summaryrefslogtreecommitdiff
path: root/fb/41f85d78e338494113202c6013479474d7f450
blob: 42de126225bb54868d3bb7c92c629201dbcfba5b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
Return-Path: <jtimon@jtimon.cc>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id B9FA0C0001
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 25 May 2021 10:24:57 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id 9BED8400E4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 25 May 2021 10:24:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.92
X-Spam-Level: 
X-Spam-Status: No, score=-0.92 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no autolearn_force=no
Authentication-Results: smtp2.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=jtimon-cc.20150623.gappssmtp.com
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Rq_whpfLqAga
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 25 May 2021 10:24:56 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com
 [IPv6:2607:f8b0:4864:20::b2e])
 by smtp2.osuosl.org (Postfix) with ESMTPS id D7894400C3
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 25 May 2021 10:24:55 +0000 (UTC)
Received: by mail-yb1-xb2e.google.com with SMTP id i4so42319116ybe.2
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 25 May 2021 03:24:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=jtimon-cc.20150623.gappssmtp.com; s=20150623;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=4MJrkykxj4f1Z+stguqfSrls70fGeRGljtszoIjGJeg=;
 b=yBs5gOqaZPOLqriqx9cYvcAnBgz27oyBv3MVVEvrczblT5bqh0u5OQD1HgC9uvbwHj
 i183GUdbuGw0+YviYIRvI0z9f01vtPYPGt6GwU/y9l9jMqaUNHFUa801QMPV+vR5jyyX
 lhlMIk+LjKyfVN5wZGZx0pL6uVrSvXaaCkJbKXPYf10mUdJEk8gJupFKD6ZcOG5lKehV
 I7f3XwAe3x419d/CNumIUUMPwTGgthHObmFVw8QZNvrkjktGR0S0XhMLyEgQnieAFQOa
 z+G91Eg7QF7DaM8i9ns7osGuNaP1t21aYQOtENob+wLb4+eReG9885JMRMbxONKDtNv2
 t8mg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=4MJrkykxj4f1Z+stguqfSrls70fGeRGljtszoIjGJeg=;
 b=gMozOz/RyD0oNx5Y94ycbvbiJvYdJAaBYFk2N2ACuhJP8gn1cn2oklAYFcWUlLlPT+
 7bKTa6zIhXHyNE1c0M3r2RiiDZSsPc1yGwvSSzQHc3fKSj+I+p2Vn059MNR6AUW/tHNz
 QpFpnJRBJfKRUVbvFvLV2A/knR62zTEu/En/rPB21qurlruHhOE0Hck7PkstBULd3Vzp
 mvmh0LNE1h42h6N0ONEhdsMXPZzKufyl371WSPbRN3z08VQONIHmzayuZIrGHbkYFDoC
 sau144XJk+qckdPpm6rY9OlD8L7FO97L1fwfTgYCt4OAcNlm2wLxMV+YYlKkGK9h2OhQ
 WxwA==
X-Gm-Message-State: AOAM530ROqzOCslFZLWCmVfg8yzcPUasUuzz/1huZ/AS49cJyJlEb/JS
 YWszRHSACmUVFtT7EcTJSIzjN2jSpRCfRGeY1vrykQ==
X-Google-Smtp-Source: ABdhPJxLCG7l79MkiO6DCwZJzrl96ooLkSKZ+ZphP+70yAgPod5MiFAlsUhBYhtmyN/CIShZpFVvAmr6lSD7MFDxLNQ=
X-Received: by 2002:a25:d78c:: with SMTP id o134mr6375541ybg.133.1621938294769; 
 Tue, 25 May 2021 03:24:54 -0700 (PDT)
MIME-Version: 1.0
References: <132931587-8b83bea7167e21d9e00510989ca34463@pmq3v.m5r2.onet>
In-Reply-To: <132931587-8b83bea7167e21d9e00510989ca34463@pmq3v.m5r2.onet>
From: =?UTF-8?B?Sm9yZ2UgVGltw7Nu?= <jtimon@jtimon.cc>
Date: Tue, 25 May 2021 11:24:43 +0100
Message-ID: <CABm2gDpqH+or9VRv8165XQwNTHWxJxH9=ojDLxY7DmkqSjke_g@mail.gmail.com>
To: vjudeu <vjudeu@gazeta.pl>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000e8616405c324ef66"
Subject: Re: [bitcoin-dev] Consensus protocol immutability is a feature
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2021 10:24:57 -0000

--000000000000e8616405c324ef66
Content-Type: text/plain; charset="UTF-8"

Sure, many things that were though only possible with hardforks initially
were later shown to be possible with softforks.

