Bits and Bytes on Bitcoin and Blockchain

Robinhood vs. The Paywall

Paywalls are, technologically speaking, quite fragile. In fact, as of today, if you are quick enough at the keyboard, you can easily copy the full text of a New York Times article before the Javascript kicks in and trims it.
I do this sometimes and I have a fast machine and a fast internet connection, which should make it harder. Other sites are more clever, but for the most part, paywalls are still a bit of a joke.
However, they're getting a lot better and more prevalent. I can imagine that right now an engineer at NYT is working on a better paywall with no practical way of cheating it.
All that aside, an article is just a piece of ordered text and some formatting, and I don't see that changing any time soon. Once you're past the paywall, the text just sits there in your browser, or in your email, or whatever. It can be viewed, copied, pasted, or read by a 3rd party extension.
What would it take, practically speaking, to "Robinhood" that text and make it freely available to everyone whether or not they've paid for it? There are numerous ways to access paywalled content today, which I won't share but aren't hard to find. But I'm interested in whether or not there is a solution that is so robust that it backs publishers into a corner where they need to find another way to make money. And when I say "robust" I mostly mean "legal", because I am assuming that any illegal method would ultimately lose out in a game of legal whack-a-mole (think torrent trackers or darknet markets).
Anyways, some initial considerations...
  1. You'd have to have at least one participant who has access to the paywalled content, but ideally many more than that who can all participate in tossing the content back over the paywall.
  2. You would need to have an immutable and accessible place to put the paywalled content so that other people could point their browsers to that location and see the same content that they would if they were looking at the source.
  3. As noted, you'd want to eliminate as much legal risk as possible. That goes for both the content "suppliers" and the content "consumers" (or, Robinhood and those he gives to).
I am not sure exactly what would happen if I just started copying and pasting paywalled content on, say, Reddit, but I am pretty sure it would catch up with me eventually because I am explicitly re-publishing. This solution would need to be so foolproof that it would put those who would otherwise enforce against it in an untenable position.
So, bear with me, here's what I want to know: how flawed, immoral, antisocial, and generally lacking is the following idea? My suspicion is that it is a pretty bad idea and is also pretty naive, but it's still been fun to think about and maybe some of you would like to discuss it. I am interested in any implications that come to mind.
~
The idea:
If you want to participate in this scheme, you install a browser extension. If you have access to any paywalled content, then every time you visit a page and view that content, the browser extension grabs the text and compresses it to its smallest possible representation.
Next, the browser extension make the smallest possible arbitrary transaction on the blockchain (looks to be about $0.06 currently), and stores as much of the article as it can fit in the OP_RETURN field, which is basically just a blank field for arbitrary text and currently has a size limit of 256 bytes (Note: There are tons of similar ways to accomplish the same thing, any many better blockchains for this use case. I just don't really keep up with the smaller blockchains and think that we can use the Bitcoin blockchain as a simple way to demonstrate the idea).
It may take a few transactions to store an entire article, but once it's part of the blockchain, it's there forever, and anyone who would want to subsequently view that article would only need to have access to the indices of the transactions and software that can de-compress the OP_RETURN values and reconstruct the article. I imagine this would also happen in the browser extension.
In this way, it's a lot like private torrent trackers. Everybody shares what they have access to, and the pieces of data that comprise the underlying media fly around the network freely. The software client is responsible for piecing them together and making the data cohesive for a given end user.
Today, a torrent client is completely legal, but having pirated media on your computer is not. Also, I'm pretty sure that opening your media collection to peers is also illegal, but I'm not actually sure.
Using the blockchain as the storage mechanism changes the calculus a little bit. You're not storing any pirated data on your machine, rather, you are stashing bits and pieces of it in a decentralized ledger, which nobody owns, meaning that nobody is really accountable for it. It's also impossible to take down.
The question of legality here is something like "are you allowed to include copyrighted works in transaction text on the blockchain?". And if not, how many chunks would the article need to be broken apart into to make it no long "The Article", but rather just pieces of arbitrary data which, if put together in the right order, would happen to reproduce "The Article"? Someone who is more knowledgable than I am would need to chime in here.
~
I wanted to get a sense of if this is even practical so I grabbed the text from a NYT article called "Opinion | No, the Democrats Haven’t Gone Over the Edge" by David Brooks.
After running the text through 1000 rounds of compression I got it down to 2702 bytes. The current OP_RETURN size limit for a BTC transaction is 256 bytes, so you would need to make around 10 transactions to store this single article.
And each transaction has a fee that goes to miners, which appears to be around 128 satoshis/byte according to https://privacypros.io/tools/bitcoin-fee-estimato
The BTC sent in a given transaction is recoverable, because it could be sent to a wallet that is owned by the sender, but the fees are unavoidable. Given the current rate, storing a NYT Opinion article on the Bitcoin blockchain, forever, would cost about 2707 * 128 Satoshis, or roughly $37.
So my immediate thought is wow that's expensive. I also know that it's frowned upon by the Bitcoin community and would be perceived as antagonistic by the miners. But my guess is that there's a better way to accomplish the same thing (again, off-chain transactions or using a totally different blockchain such as Ethereum, or BSV).
In fact, in "The unfuckening of OP_RETURN", Shadders shows that one can practically store up to 100kb of text in a given BSV transaction (BSV is a fork of bitcoin, which aims to align more with Satoshi's "original" vision).
The result of Shadders experiment? Well, here's the complete prequel to "Alice and Wonderland" in a single transaction, on the blockchain, forever: https://whatsonchain.com/tx/ef21e71d00b9fce174222e679640b09e29ac8a55f321c93e64b16cc3109959f8
Good thing Alice and Wonderland is in the public domain, right? Or... should it even matter what's "public" and what's "paywalled"?
What do you think?
submitted by mrctte to TheMotte [link] [comments]

Technical: Taproot: Why Activate?

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

submitted by almkglor to Bitcoin [link] [comments]

Technical: The Path to Taproot Activation

Taproot! Everybody wants to have it, somebody wants to make it, nobody knows how to get it!
(If you are asking why everybody wants it, see: Technical: Taproot: Why Activate?)
(Pedants: I mostly elide over lockin times)
Briefly, Taproot is that neat new thing that gets us:
So yes, let's activate taproot!

The SegWit Wars

The biggest problem with activating Taproot is PTSD from the previous softfork, SegWit. Pieter Wuille, one of the authors of the current Taproot proposal, has consistently held the position that he will not discuss activation, and will accept whatever activation process is imposed on Taproot. Other developers have expressed similar opinions.
So what happened with SegWit activation that was so traumatic? SegWit used the BIP9 activation method. Let's dive into BIP9!

BIP9 Miner-Activated Soft Fork

Basically, BIP9 has a bunch of parameters:
Now there are other parameters (name, starttime) but they are not anywhere near as important as the above two.
A number that is not a parameter, is 95%. Basically, activation of a BIP9 softfork is considered as actually succeeding if at least 95% of blocks in the last 2 weeks had the specified bit in the nVersion set. If less than 95% had this bit set before the timeout, then the upgrade fails and never goes into the network. This is not a parameter: it is a constant defined by BIP9, and developers using BIP9 activation cannot change this.
So, first some simple questions and their answers:

The Great Battles of the SegWit Wars

SegWit not only fixed transaction malleability, it also created a practical softforkable blocksize increase that also rebalanced weights so that the cost of spending a UTXO is about the same as the cost of creating UTXOs (and spending UTXOs is "better" since it limits the size of the UTXO set that every fullnode has to maintain).
So SegWit was written, the activation was decided to be BIP9, and then.... miner signalling stalled at below 75%.
Thus were the Great SegWit Wars started.

BIP9 Feature Hostage

If you are a miner with at least 5% global hashpower, you can hold a BIP9-activated softfork hostage.
You might even secretly want the softfork to actually push through. But you might want to extract concession from the users and the developers. Like removing the halvening. Or raising or even removing the block size caps (which helps larger miners more than smaller miners, making it easier to become a bigger fish that eats all the smaller fishes). Or whatever.
With BIP9, you can hold the softfork hostage. You just hold out and refuse to signal. You tell everyone you will signal, if and only if certain concessions are given to you.
This ability by miners to hold a feature hostage was enabled because of the miner-exit allowed by the timeout on BIP9. Prior to that, miners were considered little more than expendable security guards, paid for the risk they take to secure the network, but not special in the grand scheme of Bitcoin.

