Hourglass V2 Update

[Mike Casey]

In response to feedback, the Hourglass proposal to mitigate against potential mass liquidation of P2PK funds has been enhanced to further limit spend amounts from such outputs to only 1 bitcoin per block.

https://github.com/cryptoquick/bips/blob/hourglass-v2/bip-hourglass-v2.mediawiki

Prior discussion of the original Hourglass proposal:

https://groups.google.com/g/bitcoindev/c/zmg3U117aNc/m/lDCMs9j7EAAJ

Thoughts & feedback welcome!

[Light]

Bitcoin should not have an in-protocol plunge protection mechanism, and certainly not one that artificially restricts people's ability to spend their coins. I encourage you to withdraw this proposal, for the sake of bitcoin's integrity and utility as a p2p electronic cash system.

> --
> You received this message because you are subscribed to the Google
> Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/9336f5a4-5c28-4c1b-af29-a8462b7a9377n%40googlegroups.com
> <https://groups.google.com/d/msgid/bitcoindev/9336f5a4-5c28-4c1b-af29-a8462b7a9377n%40googlegroups.com?utm_medium=email&utm_source=footer>.

[Jameson Lopp]

Bitcoin is ultimately a system of rules that are enforced by those who use the system and hold the keys to spend UTXOs. As such, if a sufficiently large cohort of economic power within the system is interested in protecting itself against massive liquidation events from malicious actors who arguably are not the rightful owners of UTXOs, the incentives are in place for them to do something about it.

I like Hourglass V2 a lot more than V1. My primary complaint is that 1 BTC per block is somewhat arbitrary. It would be interesting to point to the on-chain statistics of what P2PK UTXO spend volume we have seen in recent years.

Additionally, in the context of my own migration BIP, Hourglass V2 could be complementary to the concept of offering a ZK quantum safe spending option for folks who fail to migrate UTXOs to quantum safe scripts before a set deadline, given that these old P2PK outputs do not belong to HD wallets and thus the owners would be incapable of constructing a ZK proof of HD wallet ownership.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/57bd09bc-1c1b-4605-82f9-65b6b61cf8a2%40app.fastmail.com.

[Garlo Nicon]

> My primary complaint is that 1 BTC per block is somewhat arbitrary.

> Hourglass V2 further restricts the output amount to a maximum of 1 bitcoin per block, or roughly 144 bitcoin per day. This is far less than the 450 coins per day introduced by the current block reward subsidy, and should effectively mitigate the market impacts of quantum attacks on P2PK coins.

It can be replaced with something else. For example, if things are based on the coinbase reward, then these rules can be wired into consensus. Which means, that if the current block reward is 3.125 BTC plus fees, then P2PKs can be limited to be X% of the coinbase, and not more than that. It would still be arbitrary, but it would be more aligned with the explanation from the BIP, that it is all about how many coins are introduced into circulation, or assigned to miners.

Or, if it would be based only on the basic block reward, without fees, then when all coins will be mined, P2PKs will automatically expire, because there won't be any amount, which is less than zero satoshis. Because things can be based on fees, but then, a large miner with many coins, could game the system, and turn some of his own coins into fees, only to unlock more P2PK coins.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_eb8byZs3VKORoUzaPoBvguSbxJ%3DKyKifsQFWFqyqHeRA%40mail.gmail.com.

[Mike Casey]

Admittedly, the actual value is arbitrary, but it's very easy to relay conceptually which helps communicate the concept and dissuade this particular branch of quantum FUD.  Fundamentally, it's a trade off between how quickly the entire set can be liquidated (if keys are cracked in advance) and how long and individual original keyholder has to wait to be able to exercise dominion over their P2PK coins.  In addition to memetics, the 1 BTC amount should provide a very lengthy liquidation period assuming most P2PK keys are lost and cannot be moved prior to implementation.

[Alex]

> Bitcoin should not have an in-protocol plunge protection mechanism, and certainly not one that artificially restricts people's ability to spend their coins. I encourage you to withdraw this proposal, for the sake of bitcoin's integrity and utility as a p2p electronic cash system.

The (time) limit is only applicable to legacy P2PK addresses. Anyone can move their funds to modern SegWit/Taproot addresses and continue without any such limit. You are free to insist on using legacy P2PK addresses as you wish, freely, but doing so would put a spending (time) limit much like current banking KYC limits. Again, insisting on keeping your BTC in specifically legacy P2PK addresses would lead to this (time) limit. All other addresses are unaffected.

[Isabel Foxen Duke]

>  [1 BTC] can be replaced with something else. For example, if things are based on the coinbase reward, then these rules can be wired into consensus. Which means, that if the current block reward is 3.125 BTC plus fees, then P2PKs can be limited to be X% of the coinbase, and not more than that.

I don't mind this idea — however, I worry it could add complexity from a user experience perspective. 1 BTC might actually make sense and not be so arbitrary—as it will be an easy number for people to track and understand what coins they can move or are moving at any given time. Hyper-simplicity has UX and comms benefits.      

