Re: [bitcoin-dev] User Activated Soft Fork Split Protection

[Tao Effect via bitcoin-dev]

What is the probability that a 65% threshold is too low and can allow a 
"surprise miner attack", whereby miners are kept offline before the deadline, 
and brought online immediately after, creating potential havoc?

(Nit: "simple majority" usually refers to >50%, I think, might cause confusion.)

-Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

> On Jun 6, 2017, at 5:56 PM, James Hilliard via bitcoin-dev 
>  > wrote:
> 
> Due to the proposed calendar(https://segwit2x.github.io/ 
> ) for the
> SegWit2x agreement being too slow to activate SegWit mandatory
> signalling ahead of BIP148 using BIP91 I would like to propose another
> option that miners can use to prevent a chain split ahead of the Aug
> 1st BIP148 activation date.
> 
> The splitprotection soft fork is essentially BIP91 but using BIP8
> instead of BIP9 with a lower activation threshold and immediate
> mandatory signalling lock-in. This allows for a majority of miners to
> activate mandatory SegWit signalling and prevent a potential chain
> split ahead of BIP148 activation.
> 
> This BIP allows for miners to respond to market forces quickly ahead
> of BIP148 activation by signalling for splitprotection. Any miners
> already running BIP148 should be encouraged to use splitprotection.
> 
> 
>  BIP: splitprotection
>  Layer: Consensus (soft fork)
>  Title: User Activated Soft Fork Split Protection
>  Author: James Hilliard  >
>  Comments-Summary: No comments yet.
>  Comments-URI:
>  Status: Draft
>  Type: Standards Track
>  Created: 2017-05-22
>  License: BSD-3-Clause
>   CC0-1.0
> 
> 
> ==Abstract==
> 
> This document specifies a coordination mechanism for a simple majority
> of miners to prevent a chain split ahead of BIP148 activation.
> 
> ==Definitions==
> 
> "existing segwit deployment" refer to the BIP9 "segwit" deployment
> using bit 1, between November 15th 2016 and November 15th 2017 to
> activate BIP141, BIP143 and BIP147.
> 
> ==Motivation==
> 
> The biggest risk of BIP148 is an extended chain split, this BIP
> provides a way for a simple majority of miners to eliminate that risk.
> 
> This BIP provides a way for a simple majority of miners to coordinate
> activation of the existing segwit deployment with less than 95%
> hashpower before BIP148 activation. Due to time constraints unless
> immediately deployed BIP91 will likely not be able to enforce
> mandatory signalling of segwit before the Aug 1st activation of
> BIP148. This BIP provides a method for rapid miner activation of
> SegWit mandatory signalling ahead of the BIP148 activation date. Since
> the primary goal of this BIP is to reduce the chance of an extended
> chain split as much as possible we activate using a simple miner
> majority of 65% over a 504 block interval rather than a higher
> percentage. This BIP also allows miners to signal their intention to
> run BIP148 in order to prevent a chain split.
> 
> ==Specification==
> 
> While this BIP is active, all blocks must set the nVersion header top
> 3 bits to 001 together with bit field (1<<1) (according to the
> existing segwit deployment). Blocks that do not signal as required
> will be rejected.
> 
> ==Deployment==
> 
> This BIP will be deployed by "version bits" with a 65%(this can be
> adjusted if desired) activation threshold BIP9 with the name
> "splitprotecion" and using bit 2.
> 
> This BIP starts immediately and is a BIP8 style soft fork since
> mandatory signalling will start on midnight August 1st 2017 (epoch
> time 1501545600) regardless of whether or not this BIP has reached its
> own signalling threshold. This BIP will cease to be active when segwit
> is locked-in.
> 
> === Reference implementation ===
> 
> 
> // Check if Segregated Witness is Locked In
> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
> Consensus::Params& params)
> {
>LOCK(cs_main);
>return (VersionBitsState(pindexPrev, params,
> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
> THRESHOLD_LOCKED_IN);
> }
> 
> // SPLITPROTECTION mandatory segwit signalling.
> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
> THRESHOLD_LOCKED_IN &&
> !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
> // Segwit is not locked in
> !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
> and is not active.
> {
>bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
> VERSIONBITS_TOP_BITS;
>bool fSegbit = (pindex->nVersion &
> VersionBitsMask(chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>if (!(fVersionBits && fSegbit)) {
>return state.DoS(0, error("ConnectBlock(): relayed block must
> signal for segwit, please upgrade"), REJECT_INVALID, 

Re: [bitcoin-dev] User Activated Soft Fork Split Protection

[James Hilliard via bitcoin-dev]

This is a BIP8 style soft fork so mandatory signalling will be active
after Aug 1st regardless.