That doesn't mean hardforks should be taboo in my opinion though.


On Mon, May 24, 2021, 01:09 vjudeu via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> > Because the above block header format is hashed to generate the
> `prevBlockHash` for the *next* block, it is almost impossible to change the
> format without a hardfork.
>
> First, assume that everything should be validated as today to be
> backward-compatible. For that reason, removing SHA-256 is impossible. Then,
> notice that breaking SHA-256 would mean that there would be more and more
> leading zeroes in "prevBlockHash". Breaking SHA-256 fully would mean
> reaching all zeroes hash. So, the old client would see "prevBlockHash" with
> all zeroes.
>
> Soft-fork means that previously valid blocks could be invalid, so rules
> should be more strict. And that means we could have two headers, one for
> SHA-256 and one for SHA-3. Normally, it would mean that our 80-byte headers
> would take 160 bytes instead. But we could compress it a little bit if we
> share some data.
>
> > * `nVersion`: 4 bytes
>
> Version would be some higher number than today and validated as today. It
> could be shared for both headers.
>
> > * `prevBlockHash`: 32 bytes, SHA2 of previous block.
>
> Previous block hash in SHA-256 would have more and more leading zeroes, so
> we could reuse them and fill with SHA-3 truncated to N bits. In this way,
> after fully breaking SHA-256 it would be fully replaced by SHA-3. Until
> then, first N bits could refer to truncated SHA-3 and the rest to SHA-256.
> When passing that to old nodes, that bits could be zeroed, but all new
> nodes should see them and perform SHA-3 validation.
>
> Example:
>
> SHA-2 of some block:
> 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
> SHA-3 of the same data:
> 95587d55da5108290c46bac70b622715ae380ef7a313febcc27aeb1c51a28d90
> 32 bytes stored for that block:
> 95587d550019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
>
> Of course, we should perform SHA-3 on a different data than used for
> SHA-2, at least merkle root should be recalculated, but it is just an
> example showing how single 32-byte string could store data for both hash
> functions.
>
> > * `merkleTreeRoot`: 32 bytes, SHA2 of topmost Merkle tree node.
>
> If SHA-256 would be broken, then we could use single coinbase transaction
> to prevent doing transactions in the old way. That transaction would
> contain SHA-3 of the new merkle root, as you mentioned. New nodes could
> treat that transaction as some kind of annex to the block header, but still
> doing SHA-2 is needed for backward compatibility. For that reason, storing
> 32 bytes for SHA-2 and 32 bytes for SHA-3 is needed, unless we have some
> fast way to get hash with all zeroes, then we can save that 32 bytes.
>
> > * `nTime`: 4 bytes, miner-imagined time.
>
> Time should be the same in both headers, so there is no need to duplicate
> it.
>
> > * `nBits`: 4 bytes, encoded difficulty target
>
> Difficulty should be different for SHA-2 and SHA-3. Finally when SHA-256
> would be broken, we could reach 03000000 for SHA-256 and store only SHA-3
> difficulty.
>
> > * `nonce`: 4 bytes, random number with no other meaning.
>
> Nonce should be also different for SHA-2 and SHA-3. If SHA-256 would be
> fully broken, it could be set to zero for SHA-2 and stored only for SHA-3.
>
> On 2021-05-23 20:12:00 user ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
> > Good morning vjudeu,
> >
> > > > Perhaps the only things that cannot be usefully changed in a
> softfork is the block header format and how proof-of-work is computed from
> the block header.
> > >
> > > Why not? I can imagine a soft fork where the block header would
> contain SHA-256 and SHA-3 hashes in the same place. The SHA-256 would be
> calculated as-is, but the SHA-3 would be truncated only to cover zero bits
> in SHA-256 hashes. In this way, if SHA-256 would be totally broken, old
> nodes would see zero hashes in the previous block hash and the merkle tree
> hash, but the new nodes would see correct SHA-3 hashes in the same place.
> So, for example if we have 1d00ffff difficulty, the first 32-bits would be
> zeroes for all old nodes, but all new nodes would see SHA-3 truncated to
> 32-bits in the same place. The difficulty could tell us how many zero bits
> we should truncate our SHA-3 result to. Also, in the same way we could
> introduce SHA-4 in the future as a soft-fork if SHA-3 would be broken and
> we would see many zero bits in our mixed SHA-256 plus SHA-3 consensus.
