Bitcoin Forum
Author Topic: Sidechain Technical Feasibility Discussion  (Read 13499 times)
thezerg
April 11, 2014, 03:53:08 PM
 #1

Let us centralize and clarify discussion on bitcoin sidechains.  

The basic idea has been around since at least mid-2012 (any earlier references?) and is to allow value to be moved from the bitcoin network into a separate blockchain and back.  But a possible implementation has only emerged relatively recently (gmaxwell).

First, if both blockchains "see" each other then side chains are easy.  Let's say you want to move value from chain A to chain B.  The owner spends bitcoins on chain A from any address (say 1Me) into a well-known unspendable address (let's pretend the address prefix is 1chainBxfer).  Nodes on chain "B" are watching chain A, perhaps only as a SPV node to see txouts going to 1chainBxfer.  When a suitable transaction is found and sufficiently confirmed, a coinbase txn is allowed on chain B that grants coins to the same addresses as the txins on chain A (1Me).

And you can spend back from B to A in the same way.

Basically, a similar technique was used to fund mastercoins, except that the mastercoin bitcoin address IS spendable (which therefore inflates the TOTAL crypto-currency (MC+bitcoin) supply) and the transfer was a one-time "kickoff" deal.


The real question is how to spend in both directions (2-peg is what people have been saying) when chain A is not aware of chain B?  I think that the general consensus is that this is impossible which is why the sidechain idea languished for 2 years.  

However, the real question is "what is the MINIMUM amount of information that chain B requires and how can that be provided to B with the smallest, safest API changes to B?"

The first requirement is to ensure that the total number of bitcoins will never exceed the amount mined, regardless of errors or antagonistic players on the side chains.  This ensures that errors on a side chain will never inflate the total number of bitcoins on the bitcoin blockchain.  This is easily solved by only allowing "reanimations" of coins on the bitcoin blockchain.  That is, an output transaction was created to an "unspendable" address in the bitcoin blockchain to transfer the coin to chain B.  To transfer value back to the bitcoin blockchain, this txo must be "spent".  It probably does not matter which TXO gets spent to reanimate a coin (in fact choosing a random one will help anonymity), it only matters that the size of the "reanimating" txins = the spending txo's (miner's fees will need to come from a normal txin).

Now, the worst case scenario is that someone will be able to "reanimate" all the coins transferred to another chain, stealing them.  This could cause the sum of the spendable "bitcoins" on the bitcoin blockchain and the sidechain to exceed 21M.  But the 21M limit is not broken, on the bitcoin blockchain (presumably the other chain dies a horrible gox-like death at this point :-( because its coins are no longer "backed")...


To stop that, we need to prove ownership of an off-chain coin to the bitcoin blockchain...

BRB :-)



thezerg
April 11, 2014, 03:53:28 PM
 #2

Terminology:

SPV: Simplified Payment Verification.  How non-fully-validating wallets have trust in your balance.  Basically a chain of block headers that proves that a certain amount of work has happened after a particular txn was posted.   https://en.bitcoin.it/wiki/Scalability#Simplified_payment_verification

SPV proof of burn:  Someone who wants to "reanimate" coins on the bitcoin blockchain (chain A) needs to submit proof that the coins were spent on chain B into the 1chainAxfer (well known unspendable address -- i.e. the coins were "burned" on that chain) AND that sufficient work has been done subsequently to make it unlikely that a fork will unroll this spend.  Rather than force the chain A miners to access the chain B blockchain, the entity who wants to "reanimate" the coin gathers all this information into a "proof" and submits it as part of the "reanimate" transaction.

Security Firewall: Ensure that no matter what happens on side-chains, people/coins that have only been used on the main chain remain unaffected.  Most importantly, no accidental inflation.

1-way peg:  This refers to moving bitcoins to a sidechain.  To understand the term, note that if it is possible to move bitcoins to the sidechain, the price of the sidechain coins cannot exceed that of 1 bitcoin.  The price is "pegged".  If it ever did exceed 1 bitcoin, people would simply move bitcoins to the sidechain and sell them...

2-way peg:  This refers to moving bitcoins to a sidechain and back.  This functionality "pegs" the price of the sidechain coin to that of bitcoin because any deviation simply allows people to move coins to the lower priced chain and sell them.

References:

This chat is really the best description: http://download.wpsoftware.net/bitcoin/wizards/2013-12-18.txt

00:24:30 <BlueMatt> are there any serious or semi-serious proposals for how to fix an altcoin 1:1 to bitcoin without a large cost to bitcoin miners given some hardfork changes to bitcoin?
00:26:38 <gmaxwell> if not for the disabled operators you could probably do it without hardfork changes to bitcoin, though you would only have SPV security in the altcoin-bitcoin direction.
00:27:16 <BlueMatt> even getting spv security in the altcoin-> bitcoin direction is non-trivial, no?
00:27:26 <BlueMatt> (given hardfork to reenable opcodes)
00:27:54 <BlueMatt> you'd have to have the whole chain history, or some subset starting from the time of the bitcoin->altcoin transfer
00:28:03 <BlueMatt> well, whole block-header-chain-history
00:28:27 <gmaxwell> yea, you just write a script that can do a spv validation and then takes a chunk of headers of a prespecified sufficient difficulty.
00:28:44 <gmaxwell> the proof can start at the point the txn of interest was mined.
00:28:45 <BlueMatt> that gets pretty expensive?
00:28:57 <gmaxwell> I mean, it's 80 bytes per header. so not really.
00:29:02 <BlueMatt> very expensive if you hold the alt for an extended period...
00:29:21 <BlueMatt> well, no miner is gonna mine a tx that is 80 bytes*N where N is a few weeks/months of headers
00:29:24 <gmaxwell> BlueMatt: oh no, you don't do it over the life of the alt.
00:29:32 <gmaxwell> crazy no no thats not how it works.
00:30:25 <gmaxwell> you take some coin and assign it to a scriptPubKey that can be redeemed by anyone who provide a SPV fragment from the altcoin showing any of those coins being reassigned back to bitcoin, with a sum difficulty of at least X.
00:30:47 <adam3us> gmaxwell, BlueMatt: a 1:1 peg - doesnt that import security risk from the alt into bitcoin? (i suggested a 1 way peg "bitcoin staging" only so bitcoin is security firewalled) are we talking about the same area of feature
00:31:39 <gmaxwell> adam3us: only to the limit of the alt. say the alt was somehow totally insecure... you could then steal all the bitcoins that had been assigned to the altcoin.
00:31:44 <gmaxwell> but no more.
00:32:01 <adam3us> gmaxwell: hmm that might be ok
00:32:18 <BlueMatt> adam3us: what gmaxwell said (if you decide to put your btc in the alt, sucks for you)
00:32:43 <gmaxwell> BlueMatt: one problem there is that isn't really spv security, its "spv transcript" security, in that the bitcoin network isn't going to go out and find a longer chain.
00:32:48 <adam3us> BlueMatt: yes that is an acceptable trade off and already at risk with a 1-way peg
00:33:20 <gmaxwell> BlueMatt: But I did come up with a way to boost that to more like real SPV security with a bit more script power.
00:33:33 <BlueMatt> gmaxwell: well, ok, sum difficulty is one way...but very non-ideal
00:34:18 <gmaxwell> (you make the release of coins back into bitcoin two phase. The first phase you do a header proof for the release.. and that gets mined.. but it can only output to a special holding script with the following rules:
00:35:13 <gmaxwell> after N blocks the releasing party can grab the coins. OR at any point, any party can show a longer chain to prove the release was bogus. and then they can only be redeemed with a new release on a chain longer than that one.
00:35:55 <gmaxwell> In any case I think most of the stuff thats been said of any technical substance on this is in the coinwitness thread (where I suggest using SNARKs for C to compact the proofs, though its not essential): https://bitcointalk.org/index.php?topic=277389.0
00:36:17 <gmaxwell> obviously if you compact the proofs things start sounding more interesting from a scaling perspective.
00:37:04 <gmaxwell> also if the headers of the altcoin form a MMR (insertion ordered binary tree) it may be cheaper to prove long spans of difficulty.
00:37:09 <BlueMatt> yea, though depending on cutting-edge crypto is ugly...
00:38:02 <gmaxwell> BlueMatt: well there are less ambitious (efficiency wise) ways to construct these proofs, but they're larger... though I'm not sure if we could get the direct proofs down with special support. Maybe.
00:38:08 <gmaxwell> SPV fragments can be pretty small.
00:39:02 <BlueMatt> yea, its all a bit expensive, really
00:39:23 <BlueMatt> it would be fun to be able to peg arbitrary altcoins to bitcoin as it really addresses the issues altcoins cause
00:40:02 <BlueMatt> allows them to innovate (ie risk people's money) while not costing bitcoin's digital scarcity/competing on store-of-value
00:40:51 <gmaxwell> BlueMatt: one way is easy— just have them validate bitcoin too.
00:40:55 <adam3us> BlueMatt: agreed
00:41:57 <gmaxwell> BlueMatt: one point is that you could coinjoin your cross chain merges perhaps, to make them smaller. e.g. one proof and then a dozen transactions hop the gap.
00:44:18 <BlueMatt>  gmaxwell sure, but if you only peg one-way its really not particularly useful
00:44:40 <BlueMatt> well, it is, but not as useful
00:44:54 <BlueMatt> gmaxwell: sure, you could limit to like 1 coinjoin'd alt->btc tx per day
00:45:03 <BlueMatt> but even that could be expensive
00:45:29 <gmaxwell> I dunno, I mean, it's a serialized transaction and spv proof, plus some additional headers.
00:45:43 <BlueMatt> well, if you have 100 alts all doing that, it does
00:46:04 <adam3us> BlueMatt: I like 1:1 peg idea, I only suggested 1-way peg to insulate security, if you can insulate security to the coins in the alt, thats even better
00:47:41 <BlueMatt> as long as you limit it to the people who transferred their coins...
00:47:49 <BlueMatt> gmaxwell: hmm...
00:47:57 <gmaxwell> lets say there are 2^12 txn per altcoin block, ... lets imagine you make the altcoin txn themselves hashtree so you can get to only their outputs.. so say maybe 64 bytes for the altcoin output, 384 bytes for the spv tree. 4 bytes for a spv index, and 12 80 byte headers = 1.4k.
00:48:15 <gmaxwell> it's bigger than a typical ecdsa signature, but not murderous.
00:48:48 <gmaxwell> and if they coinjoin the biggest parts (960 bytes of headers, 384 bytes of hashes) can be shared.
00:49:56 <gmaxwell> adam3us: yea,  I don't think there is a security need to make it one way. If you can never "pull back" more from an altcoin than was sent to it, then only the holders of the altcoin are at risk.
00:50:43 <adam3us> gmaxwell: seems plausible indeed, i just didnt think of it in those terms at the time.  good
00:51:22 <gmaxwell> the altcoin is also a bitcoin node, and monitors bitcoin for coins assigned to the altcoin, and then permits someone on the altcoin to emerge those coins from thin air.. and then when you want to send them back you make a special transaction in the altchain and prove you did it to bitcoin.
00:51:23 <adam3us> gmaxwell: i suppose the other thing is it itself requires bitcoin changes, perhaps non-trivial ones, and that is part of the reason for the exercise.
00:51:46 <gmaxwell> yea, unfortunately it requires changes to bitcoin.
00:52:18 <gmaxwell> we could _almost_ do it in script without the disabled opcodes, but there are enough little corners that I suspect we can't.


2-peg side chain links:

2-way pegging, Adam Back: http://sourceforge.net/p/bitcoin/mailman/message/32108143/

Description of skip-lists that can space-efficiently prove difficulty (SPV proof of burn):

The High-Value Hash Highway: https://bitcointalk.org/index.php?topic=98986.0
Compact SPV proofs via block header commitments: http://sourceforge.net/p/bitcoin/mailman/message/32111357/
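
The SPV fragment check that gmaxwell outlines in the chat above (a transaction, its Merkle branch, then a run of headers with enough summed difficulty), as an added Python example that is not part of the original post or of any sidechain implementation. The function names, the `max_target` floor parameter and the very easy target used to mine the constructed sample headers are assumptions made for illustration.

```python
import hashlib
import struct

HEADER_LEN = 80          # "it's 80 bytes per header" in the chat above
EASY_BITS = 0x207FFFFF   # constructed: near-maximal target so the sample mines instantly


def dsha(data):
    """Double SHA-256, the hash Bitcoin uses for headers and Merkle nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits):
    """Expand a header's compact 'bits' field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_work(bits):
    """Expected hash attempts needed to meet the target encoded in 'bits'."""
    return (1 << 256) // (bits_to_target(bits) + 1)


def merkle_root(leaf, branch, index):
    """Fold a leaf hash up its Merkle branch; 'index' bits pick left or right."""
    node = leaf
    for sibling in branch:
        node = dsha(sibling + node) if index & 1 else dsha(node + sibling)
        index >>= 1
    return node


def verify_fragment(txid, branch, index, headers, max_target, min_work):
    """Check an SPV fragment: tx in headers[0], then linked headers on top.

    max_target is the prespecified per-header difficulty floor and min_work the
    required summed difficulty ("at least X"). Assumption: retarget rules of the
    other chain are not modelled, so the floor is what stops cheap headers.
    Returns (ok, reason).
    """
    if not headers or not 0 <= index < (1 << len(branch)):
        return False, "malformed fragment"
    total, prev_hash = 0, None
    for i, raw in enumerate(headers):
        if len(raw) != HEADER_LEN:
            return False, f"header {i}: wrong length"
        _ver, prev, root, _time, bits, _nonce = struct.unpack("<I32s32sIII", raw)
        target = bits_to_target(bits)
        if target == 0 or target > max_target:
            return False, f"header {i}: below required difficulty"
        this_hash = dsha(raw)
        if int.from_bytes(this_hash, "little") > target:
            return False, f"header {i}: proof of work invalid"
        if i == 0:
            if merkle_root(txid, branch, index) != root:
                return False, "merkle branch does not match first header"
        elif prev != prev_hash:
            return False, f"header {i}: does not extend header {i - 1}"
        total += header_work(bits)
        prev_hash = this_hash
    if total < min_work:
        return False, "insufficient cumulative work"
    return True, "ok"


def fragment_size(tree_depth, n_headers, output_bytes=64):
    """Byte estimate from the chat: output + 32-byte hashes + 4-byte index + headers."""
    return output_bytes + 32 * tree_depth + 4 + HEADER_LEN * n_headers


def mine_header(prev, root, bits=EASY_BITS):
    """Sample-building helper: grind the nonce until the header meets its target."""
    target = bits_to_target(bits)
    for nonce in range(1 << 32):
        raw = struct.pack("<I32s32sIII", 1, prev, root, 0, bits, nonce)
        if int.from_bytes(dsha(raw), "little") <= target:
            return raw
    raise RuntimeError("nonce space exhausted")


def build_sample(n_headers=3):
    """Constructed data: a 4-transaction block plus headers mined on top of it."""
    txids = [dsha(b"constructed tx %d" % i) for i in range(4)]
    left, right = dsha(txids[0] + txids[1]), dsha(txids[2] + txids[3])
    root, index, branch = dsha(left + right), 2, [txids[3], left]
    headers, prev = [], bytes(32)
    for i in range(n_headers):
        raw = mine_header(prev, root if i == 0 else dsha(b"other block %d" % i))
        headers.append(raw)
        prev = dsha(raw)
    return txids[index], branch, index, headers


if __name__ == "__main__":
    txid, branch, index, headers = build_sample()
    floor = bits_to_target(EASY_BITS)
    print(verify_fragment(txid, branch, index, headers, floor, min_work=6))
    print(verify_fragment(txid, branch, index, headers, floor, min_work=7))
    print(fragment_size(tree_depth=12, n_headers=12), "bytes")
```

The check only sees the headers it is handed, which is the "spv transcript" limitation gmaxwell mentions; the two-phase release with a contest window described in the chat is the proposed answer to that.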
TierNolan
April 11, 2014, 03:56:34 PM
 #3

Do you have a link to gmaxwell's actual proposal?

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
thezerg
April 11, 2014, 04:17:23 PM
 #4

Quote
Do you have a link to gmaxwell's actual proposal?

There is none, it's in bits and pieces... hang on, updating 2nd reply now with links.  EDIT: updated
hoffmabc
April 11, 2014, 05:37:46 PM
 #5

Here's some good overview of Adam Back's thoughts on the concept.

http://www.ofnumbers.com/2014/04/09/paraphrased-notes-from-back-and-hill-interview/
benjyz
April 11, 2014, 06:32:17 PM
 #6

what determines the price between two chains? say you have currency C which is pegged to BTC. what determines the ratio at which people exchange C to BTC? say someone has 1M$ worth of C - now he has to find someone who wants to buy 1M$ worth of C for BTC. not only does the price mechanism allow for a value determination of different currencies / approaches, but it also provides a very powerful incentive for developing the software. the mechanism by which one moves currencies into another is called a market. there seems to be a confusion between chains and coin issuance. every coin will have a price and therefore one needs a mechanism to establish the price. I suppose the idea is that Alt-Coins could potentially use the existing hashing-power. I think the same arguments that apply to bitcoin apply to (potential) Alt-coins. Why would someone waste resource to attack a coin instead of mining it?

I find it confusing when people talk about Mastercoin, Ethereum, Counterparty and Opentransactions as if they exist. None of these projects work as of today. Mastercoin has lost 80% in marketcap since IPO, so the market is a very good indicator in this case of how things are going. Let a market establish a price for different projects/chains.
Carlton Banks
April 11, 2014, 06:47:03 PM
 #7

And so there would be free-market merged mining of the sidechains? Choose a sidechain you wish to mine, and pay the additional storage cost for maintaining the chains you perceive as valuable?

Vires in numeris
benjyz
April 11, 2014, 06:53:45 PM
 #8

Quote
And so there would be free-market merged mining of the sidechains? Choose a sidechain you wish to mine, and pay the additional storage cost for maintaining the chains you perceive as valuable?

As far as I understand there are 3 different ideas here: i) sidechains for scaling ii) sidechains as staging (Bitcoin 2.0) iii) sidechains as Altcoins. Of these only i) makes sense to me, which does not require a market. I think ii) is a bad idea. I'm not sure about iii). I believe eventually (in 5-10 years) we will have a sort of chain based exchange mechanism, but it will look very different than what exists today.
thezerg
April 11, 2014, 07:01:03 PM
 #9

Quote
what determines the price between two chains? say you have currency C which is pegged to BTC. what determines the ratio at which people exchange C to BTC? say someone has 1M$ worth of C - now he has to find someone who wants to buy 1M$ worth of C for BTC. not only does the price mechanism allow for a value determination of different currencies / approaches, but it also provides a very powerful incentive for developing the software. the mechanism by which one moves currencies into another is called a market. there seems to be a confusion between chains and coin issuance. every coin will have a price and therefore one needs a mechanism to establish the price. I suppose the idea is that Alt-Coins could potentially use the existing hashing-power. I think the same arguments that apply to bitcoin apply to (potential) Alt-coins. Why would someone waste resource to attack a coin instead of mining it?

I find it confusing when people talk about Mastercoin, Ethereum, Counterparty and Opentransactions as if they exist. None of these projects work as of today. Mastercoin has lost 80% in marketcap since IPO, so the market is a very good indicator in this case of how things are going. Let a market establish a price for different projects/chains.

@Benjyz:  the concept of "sidechains" is an attempt to allow a bitcoin to move from one blockchain to another.  It's still a bitcoin, it's just hosted on a different blockchain.  So essentially the price of a bitcoin on blockchain A cannot diverge from that of a bitcoin on blockchain B because the bitcoins freely move between the blockchains.

Let us keep this topic technical in nature: whether a particular technology *should* be offered as a sidechain or as an alt-coin is a topic better discussed elsewhere.  However, let me briefly offer several possible justifications for side chains:  
1. Bitcoin may have such a strong momentum and monopoly in the digital coin space that even alt-coins with useful features are unlikely to succeed.
2. As a live proving ground for features that could be added to the Bitcoin core blockchain.  These features may be useful, but not cool enough to build a successful alt-coin around.
3. There may be a reluctance (by responsible stewards of the digital currency concept anyway) to inflate the total crypto-currency pool by creating new alt-coins.  
4. The main bitcoin chain cannot easily carry worldwide VISA/MC levels of load

thezerg
April 11, 2014, 07:19:46 PM
 #10

Quote
And so there would be free-market merged mining of the sidechains? Choose a sidechain you wish to mine, and pay the additional storage cost for maintaining the chains you perceive as valuable?

This is an open question AFAIK and very interesting.  The sidechain would not be allowed to create any bitcoin, so the current mining "subsidy" would not exist.  Having a tiny or zero mining reward at least would avoid Coiled Coin's fate (51%ed by a pool operator starting merged mining).

Miners could gain txn fees.  However, I think that the most likely miners would be those who benefit from the side chain in other ways.  For example, if a side chain solved the micro payment problem (high frequency, small payments), services that accept micro payments would be interested in mining the coin.  The current coin subsidy has overshadowed this possibility on the bitcoin blockchain, but look at the core devs.  They are paid by TBF which was funded by contributions from companies invested in bitcoin's future success.

Peter R
April 11, 2014, 07:23:53 PM
 #11

I think I prefer spin-offs to side-chains:  https://bitcointalk.org/index.php?topic=563972.0

Spin-offs facilitate low-risk experimentation of new innovations in a non-threatening and non-inflationary way.  They also require no changes to the core of bitcoin and allow new mining techniques + experimentation with PoS.  

Quote
4. The main bitcoin chain cannot easily carry worldwide VISA/MC levels of load

Adding side-chains or increasing the transaction capacity of the current bitcoin network requires changes to the code.  I would prefer to increase the capacity of the primary blockchain consistent with the Satoshi model.  I believe this can be done by propagating new blocks by transaction hash to reduce the orphan cost, floating the miners fee, and eventually floating (or increasing) the maximum block size.  

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
benjyz
April 11, 2014, 07:24:38 PM
 #12

Quote
@Benjyz:  the concept of "sidechains" is an attempt to allow a bitcoin to move from one blockchain to another.  It's still a bitcoin, it's just hosted on a different blockchain.  So essentially the price of a bitcoin on blockchain A cannot diverge from that of a bitcoin on blockchain B because the bitcoins freely move between the blockchains.

In Bitcoin the chain is public for a good reason. Making it private requires an innovation, which I fail to see here. I doubt that ZK proofs are the solution. These things are much too complex to be properly audited.

Quote
1. Bitcoin may have such a strong momentum and monopoly in the digital coin space that even alt-coins with useful features are unlikely to succeed.
2. As a live proving ground for features that could be added to the Bitcoin core blockchain.  These features may be useful, but not cool enough to build a successful alt-coin around.
3. There may be a reluctance (by responsible stewards of the digital currency concept anyway) to inflate the total crypto-currency pool by creating new alt-coins.  
4. The main bitcoin chain cannot easily carry worldwide VISA/MC levels of load

1. you're referring to the hashing-power. I don't see much reason why miners should attack good coins. after all they mostly care about $'s and if they think the coin is good, they'll support it to make money.
2. well, this seems to move away from the consensus model, that is absolutely constitutional to Bitcoin. this kind of staging would be likely introducing many problems, and I personally don't see the upside. I don't think one can so radically alter Bitcoin and I'm surprised that others do. such changes introduce risk to an existing capital base invested in Bitcoin.
3. I don't understand what that is supposed to mean. issuing worthless coins isn't inflation. only currency systems that are worthwhile get value from the market. this is a non-problem in my opinion. it's the same as in the stock market. plenty of bad stock is issued every day, but that is part of the healthy incentive mechanism.
4. I don't see how side-chains as proposed solve the problem. It would help if suggestions would be put in a format where one can judge whether they are serious concrete proposals or plans/speculations. I think one should distinguish much more clearly between the two (something like BIP draft format). There is quite a lot of hand-waving going on, especially with regards to the so called 2.0 concepts.
thezerg
April 11, 2014, 08:02:21 PM
 #13

@peter r: Spin-offs is a good idea, in fact it may be mine.  I posted it on the other forum on March 26 as a way to handle adding multiple currencies to bitcoin if the core devs would not add it.  But please do not sidetrack this discussion into it.

WRT transaction capacity:

The Satoshi scalability model gets us somewhere.  I haven't re-analyzed it since bitcoin was much smaller, but IIRC I think it gets us to worldwide international settlement bandwidth with a high enough tx fee to eliminate micro payments.

Regardless, the various transaction parameters: bandwidth, settlement times etc, have been significant motivators of alt-coins.  Clearly Bitcoin has either been seen deficient by some in this respect (esp the 10 minute average confirmation time), or we need blockchains with different parameters to satisfy different needs.


@benjyz: Nobody is talking about a private blockchain...

1. I'm not talking about hashing power.  I am talking about network effect, the first mover advantage.  Why MS word is STILL the standard word processor....
2. It does not move away from consensus.  Consensus is still required for any features to be added to the bitcoin blockchain.  And as an owner of a coin, it's my choice whether I want to move it to the "quick&tinyCoin" sidechain (just to make something up) for use in a cloud storage solution.
3. You can have your opinion, but lots of people see the scam-coin movement as detrimental to the public image of crypto-currencies.  Additionally, let's imagine someone does create Bitcoin2 that really does have compelling features, solving lots of Bitcoin's current problems.  Let's imagine that it exceeds the Bitcoin first mover advantage.  The resulting transfer of value from Bitcoin to Bitcoin2 is not going to paint a pretty picture to the general public, potential investors, Venture Capitalists, etc.  It would set crypto-currency adoption back many years IMO.  Solving this is one purpose of the "spin-off" idea...
4. What's "the problem?" that it doesn't solve... 1 through 4?


But this is going to be my last response debating the merits rather than the technique of this feature.  It has value to many, perhaps not to you.
benjyz
April 11, 2014, 08:17:04 PM
 #14

Quote
But this is going to be my last response debating the merits rather than the technique of this feature.  It has value to many, perhaps not to you.

these kinds of proposals are not covered by consensus and will not get implemented, I'm sure. you can't just upgrade, there are plenty of stakeholders which have to agree.

Quote
the scam-coin movement as detrimental to the public image of crypto-currencies.

who cares about the opinion of one person. that's not how a market economy works.
thezerg
April 11, 2014, 08:38:53 PM
 #15

Quote
But this is going to be my last response debating the merits rather than the technique of this feature.  It has value to many, perhaps not to you.

these kinds of proposals are not covered by consensus and will not get implemented, I'm sure. you can't just upgrade, there are plenty of stakeholders which have to agree.

Quote
the scam-coin movement as detrimental to the public image of crypto-currencies.

who cares about the opinion of one person. that's not how a market economy works.

IF and WHEN we figure out whether this is even possible THEN we can debate its merits.  Before that significant debate seems premature... or feel free to go start another thread.  I was hoping to discuss technical feasibility here.  I will change the title.
keystroke
April 11, 2014, 09:41:34 PM
 #16

So miners who 51% the side-chain can steal coins?

"The difference between a castle and a prison is only a question of who holds the keys."
thezerg
April 11, 2014, 10:12:48 PM
 #17

Quote
So miners who 51% the side-chain can steal coins?

no but good observation: they could prevent the coins from being spent, including being spent back into the main chain. 

PS, in case you don't know, in general a 51% attack can't steal coins.  But they can claim EVERY block reward which is what happened to CoiledCoin.  For alt-coins that have block rewards that could be seen as a problem.  For the proposed merged-mined sidechain implementation, there is no block reward so nothing to claim.
gmaxwell
April 12, 2014, 01:30:28 AM
 #18

Quote
a non-threatening and non-inflationary way.

What you propose is creating competing systems with their own redundant supply of coins. I am boggling that you call it non-threatening (what do you think people holding those coins will do as the ownership of them diverges from Bitcoin? Sit idly while their coins remain worthless because people are using Bitcoin instead of it? ... No, they're going to go out and tell people to accept their Foocoins instead and suggest that old bitcoins will soon be worthless) and non-inflationary.

It may be a useful thing to do, especially as a promotional method— for someone who already was convinced they wanted to create a new currency...  but it doesn't address the issues that the sidechain idea hopes to address, including giving people the freedom to choose to use new transaction processing systems as they see fit without the loss of network effect and adoption dilution that comes from having to choose to accept a whole different currency.

Bitcoin will not be compromised
gmaxwell
April 12, 2014, 01:34:21 AM
 #19

Quote
And so there would be free-market merged mining of the sidechains? Choose a sidechain you wish to mine, and pay the additional storage cost for maintaining the chains you perceive as valuable?

Correct.  To put some numbers on that, the namecoin chain is currently about 4GB of data, and it's mined by >80% of Bitcoin's hashrate.

Though I'd like to see something deployed that didn't force merged mining. I think having the flexibility to do other things is good.

What's interesting now that this has had some press coverage is that people have piped up and pointed out places where they'd invented substantially similar things in the past. So we're now up to ~5 independent inventions of the core idea... perhaps a good sign. :)

Bitcoin will not be compromised
smooth
April 12, 2014, 01:43:27 AM
 #20

Quote
and non-inflationary.

It's not inflationary because the value of spin-off foocoin is already incorporated in the value of bitcoin. Bitcoin (pre-spin-off) = bitcoin (ex-spin-off) + foo coin.  

This does not mean that foo coin couldn't possibly replace bitcoin or even possibly (though the prevailing view seems to discount this) co-exist alongside bitcoin. In this sense I don't agree with Peter R that the process is non-threatening (to the extent that your allegiance is to ex-spin-off bitcoin as opposed to pre-spin-off bitcoin), but in and of itself the spin-off process is not inflationary.

I don't think it serves the same purpose as side chains though.

gmaxwell
April 12, 2014, 01:48:08 AM
 #21

Quote
The sidechain would not be allowed to create any bitcoin, so the current mining "subsidy" would not exist. 

That's not strictly true. In that a side-chain could have a subsidy created by stashing coins in compulsory fees on coins crossing the boundary, or by not having a 1:1 value relationship with Bitcoin, or by issuing credits for future fees or other mechanisms.

I don't list these things to suggest that any of them are good or that I've considered them in depth— I'm just pointing out that there are more possibilities than you may have considered.

Quote
Miners could gain txn fees.  However, I think that the most likely miners would be those who benefit from the side chain in other ways.  For example, if a side chain solved the micro payment problem (high frequency, small payments), services that accept micro payments would be interested in mining the coin.
Absolutely, the one example of a MM alt in bitcoin failing was CLC which can be perceived as being overtly hostile (they took the pre-release bitcoin op_eval/p2sh code, complete with nasty exploits, and rushed it to market: announcing a new altcoin + exchange on the same day, basically trying to monetize other people's code, saying it would replace bitcoin, etc).  Services provided by sidechains enhance the value of the Bitcoins miners receive.

There are a number of things miners could do if they were short term greedy rational— esp considering that we have parties with >25% hashrate that they aren't doing— they'd have a 5% success rate at a 6 block reorg.. could make for some pretty nice theft.

This isn't to say that security is a non-issue, but the nice thing with the sidechains is that you can always choose to not use them. For whatever level of security arises out of any particular sidechain's mix of internal incentives and redemption rules there are applications which would find that level of security acceptable. Esp when you start talking about things like high volume micro transaction-ish stuff there is some interesting tradeoff: if you hardfork bitcoin to allow gigantic blocks to make those things even remotely viable, you end up potentially pushing more and more bitcoin users to an SPV model. Given the choice between all of Bitcoin being more SPV like security and just regional microtransaction networks being more SPV like, the latter is a lot more attractive.

Bitcoin will not be compromised
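Added example (not part of gmaxwell's post or of the thread): the 5% figure for a 6-block reorg with 25% of the hashrate is consistent with the attacker catch-up estimate from the "Calculations" section of the Bitcoin white paper, which the Python below implements. The function names are this example's own, and `confirmations_needed` goes one step beyond the post by inverting the estimate to pick a confirmation depth for a chosen risk level.

```python
import math


def attacker_success(q, z):
    """Probability that an attacker holding hashrate share q ever overtakes
    an honest chain that is z blocks ahead (Nakamoto's Poisson estimate)."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must be a hashrate share strictly between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0                  # a majority attacker always catches up
    ratio = q / p
    lam = z * ratio                 # expected attacker blocks while honest miners find z
    poisson = math.exp(-lam)        # Poisson(k = 0; lam)
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k      # Poisson(k) from Poisson(k - 1), no large factorials
        total -= poisson * (1.0 - ratio ** (z - k))
    return total


def confirmations_needed(q, max_risk):
    """Smallest depth z at which attacker_success(q, z) falls below max_risk."""
    if not 0.0 < q < 0.5:
        raise ValueError("no finite depth exists unless q is below 0.5")
    if not 0.0 < max_risk < 1.0:
        raise ValueError("max_risk must be strictly between 0 and 1")
    z = 0
    while attacker_success(q, z) >= max_risk:
        z += 1
    return z


def risk_table(shares, depths):
    """Rows of (share, [risk at each depth]) for comparing confirmation policies."""
    return [(q, [attacker_success(q, z) for z in depths]) for q in shares]


if __name__ == "__main__":
    # The case from the post: a 25% share against a 6-block lead.
    print(f"q=0.25, z=6: {attacker_success(0.25, 6):.4f}")
    print(f"depth for <0.1% risk at q=0.25: {confirmations_needed(0.25, 0.001)}")
    for q, risks in risk_table([0.10, 0.25, 0.30], [1, 6, 12]):
        print(q, [f"{r:.4f}" for r in risks])
```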
hoffmabc
April 12, 2014, 02:52:20 AM
 #22


Quote
What's interesting now that this has had some press coverage is that people have piped up and pointed out places where they'd invented substantially similar things in the past. So we're now up to ~5 independent inventions of the core idea... perhaps a good sign. :)

I've heard that Dorian actually coined the concept of a sidechain as a "free lunch" off Bitcoin.
benjyz
April 12, 2014, 09:20:40 AM
 #23

Here is an interview with Adam on the matter: http://letstalkbitcoin.com/e99-sidechain-innovation/#.U0kCJPh4ib4

What we really want is a market principle, so that people value alternative coins. Why one would want to remove this fundamental pricing and incentive mechanism is beyond me. Anyway, people will continue to seek profit, no matter what you do. the question is how to design protocols which frame that profit-seeking motive.
maaku
April 12, 2014, 07:21:17 PM
 #24

Quote
Here is an interview with Adam on the matter: http://letstalkbitcoin.com/e99-sidechain-innovation/#.U0kCJPh4ib4

What we really want is a market principle, so that people value alternative coins. Why one would want to remove this fundamental pricing and incentive mechanism is beyond me. Anyway, people will continue to seek profit, no matter what you do. the question is how to design protocols which frame that profit-seeking motive.

Alt currencies are not seeking profits, they are seeking rents. That is an important distinction that should not be lost.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
benjyz
April 12, 2014, 07:40:43 PM
 #25

Quote
Here is an interview with Adam on the matter: http://letstalkbitcoin.com/e99-sidechain-innovation/#.U0kCJPh4ib4

What we really want is a market principle, so that people value alternative coins. Why one would want to remove this fundamental pricing and incentive mechanism is beyond me. Anyway, people will continue to seek profit, no matter what you do. the question is how to design protocols which frame that profit-seeking motive.

Alt currencies are not seeking profits, they are seeking rents. That is an important distinction that should not be lost.

who makes that decision? and who is to say that nobody should/can invent something that is better than Bitcoin? clearly that hasn't happened yet. the argument for side-chains is that everyone should use the hashing-power of Bitcoin. I think it would be interesting to see some actual competition on the hashing. would miners destroy a serious alt-coin? I doubt it. I believe they would choose to try and make money off of it, instead of destroying it. so this profit-argument against attacks applies to smaller coins just as well.
smooth
April 12, 2014, 07:55:29 PM
 #26

Quote
the argument for side-chains is that everyone should use the hashing-power of Bitcoin.

That is not really the argument. The argument is for other developers to adopt the scarcity model of bitcoin, or alternately for the population of developers who have adopted the scarcity model of bitcoin to be able to innovate in a larger space (compared to the status quo where it is very hard to innovate anything in bitcoin).




maaku
April 12, 2014, 09:01:06 PM
 #27

Quote
who makes that decision?

No one does. It's a definitional difference:

http://en.wikipedia.org/wiki/Economic_rent

Quote
and who is to say that nobody should/can invent something that is better than Bitcoin?

They certainly can. But there is no justification for creating another p2p issued currency (unless there is some intrinsic economic difference in the construction of the currency itself -- this is not the case with just about every alt out there except one or two).

Quote
the argument for side-chains is that everyone should use the hashing-power of Bitcoin.

No, the argument is that people should be using bitcoin as the currency no matter what chain they are on. Merged mining is just an implementation detail.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
benjyz
April 12, 2014, 09:17:34 PM
 #28

Quote
the argument for side-chains is that everyone should use the hashing-power of Bitcoin.

That is not really the argument. The argument is for other developers to adopt the scarcity model of bitcoin, or alternately for the population of developers who have adopted the scarcity model of bitcoin to be able to innovate in a larger space (compared to the status quo where it is very hard to innovate anything in bitcoin).

well, you still need consensus for a new potential feature which carries risk. and those who have a stake in bitcoin likely don't want to take too much risk. whether those features are on a separate chain or side-chain doesn't change that dynamic. also, the process is such that there is a certain team structure ("developer consensus" if you will) that moves the project in a certain direction. if a different team would develop new features, who is to say that the bitcoin dev team would approve of them? if N sidechains compete for features, who decides which features are to be ported? these decisions are very far from trivial and straightforward. Bitcoin is not just a sum of features.

I'm not sure what you mean by scarcity model. If somebody issues any coin the market values that coin. Alt-Coins are not inflationary at all. there are 100+ coins and most of them are worthless bits.

Quote
But there is no justification for creating another p2p issued currency

I don't see a release of clones as a problem at all. The license of Bitcoin is pretty clear. So nobody has the (legal) authority to make such claims. Basically we have different chains, and then markets to move between them. The market is currently not very sophisticated but is going to be much more so in the future. There will be a cross-section of protocols along these lines. Bitcoin doesn't have an auction mechanism and it's impossible to build one on top of it.
smooth
April 12, 2014, 09:33:25 PM
 #29

Quote
the argument for side-chains is that everyone should use the hashing-power of Bitcoin.

That is not really the argument. The argument is for other developers to adopt the scarcity model of bitcoin, or alternately for the population of developers who have adopted the scarcity model of bitcoin to be able to innovate in a larger space (compared to the status quo where it is very hard to innovate anything in bitcoin).

well, you still need consensus for a new potential feature which carries risk. and those who have a stake in bitcoin likely don't want to take too much risk.

That's not how the proposal works. There needs to be one change to bitcoin to support all side chains but then you can have as many side chains as you want and the side chains can do whatever they want, including risky things. People who don't participate in the side chain are not exposed to the risk. In theory.

Quote
I'm not sure what you mean by scarcity model.

The scarcity model meaning the total supply is limited to 21 million tokens (bitcoins). With side chains, those 21 million tokens can be used in all sorts of different ways, without creating new tokens (coins).

Quote
If somebody issues any coin the market values that coin. Alt-Coins are not inflationary at all. there are 100+ coins and most of them are worthless bits.

That's a different scarcity model from the side chain model. I'm not placing a value judgement on the matter, just explaining it.

benjyz
April 12, 2014, 09:47:08 PM
 #30

Quote
There needs to be one change to bitcoin to support all side chains but then you can have as many side chains as you want and the side chains can do whatever they want, including risky things.

Who would define which chains are those which are allowed to inter-operate? bitcoin-devs would have to select side-chains / teams who are allowed to participate (otherwise one would have side-chain scams).  It's hard to imagine a scenario in which it makes sense to integrate such a selection process into Bitcoin.
smooth
April 12, 2014, 09:57:24 PM
 #31

Quote
There needs to be one change to bitcoin to support all side chains but then you can have as many side chains as you want and the side chains can do whatever they want, including risky things.

Who would define which chains are those which allowed to inter-operate? bitcoin-devs would effectively have to select side-chains / teams who are allowed to participate.

There hasn't been a comprehensive white paper, etc. so it is unclear what the requirements will be. It has been promoted as allowing freer exploration, and it has been stated that the security firewall will be that no more coins will ever be allowed to return from the side chain than were sent to the side chain. If that requirement is enforced within the bitcoin chain, then allowing free (or nearly free) experimentation in side chains may be possible. Beyond that we will have to see, unless one of the developers is prepared to explain this aspect of the model here.




thezerg
April 12, 2014, 10:05:12 PM
 #32

Quote
There needs to be one change to bitcoin to support all side chains but then you can have as many side chains as you want and the side chains can do whatever they want, including risky things.

Who would define which chains are those which are allowed to inter-operate? bitcoin-devs would have to select side-chains / teams who are allowed to participate (otherwise one would have side-chain scams).  It's hard to imagine a scenario in which it makes sense to integrate such a selection process into Bitcoin.

@benjyz: Are you a software engineer?  No disrespect; I'm just trying to figure out how to couch the idea.

Nobody would define which chains are allowed.  We are talking about a distributed system here.  Essentially there is a protocol (an API, if you will) and any chain that can talk that protocol can join.  But that protocol is going to be requiring specific information that some services (sidechains) may not be able to meet. 

It's similar to you asking who defines what services run over the web?  The answer is ANY service that can be defined in HTTP.  For example, a forum can be defined in HTTP, an Auction site.  A virtual computer.  But the act of skiing cannot be.  Yes you can advertise and sell skiing tickets over the web, but you can't sell actual skiing.

thezerg
April 12, 2014, 10:11:46 PM
 #33

Quote
And so there would be free-market merged mining of the sidechains? Choose a sidechain you wish to mine, and pay the additional storage cost for maintaining the chains you perceive as valuable?
Correct.  To put some numbers on that, the namecoin chain is currently about 4GB of data, and it's mined by >80% of Bitcoin's hashrate.

Though I'd like to see something deployed that didn't force merged mining. I think having the flexibility to do other things is good.

What's interesting now that this has had some press coverage is that people have piped up and pointed out places where they'd invented substantially similar things in the past. So we're now up to ~5 independent inventions of the core idea... perhaps a good sign. :)

If I'm not one of your 5 you can add me to the list :-)  [emphasis added]

....
If the bitcoin protocol evolved into a fractal blockchain, where the larger, slower, blockchains do not verify every transaction of the smaller, faster ones it will solve both interplanetary (extremely slow) and regional (high frequency) transactions.  Note that on a single planet, "regional" would not have to refer to a physical region -- it could be any social network; in fact "regional" blockchain membership could be created automatically by looking at transaction history of the parent blockchain.

Essentially we'd end up creating blockchains both slower and faster than the current one.

It would be possible to do this with multiple independent "coin" chains but then you'd have the friction of independent markets that trade these different coins.  Just like we have today with gold -> USD.  This is what "litecoin" is attempting to do.  A "better" solution would be to allow the same bitcoin commodity to transfer into and out of the slower and faster blockchains and have the greater blockchain verify some invariants (such as total quantity) of the lesser blockchain -- but not verify every transaction on it.  An additional advantage is that periodically the leaf (final state) of every account in the lesser blockchain could be "committed" to the greater chain, and then that entire chain (the entire history of transactions within that chain) could be restarted.

If you are confused, imagine a "tree" of blockchains...

This architecture relies on the premise that the network has the "scale" property.  That is the premise of localization of payments (i.e. that the majority of payments happen locally); if the average user paid randomly across the entire network (a "scaleless" network), the largest blockchain would see more traffic than the local ones and there would be little point in a fractal design.  I think that bitCoin is "scaleless" as used today, but will become very scaled if mobile payments take off.

A big problem with shoehorning this into the existing system today is the BTC mining award.  There is no way today's blockchain could recognize coins "mined" on other blockchains... so the lesser and greater chains would have to rely entirely on transaction fees.


Quote
The sidechain would not be allowed to create any bitcoin, so the current mining "subsidy" would not exist.
That's not strictly true. In that a side-chain could have a subsidy created by stashing coins in compulsory fees on coins crossing the boundary, or by not having a 1:1 value relationship with Bitcoin, or by issuing credits for future fees or other mechanisms.

I don't list these things to suggest that any of them are good or that I've considered them in depth— I'm just pointing out that there are more possibilities than you may have considered.

Yes, maybe it was unclear but by "subsidy" I was referring exclusively to the coinbase txn, not the txn fees or myriad other ways...

thezerg
April 12, 2014, 10:33:24 PM
 #34

ok technical discussion:

Quote
Though I'd like to see something deployed that didn't force merged mining. I think having the flexibility to do other things is good.

When I first read the chat transcript proposal my first concern was as follows:
Coins are spent from bitcoin to chain A.
Attacker has some service that briefly owns coins on chain A and spends them to someone else (maybe a mixer, but exactly what does not matter)
Now the coins are floating around chain A, for a very long time, potentially forever.
Attacker has this entire amount of time to privately generate a completely fake 100 or even 1000 deep SPV proof, starting from his ownership of the coins.
Attacker submits it to bitcoin blockchain.

I believe that this attack fails due to merged-mining.  Or in other words, the bitcoin blockchain should only accept the merged-mined blocks found on the bitcoin blockchain as evidence of difficulty.  Because the bitcoin blockchain miners cannot be sure that the non-merged mined blocks are real or even that they represent meaningful work if chain A uses a different and unknown (to the bitcoin blockchain) mining algorithm.

This has ramifications on how often blocks can be moved from the sidechain back to the main blockchain.  If you have 1% merged mining, you will get 1 merged-mined block on the bitcoin chain every 1000 minutes (16 hrs).  However, with the strength of the bitcoin blockchain and my supposition that both chains will be unwound if the bitcoin blockchain unwinds a fork, I do not think you need 100+ confs as suggested in the email.

What do you think?  Does this analysis make sense?
maaku
April 12, 2014, 10:46:21 PM
 #35

The attack fails because of the quieting period during which anyone can step forward and provide a reorg proof showing that the claimed return peg is not the most-work chain. The attacker would have to either overpower the honest chain, or by some magical mechanism DoS every single observer of the honest chain, preventing them from telling bitcoin about the real chain.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
Carlton Banks
April 12, 2014, 10:51:27 PM
 #36

Quote
And so there would be free-market merged mining of the sidechains? Choose a sidechain you wish to mine, and pay the additional storage cost for maintaining the chains you perceive as valuable?
Correct.  To put some numbers on that, the namecoin chain is currently about 4GB of data, and it's mined by >80% of Bitcoin's hashrate.

Though I'd like to see something deployed that didn't force merged mining. I think having the flexibility to do other things is good.

What's interesting now that this has had some press coverage is that people have piped up and pointed out places where they'd invented substantially similar things in the past. So we're now up to ~5 independent inventions of the core idea... perhaps a good sign. :)

So the fundamental qualification for a side-chain would be direct, chain verified transference of coins between the primary chain and sidechains? Could there be a case for writing the extension in a way that lets coins be transferred between sidechains, without the need for re-entering the main chain? I suspect yes, but is this technically possible?

And so Namecoin doesn't qualify as a sidechain now, but could (although a Namecoin functional clone introduced as a sidechain sounds more likely). Purpose-specific alts could indeed become usurped by a successful sidechain targeting the same purpose. Services that squat on the main chain could also become redundant.


I very much like the idea. It permits experimentation with non-money information services that work as a part of the existing system, and yet it's structured in a way that the data from the experiments don't become co-mingled as they have been up to now. And of course purely money-based services with different characteristics could also be created.

Furthermore, a chain with a purpose that works under a certain set of real-world circumstances can continue as long as those real-world circumstances exist, and if/when the real-world changes, the chain can either change, remain, or be discontinued, driven by market forces. Very powerful idea.

And so the case for tightening rules for arbitrary data in (what may henceforth be referred to as "main-chain")  transactions can be made more convincingly, without overriding the arguments that innovations are being stifled.

This could add a lot more nuance to the work of a miner too, depending on what applications are developed as side-chains. Potentially very far reaching. All sorts of regulatory angles, and all the moral issues associated with processing data that is informative about actual humans.

Vires in numeris
maaku
April 12, 2014, 11:03:23 PM
 #37

Quote
So the fundamental qualification for a side-chain would be direct, chain verified transference of coins between the primary chain and sidechains? Could there be a case for writing the extension in a way that lets coins be transferred between sidechains, without the need for re-entering the main chain? I suspect yes, but is this technically possible?

The process can be made entirely symmetrical such that you'd be able to transfer value between any two chains, if the chains are set up to support that in the first place. However coins of the form BTC -> A -> B would be technically treated as a different asset class than BTC -> B coins, so I don't think this would have quite the semantics you are looking for.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
thezerg
April 13, 2014, 01:05:37 AM
 #38

Quote
The attack fails because of the quieting period during which anyone can step forward and provide a reorg proof showing that the claimed return peg is not the most-work chain. The attacker would have to either overpower the honest chain, or by some magical mechanism DoS every single observer of the honest chain, preventing them from telling bitcoin about the real chain.


the quieting idea has issues as I understand it.

Intuitively, relying on an altruistic third party or requiring coin owners to be online 24/7 to protect a spend to sidechain seems dangerous.

specifically, an attacker colluding with a bitcoin miner could choose to not relay the reanimate txn until it solves it in a block.


another issue this raises is what happens if it happens?  There are now fewer backing btc on the blockchain than on the sidechain.  like musical chairs the last one to spend back into btc blockchain loses.  this could trigger a run on the sidechain.
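Added example, not part of any post in the thread and not code from a sidechain implementation: a toy main-chain ledger for the return peg that combines the quieting period from maaku's reply, the case raised in the follow-up where no competing proof arrives in time, and the rule from earlier in the thread that no more coins may return than were sent. All class and function names are hypothetical, and an SPV proof is reduced to an integer amount of work that is assumed to have been verified already.

```python
class Claim:
    """One pending request to move coins back from the sidechain."""

    def __init__(self, amount, proof_work, submitted_at):
        self.amount = amount              # coins requested back on the main chain
        self.proof_work = proof_work      # work shown by the claimant's SPV proof
        self.submitted_at = submitted_at  # main-chain height of the claim
        self.defeated = False
        self.settled = False


class PegLedger:
    """Main-chain view of one sidechain: locked coins plus pending return claims."""

    def __init__(self, contest_blocks):
        self.contest_blocks = contest_blocks  # length of the quieting period
        self.locked = 0                       # coins sent to the sidechain so far
        self.claims = []

    def lock(self, amount):
        """Record coins moved to the sidechain; they stay locked on the main chain."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.locked += amount

    def submit_claim(self, amount, proof_work, height):
        """Open a return claim. Nothing is released until the window closes."""
        if amount <= 0 or proof_work <= 0:
            raise ValueError("amount and proof_work must be positive")
        self.claims.append(Claim(amount, proof_work, height))
        return len(self.claims) - 1

    def _window_open(self, claim, height):
        return height < claim.submitted_at + self.contest_blocks

    def submit_reorg_proof(self, claim_id, competing_work, height):
        """Anyone may show a heavier sidechain that does not contain the claim."""
        claim = self.claims[claim_id]
        if claim.settled or not self._window_open(claim, height):
            return False                      # too late to contest
        if competing_work <= claim.proof_work:
            return False                      # not the most-work chain
        claim.defeated = True
        return True

    def settle(self, claim_id, height):
        """Release coins for an uncontested claim; returns the amount released."""
        claim = self.claims[claim_id]
        if claim.defeated or claim.settled or self._window_open(claim, height):
            return 0
        if claim.amount > self.locked:
            return 0                          # firewall: never exceed what was locked
        claim.settled = True
        self.locked -= claim.amount
        return claim.amount


def run_scenarios(window=144):
    """Constructed scenarios; every height, amount and work value is made up."""
    out = {}

    # 1. A claim backed by a weak private proof, contested inside the window.
    peg = PegLedger(window)
    peg.lock(50)
    weak = peg.submit_claim(amount=50, proof_work=1_000, height=100)
    out["settle_inside_window"] = peg.settle(weak, height=150)
    out["contest_accepted"] = peg.submit_reorg_proof(weak, 5_000, height=160)
    out["weak_claim_paid"] = peg.settle(weak, height=300)
    out["locked_after_contest"] = peg.locked

    # 2. Same claim, but no reorg proof reaches the chain before the window closes.
    peg = PegLedger(window)
    peg.lock(50)
    weak = peg.submit_claim(amount=50, proof_work=1_000, height=100)
    out["late_contest_accepted"] = peg.submit_reorg_proof(weak, 5_000, height=244)
    out["uncontested_paid"] = peg.settle(weak, height=244)
    honest = peg.submit_claim(amount=50, proof_work=5_000, height=250)
    out["later_honest_paid"] = peg.settle(honest, height=250 + window)

    # 3. A claim for more than was ever locked is refused even when uncontested.
    peg = PegLedger(window)
    peg.lock(50)
    big = peg.submit_claim(amount=80, proof_work=9_000, height=100)
    out["over_claim_paid"] = peg.settle(big, height=100 + window)
    out["locked_after_over_claim"] = peg.locked
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 2 is the "musical chairs" outcome: the main chain's coin total is unaffected, but the later honest claim finds nothing left to redeem.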
TierNolan
April 13, 2014, 09:33:57 AM
 #39

Quote
The process can be made entirely symmetrical such that you'd be able to transfer value between any two chains, if the chains are set up to support that in the first place. However coins of the form BTC -> A -> B would be technically treated as a different asset class than BTC -> B coins, so I don't think this would have quite the semantics you are looking for.

It could be set up so that the chains group multiple cross chain transfers together.

If there were 100 transfers between 2 chains, then the chain that ends up losing money could transfer some of its "reserve" to the other chain.

This would be like where banks do 1 transfer each day no matter how many of their customers send money between the 2 banks.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
benjyz
April 13, 2014, 12:14:20 PM
 #40

The analogy would be roughly as follows: when you enter a casino you transfer dollars into chips. Each chip has a definite value, and there is a 1:1 correspondence. you can move chips into dollars if you enter or leave the casino, but you can't use dollars to play in the casino. The chips in the casino can represent anything, as long as the movement in and out are 1:1. Now, that is all well and fine. However, when you think about it more you come to realize that the casinos have to be able to convert dollars into chips. Because chip amounts are usually small compared to the overall money supply of the casino this is not a problem. But if someone comes in with 10M$ to convert dollars into chips, that is going to be a problem if the casino is small. likewise if somebody wants to cash out 10M$ that might bust the casino.

what you need is supply and demand matching, so that people can move between different alternatives. what markets do, they establish a function of supply and demand to clear the outstanding balances. this function is the price of a currency. with pegged fiat currencies, a central bank will offset, i.e. manage, demand and supply. the price fixing results in a need to manage a balance sheet by some authority. for someone to move out of a network/currency, you need someone moving in. if I want to use XYZ-Coin and I own BTC, I have to find someone who owns XYZ and wants BTC.

as an example: if one sidechain has a bug and all state / coins are lost. how does Bitcoin know that those coins are not re-spendable? if an Alt-Coin has a fatal bug, coins become worthless rather quickly. or say it is rumored that one chain has a fatal bug. now half of the coins rush out. who loses in this transaction? some value (BTC) was destroyed. burning dollar bills has an effect on your balance sheet. I don't see where these questions, which are the interesting ones, are even being addressed. for this to work you would basically have to prove that sidechain doesn't lose state (is perfectly safe), or that if state is lost that will be a known quantity or more abstractly that risk exposure is linear. all kinds of assumptions you don't want to make in robust systems.
gmaxwell
Moderator
April 13, 2014, 07:00:32 PM
 #41

Quote
if an Alt-Coin has a fatal bug, coins become worthless rather quickly. or say it is rumored that one chain has a fatal bug. now half of the coins rush out. who loses in this transaction?
This is addressed where Adam writes about firewalling (and in the IRC description of sidechains that adam linked; both of which you should read if you're posting here).   Take your casino example and imagine that the casino is hygienic— i.e. not intermingling their books, so that every chip they issue is backed. People bring the casino's teller dollars, the teller gives them chips with a promise to exchange back for dollars later. Now, say the casino's chips are insecure and easily cloned by the players.  The casino's teller is drained. Who loses out?  The people left holding the chips.  Other people using the USD are not /directly/ affected.

If instead there wasn't actually a fatal bug, just phobia about one, then no one loses at all— except perhaps people who overpaid some in transaction fees trying to hastily exit. Unlike an altcoin a sidechain-coin doesn't lose its value due to changes in sentiment, since you can go trade it back for Bitcoins regardless of what other people think about the side chain, unless the side chain is _actually_ insecure and the backing bitcoin is taken.

Bitcoin will not be compromised
smooth
April 13, 2014, 07:32:50 PM
 #42

Quote
another issue this raises is what happens if it happens?  There are now fewer backing btc on the blockchain than on the sidechain.  like musical chairs the last one to spend back into btc blockchain loses.  this could trigger a run on the sidechain.

Side chains that want to avoid this had better be transparent and verifiable in some way. This takes nothing away from the idea of having a (relatively) low barrier to creating side-chains. If a particular side chain can't convey sufficient confidence, no one will use them.

Would you move your coins to a side chain knowing there were only a (say) 80% chance you could ever move them back? If not, then no coins ever move to the chain and it doesn't even matter whether the chain exists.

For this reason, I have some question as to whether the 1:1 side chain proposal can even work. There will always be some doubt as to the security of any side-chain, so it is irrational to ever move coins there at 1:1. But perhaps with a subsidy added by a third party, or a bond, this barrier can be overcome.
benjyz
April 13, 2014, 08:55:54 PM
 #43

Quote
This is addressed where Adam writes about firewalling (and in the IRC description of sidechains that adam linked; both of which you should read if you're posting here).

still, you have the problem of convertibility. if Alice wants to move 1 BTC to 1 pegged XYZ, there has to be a counterparty moving from XYZ to BTC. there has to be a ledger/matching mechanism which tracks it. and if Alice wants to move 1000 XYZ to BTC she might have to wait a very long time to convert. the way auction protocols handle this, there is an adjustment of price to balance the books. if you fix the ratio at 1:1 liquidity is going to be so low, that nobody will ever care to move outside, because the risk is just too high. blockchains are very bad for handling such an event flow.
smooth
April 13, 2014, 09:06:03 PM
 #44

Quote
still, you have the problem of convertibility. if Alice wants to move 1 BTC to 1 pegged XYZ, there has to be a counterparty moving from XYZ to BTC.

The idea of this proposal is for the protocol to serve as a permanent counterparty by accepting bitcoins into what is in effect a collateral account on the main chain and substituting what is in effect a tradable redemption receipt on the side chain, and then reversing this transaction later. This process is said to be slow so you may prefer to trade with someone already holding a receipt (your liquid bitcoins for their redemption receipt).

go1111111
April 13, 2014, 09:40:42 PM
 #45

Quote
The sidechain would not be allowed to create any bitcoin, so the current mining "subsidy" would not exist.
That's not strictly true. In that a side-chain could have a subsidy created by stashing coins in compulsory fees on coins crossing the boundary, or by not having a 1:1 value relationship with Bitcoin, or by issuing credits for future fees or other mechanisms.

I don't list these things to suggest that any of them are good or that I've considered them in depth— I'm just pointing out that there are more possibilities than you may have considered.

Has anyone else thought about this stuff in more depth? IMO finding a good way to implement a side-chain coin with a mining subsidy is a big deal, because in the long run there will be a lot of pressure for transactions to migrate to the platform with the lowest transaction fees, and it'd be nice if these transactions could move to a Bitcoin side-chain instead of another currency.

Here is some brainstorming:

Let's say you had some side-chain where the coin supply increased 2% per year. To avoid increasing the bitcoin supply, you might come up with a rule where if you move a bitcoin to the side-chain and then try to redeem the bitcoin at any point in the future you'd need to destroy an amount of sidecoins proportional to the amount of inflation there has been in the sidechain since you moved the bitcoin there. However it seems like it'd be super hard to guarantee that there could be no accidental bitcoin inflation due to consensus issues / timing issues/ chain-reorgs, etc. Perhaps bitcoin sidechains could be implemented to require a 1:1 value relationship with bitcoin, but then you could try this with another level of sidechains, so Bitcoin <--> Foocoin <--> Inflationcoin, where Bitcoin:Foocoin must have a 1:1 relationship, then the Foocoin:Inflationcoin interface could be more dangerous.

Re: fees for crossing the boundary. The main issue that comes to mind is that the amount of mining subsidy depends a lot on user behavior that's hard to predict ahead of time. Maybe people come up with methods to trade bitcoins for sidecoins without doing an official boundary-crossing.
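
A toy ledger for the redemption rule sketched in the post above, added here as an illustration and not code from any participant or project: peg-ins mint and redemptions burn sidecoins at an index that compounds 2% per year. The Peg class, the satoshi amounts and the rounding choices are assumptions; the second run shows a redemption validated against a stale index leaving the outstanding sidecoins with a claim on more bitcoin than is locked.

```python
from fractions import Fraction
from math import ceil, floor

RATE = Fraction(2, 100)   # 2% yearly sidechain inflation, the figure used in the post
COIN = 100_000_000        # satoshis per bitcoin

class Peg:
    """Hypothetical ledger: locked satoshis on the main chain vs sidecoin supply."""

    def __init__(self):
        self.locked = 0   # satoshis held in the peg on the main chain
        self.supply = 0   # sidecoin base units in existence
        self.year = 0

    def index(self, year=None):
        # Sidecoins per satoshi after `year` years of compounding (exact rational).
        return (1 + RATE) ** (self.year if year is None else year)

    def tick_year(self):
        # Mining subsidy: new sidecoins with no bitcoin behind them.
        self.supply += floor(self.supply * RATE)
        self.year += 1

    def peg_in(self, sats):
        minted = floor(sats * self.index())      # round down: favours collateral
        self.locked += sats
        self.supply += minted
        return minted

    def redeem(self, sats, index_year=None):
        # index_year=None uses the current index; anything else models a
        # validator working from an out-of-date view of the sidechain.
        burn = ceil(sats * self.index(index_year))   # round up: favours collateral
        if sats > self.locked or burn > self.supply:
            raise ValueError("redemption exceeds locked coins or supply")
        self.locked -= sats
        self.supply -= burn
        return burn

    def claims(self):
        # Satoshis the remaining sidecoins could still demand at today's index.
        return Fraction(self.supply) / self.index()

    def fully_backed(self):
        return self.claims() <= self.locked

def scenario(stale):
    peg = Peg()
    peg.peg_in(COIN)          # two constructed 1 BTC deposits at year 0
    peg.peg_in(COIN)
    for _ in range(5):
        peg.tick_year()
    burn = peg.redeem(COIN, index_year=0 if stale else None)
    return burn, peg.fully_backed(), peg.claims() - peg.locked

if __name__ == "__main__":
    for stale in (False, True):
        burn, backed, gap = scenario(stale)
        print(f"stale={stale} burned={burn} backed={backed} gap={float(gap):.0f} sat")
```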


maaku
Legendary
Activity: 905
April 13, 2014, 11:39:19 PM
 #46

Yes we've looked at that and it is pretty straightforward to have either inflation and moving price or demurrage and a finite supply. More complicated setups are also possible of course but need to be examined in more detail.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
benjyz
Full Member
Activity: 140
April 14, 2014, 10:34:13 AM
 #47

ok, my last comment on the matter here. I think it should be recognized that, if one wants to discuss the future of financial systems, one needs an in depth understanding of economics.  people who are ignorant of a topic want to isolate the discussion by making Bitcoin all about cryptography/a technical matter, completely overlooking how social systems are designed.

this is the perfect example. using proofs or audits (outside the system) to move balances is not a good idea. movement of currency/capital requires considerations of liquidity and supply/demand. the pricing mechanism of a market allows speed of movement, by adjusting the rate at which balances (bid and ask) match. which is why we have financial markets (and a market economy for that matter). these systems exist for a reason: they perform certain measurement functions. a buyer of a car does not need complete information about the car, and the seller doesn't need to prove that the car has certain qualities. if we would have to prove completeness in all transactions our economy would not work. these kinds of things tie in together with information asymmetry, signaling, and a host of other issues studied in economics, which unfortunately standard economics gets mostly wrong. pegged fiat currencies exist and one can study the history of those to understand why they often quickly collapse (look at the history of ERM for example). eventually such schemes evolve around partial central planning of some sort. "auditors" and fraud proofs would be central points of failure.

hand-waving about Open-Transactions is very unconvincing (ethereum does the same). as if you could somehow attach markets on top of blockchains. that will never work, because the blockchain design fundamentally is not a system which allows for such transfers. a market is a system where order of events is crucially important. the blockchain creates an order of events in blocks. that's the whole point, to create a partial order. this is the same reason why Mastercoin doesn't work, which should be pretty obvious by now.
thezerg
Legendary
Activity: 1246
April 14, 2014, 01:14:55 PM
 #48

Quote
ok, my last comment on the matter here. I think it should be recognized that, if one wants to discuss the future of financial systems, one needs an in depth understanding of economics.  people who are ignorant of a topic want to isolate the discussion by making Bitcoin all about cryptography/a technical matter, completely overlooking how social systems are designed.

this is the perfect example. using proofs or audits (outside the system) to move balances is not a good idea. movement of currency/capital requires considerations of liquidity and supply/demand. the pricing mechanism of a market allows speed of movement, by adjusting the rate at which balances (bid and ask) match. which is why we have financial markets (and a market economy for that matter). these systems exist for a reason: they perform certain measurement functions. a buyer of a car does not need complete information about the car, and the seller doesn't need to prove that the car has certain qualities. if we would have to prove completeness in all transactions our economy would not work. these kinds of things tie in together with information asymmetry, signaling, and a host of other issues studied in economics, which unfortunately standard economics gets mostly wrong. pegged fiat currencies exist and one can study the history of those to understand why they often quickly collapse (look at the history of ERM for example). eventually such schemes evolve around partial central planning of some sort. "auditors" and fraud proofs would be central points of failure.

hand-waving about Open-Transactions is very unconvincing (ethereum does the same). as if you could somehow attach markets on top of blockchains. that will never work, because the blockchain design fundamentally is not a system which allows for such transfers. a market is a system where order of events is crucially important. the blockchain creates an order of events in blocks. that's the whole point, to create a partial order. this is the same reason why Mastercoin doesn't work, which should be pretty obvious by now.

What we are proposing here is analogous to moving money between Bank of America (BOA) and JP Morgan Chase (JPM).  Technically you are correct, we really ought to say we have 10000 BOA_USD or 5000 JPM_USD and there should be a market to trade these.  But so long as more convenient mechanisms exist to transfer the money in and out of these institutions on a 1 for 1 basis people do not bother.  And look what happened to Mt. Gox.  As soon as it became very difficult to move USD into/out of Gox, a "market" (on these forums people made offers) sprung up which was valuing GoxUSD differently than USD.  And this happened spectacularly formally (with an explicit web-based exchange "btcbuilder.com") when both USD and BTC flows were shuttered.  [Personally I think that the history of that was an awesome display of the power of markets and if I was a social economics PhD I would be studying it]

So given 1-for-1 why would you prefer your USD to be in BOA vs JPM?  Maybe BOA has some essential feature that you need.  Maybe a better web banking interface.  Maybe a close relationship with a bank in Timbuktu (where you do lots of business) so transfers happen instantly to there.  But I don't WANT all my USD converted into timbucks, or I'd just transfer to the Timbuktu bank.  Same thing with these side-chains.  It will be some piece of side-chain functionality that encourages people to move BTC into them.  I want the functionality without the sketchy currency -- it's useful to have my money near Timbuktu, but not useful enough to risk holding timbucks.


So all we are really doing here is dramatically reducing the friction to move BTC between "institution" chains, if you will.

Today banks only do wires (market free transfers) between trusted banks.  Will we have "trusted" chains?  No.  We will replace this trust with cryptographic proofs that at a minimum protect the BTC blockchain from shenanigans happening on the sidechain.


gmaxwell
Moderator
Legendary
Activity: 2324
April 14, 2014, 05:17:59 PM
 #49

Quote
still, you have the problem of convertibility. if Alice wants to move 1 BTC to 1 pegged XYZ, there has to be a counterparty moving from XYZ to BTC.
No. There does not.

Bitcoin will not be compromised
Peter R
Legendary
Activity: 1050
April 15, 2014, 05:20:17 AM
 #50

Quote
spin-offs...a non-threatening and non-inflationary way.
What you propose is creating competing systems with their own redundant supply of coins. I am boggling that you call it non-threatening (what do you think people holding those coins will do as the ownership of them diverges from Bitcoin? Sit idly while their coins remain worthless because people are using Bitcoin instead of it? ... No, they're going to go out and tell people to accept their Foocoins instead and suggest that old bitcoins will soon be worthless) and non-inflationary.

I missed your reply Greg until just now.  I highly doubt spin-offs / alt-clones will thrive.  I see them as alt-coin neutralizers, sucking market cap away from non-innovative alt-coins, and then later dying in most cases.

Bitcoin is presently the most useful payment network and the blockchain is the most legitimate ledger.  Spin-offs are based on the premise that if a "better payment network were found," its technology would be spun-off using the blockchain ledger.  The blockchain version would become dominant since the economic majority in our community view it as the most legitimate.  People who hold long-term hope in the future of their Foocoins are labouring under the false assumption that it is the coin's feature set that gives it value.  At some point in the future, it will be generally understood that "money is memory" and bitcoin's value comes from our shared consensus that the blockchain is an accurate and legitimate record.  

Quote
It may be a useful thing to do, especially as a promotional method, for someone who already was convinced they wanted to create a new currency...  but it doesn't address the issues that the sidechain idea hopes to address, including giving people the freedom to choose to use new transaction processing systems as they see fit without the loss of network effect and adoption dilution that comes from having to choose to accept a whole different currency.

I agree that spin-offs do not address the issues that sidechains hope to address.  Spin-offs hope to neutralize the threat of alt-coins hijacking value from the blockchain (and wasting it in pump and dumps), whereas sidechains hope to move innovation to the blockchain.  

Side-chains are technically brilliant.  If there was a way to implement them without any changes to bitcoin they would have my support.  My concern is that the desire to facilitate experimentation of features with questionable utility may not outweigh the very real technical risk of implementing them and the potential loss of confidence that may result.  I will be able to make up my mind more definitively after I have studied the to-be-released side-chain white-paper.

Many people erroneously think the value of bitcoin comes primarily from its "features."  In my opinion, a large part of its value comes from the fact that it has been endlessly beaten-up since 2009 and remained resilient--bitcoin has in fact grown by leaps and bounds in spite of the world's efforts to thwart it.

Bitcoin is powerful because it is simple and robust.  

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
aminorex
Legendary
Activity: 1288
Sine secretum non libertas
April 17, 2014, 08:54:15 PM
 #51

Side-chains could be used to mitigate what I deem the biggest vulnerability of bitcoin:  Centralization of mining.  The approach is simplicity itself:  Move mining to a side-chain.  All coin issuance occurs on the side-chain.  The side-chain has a proportionately smaller block reward and higher block rate.  

Why is this desirable?  Mining is centralized primarily as a result of pooling.  Reducing the variance problem reduces the incentive to pool.  Joining smaller pools is then more acceptable to miners.  Since miners do not want bitcoin to be vulnerable to attack, they move to smaller pools.  

The only reason I can imagine why anyone would object to this change, all else being equal, is that they are planning to attack the network.  In practice there are some other possible objections and difficulties to overcome, but they seem relatively minor in comparison to the envisioned benefit.

I see this as a way to incrementally recover the decentralized mining feature present in the Satoshi model originally, but which is gradually being lost as a result of technological change.


Give a man a fish and he eats for a day.  Give a man a Poisson distribution and he eats at random times independent of one another, at a constant known rate.
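
The variance argument in the post above, worked through as an added example (not code from the thread): with block discovery modelled as a Poisson process, a chain that runs R times faster and pays 1/R of the reward per block keeps expected income unchanged while the hash-rate share needed to reach a given payout variance shrinks by a factor of R. The 25 BTC reward, the one-week window of 1008 main-chain blocks and the function names are assumptions.

```python
import math

def solo_stats(share, window_blocks, r, main_reward=25.0):
    """Payout statistics for a miner (or pool) holding `share` of total hash
    rate over `window_blocks` main-chain block intervals, when mining happens
    on a chain that is r times faster and pays main_reward / r per block."""
    lam = share * window_blocks * r       # expected number of blocks found
    reward = main_reward / r              # proportionately smaller reward
    mean = lam * reward                   # equals share * window * main_reward
    std = math.sqrt(lam) * reward         # Poisson: variance of count = lam
    return {
        "mean": mean,
        "cv": std / mean,                 # relative spread = 1 / sqrt(lam)
        "p_nothing": math.exp(-lam),      # chance of finding no block at all
    }

def min_share_for_cv(target_cv, window_blocks, r):
    """Smallest hash-rate share whose payout over the window has a
    coefficient of variation of at most target_cv."""
    # cv = 1 / sqrt(share * window * r)  =>  share = 1 / (cv^2 * window * r)
    return 1.0 / (target_cv ** 2 * window_blocks * r)

if __name__ == "__main__":
    week = 1008                           # main-chain blocks in one week
    for r in (1, 10, 60):
        s = solo_stats(0.001, week, r)    # constructed miner with 0.1% share
        need = min_share_for_cv(0.10, week, r)
        print(f"R={r:>2} mean={s['mean']:.2f} BTC cv={s['cv']:.2f} "
              f"P(no block)={s['p_nothing']:.3g} share for 10% cv={need:.2%}")
```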
johnyj
Legendary
Activity: 1834
Beyond Imagination
April 21, 2014, 12:24:35 AM
 #52

For me it seems this is just another way to steal the bitcoin from the blockchain, like mastercoin did ;D

And the blockchain will become the babysitter of all those side chains, constantly checking their heartbeat...

I think the improvement should be downward, e.g. modularize the core and make the protocol level code as simple and robust as possible. Don't you think the bitcoin protocol is already too complex? Raised level of complexity is always a danger.

Scalability is the only valid reason side chain is supported. But as I understand, the limitation is on P2P network broadcasting speed. A side chain could only provide as many transactions per minute as the blockchain, so a scale of 10x will require 10 different new side chains, and the exchange between all these chains will be troublesome, since you can't send some sidecoin1 to sidecoin2's wallet, you have to convert them back to bitcoin and convert again to be able to do a transaction.

aminorex
Legendary
Activity: 1288
Sine secretum non libertas
April 21, 2014, 02:53:43 AM
 #53

Quote
A side chain could only provide as many transactions per minute as the blockchain...

That's not true.

Give a man a fish and he eats for a day.  Give a man a Poisson distribution and he eats at random times independent of one another, at a constant known rate.
johnyj
Legendary
Activity: 1834
Beyond Imagination
April 21, 2014, 10:50:13 AM
 #54

Quote
A side chain could only provide as many transactions per minute as the blockchain...

That's not true.

http://www.tik.ee.ethz.ch/file/49318d3f56c1d525aabf7fda78b23fc0/P2P2013_041.pdf

aminorex
Legendary
Activity: 1288
Sine secretum non libertas
April 21, 2014, 01:54:40 PM
 #55


There is a difference between "does not"  and "can not".  The current software implementation is described by the first.  The second describes the design space.  As no side-chain implementation exists, it would be odd to discuss a prospective implementation in the former terms.  If mining is done on a side-chain, then block times in expectation can trivially be any integer (R) fraction of the main chain block time in expectation.  AuxPOW blocks would be mined once in R blocks on the fast chain.

Give a man a fish and he eats for a day.  Give a man a Poisson distribution and he eats at random times independent of one another, at a constant known rate.
Peter R
Legendary
Activity: 1050
August 02, 2014, 06:11:37 PM
 #56

Quick question: is there a white paper that describes in full detail how sidechains could be implemented?  Or perhaps a thread somewhere?  I've never actually seen a complete proposal.  

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
sickpig
Legendary
Activity: 1218
August 04, 2014, 06:14:51 AM
 #57

Quote
Quick question: is there a white paper that describes in full detail how sidechains could be implemented?  Or perhaps a thread somewhere?  I've never actually seen a complete proposal.

No, there's no publicly available whitepaper that I'm aware of.

Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.
kolinko
Member
Activity: 91
August 05, 2014, 04:16:44 PM
 #58

Quote
Quick question: is there a white paper that describes in full detail how sidechains could be implemented?  Or perhaps a thread somewhere?  I've never actually seen a complete proposal.

Right now distributed oracles seem the only possibility:

https://github.com/orisi/wiki/wiki/Orisi-White-Paper - a paper describing m of n oracles + a few words on how it can be used for sidechains
https://github.com/orisi/wiki/wiki/Mastering-Distributed-Oracles - a tutorial through the Orisi oracles
http://gavintech.blogspot.com/2014/06/bit-thereum.html - Gavin Andresen explaining why M of N oracles might probably be the best solution for sidechains

Distributed oracle sidechains have an obvious problem that you have to trust a selected number of entities to support the network. On the other hand they have two big benefits:

- they require no changes in bitcoin protocol
- it's possible to create a non-blockchain sidechain ;) e.g. you could create a ripple-based bitcoin sidechain, or you could create a sidechain that keeps its data within a tomp2p database
bybitcoin
Hero Member
Activity: 672
August 07, 2014, 10:34:37 PM
 #59

Quote
Quick question: is there a white paper that describes in full detail how sidechains could be implemented?  Or perhaps a thread somewhere?  I've never actually seen a complete proposal.

Right now distributed oracles seem the only possibility:

https://github.com/orisi/wiki/wiki/Orisi-White-Paper - a paper describing m of n oracles + a few words on how it can be used for sidechains
https://github.com/orisi/wiki/wiki/Mastering-Distributed-Oracles - a tutorial through the Orisi oracles
http://gavintech.blogspot.com/2014/06/bit-thereum.html - Gavin Andresen explaining why M of N oracles might probably be the best solution for sidechains

Distributed oracle sidechains have an obvious problem that you have to trust a selected number of entities to support the network. On the other hand they have two big benefits:

- they require no changes in bitcoin protocol
- it's possible to create a non-blockchain sidechain ;) e.g. you could create a ripple-based bitcoin sidechain, or you could create a sidechain that keeps its data within a tomp2p database

Thank you very much for the links, time to read!
rapport
Full Member
Activity: 141
August 10, 2014, 05:45:06 AM
 #60

Quote
Quick question: is there a white paper that describes in full detail how sidechains could be implemented?  Or perhaps a thread somewhere?  I've never actually seen a complete proposal.

From Adam Back himself a few days ago
http://www.reddit.com/r/Bitcoin/comments/2ci1hm/bitcoin_development_sidechains_vs_treechains/cjgkdns
this is all that has been released:
http://sourceforge.net/p/bitcoin/mailman/message/32108143/
