📅 Original date posted:2016-02-08
📝 Original message:Hi all,
I believe we, today, have a unique opportunity to begin to close the
book on the short-term scaling debate.
First a little background. The scaling debate that has been gripping the
Bitcoin community for the past half year has taken an interesting turn
in 2016. Until recently, there have been two distinct camps - one
proposing a significant change to the consensus-enforced block size
limit to allow for more on-blockchain transactions and the other
opposing such a change, suggesting instead that scaling be obtained by
adding more flexible systems on top of the blockchain. At this point,
however, the entire Bitcoin community seems to have unified around a
single vision - roughly 2MB of transactions per block, whether via
Segregated Witness or via a hard fork, is something that can be both
technically supported and which adds more headroom before second-layer
technologies must be in place. Additionally, it seems that the vast
majority of the community agrees that segregated witness should be
implemented in the near future and that hard forks will be a necessity
at some point, and I don't believe it should be controversial that, as
we have never done a hard fork before, gaining experience by working
towards a hard fork now is a good idea.
With the apparent agreement in the community, it is incredibly
disheartening that there is still so much strife, creating a toxic
environment in which developers are not able to work, companies are
worried about their future ability to easily move Bitcoins, and
investors are losing confidence. The way I see it, this broad
unification of visions across all parts of the community places the
burden of selecting the most technically-sound way to achieve that
vision squarely on the development community.
Sadly, the strife is furthered by the huge risks involved in a hard fork
in the presence of strife, creating a toxic cycle which prevents a safe
hard fork. While there has been talk of doing an "emergency hardfork" as
an option, and while I do believe this is possible, it is not something
that will be easy, especially for something as controversial as rising
fees. Given that we have never done a hard fork before, being very
careful and deliberate in doing so is critical, and the technical
community working together to plan for all of the things that might go
wrong is key to not destroying significant value.
As such, I'd like to ask everyone involved to take this opportunity to
"reset", forgive past aggressions, and return the technical debates to
technical forums (ie here, IRC, etc).
As what a hard fork should look like in the context of segwit has never
(!) been discussed in any serious sense, I'd like to kick off such a
discussion with a (somewhat) specific proposal.
First some design notes:
* I think a key design feature should be taking this opportunity to add
small increases in decentralization pressure, where possible.
* Due to the several non-linear validation time issues in transaction
validation which are fixed by SegWit's signature-hashing changes, I
strongly believe any hard fork proposal which changes the block size
should rely on SegWit's existence.
* As with any hard fork proposal, its easy to end up pulling in hundreds
of small fixes for any number of protocol annoyances. In order to avoid
doing this, we should try hard to stick with a few simple changes.
Here is a proposed outline (to activate only after SegWit and with the
currently-proposed version of SegWit):
1) The segregated witness discount is changed from 75% to 50%. The block
size limit (ie transactions + witness/2) is set to 1.5MB. This gives a
maximum block size of 3MB and a "network-upgraded" block size of roughly
2.1MB. This still significantly discounts script data which is kept out
of the UTXO set, while keeping the maximum-sized block limited.
2) In order to prevent significant blowups in the cost to validate
pessimistic blocks, we must place additional limits on the size of many
non-segwit transactions. scriptPubKeys are now limited to 100 bytes in
size and may not contain OP_CODESEPARATOR, scriptSigs must be push-only
(ie no non-push opcodes), and transactions are only allowed to contain
up to 20 non-segwit inputs. Together these limits limit
total-bytes-hashed in block validation to under 200MB without any
possibility of making existing outputs unspendable and without adding
additional per-block limits which make transaction-selection-for-mining
difficult in the face of attacks or non-standard transactions. Though
200MB of hashing (roughly 2 seconds of hash-time on my high-end
workstation) is pretty strongly centralizing, limiting transactions to
fewer than 20 inputs seems arbitrarily low.
Along similar lines, we may wish to switch MAX_BLOCK_SIGOPS from
1-per-50-bytes across the entire block to a per-transaction limit which
is slightly looser (though not too much looser - even with libsecp256k1
1-per-50-bytes represents 2 seconds of single-threaded validation in
just sigops on my high-end workstation).