Covert ASICBoost

ASICBoost was a novel way of optimizing SHA256 mining, by taking advantage of the structure of the 80-byte header that is hashed in order to perform proof-of-work. The details of ASICBoost are out-of-scope here but you can read about it elsewhere
Here is a short summary of the two types of ASICBoost, relevant to the activation discussion.
Now, "overt" means "obvious", while "covert" means hidden. Overt ASICBoost is obvious because nVersion bits that are not currently in use for BIP9 activations are usually 0 by default, so setting those bits to 1 makes it obvious that you are doing something weird (namely, Overt ASICBoost). Covert ASICBoost is non-obvious because the order of transactions in a block are up to the miner anyway, so the miner rearranging the transactions in order to get lower power consumption is not going to be detected.
Unfortunately, while Overt ASICBoost was compatible with SegWit, Covert ASICBoost was not. This is because, pre-SegWit, only the block header Merkle tree committed to the transaction ordering. However, with SegWit, another Merkle tree exists, which commits to transaction ordering as well. Covert ASICBoost would require more computation to manipulate two Merkle trees, obviating the power benefits of Covert ASICBoost anyway.
Now, miners want to use ASICBoost (indeed, about 60->70% of current miners probably use the Overt ASICBoost nowadays; if you have a Bitcoin fullnode running you will see the logs with lots of "60 of last 100 blocks had unexpected versions" which is exactly what you would see with the nVersion manipulation that Overt ASICBoost does). But remember: ASICBoost was, at around the time, a novel improvement. Not all miners had ASICBoost hardware. Those who did, did not want it known that they had ASICBoost hardware, and wanted to do Covert ASICBoost!
But Covert ASICBoost is incompatible with SegWit, because SegWit actually has two Merkle trees of transaction data, and Covert ASICBoost works by fudging around with transaction ordering in a block, and recomputing two Merkle Trees is more expensive than recomputing just one (and loses the ASICBoost advantage).
Of course, those miners that wanted Covert ASICBoost did not want to openly admit that they had ASICBoost hardware, they wanted to keep their advantage secret because miners are strongly competitive in a very tight market. And doing ASICBoost Covertly was just the ticket, but they could not work post-SegWit.
Fortunately, due to the BIP9 activation process, they could hold SegWit hostage while covertly taking advantage of Covert ASICBoost!

UASF: BIP148 and BIP8

When the incompatibility between Covert ASICBoost and SegWit was realized, still, activation of SegWit stalled, and miners were still not openly claiming that ASICBoost was related to non-activation of SegWit.
Eventually, a new proposal was created: BIP148. With this rule, 3 months before the end of the SegWit timeout, nodes would reject blocks that did not signal SegWit. Thus, 3 months before SegWit timeout, BIP148 would force activation of SegWit.
This proposal was not accepted by Bitcoin Core, due to the shortening of the timeout (it effectively times out 3 months before the initial SegWit timeout). Instead, a fork of Bitcoin Core was created which added the patch to comply with BIP148. This was claimed as a User Activated Soft Fork, UASF, since users could freely download the alternate fork rather than sticking with the developers of Bitcoin Core.
Now, BIP148 effectively is just a BIP9 activation, except at its (earlier) timeout, the new rules would be activated anyway (instead of the BIP9-mandated behavior that the upgrade is cancelled at the end of the timeout).
BIP148 was actually inspired by the BIP8 proposal (the link here is a historical version; BIP8 has been updated recently, precisely in preparation for Taproot activation). BIP8 is basically BIP9, but at the end of timeout, the softfork is activated anyway rather than cancelled.
This removed the ability of miners to hold the softfork hostage. At best, they can delay the activation, but not stop it entirely by holding out as in BIP9.
Of course, this implies risk that not all miners have upgraded before activation, leading to possible losses for SPV users, as well as again re-pressuring miners to signal activation, possibly without the miners actually upgrading their software to properly impose the new softfork rules.

BIP91, SegWit2X, and The Aftermath

BIP148 inspired countermeasures, possibly from the Covert ASiCBoost miners, possibly from concerned users who wanted to offer concessions to miners. To this day, the common name for BIP148 - UASF - remains an emotionally-charged rallying cry for parts of the Bitcoin community.
One of these was SegWit2X. This was brokered in a deal between some Bitcoin personalities at a conference in New York, and thus part of the so-called "New York Agreement" or NYA, another emotionally-charged acronym.
The text of the NYA was basically:
  1. Set up a new activation threshold at 80% signalled at bit 4 (vs bit 1 for SegWit).
    • When this 80% signalling was reached, miners would require that bit 1 for SegWit be signalled to achive the 95% activation needed for SegWit.
  2. If the bit 4 signalling reached 80%, increase the block weight limit from the SegWit 4000000 to the SegWit2X 8000000, 6 months after bit 1 activation.
The first item above was coded in BIP91.
Unfortunately, if you read the BIP91, independently of NYA, you might come to the conclusion that BIP91 was only about lowering the threshold to 80%. In particular, BIP91 never mentions anything about the second point above, it never mentions that bit 4 80% threshold would also signal for a later hardfork increase in weight limit.
Because of this, even though there are claims that NYA (SegWit2X) reached 80% dominance, a close reading of BIP91 shows that the 80% dominance was only for SegWit activation, without necessarily a later 2x capacity hardfork (SegWit2X).
This ambiguity of bit 4 (NYA says it includes a 2x capacity hardfork, BIP91 says it does not) has continued to be a thorn in blocksize debates later. Economically speaking, Bitcoin futures between SegWit and SegWit2X showed strong economic dominance in favor of SegWit (SegWit2X futures were traded at a fraction in value of SegWit futures: I personally made a tidy but small amount of money betting against SegWit2X in the futures market), so suggesting that NYA achieved 80% dominance even in mining is laughable, but the NYA text that ties bit 4 to SegWit2X still exists.
Historically, BIP91 triggered which caused SegWit to activate before the BIP148 shorter timeout. BIP148 proponents continue to hold this day that it was the BIP148 shorter timeout and no-compromises-activate-on-August-1 that made miners flock to BIP91 as a face-saving tactic that actually removed the second clause of NYA. NYA supporters keep pointing to the bit 4 text in the NYA and the historical activation of BIP91 as a failed promise by Bitcoin developers.

Taproot Activation Proposals

There are two primary proposals I can see for Taproot activation:
  1. BIP8.
  2. Modern Softfork Activation.
We have discussed BIP8: roughly, it has bit and timeout, if 95% of miners signal bit it activates, at the end of timeout it activates. (EDIT: BIP8 has had recent updates: at the end of timeout it can now activate or fail. For the most part, in the below text "BIP8", means BIP8-and-activate-at-timeout, and "BIP9" means BIP8-and-fail-at-timeout)
So let's take a look at Modern Softfork Activation!

Modern Softfork Activation

This is a more complex activation method, composed of BIP9 and BIP8 as supcomponents.
  1. First have a 12-month BIP9 (fail at timeout).
  2. If the above fails to activate, have a 6-month discussion period during which users and developers and miners discuss whether to continue to step 3.
  3. Have a 24-month BIP8 (activate at timeout).
The total above is 42 months, if you are counting: 3.5 years worst-case activation.
The logic here is that if there are no problems, BIP9 will work just fine anyway. And if there are problems, the 6-month period should weed it out. Finally, miners cannot hold the feature hostage since the 24-month BIP8 period will exist anyway.

PSA: Being Resilient to Upgrades

Software is very birttle.
Anyone who has been using software for a long time has experienced something like this:
  1. You hear a new version of your favorite software has a nice new feature.
  2. Excited, you install the new version.
  3. You find that the new version has subtle incompatibilities with your current workflow.
  4. You are sad and downgrade to the older version.
  5. You find out that the new version has changed your files in incompatible ways that the old version cannot work with anymore.
  6. You tearfully reinstall the newer version and figure out how to get your lost productivity now that you have to adapt to a new workflow
If you are a technically-competent user, you might codify your workflow into a bunch of programs. And then you upgrade one of the external pieces of software you are using, and find that it has a subtle incompatibility with your current workflow which is based on a bunch of simple programs you wrote yourself. And if those simple programs are used as the basis of some important production system, you hve just screwed up because you upgraded software on an important production system.
And well, one of the issues with new softfork activation is that if not enough people (users and miners) upgrade to the newest Bitcoin software, the security of the new softfork rules are at risk.
Upgrading software of any kind is always a risk, and the more software you build on top of the software-being-upgraded, the greater you risk your tower of software collapsing while you change its foundations.
So if you have some complex Bitcoin-manipulating system with Bitcoin somewhere at the foundations, consider running two Bitcoin nodes:
  1. One is a "stable-version" Bitcoin node. Once it has synced, set it up to connect=x.x.x.x to the second node below (so that your ISP bandwidth is only spent on the second node). Use this node to run all your software: it's a stable version that you don't change for long periods of time. Enable txiindex, disable pruning, whatever your software needs.
  2. The other is an "always-up-to-date" Bitcoin Node. Keep its stoarge down with pruning (initially sync it off the "stable-version" node). You can't use blocksonly if your "stable-version" node needs to send transactions, but otherwise this "always-up-to-date" Bitcoin node can be kept as a low-resource node, so you can run both nodes in the same machine.
When a new Bitcoin version comes up, you just upgrade the "always-up-to-date" Bitcoin node. This protects you if a future softfork activates, you will only receive valid Bitcoin blocks and transactions. Since this node has nothing running on top of it, it is just a special peer of the "stable-version" node, any software incompatibilities with your system software do not exist.
Your "stable-version" Bitcoin node remains the same version until you are ready to actually upgrade this node and are prepared to rewrite most of the software you have running on top of it due to version compatibility problems.
When upgrading the "always-up-to-date", you can bring it down safely and then start it later. Your "stable-version" wil keep running, disconnected from the network, but otherwise still available for whatever queries. You do need some system to stop the "always-up-to-date" node if for any reason the "stable-version" goes down (otherwisee if the "always-up-to-date" advances its pruning window past what your "stable-version" has, the "stable-version" cannot sync afterwards), but if you are technically competent enough that you need to do this, you are technically competent enough to write such a trivial monitor program (EDIT: gmax notes you can adjust the pruning window by RPC commands to help with this as well).
This recommendation is from gmaxwell on IRC, by the way.
submitted by almkglor to Bitcoin [link] [comments]

[OWL WATCH] Waiting for "IOTA TIME" 20; Hans's re-defined directions for DLT

Disclaimer: This is my editing, so there could be some misunderstandings...
--------------------------------------------
wellwho오늘 오후 4:50
u/Ben Royce****how far is society2 from having something clickable powered by IOTA?
Ben Royce오늘 오후 4:51
demo of basic tech late sep/ early oct. MVP early 2021
---------------------------------------------------
HusQy
Colored coins are the most misunderstood upcoming feature of the IOTA protocol. A lot of people see them just as a competitor to ERC-20 tokens on ETH and therefore a way of tokenizing things on IOTA, but they are much more important because they enable "consensus on data".
Bob
All this stuff already works on neblio but decentralized and scaling to 3500 tps
HusQy
Neblio has 8 mb blocks with 30 seconds blocktime. This is a throughput of 8 mb / 30 seconds = 267 kb per second. Transactions are 401+ bytes which means that throughput is 267 kb / 401 bytes = 665 TPS. IOTA is faster, feeless and will get even faster with the next update ...
-----------------------------------------------------------------------------
HusQy
Which DLT would be more secure? One that is collaboratively validated by the economic actors of the world (coporations, companies, foundations, states, people) or one that is validated by an anonymous group of wealthy crypto holders?
HusQy
The problem with current DLTs is that we use protection mechanisms like Proof of Work and Proof of Stake that are inherently hard to shard. The more shards you have, the more you have to distribute your hashing power and your stake and the less secure the system becomes.
HusQy
Real world identities (i.e. all the big economic actors) however could shard into as many shards as necessary without making the system less secure. Todays DLTs waste trust in the same way as PoW wastes energy.
HusQy
Is a secure money worth anything if you can't trust the economic actors that you would buy stuff from? If you buy a car from Volkswagen and they just beat you up and throw you out of the shop after you payed then a secure money won't be useful either :P
HusQy
**I believe that if you want to make DLT work and be successful then we need to ultimately incorporate things like trust in entities into the technology.**Examples likes wirecard show that trusting a single company is problematic but trusting the economy as a whole should be at ...
**... least as secure as todays DLTs.**And as soon as you add sharding it will be orders of magnitude more secure. DLT has failed to deliver because people have tried to build a system in vacuum that completely ignores things that already exist and that you can leverage on.
----------------------------------------------------------------------------------
HusQy
Blockchain is a bit like people sitting in a room, trying to communicate through BINGO sheets. While they talk, they write down some of the things that have been said and as soon as one screams BINGO! he hands around his sheet to inform everybody about what has been said.
HusQy
If you think that this is the most efficient form of communication for people sitting in the same room and the answer to scalability is to make bigger BINGO sheets or to allow people to solve the puzzle faster then you will most probably never understand what IOTA is working on.
--------------------------------------------------------------------------------
HusQy
**Blockchain does not work with too many equally weighted validators.****If 400 validators produce a validating statement (block) at the same time then only one can survive as part of a longest chain.**IOTA is all about collaborative validation.
**Another problem of blockchain is that every transaction gets sent twice through the network. Once from the nodes to the miners and a 2nd time from the miners as part of a block.**Blockchain will therefore always only be able to use 50% of the network throughput.
And****the last problem is that you can not arbitrarily decrease the time between blocks as it breaks down if the time between blocks gets smaller than the average network delay. The idle time between blocks is precious time that could be used for processing transactions.
-----------------------------------------------------------------------------
HusQy
I am not talking about a system with a fixed number of validators but one that is completely open and permissionless where any new company can just spin up a node and take part in the network.
------------------------------------------------------------------------
HusQy
Proof of Work and Proof of Stake are both centralizing sybil-protection mechanism. I don't think that Satoshi wanted 14 mining pools to run the network.
And "economic clustering" was always the "end game" of IOTA.
-----------------------------------------------------------------------------
HusQy
**Using Proof of Stake is not trustless. Proof of Stake means you trust the richest people and hope that they approve your transactions. The rich are getting richer (through your fees) and you are getting more and more dependant on them.**Is that your vision of the future?
----------------------------------------------------------------------------

HusQy
Please read again exactly what I wrote. I have not spoken of introducing governance by large companies, nor have I said that IOTA should be permissioned. We aim for a network with millions or even billions of nodes.

HusQy
That can't work at all with a permissioned ledger - who should then drop off all these devices or authorize them to participate in the network? My key message was the following: Proof of Work and Proof of Stake will always be if you split them up via sharding ...

HusQy
... less secure because you simply need fewer coins or less hash power to have the majority of the votes in a shard. This is not the case with trust in society and the economy. When all companies in the world jointly secure a DLT ...

HusQy
... then these companies could install any number of servers in any number of shards without compromising security, because "trust" does not become less just because they operate several servers. First of all, that is a fact and nothing else.

HusQy
Proof of Work and Proof of Stake are contrary to the assumption of many not "trustless" but follow the maxim: "In the greed of miners we trust!" The basic assumption that the miners do not destroy the system that generates income for them is fundamental here for the ...

HusQy
... security of every DLT. I think a similar assumption would still be correct for the economy as a whole: The companies of the world (and not just the big ones) would not destroy the system with which their customers pay them. In this respect, a system would be ...

HusQy
... which is validated by society and the economy as a whole probably just as "safely" as a system which is validated by a few anonymous miners. Why a small elite of miners should be better validators than any human and ...

HusQy
... To be honest, companies in this world do not open up to me. As already written in my other thread, safe money does not bring you anything if you have to assume that Volkswagen will beat you up and throw you out of the store after you ...

HusQy
... paid for a car. The thoughts I discussed say nothing about the immediate future of IOTA (we use for Coordicide mana) but rather speak of a world where DLT has already become an integral part of our lives and we ...

HusQy
... a corresponding number of companies, non-profit organizations and people have used DLT and where such a system could be implemented. The point here is not to create a governance solution that in any way influences the development of technology ...

HusQy
... or have to give nodes their OK first, but about developing a system that enables people to freely choose the validators they trust. For example, you can also declare your grandma to be a validator when you install your node or your ...

HusQy
... local supermarket. Economic relationships in the real world usually form a close-knit network and it doesn't really matter who you follow as long as the majority is honest. I also don't understand your criticism of censorship, because something like that in IOTA ...

HusQy
... is almost impossible. Each transaction confirms two other transactions which is growing exponentially. If someone wanted to ignore a transaction, he would have to ignore an exponential number of other transactions after a very short time. In contrast to blockchain ...

HusQy
... validators in IOTA do not decide what is included in the ledger, but only decide which of several double spends should be confirmed. Honest transactions are confirmed simply by having other transactions reference them ...

HusQy
... and the "validators" are not even asked. As for the "dust problem", this is indeed something that is a bigger problem for IOTA than for other DLTs because we have no fees, but it is also not an unsolvable problem. Bitcoin initially has a ...

HusQy
Solved similar problem by declaring outputs with a minimum amount of 5430 satoshis as invalid ( github.com/Bitcoin/Bitcoi…). A similar solution where an address must contain a minimum amount is also conceivable for IOTA and we are discussing ...

HusQy
... several possibilities (including compressing dust using cryptographic methods). Contrary to your assumption, checking such a minimum amount is not slow but just as fast as checking a normal transaction. And mine ...

HusQy
... In my opinion this is no problem at all for IOTA's use case. The important thing is that you can send small amounts, but after IOTA is feeless it is also okay to expect the recipients to regularly send their payments on a ...

HusQy
... merge address. The wallets already do this automatically (sweeping) and for machines it is no problem to automate this process. So far this was not a problem because the TPS were limited but with the increased TPS throughput of ...

HusQy
... Chrysalis it becomes relevant and appropriate solutions are discussed and then implemented accordingly. I think that was the most important thing first and if you have further questions just write :)

HusQy
And to be very clear! I really appreciate you and your questions and don't see this as an attack at all! People who see such questions as inappropriate criticism should really ask whether they are still objective. I have little time at the moment because ...

HusQy
... my girlfriend is on tour and has to take care of our daughter, but as soon as she is back we can discuss these things in a video. I think that the concept of including the "real world" in the concepts of DLT is really exciting and ...

HusQy
... that would certainly be exciting to discuss in a joint video. But again, that's more of a vision than a specific plan for the immediate future. This would not work with blockchain anyway but IOTA would be compatible so why not think about such things.
-----------------------------------------------------------------------

HusQy
All good my big one :P But actually not that much has changed. There has always been the concept of "economic clustering" which is basically based on similar ideas. We are just now able to implement things like this for the first time.
----------------------------------------------------------------------------------

HusQy
Exactly. It would mean that addresses "cost" something but I would rather pay a few cents than fees for each transaction. And you can "take" this minimum amount with you every time you change to a new address.

HusQy
All good my big one :P But actually not that much has changed. There has always been the concept of "economic clustering" which is basically based on similar ideas. We are just now able to implement things like this for the first time.
-----------------------------------------------------------------------------------

Relax오늘 오전 1:17
Btw. Hans (sorry for interrupting this convo) but what make people say that IOTA is going the permissioned way because of your latest tweets? I don't get why some people are now forecasting that... Is it because of missing specs or do they just don't get the whole idea?

Hans Moog [IF]오늘 오전 1:20
its bullshit u/Relaxan identity based system would still be open and permissionless where everybody can choose the actors that they deem trustworthy themselves but thats anyway just sth that would be applicable with more adoption
[오전 1:20]
for now we use mana as a predecessor to an actual reputation system

Sissors오늘 오전 1:31
If everybody has to choose actors they deem trustworthy, is it still permissionless? Probably will become a bit a semantic discussion, but still

Hans Moog [IF]오늘 오전 1:34
Of course its permissionless you can follow your grandma if you want to :p

Sissors오늘 오전 1:36
Well sure you can, but you will need to follow something which has a majority of the voting power in the network. Nice that you follow your grandma, but if others dont, her opinion (or well her nodes opinion) is completely irrelevant

Hans Moog [IF]오늘 오전 1:37
You would ideally follow the people that are trustworthy rather than your local drug dealers yeah

Sissors오늘 오전 1:38
And tbh, sure if you do it like that is easy. If you just make the users responsible for only connection to trustworthy nodes

Hans Moog [IF]오늘 오전 1:38
And if your grandma follows her supermarket and some other people she deems trustworthy then thats fine as well
[오전 1:38]
+ you dont have just 1 actor that you follow

Sissors오늘 오전 1:38
No, you got a large list, since yo uwant to follow those which actually matter. So you jsut download a standard list from the internet

Hans Moog [IF]오늘 오전 1:39
You can do that
[오전 1:39]
Is bitcoin permissionless? Should we both try to become miners?
[오전 1:41]
I mean miners that actually matter and not find a block every 10 trillion years 📷
[오전 1:42]
If you would want to become a validator then you would need to build up trust among other people - but anybody can still run a node and issue transactions unlike in hashgraph where you are not able to run your own nodes(수정됨)
[오전 1:48]
Proof of Stake is also not trustless - it just has a builtin mechanism that downloads the trusted people from the blockchain itself (the richest dudes)

Sissors오늘 오전 1:52
I think most agree it would be perfect if every person had one vote. Which is pr oblematic to implement of course. But I really wonder if the solution is to just let users decide who to trust. At the very least I expect a quite centralized network

Hans Moog [IF]오늘 오전 1:53
of course even a trust based system would to a certain degree be centralized as not every person is equally trustworthy as for example a big cooperation
[오전 1:53]
but I think its gonna be less centralized than PoS or PoW
[오전 1:53]
but anyway its sth for "after coordicide"
[오전 1:54]
there are not enough trusted entities that are using DLT, yet to make such a system work reasonably well
[오전 1:54]
I think the reason why blockchain has not really started to look into these kind of concepts is because blockchain doesnt work with too many equally weighted validators
[오전 1:56]
I believe that DLT is only going to take over the world if it is actually "better" than existing systems and with better I mean cheaper, more secure and faster and PoS and PoW will have a very hard time to deliver that
[오전 1:56]
especially if you consider that its not only going to settle value transfers

Relax오늘 오전 1:57
I like this clear statements, it makes it really clear that DLT is still in its infancy

Hans Moog [IF]오늘 오전 1:57
currently bank transfers are order of magnitude cheaper than BTC or ETH transactions

Hans Moog [IF]오늘 오전 1:57
and we you think that people will adopt it just because its crypto then I think we are mistaken
[오전 1:57]
The tech needs to actually solve a problem
[오전 1:57]
and tbh. currently people use PayPal and other companies to settle their payments
[오전 1:58]
having a group of the top 500 companies run such a service together is already much better(수정됨)
[오전 1:58]
especially if its fast and feeless
[오전 2:02]
and the more people use it, the more decentralized it actually becomes
[오전 2:02]
because you have more trustworthy entities to choose of

Evaldas [IF]오늘 오전 2:08
"in the greed of miners we trust"


submitted by btlkhs to Iota [link] [comments]

Subreddit Stats: programming top posts from 2019-10-22 to 2020-10-21 06:41 PDT

Period: 364.67 days
Submissions Comments
Total 1000 180545
Rate (per day) 2.74 491.84
Unique Redditors 629 34951
Combined Score 1178903 2688497

Top Submitters' Top Submissions

  1. 47468 points, 49 submissions: iamkeyur
    1. One Guy Ruined Hacktoberfest 2020 (3039 points, 584 comments)
    2. AWS forked my project and launched it as its own service (2956 points, 810 comments)
    3. Privacy analysis of Tiktok’s app and website (2858 points, 234 comments)
    4. 98.css – design system for building faithful recreations of Windows 98 UIs (2781 points, 318 comments)
    5. Microsoft demos language model that writes code based on signature and comment (2621 points, 614 comments)
    6. Why does HTML think “chucknorris” is a color? (2565 points, 531 comments)
    7. Windows 95 UI Design (2309 points, 665 comments)
    8. The Linux codebase has over 3k TODO comments, many from over a decade ago (2119 points, 369 comments)
    9. eBay is port scanning visitors to their website (1829 points, 236 comments)
    10. Using const/let instead of var can make JavaScript code run 10× slower in Webkit (1814 points, 525 comments)
  2. 44853 points, 28 submissions: speckz
    1. From August, Chrome will start blocking ads that consume 4MB of network data, 15 seconds of CPU usage in any 30 second period, or 60 seconds of total CPU usage (8434 points, 590 comments)
    2. How To Spot Toxic Software Jobs From Their Descriptions (6246 points, 1281 comments)
    3. A Facebook crawler was making 7M requests per day to my stupid website (2662 points, 426 comments)
    4. Apple, Your Developer Documentation is Garbage (2128 points, 432 comments)
    5. The code I’m still ashamed of (2016) (2105 points, 429 comments)
    6. Slack Is Fumbling Developers And The Rise Of Developer Discords (2095 points, 811 comments)
    7. The Chromium project finds that around 70% of our serious security bugs are memory safety problems. Our next major project is to prevent such bugs at source. (1959 points, 418 comments)
    8. Advice to Myself When Starting Out as a Software Developer (1934 points, 257 comments)
    9. Software patents are another kind of disease (1893 points, 419 comments)
    10. My favourite Git commit (1772 points, 206 comments)
  3. 35237 points, 28 submissions: whackri
    1. It is perfectly OK to only code at work, you can have a life too (6765 points, 756 comments)
    2. Kernighan's Law - Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. (5171 points, 437 comments)
    3. The entire Apollo 11 computer code that helped get us to the Moon is available on github. (3841 points, 433 comments)
    4. Raytracing - in Excel! (2478 points, 168 comments)
    5. Writing userspace USB drivers for abandoned devices (1689 points, 84 comments)
    6. Drum Machine in Excel (1609 points, 60 comments)
    7. fork() can fail: this is important (1591 points, 264 comments)
    8. Learn how computers add numbers and build a 4 bit adder circuit (1548 points, 66 comments)
    9. Heroes Of Might And Magic III engine written from scratch (open source, playable) (1453 points, 84 comments)
    10. Apollo Guidance Computer: Restoring the computer that put man on the Moon (1277 points, 47 comments)
  4. 14588 points, 11 submissions: pimterry
    1. I'm a software engineer going blind, how should I prepare? (4237 points, 351 comments)
    2. The 2038 problem is already affecting some systems (1988 points, 518 comments)
    3. TLDR pages: Simplified, community-driven man pages (1897 points, 182 comments)
    4. JetBrains Mono: A Typeface for Developers (1728 points, 456 comments)
    5. BlurHash: extremely compact representations of image placeholders (930 points, 159 comments)
    6. Let's Destroy C (855 points, 290 comments)
    7. Shared Cache is Going Away (833 points, 192 comments)
    8. XML is almost always misused (766 points, 538 comments)
    9. Wireshark has a new packet diagram view (688 points, 24 comments)
    10. fork() can fail: this is important (460 points, 299 comments)
  5. 14578 points, 9 submissions: magenta_placenta
    1. Trello handed over user's personal account to user's previous company (2962 points, 489 comments)
    2. Feds: IBM did discriminate against older workers in making layoffs - “Analysis shows it was primarily older workers (85.85%) in the total potential pool of those considered for layoff,” the EEOC wrote (2809 points, 509 comments)
    3. Stripe Workers Who Relocate Get $20,000 Bonus and a Pay Cut - Stripe Inc. plans to make a one-time payment of $20,000 to employees who opt to move out of San Francisco, New York or Seattle, but also cut their base salary by as much as 10% (2765 points, 989 comments)
    4. US court fully legalized website scraping and technically prohibited it - On September 9, the U.S. 9th circuit court of Appeals ruled that web scraping public sites does not violate the CFAA (Computer Fraud and Abuse Act) (2014 points, 327 comments)
    5. I Suspect many Task Deadlines are Designed to Force Engineers to Work for Free (1999 points, 553 comments)
    6. Intent to Deprecate and Freeze: The User-Agent string (1012 points, 271 comments)
    7. Contractor admits planting logic bombs in his software to ensure he’d get new work (399 points, 182 comments)
    8. AlphaStar: Grandmaster level in StarCraft II using multi-agent reinforcement learning (396 points, 97 comments)
    9. Half of the websites using WebAssembly use it for malicious purposes - WebAssembly not that popular: Only 1,639 sites of the Top 1 Million use WebAssembly (222 points, 133 comments)
  6. 13750 points, 3 submissions: pedrovhb
    1. Bubble sort visualization (7218 points, 276 comments)
    2. Breadth-first search visualization (3874 points, 96 comments)
    3. Selection sort visualization (2658 points, 80 comments)
  7. 11833 points, 1 submission: flaming_bird
    1. 20GB leak of Intel data: whole Git repositories, dev tools, backdoor mentions in source code (11833 points, 956 comments)
  8. 11208 points, 10 submissions: PowerOfLove1985
    1. No cookie consent walls — and no, scrolling isn’t consent, says EU data protection body (5975 points, 890 comments)
    2. Redesigning uBlock Origin (1184 points, 162 comments)
    3. Playing Around With The Fuchsia Operating System (696 points, 164 comments)
    4. Microsoft's underwater data centre resurfaces after two years (623 points, 199 comments)
    5. Microsoft Paint/Paintbrush in Javascript (490 points, 58 comments)
    6. GitHub shuts off access to Aurelia repository, citing trade sanctions (478 points, 81 comments)
    7. How 3D Game Rendering Works: Texturing (475 points, 22 comments)
    8. Simdjson: Parsing Gigabytes of JSON per Second (441 points, 90 comments)
    9. How 1500 bytes became the MTU of the internet (435 points, 60 comments)
    10. It’s OK for your open source library to be a bit shitty (411 points, 130 comments)
  9. 10635 points, 8 submissions: michalg82
    1. Turning animations to 60fps using AI (3449 points, 234 comments)
    2. Bug #1463112 “Cat sitting on keyboard crashes lightdm” (3150 points, 143 comments)
    3. Heroes Of Might And Magic III engine written from scratch (open source, playable) (1431 points, 172 comments)
    4. Vulkan is coming to Raspberry Pi: first triangle - Raspberry Pi (1318 points, 66 comments)
    5. An EPYC trip to Rome: AMD is Cloudflare's 10th-generation Edge server CPU (431 points, 60 comments)
    6. Microsoft cancels GDC 2020 presence due to coronavirus concerns (Following Sony, Facebook, Kojima Productions, Epic Games, Unity, and more) (371 points, 52 comments)
    7. Moving from reCAPTCHA to hCaptcha - The Cloudflare Blog (278 points, 71 comments)
    8. How much of a genius-level move was using binary space partitioning in Doom? (207 points, 109 comments)
  10. 10106 points, 10 submissions: SerenityOS
    1. Someone suggested I should host my website on my own OS. For that we'll need a web server, so here's me building a basic web server in C++ for SerenityOS! (2269 points, 149 comments)
    2. I've been learning about OS security lately. Here's me making a local root exploit for SerenityOS, and then fixing the kernel bugs that made it possible! (1372 points, 87 comments)
    3. SerenityOS was hacked in a 36c3 CTF! (Exploit and write-up) (1236 points, 40 comments)
    4. One week ago, I started building a JavaScript engine for SerenityOS. Here’s me integrating it with the web browser and adding some simple API’s like alert()! (1169 points, 63 comments)
    5. Implementing macOS-style "purgeable memory" in my kernel. This technique is amazing and helps apps be better memory usage citizens! (1131 points, 113 comments)
    6. SerenityOS: The second year (900 points, 101 comments)
    7. Using my own C++ IDE to make a little program for decorating my webcam frame (571 points, 33 comments)
    8. This morning I ported git to SerenityOS. It took about an hour and some hacks, but it works! :D (547 points, 64 comments)
    9. Smarter C/C++ inlining with attribute((flatten)) (521 points, 118 comments)
    10. Introduction to SerenityOS GUI programming (390 points, 45 comments)

Top Commenters

  1. XANi_ (10753 points, 821 comments)
  2. dnew (7513 points, 641 comments)
  3. drysart (7479 points, 202 comments)
  4. MuonManLaserJab (6666 points, 233 comments)
  5. SanityInAnarchy (6331 points, 350 comments)
  6. AngularBeginner (6215 points, 59 comments)
  7. SerenityOS (5627 points, 128 comments)
  8. chucker23n (5465 points, 370 comments)
  9. IshKebab (4898 points, 393 comments)
  10. L3tum (4857 points, 199 comments)

Top Submissions

  1. 20GB leak of Intel data: whole Git repositories, dev tools, backdoor mentions in source code by flaming_bird (11833 points, 956 comments)
  2. hentAI: Detecting and removing censors with Deep Learning and Image Segmentation by 7cmStrangler (9621 points, 395 comments)
  3. US Politicians Want to Ban End-to-End Encryption by CarrotRobber (9427 points, 523 comments)
  4. From August, Chrome will start blocking ads that consume 4MB of network data, 15 seconds of CPU usage in any 30 second period, or 60 seconds of total CPU usage by speckz (8434 points, 590 comments)
  5. Mozilla: The Greatest Tech Company Left Behind by matthewpmacdonald (7566 points, 1087 comments)
  6. Bubble sort visualization by pedrovhb (7218 points, 276 comments)
  7. During lockdown my wife has been suffering mentally from pressure to stay at her desk 100% of the time otherwise after a few minutes her laptop locks and she is recorded as inactive. I wrote this small app to help her escape her desk by periodically moving the cursor. Hopefully it can help others. by silitbang6000 (7193 points, 855 comments)
  8. It is perfectly OK to only code at work, you can have a life too by whackri (6765 points, 756 comments)
  9. Blockchain, the amazing solution for almost nothing by imogenchampagne (6725 points, 1561 comments)
  10. Blockchain, the amazing solution for almost nothing by jessefrederik (6524 points, 1572 comments)

Top Comments

  1. 2975 points: deleted's comment in hentAI: Detecting and removing censors with Deep Learning and Image Segmentation
  2. 2772 points: I_DONT_LIE_MUCH's comment in 20GB leak of Intel data: whole Git repositories, dev tools, backdoor mentions in source code
  3. 2485 points: api's comment in Stripe Workers Who Relocate Get $20,000 Bonus and a Pay Cut - Stripe Inc. plans to make a one-time payment of $20,000 to employees who opt to move out of San Francisco, New York or Seattle, but also cut their base salary by as much as 10%
  4. 2484 points: a_false_vacuum's comment in Stack Overflow lays off 15%
  5. 2464 points: iloveparagon's comment in Google engineer breaks down the problems he uses when doing technical interviews. Lots of advice on algorithms and programming.
  6. 2384 points: why_not_both_bot's comment in During lockdown my wife has been suffering mentally from pressure to stay at her desk 100% of the time otherwise after a few minutes her laptop locks and she is recorded as inactive. I wrote this small app to help her escape her desk by periodically moving the cursor. Hopefully it can help others.
  7. 2293 points: ThatInternetGuy's comment in Iranian Maintainer refuses to merge code from Israeli Developer. Cites Iranian regulations.
  8. 2268 points: xequae's comment in I'm a software engineer going blind, how should I prepare?
  9. 2228 points: turniphat's comment in AWS forked my project and launched it as its own service
  10. 2149 points: Rami-Slicer's comment in 20GB leak of Intel data: whole Git repositories, dev tools, backdoor mentions in source code
Generated with BBoe's Subreddit Stats
submitted by flpezet to subreddit_stats [link] [comments]

Scaling Reddit Community Points with Arbitrum Rollup: a piece of cake

Scaling Reddit Community Points with Arbitrum Rollup: a piece of cake
https://preview.redd.it/b80c05tnb9e51.jpg?width=2550&format=pjpg&auto=webp&s=850282c1a3962466ed44f73886dae1c8872d0f31
Submitted for consideration to The Great Reddit Scaling Bake-Off
Baked by the pastry chefs at Offchain Labs
Please send questions or comments to [[email protected] ](mailto:[email protected])
1. Overview
We're excited to submit Arbitrum Rollup for consideration to The Great Reddit Scaling Bake-Off. Arbitrum Rollup is the only Ethereum scaling solution that supports arbitrary smart contracts without compromising on Ethereum's security or adding points of centralization. For Reddit, this means that Arbitrum can not only scale the minting and transfer of Community Points, but it can foster a creative ecosystem built around Reddit Community Points enabling points to be used in a wide variety of third party applications. That's right -- you can have your cake and eat it too!
Arbitrum Rollup isn't just Ethereum-style. Its Layer 2 transactions are byte-for-byte identical to Ethereum, which means Ethereum users can continue to use their existing addresses and wallets, and Ethereum developers can continue to use their favorite toolchains and development environments out-of-the-box with Arbitrum. Coupling Arbitrum’s tooling-compatibility with its trustless asset interoperability, Reddit not only can scale but can onboard the entire Ethereum community at no cost by giving them the same experience they already know and love (well, certainly know).
To benchmark how Arbitrum can scale Reddit Community Points, we launched the Reddit contracts on an Arbitrum Rollup chain. Since Arbitrum provides full Solidity support, we didn't have to rewrite the Reddit contracts or try to mimic their functionality using an unfamiliar paradigm. Nope, none of that. We launched the Reddit contracts unmodified on Arbitrum Rollup complete with support for minting and distributing points. Like every Arbitrum Rollup chain, the chain included a bridge interface in which users can transfer Community Points or any other asset between the L1 and L2 chains. Arbitrum Rollup chains also support dynamic contract loading, which would allow third-party developers to launch custom ecosystem apps that integrate with Community Points on the very same chain that runs the Reddit contracts.
1.1 Why Ethereum
Perhaps the most exciting benefit of distributing Community Points using a blockchain is the ability to seamlessly port points to other applications and use them in a wide variety of contexts. Applications may include simple transfers such as a restaurant that allows Redditors to spend points on drinks. Or it may include complex smart contracts -- such as placing Community Points as a wager for a multiparty game or as collateral in a financial contract.
The common denominator between all of the fun uses of Reddit points is that it needs a thriving ecosystem of both users and developers, and the Ethereum blockchain is perhaps the only smart contract platform with significant adoption today. While many Layer 1 blockchains boast lower cost or higher throughput than the Ethereum blockchain, more often than not, these attributes mask the reality of little usage, weaker security, or both.
Perhaps another platform with significant usage will rise in the future. But today, Ethereum captures the mindshare of the blockchain community, and for Community Points to provide the most utility, the Ethereum blockchain is the natural choice.
1.2 Why Arbitrum
While Ethereum's ecosystem is unmatched, the reality is that fees are high and capacity is too low to support the scale of Reddit Community Points. Enter Arbitrum. Arbitrum Rollup provides all of the ecosystem benefits of Ethereum, but with orders of magnitude more capacity and at a fraction of the cost of native Ethereum smart contracts. And most of all, we don't change the experience from users. They continue to use the same wallets, addresses, languages, and tools.
Arbitrum Rollup is not the only solution that can scale payments, but it is the only developed solution that can scale both payments and arbitrary smart contracts trustlessly, which means that third party users can build highly scalable add-on apps that can be used without withdrawing money from the Rollup chain. If you believe that Reddit users will want to use their Community Points in smart contracts--and we believe they will--then it makes the most sense to choose a single scaling solution that can support the entire ecosystem, eliminating friction for users.
We view being able to run smart contracts in the same scaling solution as fundamentally critical since if there's significant demand in running smart contracts from Reddit's ecosystem, this would be a load on Ethereum and would itself require a scaling solution. Moreover, having different scaling solutions for the minting/distribution/spending of points and for third party apps would be burdensome for users as they'd have to constantly shuffle their Points back and forth.
2. Arbitrum at a glance
Arbitrum Rollup has a unique value proposition as it offers a combination of features that no other scaling solution achieves. Here we highlight its core attributes.
Decentralized. Arbitrum Rollup is as decentralized as Ethereum. Unlike some other Layer 2 scaling projects, Arbitrum Rollup doesn't have any centralized components or centralized operators who can censor users or delay transactions. Even in non-custodial systems, centralized components provide a risk as the operators are generally incentivized to increase their profit by extracting rent from users often in ways that severely degrade user experience. Even if centralized operators are altruistic, centralized components are subject to hacking, coercion, and potential liability.
Massive Scaling. Arbitrum achieves order of magnitude scaling over Ethereum's L1 smart contracts. Our software currently supports 453 transactions-per-second for basic transactions (at 1616 Ethereum gas per tx). We have a lot of room left to optimize (e.g. aggregating signatures), and over the next several months capacity will increase significantly. As described in detail below, Arbitrum can easily support and surpass Reddit's anticipated initial load, and its capacity will continue to improve as Reddit's capacity needs grow.
Low cost. The cost of running Arbitrum Rollup is quite low compared to L1 Ethereum and other scaling solutions such as those based on zero-knowledge proofs. Layer 2 fees are low, fixed, and predictable and should not be overly burdensome for Reddit to cover. Nobody needs to use special equipment or high-end machines. Arbitrum requires validators, which is a permissionless role that can be run on any reasonable on-line machine. Although anybody can act as a validator, in order to protect against a “tragedy of the commons” and make sure reputable validators are participating, we support a notion of “invited validators” that are compensated for their costs. In general, users pay (low) fees to cover the invited validators’ costs, but we imagine that Reddit may cover this cost for its users. See more on the costs and validator options below.
Ethereum Developer Experience. Not only does Arbitrum support EVM smart contracts, but the developer experience is identical to that of L1 Ethereum contracts and fully compatible with Ethereum tooling. Developers can port existing Solidity apps or write new ones using their favorite and familiar toolchains (e.g. Truffle, Buidler). There are no new languages or coding paradigms to learn.
Ethereum wallet compatibility. Just as in Ethereum, Arbitrum users need only hold keys, but do not have to store any coin history or additional data to protect or access their funds. Since Arbitrum transactions are semantically identical to Ethereum L1 transactions, existing Ethereum users can use their existing Ethereum keys with their existing wallet software such as Metamask.
Token interoperability. Users can easily transfer their ETH, ERC-20 and ERC-721 tokens between Ethereum and the Arbitrum Rollup chain. As we explain in detail below, it is possible to mint tokens in L2 that can subsequently be withdrawn and recognized by the L1 token contract.
Fast finality. Transactions complete with the same finality time as Ethereum L1 (and it's possible to get faster finality guarantees by trading away trust assumptions; see the Arbitrum Rollup whitepaper for details).
Non-custodial. Arbitrum Rollup is a non-custodial scaling solution, so users control their funds/points and neither Reddit nor anyone else can ever access or revoke points held by users.
Censorship Resistant. Since it's completely decentralized, and the Arbitrum protocol guarantees progress trustlessly, Arbitrum Rollup is just as censorship-proof as Ethereum.
Block explorer. The Arbitrum Rollup block explorer allows users to view and analyze transactions on the Rollup chain.
Limitations
Although this is a bake-off, we're not going to sugar coat anything. Arbitrum Rollup, like any Optimistic Rollup protocol, does have one limitation, and that's the delay on withdrawals.
As for the concrete length of the delay, we've done a good deal of internal modeling and have blogged about this as well. Our current modeling suggests a 3-hour delay is sufficient (but as discussed in the linked post there is a tradeoff space between the length of the challenge period and the size of the validators’ deposit).
Note that this doesn't mean that the chain is delayed for three hours. Arbitrum Rollup supports pipelining of execution, which means that validators can keep building new states even while previous ones are “in the pipeline” for confirmation. As the challenge delays expire for each update, a new state will be confirmed (read more about this here).
So activity and progress on the chain are not delayed by the challenge period. The only thing that's delayed is the consummation of withdrawals. Recall though that any single honest validator knows immediately (at the speed of L1 finality) which state updates are correct and can guarantee that they will eventually be confirmed, so once a valid withdrawal has been requested on-chain, every honest party knows that the withdrawal will definitely happen. There's a natural place here for a liquidity market in which a validator (or someone who trusts a validator) can provide withdrawal loans for a small interest fee. This is a no-risk business for them as they know which withdrawals will be confirmed (and can force their confirmation trustlessly no matter what anyone else does) but are just waiting for on-chain finality.
3. The recipe: How Arbitrum Rollup works
For a description of the technical components of Arbitrum Rollup and how they interact to create a highly scalable protocol with a developer experience that is identical to Ethereum, please refer to the following documents:
Arbitrum Rollup Whitepaper
Arbitrum academic paper (describes a previous version of Arbitrum)
4. Developer docs and APIs
For full details about how to set up and interact with an Arbitrum Rollup chain or validator, please refer to our developer docs, which can be found at https://developer.offchainlabs.com/.
Note that the Arbitrum version described on that site is older and will soon be replaced by the version we are entering in Reddit Bake-Off, which is still undergoing internal testing before public release.
5. Who are the validators?
As with any Layer 2 protocol, advancing the protocol correctly requires at least one validator (sometimes called block producers) that is honest and available. A natural question is: who are the validators?
Recall that the validator set for an Arbitrum chain is open and permissionless; anyone can start or stop validating at will. (A useful analogy is to full nodes on an L1 chain.) But we understand that even though anyone can participate, Reddit may want to guarantee that highly reputable nodes are validating their chain. Reddit may choose to validate the chain themselves and/or hire third-party validators.To this end, we have begun building a marketplace for validator-for-hire services so that dapp developers can outsource validation services to reputable nodes with high up-time. We've announced a partnership in which Chainlink nodes will provide Arbitrum validation services, and we expect to announce more partnerships shortly with other blockchain infrastructure providers.
Although there is no requirement that validators are paid, Arbitrum’s economic model tracks validators’ costs (e.g. amount of computation and storage) and can charge small fees on user transactions, using a gas-type system, to cover those costs. Alternatively, a single party such as Reddit can agree to cover the costs of invited validators.
6. Reddit Contract Support
Since Arbitrum contracts and transactions are byte-for-byte compatible with Ethereum, supporting the Reddit contracts is as simple as launching them on an Arbitrum chain.
Minting. Arbitrum Rollup supports hybrid L1/L2 tokens which can be minted in L2 and then withdrawn onto the L1. An L1 contract at address A can make a special call to the EthBridge which deploys a "buddy contract" to the same address A on an Arbitrum chain. Since it's deployed at the same address, users can know that the L2 contract is the authorized "buddy" of the L1 contract on the Arbitrum chain.
For minting, the L1 contract is a standard ERC-20 contract which mints and burns tokens when requested by the L2 contract. It is paired with an ERC-20 contract in L2 which mints tokens based on whatever programmer provided minting facility is desired and burns tokens when they are withdrawn from the rollup chain. Given this base infrastructure, Arbitrum can support any smart contract based method for minting tokens in L2, and indeed we directly support Reddit's signature/claim based minting in L2.
Batch minting. What's better than a mint cookie? A whole batch! In addition to supporting Reddit’s current minting/claiming scheme, we built a second minting design, which we believe outperforms the signature/claim system in many scenarios.
In the current system, Reddit periodically issues signed statements to users, who then take those statements to the blockchain to claim their tokens. An alternative approach would have Reddit directly submit the list of users/amounts to the blockchain and distribute the tokens to the users without the signature/claim process.
To optimize the cost efficiency of this approach, we designed an application-specific compression scheme to minimize the size of the batch distribution list. We analyzed the data from Reddit's previous distributions and found that the data is highly compressible since token amounts are small and repeated, and addresses appear multiple times. Our function groups transactions by size, and replaces previously-seen addresses with a shorter index value. We wrote client code to compress the data, wrote a Solidity decompressing function, and integrated that function into Reddit’s contract running on Arbitrum.
When we ran the compression function on the previous Reddit distribution data, we found that we could compress batched minting data down to to 11.8 bytes per minting event (averaged over a 6-month trace of Reddit’s historical token grants)compared with roughly 174 bytes of on-chain data needed for the signature claim approach to minting (roughly 43 for an RLP-encoded null transaction + 65 for Reddit's signature + 65 for the user's signature + roughly 8 for the number of Points) .
The relative benefit of the two approaches with respect to on-chain call data cost depends on the percentage of users that will actually claim their tokens on chain. With the above figures, batch minting will be cheaper if roughly 5% of users redeem their claims. We stress that our compression scheme is not Arbitrum-specific and would be beneficial in any general-purpose smart contract platform.
8. Benchmarks and costs
In this section, we give the full costs of operating the Reddit contracts on an Arbitrum Rollup chain including the L1 gas costs for the Rollup chain, the costs of computation and storage for the L2 validators as well as the capital lockup requirements for staking.
Arbitrum Rollup is still on testnet, so we did not run mainnet benchmarks. Instead, we measured the L1 gas cost and L2 workload for Reddit operations on Arbitrum and calculated the total cost assuming current Ethereum gas prices. As noted below in detail, our measurements do not assume that Arbitrum is consuming the entire capacity of Ethereum. We will present the details of our model now, but for full transparency you can also play around with it yourself and adjust the parameters, by copying the spreadsheet found here.
Our cost model is based on measurements of Reddit’s contracts, running unmodified (except for the addition of a batch minting function) on Arbitrum Rollup on top of Ethereum.
On the distribution of transactions and frequency of assertions. Reddit's instructions specify the following minimum parameters that submissions should support:
Over a 5 day period, your scaling PoC should be able to handle:
  • 100,000 point claims (minting & distributing points)
  • 25,000 subscriptions
  • 75,000 one-off points burning
  • 100,000 transfers
We provide the full costs of operating an Arbitrum Rollup chain with this usage under the assumption that tokens are minted or granted to users in batches, but other transactions are uniformly distributed over the 5 day period. Unlike some other submissions, we do not make unrealistic assumptions that all operations can be submitted in enormous batches. We assume that batch minting is done in batches that use only a few percent on an L1 block’s gas, and that other operations come in evenly over time and are submitted in batches, with one batch every five minutes to keep latency reasonable. (Users are probably already waiting for L1 finality, which takes at least that long to achieve.)
We note that assuming that there are only 300,000 transactions that arrive uniformly over the 5 day period will make our benchmark numbers lower, but we believe that this will reflect the true cost of running the system. To see why, say that batches are submitted every five minutes (20 L1 blocks) and there's a fixed overhead of c bytes of calldata per batch, the cost of which will get amortized over all transactions executed in that batch. Assume that each individual transaction adds a marginal cost of t. Lastly assume the capacity of the scaling system is high enough that it can support all of Reddit's 300,000 transactions within a single 20-block batch (i.e. that there is more than c + 300,000*t byes of calldata available in 20 blocks).
Consider what happens if c, the per-batch overhead, is large (which it is in some systems, but not in Arbitrum). In the scenario that transactions actually arrive at the system's capacity and each batch is full, then c gets amortized over 300,000 transactions. But if we assume that the system is not running at capacity--and only receives 300,000 transactions arriving uniformly over 5 days-- then each 20-block assertion will contain about 200 transactions, and thus each transaction will pay a nontrivial cost due to c.
We are aware that other proposals presented scaling numbers assuming that 300,000 transactions arrived at maximum capacity and was executed in a single mega-transaction, but according to our estimates, for at least one such report, this led to a reported gas price that was 2-3 orders of magnitude lower than it would have been assuming uniform arrival. We make more realistic batching assumptions, and we believe Arbitrum compares well when batch sizes are realistic.
Our model. Our cost model includes several sources of cost:
  • L1 gas costs: This is the cost of posting transactions as calldata on the L1 chain, as well as the overhead associated with each batch of transactions, and the L1 cost of settling transactions in the Arbitrum protocol.
  • Validator’s staking costs: In normal operation, one validator will need to be staked. The stake is assumed to be 0.2% of the total value of the chain (which is assumed to be $1 per user who is eligible to claim points). The cost of staking is the interest that could be earned on the money if it were not staked.
  • Validator computation and storage: Every validator must do computation to track the chain’s processing of transactions, and must maintain storage to keep track of the contracts’ EVM storage. The cost of computation and storage are estimated based on measurements, with the dollar cost of resources based on Amazon Web Services pricing.
It’s clear from our modeling that the predominant cost is for L1 calldata. This will probably be true for any plausible rollup-based system.
Our model also shows that Arbitrum can scale to workloads much larger than Reddit’s nominal workload, without exhausting L1 or L2 resources. The scaling bottleneck will ultimately be calldata on the L1 chain. We believe that cost could be reduced substantially if necessary by clever encoding of data. (In our design any compression / decompression of L2 transaction calldata would be done by client software and L2 programs, never by an L1 contract.)
9. Status of Arbitrum Rollup
Arbitrum Rollup is live on Ethereum testnet. All of the code written to date including everything included in the Reddit demo is open source and permissively licensed under the Apache V2 license. The first testnet version of Arbitrum Rollup was released on testnet in February. Our current internal version, which we used to benchmark the Reddit contracts, will be released soon and will be a major upgrade.
Both the Arbitrum design as well as the implementation are heavily audited by independent third parties. The Arbitrum academic paper was published at USENIX Security, a top-tier peer-reviewed academic venue. For the Arbitrum software, we have engaged Trail of Bits for a security audit, which is currently ongoing, and we are committed to have a clean report before launching on Ethereum mainnet.
10. Reddit Universe Arbitrum Rollup Chain
The benchmarks described in this document were all measured using the latest internal build of our software. When we release the new software upgrade publicly we will launch a Reddit Universe Arbitrum Rollup chain as a public demo, which will contain the Reddit contracts as well as a Uniswap instance and a Connext Hub, demonstrating how Community Points can be integrated into third party apps. We will also allow members of the public to dynamically launch ecosystem contracts. We at Offchain Labs will cover the validating costs for the Reddit Universe public demo.
If the folks at Reddit would like to evaluate our software prior to our public demo, please email us at [email protected] and we'd be more than happy to provide early access.
11. Even more scaling: Arbitrum Sidechains
Rollups are an excellent approach to scaling, and we are excited about Arbitrum Rollup which far surpasses Reddit's scaling needs. But looking forward to Reddit's eventual goal of supporting hundreds of millions of users, there will likely come a time when Reddit needs more scaling than any Rollup protocol can provide.
While Rollups greatly reduce costs, they don't break the linear barrier. That is, all transactions have an on-chain footprint (because all calldata must be posted on-chain), albeit a far smaller one than on native Ethereum, and the L1 limitations end up being the bottleneck for capacity and cost. Since Ethereum has limited capacity, this linear use of on-chain resources means that costs will eventually increase superlinearly with traffic.
The good news is that we at Offchain Labs have a solution in our roadmap that can satisfy this extreme-scaling setting as well: Arbitrum AnyTrust Sidechains. Arbitrum Sidechains are similar to Arbitrum Rollup, but deviate in that they name a permissioned set of validators. When a chain’s validators agree off-chain, they can greatly reduce the on-chain footprint of the protocol and require almost no data to be put on-chain. When validators can't reach unanimous agreement off-chain, the protocol reverts to Arbitrum Rollup. Technically, Arbitrum Sidechains can be viewed as a hybrid between state channels and Rollup, switching back and forth as necessary, and combining the performance and cost that state channels can achieve in the optimistic case, with the robustness of Rollup in other cases. The core technical challenge is how to switch seamlessly between modes and how to guarantee that security is maintained throughout.
Arbitrum Sidechains break through this linear barrier, while still maintaining a high level of security and decentralization. Arbitrum Sidechains provide the AnyTrust guarantee, which says that as long as any one validator is honest and available (even if you don't know which one will be), the L2 chain is guaranteed to execute correctly according to its code and guaranteed to make progress. Unlike in a state channel, offchain progress does not require unanimous consent, and liveness is preserved as long as there is a single honest validator.
Note that the trust model for Arbitrum Sidechains is much stronger than for typical BFT-style chains which introduce a consensus "voting" protocols among a small permissioned group of validators. BFT-based protocols require a supermajority (more than 2/3) of validators to agree. In Arbitrum Sidechains, by contrast, all you need is a single honest validator to achieve guaranteed correctness and progress. Notice that in Arbitrum adding validators strictly increases security since the AnyTrust guarantee provides correctness as long as any one validator is honest and available. By contrast, in BFT-style protocols, adding nodes can be dangerous as a coalition of dishonest nodes can break the protocol.
Like Arbitrum Rollup, the developer and user experiences for Arbitrum Sidechains will be identical to that of Ethereum. Reddit would be able to choose a large and diverse set of validators, and all that they would need to guarantee to break through the scaling barrier is that a single one of them will remain honest.
We hope to have Arbitrum Sidechains in production in early 2021, and thus when Reddit reaches the scale that surpasses the capacity of Rollups, Arbitrum Sidechains will be waiting and ready to help.
While the idea to switch between channels and Rollup to get the best of both worlds is conceptually simple, getting the details right and making sure that the switch does not introduce any attack vectors is highly non-trivial and has been the subject of years of our research (indeed, we were working on this design for years before the term Rollup was even coined).
12. How Arbitrum compares
We include a comparison to several other categories as well as specific projects when appropriate. and explain why we believe that Arbitrum is best suited for Reddit's purposes. We focus our attention on other Ethereum projects.
Payment only Rollups. Compared to Arbitrum Rollup, ZK-Rollups and other Rollups that only support token transfers have several disadvantages:
  • As outlined throughout the proposal, we believe that the entire draw of Ethereum is in its rich smart contracts support which is simply not achievable with today's zero-knowledge proof technology. Indeed, scaling with a ZK-Rollup will add friction to the deployment of smart contracts that interact with Community Points as users will have to withdraw their coins from the ZK-Rollup and transfer them to a smart contract system (like Arbitrum). The community will be best served if Reddit builds on a platform that has built-in, frictionless smart-contract support.
  • All other Rollup protocols of which we are aware employ a centralized operator. While it's true that users retain custody of their coins, the centralized operator can often profit from censoring, reordering, or delaying transactions. A common misconception is that since they're non-custodial protocols, a centralized sequencer does not pose a risk but this is incorrect as the sequencer can wreak havoc or shake down users for side payments without directly stealing funds.
  • Sidechain type protocols can eliminate some of these issues, but they are not trustless. Instead, they require trust in some quorum of a committee, often requiring two-third of the committee to be honest, compared to rollup protocols like Arbitrum that require only a single honest party. In addition, not all sidechain type protocols have committees that are diverse, or even non-centralized, in practice.
  • Plasma-style protocols have a centralized operator and do not support general smart contracts.
13. Concluding Remarks
While it's ultimately up to the judges’ palate, we believe that Arbitrum Rollup is the bakeoff choice that Reddit kneads. We far surpass Reddit's specified workload requirement at present, have much room to optimize Arbitrum Rollup in the near term, and have a clear path to get Reddit to hundreds of millions of users. Furthermore, we are the only project that gives developers and users the identical interface as the Ethereum blockchain and is fully interoperable and tooling-compatible, and we do this all without any new trust assumptions or centralized components.
But no matter how the cookie crumbles, we're glad to have participated in this bake-off and we thank you for your consideration.
About Offchain Labs
Offchain Labs, Inc. is a venture-funded New York company that spun out of Princeton University research, and is building the Arbitrum platform to usher in the next generation of scalable, interoperable, and compatible smart contracts. Offchain Labs is backed by Pantera Capital, Compound VC, Coinbase Ventures, and others.
Leadership Team
Ed Felten
Ed Felten is Co-founder and Chief Scientist at Offchain Labs. He is on leave from Princeton University, where he is the Robert E. Kahn Professor of Computer Science and Public Affairs. From 2015 to 2017 he served at the White House as Deputy United States Chief Technology Officer and senior advisor to the President. He is an ACM Fellow and member of the National Academy of Engineering. Outside of work, he is an avid runner, cook, and L.A. Dodgers fan.
Steven Goldfeder
Steven Goldfeder is Co-founder and Chief Executive Officer at Offchain Labs. He holds a PhD from Princeton University, where he worked at the intersection of cryptography and cryptocurrencies including threshold cryptography, zero-knowledge proof systems, and post-quantum signatures. He is a co-author of Bitcoin and Cryptocurrency Technologies, the leading textbook on cryptocurrencies, and he has previously worked at Google and Microsoft Research, where he co-invented the Picnic signature algorithm. When not working, you can find Steven spending time with his family, taking a nature walk, or twisting balloons.
Harry Kalodner
Harry Kalodner is Co-founder and Chief Technology Officer at Offchain Labs where he leads the engineering team. Before the company he attended Princeton as a Ph.D candidate where his research explored economics, anonymity, and incentive compatibility of cryptocurrencies, and he also has worked at Apple. When not up at 3:00am writing code, Harry occasionally sleeps.
submitted by hkalodner to ethereum [link] [comments]

[ Bitcoin ] Technical: Taproot: Why Activate?

Topic originally posted in Bitcoin by almkglor [link]
This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given private key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

almkglor your post has been copied because one or more comments in this topic have been removed. This copy will preserve unmoderated topic. If you would like to opt-out, please send a message using [this link].
[deleted comment]
[deleted comment]
[deleted comment]
submitted by anticensor_bot to u/anticensor_bot [link] [comments]

How to Calculate Bitcoin Transaction Size what is a bit and a byte - YouTube 1 TB How many bytes Inside a Bitcoin mine that earns $70K a day - YouTube How to diagnose and remove a bitcoin miner trojan - YouTube

Bitcoin has consolidated above $10,000 this week. This is a pretty decent amount for one coin, so you might wonder how many people hold at least 1 BTC. Bits. Many have adopted the practice of referring to the micro-bitcoin metric sub-unit as "bits". Table of all units. This table is intended to include all well-defined units of bitcoin value, including less common and niche units. Unit Abbreviation Decimal (BTC) Alternate names Info Algorithmic maximum : 20,999,999.9769 Calculation: tam-bitcoin : 2,814,749.76710656 : 1,0000,0000 tonal mega ... Irrespective of the length of time required to calculate one hash, how many hash operations are required to produce one Bitcoin? mining-theory hash mining-reward hashpower sha256. share improve this question follow edited Jan 17 '17 at 16:46. Murch ♦ 46.7k 30 30 gold badges 137 137 silver badges 407 407 bronze badges. asked Jul 6 '13 at 9:27. powtac powtac. 385 2 2 gold badges 4 4 ... The growth of digital currency, led by Bitcoin, has been staggering with market capitalization estimated to be over $500 billion as of mid-January 2018. Unlike U.S. Treasury currency, digital currency such as Bitcoin (and there are others too) is unregulated and there are no consumer protections. Once a transaction is executed it can not be reversed. 5 bits - 32 6 bits - 64 7 bits - 128 8 bits - 256 - one byte Mathematically: n bits yields 2 n patterns (2 to the nth power) One Byte - 256 Patterns (demo) 1 byte is group of 8 bits 8 bits can make 256 different patterns How to use the 256 patterns? How to store a number in a byte? Start with 0, go up, one pattern per number, until run out of ...

[index] [26290] [32983] [27987] [22114] [4321] [34725] [10823] [25838] [3159] [42698]

How to Calculate Bitcoin Transaction Size

The virtual goldrush to mine Bitcoin and other cryptocurrencies leads us to Central Washington state where a Bitcoin mine generates roughly $70,000 a day min... Every time we send a bitcoin transaction, we pay a fee relative to its size. Strangely, this has almost nothing to do with how much money is being sent -- the blockchain world just isn't that simple! Bitcoin is skyrocketing right now ! We had a look behind the scenes of bitcoin mining and a bitcoin miner Farm. join the event here: https://www.miningconf.o... Given a number n, how do you count the number of 1's (set bits) in its binary representation CareerMonk.com [The Bits And Bytes Of Binary ep.2] - Duration: 6:21. Low Level JavaScript 816 views. 6:21. How many Bytes are in a Gigabyte? - Duration: 4:32. Jared Owen Recommended for you. 4:32 . They Watched ...

#