> >
> > I do not think I follow.
> >
> > The block header has a Merkle tree root that is a SHA-256 of some Merkle
> tree node, is that what you refer to?
> > Do you mean the same Merkle tree node has to hash to some common value
> in both SHA-2 and SHA-3?
> >
> > Or do you refer to the `prevBlockHash`?
> > Do you mean the same `prevBlockHash` has to somehow be the same, for
> some number of bits, in both SHA-2 and SHA-3?
> >
> > More specifically:
> >
> > * `nVersion`: 4 bytes
> > * `prevBlockHash`: 32 bytes, SHA2 of previous block.
> > * `merkleTreeRoot`: 32 bytes, SHA2 of topmost Merkle tree node.
> > * `nTime`: 4 bytes, miner-imagined time.
> > * `nBits`: 4 bytes, encoded difficulty target
> > * `nonce`: 4 bytes, random number with no other meaning.
> >
> > What do you refer to?
> >
> > Because the above block header format is hashed to generate the
> `prevBlockHash` for the *next* block, it is almost impossible to change the
> format without a hardfork.
> >
> > Regaards,
> > ZmnSCPxj
> >
> > >
> > > On 2021-05-23 13:01:32 user ZmnSCPxj via bitcoin-dev
> bitcoin-dev@lists.linuxfoundation.org wrote:
> > >
> > > > Good morning Jorge, et al,
> > > >
> > > > > Hardforks can be useful too.
> > > > > But, yes, I agree softforks are preferable whenever possible.
> > > >
> > > > I think in principle the space of possible softforks is very much
> wider than can be trivially expected.
> > > > For instance, maaku7 once proposed a softfork that could potentially
> change the block discovery rate as a softfork.
> > > > Although this required exploiting a consensus bug that has since
> been closed.
> > > > The example of SegWit shows us that we can in fact create massive
> changes to the transaction and block formats with a softfork.
> > > > For example, it is possible to change the Merkle Tree to use SHA3
> instead, in a softfork, by requiring that miners no longer use the "normal"
> existing Merkle Tree, but instead to require miners to embed a commitment
> to the SHA3-Merkle-Tree on the coinbase of the "original" block format, and
> to build "empty" SHA2-Merkle-Trees containing only the coinbase.
> > > > To unupgraded nodes it looks as if there is a denial-of-service
> attack permanently, while upgraded nodes will seek blocks that conform to
> the SHA3-Merkle-Tree embedded in the coinbase.
> > > > (Do note that this definition of "softfork" is the "> 50% of miners
> is enough to pull everyone to the fork".
> > > > Some thinkers have a stricter definition of "softfork" as
> "non-upgraded nodes can still associate addresses to values in the UTXO set
> but might not be able to detect consensus rules violations in new address
> types", which fits SegWit and Taproot.)
> > > > (In addition, presumably the reason to switch to SHA3 is to avoid
> potential preimage attacks on SHA2, and the coinbase is still in a
> SHA2-Merkle-Tree, so... this is a bad example)
> > > > Perhaps the only things that cannot be usefully changed in a
> softfork is the block header format and how proof-of-work is computed from
> the block header.
> > > > But the flexibility of the coinbase allows us to hook new
> commitments to new Merkle Trees to it, which allows transactions to be
> annotated with additional information that is invisible to unupgraded nodes
> (similar to the `witness` field of SegWit transactions).
> > > >
> > > > Even if you do have a softfork, we should be reminded to look at the
> histories of SegWit and Taproot.
> > > > SegWit became controversial later on, which delayed its activation.
> > > > On the other hand, Taproot had no significant controversy and it was
> widely accepted as being a definite improvement to the network.
> > > > Yet its implementation and deployment still took a long time, and
> there was still controversy on how to properly implement the activation
> code.
> > > > Any hardforks would not only have to go through the hurdles that
> Taproot and SegWit had to go through, but will also have to pass through
> the much higher hurdle of being a hardfork.
> > > > Thus, anyone contemplating a hardfork, for any reason, must be
> prepared to work on it for several years before anyone even frowns and says
> "hmm maybe" instead of everyone just outright dismissing it with a simple
> "hardfork = hard pass".
> > > > As a simple estimate, I would assume that any hardfork would require
> twice the average amount of engeineering-manpower involved in SegWit and
> Taproot.
> > > > (this assumes that hardforks are only twice as hard as softforks ---
> this estimate may be wrong, and this might provide only a minimum rather
> than an expected average)
> > > > There are no quick solutions in this space.
> > > > Either we work with what we have and figure out how to get around
> issues with no real capability to fix them at the base layer, or we have
> insight on future problems and start working on future solutions today.
> > > > For example, I know at least one individual was maintaining an
> "emergency" branch to add some kind of post-quantum signature scheme to
> Bitcoin, in case of a quantum break.
> > > > Regards,
> > > > ZmnSCPxj
> > > >
> > > > bitcoin-dev mailing list
> > > > bitcoin-dev@lists.linuxfoundation.org
> > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> >
> >
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--000000000000e8616405c324ef66
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Sure, many things that were though only possible with har=
dforks initially were later shown to be possible with softforks.<div dir=3D=
"auto"><br></div><div dir=3D"auto">That doesn&#39;t mean hardforks should b=
e taboo in my opinion though.</div><div dir=3D"auto"><br></div></div><br><d=
iv class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, May =
24, 2021, 01:09 vjudeu via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@li=
sts.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrot=
e:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bo=
rder-left:1px #ccc solid;padding-left:1ex">&gt; Because the above block hea=
der format is hashed to generate the `prevBlockHash` for the *next* block, =
it is almost impossible to change the format without a hardfork.<br>
<br>
First, assume that everything should be validated as today to be backward-c=
ompatible. For that reason, removing SHA-256 is impossible. Then, notice th=
at breaking SHA-256 would mean that there would be more and more leading ze=
roes in &quot;prevBlockHash&quot;. Breaking SHA-256 fully would mean reachi=
ng all zeroes hash. So, the old client would see &quot;prevBlockHash&quot; =
with all zeroes.<br>
<br>
Soft-fork means that previously valid blocks could be invalid, so rules sho=
uld be more strict. And that means we could have two headers, one for SHA-2=
56 and one for SHA-3. Normally, it would mean that our 80-byte headers woul=
d take 160 bytes instead. But we could compress it a little bit if we share=
 some data.<br>
<br>
&gt; * `nVersion`: 4 bytes<br>
<br>
Version would be some higher number than today and validated as today. It c=
ould be shared for both headers.<br>
<br>
&gt; * `prevBlockHash`: 32 bytes, SHA2 of previous block.<br>
<br>
Previous block hash in SHA-256 would have more and more leading zeroes, so =
we could reuse them and fill with SHA-3 truncated to N bits. In this way, a=
fter fully breaking SHA-256 it would be fully replaced by SHA-3. Until then=
, first N bits could refer to truncated SHA-3 and the rest to SHA-256. When=
 passing that to old nodes, that bits could be zeroed, but all new nodes sh=
ould see them and perform SHA-3 validation.<br>
<br>
Example:<br>
<br>
SHA-2 of some block: 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1=
b60a8ce26f<br>
SHA-3 of the same data: 95587d55da5108290c46bac70b622715ae380ef7a313febcc27=
aeb1c51a28d90<br>
32 bytes stored for that block: 95587d550019d6689c085ae165831e934ff763ae46a=
2a6c172b3f1b60a8ce26f<br>
<br>
Of course, we should perform SHA-3 on a different data than used for SHA-2,=
 at least merkle root should be recalculated, but it is just an example sho=
wing how single 32-byte string could store data for both hash functions.<br=
>
<br>
&gt; * `merkleTreeRoot`: 32 bytes, SHA2 of topmost Merkle tree node.<br>
<br>
If SHA-256 would be broken, then we could use single coinbase transaction t=
o prevent doing transactions in the old way. That transaction would contain=
 SHA-3 of the new merkle root, as you mentioned. New nodes could treat that=
 transaction as some kind of annex to the block header, but still doing SHA=
-2 is needed for backward compatibility. For that reason, storing 32 bytes =
for SHA-2 and 32 bytes for SHA-3 is needed, unless we have some fast way to=
 get hash with all zeroes, then we can save that 32 bytes.<br>