3) Move SegWit's generic commitments from an OP_RETURN output to a
second branch in the merkle tree. Depending on the timeline this may be
something to skip - once there is tooling for dealing with the extra
OP_RETURN output as a generic commitment, the small efficiency gain for
applications checking the witness of only one transaction or checking a
non-segwit commitment may not be worth it.
4) Instead of requiring the first four bytes of the previous block hash
field be 0s, we allow them to contain any value. This allows Bitcoin
mining hardware to reduce the required logic, making it easier to
produce competitive hardware [1].
I'll deliberately leave discussion of activation method out of this
proposal. Both jl2012 and Luke-Jr recently begun some discussions about
methods for activation on this list, and I'd love to see those continue.
If folks think a hard fork should go ahead without SPV clients having a
say, we could table #4, or activate #4 a year or two after 1-3 activate.
[1] Simpler here may not be entirely true. There is potential for
optimization if you brute force the SHA256 midstate, but if nothing
else, this will prevent there being a strong incentive to use the
version field as nonce space. This may need more investigation, as we
may wish to just set the minimum difficulty higher so that we can add
more than 4 nonce-bytes.
Obviously we cannot reasonably move forward with a hard fork as long as
the contention in the community continues. Still, I'm confident
continuing to work towards SegWit as a 2MB-ish soft-fork in the short
term with some plans on what a hard fork should look like if we can form
broad consensus can go a long way to resolving much of the contention
we've seen.
Matt Corallo [ARCHIVE] /
npub1e4…jxmcu
2023-06-07 17:48:54
in reply to nevent1q…9g36
Author Public Key
npub1e46n428mcyfwznl7nlsf6d3s7rhlwm9x3cmkuqzt3emmdpadmkaqqjxmcuSeen on
wss://relay.noswhere.comPublished at
2023-06-07 17:48:54Event JSON
{
"id": "a75008b9a813183e76b7e60239bd46b4246da35f6ef7de758c2201669f5c00a0",
"pubkey": "cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba",
"created_at": 1686160134,
"kind": 1,
"tags": [
[
"e",
"8c25de74ae7131786de7d5ab012e48bad7eff95963972248b7442bdb60a9ffb5",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2016-02-08\n📝 Original message:Hi all,\n\nI believe we, today, have a unique opportunity to begin to close the\nbook on the short-term scaling debate.\n\nFirst a little background. The scaling debate that has been gripping the\nBitcoin community for the past half year has taken an interesting turn\nin 2016. Until recently, there have been two distinct camps - one\nproposing a significant change to the consensus-enforced block size\nlimit to allow for more on-blockchain transactions and the other\nopposing such a change, suggesting instead that scaling be obtained by\nadding more flexible systems on top of the blockchain. At this point,\nhowever, the entire Bitcoin community seems to have unified around a\nsingle vision - roughly 2MB of transactions per block, whether via\nSegregated Witness or via a hard fork, is something that can be both\ntechnically supported and which adds more headroom before second-layer\ntechnologies must be in place. Additionally, it seems that the vast\nmajority of the community agrees that segregated witness should be\nimplemented in the near future and that hard forks will be a necessity\nat some point, and I don't believe it should be controversial that, as\nwe have never done a hard fork before, gaining experience by working\ntowards a hard fork now is a good idea.\n\nWith the apparent agreement in the community, it is incredibly\ndisheartening that there is still so much strife, creating a toxic\nenvironment in which developers are not able to work, companies are\nworried about their future ability to easily move Bitcoins, and\ninvestors are losing confidence. The way I see it, this broad\nunification of visions across all parts of the community places the\nburden of selecting the most technically-sound way to achieve that\nvision squarely on the development community.\n\nSadly, the strife is furthered by the huge risks involved in a hard fork\nin the presence of strife, creating a toxic cycle which prevents a safe\nhard fork. While there has been talk of doing an \"emergency hardfork\" as\nan option, and while I do believe this is possible, it is not something\nthat will be easy, especially for something as controversial as rising\nfees. Given that we have never done a hard fork before, being very\ncareful and deliberate in doing so is critical, and the technical\ncommunity working together to plan for all of the things that might go\nwrong is key to not destroying significant value.