1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
|
Return-Path: <james.hilliard1@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id B8A22BF7
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 7 Jun 2017 22:23:34 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-oi0-f49.google.com (mail-oi0-f49.google.com
[209.85.218.49])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 800471A0
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 7 Jun 2017 22:23:33 +0000 (UTC)
Received: by mail-oi0-f49.google.com with SMTP id s3so11611559oia.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 07 Jun 2017 15:23:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=uNjy5mvrFgMl4bqQKMQiFB5x1FOoZZ9JB+nWlbu0/h8=;
b=hZSvb6Fq+vCfTdqJ9G11SczIY6i2a+geS31c0+ltu1lgfCcpZP3N2qsEtX/ptlioyq
n/zoQzP0+y9/fiPbiVL1p0ic99vz7orgZf8vICYchKtS0KpnFakFIlstY36TSmnYHdL3
5oACKT50ZlPyEOURmSoY/0/+pMi0mHwHLYvorGwc34ez6LaEOKmqxQHB+Wm+rdgnVQLX
NXoeLWDWtvim4Nt1u7RAnGXZu1DcKs+5QjWUSVW0VvC/p+fyGl1oJhIxnTNHB4AOjimi
puwK1bi1KMEMd5/iyvZK1xOrlD2+Y8OczoTpOKl++ZhKSkCAmY6XbiEgZZsJpFNJSIN5
aSyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=uNjy5mvrFgMl4bqQKMQiFB5x1FOoZZ9JB+nWlbu0/h8=;
b=N9llwz+kKPmjDgXofhn3CPcYaJd9HbERSE/kK+41lEhS+X/ssY9yc+veN40DqzQ8q0
e0/4q0BiAiwmH0bfXk0uJgEFbaQ77T0tzhjH1uBPYhqTYkwnvn8WXg3jZro5UtJ4LKvb
5y9k1vhEHlugMfQeQ5Zux6HnbIZK1AhLtj6OhDaD/t1+hLlCqStT3ErGw+B42g/Pld8L
g8z/n4HZxZ+3olv941ZJCoDPBZqapC0OXEV4Mw+/g19T3N3Aptr6Zmn3sGD6FZjWb8zY
TG58pCjyzw7PUwSsWdWpqb7TF6XfvQCIwHY1p9KF2DlDcI7kLNP3PuVF3wafIv5RQsSV
c+NQ==
X-Gm-Message-State: AODbwcCwUqQhrO3svaVaeG6sh3jBSN9O8rtSu+QyGwIxPeVKVNTsNK0F
DO98ywjNZfJ5sp91TNKkcbBmdsNIPQ==
X-Received: by 10.202.186.134 with SMTP id k128mr17078520oif.172.1496874212500;
Wed, 07 Jun 2017 15:23:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.224.230 with HTTP; Wed, 7 Jun 2017 15:23:31 -0700 (PDT)
In-Reply-To: <CAD1TkXskei1gk_kungSvdWGmbdJMA8AG+-zK+Osz6u5vSCN8BQ@mail.gmail.com>
References: <CADvTj4qpH-t5Gx6qyn3yToyUE_GFaBE989=AWNHLKMpMNW3R+w@mail.gmail.com>
<CAD1TkXviJouao7YoHjiDN3mTUWFEbMY9mtCqkQ8zp8JthyhT7Q@mail.gmail.com>
<CADvTj4rz4exYMvBEmYi=bTZDgDm0drLjpRZmZUo17inzCzCRVg@mail.gmail.com>
<CAD1TkXskei1gk_kungSvdWGmbdJMA8AG+-zK+Osz6u5vSCN8BQ@mail.gmail.com>
From: James Hilliard <james.hilliard1@gmail.com>
Date: Wed, 7 Jun 2017 17:23:31 -0500
Message-ID: <CADvTj4poO1L+Wg5J+M71sJMz-Xcg_st3MkAcQK=bfHhTJ3i8ow@mail.gmail.com>
To: Jared Lee Richardson <jaredr26@gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] User Activated Soft Fork Split Protection
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 22:23:34 -0000
On Wed, Jun 7, 2017 at 4:50 PM, Jared Lee Richardson <jaredr26@gmail.com> wrote:
> Could this risk mitigation measure be an optional flag? And if so,
> could it+BIP91 signal on a different bit than bit4?
It's fairly trivial for miners to signal for BIP91 on bit4 or a
different bit at the same time as the code is trivial enough to
combine
>
> The reason being, if for some reason the segwit2x activation cannot
> take place in time, it would be preferable for miners to have a more
> standard approach to activation that requires stronger consensus and
> may be more forgiving than BIP148. If the segwit2x activation is on
> time to cooperate with BIP148, it could be signaled through the
> non-bit4 approach and everything could go smoothly. Thoughts on that
> idea? It may add more complexity and more developer time, but may
> also address your concerns among others.