On Tue, Jun 6, 2017 at 8:51 PM, Tao Effect  wrote:
> What is the probability that a 65% threshold is too low and can allow a
> "surprise miner attack", whereby miners are kept offline before the
> deadline, and brought online immediately after, creating potential havoc?
>
> (Nit: "simple majority" usually refers to >50%, I think, might cause
> confusion.)
>
> -Greg Slepak
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> On Jun 6, 2017, at 5:56 PM, James Hilliard via bitcoin-dev
>  wrote:
>
> Due to the proposed calendar(https://segwit2x.github.io/) for the
> SegWit2x agreement being too slow to activate SegWit mandatory
> signalling ahead of BIP148 using BIP91 I would like to propose another
> option that miners can use to prevent a chain split ahead of the Aug
> 1st BIP148 activation date.
>
> The splitprotection soft fork is essentially BIP91 but using BIP8
> instead of BIP9 with a lower activation threshold and immediate
> mandatory signalling lock-in. This allows for a majority of miners to
> activate mandatory SegWit signalling and prevent a potential chain
> split ahead of BIP148 activation.
>
> This BIP allows for miners to respond to market forces quickly ahead
> of BIP148 activation by signalling for splitprotection. Any miners
> already running BIP148 should be encouraged to use splitprotection.
>
> 
>  BIP: splitprotection
>  Layer: Consensus (soft fork)
>  Title: User Activated Soft Fork Split Protection
>  Author: James Hilliard 
>  Comments-Summary: No comments yet.
>  Comments-URI:
>  Status: Draft
>  Type: Standards Track
>  Created: 2017-05-22
>  License: BSD-3-Clause
>   CC0-1.0
> 
>
> ==Abstract==
>
> This document specifies a coordination mechanism for a simple majority
> of miners to prevent a chain split ahead of BIP148 activation.
>
> ==Definitions==
>
> "existing segwit deployment" refer to the BIP9 "segwit" deployment
> using bit 1, between November 15th 2016 and November 15th 2017 to
> activate BIP141, BIP143 and BIP147.
>
> ==Motivation==
>
> The biggest risk of BIP148 is an extended chain split, this BIP
> provides a way for a simple majority of miners to eliminate that risk.
>
> This BIP provides a way for a simple majority of miners to coordinate
> activation of the existing segwit deployment with less than 95%
> hashpower before BIP148 activation. Due to time constraints unless
> immediately deployed BIP91 will likely not be able to enforce
> mandatory signalling of segwit before the Aug 1st activation of
> BIP148. This BIP provides a method for rapid miner activation of
> SegWit mandatory signalling ahead of the BIP148 activation date. Since
> the primary goal of this BIP is to reduce the chance of an extended
> chain split as much as possible we activate using a simple miner
> majority of 65% over a 504 block interval rather than a higher
> percentage. This BIP also allows miners to signal their intention to
> run BIP148 in order to prevent a chain split.
>
> ==Specification==
>
> While this BIP is active, all blocks must set the nVersion header top
> 3 bits to 001 together with bit field (1<<1) (according to the
> existing segwit deployment). Blocks that do not signal as required
> will be rejected.
>
> ==Deployment==
>
> This BIP will be deployed by "version bits" with a 65%(this can be
> adjusted if desired) activation threshold BIP9 with the name
> "splitprotecion" and using bit 2.
>
> This BIP starts immediately and is a BIP8 style soft fork since
> mandatory signalling will start on midnight August 1st 2017 (epoch
> time 1501545600) regardless of whether or not this BIP has reached its
> own signalling threshold. This BIP will cease to be active when segwit
> is locked-in.
>
> === Reference implementation ===
>
> 
> // Check if Segregated Witness is Locked In
> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
> Consensus::Params& params)
> {
>LOCK(cs_main);
>return (VersionBitsState(pindexPrev, params,
> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
> THRESHOLD_LOCKED_IN);
> }
>
> // SPLITPROTECTION mandatory segwit signalling.
> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
> THRESHOLD_LOCKED_IN &&
> !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
> // Segwit is not locked in
> !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
> and is not active.
> {
>bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
> VERSIONBITS_TOP_BITS;
>bool fSegbit = (pindex->nVersion &
> VersionBitsMask(chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>if (!(fVersionBits && fSegbit)) {
>return state.DoS(0, error("ConnectBlock(): relayed block must
> 

Re: [bitcoin-dev] User Activated Soft Fork Split Protection

[James Hilliard via bitcoin-dev]

You need a majority of miners enforcing BIP148 upon BIP148 activation
to prevent a split, not just a majority signalling segwit. This
provides a miner coordination mechanism for BIP148 mandatory
signalling enforcement.