<br>
&gt; * `nTime`: 4 bytes, miner-imagined time.<br>
<br>
Time should be the same in both headers, so there is no need to duplicate i=
t.<br>
<br>
&gt; * `nBits`: 4 bytes, encoded difficulty target<br>
<br>
Difficulty should be different for SHA-2 and SHA-3. Finally when SHA-256 wo=
uld be broken, we could reach 03000000 for SHA-256 and store only SHA-3 dif=
ficulty.<br>
<br>
&gt; * `nonce`: 4 bytes, random number with no other meaning.<br>
<br>
Nonce should be also different for SHA-2 and SHA-3. If SHA-256 would be ful=
ly broken, it could be set to zero for SHA-2 and stored only for SHA-3.<br>
<br>
On 2021-05-23 20:12:00 user ZmnSCPxj &lt;<a href=3D"mailto:ZmnSCPxj@protonm=
ail.com" target=3D"_blank" rel=3D"noreferrer">ZmnSCPxj@protonmail.com</a>&g=
t; wrote:<br>
&gt; Good morning vjudeu,<br>
&gt; <br>
&gt; &gt; &gt; Perhaps the only things that cannot be usefully changed in a=
 softfork is the block header format and how proof-of-work is computed from=
 the block header.<br>
&gt; &gt;<br>
&gt; &gt; Why not? I can imagine a soft fork where the block header would c=
ontain SHA-256 and SHA-3 hashes in the same place. The SHA-256 would be cal=
culated as-is, but the SHA-3 would be truncated only to cover zero bits in =
SHA-256 hashes. In this way, if SHA-256 would be totally broken, old nodes =
would see zero hashes in the previous block hash and the merkle tree hash, =
but the new nodes would see correct SHA-3 hashes in the same place. So, for=
 example if we have 1d00ffff difficulty, the first 32-bits would be zeroes =
for all old nodes, but all new nodes would see SHA-3 truncated to 32-bits i=
n the same place. The difficulty could tell us how many zero bits we should=
 truncate our SHA-3 result to. Also, in the same way we could introduce SHA=
-4 in the future as a soft-fork if SHA-3 would be broken and we would see m=
any zero bits in our mixed SHA-256 plus SHA-3 consensus.<br>
&gt; <br>
&gt; I do not think I follow.<br>
&gt; <br>
&gt; The block header has a Merkle tree root that is a SHA-256 of some Merk=
le tree node, is that what you refer to?<br>
&gt; Do you mean the same Merkle tree node has to hash to some common value=
 in both SHA-2 and SHA-3?<br>
&gt; <br>
&gt; Or do you refer to the `prevBlockHash`?<br>
&gt; Do you mean the same `prevBlockHash` has to somehow be the same, for s=
ome number of bits, in both SHA-2 and SHA-3?<br>
&gt; <br>
&gt; More specifically:<br>
&gt; <br>
&gt; * `nVersion`: 4 bytes<br>
&gt; * `prevBlockHash`: 32 bytes, SHA2 of previous block.<br>
&gt; * `merkleTreeRoot`: 32 bytes, SHA2 of topmost Merkle tree node.<br>
&gt; * `nTime`: 4 bytes, miner-imagined time.<br>
&gt; * `nBits`: 4 bytes, encoded difficulty target<br>
&gt; * `nonce`: 4 bytes, random number with no other meaning.<br>
&gt; <br>
&gt; What do you refer to?<br>
&gt; <br>
&gt; Because the above block header format is hashed to generate the `prevB=
lockHash` for the *next* block, it is almost impossible to change the forma=
t without a hardfork.<br>
&gt; <br>
&gt; Regaards,<br>
&gt; ZmnSCPxj<br>
&gt; <br>
&gt; &gt;<br>
&gt; &gt; On 2021-05-23 13:01:32 user ZmnSCPxj via bitcoin-dev <a href=3D"m=
ailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank" rel=3D"noref=
errer">bitcoin-dev@lists.linuxfoundation.org</a> wrote:<br>
&gt; &gt;<br>
&gt; &gt; &gt; Good morning Jorge, et al,<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; &gt; Hardforks can be useful too.<br>
&gt; &gt; &gt; &gt; But, yes, I agree softforks are preferable whenever pos=
sible.<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; I think in principle the space of possible softforks is very=
 much wider than can be trivially expected.<br>
&gt; &gt; &gt; For instance, maaku7 once proposed a softfork that could pot=
entially change the block discovery rate as a softfork.<br>
&gt; &gt; &gt; Although this required exploiting a consensus bug that has s=
ince been closed.<br>
&gt; &gt; &gt; The example of SegWit shows us that we can in fact create ma=
ssive changes to the transaction and block formats with a softfork.<br>
&gt; &gt; &gt; For example, it is possible to change the Merkle Tree to use=
 SHA3 instead, in a softfork, by requiring that miners no longer use the &q=
