Re: [bitcoin-dev] hypothetical: Could soft-forks be prevented?

2017-09-15 Thread Simone Bronzini via bitcoin-dev
Since a soft-fork is a restriction of the consensus rules, I think the
only way to have an un-soft-forkable cryptocurrency is creating a
cryptocurrency where no transaction is valid.

Imagine I build a very minimal cryptocurrency where in the transaction
output you only indicate the public key to send your coins to and the
amount. One can still soft-fork it by deciding that, from now on, only
even amounts are valid or only public keys that are a multiple of 10 are
valid.


On 15/09/17 21:55, Dan Libby via bitcoin-dev wrote:
> Ok, this is good stuff.  thanks for the thoughtful reply.
>
> Regarding anyone-can-spend:
>
> all of the examples you gave do not satisfy isStandard.  So if our
> hypothetical cryptocurrency were to restrict all transactions to
> isStandard at the consensus layer, would that not effectively prevent
> anyone-can-spend?
>
> Or more generally and with our thinking caps on, what would be the best
> way to prevent anyone-can-spend, if that is our goal?
>
>
> Regarding soft-fork = restrict:
>
> Your example of miners running secret soft-fork code that blacklists
> satoshi's utxo's is intriguing and somewhat troubling.
>
> I think the main takeaways are that:
>   1) there are other ways to soft-fork besides anyone-can-spend.
>   2) it is impossible to prevent hidden soft-forks.
>
> Is that accurate?
>
> Still, I would put forth the following question:  If anyone-can-spend tx
> were no longer allowed according to consensus rules (assuming that is
> possible/practical), then could the network still be practically
> "upgraded" with new features (eg opcodes) via soft-fork, and if so, what
> would be the mechanism for backwards compatibility in this scenario?
>
>
> or from another angle:  even if it is impossible to prevent all
> soft-forks, can you see any way at all to make it logistically
> infeasible to use soft-forks as a network-wide consensus change mechanism?
>
> and another thought:  as I understand it, bitcoin is presently able to
> add new opcodes via soft-fork because Satoshi added 10 unused opcodes
> via hardfork. What will happen when these run out?  Can new opcodes
> still be added without a hard-fork?
>
>
> note: I ask these questions with the goal/vision of creating an
> immutable altcoin or sidechain, not necessarily restricting bitcoin's path.
>
>
>
>
>
> On 09/14/2017 09:01 PM, ZmnSCPxj wrote:
>> Good morning Dan,
>>
>> My understanding is that it is impossible for soft forks to be prevented.
>>
>> 1.  Anyone-can-spend
>>
>> There are a very large number of anyone-can-spend scripts, and it would
>> be very impractical to ban them all.
>>
>> For example, the below output script is anyone-can-spend
>>
>>   OP_TRUE
>>
>> So is the below:
>>
>>   OP_SIZE  OP_EQUAL
>>
>> Or:
>>
>>   OP_1ADD  OP_EQUAL
>>
>> Or:
>>
>>   OP_BOOLAND
>>
>> Or:
>>
>>   OP_BOOLOR
>>
>> And so on.
>>
>> So no, it is not practically possible to ban anyone-can-spend outputs,
>> as there are too many potential scriptPubKey that anyone can spend.
>>
>> It is even possible to have an output that requires a proof-of-work,
>> like so:
>>
>>  OP_HASH256  OP_LESSTHAN
>>
>> All the above outputs are disallowed from propagation by IsStandard, but
>> a miner can put them validly in a block, and IsStandard is not consensus
>> code and can be modified.
>>
>> 2.  Soft fork = restrict
>>
>> It is possible (although unlikely) for a majority of miners to run soft
>> forking code which the rest of us are not privy to.
>>
>> For example, for all we know, miners are already blacklisting spends on
>> Satoshi's coins.  We would not be able to detect this at all, since no
>> transaction that spends Satoshi's coins have been broadcast, ever.  It
>> is thus indistinguishable from a world where Satoshi lost his private
>> keys.  Of course, the world where Satoshi never spent his coins and
>> miners are blacklisting Satoshi's coins, is more complex than the world
>> where Satoshi never spent his coins, so it is more likely that miners
>> are not blacklisting.
>>
>> But the principle is there.  We may already be in a softfork whose rules
>> we do not know, and it just so happens that all our transactions today
>> do not violate those rules.  It is impossible for us to know this, but
>> it is very unlikely.
>>
>> Soft forks apply further restrictions on Bitcoin.  Hard forks do not. 
>> Thus, if everyone else is entering a soft fork and we are oblivious, we
>> do not even know about it.  Whereas, if everyone else is entering a hard
>> fork, we will immediately see (and reject) invalid transactions and blocks.
>>
>> Thus the only way to prevent soft fork is to hard fork against the new
>> soft fork, like Bcash did.
>>
>> Regards,
>> ZmnSCPxj
>>
>>  Original Message 
>> Subject: [bitcoin-dev] hypothetical: Could soft-forks be prevented?
>> Local Time: September 13, 2017 5:50 PM
>> UTC Time: September 13, 2017 9:50 AM
>> From: bitcoin-dev@lists.linuxfoundation.org
>> To: Bitcoin Protocol Discussion 

Re: [bitcoin-dev] BIP proposal for Lightning-oriented multiaccount multisig HD wallets

2017-08-30 Thread Simone Bronzini via bitcoin-dev
> This will lead to old UTXOs not being recognized by NEW wallets, because
> at some point new wallets will not care about implementing old standards.

