Transcript of a talk by Bitcoin Unlimited developer Andrew Stone (Chinese-English parallel text)
Chapter 1: Andrew Stone - FSH blocks: A method to trial and deploy features into the Bitcoin blockchain
I want to talk about a different extension of block.
Bitcoin has a serious problem, which is how to upgrade its network. Whether you are a segwitter or a big blocker, this problem has been in your face for the last two years. In order to convince people, you have to convince people this code works. How can you do this?
You could have a sandbox, like a testnet, altcoin, layer 2 network or hard/soft fork. There are also people who believe that it's unnecessary to upgrade Bitcoin at all.
Here I put a piece of Radio Shack on which all the items were 90's and have been upgraded.
The promise of Bitcoin beyond gold is that it is a technology that is upgraded and it has a limited supply.
Here is the problem of current approaches.
1. The problem with sandbox is that its use cases are artificially limited.
Nothing at stake. No one can steal money from you. It means no one will even try to hack the code. No black/white hat attention. If you are a security researcher and you found a bug on testnet, that is not the same thing as finding a bug on Bitcoin's main network.
2. Problem with testing altcoin:
We could test a lot of things on altcoins. So why do we not ask Vitalik to shut off Ethereum since he has proven it works? Why not turn it off and bring it to Bitcoin? So the problem is that you created a competitor. Who cares? I am not a Bitcoin maximalist and we can just transfer to new cryptocurrencies every day.
I am not an economist but currency stability is really important; you really don't want to change your currency every decade. It's like rolling dice, and early adopters have more advantages. Another problem is that it's not a real implementation; you have to move it onto Bitcoin.
Problem with hard and soft forks: some people believe upgrading Bitcoin is upgrading an airplane in flight. It's like upgrading an airplane in flight and all the passengers are like members of the Worldwide Wrestling Federation, and they attack each other while the upgrading is happening. This is what is happening today.
4. The biggest problem with layer two is that everything that works on layer two will work better on an upgraded layer one with the same layer two features.
Extension blocks is not a new idea; I just want to make sure everyone knows that.
Here is how it works. Here is a Bitcoin block, and somewhere in there you cram a hash, right, of another block, and through some additional protocol layer or a completely separate protocol, you pass the information in the block. But the Achilles' heel is that in order to have extension blocks, you must have miners all agree to start mining that.
What I want to talk about today is an idea I call FSH extension blocks. The idea is we can trial extension blocks on a reduced security model, basically a federated model. Without changing a line of code, we can move that block to either a soft or hard fork if the block gains economic use, if it's not full of bugs.
The advantage: it doesn't create a competing altcoin. It has permissionless deployment in trial. You are using real money, seamless transaction to soft and hard fork.
Actually, in my talking with some altcoin startup companies, they actually prefer this idea over a separately mined system. For a company doing a separate blockchain, the question is do they really have to maintain hashpower. And if the public maintains hashpower, there's a certain loss of control.
Here is phase one: federated signed extension block.
You create a Bitcoin transaction, and create two addresses: one is an ingress address, one is a holding address. They are both multi-sig addresses that are signed by people who are underwriting this proposed feature. And obviously these people would be companies or publicly named individuals. So here the trust model is you are trusting these people; you believe the majority of signers are honest.
This is indicating a sort of UTXO, and an individual might pay to an ingress address, and then a single transaction is made which contains an input, incoming funds, and something I call a continuity address. A continuity address is basically an output from the previous FSH transaction. What that simply does is order the blocks.
And then on the output side, you have an outgoing payment. People are withdrawing money from the extension block system. And if your incoming funds are greater than outgoing, then you might want to make payments to this holding address. And then your continuity address would go to the next block, and finally the extension block pointer.
The continuity address creates a chain of blocks. If the signer creates an FSH transaction, but for some reason it is not committed to the blockchain, such as low fees, and then you create another blockchain and now both of them get committed to that blockchain, you suddenly have a problem where the FSH block is inconsistent with the blockchain. But by creating a continuity address that gets spent on each new transaction, you ensure that only one of the two transactions can be spent on the blockchain.
In previous extension protocols, there was an issue that the transaction is not atomic. E.g. the extension block address has to be the last transaction in a block, but we can't control that, because we are doing it in a permissionless way. So we don't necessarily have the control of any miners. So by having the ingress address separate and paying to a holding address, we know that a single transaction that contains the UTXO inputs and all the spends and the extension block pointer sort of atomically creates an extension block which must be consistent with the money flows on your Bitcoin side.
Here are some use cases. Let me start with an example. I recently had some solar installed on my roof. In the US, you get the renewable energy credit.
So if you're a dirty company and you burn coal then you have to buy these credits from people who produce solar. So how do they track these renewable energy credits? They have a dial that goes around in circles. And I guess someone is going to come into my house and look at the dial once. And then every quarter I'm going to take a photograph of the dial. And I can't Photoshop that photograph or anything, right. Okay, so this could be a blockchain application, right.
So let's imagine that this device stores these renewable energy credits on a blockchain. So if we use the public blockchain the problem is like the Ethereum ICO happens and transactions are blocked for three days. How is this gonna work? I think we heard about Yours and they were recently really worried about Bitcoin fees. But switching to Litecoin is just increasing the block size by a factor of four, so if Litecoin overtakes Bitcoin they could be in the same situation in a few years. (Of course, Litecoin cannot possibly overtake Bitcoin.) Again you need to solve that problem.
I think Doctor Wright's solution is to have absolutely unlimited blocks. I would love that, but this is a way that maybe we can kind of shard the Bitcoin network into these app coins, because I think some people find unlimited blocks unpalatable. So while there's no block space competition you also don't have to rely on miners. Here it means you don't have to generate your own mining capacity; you can just use the Bitcoin mining system.
So it's a public blockchain though, so there are fewer billing disputes.
Here are the users' advantages:
If you had a private chain, the issuer could just rewrite the blocks. He could just rewind the blockchain, sign a hundred additional blocks and you have a new longest chain, right. But by committing extension blocks to the public blockchain, there will be no history rewrite. You also have Bitcoin moving in and out of your extension block so that you could easily trade these renewable energy credits for Bitcoin.
Although I haven't done the math for scaling, I do believe like Dr. Wright that Bitcoin on chain could scale for all the economic activity in the world eventually, but could it scale for every single app coin that every single person creates for any silly use? I don't really know about that.
So one advantage of these extension blocks is that they are domain-specific. And finally, a huge unsolved problem that always happens with your bank statements and e-statements is that you get an e-statement and when you click on it, it brings you to the bank site and they show you your statement. But there's no guarantee they haven't changed that statement. They might have already rewritten the last five years of statements. So you can easily turn a blockchain into a sort of e-statement system.
Phase two: soft fork
The next step is to move this system into a soft fork. The way that the segwit soft fork works is this anyone-can-spend idea. Although anyone can spend the transaction, the miners enforce only the spends that are consistent with the segwitted extension block. So let me observe that I can turn this multi-sig transaction into an anyone-can-spend transaction simply by publishing the private keys; then all of a sudden anyone can spend this, and the miners have to enforce it. So we have a protocol here, or a social set of steps:
Step one: to make this work, first of all miners agree on a fork activation block. They could use any form of voting protocol.
Step two: miners will begin enforcement. They would do a soft fork. And what are they enforcing?
The FSH ingress address is only spent as the input to these FSH transactions that contain a pointer to the FSH blocks. The holding address is only spent as input as well, and then the ingress and the holding are consistent with the contents of the extension block.
Step three: this is something that actually goes beyond the security model for segwit. Signers, before they publish private keys, could actually test the network to see whether it's actually enforcing the soft fork. They could post some invalid spends, some bad blocks and inconsistent items to see if the network actually rejects those. If it doesn't, then you know we are still assuming that those signers are sort of the benevolent dictators of the extension block, so presumably that money is not lost.
Finally, when they're satisfied that the network is properly enforcing the soft fork, signers simply publish the private keys so then the miners can produce their own extension blocks. So it's quite simple. As you can see, we move from a federated model to a soft fork without changing a single line of code.
Phase three: hard fork
So step three is the hard fork. In this case whether you could do a hard fork doesn't depend on the contents of your extension block. The FSH block must be blockchain capable: a Bitcoin V2 block. In other words, it can be mined. It has proof-of-work.
Then miners choose a V1 (new) block height. They stop mining V1 blocks (original blocks) and start mining FSH blocks. So the old blockchain is essentially abandoned, and the extension block becomes the new blockchain. And of course your extension block should accept legacy Bitcoin transactions and all this stuff. So your extension block needs to be fully featured.
You could also do a soft-hard fork?
So basically what you would do in this case is you just enforce in the software, you create a valid Bitcoin block, but it doesn't contain any transactions other than ones that move money into your extension block. I don't know if you guys are familiar with the soft-hard fork concept. The idea is to use a soft fork to force everyone into a hard fork.
Bitcoin Unlimited extension block (22:58)
Now that we can deploy an extension block, what should we do?
Block height
TX commitment
UTXO commitment
pay to next block (for example, at Coinbase you could designate some of the fees that you got in the current block and offer it to the subsequent block)
2 nonces
UTXO commitment
BU extension block hash pointers
We might as well reconsider what hashing algorithm we're using for a lot of stuff.
Cryptographic pointers use blake2 256
Addresses use blake2 160
See Zcash for reasons
BU extension block mining (for details, see the slides at 25:55)
Here is a problem. If you are simultaneously mining an extension block and also periodically committing to a Bitcoin block, what incentive does the committer have to commit the latest block in your extension chain? Why doesn't he just commit the unmined prior block?
The end of Bitcoin where there's no more Bitcoin fees, so the question is, if you had unlimited blocks, why would anyone extend the Bitcoin blockchain? Why wouldn't they just take all of the transactions in the prior block and all the ones in the mempool and create a new block with those? And then the next guy, instead of building on top of that, just takes all of the transactions in that block and all the new ones in the mempool and creates another block. So you have the same problem, which is the extension block signers might ignore mined extension blocks and just use the next block on the Bitcoin blockchain, skipping all the others.
So what I'm going to do is create an economic incentive mechanism to encourage people to include the latest block on the chain. To do that I want to create a fee pool in the blocks and the ability to pay some transaction fees forward to another block. A fee pool is the idea that instead of taking all of the TX fees for yourself you would put the value in a pool and then every block that's mined gets a fraction of that pool, for example 1:1000.
BU extension block fees
So what we would do here is change the way that fees are paid, and use a decay function to determine how much of the fee is paid to the miner of a particular block and how much is paid into the pool. So what I have there is about 10 minutes, and then you can see we never want to pay 100% of the fee to the miner, to avoid this fake fees situation, so 90% if you mined the block right away, and then that comes down to zero in ten minutes. If you're able to mine a block very quickly after the transaction was created, then you reap most of the fees. But if you are not, then the fees go to the fee pool. It is not that bad.
If your hash power is 10% you're going to get that back eventually, but what happens is you don't get a bonus for mining rapidly. The idea of mining transaction fees, I believe, is to encourage miners to commit transactions to blocks rapidly. And what it also does is it would mean that miners who are mining the blocks in between Bitcoin blocks can gain the fees up here, so then they can pay off this much to the next block, and in the end by producing more blocks you actually hit the fee curve higher than you would if you created blocks every ten minutes. So by creating more blocks you're actually able to give more money to the miner who's mining the FSH transaction block that's connected to the Bitcoin blocks. You might say that a miner could cheat and change his block time to maximize fee payout.
But that's actually fine. Because if you did that you would have to leave transactions that occur after your block time unmined, so there's an incentive to move your block time backwards to include more transactions in your block. I think I haven't worked out the game theory but it seems pretty clear that this is not going to affect the system tremendously.
BU Extension Block Transactions (34:00)
So let's talk about what a transaction would look like. The first thing that I just talked about is how the fee would be relative to how soon a block was able to put the transaction in the block. Because of that we definitely need a time when the transaction was created, or when it first becomes valid. So we know Bitcoin today has this idea of end time where you can create a transaction which won't be valid until a certain number of blocks have passed, or a certain time, so we can combine these two concepts and call it valid at time.
One thing to note here: one thing to consider is to forget about the scripting system. I'm not saying remove scripting entirely, because we still have the main chain blocks. But most of the transactions don't really use the scripting system, so we can actually save a bunch of bytes by creating a simple multi-sig transaction format where you just specify the number of signatures needed to sign and then the set of addresses.
Finally, this is an interesting concept which I think we can possibly apply to Bitcoin today. An outpoint contains a transaction ID and an index. If a transaction ID is 32 bytes, and we replace that with instead the block height of the UTXO and then the transaction ID and the index, then instead of 32 bytes you end up with maybe 12 bytes, so that actually saves a lot of space. And it has an additional feature, which is that it solves the fraud proof problem because the transaction is specifically indicating exactly where it is located in the blockchain, so you don't have to search through the entire blockchain for the prior transaction. Now the big disadvantage though is that you can't talk about these transactions then until they're committed to the blockchain. This might create some issues for the layer 2 people, but again this is an extension block, right, meant for some specific implementations. And then perhaps you could also have allowed a standard outpoint so that the inputs would look like outputs. I like the P2SH format, so you just create an output in the new hash and you include that hash. The advantage is that instead of carrying a whole bunch of addresses through the UTXO you just have one 32 byte hash, so it makes your UTXO a little bit smaller.
And then how would you sign these transactions? Let's play a little trick with the signing. The first thing is this TXO triple here, so you could imagine a really, like, directed blockchain reorg, maybe an attack, which would try and re-mine a transaction, and replace one with one with a different height, so what you'd want to do is sign all this, and then you also want to include the transaction hash as well in the signature.
Never mind, let me put it another way. The reason this is called a "trick" is that you could kind of submarine data inside of a transaction by including it in what's signed, but not including it in the transaction itself. The first use for that was to include the value of the prior input in the signature. The reason why you would want to do that is so that a light wallet, like a hardware wallet, could sign a transaction with these values and it doesn't have to check the blockchain to make sure that the previous input values are real, because if they were incorrect then the signature would fail.
So we'll do that for two things. We'll add both the transaction hash and the input value, and then you sign that hash, and the transaction hash would just be the hash of outputs and the inputs. This signing and hashing scheme would solve transaction malleability and the quadratic signature hash problem.
Transaction Advantages:
I did a little bit of calculating. If you use some of those tricks I was talking about, then if you create a standard transaction with one input and two outputs you get 157 bytes; the current Bitcoin uses 226 bytes.
In Bitcoin today, what if you use this trick instead of storing the outpoint as transaction ID and index? What if, in all cases where you could possibly store it to the database, you stored it and sent it to each other as block index transaction ID? I think you would save this exact same amount, and the sort of detriment would be you don't have to look up these transactions in the blockchain, but you have the blockchain because you're a full node.
So I think that could save us a lot of space in the blockchain. Of course our problem is not the size of the blockchain, although some people like to argue that, because as Dr. Wright was saying hard drives are so cheap these days.
Source code:
I've written a lot of this and I have, you know, these extension blocks being created in regtest and testnets and things like that. But I did it in Python because I want to just create a reference implementation that's simple to read. What I haven't done is the p2p protocol layer.
Question: Regarding your fee pool proposal, I actually did a few calculations myself with a more simplified version of that. And my conclusion was that the security lowered from 51% to 38.2%. I'm just curious if you did any calculations regarding how secure that fee pool system is?
Speaker: Why would you think that the fee pool would lower the security?
Questioner's answer: Because you just mentioned in your talk that a big miner can mine many blocks in a row. A big miner that mines a few blocks in a row, then he can publish a chain that he's dealt mines while orders of mining the main chain.
Speaker: I haven't, like, considered that. It would seem to me intuitively that since the large miner is giving fees away to future miners, it would actually be worse for him to do that, not better. I would like to see your reasoning on that.
Speaker: Bitcoin's design is that a transaction has 1 input and 2 outputs, and so Bitcoin uses 226 bytes to do that, approximately. But if you use the TXO triple as your inputs you're saving a lot of bytes.