\n\nAs such, I'd like to ask everyone involved to take this opportunity to\n\"reset\", forgive past aggressions, and return the technical debates to\ntechnical forums (ie here, IRC, etc).\n\nAs what a hard fork should look like in the context of segwit has never\n(!) been discussed in any serious sense, I'd like to kick off such a\ndiscussion with a (somewhat) specific proposal.\n\nFirst some design notes:\n* I think a key design feature should be taking this opportunity to add\nsmall increases in decentralization pressure, where possible.\n* Due to the several non-linear validation time issues in transaction\nvalidation which are fixed by SegWit's signature-hashing changes, I\nstrongly believe any hard fork proposal which changes the block size\nshould rely on SegWit's existence.\n* As with any hard fork proposal, its easy to end up pulling in hundreds\nof small fixes for any number of protocol annoyances. In order to avoid\ndoing this, we should try hard to stick with a few simple changes.\n\nHere is a proposed outline (to activate only after SegWit and with the\ncurrently-proposed version of SegWit):\n\n1) The segregated witness discount is changed from 75% to 50%. The block\nsize limit (ie transactions + witness/2) is set to 1.5MB. This gives a\nmaximum block size of 3MB and a \"network-upgraded\" block size of roughly\n2.1MB. This still significantly discounts script data which is kept out\nof the UTXO set, while keeping the maximum-sized block limited.\n\n2) In order to prevent significant blowups in the cost to validate\npessimistic blocks, we must place additional limits on the size of many\nnon-segwit transactions. scriptPubKeys are now limited to 100 bytes in\nsize and may not contain OP_CODESEPARATOR, scriptSigs must be push-only\n(ie no non-push opcodes), and transactions are only allowed to contain\nup to 20 non-segwit inputs. Together these limits limit\ntotal-bytes-hashed in block validation to under 200MB without any\npossibility of making existing outputs unspendable and without adding\nadditional per-block limits which make transaction-selection-for-mining\ndifficult in the face of attacks or non-standard transactions. Though\n200MB of hashing (roughly 2 seconds of hash-time on my high-end\nworkstation) is pretty strongly centralizing, limiting transactions to\nfewer than 20 inputs seems arbitrarily low.\n\nAlong similar lines, we may wish to switch MAX_BLOCK_SIGOPS from\n1-per-50-bytes across the entire block to a per-transaction limit which\nis slightly looser (though not too much looser - even with libsecp256k1\n1-per-50-bytes represents 2 seconds of single-threaded validation in\njust sigops on my high-end workstation).\n\n3) Move SegWit's generic commitments from an OP_RETURN output to a\nsecond branch in the merkle tree. Depending on the timeline this may be\nsomething to skip - once there is tooling for dealing with the extra\nOP_RETURN output as a generic commitment, the small efficiency gain for\napplications checking the witness of only one transaction or checking a\nnon-segwit commitment may not be worth it.\n\n4) Instead of requiring the first four bytes of the previous block hash\nfield be 0s, we allow them to contain any value. This allows Bitcoin\nmining hardware to reduce the required logic, making it easier to\nproduce competitive hardware [1].\n\nI'll deliberately leave discussion of activation method out of this\nproposal. Both jl2012 and Luke-Jr recently begun some discussions about\nmethods for activation on this list, and I'd love to see those continue.\nIf folks think a hard fork should go ahead without SPV clients having a\nsay, we could table #4, or activate #4 a year or two after 1-3 activate.\n\n\n[1] Simpler here may not be entirely true. There is potential for\noptimization if you brute force the SHA256 midstate, but if nothing\nelse, this will prevent there being a strong incentive to use the\nversion field as nonce space. This may need more investigation, as we\nmay wish to just set the minimum difficulty higher so that we can add\nmore than 4 nonce-bytes.\n\n\n\n\nObviously we cannot reasonably move forward with a hard fork as long as\nthe contention in the community continues. Still, I'm confident\ncontinuing to work towards SegWit as a 2MB-ish soft-fork in the short\nterm with some plans on what a hard fork should look like if we can form\nbroad consensus can go a long way to resolving much of the contention\nwe've seen.",
"sig": "70355b47977a2a633f6d74b1fee7455f3dc6f53d56c2ed5752a4cea822e5c9ac27a97ecf9e300faa59daa43847078002990193f2252d8d0f3fb055c0b555883c"
}