Your observations make perfect sense. That's exactly why we endorse
option b. in my previous email.

> The only way to address this is to get out of bip39 and bip43, and to
> include a version number in the mnemonic seed.

As for the idea of having a versioning on mnemonic seeds, I believe it
would be a very useful feature indeed. How about opening a new,
separate, topic about it?


On 30/08/17 12:07, Thomas Voegtlin via bitcoin-dev wrote:
>
> On 29.08.2017 12:19, Simone Bronzini via bitcoin-dev wrote:
>
>> 2. SegWit addresses:
>> since mixing SegWit and non-SegWit addresses on the same BIP44 structure
>> could lead to UTXOs not being completely recognised by old wallets,
>> BIP49 was proposed to separate the key space. 
> This will lead to old UTXOs not being recognized by NEW wallets, because
> at some point new wallets will not care about implementing old standards.
>
> The only way to address this is to get out of bip39 and bip43, and to
> include a version number in the mnemonic seed.
>
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



0xB2E60C73.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] BIP proposal for Lightning-oriented multiaccount multisig HD wallets

2017-08-30 Thread Simone Bronzini via bitcoin-dev
Thanks for your feedback, I fixed what you suggested. As for the purpose
how should we move on? We would be inclined to use 46, but of course we
are open to any other number.


On 29/08/17 22:07, Luke Dashjr via bitcoin-dev wrote:
>> Status: Proposed
> This should only be set after peer review and implementations are complete, 
> and you intend that there will be no further changes.
>
>> As registered coin types we propose the ones already used for BIP44, which 
> can be found at the following page.
>
> I suggest just referring to SLIP 44 directly.
>
> You're missing the Backward Compatibility and Copyright sections.
>
>
>
> On Tuesday 29 August 2017 10:19:10 AM Simone Bronzini via bitcoin-dev wrote:
>> Hi all,
>> last month we started looking for feedback (here and on other channels)
>> about a proposal for a new structure to facilitate the management of
>> different multisig accounts under the same master key, avoiding key
>> reuse but still allowing cosigners to independently generate new
>> addresses. While previously multiaccount multisig wallets were little
>> used, now that LN is becoming a reality it is extremely important to
>> have a better multiaccount management method to handle multiple payment
>> channels.
>> Please have a look at the draft of the BIP at the link below:
>>
>> https://github.com/chainside/BIP-proposal/blob/master/BIP.mediawiki
>>
>> Any feedback is highly appreciated, but in particular we would like to
>> collect opinions about the following issues:
>>
>> 1. coin_type level:
>> this level is intended to allow users to manage multiple
>> cryptocurrencies or forks of Bitcoin using the same masterkey (similarly
>> to BIP44). We have already received some legit objections that, since we
>> are talking about a Bitcoin Improvement Proposal,  it shouldn't care
>> about alt-coins. While we can agree with such objections, we also
>> believe that having a coin_type level improves interoperability with
>> muti-currency wallets (which is good), without any major drawback.
>> Moreover, even a Bitcoin maximalist may hold multiple coins for whatever
>> reason (short term speculation, testing, etc).
>>
>> 2. SegWit addresses:
>> since mixing SegWit and non-SegWit addresses on the same BIP44 structure
>> could lead to UTXOs not being completely recognised by old wallets,
>> BIP49 was proposed to separate the key space. Since this is a new
>> proposal, we can assume that wallets implementing it would be
>> SegWit-compatible and so there should be no need to differetiate between
>> SegWit and non-SegWit pubkeys. Anyway, if someone believes this problem
>> still holds, we thought about two possible solutions:
>> a. Create separate purposes for SegWit and non SegWit addresses
>> (this would keep the same standard as BIP44 and BIP49)
>> b. Create a new level on this proposed structure to divide SegWit
>> and non SegWit addresses: we would suggest to add this new level between
>> cosigner_index and change
>>
>> We believe solution b. would be better as it would give the option of
>> having a multisig wallet with non SegWit-aware cosigners without having
>> to use two different subtrees.
>>
>> This proposal is a work in progess so we would like to receive some
>> feedback before moving on with proposing it as a BIP draft.
>>
>> Simone Bronzini
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



0xB2E60C73.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


[bitcoin-dev] BIP proposal for Lightning-oriented multiaccount multisig HD wallets

