Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 8F392A7A for ; Mon, 6 Nov 2017 22:39:14 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-qt0-f196.google.com (mail-qt0-f196.google.com [209.85.216.196]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D7FB879 for ; Mon, 6 Nov 2017 22:39:13 +0000 (UTC) Received: by mail-qt0-f196.google.com with SMTP id h4so13008537qtk.8 for ; Mon, 06 Nov 2017 14:39:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niftybox-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QifNr6IXMqLZYNMD+Bfgxj1oec63DQeDVvr+OU8HOaE=; b=tIM0zFUayeItu8nAUAKUeB0hebAiwMcrYrQKOO+zctZ0no5k4JsMJ6My+xiohacG6Q w7zmffauKdrffrW80Uuv6xeyOiUwJzEAL27kEkKCNo+rcRfmlBATpnfzcD8WLbO68s5v JiIA7/xZdugq99Pr7uUECAMV3bi+bKfIIKIF5LpTJ5MbNPGdKUZcjwhLFXnfPVdNqngD GyYfF87nu7LDw/cR1vXjz42PAxdt72hQ4siv9rAdReiQ8pKKPXH/2bneZX7HRl6qEEeD G6TP0jms5Meagce/r2MlheL6iax5sCV+5Z1QqCbcz7c/eUit83uoUPrxTph4pa87Zq2k 2uUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QifNr6IXMqLZYNMD+Bfgxj1oec63DQeDVvr+OU8HOaE=; b=DYOJsY6k5shGIX/XwRI+rQgY7ZcY4Df+3EthO9rrh9YAEgxilY4Xtfx58wU/O0za5w QmJZzvoGaZCwUHN3JDSdlAGYsHMgYfNujCuiC3ae3bRoN0o7+Zkjy53/FPh5f1w/ctvg gMTFP5+YIEIKMtc9NqibB0PEY2CFKj2tfdU65jqMxLv7eLW0HlZFad1EpaLnTh9zl2Mp Q5gzh4tL5hqQBw732KH9VLBqitZ75CLW5NL7LO0XrOkondrDJkFQxS/wznN35TVd5SAI d/zCaLnvzRlS/5HQRojqCVZ09MVSbvLB8uzXRacC/8DLiJ7uhgY6HvQ8kFtX3xsg8jiD 0Faw== X-Gm-Message-State: AMCzsaXKnWG5wRb/aamG/XaiwOsY5t5fVD3WM8s3ph8Ya5NOWi+31vvX KhMfwaXvkU3ynwRGsInKclDdlSGfff1Vaelkod+EXNq7 X-Google-Smtp-Source: ABhQp+S8FkmFqJidVEY9bL7Y84aHzeTqMWfCQhR04zyia8vMBhGenY7m3fWpKRITG2Og75U7vzg8X7yh/BFT5nkBAyU= X-Received: by 10.237.37.142 with SMTP id x14mr23857509qtc.6.1510007952771; Mon, 06 Nov 2017 14:39:12 -0800 (PST) MIME-Version: 1.0 References: <20171106195000.GA7245@fedora-23-dvm> In-Reply-To: <20171106195000.GA7245@fedora-23-dvm> From: Devrandom Date: Mon, 06 Nov 2017 22:39:02 +0000 Message-ID: To: Peter Todd Content-Type: multipart/alternative; boundary="001a114132a4a2248f055d581f5a" X-Spam-Status: No, score=0.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 06 Nov 2017 23:53:58 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Introducing a POW through a soft-fork X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Nov 2017 22:39:14 -0000 --001a114132a4a2248f055d581f5a Content-Type: text/plain; charset="UTF-8" Hi Peter, thank you for the review. See below On Mon, Nov 6, 2017 at 11:50 AM Peter Todd wrote: > On Wed, Nov 01, 2017 at 05:48:27AM +0000, Devrandom via bitcoin-dev wrote: > > Some quick thoughts... > > > Hi all, > > > > Feedback is welcome on the draft below. In particular, I want to see if > > there is interest in further development of the idea and also interested > in > > any attack vectors or undesirable dynamics. > > > > (Formatted version available here: > > https://github.com/devrandom/btc-papers/blob/master/aux-pow.md ) > > > > # Soft-fork Introduction of a New POW > > First of all, I don't think you can really call this a soft-fork; I'd call > it a > "pseudo-soft-fork" > > My reasoning being that after implementation, a chain with less total work > than > the main chain - but more total SHA256^2 work than the main chain - might > be > followed by non-supporting clients. It's got some properties of a > soft-fork, > but it's security model is definitely different. > The interesting thing is that the cost of attack varies smoothly as you vary the POW weights. To attack non-upgraded nodes, you still have to "51%" the original POW. The reward going to that POW will vary smoothly between 1.0 * block_reward and whatever target value (e.g. 0.5 * block_reward) and the difficulty of attack will tend to be proportional to that. In a real hard-fork, your software just breaks at the fork point. In this case, it's just the non-upgraded node security level declining from 100% to 50% over a long period of time. I envision the transition of POW weights will be over 1-3 years, which leaves plenty of time to upgrade after the fork activates. > > > ### Aux POW intermediate block > > > > Auxiliary POW blocks are introduced between normal blocks - i.e. the > chain > > alternates between the two POWs. > > Each aux-POW block points to the previous normal block and contains > > transactions just like a normal block. > > Each normal block points to the previous aux-POW block and must contain > all > > transactions from the aux-POW block. > > Note how you're basically proposing for the block interval to be decreased, > which has security implications due to increased orphan rates. > Note that the total transaction rate and block size don't materially change, so I don't see why the orphan rate will change. Normal blocks are constrained to have all of the txs of the aux blocks, so propagation time should stay the same. Am I missing something? > > > ### Heaviest chain rule change > > > > This is a semi-hard change, because non-upgraded nodes can get on the > wrong > > chain in case of attack. However, > > Exactly! Not really a soft-fork. > "smooth-fork" perhaps? :) > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > --001a114132a4a2248f055d581f5a Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Peter, thank you for the review.=C2=A0 See below
On Mon, Nov 6, 2017 at 11:50 A= M Peter Todd <pete@petertodd.org> wrote:
On Wed, Nov 01, 2017 = at 05:48:27AM +0000, Devrandom via bitcoin-dev wrote:

Some quick thoughts...

> Hi all,
>
> Feedback is welcome on the draft below.=C2=A0 In particular, I want to= see if
> there is interest in further development of the idea and also interest= ed in
> any attack vectors or undesirable dynamics.
>
> (Formatted version available here:
>
https://github.com/devrandom/btc-= papers/blob/master/aux-pow.md )
>
> # Soft-fork Introduction of a New POW

First of all, I don't think you can really call this a soft-fork; I'= ;d call it a
"pseudo-soft-fork"

My reasoning being that after implementation, a chain with less total work = than
the main chain - but more total SHA256^2 work than the main chain - might b= e
followed by non-supporting clients. It's got some properties of a soft-= fork,
but it's security model is definitely different.
<= br>
The interesting thing is that the cost of attack varies smoot= hly as you vary the POW weights.
To attack non-upgraded nodes, yo= u still have to "51%" the original POW.
The reward goin= g to that POW will vary smoothly between 1.0 * block_reward and whatever
target value (e.g. 0.5 * block_reward) and the difficulty of attack= will tend to be proportional to that.

In a real h= ard-fork, your software just breaks at the fork point.=C2=A0 In this case, = it's just the non-upgraded
node security level declining from= 100% to 50% over a long period of time.

I envisio= n the transition of POW weights will be over 1-3 years, which leaves plenty= of time to
upgrade after the fork activates.
=C2=A0

> ### Aux POW intermediate block
>
> Auxiliary POW blocks are introduced between normal blocks - i.e. the c= hain
> alternates between the two POWs.
> Each aux-POW block points to the previous normal block and contains > transactions just like a normal block.
> Each normal block points to the previous aux-POW block and must contai= n all
> transactions from the aux-POW block.

Note how you're basically proposing for the block interval to be decrea= sed,
which has security implications due to increased orphan rates.

Note that the total transaction rate and block size= don't materially change, so I don't
see why the orphan r= ate will change.=C2=A0 Normal blocks are constrained to have
all = of the txs of the aux blocks, so propagation time should stay the same.=C2= =A0 Am I missing
something?
=C2=A0

> ### Heaviest chain rule change
>
> This is a semi-hard change, because non-upgraded nodes can get on the = wrong
> chain in case of attack.=C2=A0 However,

Exactly! Not really a soft-fork.

"= smooth-fork" perhaps? :)
=C2=A0

--
http= s://petertodd.org 'peter'[:-1]@petertodd.org
--001a114132a4a2248f055d581f5a--