On Tue, Jun 6, 2017 at 8:11 PM, Karl Johan Alm
 wrote:
> One thing about BIP148 activation that may be affected by this is the
> fact that segwit signalling non-BIP148 miners + BIP148 miners may hold
> majority hash power and prevent a chain split. With this SF, that will
> no longer be the case, right? Or am I completely confused on the
> subject?
>
> On Wed, Jun 7, 2017 at 9:56 AM, James Hilliard via bitcoin-dev
>  wrote:
>> Due to the proposed calendar(https://segwit2x.github.io/) for the
>> SegWit2x agreement being too slow to activate SegWit mandatory
>> signalling ahead of BIP148 using BIP91 I would like to propose another
>> option that miners can use to prevent a chain split ahead of the Aug
>> 1st BIP148 activation date.
>>
>> The splitprotection soft fork is essentially BIP91 but using BIP8
>> instead of BIP9 with a lower activation threshold and immediate
>> mandatory signalling lock-in. This allows for a majority of miners to
>> activate mandatory SegWit signalling and prevent a potential chain
>> split ahead of BIP148 activation.
>>
>> This BIP allows for miners to respond to market forces quickly ahead
>> of BIP148 activation by signalling for splitprotection. Any miners
>> already running BIP148 should be encouraged to use splitprotection.
>>
>> 
>>   BIP: splitprotection
>>   Layer: Consensus (soft fork)
>>   Title: User Activated Soft Fork Split Protection
>>   Author: James Hilliard 
>>   Comments-Summary: No comments yet.
>>   Comments-URI:
>>   Status: Draft
>>   Type: Standards Track
>>   Created: 2017-05-22
>>   License: BSD-3-Clause
>>CC0-1.0
>> 
>>
>> ==Abstract==
>>
>> This document specifies a coordination mechanism for a simple majority
>> of miners to prevent a chain split ahead of BIP148 activation.
>>
>> ==Definitions==
>>
>> "existing segwit deployment" refer to the BIP9 "segwit" deployment
>> using bit 1, between November 15th 2016 and November 15th 2017 to
>> activate BIP141, BIP143 and BIP147.
>>
>> ==Motivation==
>>
>> The biggest risk of BIP148 is an extended chain split, this BIP
>> provides a way for a simple majority of miners to eliminate that risk.
>>
>> This BIP provides a way for a simple majority of miners to coordinate
>> activation of the existing segwit deployment with less than 95%
>> hashpower before BIP148 activation. Due to time constraints unless
>> immediately deployed BIP91 will likely not be able to enforce
>> mandatory signalling of segwit before the Aug 1st activation of
>> BIP148. This BIP provides a method for rapid miner activation of
>> SegWit mandatory signalling ahead of the BIP148 activation date. Since
>> the primary goal of this BIP is to reduce the chance of an extended
>> chain split as much as possible we activate using a simple miner
>> majority of 65% over a 504 block interval rather than a higher
>> percentage. This BIP also allows miners to signal their intention to
>> run BIP148 in order to prevent a chain split.
>>
>> ==Specification==
>>
>> While this BIP is active, all blocks must set the nVersion header top
>> 3 bits to 001 together with bit field (1<<1) (according to the
>> existing segwit deployment). Blocks that do not signal as required
>> will be rejected.
>>
>> ==Deployment==
>>
>> This BIP will be deployed by "version bits" with a 65%(this can be
>> adjusted if desired) activation threshold BIP9 with the name
>> "splitprotecion" and using bit 2.
>>
>> This BIP starts immediately and is a BIP8 style soft fork since
>> mandatory signalling will start on midnight August 1st 2017 (epoch
>> time 1501545600) regardless of whether or not this BIP has reached its
>> own signalling threshold. This BIP will cease to be active when segwit
>> is locked-in.
>>
>> === Reference implementation ===
>>
>> 
>> // Check if Segregated Witness is Locked In
>> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
>> Consensus::Params& params)
>> {
>> LOCK(cs_main);
>> return (VersionBitsState(pindexPrev, params,
>> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
>> THRESHOLD_LOCKED_IN);
>> }
>>
>> // SPLITPROTECTION mandatory segwit signalling.
>> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
>> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
>> THRESHOLD_LOCKED_IN &&
>>  !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>> // Segwit is not locked in
>>  !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
>> and is not active.
>> {
>> bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>> VERSIONBITS_TOP_BITS;
>> bool fSegbit = (pindex->nVersion &
>> VersionBitsMask(chainparams.GetConsensus(),
>> 

Re: [bitcoin-dev] User Activated Soft Fork Split Protection

[Karl Johan Alm via bitcoin-dev]

One thing about BIP148 activation that may be affected by this is the
fact that segwit signalling non-BIP148 miners + BIP148 miners may hold
majority hash power and prevent a chain split. With this SF, that will
no longer be the case, right? Or am I completely confused on the
subject?