2017-08-29 Thread Simone Bronzini via bitcoin-dev

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi all,
last month we started looking for feedback (here and on other channels)
about a proposal for a new structure to facilitate the management of
different multisig accounts under the same master key, avoiding key
reuse but still allowing cosigners to independently generate new
addresses. While previously multiaccount multisig wallets were little
used, now that LN is becoming a reality it is extremely important to
have a better multiaccount management method to handle multiple payment
channels.
Please have a look at the draft of the BIP at the link below:

https://github.com/chainside/BIP-proposal/blob/master/BIP.mediawiki

Any feedback is highly appreciated, but in particular we would like to
collect opinions about the following issues:

1. coin_type level:
this level is intended to allow users to manage multiple
cryptocurrencies or forks of Bitcoin using the same masterkey (similarly
to BIP44). We have already received some legit objections that, since we
are talking about a Bitcoin Improvement Proposal,  it shouldn't care
about alt-coins. While we can agree with such objections, we also
believe that having a coin_type level improves interoperability with
muti-currency wallets (which is good), without any major drawback.
Moreover, even a Bitcoin maximalist may hold multiple coins for whatever
reason (short term speculation, testing, etc).

2. SegWit addresses:
since mixing SegWit and non-SegWit addresses on the same BIP44 structure
could lead to UTXOs not being completely recognised by old wallets,
BIP49 was proposed to separate the key space. Since this is a new
proposal, we can assume that wallets implementing it would be
SegWit-compatible and so there should be no need to differetiate between
SegWit and non-SegWit pubkeys. Anyway, if someone believes this problem
still holds, we thought about two possible solutions:
a. Create separate purposes for SegWit and non SegWit addresses
(this would keep the same standard as BIP44 and BIP49)
b. Create a new level on this proposed structure to divide SegWit
and non SegWit addresses: we would suggest to add this new level between
cosigner_index and change

We believe solution b. would be better as it would give the option of
having a multisig wallet with non SegWit-aware cosigners without having
to use two different subtrees.

This proposal is a work in progess so we would like to receive some
feedback before moving on with proposing it as a BIP draft.

Simone Bronzini

-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEErS/wgXh5+C1vqPN/TXSJoN+7oQoFAlmlP2QACgkQTXSJoN+7
oQptgA/7B46/Why5h5/cxWyvgjmuUJ12Rkvh+EtfOUhMX+a8i4PJkLHGB2RibRfR
/Li1F+QWd2yeqdNO97er8HDGSlouxB7twB0ZMnS/LRPsHTA3Zf4OoD7H/yjj3lcD
GiJGy4MiHEOfjqaIwd0onUPX9ch5+Mm7aL34vBDdK0/8gm2v+HGO+GAefaUnZTQh
/CIaM0Th9dDS0xs5wcP3ncNqs1e59MHXOWlh7+zAxfvFio+HHnCbULIe4uct6stC
QxTNh8naQD4cB7tV9wsEeyuuJQ1gG8/pgN3WgRu5gW9CGpmpsySJgCCftkTZZHeL
eoqGJy5XFbI4CN2wEC2pbWW0xtDNyFq71wUPYNXINn8/7rnSjSl06OKISEk0u1yL
vhFuR9RSxEge2cS1pDwIwHVNR6pCeZMRwo0tp1OEXnt5VGGpmKengtpcFkFlOVdd
avUueIe8OoFGODco4+f25foB/z/rzyg3REXYX36bZiS6UkUOx4TCGpAzY86i4fDJ
STeDy5KMLk1S9rvTNrygxR74DkFMiNkalF3g4VauUlCFmh8iOzEDdtOQ3mLu/pgq
MXxfxq6ABxeCmQ7LsuBcFc+wN6AVLhrOhIPGyI8EAyaZNIGByqdgZGubvOl0J/gt
Yr4z5fViI7hjJijvooKzFtX0MNnaLBCOlggLpQO58t8En+BiNDE=
=XgcB
-END PGP SIGNATURE-



0xB2E60C73.asc
Description: application/pgp-keys


0xB2E60C73.asc.sig
Description: PGP signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


[bitcoin-dev] BIP proposal - multi-account key derivation hierarchy for multisig wallets

2017-07-21 Thread Simone Bronzini via bitcoin-dev
Maybe this has already been discussed, but I have not found anything online.

To the best of my knowledge, the only BIP which specifies a HD structure
for multisig wallets is BIP45. Unfortunately, when used in a
multi-account fashion, BIP45 gets very tricky very fast. In fact, one
has to either use a new master for every multisig account (hence having
to backup many master private keys) or use the same master for many
multisig accounts, resulting in deterministic but complex and
undesirable key reuse.
I would like to propose a new structure for multi-account multisig
wallets. This structure follows the derivation scheme of other proposals
(in particular BIP44 and BIP49) but adds a level to take into account
multisig accounts separation. In particular, the structure should be as
follows:

m/purpose'/coin_type'/account'/cosigner_index/change/address_index

In this case, a user can create many multisig accounts (each one will be
a different account number) and give his/her account's public derivation
to the cosigners. From this point on, the creation of a multisig P2SH
address will follow the same procedure as described in BIP45, with each
cosigner selecting his branch from the other cosigners' trees.

Would this proposal be acceptable as a BIP?

Simone Bronzini



0xB2E60C73.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev