@go1111111
Here's a simple model to help make my point:
The expected profit per block for a miner with the segwit data is
f(+) = h (R + F) - C,
where h is the miner's relative hash power, R is the block reward, F is the fees he can claim and C is the per-block cost of running his mining equipment.
The expected profit for a miner without the segwit data is
f(-) = h (R + F) (1 - P_invalid) - C,
where P_invalid is the probability that the previous block contained an invalid segwit spend (which he of course can't detect).
I think up to this point everyone would agree.
Now note that if P_invalid << 1, the miner's expected profit does not depend on whether or not he collects the segwit data. (Like we discussed up-thread, the miner's expected profit does depend on whether he collects the regular block data. Without the regular block data, he cannot update his UTXO set and must mine empty blocks, missing out on the fees that he could otherwise claim.)
P_invalid is just the probability that the miner assigns to his block being orphaned if he doesn't know the witness data. We can't really say for sure what that is, but empirically, over the last year I think only a single block was orphaned for being "invalid" out of 50,000+ blocks. So empirically, P_invalid is very small. Even the creators of segwit agree, as they argue that miners can choose to not support segwit and still mine non-segwit blocks (i.e., these miners would be assuming that P_invalid was small enough not to care about).
(1) As the fraction of the network missing witness info goes from 0 to 50%, the value of that info should increase. Not only do you get the fees if you mine a block, but you also can learn immediately if any given block is invalid, which tells you not to mine on it and saves you time/money.
I don't see how the fraction of the network missing the witness info can be measured accurately (except by a miner willing to risk having his "test" blocks orphaned). But assuming it could be, I would argue that if it looks like the majority of the hash power will soon cease supporting segwit -- that is, if it appears the network is going to "phase change" from the "enforce segwit" state to the "don't enforce segwit" state, then individual miners are more likely to want to "side with the hash power majority" and also not enforce segwit. Otherwise, they would risk forking themselves from the blockchain!
(BTW--the miner can get the fees without the segwit data but not without the block data -- that's one of the main pieces of this argument).
The way I see it, if the miners are actually worried enough about blocks that spend segwit TXs without valid signatures (P_invalid is significant) for this to affect their mining strategy, there are then two equilibrium states for the network:
(1) all miners collect the witness data and honour segwit signatures,
(2) no miners do and segwit coins never really "exist" in the first place.
(2) The value of witness info when > 50% of miners aren't using it is still positive, because if users enforce validity and there's higher demand for coins on the valid chain, then either the hash rate majority will move back to a valid chain, or the users will hard fork, starting from the valid chain. So as a miner, it will pay off in the future to stay on the valid chain now. So knowing which is which is valuable.
Like I argued above, possessing and honouring the witness data when the majority of miners don't risks forking the miner off the blockchain. This strategy has a negative expected pay-off (unless you want to argue that he will soon be vindicated as the other miners realize the "errors of their way" and forfeit all the blocks they've mined and return to the minority chain).
As I've said many times before, this entire argument rests on an assumption that users will stop caring about whether blocks are valid, or what the rules are for various chains. I haven't seen this justified anywhere.
It only requires that users view segwit coins as something distinct from bitcoins. If they recognize that segwit coins have a weaker security model than bitcoins, in aggregate they may applaud miners for not honoring segwit transactions. They may view Bitcoin as better without segwit (e.g., I hold the view that Bitcoin is better off if segwit is never adopted).
A lot of people would consider miners just stealing segwit coins as a 'failure scenario' for Bitcoin. I'm one of those people. These other people (and me) would reject any chain containing such a theft, the same way that you'd currently reject any block containing a normal theft. If someone asked you if you wanted to buy some Bitcoins, and gave you the option to buy some on a chain where a regular-Bitcoin theft occurred and a chain where no such theft occurred, I assume you'd prefer the no-theft chain even if the theft-chain was a few confirmations longer. Similarly, me and many other users would prefer the no-SegWit-theft chain.
Yes, I think a lot of people would feel this way. But I think these are people that haven't realized that segwit coins are not bitcoins; they are different by definition:
In the white paper, Satoshi Nakamoto defined a bitcoin
"as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership."
The segwit proposal defined a new type of electronic coin. To transfer a segwit coin, the owner no longer signs the hash of the previous transaction. Instead, she signs the hash of only the part of the previous transaction that does not depend on the previous owner's signature.
The implications of this peculiar detail could be significant. In fact, we know it's significant: it eliminates third-party malleability. However, the implications to Bitcoin's game theory of "segregating the witness" are largely unstudied. Instead it is normally assumed that a segwit coin would have the same security properties as a bitcoin (of course, most people refer to segwit coins as bitcoins despite the differences in the definitions between the two coins). I'm not sure that assumption necessarily holds.
I believe miners would realize this, and therefore they wouldn't steal segwit coins (or if any did, they'd learn the harsh lesson that users control Bitcoin).
Yes, I think this is one of the stable equilibriums.
The other equilibrium is that segwit coins never exist (or exist briefly before being transferred back into bitcoins).
If you don't agree with this reasoning: why do you think Litecoin miners aren't stealing the one million dollar segwit bounty? (https://www.reddit.com/r/litecoin/comments/6azeu1/1mm_segwit_bounty/). Do you think they will eventually steal it? If so, do you want to bet some money on this?
My argument isn't that segwit coins are necessarily insecure. My argument is that segwit coins are not bitcoins and that they have a strictly weaker security model. They may or may not be insecure and it will take a long time to find out for sure.
We know that Bitcoin's game theory works, in that miners are motivated enough to enforce the rules that give bitcoins their properties. We don't yet know whether miners will be sufficiently motivated to enforce the rules that would give segwit coins their properties.
But sure, just for fun I'm happy to bet 1 BTC that either those coins will be stolen, or the owner will worry that they could be stolen and move them, within 1 year.