Isabel Foxen Duke  

Bitcoin Rails Podcast // X

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAN7kyNh%3DqzAiGvDBpLSJLVt64smR%2BHQh%2Bw%2BHm3cZGebZejJsqw%40mail.gmail.com.

[Isabel Foxen Duke]

>  [1 BTC] can be replaced with something else. For example, if things are based on the coinbase reward, then these rules can be wired into consensus. Which means, that if the current block reward is 3.125 BTC plus fees, then P2PKs can be limited to be X% of the coinbase, and not more than that.

I don't mind this idea — however, I worry it could add complexity from a user experience perspective. 1 BTC might actually make sense and not be so arbitrary—as it will be an easy number for people to track and understand what coins they can move or are moving at any given time. Hyper-simplicity has UX and comms benefits.      

-Isabel

[neonrooks]

Disagree with this proposal. Applying a rate-limit to P2PK utxos directly undermines the permissionless property of Bitcoin - ownership of private keys is the right to spend as the owner wishes. Instead of allowing laggards (we know there will be some!) to move coins just before a real, quantifiable threat, Hourglass V2 all but guarantees a quantum attacker has time to attack all remaining unspent P2PK utxos during the 32 years it would take to move all coins.

[Bob Burnett]

>  1 BTC might actually make sense and not be so arbitrary—as it will be an easy number for people to track and understand what coins they can move or are moving at any given time.

I very much agree that keeping things easy for people should be a high priority.  As opposed to a % of the block reward or subsidy, one suggestion is to use something like the halving we use for the subsidy.  Start with a maximum of 1 or 2 BTC per block and reduce the amount by half on the same 210,000 block schedule as the subsidy halving.  People seem to get that concept well and I think it would work here too.  Alternatively, we could use the same schedule but do doubling.  Start with a very small number like 1M Sats and then build to a bigger number in the future.  This takes away the incentive for an early attacker and means the bigger prizes for the quantum attackers would come in a period when there is massive competition from the quantum world and much more economic uncertainty for an individual quantum attacker.

I must admit that this does create a bit of quandary regarding property rights and that does bother me, but if the decision is to do something to slow down the attackers this, does seem like a reasonable approach.  Also, by spreading this out over several decades and restricting block space access, it means that there will likely be numerous quantum attackers, and they will be competing with each other not only for the private keys but also for the prized spot in each block (good news for fees).  

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/4b02a925-663f-423f-8905-0fc1b528581fn%40googlegroups.com.

[Jameson Lopp]

Ultimately, I believe that the network should nudge people toward using best practices, whatever that may be.

Are there any strong reasons why the network should treat P2PK as a first class citizen, so to speak? It has both security flaws and is disincentivized for use from a transaction weight and thus fees perspective.

A proposal such as hourglass provides an additional nudge in the direction of "this is deprecated, don't use it."

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/BY5PR03MB51717E25CEB9444CF2463E0C9675A%40BY5PR03MB5171.namprd03.prod.outlook.com.

[Light]

Hi Jameson,

Just as "the incentives are in place" for short term greedy participants to make their case for full node runners to follow them off a cliff, so are the incentives in place for those with longer term perspectives to encourage authors of confiscatory proposals to abandon them, and encourage the rest of the community to reject them as well.[1]

The people who appeal to short-term incentives to call in the plunge protection squad fail to see that in doing so they irreparably damage the long term value of their coins (and create extra work for those of us with lower time preferences who must now consider the logistics of defensive forking) by undermining one of the foundational principles that gives their coins value to begin with.

There is a difference between "can" and "should" and the norm around here is pretty well established that bitcoin protocol developers (and the broader community of full node runners) "should not" interfere with existing spending conditions, even if they are believed to be insecure. Key (mis)management is an application layer concern, not a consensus layer concern. If you disagree, where is your proposal for freezing coins held on exchanges? You have already written about the risks posed by such custody arrangements, and this is a much more imminent threat than the specter of a CRQC.[2]

[1] To say nothing of the incentives of the vulnerable keyholders and the CRQC operators, but that is a secondary and more academic topic compared to the discussion about principles and long term system integrity.

[2] https://blog.casa.io/the-custodian-menace

>> > an email to bitcoindev+...@googlegroups.com <mailto:bitcoindev%2Bunsu...@googlegroups.com>.

>> > To view this discussion visit
>> > https://groups.google.com/d/msgid/bitcoindev/9336f5a4-5c28-4c1b-af29-a8462b7a9377n%40googlegroups.com
>> > <https://groups.google.com/d/msgid/bitcoindev/9336f5a4-5c28-4c1b-af29-a8462b7a9377n%40googlegroups.com?utm_medium=email&utm_source=footer>.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.

>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com <mailto:bitcoindev%2Bunsu...@googlegroups.com>.