uot;normal&quot; existing Merkle Tree, but instead to require miners to emb=
ed a commitment to the SHA3-Merkle-Tree on the coinbase of the &quot;origin=
al&quot; block format, and to build &quot;empty&quot; SHA2-Merkle-Trees con=
taining only the coinbase.<br>
&gt; &gt; &gt; To unupgraded nodes it looks as if there is a denial-of-serv=
ice attack permanently, while upgraded nodes will seek blocks that conform =
to the SHA3-Merkle-Tree embedded in the coinbase.<br>
&gt; &gt; &gt; (Do note that this definition of &quot;softfork&quot; is the=
 &quot;&gt; 50% of miners is enough to pull everyone to the fork&quot;.<br>
&gt; &gt; &gt; Some thinkers have a stricter definition of &quot;softfork&q=
uot; as &quot;non-upgraded nodes can still associate addresses to values in=
 the UTXO set but might not be able to detect consensus rules violations in=
 new address types&quot;, which fits SegWit and Taproot.)<br>
&gt; &gt; &gt; (In addition, presumably the reason to switch to SHA3 is to =
avoid potential preimage attacks on SHA2, and the coinbase is still in a SH=
A2-Merkle-Tree, so... this is a bad example)<br>
&gt; &gt; &gt; Perhaps the only things that cannot be usefully changed in a=
 softfork is the block header format and how proof-of-work is computed from=
 the block header.<br>
&gt; &gt; &gt; But the flexibility of the coinbase allows us to hook new co=
mmitments to new Merkle Trees to it, which allows transactions to be annota=
ted with additional information that is invisible to unupgraded nodes (simi=
lar to the `witness` field of SegWit transactions).<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Even if you do have a softfork, we should be reminded to loo=
k at the histories of SegWit and Taproot.<br>
&gt; &gt; &gt; SegWit became controversial later on, which delayed its acti=
vation.<br>
&gt; &gt; &gt; On the other hand, Taproot had no significant controversy an=
d it was widely accepted as being a definite improvement to the network.<br=
>
&gt; &gt; &gt; Yet its implementation and deployment still took a long time=
, and there was still controversy on how to properly implement the activati=
on code.<br>
&gt; &gt; &gt; Any hardforks would not only have to go through the hurdles =
that Taproot and SegWit had to go through, but will also have to pass throu=
gh the much higher hurdle of being a hardfork.<br>
&gt; &gt; &gt; Thus, anyone contemplating a hardfork, for any reason, must =
be prepared to work on it for several years before anyone even frowns and s=
ays &quot;hmm maybe&quot; instead of everyone just outright dismissing it w=
ith a simple &quot;hardfork =3D hard pass&quot;.<br>
&gt; &gt; &gt; As a simple estimate, I would assume that any hardfork would=
 require twice the average amount of engeineering-manpower involved in SegW=
it and Taproot.<br>
&gt; &gt; &gt; (this assumes that hardforks are only twice as hard as softf=
orks --- this estimate may be wrong, and this might provide only a minimum =
rather than an expected average)<br>
&gt; &gt; &gt; There are no quick solutions in this space.<br>
&gt; &gt; &gt; Either we work with what we have and figure out how to get a=
round issues with no real capability to fix them at the base layer, or we h=
ave insight on future problems and start working on future solutions today.=
<br>
&gt; &gt; &gt; For example, I know at least one individual was maintaining =
an &quot;emergency&quot; branch to add some kind of post-quantum signature =
scheme to Bitcoin, in case of a quantum break.<br>
&gt; &gt; &gt; Regards,<br>
&gt; &gt; &gt; ZmnSCPxj<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; bitcoin-dev mailing list<br>
&gt; &gt; &gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" tar=
get=3D"_blank" rel=3D"noreferrer">bitcoin-dev@lists.linuxfoundation.org</a>=
<br>
&gt; &gt; &gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinf=
o/bitcoin-dev" rel=3D"noreferrer noreferrer" target=3D"_blank">https://list=
s.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br>
&gt; <br>
&gt; <br>
&gt; <br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank" =
rel=3D"noreferrer">bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer noreferrer" target=3D"_blank">https://lists.linuxfoundati=
on.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--000000000000e8616405c324ef66--