This does give miners another approach to activate segwit ahead of
BIP148, if segwit2x activation is rolled out and activated immediately
then this would not be needed however based on the timeline here
https://segwit2x.github.io/ it would not be possible for BIP91 to
enforce mandatory signalling ahead of BIP148. Maybe that can be
changed though, I've suggested an immediate rollout with a placeholder
client timeout instead of the HF code initially in order to accelerate
that.
>
>> Since this BIP
>> only activates with a clear miner majority it should not increase the
>> risk of an extended chain split.
>
> The concern I'm raising is more about the psychology of giving BIP148
> a sense of safety that may not be valid. Without several more steps,
> BIP148 is definitely on track to be a risky chainsplit, and without
> segwit2x it will almost certainly be a small minority chain. (Unless
> the segwit2x compromise falls apart before then, and even in that case
> it is likely to be a minority chain)
There are 2 primary factors involved here, economic support and
hashpower either of which is enough to make a permanent chain split
unlikely, miners will mine whichever chain is most profitable(see
ETH/ETC hashpower profitability equilibrium for an example of how this
works in practice) however there may be lag time immediately after the
split if there is an economic majority but not a hashpower majority
initially. This is risk mitigation that only requires miners support
however. The main issue is just one of activation timelines, BIP91 as
is takes too long to activate unless started ahead of the existing
segwit2x schedule and it's unlikely that BIP148 will get pushed back
any further.
>
> Jared
>
>
> On Wed, Jun 7, 2017 at 2:42 PM, James Hilliard
> <james.hilliard1@gmail.com> wrote:
>> I don't really see how this would increase the likelihood of an
>> extended chain split assuming BIP148 is going to have
>> non-insignificant economic backing. This BIP is designed to provide a
>> risk mitigation measure that miners can safely deploy. Since this BIP
>> only activates with a clear miner majority it should not increase the
>> risk of an extended chain split. At this point it is not completely
>> clear how much economic support there is for BIP148 but support
>> certainly seems to be growing and we have nearly 2 months until BIP148
>> activation. I intentionally used a shorter activation period here so
>> that decisions by miners can be made close to the BIP148 activation
>> date.
>>
>> On Wed, Jun 7, 2017 at 4:29 PM, Jared Lee Richardson <jaredr26@gmail.com> wrote:
>>> I think this BIP represents a gamble, and the gamble may not be a good
>>> one. The gamble here is that if the segwit2x changes are rolled out
>>> on time, and if the signatories accept the bit4 + bit1 signaling
>>> proposals within BIP91, the launch will go smoother, as intended. But
>>> conversely, if either the segwit2x signatories balk about the Bit1
>>> signaling OR if the timelines for segwit2mb are missed even by a bit,
>>> it may cause the BIP148 chainsplit to be worse than it would be
>>> without. Given the frequent concerns raised in multiple places about
>>> the aggressiveness of the segwit2x timelines, including the
>>> non-hardfork timelines, this does not seem like a great gamble to be
>>> making.
>>>
>>> The reason I say it may make the chainsplit be worse than it would
>>> otherwise be is that it may provide a false sense of safety for BIP148
>>> that currently does not currently exist(and should not, as it is a
>>> chainsplit). That sense of safety would only be legitimate if the
>>> segwit2x signatories were on board, and the segwit2x code effectively
>>> enforced BIP148 simultaneously, neither of which are guaranteed. If
>>> users and more miners had a false sense that BIP148 was *not* going to
>>> chainsplit from default / segwit2x, they might not follow the news if
>>> suddenly the segwit2x plan were delayed for a few days. While any
>>> additional support would definitely be cheered on by BIP148
>>> supporters, the practical reality might be that this proposal would
>>> take BIP148 from the "unlikely to have any viable chain after flag day
>>> without segwit2x" category into the "small but viable minority chain"
>>> category, and even worse, it might strengthen the chainsplit just days
>>> before segwit is activated on BOTH chains, putting the BIP148
>>> supporters on the wrong pro-segwit, but still-viable chain.
>>>
>>> If Core had taken a strong stance to include BIP148 into the client,
>>> and if BIP148 support were much much broader, I would feel differently
>>> as the gamble would be more likely to discourage a chainsplit (By
>>> forcing the acceleration of segwit2x) rather than encourage it (by
>>> strengthening an extreme minority chainsplit that may wind up on the
>>> wrong side of two segwit-activated chains). As it stands now, this
>>> seems like a very dangerous attempt to compromise with a small but
>>> vocal group that are the ones creating the threat to begin with.
>>>
>>> Jared
>>>
>>> On Tue, Jun 6, 2017 at 5:56 PM, James Hilliard via bitcoin-dev
>>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>> Due to the proposed calendar(https://segwit2x.github.io/) for the
>>>> SegWit2x agreement being too slow to activate SegWit mandatory
>>>> signalling ahead of BIP148 using BIP91 I would like to propose another
>>>> option that miners can use to prevent a chain split ahead of the Aug
>>>> 1st BIP148 activation date.
>>>>
>>>> The splitprotection soft fork is essentially BIP91 but using BIP8
>>>> instead of BIP9 with a lower activation threshold and immediate
>>>> mandatory signalling lock-in. This allows for a majority of miners to
>>>> activate mandatory SegWit signalling and prevent a potential chain
>>>> split ahead of BIP148 activation.
>>>>
>>>> This BIP allows for miners to respond to market forces quickly ahead
>>>> of BIP148 activation by signalling for splitprotection. Any miners
>>>> already running BIP148 should be encouraged to use splitprotection.
>>>>
>>>> <pre>
>>>> BIP: splitprotection
>>>> Layer: Consensus (soft fork)
>>>> Title: User Activated Soft Fork Split Protection
>>>> Author: James Hilliard <james.hilliard1@gmail.com>
>>>> Comments-Summary: No comments yet.
>>>> Comments-URI:
>>>> Status: Draft
>>>> Type: Standards Track
>>>> Created: 2017-05-22
>>>> License: BSD-3-Clause
>>>> CC0-1.0
>>>> </pre>
>>>>
>>>> ==Abstract==
>>>>
>>>> This document specifies a coordination mechanism for a simple majority
>>>> of miners to prevent a chain split ahead of BIP148 activation.
>>>>
>>>> ==Definitions==
>>>>
>>>> "existing segwit deployment" refer to the BIP9 "segwit" deployment
>>>> using bit 1, between November 15th 2016 and November 15th 2017 to
>>>> activate BIP141, BIP143 and BIP147.
>>>>
>>>> ==Motivation==
>>>>
>>>> The biggest risk of BIP148 is an extended chain split, this BIP
>>>> provides a way for a simple majority of miners to eliminate that risk.
>>>>
>>>> This BIP provides a way for a simple majority of miners to coordinate
>>>> activation of the existing segwit deployment with less than 95%
>>>> hashpower before BIP148 activation. Due to time constraints unless
>>>> immediately deployed BIP91 will likely not be able to enforce
>>>> mandatory signalling of segwit before the Aug 1st activation of
>>>> BIP148. This BIP provides a method for rapid miner activation of
>>>> SegWit mandatory signalling ahead of the BIP148 activation date. Since
>>>> the primary goal of this BIP is to reduce the chance of an extended
>>>> chain split as much as possible we activate using a simple miner
>>>> majority of 65% over a 504 block interval rather than a higher
>>>> percentage. This BIP also allows miners to signal their intention to
>>>> run BIP148 in order to prevent a chain split.
>>>>
>>>> ==Specification==
>>>>
>>>> While this BIP is active, all blocks must set the nVersion header top
>>>> 3 bits to 001 together with bit field (1<<1) (according to the
>>>> existing segwit deployment). Blocks that do not signal as required
>>>> will be rejected.
>>>>
>>>> ==Deployment==
>>>>
>>>> This BIP will be deployed by "version bits" with a 65%(this can be
>>>> adjusted if desired) activation threshold BIP9 with the name
>>>> "splitprotecion" and using bit 2.
>>>>
>>>> This BIP starts immediately and is a BIP8 style soft fork since
>>>> mandatory signalling will start on midnight August 1st 2017 (epoch
>>>> time 1501545600) regardless of whether or not this BIP has reached its
>>>> own signalling threshold. This BIP will cease to be active when segwit
>>>> is locked-in.
>>>>
>>>> === Reference implementation ===
>>>>
>>>> <pre>
>>>> // Check if Segregated Witness is Locked In
>>>> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
>>>> Consensus::Params& params)
>>>> {
>>>> LOCK(cs_main);
>>>> return (VersionBitsState(pindexPrev, params,
>>>> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
>>>> THRESHOLD_LOCKED_IN);
>>>> }
>>>>
>>>> // SPLITPROTECTION mandatory segwit signalling.
>>>> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
>>>> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
>>>> THRESHOLD_LOCKED_IN &&
>>>> !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>>>> // Segwit is not locked in
>>>> !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
>>>> and is not active.
>>>> {
>>>> bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>>>> VERSIONBITS_TOP_BITS;
>>>> bool fSegbit = (pindex->nVersion &
>>>> VersionBitsMask(chainparams.GetConsensus(),
>>>> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>>>> if (!(fVersionBits && fSegbit)) {
>>>> return state.DoS(0, error("ConnectBlock(): relayed block must
>>>> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>>>> }
>>>> }
>>>>
>>>> // BIP148 mandatory segwit signalling.
>>>> int64_t nMedianTimePast = pindex->GetMedianTimePast();
>>>> if ( (nMedianTimePast >= 1501545600) && // Tue 01 Aug 2017 00:00:00 UTC
>>>> (nMedianTimePast <= 1510704000) && // Wed 15 Nov 2017 00:00:00 UTC
>>>> (!IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>>>> // Segwit is not locked in
>>>> !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus())) )
>>>> // and is not active.
>>>> {
>>>> bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>>>> VERSIONBITS_TOP_BITS;
>>>> bool fSegbit = (pindex->nVersion &
>>>> VersionBitsMask(chainparams.GetConsensus(),
>>>> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>>>> if (!(fVersionBits && fSegbit)) {
>>>> return state.DoS(0, error("ConnectBlock(): relayed block must
>>>> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>>>> }
>>>> }
>>>> </pre>
>>>>
>>>> https://github.com/bitcoin/bitcoin/compare/0.14...jameshilliard:splitprotection-v0.14.1
>>>>
>>>> ==Backwards Compatibility==
>>>>
>>>> This deployment is compatible with the existing "segwit" bit 1
>>>> deployment scheduled between midnight November 15th, 2016 and midnight
>>>> November 15th, 2017. This deployment is also compatible with the
>>>> existing BIP148 deployment. This BIP is compatible with BIP91 only if
>>>> BIP91 activates before it and before BIP148. Miners will need to
>>>> upgrade their nodes to support splitprotection otherwise they may
>>>> build on top of an invalid block. While this bip is active users
>>>> should either upgrade to splitprotection or wait for additional
>>>> confirmations when accepting payments.
>>>>
>>>> ==Rationale==
>>>>
>>>> Historically we have used IsSuperMajority() to activate soft forks
>>>> such as BIP66 which has a mandatory signalling requirement for miners
>>>> once activated, this ensures that miners are aware of new rules being
>>>> enforced. This technique can be leveraged to lower the signalling
>>>> threshold of a soft fork while it is in the process of being deployed
>>>> in a backwards compatible way. We also use a BIP8 style timeout to
>>>> ensure that this BIP is compatible with BIP148 and that BIP148
>>>> compatible mandatory signalling activates regardless of miner
>>>> signalling levels.
>>>>
>>>> By orphaning non-signalling blocks during the BIP9 bit 1 "segwit"
>>>> deployment, this BIP can cause the existing "segwit" deployment to
>>>> activate without needing to release a new deployment. As we approach
>>>> BIP148 activation it may be desirable for a majority of miners to have
>>>> a method that will ensure that there is no chain split.
>>>>
>>>> ==References==
>>>>
>>>> *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013714.html
>>>> Mailing list discussion]
>>>> *[https://github.com/bitcoin/bitcoin/blob/v0.6.0/src/main.cpp#L1281-L1283
>>>> P2SH flag day activation]
>>>> *[[bip-0009.mediawiki|BIP9 Version bits with timeout and delay]]
>>>> *[[bip-0016.mediawiki|BIP16 Pay to Script Hash]]
>>>> *[[bip-0091.mediawiki|BIP91 Reduced threshold Segwit MASF]]
>>>> *[[bip-0141.mediawiki|BIP141 Segregated Witness (Consensus layer)]]
>>>> *[[bip-0143.mediawiki|BIP143 Transaction Signature Verification for
>>>> Version 0 Witness Program]]
>>>> *[[bip-0147.mediawiki|BIP147 Dealing with dummy stack element malleability]]
>>>> *[[bip-0148.mediawiki|BIP148 Mandatory activation of segwit deployment]]
>>>> *[[bip-0149.mediawiki|BIP149 Segregated Witness (second deployment)]]
>>>> *[https://bitcoincore.org/en/2016/01/26/segwit-benefits/ Segwit benefits]
>>>>
>>>> ==Copyright==
>>>>
>>>> This document is dual licensed as BSD 3-clause, and Creative Commons
>>>> CC0 1.0 Universal.
>>>> _______________________________________________
>>>> bitcoin-dev mailing list
>>>> bitcoin-dev@lists.linuxfoundation.org
>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|