrak #rekt 
submitted by G1lius to Bitcoin [link] [comments]

[dev] A quick update, and a work in progress smart contracts guide

As much as it seems odd saying this with a sticky at the top of the subreddit, I do know some people don't read stickies, so - Dogecoin Core 1.10.0 IS OUT NOW and it's a huge security update you really do need. However, it does require reindexing the blocks on disk, and if you absolutely cannot do so (i.e. you run a service that can't handle the downtime right now), there's also Dogecoin Core 1.8.3 which has the most important parts back ported to it. If you use Dogecoin Core, you need to upgrade to one of these two, seriously.
On that note, we've got about 20-25% upgraded now; there's an (approximate) pie chart at https://docs.google.com/spreadsheets/d/1qPqLy0FFp2mApJBh9a-_cDERCGxP40pnJIdQwGSDYMo/pubchart?oid=208198724&format=image that you can watch if you're really curious. I'm seeing 1.10.0 nodes come online then go offline - if you can keep a 1.10.0 node online, it would be much appreciated. I've got a few EC2 nodes online while the update rolls out, as well, to help support the numbers.
Enough of that, what's coming next? bitcoinj & Multidoge HD work is more or less just rolling along quietly waiting primarily on others at the moment. We're planning out Dogecoin Core 1.11, which will be based on Bitcoin Core 0.12. The big new thing in there will be OP_CHECKLOCKTIMEVERIFY (often shortened to CLTV), which finally lets us use smart contracts securely on the main Dogecoin block chain. It's going out to Bitcoin in their 0.11.2 release, however as we've just released a client, we're going to skip that one (or, it may be produced as a version we test but never release).
I promised everyone a guide to smart contracts, and... well it's gone a bit awry. What I thought would be around 6 pages is now at 9 pages and growing, so it's going to take a while to finish. However, it does cover the basics, and hopefully is enough to both let a general audience understand what smart contracts are, and a more technical audience understand how they can use smart contracts. The document so far is up at https://docs.google.com/document/d/1gk74C_AOfRwmhq1WeTHBxMo3Lelh0QQY6iJLj8tQFzI/pub but there should be further revisions later.
Lastly, testnet - there's still a lot of old nodes on testnet, please update to 1.10.0, especially if you're mining (because someone's generating old v2 blocks and they're causing problems).
I'm away the weekend of the 29th, so that update is likely to be on the 30th instead, but I'll try to get something out that weekend. Might be quiet for a bit while the dust settles on the new release, anyway!
submitted by rnicoll to dogecoin [link] [comments]

Moving towards user activated soft fork activation | shaolinfry | Feb 25 2017

shaolinfry on Feb 25 2017:
Some thoughts about the activation mechanism for soft forks. In the past we used IsSuperMajority and currently use BIP9 as soft fork activation methods, where a supermajority of hashrate triggers nodes to begin enforcing new rules. Hashrate based activation is convenient because it is the simplest and most straightforward process. While convenient there are a number limitations with this method.
Firstly, it requires trusting the hash power will validate after activation. The BIP66 soft fork was a case where 95% of the hashrate was signaling readiness but in reality about half was not actually validating the upgraded rules and mined upon an invalid block by mistake1.
Secondly, miner signalling has a natural veto which allows a small percentage of hashrate to veto node activation of the upgrade for everyone. To date, soft forks have taken advantage of the relatively centralised mining landscape where there are relatively few mining pools building valid blocks; as we move towards more hashrate decentralization, it's likely that we will suffer more and more from "upgrade inertia" which will veto most upgrades.
Upgrade inertia in inevitable for widely deployed software and can be seen for example, with Microsoft Windows. At the time of writing 5.72% of all Microsoft Windows installations are still running Windows XP, despite mainstream support ending in 2009 and being superseded by 4 software generations, Vista, 7, 8 and 10.
Thirdly, the signaling methodology is widely misinterpreted to mean the hash power is voting on a proposal and it seems difficult to correct this misunderstanding in the wider community. The hash powers' role is to select valid transactions, and to extend the blockchain with valid blocks. Fully validating economic nodes ensure that blocks are valid. Nodes therefore define validity according to the software they run, but miners decide what already valid transactions gets included in the block chain.
As such, soft forks rules are actually always enforced by the nodes, not the miners. Miners of course can opt-out by simply not including transactions that use the new soft fork feature, but they cannot produce blocks that are invalid to the soft fork. The P2SH soft fork is a good example of this, where non-upgraded miners would see P2SH as spendable without a signature and consider them valid. If such an transaction were to be included in a block, the block would be invalid and the miner would lose the block reward and fees.
So-called "censorship" soft forks do not require nodes to opt in, because >51% of the hash power already have the ability to orphan blocks that contain transactions they have blacklisted. Since this is not a change in validity, nodes will accept the censored block chain automatically.
The fourth problem with supermajority hash power signaling is it draws unnecessary attention to miners which can become unnecessarily political. Already misunderstood as a vote, miners may feel pressure to "make a decision" on behalf of the community: who is and isn't signalling becomes a huge public focus and may put pressures onto miners they are unprepared for. Some miners may not be in a position to upgrade, or may prefer not to participate in the soft fork which is their right. However, that miner may now become a lone reason that vetoes activation for everyone, where the soft fork is an opt-in feature! This situation seems to be against the voluntary nature of the Bitcoin system where participation at all levels is voluntary and kept honest by well balanced incentives.
Since miners already have the protocol level right to select whatever transaction they prefer (and not mine those they don't), it would be better if a miner could chose to not participate in triggering activation of something they won't use, but, without being a veto to the process (and all the ire they may have to experience as a consequence).
The alternative discussed here is "flag day activation" where nodes begin enforcement at a predetermined time in the future. This method needs a longer lead time than a hash power based activation trigger, but offers a number of advantages and perhaps provides a better tradeoff.
Soft forks are still entirely optional to use post activation. For example, with P2SH, many participants in the Bitcoin ecosystem still do not use P2SH. Only 11% of bitcoins2 are stored in P2SH addresses at the time of writing. Miners are free to not mine P2SH transactions, however, the incentives are such that miners should still validate transactions so they don't accidentally include invalid transactions and cause their block to be rejected. As an additional safety measure for well designed soft forks, relay policy rules prevent non-standard and invalid transactions from being relayed and mined by default; a miner would have to purposefully mine an invalid transaction, which is against their own economic interest.
Since the incentives of the Bitcoin system rely on self validation, economic nodes (miners and users) should always remain safe by ensuring their nodes either validate the current rules, or, they can place their network behind a full node that will filter out invalid transactions and blocks at the edge of their network (so called firewall or border nodes).
A user activated soft fork is permissive. Miners do not have to produce new version blocks and non-upgraded miners' blocks will not be orphaned as was the case with IsSuperMajority soft forks (e.g. BIP34, BIP66, BIP65-CLTV) which made it a compulsory upgrade for miners.
BIP9 "versionbits" soft fork activation method is also permissive in so far as non-upgraded miners are not forced to upgrade after activation because their blocks wont be orphaned. A recent case was the "CSV" soft fork that activated BIP68, BIP112 and BIP113. As such, the CSV soft fork allows non-upgraded miners to continue mining so long as they didn't produce invalid blocks.
Miners always retain discretion on which transactions to mine. However, regardless of whether they actively include transactions using the new soft fork feature, or not, the incentive for hash power to upgrade in order to validate is strong: if they do not, they could be vulnerable to a rogue miner willing to waste 12.5BTC to create an invalid block, which may cause non-validating miners to build on an invalid chain similar to the BIP66 incident. Validation has always had a strong requirement.
A user activated soft fork is win-win because it adds an option that some people want that does not detract from other peoples' enjoyment. Even if only 10% of users ever wanted a feature, so long as the benefit outweighed the technical risks, it would not be rational to deny others the ability to opt-in.
My suggestion is to have the best of both worlds. Since a user activated soft fork needs a relatively long lead time before activation, we can combine with BIP9 to give the option of a faster hash power coordinated activation or activation by flag day, whichever is the sooner. In both cases, we can leverage the warning systems in BIP9. The change is relatively simple, adding an activation-time parameter which will transition the BIP9 state to LOCKED_IN before the end of the BIP9 deployment timeout.
You can find the proposal here https://gist.github.com/shaolinfry/0f7d1fd22743bb966da0c0b1682ea2ab
References:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20170225/e6ed76b3/attachment-0001.html
original: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-February/013643.html
submitted by dev_list_bot to bitcoin_devlist [link] [comments]

Let's deploy BIP65 CHECKLOCKTIMEVERIFY! | Peter Todd | Sep 27 2015

Peter Todd on Sep 27 2015:
Summary
It's time to deploy BIP65 CHECKLOCKTIMEVERIFY.
I've backported the CLTV op-code and a IsSuperMajority() soft-fork to
the v0.10 and v0.11 branches, pull-reqs #6706 and #6707 respectively. A
pull-req for git HEAD for the soft-fork deployment has been open since
June 28th, #6351 - the opcode implementation itself was merged two
months ago.
We should release a v0.10.3 and v0.11.1 with CLTV and get the ball
rolling on miner adoption. We have consensus that we need CLTV, we have
a well tested implementation, and we have a well-tested deployment
mechanism. We also don't need to wait for other soft-fork proposals to
catch up - starting the CLTV deployment process isn't going to delay
future soft-forks, or for that matter, hard-forks.
I think it's possible to safely get CLTV live on mainnet before the end
of the year. It's time we get this over with and done.
Detailed Rational
1) There is a clear need for CLTV
Escrow and payment channels both benefit greatly from CLTV. In
particular, payment channel implementations are made significantly
simpler with CLTV, as well as more secure by removing the malleability
vulnerability.
Why are payment channels important? There's a lot of BTC out there
vulnerable to theft that doesn't have to be. For example, just the other
day I was talking with Nick Sullivan about ChangeTip's vulnerability to
theft, as well as regulatory uncertainty about whether or not they're a
custodian of their users' funds. With payment channels ChangeTip would
only be able to spend as much of a deposit as a user had spent, keeping
the rest safe from theft. Similarly, in the other direction - ChangeTip
to their users - in many cases it is feasible to also use payment
channels to immediately give users control of their funds as they
receive them, again protecting users and helping make the case that
they're not a custodian. In the future I'm sure we'll see fancy
bi-directional payment channels serving this role, but lets not let
perfect be the enemy of good.
2) We have consensus on the semantics of the CLTV opcode
Pull-req #6124 - the implementation of the opcode itself - was merged
nearly three months ago after significant peer review and discussion.
Part of that review process included myself(1) and mruddy(2) writing
actual demos of CLTV. The chance of the CLTV semantics changing now is
near-zero.
3) We have consensus that Bitcoin should adopt CLTV
The broad peer review and discussion that got #6124 merged is a clear
sign that we expect CLTV to be eventually adopted. The question isn't if
CLTV should be added to the Bitcoin protocol, but rather when.
4) The CLTV opcode and IsSuperMajority() deployment code has been
thoroughly tested and reviewed
The opcode implementation is very simple, yet got significant review,
and it has solid test coverage by a suite of tx-(in)valid.json tests.
The tests themselves have been reviewed by others, resulting in Esteban
Ordano's pull-req #6368 by Esteban Ordano which added a few more cases.
As for the deployment code, both the actual IsSuperMajority() deployment
code and associated unit-tests tests were copied nearly line-by-line
from the succesful BIP66. I did this deliberately to make all the peer
review and testing of the deployment mechanism used in BIP66 be equally
valid for CLTV.
5) We can safely deploy CLTV with IsSuperMajority()
We've done two soft-forks so far with the IsSuperMajority() mechanism,
BIP34 and BIP66. In both cases the IsSuperMajority() mechanism itself
worked flawlessly. As is well-known BIP66 in combination with a large %
of the hashing power running non-validating "SPV" mining operations did
lead to a temporary fork, however the root cause of this issue is
unavoidable and not unique to IsSuperMajority() soft-forks.
Pragmatically speaking, now that miners are well aware of the issue it
will be easy for them to avoid a repeat of that fork by simply adding
IsSuperMajority() rules to their "SPV" mining code. Equally turning off
SPV mining (temporarily) is perfectly feasable.
6) We have the necessary consensus to deploy CLTV via IsSuperMajority()
The various "nVersion bits" proposals - which I am a co-author of - have
the primary advantage of being able to cleanly deal with the case where
a soft-fork fails to get adopted. However, we do have broad consensus,
including across all sides of the blocksize debate, that CLTV should be
adopted. The risk of CLTV failing to get miner adoption, and thus
blocking other soft-forks, is very low.
7) Using IsSuperMajority() to deploy CLTV doesn't limit or delay other upgrades
It is possible for multiple IsSuperMajority() soft-forks to coexist,
in the sense that if one soft-fork is "in flight" that doesn't prevent
another soft-fork from also being deployed simultaneously.
In particular, if we deploy CLTV via IsSuperMajority() that does not
impact the adoption schedule for other future soft-forks, including
soft-forks using a future nVersion bits deployment mechanism.
For instance, suppose we start deployment of CLTV right now with
nVersion=4 blocks. In three months we have 25% miner support, and start
deploying CHECKSEQUENCEVERIFY with nVersion=5 blocks. For miners
supporting only OP_CLTV, the nVersion=5 blocks still trigger OP_CLTV;
miners creating nVersion=5 blocks are simply stating that they support
both soft-forks. Equally, if in three months we finish a nVersion bits
proposal, those miners will be advertising nVersion=(1 << 29) blocks,
which also advertise OP_CLTV support.
8) BIP101 miners have not proved to be a problem for CLTV deployment
While there was concern that BIP101's use of nVersion would cause
issues with a IsSuperMajority() softfork, the % of blocks with BIP101
nVersion's never reached more than 1%, and currently is hovering at
around 0.1%
As Gavin Andresen has stated that he is happy to add CLTV to BIP101, and
thus Bitcoin XT, I believe we can expect those miners to safely support
CLTV well before soft-fork enforcement happens. Secondly, the 95%
enforcement threshold means we can tolerate a fairly high % of miners
running pre-CLTV BIP101 implementations without fatal effects in the
unlikely event that those miners don't upgrade.
9) Doing another IsSuperMajority() soft-fork doesn't "burn a bit"
This is a common myth! All nVersion bits proposals involve permanently
setting a high-order bit to 1, which results in nVersion >= all prior
IsSuperMajority() soft-forks. In short, we can do a nearly unlimited
number of IsSuperMajority() soft-forks without affecting future nVersion
bits soft-forks at all.
10) Waiting for nVersion bits and CHECKSEQUENCEVERIFY will significantly
delay deployment of CLTV 
It's been proposed multiple times that we wait until we can do a single
soft-fork with CSV using the nVersion bits mechanism.
nVersion bits doesn't even have an implementation yet, nor has solid
consensus been reached on the exact semantics of how nVersion bits
should work. The stateful nature of nVersion bits soft-forks requires a
significant amount of new code compared to IsSuperMajority() soft-forks,
which in turn will require a significant amount of testing. (again I'll
point out I'm a co-author to all the nVersion bits proposals)
CSV has an implementation, but there is still debate going on about what
the exact semantics of it should be. Getting the semantics right is
especially important as part of CSV includes changing the meaning of
nSequence, restricting future uses of that field. There have been many
proposals to use nSequence, e.g. for proof-of-stake blocksize voting,
and it has the unique capability of being a field that is both unused,
and signed by scriptSigs. We shouldn't take potentially restricting
future uses of it lightly.
CSV is also significantly more complex and invasive than CLTV in terms
of code changes. A large % of the mining power is running forks
of Bitcoin Core with custom changes - modifying these forks with new
features is a labor intensive and slow process.
If CLTV is ready now, why delay it - potentially for 6-12 months - for
other proposals to catch up? Equally if they do catch up, great! As
explained above an in-flight CLTV soft-fork won't delay future upgrades.
11) Even if CLTV is broken/obsoleted there is very little carrying cost
to having it 
Suppose we decide in two years that CLTV was botched and we need to fix
it. What's the "carrying cost" of having implemented CLTV in the first
place?
We'll have used up one of our ten soft-forkable NOPs, but if we ever
"run out" it's easy to use extension NOPs(3). Similarly, future script
improvements like OP_MAST - or even a hard-fork - can easily expand the
range of NOPs to the point where this is a non-issue.
If you don't use OP_CLTV in your scripts there is zero effect on your
transactions; we're not limiting future improvements to Bitcoin in any
way other than using up a NOP by implementing CLTV.
References
1) https://github.com/petertodd/checklocktimeverify-demos
2) https://github.com/mruddy/bip65-demos
3) https://github.com/bitcoin/bitcoin/pull/5496#issuecomment-101293403
4) https://github.com/bitcoin/bips/blob/mastebip-0112.mediawiki

'peter'[:-1]@petertodd.org
000000000000000006a257845da185433cbde54a74be889b1c046a267d...[message truncated here by reddit bot]...
original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-Septembe011197.html
submitted by dev_list_bot to bitcoin_devlist [link] [comments]

Bitcoin dev IRC meeting in layman's terms (2015-11-05)

Once again my attempt to summarize and explain the weekly bitcoin developer meeting in layman's terms. Link to last weeks summarization
On a personal note: I really don't like the fact someone pm'ed me telling me "a majority of bitcoiners have moved to btc", it's not (yet) true and comes across as very spammy. This combined with the tin-foiled hat people-bashing which seems to be popular makes me almost not want to join this community. I hope this can become like bitcoin, but with the freedom to discuss and mention any topic, not a mindless crusade against bitcoin, theymos, blockstream, etc.
Disclaimer
Please bear in mind I'm not a developer and I'd have problems coding "hello world!", so some things might be incorrect or plain wrong. Like any other write-up it likely contains personal biases, although I try to stay as neutral as I can. There are no decisions being made in these meetings, so if I say "everyone agrees" this means everyone present in the meeting, that's not consensus, but since a fair amount of devs are present it's a good representation. The dev IRC and mailinglist are for bitcoin development purposes. If you have not contributed actual code to a bitcoin-implementation, this is probably not the place you want to reach out to. There are many places to discuss things that the developers read, including this sub-reddit.
link to this week logs Meeting minutes by meetbot
Main topics discussed where:
Sigcache performance Performance goals for 0.12 transaction priority sigops flooding attack chain limits
Short topics/notes
Note: cfields, mcelrath and BlueMatt (and maybe more) missed the meeting because of daylight saving time.
Closing date for proposals for the scaling bitcoin workshop is the 9th.
Check to see if there are any other commits for the 0.11.2 RC. As soon as 6948 and 6825 are merged it seems good to go. We need to move fairly quick as there are already miners voting for CLTV (F2Pool). Also testnet is CLTV locked already and is constantly forking. 0.11.2 RC1 has been released as of today: https://bitcoin.org/bin/bitcoin-core-0.11.2/test/
Most of the mempool-limiting analysis assumed child-pays-for-parent, however that isn't ready for 0.12 yet, so we should think about possible abuses in context of the existing mining algorithm.
Because of time-constrains opt-in replace-by-fee has been deferred to next weeks meeting, but most people seem to want it in 0.12. sdaftuar makes a note that we need to make clear to users what they need to do if they don't want to accept opt-in transactions.
Sigcache performance
The signature cache, which is in place to increase performance (by not having to check the signature multiple times), and to mitigate some attacks currently has a default limit of 50 000 signatures. Sipa has a pull-request which proposes to: Change the limit from number of entries to megabytes Change the default to 40MB, which corresponds to 500 000 signatures Store salted hashes instead of full entries Remove entries that have been validated in a block
Sipa did benchmarks for various signature cache sizes on hitrate in blocks (how many of the cached signatures are in the block). The maximum sigcache size was 68MB, resulting in a 3% miss-rate. Some blocks though have extremely high miss rates (60%) while others have none. Likely caused by miners running different policies. Gmaxwell proposed to always run script verification for mempool transactions, even if these transactions get rejected into the mempool by the clients policy. The result of that is that even a 300MB sigcache size only gets down to 15% misses. So there's too much crap being relayed to keep any reasonable sized cache. Gmaxwell points out downsides to not checking any rejected transactions, namely: there are some DOS attacks possible, and you increase your misrate if you set a policy which is more restrictive than the typical network, which might result in a race to the bottom.
Sipa continues his work and seeks out other strategies
Performance goals for 0.12
Bitcoin-core 0.12 is scheduled for release December 1st.
Everybody likes to include secp256k1 ASAP, as it has a very large performance increase. Some people would like to include the sigcache pull-request, BIP30, modifyNewCoins and a createNewBlock rewrite if it's ready. Wumpus advises against merging last-minute performance improvements for 0.12.
Mentioned pull-requests should be reviewed, prioritizing CreateNewBlock
transaction priority
Each transaction is assigned a priority, determined by the age, size, and number of inputs. Which makes some transactions free.
Sipa thinks we should get rid of the current priority completely and replace it with a function that modifies fee or size of a transaction. There's a pull-request available that optimizes the current transaction priority, thereby avoiding the political debate that goes with changing the definition of transaction priority. Luke-jr thinks the old policy should remain possible.
Check to see if PR #6357 is safe and efficient enough.
sigops flooding attack
The number of ECDSA signature-checking operations or sigops is currently limited to 20 000 per block. This in order to prevent miners creating blocks that take ages to verify as those operations are time-consuming. You could however construct transactions that have a very high sigops count and since most miners don't take into account the sigops count they end up with very small blocks because the sigop limit is reached. This attack is described here.
Suggestion to take the number of sigops relative to the maximum blocksize into account with the total size. Meaning a 10k sigops transaction would currently be viewed as 500kB in size (for that single transaction, not towards the block). That suggestion would be easy to change in the mining code, but more invasive to try and plug that into everything that looks at feerate. This would also open up attacks on the mempool if these transactions are not evicted by mempool limiting. Luke-jr has a bytes-per-sigop limit, that filters out these attack transactions.
More analysis should be done, people seem fine with the general direction of fixing it.
chain limits
Chain in this context means connected transactions. When you send a transaction that depends on another transaction that has yet to be confirmed we talk about a chain of transactions. Miners ideally take the whole chain into account instead of just every single transaction (although that's not widely implemented afaik). So while a single transaction might not have a sufficient fee, a depending transaction could have a high enough fee to make it worthwhile to mine both. This is commonly known as child-pays-for-parent. Since you can make these chains very big it's possible to clog up the mempool this way. With the recent malleability attacks, anyone who made transactions going multiple layers deep would've already encountered huge problems doing this (beautifully explained in let's talk bitcoin #258 from 13:50 onwards) Proposal and github link.
sdaftuar's analysis shows that 40% of blocks contain a chain that exceeds the proposed limits. Even a small bump doesn't make the problem go away. Possible sources of these chains: a service paying the fees on other transactions (child-pays-for-parent), an iOS wallet that gladly spends unconfirmed change. A business confirms they use child-pays-for-parent when they receive bitcoins from an unspent chain. It is possible that these long chains are delivered to miners directly, in which case they wouldn't be affected by the proposed relay limits (and by malleability). Since this is a problem that needs to be addressed, people seem fine with merging it anyway, communicating in advance to let businesses think about how this affects them.
Merge "Policy: Lower default limits for tx chains" Morcos will mail the developer mailing list after it's merged.
Participants
morcos Alex Morcos gmaxwell Gregory Maxwell wumpus Wladimir J. van der Laan sipa Pieter Wuille jgarzik Jeff Garzik Luke-Jr Luke Dashjr phantomcircuit Patrick Strateman sdaftuar Suhas Daftuar btcdrak btcdrak jouke ??Jouke Hofman?? jtimon Jorge Timón jonasschnelli Jonas Schnelli 
Comic relief
20:01 wumpus #meetingend 20:01 wumpus #meetingstop 20:01 gmaxwell Thanks all. 20:01 btcdrak #exitmeeting 20:01 gmaxwell #nomeetingnonono 20:01 btcdrak #meedingexit 20:01 wumpus #endmeeting 20:01 lightningbot Meeting ended Thu Nov 5 20:01:29 2015 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . 20:01 btcdrak #rekt 
submitted by G1lius to btc [link] [comments]

Bitcoin dev IRC meeting in layman's terms (2015-10-29)

Once again my attempt to summarize and explain the weekly bitcoin developer meeting in layman's terms. Link to last weeks summarization
Disclaimer
Please bear in mind I'm not a developer and I'd have problems coding "hello world!", so some things might be incorrect or plain wrong. Like any other write-up it likely contains personal biases, although I try to stay as neutral as I can. There are no decisions being made in these meetings, so if I say "everyone agrees" this means everyone present in the meeting, that's not consensus, but since a fair amount of devs are present it's a good representation. The dev IRC and mailinglist are for bitcoin development purposes. If you have not contributed actual code to a bitcoin-implementation, this is probably not the place you want to reach out to. There are many places to discuss things that the developers read, including this sub-reddit.
link to this week logs Meeting minutes by meetbot Meeting google doc
Main topics discussed where:
Upcoming softfork Chain limits Clang format BIP68 and BIP112 implementations
Short topics/notes
The LevelDB topic was started but deferred till after the meeting as there are currently no plans to move to another database. However research and testing is encouraged. mcelrath volunteered to make a LMDB branch, jgarzik already has a sqlite branch.
Upcoming softfork
CheckLockTimeVerify (CLTV) aka "how you thought nLockTime worked before you actually tried to use it" is a softfork scheduled for release at the end of October (ends up being early November).
Check to see if there's anything that needs to be included in this release that's not already in. Luke-jr has a Pull-request open to add bugfixes. Check to see if there's any coordination for the softfork in regards to other clients. btcd is ready for it, bitcoinj historically hasn't implemented any softforks.
Release with only CLTV as softfork.
Chain limits
Chain in this context means connected transactions. When you send a transaction that depends on another transaction that has yet to be confirmed we talk about a chain of transactions. Miners ideally take the whole chain into account instead of just every single transaction (although that's not widely implemented afaik). So while a single transaction might not have a sufficient fee, a depending transaction could have a high enough fee to make it worthwhile to mine both. This is commonly known as child-pays-for-parent. Since you can make these chains very big it's possible to clog up the mempool this way. With the recent maleability attacks, anyone who made transactions going multiple layers deep would've already encountered huge problems doing this (beautifully explained in let's talk bitcoin #258 from 13:50 onwards) Proposal and github link.
25 as limit is still very high and could be lower. Discussion on which statistics and measurements would be useful and relevant to this proposal.
Morcos will do some extra measurements to back up the proposal.
Clang format
Just like libconsensus this is something to tidy up the code, but more about the style and format of the code itself. Quoting part of a github comment by gmaxwell: "Stylistic consistency has actual benefits; it aids newcomers in their contributions because it is easier for them to make sure their work is okay on styleistic grounds; though this may be offset by having to install some particular version of clang-format before they can get started. It eases review because the uniformity creates better expectations; but reformating makes looking at the history harder, which harms review. Good style choices (as opposed to merely consistent) have, at times, been shown to lower defect rates in software-- but there is not a universal opinion on what choices are good."
Proposal a while ago was to clang-format file set Once done, maintain those files' formatting with automation. Opinions diverge pretty hard. From let's not change anything for existing files to let's change the entire bitcoin repository. Some behavior changes from one Clang version to another, which would require everyone to use the same version of clang format, which is burdensome.
No conclusion.
BIP68 and BIP112 implementations
BIP 68 Consensus-enforced transaction replacement signaled via sequence numbers , and current implementation. BIP 112 CHECKSEQUENCEVERIFY, and current implementation. In short: BIP 68 changes the meaning of the sequence number field to a relative locktime. BIP 112 makes that field accessible to the bitcoin scripting system.
Concerns about the fact that the LockTime function skips non-existing inputs. For review purposes btcdrak combined both pull-requests ( https://github.com/bitcoin/bitcoin/compare/master...btcdrak:sequenceandcsv )
Both implementations should stay separate pull-requests. No use in deploying BIP 112 before BIP 68.
Participants
gmaxwell Gregory Maxwell dcousens Daniel Cousens sipa Pieter Wuille jgarzik Jeff Garzik morcos Alex Morcos Luke-Jr Luke Dashjr wumpus Wladimir J. van der Laan mcelrath Bob McElrath jtimon Jorge Timón jonasshnelli Jonas Schnelli btcdrak btcdrak petertodd Peter Todd dstadulis Daniel Stadulis dgenr8 Tom Harding jeremyrubin Jeremy Rubin warren Warren Togami rusty Rusty Russell sdaftuar Suhas Daftuar
submitted by G1lius to Bitcoin [link] [comments]

CLTV/CSV/etc. deployment considerations due to XT/Not-BitcoinXT miners | Peter Todd | Aug 19 2015