On Wed, Jun 7, 2017 at 9:56 AM, James Hilliard via bitcoin-dev
 wrote:
> Due to the proposed calendar(https://segwit2x.github.io/) for the
> SegWit2x agreement being too slow to activate SegWit mandatory
> signalling ahead of BIP148 using BIP91 I would like to propose another
> option that miners can use to prevent a chain split ahead of the Aug
> 1st BIP148 activation date.
>
> The splitprotection soft fork is essentially BIP91 but using BIP8
> instead of BIP9 with a lower activation threshold and immediate
> mandatory signalling lock-in. This allows for a majority of miners to
> activate mandatory SegWit signalling and prevent a potential chain
> split ahead of BIP148 activation.
>
> This BIP allows for miners to respond to market forces quickly ahead
> of BIP148 activation by signalling for splitprotection. Any miners
> already running BIP148 should be encouraged to use splitprotection.
>
> 
>   BIP: splitprotection
>   Layer: Consensus (soft fork)
>   Title: User Activated Soft Fork Split Protection
>   Author: James Hilliard 
>   Comments-Summary: No comments yet.
>   Comments-URI:
>   Status: Draft
>   Type: Standards Track
>   Created: 2017-05-22
>   License: BSD-3-Clause
>CC0-1.0
> 
>
> ==Abstract==
>
> This document specifies a coordination mechanism for a simple majority
> of miners to prevent a chain split ahead of BIP148 activation.
>
> ==Definitions==
>
> "existing segwit deployment" refer to the BIP9 "segwit" deployment
> using bit 1, between November 15th 2016 and November 15th 2017 to
> activate BIP141, BIP143 and BIP147.
>
> ==Motivation==
>
> The biggest risk of BIP148 is an extended chain split, this BIP
> provides a way for a simple majority of miners to eliminate that risk.
>
> This BIP provides a way for a simple majority of miners to coordinate
> activation of the existing segwit deployment with less than 95%
> hashpower before BIP148 activation. Due to time constraints unless
> immediately deployed BIP91 will likely not be able to enforce
> mandatory signalling of segwit before the Aug 1st activation of
> BIP148. This BIP provides a method for rapid miner activation of
> SegWit mandatory signalling ahead of the BIP148 activation date. Since
> the primary goal of this BIP is to reduce the chance of an extended
> chain split as much as possible we activate using a simple miner
> majority of 65% over a 504 block interval rather than a higher
> percentage. This BIP also allows miners to signal their intention to
> run BIP148 in order to prevent a chain split.
>
> ==Specification==
>
> While this BIP is active, all blocks must set the nVersion header top
> 3 bits to 001 together with bit field (1<<1) (according to the
> existing segwit deployment). Blocks that do not signal as required
> will be rejected.
>
> ==Deployment==
>
> This BIP will be deployed by "version bits" with a 65%(this can be
> adjusted if desired) activation threshold BIP9 with the name
> "splitprotecion" and using bit 2.
>
> This BIP starts immediately and is a BIP8 style soft fork since
> mandatory signalling will start on midnight August 1st 2017 (epoch
> time 1501545600) regardless of whether or not this BIP has reached its
> own signalling threshold. This BIP will cease to be active when segwit
> is locked-in.
>
> === Reference implementation ===
>
> 
> // Check if Segregated Witness is Locked In
> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
> Consensus::Params& params)
> {
> LOCK(cs_main);
> return (VersionBitsState(pindexPrev, params,
> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
> THRESHOLD_LOCKED_IN);
> }
>
> // SPLITPROTECTION mandatory segwit signalling.
> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
> THRESHOLD_LOCKED_IN &&
>  !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
> // Segwit is not locked in
>  !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
> and is not active.
> {
> bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
> VERSIONBITS_TOP_BITS;
> bool fSegbit = (pindex->nVersion &
> VersionBitsMask(chainparams.GetConsensus(),
> Consensus::DEPLOYMENT_SEGWIT)) != 0;
> if (!(fVersionBits && fSegbit)) {
> return state.DoS(0, error("ConnectBlock(): relayed block must
> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
> }
> }
>
> // BIP148 mandatory segwit signalling.
> int64_t nMedianTimePast = pindex->GetMedianTimePast();
> if ( (nMedianTimePast >= 1501545600) &&  // Tue 01 Aug 2017 00:00:00 UTC
>  (nMedianTimePast <= 

[bitcoin-dev] User Activated Soft Fork Split Protection

[James Hilliard via bitcoin-dev]

Due to the proposed calendar(https://segwit2x.github.io/) for the
SegWit2x agreement being too slow to activate SegWit mandatory
signalling ahead of BIP148 using BIP91 I would like to propose another
option that miners can use to prevent a chain split ahead of the Aug
1st BIP148 activation date.

The splitprotection soft fork is essentially BIP91 but using BIP8
instead of BIP9 with a lower activation threshold and immediate
mandatory signalling lock-in. This allows for a majority of miners to
activate mandatory SegWit signalling and prevent a potential chain
split ahead of BIP148 activation.

This BIP allows for miners to respond to market forces quickly ahead
of BIP148 activation by signalling for splitprotection. Any miners
already running BIP148 should be encouraged to use splitprotection.


  BIP: splitprotection
  Layer: Consensus (soft fork)
  Title: User Activated Soft Fork Split Protection
  Author: James Hilliard 
  Comments-Summary: No comments yet.
  Comments-URI:
  Status: Draft
  Type: Standards Track
  Created: 2017-05-22
  License: BSD-3-Clause
   CC0-1.0


==Abstract==

This document specifies a coordination mechanism for a simple majority
of miners to prevent a chain split ahead of BIP148 activation.

==Definitions==

"existing segwit deployment" refer to the BIP9 "segwit" deployment
using bit 1, between November 15th 2016 and November 15th 2017 to
activate BIP141, BIP143 and BIP147.

==Motivation==

The biggest risk of BIP148 is an extended chain split, this BIP
provides a way for a simple majority of miners to eliminate that risk.

This BIP provides a way for a simple majority of miners to coordinate
activation of the existing segwit deployment with less than 95%
hashpower before BIP148 activation. Due to time constraints unless
immediately deployed BIP91 will likely not be able to enforce
mandatory signalling of segwit before the Aug 1st activation of
BIP148. This BIP provides a method for rapid miner activation of
SegWit mandatory signalling ahead of the BIP148 activation date. Since
the primary goal of this BIP is to reduce the chance of an extended
chain split as much as possible we activate using a simple miner
majority of 65% over a 504 block interval rather than a higher
percentage. This BIP also allows miners to signal their intention to
run BIP148 in order to prevent a chain split.

==Specification==

While this BIP is active, all blocks must set the nVersion header top
3 bits to 001 together with bit field (1<<1) (according to the
existing segwit deployment). Blocks that do not signal as required
will be rejected.

==Deployment==

This BIP will be deployed by "version bits" with a 65%(this can be
adjusted if desired) activation threshold BIP9 with the name
"splitprotecion" and using bit 2.

