Gold collapsing. Bitcoin UP.

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
Another way to look at this is to consider the value of the information contained in the regular block, compared to the value of the information contained in the signature block. To the receiving miners, you could say that the information in the regular block has a value equal to the fees they could include if they had that information (a few BTC). On the other hand, the information in the signature block has a value equal to the block reward multiplied by the probability that the previous block was invalid (~12.5 BTC * 0.0001 = a few milliBTC).
 

Zangelbert Bingledack

Well-Known Member
Aug 29, 2015
1,485
5,585
@go1111111

I don't believe I said miner and user interests are perfectly aligned (and my answer to your two questions about companies are both "no").

The original quote of mine you were looking at was from a Slack discussion where I was explaining to a Core supporter how Bitcoin's incentive structure is supposed to work, i.e., that the incentive structure is designed to be sound (essentially "Bitcoin-economy-pleasing") as long as the majority of miners are intelligently profit-seeking.

I did not intend the claim to be taken as "Bitcoin's design definitely implements that condition properly/perfectly." I was just claiming that insofar as we are assuming Bitcoin works - as we bitcoiners generally are when arguing about issues *within* Bitcoin - we take it as a contextual assumption that that condition holds (i.e., the context of such discussions is "Bitcoin's design is not broken" and I was saying that is Bitcoin's design).

It's certainly quite conceivable that Bitcoin as designed lacks something necessary to ensure that the condition - that the hashpower majority being intelligently profit-seeking is sufficient to ensure the market remains happy, or at least not upset enough to risk a PoW change - holds. In other words, it is certainly possible that Bitcoin as designed is insecure and should be repaired (or even may be a lost cause).

So when you made a claim of that type, which I regard as a claim that Bitcoin may currently be broken, that switched the context from one where we are talking under the assumption that Bitcoin's design isn't already a broken one, the usual context in the blocksize debate, to one where that assumption is the very thing being questioned.

Since we are both bitcoiners, I was curious in passing if you had a particular reason for thinking that, other than the usual types of issues about mining cartels and bribing miners, etc., maybe having a novel take. I am not saying there is no such scenario that works, but I kind of lost interest in thinking about such things in 2012-2013 or so after the nth go-around.

Of course if many people think they have found a new specific reason why Bitcoin is a broken system, by referencing that type of scenario (cartel arrangement, etc.), I'd feel like it was worth it to game out that specific scenario in detail.
 

go1111111

Active Member
@Peter R, good summary of the issue/argument. A few thoughts:

In the current situation, miners don't need to actually validate blocks. They can just download them, see how they update the UTXO set, and never validate. The difference in incentives under SegWit depends on the relative costs of downloading vs. validating transactions.

If downloading is the main cost, then forcing everyone to download the full block before they can start including transactions results in less incentive to skip validation, since validation is cheap and the miner already did the hard part.

If validation is the main cost, then we would expect incentives in the current situation to be similar to how they'd be post-SegWit.

In post-SegWit world, miners do have less incentive to send the signatures in a timely fashion, but I believe they still have "enough" incentive, for the following reason:

If I'm mining, and minerA sends me a block with no signatures, then minerB sends me a block with signatures, I'll switch over to mining on minerB's block. It doesn't cost me anything to switch, and I get more assurance that my block won't be orphaned. Even if minerA immediately sends me their signatures when they see that minerA sent their signatures out, I will still want to switch to minerB's block to punish minerA for being antisocial. Switching doesn't cost me anything, and it encourages a healthier, more valuable network. (Bitcoin is more valuable when blocks are publicly verifiable).

Further, what is the claimed incentive for the delaying miner to keep his signature data private for longer? Is the idea that this miner will eventually want to start mining invalid blocks, and he's priming the community to be vulnerable to this? What's the endgame here? That users will eventually just accept invalid blocks because it'd be too much of a hassle to unwind the chain?

Ask yourself: if you woke up tomorrow and you saw that the current longest chain had an invalid block from 8 hours ago, where a miner stole the funds of some random address, but the mining majority kept mining on this chain, would it change how you value tokens on that chain?

Another thing to note is that there's sort of an 'efficient market hypothesis' for miners wanting to validate blocks. When invalid blocks are so rare that they almost never happen, then the value of knowing whether the current chain is valid is low, because you can assume with high probability that it's valid. When miners start mining invalid blocks occasionally, the signature information becomes valuable since it lets you eliminate the risk of mining on an invalid chain. In that sense, this alleged problem is self-correcting.
 

xhiggy

Active Member
Mar 29, 2016
124
277
I agree that they have enough incentive to broadcast witness data in the typical case.

3. With segwit transactions, because the "witness is segregated," this is no longer true. A miner can update his UTXO set and begin mining non-empty blocks without the signature data.
The danger I am seeing is that many blocks get found before the downloading and validation of witness data. Normally this would result in an empty block being mined, but with Segwit you can still claim the fees if you publish a block without checking the witness data. This is a change in the incentive structure of Bitcoin.

Let's imagine that 4/5 blocks are found quickly in a row and we have a full mempool. These blocks will be full of unvalidated transactions. Eventually people will prepare for this eventuality and look to take advantage and steal coins. It could be discovered that, during this period of rapid block discovery, an invalid transaction is included and the owner didn't notice until they went to spend it, say next week. Then the incentive is either for the miner to re-issue bitcoin to them directly, or just create a new UTXO set that erases the invalid transaction.

How will they get this 'valid' UTXO set? Why from the Core controlled nodes of course.
 

Zangelbert Bingledack

Well-Known Member
Aug 29, 2015
1,485
5,585
@go1111111 So how about the situation where Miner A withholds the witness for a certain amount of time for whatever reason (bribe, attack, malfunction, etc.) and you mine atop Miner A's witness-free (signature-less) block since it's usually more profitable, and then you find a block on top of it before Miner B sends you one? Aren't you now kind of in on it?
 

AdrianX

Well-Known Member
Aug 28, 2015
2,097
5,797
bitco.in
> Ask yourself: if you woke up tomorrow and you saw that the current longest chain had an invalid block from 8 hours ago, where a miner stole the funds of some random address, but the mining majority kept mining on this chain, would it change how you value tokens on that chain?

As long as my LN channels and the trillion dollar economy built on top of that was not threatened I would say that was OK (too big to fail). It may be a good time to call bitcoin broken and find a new way to secure the LN network. ;)

A miner with just 5% can mine such a block, so it could be injected to catalyze demand to change how layer 2 solutions are underwritten.
 

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
> Ask yourself: if you woke up tomorrow and you saw that the current longest chain had an invalid block from 8 hours ago, where a miner stole the funds of some random address, but the mining majority kept mining on this chain, would it change how you value tokens on that chain?

Yes, of course. The segwit coins would be less valuable than standard bitcoins, due to their reduced security. There would be a stampede out of segwit coins back into standard bitcoins.
 

jbreher

Active Member
Dec 31, 2015
166
526

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
@jbreher: You're on the members list, for example your name is here on the new website.

However, I believe BU only has a PGP pubkey for you, and not a bitcoin signing address. The issue is that the voting system only works with Bitcoin-signed messages and so only members who have supplied bitcoin signing addresses can vote through that site. (It would be more development cost and complexity to support multiple digital signature schemes.)

We really want to list everybody as soon as possible and before the next vote, so please post a message here along with your bitcoin signing address to get listed.

/cc @awemany
 

go1111111

Active Member
> Let's imagine that 4/5 blocks are found quickly in a row and we have a full mempool. These blocks will be full of unvalidated transactions. Eventually people will prepare for this eventuality and look to take advantage and steal coins.

Note that it would still probably take less than 30 seconds to validate 5 blocks, even if blocks were 8 MB. So the coin stealing would still be obvious to any full node in under a minute. So "stealing" coins only works for a very brief period unless users stop caring about block validity. You could still trick SPV nodes into thinking you had 5 valid confirmations, for about 30 minutes, but you could do the same today if 5 blocks were rapidly found on an invalid chain. This attack only gets more effective under segwit if people care less about invalid blocks under SegWit. That's what I see as the weak link in this line of argument.

> It could be discovered that, during this period of rapid block discovery, an invalid transaction is included and the owner didn't notice until they went to spend it, say next week.

The rest of the economy would notice in a matter of seconds, and the invalid chain would get reorged in ~30 minutes.

> Then the incentive is either for the miner to re-issue bitcoin to them directly, or just create a new UTXO set that erases the invalid transaction.

This seems to be mixing up the user's state of knowledge of the chain, with the chain that would actually be built on. The user thinks the invalid blocks are valid for a full week only because the user doesn't check the chain after seeing the 5 confirmations. The rest of the network knows almost immediately that this chain is invalid.

> @go1111111 So how about the situation where Miner A withholds the witness for a certain amount of time for whatever reason (bribe, attack, malfunction, etc.) and you mine atop Miner A's witness-free (signature-less) block since it's usually more profitable, and then you find a block on top of it before Miner B sends you one? Aren't you now kind of in on it?

If you discover that you're mining on an invalid chain, and you keep mining on it, then sure. If you discover minerA's block was invalid and you then switch to a valid chain, then I don't think it makes you in on anything sketchy. As long as users care about which chain is valid, it's more profitable for me as a miner to abandon any chain as soon as I find out it's invalid.

Again, the questionable premise that all these arguments rely on is that users will not care about the rules of the chain they're on.

> Yes, of course. The segwit coins would be less valuable than standard bitcoins, due to their reduced security. There would be a stampede out of segwit coins back into standard bitcoins.

My hypothetical wasn't about SegWit. Imagine you woke up tomorrow and saw that a miner had stolen from just a regular Bitcoin address, and all the other miners were mining on this chain. Would it change how you valued coins on that chain?
 

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
What do you guys think about this argument?

Consider the value of the block information compared to the value of the segwit information, from the perspective of an individual miner. If the dominant mining strategy is to collect the block information (horizontal axes), then each individual miner is better off by F if he too collects the block information (because knowing this information allows him to include F fees in his block candidate). If the dominant strategy is to not collect the block information, then the block information has no value anyways. And so we get the black falling step response shown below.

The case of the segwit extension block is different. Regardless of what the dominant strategy is, the individual miner is pretty much neutral no matter what he chooses to do, because he doesn't need the segwit information to claim transaction fees. And so we get the horizontal dashed orange line at 0.




A Nash equilibrium exists if an individual miner cannot increase his payoff by adjusting his strategy.

In the case of the regular block, two Nash equilibriums exist under this model: a weak equilibrium where most miners aren't collecting the block information and so it doesn't really matter what an individual miner does (bitcoins are insecure or all blocks are empty). And a strict equilibrium where everyone collects the block information (bitcoins are secure).



In the case of the segwit information, there is no longer a strict equilibrium. Instead there is a continuous weak equilibrium where segwit coins may or may not be secure.
 
Last edited:
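
The payoff model in the post above can be checked numerically. The following Python sketch is an added example, not part of the thread; it extends the two pure cases to mixed populations where a fraction q of miners collect the information. It assumes that "dominant" means more than half of the miners, that F = 1.0, and that collecting information costs nothing.

```python
# Added illustration of the payoff model described in the post above.
# Assumptions (not from the post): "dominant" means more than half of the
# miners, F is set to 1.0, and collecting information costs nothing.
F = 1.0  # fees a miner can include only if he has the block information


def regular_block_gain(q):
    """Gain from collecting regular-block data when a fraction q of miners do."""
    return F if q > 0.5 else 0.0


def segwit_gain(q):
    """Gain from collecting witness data: fees can be claimed without it."""
    return 0.0


def classify(gain, q):
    """Classify the profile 'a fraction q collects' as strict, weak or none."""
    g = gain(q)
    # A non-collector (one exists whenever q < 1) switches if collecting pays,
    # so the profile is not an equilibrium.
    if q < 1.0 and g > 0:
        return "none"
    # Strict: every available deviation strictly lowers the deviator's payoff.
    # At q == 1 only collectors can deviate, and dropping out costs them g.
    if q == 1.0 and g > 0:
        return "strict"
    # Otherwise nobody gains by deviating, but somebody is indifferent.
    return "weak"


def equilibria(gain, steps=10):
    """Map each sampled fraction q = i/steps to its classification."""
    return {i / steps: classify(gain, i / steps) for i in range(steps + 1)}


if __name__ == "__main__":
    models = (("regular block", regular_block_gain),
              ("segwit witness", segwit_gain))
    for name, gain in models:
        print(name)
        for q, kind in equilibria(gain).items():
            print(f"  q={q:.1f}: {kind}")
```

Under these assumptions the regular block has weak equilibria only while at most half of the miners collect and a strict one when everyone does, while the witness data is a weak equilibrium at every q.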

xhiggy

Active Member
Mar 29, 2016
124
277
> That's what I see as the weak link in this line of argument.

I was thinking the time to verify problem would come into effect when blocks were quite large. It's very hard for miners to determine how big the blocks should safely be when transactions contribute to two different sized buckets.
 

jbreher

Active Member
Dec 31, 2015
166
526
> please post a message here along with your bitcoin signing address to get listed.

OK, time to parade my ignorance. I am confused by "your bitcoin signing address". I mean, I get that I can use the client wallet to sign messages. But from whence is the key derived? Is it tied to a particular transaction? A particular client (perhaps generated from entropy upon install)? What makes it _my_ bitcoin signing address, and (presumably) immutable and unlosable? Is there a backgrounder you can point me to?
 

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
> My hypothetical wasn't about SegWit. Imagine you woke up tomorrow and saw that a miner had stolen from just a regular Bitcoin address, and all the other miners were mining on this chain. Would it change how you valued coins on that chain?

Yes. I would consider that a failure scenario for Bitcoin.

The point I was trying to make though is that segwit coins are distinct from bitcoins in that they each have different security models. If I woke up one morning and noticed that a miner had "stole" a segwit coin, then that would just confirm my belief that segwit coins are less secure than bitcoins. It wouldn't change my view on the security of bitcoins themselves. That said, I don't think many people would appreciate the nuance here, so--if segwit coins are indeed less secure than bitcoins--I'd rather segwit coins never come into existence in the first place.

> OK, time to parade my ignorance. I am confused by "your bitcoin signing address". I mean, I get that I can use the client wallet to sign messages. But from whence is the key derived? Is it tied to a particular transaction? A particular client (perhaps generated from entropy upon install)? What makes it _my_ bitcoin signing address, and (presumably) immutable and unlosable? Is there a backgrounder you can point me to?

You can use any private key you like. Maybe just make a new one just for BUIP voting. And then post the Bitcoin address associated with that key in the thread I linked to.
 

AdrianX

Well-Known Member
Aug 28, 2015
2,097
5,797
bitco.in
> OK, time to parade my ignorance. I am confused by "your bitcoin signing address". I mean, **I get that I can use the client wallet to sign messages.** But from whence is the key derived? Is it tied to a particular transaction? A particular client (perhaps generated from entropy upon install)? What makes it _my_ bitcoin signing address, and (presumably) immutable and unlosable? Is there a backgrounder you can point me to?

As I understand it

**I get that I can use the client wallet to sign messages.** That's all it is.

It can be any bitcoin address you control, no BTC needed - better to use an empty one. It's just a signed bitcoin message. I have the key imported on multiple devices for ease of use and so I don't lose it.

**What makes it _your_ bitcoin signing address** If you paste that same message on bitcointalk and here, we know with relative confidence that you control that key; once verified, that address is assigned to your name. All votes are then just **wallet signed messages**, verified by the public key assigned to your name.
 

Bloomie

Administrator
Staff member
Aug 19, 2015
511
803
How does this prove that the voter has not hijacked someone else's private key, posted by that person on another message board, for example?
 

adamstgbit

Well-Known Member
Mar 13, 2016
1,206
2,650
@Bloomie

It doesn't.
All it proves is that the signer has the private key.

Generally users will encrypt their wallets.

(Provided the password is strong...) This means the attacker would need to have the private key AND know the password.
 

AdrianX

Well-Known Member
Aug 28, 2015
2,097
5,797
bitco.in
@Bloomie your concerns are not without merit. However, you need to keep voting to stay active, so you can't be MIA for too long. A vote that requires a real world identity will still require a real world identity to prevent sock puppets. Until we have a decentralized identity system this will be a concern.

For now, members voting for members is the best way to try to ensure real people become members - any better ideas are welcome.
 