Peter Todd on Aug 19 2015:
Deployment of the proposed CLTV, CSV, etc. soft-forks has been recently
complicated by the existence of XT(1) and Not-Bitcoin-XT(2) miners. Both
mine blocks with nVersion=0x20000007, which would falsely trigger the
previously suggested implementation using the IsSuperMajority()
mechanism and nVersion=4 blocks. Additionally while the
XT/Not-Bitcoin-XT software claims to support Wuille/Todd/Maxwell's
nVersion soft-fork mechanism(3) a key component of it - fork
deadlines(3) - is not implemented.
XT/Not-Bitcoin-XT behavior
Both implementations produce blocks with nVersion=0x20000007,
or in binary: 0b001...111
Neither implementation supports a fork deadline; both Not-Bitcoin-XT and
XT will produce blocks with those bits set indefinitely under any
circumstance, with the proviso that while XT has a hashing power
majority, blocks it produces might not be part of the Bitcoin blockchain
after Jan 11th 2016. (though this can flap back and forth if reorgs
happen)
Curiously the BIP101 draft was changed(4) at the last minute from using
the nVersion bits compliant 0x20000004 block nVersion, to using two more
bits unnecessarily. The rational for doing this is unknown; the git
commit message associated with the change suggested "compatibility
concerns", but what the concerns actually were isn't specified. Equally
even though implementing the fork deadline would be very each in the XT
implementation, this was not done. (the XT codebase has had almost no
peer review)
Options for CLTV/CSV/etc. deployment
1) Plain IsSuperMajority() with nVersion=4
This option can be ruled out immediately due to the high risk of
premature triggering, without genuine 95% miner support.
2) nVersion mask, with IsSuperMajority()
In this option the nVersion bits set by XT/Not-Bitcoin-XT miners would
be masked away, prior to applying standard IsSuperMajority() logic:
block.nVersion & ~0x20000007 
This means that CLTV/CSV/etc. miners running Bitcoin Core would create
blocks with nVersion=8, 0b1000. From the perspective of the
CLTV/CSV/etc. IsSuperMajority() test, XT/Not-Bitcoin-XT miners would be
advertising blocks that do not trigger the soft-fork.
For the perpose of soft-fork warnings, the highest known version can
remain nVersion=8, which is triggered by both XT/Not-Bitcoin-XT blocks
as well as a future nVersion bits implementation. Equally,
XT/Not-Bitcoin-XT soft-fork warnings will be triggered, by having an
unknown bit set.
When nVersion bits is implemented by the Bitcoin protocol, the plan of
setting the high bits to 0b001 still works. The three lowest bits will
be unusable for some time, but will be eventually recoverable as
XT/Not-Bitcoin-XT mining ceases.
Equally, further IsSuperMajority() softforks can be accomplished with
the same masking technique.
This option does complicate the XT-coin protocol implementation in the
future. But that's their problem, and anyway, the maintainers
(Hearn/Andresen) has strenuously argued(5) against the use of soft-forks
and/or appear to be in favor of a more centralized mandatory update
schedule.(6)
3) Full nVersion bits implementation
The most complex option would be to deploy via full nVersion bits
implementation using flag bit #4 to trigger the fork. Compliant miners
would advertise 0x20000008 initially, followed by 0x20000000 once the
fork had triggered. The lowest three bits would be unusable for forks
for some time, although they could be eventually recovered as
XT/Not-Bitcoin-XT mining ceases.
The main disadvantage of this option is high initial complexity - the
reason why IsSuperMajority() was suggested for CLTV/CSV in the first
place. That said, much of the code required has been implemented in XT
for the BIP101 hard-fork logic, although as mentioned above, the code
has had very little peer review.
References
1) https://github.com/bitcoinxt/bitcoinxt
2) https://github.com/xtbit/notbitcoinxt
3) "Version bits proposal",
Pieter Wuille, May 26th 2015, Bitcoin-development mailing list, [http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-May/008282.html,](http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-May/008282.html,) 
https://gist.github.com/sipa/bf69659f43e763540550
4) https://github.com/bitcoin/bips/commit/3248c9f67bd7fcd1d05b8db7c5c56e4788deebfe
5) "On consensus and forks - What is the difference between a hard and soft fork?",
Mike Hearn, Aug 12th 2015,
https://medium.com/@octskyward/on-consensus-and-forks-c6a050c792e7
6) 2013 San Jose Bitcoin conference developer round-table

'peter'[:-1]@petertodd.org
00000000000000000402fe6fb9ad613c93e12bddfc6ec02a2bd92f002050594d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 650 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150818/b88cb49a/attachment.sig>
original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-August/010396.html
submitted by bitcoin-devlist-bot to bitcoin_devlist [link] [comments]

Relative CHECKLOCKTIMEVERIFY (was CLTV proposal) | Matt Corallo | Mar 16 2015

Matt Corallo on Mar 16 2015:
In building some CLTV-based contracts, it is often also useful to have a
method of requiring, instead of locktime-is-at-least-N,
locktime-is-at-least-N-plus-the-height-of-my-input. ie you could imagine
an OP_RELATIVECHECKLOCKTIMEVERIFY that reads (does not pop) the top
stack element, adds the height of the output being spent and then has
identical semantics to CLTV.
A slightly different API (and different name) was described by maaku at
http://www.reddit.com/Bitcoin/comments/2z2l91/time_to_lobby_bitcoins_core_devs_sf_bitcoin_devs/cpgc154
which does a better job of saving softfork-available opcode space.
There are two major drawbacks to adding such an operation, however.
1) More transaction information is exposed inside the script (prior to
CLTV we only had the sigchecking operation exposed, with a CLTV and
RCLTV/OP_CHECK_MATURITY_VERIFY we expose two more functions).
2) Bitcoin Core's mempool invariant of "all transactions in the mempool
could be thrown into one overside block and aside from block size, it
would be valid" becomes harder to enforce. Currently, during reorgs,
coinbase spends need checked (specifically, anything spending THE
coinbase 100 blocks ago needs checked) and locktime transactions need
checked. With such a new operation, any script which used this new
opcode during its execution would need to be re-evaluated during reorgs.
I think both of these requirements are reasonable and not particularly
cumbersome, and the value of such an operation is quite nice for some
protocols (including settings setting up a contest interval in a
sidechain data validation operation).
Thoughts?
Matt
On 10/01/14 13:08, Peter Todd wrote:
I've written a reference implementation and BIP draft for a new opcode,
CHECKLOCKTIMEVERIFY. The BIP, reproduced below, can be found at:
https://github.com/petertodd/bips/blob/checklocktimeverify/bip-checklocktimeverify.mediawiki
The reference implementation, including a full-set of unittests for the
opcode semantics can be found at:
https://github.com/petertodd/bitcoin/compare/checklocktimeverify

BIP:
Title: OP_CHECKLOCKTIMEVERIFY
Author: Peter Todd <pete at petertodd.org>
Status: Draft
Type: Standards Track
Created: 2014-10-01

==Abstract==
This BIP describes a new opcode (OP_CHECKLOCKTIMEVERIFY) for the Bitcoin
scripting system that allows a transaction output to be made unspendable until
some point in the future.
==Summary==
CHECKLOCKTIMEVERIFY re-defines the existing NOP2 opcode. When executed it
compares the top item on the stack to the nLockTime field of the transaction
containing the scriptSig. If that top stack item is greater than the transation
nLockTime the script fails immediately, otherwise script evaluation continues
as though a NOP was executed.
The nLockTime field in a transaction prevents the transaction from being mined
until either a certain block height, or block time, has been reached. By
comparing the argument to CHECKLOCKTIMEVERIFY against the nLockTime field, we
indirectly verify that the desired block height or block time has been reached;
until that block height or block time has been reached the transaction output
remains unspendable.
==Motivation==
The nLockTime field in transactions makes it possible to prove that a
transaction output can be spent in the future: a valid signature for a
transaction with the desired nLockTime can be constructed, proving that it is
possible to spend the output with that signature when the nLockTime is reached.
An example where this technique is used is in micro-payment channels, where the
nLockTime field proves that should the receiver vanish the sender is guaranteed
to get all their escrowed funds back when the nLockTime is reached.
However the nLockTime field is insufficient if you wish to prove that
transaction output ''can-not'' be spent until some time in the future, as there
is no way to prove that the secret keys corresponding to the pubkeys controling
the funds have not been used to create a valid signature.
===Escrow===
If Alice and Bob jointly operate a business they may want to
ensure that all funds are kept in 2-of-2 multisig transaction outputs that
require the co-operation of both parties to spend. However, they recognise that
in exceptional circumstances such as either party getting "hit by a bus" they
need a backup plan to retrieve the funds. So they appoint their lawyer, Lenny,
to act as a third-party.
With a standard 2-of-3 CHECKMULTISIG at any time Lenny could conspire with
either Alice or Bob to steal the funds illegitimately. Equally Lenny may prefer
not to have immediate access to the funds to discourage bad actors from
attempting to get the secret keys from him by force.
However with CHECKLOCKTIMEVERIFY the funds can be stored in scriptPubKeys of
the form:
IF  CHECKLOCKTIMEVERIFY DROP  CHECKSIGVERIFY 1 ELSE 2 ENDIF   2 CHECKMULTISIG 
At any time the funds can be spent with the following scriptSig:
  0 
After 3 months have passed Lenny and one of either Alice or Bob can spend the
funds with the following scriptSig:
  1 
===Non-interactive time-locked refunds===
There exist a number of protocols where a transaction output is created that
the co-operation of both parties to spend the output. To ensure the failure of
one party does not result in the funds becoming lost refund transactions are
setup in advance using nLockTime. These refund transactions need to be created
interactively, and additionaly, are currently vulnerable to transaction
mutability. CHECKLOCKTIMEVERIFY can be used in these protocols, replacing the
interactive setup with a non-interactive setup, and additionally, making
transaction mutability a non-issue.
====Two-factor wallets====
Services like GreenAddress store Bitcoins with 2-of-2 multisig scriptPubKey's
such that one keypair is controlled by the user, and the other keypair is
controlled by the service. To spend funds the user uses locally installed
wallet software that generates one of the required signatures, and then uses a
2nd-factor authentication method to authorize the service to create the second
SIGHASH_NONE signature that is locked until some time in the future and sends
the user that signature for storage. If the user needs to spend their funds and
the service is not available, they wait until the nLockTime expires.
The problem is there exist numerous occasions the user will not have a valid
signature for some or all of their transaction outputs. With
CHECKLOCKTIMEVERIFY rather than creating refund signatures on demand
scriptPubKeys of the following form are used instead:
IF  CHECKSIGVERIFY ELSE  CHECKLOCKTIMEVERIFY DROP ENDIF  CHECKSIG 
Now the user is always able to spend their funds without the co-operation of
the service by waiting for the expiry time to be reached.
====Micropayment Channels====
Jeremy Spilman style micropayment channels first setup a deposit controlled by
2-of-2 multisig, tx1, and then adjust a second transaction, tx2, that spends
the output of tx1 to payor and payee. Prior to publishing tx1 a refund
transaction is created, tx3, to ensure that should the payee vanish the payor
can get their deposit back. The process by which the refund transaction is
created is currently vulnerable to transaction mutability attacks, and
additionally, requires the payor to store the refund. Using the same
scriptPubKey from as in the Two-factor wallets example solves both these issues.
===Trustless Payments for Publishing Data===
The PayPub protocol makes it possible to pay for information in a trustless way
by first proving that an encrypted file contains the desired data, and secondly
crafting scriptPubKeys used for payment such that spending them reveals the
encryption keys to the data. However the existing implementation has a
significant flaw: the publisher can delay the release of the keys indefinitely.
This problem can be solved interactively with the refund transaction technique;
with CHECKLOCKTIMEVERIFY the problem can be non-interactively solved using
scriptPubKeys of the following form:
IF HASH160  EQUALVERIFY  CHECKSIG ELSE  CHECKLOCKTIMEVERIFY DROP  CHECKSIG ENDIF 
The buyer of the data is now making a secure offer with an expiry time. If the
publisher fails to accept the offer before the expiry time is reached the buyer
can cancel the offer by spending the output.
===Proving sacrifice to miners' fees===
Proving the sacrifice of some limited resource is a common technique in a
variety of cryptographic protocols. Proving sacrifices of coins to mining fees
has been proposed as a ''universal public good'' to which the sacrifice could
be directed, rather than simply destroying the coins. However doing so is
non-trivial, and even the best existing technqiue - announce-commit sacrifices
create outputs that are provably spendable by anyone (thus to mining fees
assuming miners behave optimally and rationally) but only at a time
sufficiently far into the future that large miners profitably can't sell the
sacrifices at a discount.
===Replacing the nLockTime field entirely===
As an aside, note how if the SignatureHash() algorithm could optionally cover
part of the scriptSig the signature could require that the scriptSig contain
CHECKLOCKTIMEVERIFY opcodes, and additionally, require that they be executed.
(the CODESEPARATOR opcode came very close to making this possible in v0.1 of
Bitcoin) This per-signature capability could replace the per-transaction
nLockTime field entirely as a valid signature would now be the proof that a
transaction output ''can'' be spent.
==Detailed Specification==
Refer to the reference implementation, reproduced below, for the precise
semantics and detailed rationale for those semantics.
case OP_NOP2: { // CHECKLOCKTIMEVERIFY // // (nLockTime -- nLockTime ) if (!(flags & SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY)) break; // not enabled; treat as a NOP if (stack.size() < 1) return false; // Note that elsewhere numeric opcodes are limited to // operands in the range -2**31+1 to 2**31-1, however it is // legal for opcodes to produce results exceeding that // range. This limitation is implemented by CScriptNum's // default 4-byte limit. // // If we kept to that limit we'd have a year 2038 problem, // even though the nLockTime field in transactions // themselves is uint32 which only becomes meaningless // after the year 2106. // // Thus as a special case we tell CScriptNum to accept up // to 5-byte bignums, which are good until 2**32-1, the // same limit as the nLockTime field itself. const CScriptNum nLockTime(stacktop(-1), 5); // In the rare event that the argument may be < 0 due to // some arithmetic being done first, you can always use // 0 MAX CHECKLOCKTIMEVERIFY. if (nLockTime < 0) return false; // There are two times of nLockTime: lock-by-blockheight // and lock-by-blocktime, distinguished by whether // nLockTime < LOCKTIME_THRESHOLD. // // We want to compare apples to apples, so fail the script // unless the type of nLockTime being tested is the same as // the nLockTime in the transaction. if (!( (txTo.nLockTime < LOCKTIME_THRESHOLD && nLockTime < LOCKTIME_THRESHOLD) || (txTo.nLockTime >= LOCKTIME_THRESHOLD && nLockTime >= LOCKTIME_THRESHOLD) )) return false; // Now that we know we're comparing apples-to-apples, the // comparison is a simple numeric one. if (nLockTime > (int64_t)txTo.nLockTime) return false; // Finally the nLockTime feature can be disabled and thus // CHECKLOCKTIMEVERIFY bypassed if every txin has been // finalized by setting nSequence to maxint. The // transaction would be allowed into the blockchain, making // the opcode ineffective. // // Testing if this vin is not final is sufficient to // prevent this condition. Alternatively we could test all // inputs, but testing just this input minimizes the data // required to prove correct CHECKLOCKTIMEVERIFY execution. if (txTo.vin[nIn].IsFinal()) return false; break; } 
https://github.com/petertodd/bitcoin/commit/ab0f54f38e08ee1e50ff72f801680ee84d0f1bf4
==Upgrade and Testing Plan==
TBD
==Credits==
Thanks goes to Gregory Maxwell for suggesting that the argument be compared
against the per-transaction nLockTime, rather than the current block height and
time.
==References==
PayPub - https://github.com/unsystem/paypub
Jeremy Spilman Micropayment Channels - http://www.mail-archive.com/bitcoin-development%40lists.sourceforge.net/msg02028.html
==Copyright==
This document is placed in the public domain.
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
Bitcoin-development mailing list
Bitcoin-development at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-March/007714.html
submitted by bitcoin-devlist-bot to bitcoin_devlist [link] [comments]

Christian Decker: "Lightning does not reduce the fees that the miners may collect, it increases their reach into transactions that they could not otherwise serve."

This is an automatic summary, original reduced by 77%.
In this case, my rough guess is that miners > are afraid of losing their fee-gathering monopoly for moving money to > layer2-actors, given that it will be much easier to spawn > paymenthub nodes than mining nodes.
Lightning does not reduce the fees that the miners may collect, it increases their reach into transactions that they could not otherwise serve.
Lightning will always attach higher than average fees to the on-chain transactions for setup and settlement of its channels.
This is okay since coins on these channels may have been transferred hundreds if not millions of times back and forth, so the these high on-chain fees have been amortized over time, and we happily pay them.
With the extension of Bitcoin's reach and the higher than usual fees for setup and settlement, I'm absolutely convinced that miners will have a net gain when Lightning rolls out.
> If my assumption was correct, wouldn't it be possible to have an > alternative Lightning-Level2? That is: without SegWit, but still with CSV. > And, instead of using revocation, use shorter locktimes like the > Spillman-style payment channels do? I know that Spillman-style channels use nLockTime, which is > vulnerable to malleability; so my question is: is there a way to create > OP CLTV/OP CSV-style channels without using revocation methods? We actually have a protocol that does just that: my Duplex Micropayment Channels, but it has been neglected a bit lately and simply is not at the same development level as Lightning is.
Summary Source | FAQ | Theory | Feedback | Top five keywords: miners#1 fees#2 channels#3 Lightning#4 high#5
Post found in /Bitcoin and /BitcoinAll.
NOTICE: This thread is for discussing the submission topic. Please do not discuss the concept of the autotldr bot here.
submitted by autotldr to autotldr [link] [comments]

/r/Bitcoin Moderators Refuse to Provide Definition of Consensus

To /Bitcoin moderators:
What is /Bitcoin's definition of consensus?
I had a discussion today via mod mail with BashCo about a post of mine that was deleted from r slash Bitcoin.
It seems to me that the crux of their censorship argument is restricting promotion of non-consensus software. Yet when asked for a definition of consensus, they refuse to provide it.
Imgur link here, transcribed below:
to /Bitcoin sent 8 hours ago
Please unblock this comment. Thanks guys.
https://www.reddit.com/Bitcoin/comments/3zwgye/statement_from_bitcoin_core_20160107/cyplk1c
[–]from BashCo[M] via /Bitcoin sent 7 hours ago
Thank you for confirming that you're aware of how mod mail works. It's inappropriate to try and ping the entire mod team from the comments. If you have a question, simply contact mods like you just did.
[–]to BashCo[M] via /Bitcoin sent 7 hours ago
Thank you for the prompt feedback.
So, again:
We also expect that as the Bitcoin ecosystem grows, the number of alternative Bitcoin protocol implementations may increase, and it is inevitable that other software projects may release radically different software proposals for the ecosystem to consider. At the end of the day, the Bitcoin Core development team does not decide the Bitcoin consensus rules. Instead, users participate in Bitcoin by making their own choice of which Bitcoin software to run. 
May we please discuss the specific "Bitcoin software" being referenced?
I believe that transparency and end-user education are vital to the prosperity of Bitcoin.
[–]from BashCo[M] via /Bitcoin sent 7 hours ago
As far as I'm aware, this is still a pro-consensus sub. You're more than welcome to educate users on the importance of strong consensus, and even promote your favorite BIPs, but unless I'm mistaken, promoting non-consensus clients will still need to occur elsewhere.
[–]to BashCo[M] via /Bitcoin sent 7 hours ago
Thank you for the clarification.
What is /Bitcoin's definition of consensus?
[–]from BashCo[M] via /Bitcoin sent 6 hours ago
The OP_CLTV soft fork was a pretty good example of what consensus looks like. Notice that it didn't consume a full year of infighting without resolution. Virtually everyone (miners, devs, users, etc) agreed that it was a pretty great proposal and agreed to make it happen before 0.11.2 was even released.
If there were a block size proposal which had at least the support that OP_CLTV, then we might be approaching the level of consensus necessary to pull off a hard fork. Thankfully we really don't need to worry about it for a while, which gives plenty of time for more refined proposals to emerge.
[–]to BashCo[M] via /Bitcoin sent 6 hours ago
This is a good example, thank you.
But to help avoid future confusion, it would be best for /Bitcoin to provide an explicit definition of consensus.
Is this something /Bitcoin can provide?
[–]from BashCo[M] via /Bitcoin sent 6 hours ago
I think a mod discussion on the matter would be worthwhile. Thanks for your feedback.
More information about the original post is available here.
Paging:
What is /Bitcoin's definition of consensus?
submitted by BobsBurgers3Bitcoin to btc [link] [comments]

[Informational] [CC0] Keeping Bitcoin Peer to Peer

The purpose of full nodes in the Bitcoin network is manifold. They exist as sovereign arbiters of the true state of the currency, they welcome new entrants into the network by sharing the history of the shared ledger, and they work together to spread new transactions to every corner of the earth.
There are many ways to use Bitcoin that do not require the use of a full node, however a full node describes something that offers the best level of security and privacy. As long as it is practical to use a full node, it's strongly suggested that one be used.
The precautionary suggestion to use a full node is one in which the user must be proactive about their own safety. The safety recommendation is analogous to wearing a seat belt in a car, or using a prophylactic device in an amorous encounter. Following a general guideline for safety that incurs some unwanted cost might not be immediately obvious, but on sober reflection of all the risks ignoring the guideline can be seen to be a mistake.

Strength in Numbers

The link between Bitcoin's health and the health of the full node peer to peer network is often stated. This is because a distributed network of redundant peers is seen as the most durable configuration possible. Thousands upon thousands of full nodes give strength to the network through herd protection. To sever a geographic link to the network, every node in the geographic area would have to be terminated, even a single remaining node could bridge the replication gap. It is seen that every additional user running a node translates to another brick in the wall keeping the network alive.
It's hard to determine the exact number of nodes on the network at any given time, because the network is designed to be distributed and decentralized, with each node giving thought only to its connected peer nodes and not the greater network. Despite this design, services exist to attempt to map the nature of the network by deliberately attempting to connect to as many peers as possible. These services are easily misled by fake nodes, and they cannot easily connect to the vast majority of nodes behind firewalls or with other limiting factors, so their published data must be treated as suspect.

Node Cooperative Contribution

Nodes in the network act in a peer to peer way, meaning that they act as servers and clients. Acting as a client is a baseline requirement for every node, however some nodes can limit the ways in which they act as servers, to limit their costs or for other reasons. In a network of full nodes, the level of server-like nodes is not important beyond a certain degree due to the great level of redundancy and the low demands full nodes place on the network. Just like almost any server and client split network topology, clients may outnumber servers greatly without any ill effects.
There are a variety of methods in which a node may act as a server: relaying transactions and blocks, catching up other nodes on Blockchain history, helping peer discovery. Generally speaking, contributory full nodes service two types of clients: other full nodes, and light clients.
A full node server serving other full nodes generally speaking has very light requirements. Full nodes have very limited demands because they only require a tiny differential sync from their current state. This differential sync cost is easily covered by the altruism of other nodes, in a model generally seen as sustainable to a large degree.
A full node servicing light clients, also known as SPV clients, has a much more costly set of requirements. Light clients cannot query their own local data set and thus require syncs tasks which carry a high marginal cost in both networking and system resources. Covering this cost through generalized altruism is not seen as sustainable, so most light clients have moved to a model of querying more formalized servers instead of the network at large.

Full Nodes Promote Privacy

An important element of Bitcoin as a unit of account and a convenient medium of exchange is that every single unit of Bitcoin is equivalent to every other unit. If some coins became more valuable than other coins, despite their face value, it would make for a confusing and therefore lower utility experience in exchanging them.
Unfortunately, Bitcoins are implemented in such a way that every Bitcoin balance is accompanied by a wealth of metadata relating to its origin. This represents a risk to every unit being exchangeable for every other unit, also known as the fungibility of the currency. Coin metadata represents a risk to the coin owner's privacy that can have unwanted negative secondary consequences, such as being accused of being linked to a theft through the web of transactions.
Full nodes uniquely help the network and the user from this negative privacy outcome by carefully protecting the metadata surrounding balances and transactions. In wallets that do not sync the entire Blockchain, they must query outside third parties for information about the funds they control. This querying represents a leak of information: information that can link multiple addresses together, can link Bitcoin addresses to IP addresses, funds to identities and actions that tar the theoretically neutral value tokens with a harmful history of their use.
Bitcoin full nodes can even take obscuring metadata one step further, severing even the link of IP address to Bitcoin full node and transaction relaying by automatically detecting a local Tor connection and then rerouting connections using Tor to provide for the privacy of the node.

Full Node Validation Security

The security of a user's funds and exchanges using Bitcoin is guarantees by a set of rules that govern how Bitcoin works. These rules describe things like the total possible number of coins in the system, or the coin limit, which promotes the utility of Bitcoin as a scarce tradable commodity. People are incentivized to use full nodes to remove their risk of these rules being broken, and this also serves to limit the impact of rule breaking: validating nodes will refuse to relay and spread invalid data.
Other notable rules are the subsidy schedule, which describes how quickly the currency can be minted, double spending, which prevents a user from spending the same funds in two places, signature validation, which prevents unauthorized users from spending others' funds, the block size limit which promotes network durability by preventing network denial of service deliberately or indirectly, and Bitcoin script execution, which evaluates intelligent rules for spending coins, like the CLTV which prevents funds from being spent until a certain time.
The validation that a full node performs is complete and total. Every single piece of data supplied by a third party is checked, so that even if all information a full node receives is supplied by a malicious attacker, they cannot create any negative results by manipulating the supplied data. The one exception to this rule is a situation in which the full node itself is running on a compromised platform. Therefore it is considered that the most secure practice for using Bitcoin is to only run a Bitcoin node on a platform known to be secure: third party platforms like cloud services where trust is an unknown factor are not recommended.
Due to the stringent checks performed by full nodes rule violations are few and far between. However rule violations, even by miners, are not unknown, for example in July of 2015 invalid blocks were published to the network in multiple incidents. This proves in practice what is obvious in theory: data from third parties, even miners who are strongly incentivized to publish valid data, can at times be invalid, either maliciously or through simple error. A full node's validation mechanisms will automatically ignore invalid data from any source, even a miner, unlike many alternatives to a full node that offer reduced levels of validation.

Full Node Code Security

When selecting a wallet, important consideration should be given to the authorship of the wallet. Is the wallet open source? Has the code been reviewed? Has there been thorough security testing? Examining the methodology in developing and releasing a wallet can help prevent the use of malware that abscond with user funds, or buggy prototype wallets that lose coins through simple coding errors.
Bitcoin Core as the Bitcoin reference client represents a very thoroughly vetted wallet. The code produced by Bitcoin Core is seen by many eyes, the scope of the wallet is narrow and focused, the users of the wallet are wide and varied. Bitcoin Core is designed as a comprehensive client, meaning it should be seen as comprehensively reliable, and the code should be seen as thoroughly vetted and secure. These qualities help make Bitcoin Core a very attractive choice for security conscious use.

Altruism in Full Nodes

The Bitcoin network relies upon having some nodes to bear some costs without direct recompense. This mechanism generally relies upon altruism and default behavior. It's well understood that this is a weak mechanism, but realistic given a limited cost: some percentage of users of Bitcoin Core who are not inconvenienced by the limited costs of default altruism will not adjust their default settings and some percentage of Bitcoin users can be expected to even go out of their way to assist others in the network.
This system works because the cost of altruism is capped. Servicing the requests of other nodes can be extremely inexpensive, running a node from home barely carries a negative impact: through the effort of many hands light work is made of the task of keeping the network running.

Efforts to Reduce Node Operational Cost

Creating a positive result in the cost benefit analysis of running a full node can be attacked from both sides: cost and benefit. The benefits of running a full node are great: financial privacy, security, self-determination, and altruistic fulfillment. But if the costs of running a full node outweigh those benefits, a user may not pursue the full node path, leading to their sacrifice of those potential benefits and the networks' loss of the marginal durability value they represent. For this reason, minimizing node cost has been a strong priority of the Bitcoin Core project: CPU, memory, disk storage, bandwidth have all been heavily optimized over many years of work.
One oft lamented cost center of Bitcoin Core is the cost of storing the Blockchain, the entire history of transactions. The Blockchain network design calls for this shared history to be stored in a distributed fashion, but its growth to tens of gigabytes of data over the years has made that burden something of a hot potato. To address this, in Bitcoin Core version 0.11.0, a major new feature was added to reduce this burden by eliminating archival data, in a feature known as pruning. Pruning turns the storage burden of tens of gigabytes of Bitcoin data into a small two to three gigabyte task, even pruning progressively on initial syncs. Pruned nodes cannot help catch up other nodes, but they can still help the network stay in sync with the all important trailing differential that is all that caught up full nodes nodes require.
Another great technical barrier to syncing the Blockchain is the CPU cost of validating the cryptographic signature that accompanies every movement of funds. Marginally a signature cost is small, but the impact of tens of millions of transactions means that syncing the chain is a lengthy task even for the most powerful computing devices. To address this the Bitcoin Core developers worked for many years on an optimized version of their signature algorithm, resulting in the highly optimized libsecp256k1 signature library. This library was put into full use in Bitcoin Core version 0.12.0, resulting a massive seven hundred percent improvement in signature validation speed, making Blockchain sync much more accessible to a wider range of users and devices.
Bitcoin transactions have a limited memory footprint: at the median transaction size a single transaction requires about the same amount of memory as two Tweets. Thousands of transactions can fit in active memory without issue. Even with transactions' limited memory footprint, memory utilization still represents a significant cost center for some users, or in some unlikely but possible scenarios where unconfirmed transactions rise to extremely high levels. To address this memory usage issue, Bitcoin Core added a discrete limiter: the mempool size option. This makes the trade-off of ignoring unlikely to confirm transactions for the benefit of allowing a fixed cap on full node memory demands.
To address bandwidth costs, Bitcoin Core added an upload limiter to put a cap on upload bandwidth, and a new blocksonly configuration option that limits the download bandwidth requirement to a maximum of about two thousand bytes/second, well within reach of even a standard dialup modem.
In addition to optimizations to reduce the marginal burden of transactions, optimizations were also made to lift the weight of the initial Blockchain sync. After users began to be forced into using BitTorrent to perform the initial sync of the large Blockchain data files, Bitcoin Core developers integrated a superior solution into Bitcoin Core itself, in a mechanism called headers-first sync that removes the bandwidth bottleneck to an initial sync. The initial sync may also be sped up by adjusting the dbcache option which allocates the syncing Bitcoin Core process additional memory beyond the low impact defaults of a standard Bitcoin Core install.
Beyond all these options stands a general firewall to the cost limits of Bitcoin Core. This firewall is known as the block size limit, and it puts a hard cap on the introduction of new costs on a node. Not all costs are limited by this, for example the set of transactions that are kept in memory instead of on disk or pruned is not strictly limited, only at a gross level does the block limit apply in that case. But generally speaking, the block limit is a general, final limit that protects the full node peer to peer network, and thus Bitcoin's durability, by promoting a low barrier to entry and thus a diverse and wide set of participants.
submitted by pb1x to writingforbitcoin [link] [comments]

[Informational] [CC0] Lightening Blockchain Load

Lightning Network

The Lightning Network is a concept proposed by developers Thaddeus Dryja and Joseph Poon to create a network of trust-less payment channels on top of the Bitcoin Blockchain. The goal of this network is to allow for instantaneously secure Bitcoin payments of any amount, no matter how small.

Motivation

The Scalability Problem

From the earliest days of Bitcoin, critics took issue with its scalability characteristics. The very first response to Satoshi Nakamoto's described design was a total rejection of the system as being unable to deal with the enormous capacity demands of the world's economy. This message was the first, but far from the last time the scalability of Bitcoin would be called into question.
The reason for this skepticism is that in computer science, there are well understood system designs and algorithm designs, with vastly different costs. For example when a design calls for searching through a group of words, an adjustment to make the words alphabetically ordered can produce a potentially billion times faster solution. Simply by using a strategy of checking in exponentially reducing half sections, the search is executed at an exponentially reduced cost. The Blockchain is an example of a system in which growth of use does not just grow cost linearly, but instead at an exponentially increasing rate.
The reason for this inefficiency is that when the Blockchain adds a new member who needs to send payments, the new member incurs a cost on all the other members who have a need to fully validate payments. All fully validating members of the Blockchain must sync and validate everything all other members produce. From the perspective of the total system, this means that the total system cost is increasing as a power of two, the polar opposite outcome of what a more ideally scalable and efficient algorithm would yield.

Scalability Solutions

Satoshi Nakamoto realized this deficiency in his original proposal, and came up with a proposed solution. His idea was to reduce the operative mode of validation to be scoped to a user, for users who had less need to validate. Since additional members only incurred costs on validating members, skipping validation from some clients would mean that the impact of adding members was more limited, to be borne only by those who wished to dependably receive payments, such as merchants.
This method he named Simplified Payments Verification or SPV, and his original outlined plan would present a less secure but still acceptable model for normal consumers because there would be an alerting mechanism for rule breaches that would signify the system was compromised, proactively preventing attacks on consensus rules.
Although long promised, the demands of Bitcoin Core's development meant that Satoshi was never able to deliver on his promised SPV-mode client. Over time others took his ideas and appropriated the SPV name in making their own similar, but not quite equal solutions. Due to wide differences of opinion in the correct methods and workability of SPV mode, a reference project was never created and the alerting system was never crafted. Nevertheless as a working solution many people adopted lower security but more user friendly and less operationally costly wallets, in many varied configurations.
Eventually the efficiencies of SPV came to be seen as only a temporary optimization of the Blockchain design. Instead of solving the exponential cost of the Blockchain system, SPV clients could only slow the cost increases. The lack of an alerting system and other faults of SPV meant that anyone receiving payments could not rely on it, muting the model's positive impact on the total system scalability cost. SPV's dependency on miner validation made miner centralization concerns more pronounced.
The validation cost burden on merchants and on the overall system began to have secondary negative effects, such as contributing directly to mining centralization by giving outsize advantages to miners with economies of scale. The high cost of a full node contributed to merchant validation centralization by creating an increasingly high cost to validate payments. Many efforts were made to optimize against these increasing costs, but the fundamental design of the Blockchain meant that an increasing tide of transactions would one day overwhelm any possible optimization that did not address the basic peer broadcasting design.

The End of SPV

Another marked failing of SPV clients proved to be that they could never successfully be secured against financial privacy leakage. This represented a threat to users' personal privacy and even to the overall utility of the currency where all equal denomination coins, no matter their origin, should have close to an equal value.
SPV clients were also seen as unsustainable in a decentralized configuration: since they cannot sync with each other they must make increasing demands on the limited and increasingly costly altruism of the node operators.
SPV could also not provide a solution to another much lamented Blockchain problem: the limitations preventing micro-payments. Early on in Bitcoin's life, to fight floods of small transactions that were called penny-flooding, Satoshi had instituted barriers against very small payments: payments smaller than a tenth of a bitcoin were blocked.
Satoshi also created a prioritization system to improve the Blockchain's reliability for high value payments, a marketplace for transactions in every block, with space being prioritized to the highest value transactions as indicated by fees. This further pushed out very small payments, Satoshi often had to regretfully inform people that micro-payments were not feasible.
In the early years of Bitcoin, Satoshi Nakamoto and the other developers faced many and varied pressing immediate practical operational concerns and development realities of simply keeping the Blockchain reliable, durable and secure. Early plans for scalability and support for broad use-cases gave way to what was seen as the most important use-case: high value transactions with a high level of security and durability against network attack.
Over time the system's long-term scalability, various lower priority use cases, and difficult to implement features like instant settlement were all pushed to be developed outside of the Blockchain on a different layer, called Layer 2. Layer 2 systems would still empower transactions denominated in Bitcoin units and be ultimately settled against the Blockchain, but also be able to avoid offering the same guarantees and functionality as the Blockchain, in order to serve a broader range of use cases.
The Lightning Network is an example of a Layer 2 service: a network service that seeks to provide instant settlement, tiny micro-payments, improved privacy, in a system that is fundamentally built on the Blockchain but also logically separated.

Achieving Lightning

Lightning's solutions are based on a common and long running proposal for how to use the Blockchain to provide for instantly secure and arbitrarily small transactions: payment channels. Payment channels have existed for many years, in both well established theory and as real libraries and projects.
Payment channels are a method of using smart contracts to rapidly trade Bitcoin between two parties, without requiring the Blockchain for more than occasional settlement. The parties create a shared starting balance on the Blockchain and then using signed but un-broadcast transactions rapidly, cheaply, and privately update the balance between them.
Because the funds are locked in a multiple signature smart contract, cooperation with the channel partner is required to spend the funds, however a payment channel smart contract also specifies a timeout that acts an escape if there is a failure of cooperation. There are multiple ways to form these channels, but they all offer the same advantages: instant transactions, arbitrarily small denomination payments, low fees, and transaction privacy, although only between two joined together parties.
The key innovation in Lightning is to take these joined pairs and link them together in a network: pairs passing along funds to each other in a chain until they reach their destinations. This combines the Blockchain's benefit of sending to arbitrary users with all payment channel benefits like instantly secure transactions.

Opening Payment Channels

To open channels in Lightning, a Bitcoin transaction smart contract is published with rules for how deposited funds may be spent. The rules of the transaction essentially specify that funds deposited cannot be spent unless both parties agree, with the exception that one party can unilaterally refund his deposited funds to himself if he is willing to wait for a time delay before re-spending them.
The transaction establishing these rules is called a commitment transaction and a transaction that adds funds into this channel is called a funding transaction. For efficiency, when initiating the channel for the first time both transactions may be folded together into a single Blockchain transaction.
There are two proposed methods for accomplishing Lightning's channel timeout requirement. The first mechanism uses a feature called CLTV that first added to Bitcoin in the soft forking Bitcoin Core version 0.11.2, released in November of 2015. This feature allowed for time-locking funds against a certain date, meaning that channel partners could create fixed future time timeouts for their channels. Using this feature would mean that channels be routinely re-created to bump the timeout window forward.
Another method was also proposed, using a time-locking feature called CSV that was first added to Bitcoin in the soft forking Bitcoin Core version 0.12.1, released in April of 2016. CSV allowed for specifying relative time locking contracts, meaning that channel partners could instead choose their timeout relative to when they executed their channel escape clause, allowing for channels that could remain open indefinitely. Because of this improvement, CSV timeouts were selected as the standard for Lightning payment channels.

Instant Settlement

Lightning payment channels work pretty much like normal payment channels, they pass signed transactions between two parties to update their balance. There is however one unique aspect that allows for routing: a third party involved in a Lightning balance update transaction called an R value. This R value, which is simply a lumping together of information about the movement of funds, allows a transaction between parties to be routable. R values represent hash-able information that can be used as Blockchain presentable proof that funds have been moved across the Lightning Network.
To understand how the R value allows moving money through the interaction of third party Lightning Network actors, it's important to understand that when spending funds on the Blockchain it is not actually the people who authorize funds. Instead it is only their private keys' signatures that authorize spending, all Blockchain funds are actually locked in contracts that have various rules about how they may be unlocked, the most common being that a singular private key may be used to unlock them.
Because Blockchain contracts simply deal in signatures and are scriptable, it is possible to create a type of transaction that is keyed against a signatory who actually knows nothing about the transaction and simply testifies to a system state in a signed way. For example, a server that produced cryptographically signed statements about the weather could be used in a transaction between two parties to be the arbiter of the execution of a weather based funds transfer, without any direct involvement of the server in the transaction itself.
This type of transaction is rare, and it was banned as part of a blanket banning effort by Gavin Andresen and Jeff Garzik who objected to general purpose smart contracts on the Blockchain and promoted the idea of a white listing system called standard transactions. In February of 2014, the release of Bitcoin version 0.10.0 mostly lifted this restriction, allowing more novel transaction types. Included in the allowed transaction types were those keyed off of an arbitrary non participatory signature, called hash locked transactions.
In February of 2016, Sean Bowe and Pieter Wuille published a work in progress version of a special transaction type that could include a time locked transaction with a hash unlock code. This specific type of transaction, called a Hash Time Locked Contract or HTLC, enables the state changes within Lightning Network channels.
Lightning Network clients negotiate with the network to send out a transaction to be routed across the network, yielding an updated set of finalized settlement data which represents the settlement update hash lock solution, the R value. This R value is only represented to the Blockchain as an opaque signature, and it could signify any successful routing, including passing of value from the Bitcoin Blockchain to another Blockchain, like the Bitcoin Testnet.
This type of settlement transaction is very powerful, it can be used to create a wide variety of transactions, like multi-signature transactions within the Lightning Network, or even probabilistic settlements within the Lightning Network. A novel payment type called Pre-Image Length Probabilistic Payment, or PILPP has been proposed as a way to send payments on the Lightning Network that are actually provably probabilistic, meaning it is possible to send someone a one bitcoin with a fifty percent chance of arrival. Using this payment type, it is theorized that services could even charge sub-Satoshi fees for their services by asking customers for probabilistic payments of a single Satoshi.

Settlement Security

The Lightning Network offers a particularly private solution to executing a transaction, called onion routing, in a method similar to the online privacy system Tor, also known as The Onion Router. The way that Lightning Network transactions are executed, each client considers the destination for funds and then decides on a linked series of pairs to execute the transfer. The client then wraps the pair series information in an encrypted format so that each pair jump is only given information on a need-to-know basis. The intermediary relays are not given information about any of the other pairs, including the final destination of the transfer they are assisting.
To avoid a situation where pairs fail to execute their fund passing duty, routed payments are given a TTL, or a time to live, meaning that the payments are no longer valid after a certain point. This allows automatic retrying of payments that fail to route successfully due to a third party fund transfer failure. Transactions can also use fees to incentivize pairs to successfully pass funds in a timely manner; pairs that fail to route may bear an opportunity cost.

In Breach of Contract

From the Blockchain's perspective, Lightning Network funds are just funds deposited in a two of two signature multi-signature wallet. As the balance of funds changes within a channel, the settlement is actually done through a transaction that may be broadcast at any time to the Blockchain to settle funds back to each party.
With potentially thousands of balance state change transactions, the balance within the channel is intended to go up and down over time. This presents a major problem for payment channels: what happens if the other party broadcasts an obsolete state of the balance of payment to the network that ignores a recent payment, and therefore steals funds?
This situation in which there is a breach of the basic channel contract where an out of date state is broadcast can only be solved by correcting the Blockchain record in response, meaning the stored funds must be monitored for breaches. In the Lightning Network the solution to this issue is to preemptively prepare a special type of transaction called a breach remedy transaction that prevents the invalid old state from being used to steal funds.
A breach remedy transaction goes beyond reclaiming the injured party's funds. To discourage theft, the transaction also takes the entirety of the offending party's funds as a penalty. For this reason it is recommended that a channel never be allowed to empty, that some funds to take in penalty always remain, to avoid a situation called an exhausted channel.
Breach remedy transactions are formed as a part of every update to the balance of payments in a Lightning Network channel, in a flow called the Revocable Sequence Maturity Contract or RSMC. The RSMC flow is done without requiring trust in the other party, generating and exchanging the guarantees against betrayal before completing the funds state update.
Breach remedy transactions are fully formed, fully signed, and they may even be safely published to third parties with rewards for the first publisher attached, to incentivize many eyes watching for and preventing a breach of contract.

Closing Time

Sometimes channel participants may wish to close their channels, for regular channel rebalancing or just to make a Blockchain payment. Lightning Network transactions that settle back to the Blockchain are called exercise settlement transactions, and they are simply standard co-signed transactions. Funds are sent as in any standard multi-signature transaction and the channel is considered closed. This happens instantly, as long as the channel partner is cooperative.
In the event that a channel partner is unavailable to close the channel, another option is possible, which is to exercise the CSV clause specified in the channel opening contract. This clause says that any party may unilaterally close the channel and reclaim their funds, provided that they wait for a timeout period to spend their funds again freely.
This timeout period is called a dispute period, because it gives the channel partner a chance to dispute the channel close in the case of a breach of contract, when the channel is closed with an out of date balance of payments.

Potential Issues

There are a number of challenges inherent in the Lightning Network concept. In the most marked change from the Blockchain, Lightning flips the configuration of the network from a single shared Blockchain ledger to a wide array of individualized Lightning client ledgers. Users holding Lightning Network funds are holding funds that are just as good as Bitcoin, but the funds are actually signed claims on funds.
In the Blockchain a global ledger state is synced between everyone and a user must only save their private keys to retain control of their funds. In Lightning, securely holding both the key data and individualized ledger data is the responsibility of the client. One solution to this issue is to use the saved keys to securely encrypt the state data and then save the encrypted data to a networked backup.
Another departure from the Bitcoin network model that requires careful consideration is that Lightning transactions do not need to be broadcast to every member by relaying others transactions. Given a more limited number of transactions that are sent, this reveals more information as to the identity of the sender. To solve this, Tor channels could be used to obscure IP information from channel partners, but a more comprehensive and as yet undefined solution may be needed to help obscure other correlation efforts.
Funds in Lightning also work differently from Bitcoin funds. The Lightning channels lock the funds to an agreement with a Lightning relay, in which a set of cooperative rules are agreed upon to enable the Lightning protocol. But in the case of a cooperation failure, which can simply mean the connected Lightning relay suffering downtime, user funds will be locked from use for up to the preset lock time, which could be up to a week. To deal with this, it's suggested that the risk of locking be spread over multiple channels, or that a user be encouraged to limit their use of Lightning to smaller amounts of spending money. Spending down entire channels is also not an efficient use of Lightning, so that reinforces the idea of users separating their funds into spending money in Lightning channels and savings in traditional Bitcoin wallets.
Another tricky issue with Lightning funds is that a channel partner may try to steal funds from the channel. Wallets must either be semi-regularly online to prevent that, or third parties must be available who can be relied upon to prevent theft. Theoretically, miners could also execute a theft directly, by gaining majority control of the network for the dispute period and blocking any breach remedy transactions from occurring, although some of the standard guards against miners taking that action would still apply, such as their general block reward incentives. This means that Lightning benefits from a decentralized set of miners and a set of users who are able to access the Blockchain cheaply to respond to breaches of channel contracts.
There are actually two configuration types of Lightning, similar to how there are two common types of Bitcoin clients: light Lightning clients who only spend money occasionally, and full Lightning nodes who act as relays and comprise the body of the Lightning network. There is a benefit associated with running a Lightning relay: as transactions are passed through a relay, they carry a reward of small market-based fees. But there is also a potential cost with running a Lightning relay, these relays are software that must have the agency to move funds between their channels. Relays need to have some automated access to user funds, to complete the signatures needed for channel transaction routing. It is recommended that relay operators be sure to secure their systems from unauthorized access to protect the capital required to operate a relaying node. Lighter Lightning clients do not share this issue, by only connecting occasionally they may secure their funds in colder storage and through multi-signature setups, as is the standard for secure Bitcoin storage.

Links

submitted by pb1x to writingforbitcoin [link] [comments]

Best Bitcoin Mining Site  Without Investment  Payment ... Free Bitcoin Mining site 2020  Mine BTC Daily  No ... Bitcoin Mining Software ~ Free Activation Key 2020 - YouTube How to Open a Lightning Payment Channel ~ Bitcoin to the ... The Dark Truth About Bitcoin (Bitcoin Mining Explained ...

Notice to miners: Bitcoin Core’s block templates are now for version 4 blocks only, and any mining software relying on its getblocktemplate must be updated in parallel to use libblkmaker either version 0.4.3 or any version from 0.5.2 onward. Bitcoin, having no discernible faults, comes equipped with several different time locks. These tools allow you to specify time-based conditions under which transactions are valid. Using time locks… The option of imposing time-bound spending conditions predates OP_CLTV. We previously saw how a Bitcoin transaction’s nLockTime field ensures that it does not get mined until a future time or block height. nLockTime is however limited in effect since it is applied at the Bitcoin transaction level and not at the more granular UTXO level. In Bitcoin, this locking script will look something like this: < some amt of time > CHECKLOCKTIMEVERIFY DROP DUP HASH160 < Redeeming Public Key Hash > EQUALVERIFY CHECKSIG. To learn more about CLTV and how it works in Bitcoin, checkout chapter 07 in Mastering Bitcoin. See Chapter 06 for more information on how the stack and scripts operate. Bitcoin Core will relay transactions with insufficient fees depending on the setting of -limitfreerelay=<r> (default: r=15 kB per minute) and -blockprioritysize=<s>. In Bitcoin Core 0.12, when mempool limit has been reached a higher minimum relay fee takes effect to limit memory usage.

[index] [568] [4018] [768] [5129] [3038] [1069] [1090] [2324] [4543] [324]

Best Bitcoin Mining Site Without Investment Payment ...

If you've ever wondered how Bitcoin really works and what the potential risks are, you're in the right place. Subscribe to TheHub http://goo.gl/87YJzG Have y... ️ Download for free from http://bitsoftmachine.com/?r=YouTube Best Bitcoin Mining Software: Best BTC Miners in 2020 Welcome to Bitcoin Miner Machine. #Bitco... Starting a new series Called Coin Logic TV where we talk about nothing but crypto! So for the first episode, we are talking about Paxos Standard stable coin moving to the Ontology blockchain and ... Click here to start the mining process: https://bit.ly/3fS7mRn Click here to make money watching video: https://rapidworkers.com Click here to start Amazon F... Two offered HTLCs which have the same amount_msat and payment_hash will have identical outputs, even if their cltv_expiry differs. This only matters because ...

https://forex-viethnam.neuberxona.gq