This BIP starts immediately and is a BIP8 style soft fork since
mandatory signalling will start on midnight August 1st 2017 (epoch
time 1501545600) regardless of whether or not this BIP has reached its
own signalling threshold. This BIP will cease to be active when segwit
is locked-in.

=== Reference implementation ===


// Check if Segregated Witness is Locked In
bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
Consensus::Params& params)
{
LOCK(cs_main);
return (VersionBitsState(pindexPrev, params,
Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
THRESHOLD_LOCKED_IN);
}

// SPLITPROTECTION mandatory segwit signalling.
if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
THRESHOLD_LOCKED_IN &&
 !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
// Segwit is not locked in
 !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
and is not active.
{
bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
VERSIONBITS_TOP_BITS;
bool fSegbit = (pindex->nVersion &
VersionBitsMask(chainparams.GetConsensus(),
Consensus::DEPLOYMENT_SEGWIT)) != 0;
if (!(fVersionBits && fSegbit)) {
return state.DoS(0, error("ConnectBlock(): relayed block must
signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
}
}

// BIP148 mandatory segwit signalling.
int64_t nMedianTimePast = pindex->GetMedianTimePast();
if ( (nMedianTimePast >= 1501545600) &&  // Tue 01 Aug 2017 00:00:00 UTC
 (nMedianTimePast <= 1510704000) &&  // Wed 15 Nov 2017 00:00:00 UTC
 (!IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
 // Segwit is not locked in
  !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus())) )
 // and is not active.
{
bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
VERSIONBITS_TOP_BITS;
bool fSegbit = (pindex->nVersion &
VersionBitsMask(chainparams.GetConsensus(),
Consensus::DEPLOYMENT_SEGWIT)) != 0;
if (!(fVersionBits && fSegbit)) {
return state.DoS(0, error("ConnectBlock(): relayed block must
signal for segwit, please upgrade"), REJECT_INVALID, 

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Kekcoin via bitcoin-dev]

Hmm, that's not the difference I was talking about. I was referring to the fact 
that using "post-chainsplit coinbases from the non-148 chain" to unilaterally 
(ie. can be done without action on the 148-chain) taint coins is more secure in 
extreme-adverserial cases such as secret-mining reorg attacks (as unfeasibly 
expensive they may be); the only large-scale (>100 block) reorganization the 
non-148 chain faces should be a resolution of the chainsplit and therefore 
render the replay threat moot.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

 Original Message 
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 3:04 AM
UTC Time: June 7, 2017 12:04 AM
From: cont...@taoeffect.com
To: Kekcoin 
Anthony Towns , bitcoin-dev@lists.linuxfoundation.org 


You keep referring to 148 coinbase coins, what is the rationale behind this? 
Why would you prefer using 148 coinbases over legacy coinbases for this purpose?

OK, maybe "post-UASF coinbase coins" is a better term? I just wanted to make it 
clear that this refers to coins that come from blocks generated after the UASF 
is activated.

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

On Jun 6, 2017, at 4:59 PM, Kekcoin  wrote:

You keep referring to 148 coinbase coins, what is the rationale behind this? 
Why would you prefer using 148 coinbases over legacy coinbases for this purpose?

Sent with [ProtonMail](https://protonmail.com/) Secure Email.___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Tao Effect via bitcoin-dev]

> You keep referring to 148 coinbase coins, what is the rationale behind this? 
> Why would you prefer using 148 coinbases over legacy coinbases for this 
> purpose?

OK, maybe "post-UASF coinbase coins" is a better term? I just wanted to make it 
clear that this refers to coins that come from blocks generated after the UASF 
is activated.

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

> On Jun 6, 2017, at 4:59 PM, Kekcoin  > wrote:
> 
> You keep referring to 148 coinbase coins, what is the rationale behind this? 
> Why would you prefer using 148 coinbases over legacy coinbases for this 
> purpose?
> 
> 
> Sent with ProtonMail  Secure Email.



signature.asc
Description: Message signed with OpenPGP
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Kekcoin via bitcoin-dev]

You keep referring to 148 coinbase coins, what is the rationale behind this? 
Why would you prefer using 148 coinbases over legacy coinbases for this purpose?

Sent with [ProtonMail](https://protonmail.com) Secure Email.

 Original Message 
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 2:27 AM
UTC Time: June 6, 2017 11:27 PM
From: bitcoin-dev@lists.linuxfoundation.org
To: Anthony Towns 
bitcoin-dev@lists.linuxfoundation.org

CoinJoin works as a method of both improving fungibility and mixing with
coinbase transactions.

My understanding is that the two situations are quite different.

Unlike mixing to coin-split, CoinJoin doesn't create a high demand exclusively 
for coinbase transactions.

However, of the proposed methods, coin-mixing seems the better option, because 
it might be reasonably easy (I don't know) for exchanges to obtain 148 coinbase 
coins, and mix their coins with them, extending the coin-splitting capability 
beyond just miner coins and then using that to split incoming coins.

That seems like the most reasonable approach I've heard so far. Whether 
exchanges would be willing to do that is a separate question.

When it's confirmed on one chain, but not on the other, you
can then "double-spend" on the lower hashrate chain with a higher fee,
to end up with different coins on both chains.

This method is time consuming and not guaranteed to work. CPFP can be used by 
an attacker to get your original txn into the 148 chain.

(also, no double-n in untenable)

Why thank you aj, you're so good at spelling. :-)

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

On Jun 6, 2017, at 4:20 PM, Anthony Towns via bitcoin-dev 
 wrote:

On Tue, Jun 06, 2017 at 03:39:28PM -0700, Tao Effect via bitcoin-dev wrote:- 
Mixing with 148 coinbase txns destroys fungibility.

CoinJoin works as a method of both improving fungibility and mixing with
coinbase transactions.

You probably don't need to do anything clever to split a coin though:
if you send a transaction with a standard fee it will get confirmed
in a normal time on the higher hashrate chain, but won't confirm as
quickly on the lower hashrate chain (precisely because transactions are
valid on both chains, but blocks are found more slowly with the lower
hashrate). When it's confirmed on one chain, but not on the other, you
can then "double-spend" on the lower hashrate chain with a higher fee,
to end up with different coins on both chains.

(also, no double-n in untenable)

Cheers,
aj

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Tao Effect via bitcoin-dev]

> CPFP can be used by an attacker to get your original txn into the 148 chain.

*err, my bad that's unlikely to happen, if I remember correctly CPFP can only 
be done by the person you're sending the coins to. Coin-mixing seems the better 
option of the two, but shouldn't the BIP148 folks wait until it's clear that 
will be supported by exchanges?

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

> On Jun 6, 2017, at 4:27 PM, Tao Effect  > wrote:
> 
>> CoinJoin works as a method of both improving fungibility and mixing with
>> coinbase transactions.
> 
> My understanding is that the two situations are quite different.
> 
> Unlike mixing to coin-split, CoinJoin doesn't create a high demand 
> exclusively for coinbase transactions.
> 
> However, of the proposed methods, coin-mixing seems the better option, 
> because it might be reasonably easy (I don't know) for exchanges to obtain 
> 148 coinbase coins, and mix their coins with them, extending the 
> coin-splitting capability beyond just miner coins and then using that to 
> split incoming coins.
> 
> That seems like the most reasonable approach I've heard so far. Whether 
> exchanges would be willing to do that is a separate question.
> 
>> When it's confirmed on one chain, but not on the other, you
>> can then "double-spend" on the lower hashrate chain with a higher fee,
>> to end up with different coins on both chains.
> 
> This method is time consuming and not guaranteed to work. CPFP can be used by 
> an attacker to get your original txn into the 148 chain.
> 
>> (also, no double-n in untenable)
> 
> Why thank you aj, you're so good at spelling. :-)
> 
> Cheers,
> Greg
> 



signature.asc
Description: Message signed with OpenPGP
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Tao Effect via bitcoin-dev]

> CoinJoin works as a method of both improving fungibility and mixing with
> coinbase transactions.

My understanding is that the two situations are quite different.

Unlike mixing to coin-split, CoinJoin doesn't create a high demand exclusively 
for coinbase transactions.

However, of the proposed methods, coin-mixing seems the better option, because 
it might be reasonably easy (I don't know) for exchanges to obtain 148 coinbase 
coins, and mix their coins with them, extending the coin-splitting capability 
beyond just miner coins and then using that to split incoming coins.

That seems like the most reasonable approach I've heard so far. Whether 
exchanges would be willing to do that is a separate question.

> When it's confirmed on one chain, but not on the other, you
> can then "double-spend" on the lower hashrate chain with a higher fee,
> to end up with different coins on both chains.

This method is time consuming and not guaranteed to work. CPFP can be used by 
an attacker to get your original txn into the 148 chain.

> (also, no double-n in untenable)

Why thank you aj, you're so good at spelling. :-)

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

> On Jun 6, 2017, at 4:20 PM, Anthony Towns via bitcoin-dev 
>  > wrote:
> 
> On Tue, Jun 06, 2017 at 03:39:28PM -0700, Tao Effect via bitcoin-dev wrote:
>> - Mixing with 148 coinbase txns destroys fungibility.
> 
> CoinJoin works as a method of both improving fungibility and mixing with
> coinbase transactions.
> 
> You probably don't need to do anything clever to split a coin though:
> if you send a transaction with a standard fee it will get confirmed
> in a normal time on the higher hashrate chain, but won't confirm as
> quickly on the lower hashrate chain (precisely because transactions are
> valid on both chains, but blocks are found more slowly with the lower
> hashrate). When it's confirmed on one chain, but not on the other, you
> can then "double-spend" on the lower hashrate chain with a higher fee,
> to end up with different coins on both chains.
> 
> (also, no double-n in untenable)
> 
> Cheers,
> aj
> 
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org 
> 
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



signature.asc
Description: Message signed with OpenPGP
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Tao Effect via bitcoin-dev]

> Replay is a solved problem.

Point to this solved problem?

Your "solution" here is not a solution:

https://www.reddit.com/r/Bitcoin/comments/6f1urd/i_think_its_time_we_have_an_educated_discussion/diey21t/?context=3
 


> This is nothing but unfounded FUD. It is very simple to implement and
> guaranteed to work eventually. It may be time consuming, but that is the only
> truth here. The only risk is that of a long reorg, the same as double spend
> attacks.

Let's assume you invented a simple way to double-spend txns to self (which you 
haven't, fyi), then that is an issue in of itself as the point of bitcoin is to 
*prevent* double-spending to self.

There would need to be much more time for the community to discuss the 
implications of wallets have a "double-spend to self" button in them.

> What kind of "fungibility" does this FUD claim it destroys? Destroying cross-
> chain fungibility is the very *intent* of replay protection. And it does not
> destroy same-chain fungibility any more than any other miner spending.

Yes it does destroy same-chain fungibility, as discussed on twitter [1], you're 
making miner coins special on both chains.

> Lack of replay protection does not mean there is no coin.

It effectively does. If people want to proceed blindly, ignoring replay, 
they're welcome to read about the consequences [2].

[1] https://twitter.com/taoeffect/status/872226556571131905 

[2] http://gist.github.com/taoeffect/c910ebb16d9f6d248e9f1f3c6e10b1b8 


--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

> On Jun 6, 2017, at 4:08 PM, Luke Dashjr  > wrote:
> 
> On Tuesday 06 June 2017 10:39:28 PM Tao Effect via bitcoin-dev wrote:
>> I believe the severity of replay attacks is going unvoiced and is not
>> understood within the bitcoin community because of their lack of
>> experience with them.
> 
> Replay is a solved problem. It can be improved on and made simpler, but at
> this point, replay only occurs when the sender is either negligent or
> intending it.
> 
>> Both of the coin-splitting techniques given so far by the proponents BIP148
>> are also untenable:
>> 
>> - Double-spending to self with nLockTime txns is insanely complicated,
>> risky, not guaranteed to work, extremely time consuming, and would likely
>> result in a massive increase in backlogged transactions and increased
>> fees.
> 
> This is nothing but unfounded FUD. It is very simple to implement and
> guaranteed to work eventually. It may be time consuming, but that is the only
> truth here. The only risk is that of a long reorg, the same as double spend
> attacks.
> 
>> - Mixing with 148 coinbase txns destroys fungibility.
> 
> What kind of "fungibility" does this FUD claim it destroys? Destroying cross-
> chain fungibility is the very *intent* of replay protection. And it does not
> destroy same-chain fungibility any more than any other miner spending.
> 
>> Without a coin, there is no real threat from BIP148.
> 
> Lack of replay protection does not mean there is no coin. Replay protection is
> equally a concern for the main (BIP148) chain and any legacy chains malicious
> miners might choose to split off. And none of this changes the fact that such
> miners will be unable to sell their legacycoins at Bitcoin market prices,
> because whether other transactions are replayed or not, *their* coins won't be
> valid on the main chain.
> 
> Luke



signature.asc
Description: Message signed with OpenPGP
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Tao Effect via bitcoin-dev]

Hey Greg,

It wasn't my intention to insult anyone (a bit defensive?).

Maybe this is yet another example of a recurring criticism of Core: that core 
doesn't community these issues very well to journalists / reports / media / 
community outside of this list.

Because outside of this list it's been all about those 148 coins, and almost 
zero mention of replay attacks.

> BIP149 is arguably something of another matter in particular because
> it has a time-frame that allows dealing with replay and other issues--
> and particularly because it has a time-frame that can allow for the
> avoidance of a meaningful fork at all.

Are there other, more reasonable / feasible ways of addressing replay attacks 
in Bitcoin / BIP149 scenario?

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

> On Jun 6, 2017, at 4:02 PM, Gregory Maxwell  > wrote:
> 
> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
>  > wrote:
>> I believe the severity of replay attacks is going unvoiced and is not
>> understood within the bitcoin community because of their lack of experience
>> with them.
> 
> Please don't insult our community-- the issues with replay were
> pointed out by us to Ethereum in advance and were cited specifically
> in prior hardfork discussions long before Ethereum started editing
> their ledger for the economic benefit of its centralized
> administrators.
> 
> The lack of extensive discussion on these issues you're seeing is
> rather symptomatic of engineers that take stability seriously not
> taking BIP148 seriously; not symptomatic of people not knowing about
> them. The same concerns also applies to all these HF proposals (which
> for some reason you don't mention), arguably even stronger.  The same
> basic pattern exists: There are people that just don't care about the
> technical issues who have made up their minds, and so you don't see
> technical discussion.  Those people who do see the issues already
> called out the proposals as being ill-advised.   Replay isn't even the
> largest of the technical issues (network partitioning, for example, is
> a much larger one).
> 
> BIP149 is arguably something of another matter in particular because
> it has a time-frame that allows dealing with replay and other issues--
> and particularly because it has a time-frame that can allow for the
> avoidance of a meaningful fork at all.



signature.asc
Description: Message signed with OpenPGP
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Anthony Towns via bitcoin-dev]

On Tue, Jun 06, 2017 at 03:39:28PM -0700, Tao Effect via bitcoin-dev wrote:
> - Mixing with 148 coinbase txns destroys fungibility.

CoinJoin works as a method of both improving fungibility and mixing with
coinbase transactions.

You probably don't need to do anything clever to split a coin though:
if you send a transaction with a standard fee it will get confirmed
in a normal time on the higher hashrate chain, but won't confirm as
quickly on the lower hashrate chain (precisely because transactions are
valid on both chains, but blocks are found more slowly with the lower
hashrate). When it's confirmed on one chain, but not on the other, you
can then "double-spend" on the lower hashrate chain with a higher fee,
to end up with different coins on both chains.

(also, no double-n in untenable)

Cheers,
aj

___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Luke Dashjr via bitcoin-dev]

On Tuesday 06 June 2017 10:39:28 PM Tao Effect via bitcoin-dev wrote:
> I believe the severity of replay attacks is going unvoiced and is not
> understood within the bitcoin community because of their lack of
> experience with them.

Replay is a solved problem. It can be improved on and made simpler, but at 
this point, replay only occurs when the sender is either negligent or 
intending it.

> Both of the coin-splitting techniques given so far by the proponents BIP148
> are also untenable:
> 
> - Double-spending to self with nLockTime txns is insanely complicated,
> risky, not guaranteed to work, extremely time consuming, and would likely
> result in a massive increase in backlogged transactions and increased
> fees.

This is nothing but unfounded FUD. It is very simple to implement and 
guaranteed to work eventually. It may be time consuming, but that is the only 
truth here. The only risk is that of a long reorg, the same as double spend 
attacks.

> - Mixing with 148 coinbase txns destroys fungibility.

What kind of "fungibility" does this FUD claim it destroys? Destroying cross-
chain fungibility is the very *intent* of replay protection. And it does not 
destroy same-chain fungibility any more than any other miner spending.

> Without a coin, there is no real threat from BIP148.

Lack of replay protection does not mean there is no coin. Replay protection is 
equally a concern for the main (BIP148) chain and any legacy chains malicious 
miners might choose to split off. And none of this changes the fact that such 
miners will be unable to sell their legacycoins at Bitcoin market prices, 
because whether other transactions are replayed or not, *their* coins won't be 
valid on the main chain.

Luke
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Gregory Maxwell via bitcoin-dev]

On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
 wrote:
> I believe the severity of replay attacks is going unvoiced and is not
> understood within the bitcoin community because of their lack of experience
> with them.

Please don't insult our community-- the issues with replay were
pointed out by us to Ethereum in advance and were cited specifically
in prior hardfork discussions long before Ethereum started editing
their ledger for the economic benefit of its centralized
administrators.

The lack of extensive discussion on these issues you're seeing is
rather symptomatic of engineers that take stability seriously not
taking BIP148 seriously; not symptomatic of people not knowing about
them. The same concerns also applies to all these HF proposals (which
for some reason you don't mention), arguably even stronger.  The same
basic pattern exists: There are people that just don't care about the
technical issues who have made up their minds, and so you don't see
technical discussion.  Those people who do see the issues already
called out the proposals as being ill-advised.   Replay isn't even the
largest of the technical issues (network partitioning, for example, is
a much larger one).

BIP149 is arguably something of another matter in particular because
it has a time-frame that allows dealing with replay and other issues--
and particularly because it has a time-frame that can allow for the
avoidance of a meaningful fork at all.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable

[Tao Effect via bitcoin-dev]

This is just me putting in my formal objection to BIP148 and BIP149 based on my 
experience with the ETH/ETC hard fork and involvement in that drama.

First, it's important to note that ETC/ETH HF is a very different situation 
from BIP148 and all other soft-forks. To those on this mailing list, the 
reasons should be self-evident (one results in two incompatible chains, the 
other doesn't).

However, replay attacks are common to both possibilities (i.e. when BIP148 has 
<51% hash power).

I believe the severity of replay attacks is going unvoiced and is not 
understood within the bitcoin community because of their lack of experience 
with them.

I further believe that replay attacks are the #1 issue with BIP148, BIP149, 
etc., superseding wipeout attacks in severity.

These are not baseless beliefs, they're born out of experience and I think 
anyone will reach the same conclusion upon study.

In a nutshell, replay attacks mean that all talk of there being potentially 
"two coins" as a result of BIP148 is basically nonsense.

Replay attacks effectively eliminate that possibility.

When users go to "sell their legacy coins", they've just sold their 148 coins, 
and vice versa.

Both of the coin-splitting techniques given so far by the proponents BIP148 are 
also untenable:

- Double-spending to self with nLockTime txns is insanely complicated, risky, 
not guaranteed to work, extremely time consuming, and would likely result in a 
massive increase in backlogged transactions and increased fees.

- Mixing with 148 coinbase txns destroys fungibility.

Without a coin, there is no real threat from BIP148. Without that threat, there 
is no point to BIP148, and the miners know this.

These and other concerns are outlined and explained in more detail in this 
conversation I had yesterday with John Light:

https://www.youtube.com/watch?v=33rL3-p8cPw 


Cheers,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.



signature.asc
Description: Message signed with OpenPGP
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[bitcoin-dev] SegWit activation proposal with 2MB Hard Fork by next Block Halving on 2020

[Upal Chakraborty via bitcoin-dev]

*Proposal*: Verify whether 50% Tx mined from SegWit activation block to
block 63 are SegWit Tx. If yes, increase legacy max block size to 2MB
and SegWit max block size to 8MB.

*Implementation*: This proposal either needs to be implemented in next
release of Bitcoin Core or require SegWit activation period restart while
it is implemented & released.

*Rationale*: This proposal minimizes the chance of a chain split, while
sticking to the original bitcoin scaling roadmap, i.e.
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-December/011865.html


Thanks & Regards,
Upal Chakraborty
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev