[bitcoin-dev] On The Drama

2022-05-01 Thread Jeremy Rubin via bitcoin-dev
Developers,

I know that some of you may be interested in hearing my perspective on what
happened and why. I still do not know exactly what happened and why.
However, I can offer a brief explanation of what I perceived my main
actions to be and the response to them:

1. I published and shared to this list a blog post encouraging review on
viability of having a Speedy Trial (ST) with signalling beginning around
3.5 weeks (May 12th), in line with previously communicated materials.
2. I held a regularly scheduled meeting to discuss the viability of an
activation attempt, "The Agenda for the meeting will be an open discussion
on the possibility of activating CTV[CheckTemplateVerify] in 2022, why we
may or may not wish to do that, if we did want to do that what would need
to be done, what the path might look like if we do not do that."
3. If ST was deemed viable, I provided a pathway for sufficient review to
occur and I also wrote User Resisted Soft Fork (URSF) software to be used
such that miners are not unilaterally in control, as well as encouragement
for someone to author a User Activated Soft Fork (UASF) as a follow up if
miners "vetoed".
4. If ST was not viable, I gave encouragement to more thoroughly "re-evaluate
the design of CTV against alternatives that would take more time to prepare
engineering wise (e.g., more general covenants, small tweaks to CTV)"
5. I made clear that CTV activation was "not a must. All actors must decide
if it’s in their own rational self-interest to have the soft-fork proceed."
6. I provided a review of rationale for why I thought this to be the right
next step for CTV, and for future soft forks to follow.

Since I posted my blog, there has been a flurry of inaccurate claims
lobbed at me across various platforms that I am trying to route around
consensus, force miners to do a ST, force users to accept a patch they
don't want, calls for me to face various repercussions, attacks on my
character, and more. Anyone is free to read the material I actually
communicated myself and evaluate the claims of bad-faith being made. I
accept responsibility that ultimately I may not have communicated these
things clearly enough.

I've kept my word to listen to feedback on parameters before any release:

- I've not released binaries for a ST CTV client in May, and won't be.
- I've kept my promise not to run a UASF process.

I hope you can believe me that I am not trying to do anything wanton to
Bitcoin. I am trying to do my best to accurately communicate my exact
intentions and plans along the way, and learn from the ways I fell short.

I cannot thank enough the (majority!) of individuals who understand this
and have provided overwhelming amounts of personal support to me through
these last weeks. While I do not mistake that personal support for support
of my views, I wanted to share the depth of support and appreciation that
the community has for the difficult tasks developers engage in. This isn't
specific to me; the community has immense respect for the sacrifices every
developer makes in choosing to work on Bitcoin. The hate may be loud and
public on the shallow surface, but the love and support runs deep.

At the same time, it has been eye opening for me to see the processes by
which a kernel of disinformation blossoms into a panic across the Bitcoin
community. For any Bitcoin contributor who might engage in consensus
processes: Agree or disagree with the quality of my actions, it's worth
spending a little time to trace how the response to my proposal was
instigated so that you harden your own defenses against such disinformation
campaigns in the future. I encourage you to look closely at what various
"respected members of the community" have lobbied for because they
represent dangerous precedents for all Bitcoin developers. I've yet to
fully form my thoughts around this.

If you do not think that my actions lived up to my perception of them,
feel free to give me, either publicly or privately, any feedback on how I
can do better going forward.

With respect to this thread, I'll read whatever you send, but I won't be
reply-all'ing here as I view this as largely off-topic for this list,
unless anyone feels strongly otherwise.

Best,

Jeremy



--
@JeremyRubin 
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


[bitcoin-dev] Working Towards Consensus

2022-05-01 Thread Jeremy Rubin via bitcoin-dev
Developers,

There is much to say about the events of the last two weeks and the
response to them. I've been searching for the right words to share here,
but I think it best that short of a more thoughtful writeup I start with a
timely small step with the below comments.

First, let me be clear: I am not advancing a Speedy Trial (ST) activation of
Bitcoin Improvement Proposal-119 (BIP-119) CheckTemplateVerify (CTV) at
this time.

I'm skipping any discussion of the drama here. Most of you are interested
in developing Bitcoin, not drama. Let's try to keep this thread focused on
the actual work. I'll make some limited comments on the drama in a separate
thread, for those who care to hear from me on the subject directly.

I believe that the disinformation spread around my post ("7 Theses on a
next step for BIP-119"[0]) created three main negative outcomes within the
Bitcoin community:

1. Confusion about how Bitcoin's "technical consensus" works and how
changes are "approved".
2. Fear about the safety of CTV and covenants more broadly.
3. Misunderstandings around the properties of Speedy Trial, User Activated
Soft Fork (UASF), User Resisted Soft Fork (URSF), Soft Forks, Hard Forks,
and more.

While I cannot take responsibility for the spread of the disinformation, I
do apologize to anyone dealing with it for the role my actions have had in
leading to the current circumstance.

I personally take some solace in knowing that the only way out of this is
through it. The conversations happening now seem to have been more or less
inevitable, this has brought them to the surface, and as a technical
community we are able to address them head on if -- as individuals and
collectively -- we choose to. And, viewed through a certain lens, these
conversations represent incredibly important opportunities to participate
in defining the future of Bitcoin that would not be happening otherwise.
Ultimately, I am grateful to live in a time where I am able to play a small
role in such an important process. This is the work.

In the coming months, I expect the discourse to be messy, but I think the
work is clear cut that we should undertake at least the following:

1. Make great efforts to better document how Bitcoin's technical consensus
process works today, how it can be improved, and how changes may be
formally reviewed while still being unofficially advanced.
2. Work diligently to address the concerns many in the community have
around the negative potential of covenants and better explain the
trade-offs between levels of functionality.
3. Renew conversations about activation and release mechanisms and
re-examine our priors around why Speedy Trial may have been acceptable for
Taproot, was not acceptable for BIP-119, but may not be optimal long
term[1], and work towards processes that better capture the Bitcoin
network's diverse interests and requirements.
4. Work towards thoroughly systematizing knowledge around covenant
technologies so that in the coming months we may work towards delivering a
coherent pathway for the Bitcoin technical community to evaluate and put up
for offer to the broader community an upgrade or set of upgrades to improve
Bitcoin's capabilities for self sovereignty, privacy, scalability, and
decentralization.

This may not be the easiest path to take, but I believe that this work is
critical to the future of Bitcoin. I welcome all reading this to share your
thoughts with this list on how we might work towards consensus going
forward, including any criticisms of my observations and recommendations
above. While I would expect nothing less than passionate debate when it
comes to Bitcoin, remember that at the end of the day we all largely share
a mission to make the world a freer place, even if we disagree about how we
get there.

Yours truly,

Jeremy

[0]: https://rubin.io/bitcoin/2022/04/17/next-steps-bip119/
[1]: http://r6.ca/blog/20210615T191422Z.html I quite enjoyed Roconnor's
detailed post on Speedy Trial

--
@JeremyRubin 


Re: [bitcoin-dev] What to do when contentious soft fork activations are attempted

2022-05-01 Thread Billy Tetrud via bitcoin-dev
+1 alicexbt

We of course want knowledgeable bitcoiners who aren't knowledgeable about a
certain proposal to be skeptical. But what we don't want is for that
natural skepticism-from-ignorance to be interpreted as opposition, or
really a strong signal of any kind. Any thoughts from ignorance, whether
self-aware or not, should be given small weight. It seems the vast majority
of push back has been this kind of skepticism from ignorance. And to a
certain degree I think we want to give time for understanding to those who
have not participated in the first, second, third, etc round of discussion
on a proposal. It may not be reasonable to say "you had the last 2 years of
time to voice your concern".

Now that CTV is being taken seriously as a proposal, we probably should
give the community who is finally taking a serious look at it time to
understand, get their questions answered, and come to terms with it. This
is not to say that CTV as a technology or proposal has been rushed, or has
not had enough work put into it, but rather that the community as a whole
has not paid enough attention to it for long enough.

The wrong approach is: "how do I yell more loudly next time I see something
I'm uncomfortable with?" The right approach is to educate those who aren't
educated on the proposal and gather consensus on what people think when
they understand enough about it to contribute to that consensus. If you
care about consensus, you should respect the consensus process and be ok
with consensus being not your preferred outcome. If you don't care about
consensus, then you're basically attacking the bitcoin community.

On Sun, May 1, 2022 at 3:22 AM alicexbt via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi Michael,
>
> Maybe the whole thing worked as designed. Some users identified what was
> going on, well known Bitcoin educators such as Andreas Antonopoulos, Jimmy
> Song etc brought additional attention to the dangers, a URSF movement
> started to gain momentum and those attempting a contentious soft fork
> activation backed off. (Disappointingly Bitcoin Optech didn't cover my
> previous posts to this mailing list 1, 2, 3 highlighting the dangers many
> months ago or recent posts. Normally Optech is very high signal.)
>
>
> Some users have been misled and there is nothing great being achieved by
> doing this on social media. Andreas is clueless about BIP 119 and other
> covenant proposals. He is spreading misinformation and some of the URSF
> enthusiasts do not understand what they are even opposing or going to run
> with risks involved.
>
>
> Answering the subject of this email: "What to do when contentious soft
> forks activations are attempted?"
>
> - Do not consider something contentious because someone said it on mailing
> list
> - Do not spread misinformation
> - Read all posts in detail with different opinions
> - Avoid personal attacks
> - Look at the technical details, code etc. and comment on things that
> could be improved
>
>
>
> /dev/fd0
>
> Sent with ProtonMail secure email.
>
> --- Original Message ---
> On Saturday, April 30th, 2022 at 3:23 PM, Michael Folkson via bitcoin-dev
> bitcoin-dev@lists.linuxfoundation.org wrote:
>
>
> I’ve been in two minds on whether to completely move on to other topics or
> to formulate some thoughts on the recent attempt to activate a contentious
> soft fork. In the interests of those of us who have wasted
> days/weeks/months of our time on this (with no personal upside) and who
> don’t want to repeat this exercise again I thought I should at least raise
> the issue for discussion of what should be done differently if this is
> tried again in future.
>
> This could be Jeremy with OP_CTV at a later point (assuming it is still
> contentious) or anyone who wants to pick up a single opcode that is not yet
> activated on Bitcoin and try to get miners to signal for it bypassing
> technical concerns from many developers, bypassing Bitcoin Core and
> bypassing users.
>
> Maybe the whole thing worked as designed. Some users identified what was
> going on, well known Bitcoin educators such as Andreas Antonopoulos, Jimmy
> Song etc brought additional attention to the dangers, a URSF movement
> started to gain momentum and those attempting a contentious soft fork
> activation backed off. (Disappointingly Bitcoin Optech didn't cover my
> previous posts to this mailing list 1, 2, 3 highlighting the dangers many months ago or 

Re: [bitcoin-dev] What to do when contentious soft fork activations are attempted

2022-05-01 Thread Jorge Timón via bitcoin-dev
On Sun, May 1, 2022, 09:22 alicexbt via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi Michael,
>
> Maybe the whole thing worked as designed. Some users identified what was
> going on, well known Bitcoin educators such as Andreas Antonopoulos, Jimmy
> Song etc brought additional attention to the dangers, a URSF movement
> started to gain momentum and those attempting a contentious soft fork
> activation backed off. (Disappointingly Bitcoin Optech didn't cover my
> previous posts to this mailing list 1, 2, 3 highlighting the dangers many
> months ago or recent posts. Normally Optech is very high signal.)
>
>
> Some users have been misled and there is nothing great being achieved by
> doing this on social media. Andreas is clueless about BIP 119 and other
> covenant proposals. He is spreading misinformation and some of the URSF
> enthusiasts do not understand what they are even opposing or going to run
> with risks involved.
>
Clueless and spreading disinformation, you say? What misinformation, could
you explain?


> - Avoid personal attacks
>
Could accusing someone of spreading misinformation without proof and
calling him clueless be considered a personal attack?
What do we do with hypocrites and liars?
People who knowingly lie to push their own agenda, how do we protect
against those?


> /dev/fd0
>
> Sent with ProtonMail secure email.
>
> --- Original Message ---
> On Saturday, April 30th, 2022 at 3:23 PM, Michael Folkson via bitcoin-dev
> bitcoin-dev@lists.linuxfoundation.org wrote:
>
>
> I’ve been in two minds on whether to completely move on to other topics or
> to formulate some thoughts on the recent attempt to activate a contentious
> soft fork. In the interests of those of us who have wasted
> days/weeks/months of our time on this (with no personal upside) and who
> don’t want to repeat this exercise again I thought I should at least raise
> the issue for discussion of what should be done differently if this is
> tried again in future.
>
> This could be Jeremy with OP_CTV at a later point (assuming it is still
> contentious) or anyone who wants to pick up a single opcode that is not yet
> activated on Bitcoin and try to get miners to signal for it bypassing
> technical concerns from many developers, bypassing Bitcoin Core and
> bypassing users.
>
> Maybe the whole thing worked as designed. Some users identified what was
> going on, well known Bitcoin educators such as Andreas Antonopoulos, Jimmy
> Song etc brought additional attention to the dangers, a URSF movement
> started to gain momentum and those attempting a contentious soft fork
> activation backed off. (Disappointingly Bitcoin Optech didn't cover my
> previous posts to this mailing list 1, 2, 3 highlighting the dangers many
> months ago or recent posts. Normally Optech is very high signal.)
>
> Alternatively this was the first time a contentious soft fork activation
> was attempted, we were all woefully unprepared for it and none of us knew
> what we were doing.
>
> I’m unsure on the above. I’d be interested to hear thoughts. What I am
> sure of is that it is totally unacceptable for one individual to bring the
> entire Bitcoin network to the brink of a chain split. There has to be a
> personal cost to that individual dissuading them from trying it again
> otherwise they’re motivated to try it again every week/month. Perhaps the
> personal cost that the community is now prepared if that individual tries
> it again is sufficient. I’m not sure. Obviously Bitcoin is a permissionless
> network, Bitcoin Core and other open source projects are easily forked and
> no authority (I’m certainly no authority) can stop things like this
> happening again.
>
> I’ll follow the responses if people have thoughts (I won't be responding
> to the instigators of this contentious soft fork activation attempt) but
> other than that I’d like to move on to other things than contentious soft
> fork activations. Thanks to those who have expressed concerns publicly (too
> many to name, Bob McElrath was often wording arguments better than I could)
> and who were willing to engage with the URSF conversation. If an individual
> can go directly to miners to get soft forks activated bypassing technical
> concerns from many developers, bypassing Bitcoin Core and bypassing users
> Bitcoin is fundamentally broken. The reason I still have hope that it isn't
> is that during a period of general apathy some people 

[bitcoin-dev] Password-protected wallet on Taproot

2022-05-01 Thread vjudeu via bitcoin-dev
It seems that Taproot allows us to protect each individual public key with a 
password. It could work in this way: we have some normal, Taproot-based public 
key, that is generated in a secure and random way, as it is today in Bitcoin 
Core wallet. Then, we can create another public key, just by taking password 
from the user, executing SHA-256 on that, and using it as a private key, so the 
second key will be just a brainwallet. Then, we can combine them in a Schnorr 
signature, forming 2-of-2 multisig, where the first key is totally random, and 
the second key is just a brainwallet that takes a password chosen by the user. 
By default, each key can be protected with the same password, used for the 
whole wallet, but it could be possible to choose different passwords for 
different addresses, if needed. Descriptors should handle that nicely, in the 
same way as they can be used to handle any other 2-of-2 multisig.


Re: [bitcoin-dev] ANYPREVOUT in place of CTV

2022-05-01 Thread Nadav Ivgi via bitcoin-dev
> via `sha_sequences`

Since you cannot expect txid stability with >1 inputs either way[0], it
should be sufficient to commit just to the current input's
nSequence/scriptSig to get txid stability for single input transactions. I
chatted with Jeremy about this and he appears to agree.

Not committing to the nSequence of other inputs gives them the freedom to
set it independently, so for example you can spend a CSV-encumbered output
alongside the covenant. And there seems to be no downside to doing this [1].

APO/APOAS already commits to the nSequence of the current input. And since
APO is Taproot-only, the scriptSig of the covenant input is guaranteed to
be empty, so it is also already committed to in a way.

However, without committing to all the nSequences which implicitly commits
to the number of inputs, the number has to be committed separately.

So my suggestion is to explicitly commit to the number of inputs, instead
of committing to `sha_sequences`.

Cheers
shesek

[0] the additional input(s) will be third-party malleable, since their
prevouts can be replaced with an entirely different txid:vout
[1] BIP 119's rationale for committing to the nSequences is txid
malleability:
https://github.com/bitcoin/bips/blob/master/bip-0119.mediawiki#committing-to-the-sequences-hash



On Sat, Apr 30, 2022 at 11:09 AM Nadav Ivgi wrote:

> Hi darosior,
>
> It's interesting to note that APOAS|SINGLE (with the ANYONECANPAY
> behaviour and without covering the spent input index) has some interesting
> uses for cases where the covenant only needs to restrict a single output
> (so useful for e.g. vaults or spacechains, but not for batch channels or
> congestion control).
>
> For example in the vault use-case, it makes it possible to bump fees on
> the unvault tx by adding more inputs and a change output, as well as
> unvault multiple vaulted outputs in a single transaction.
>
> For spacechains, it makes it possible to add the spaceblock hash OP_RETURN
> and pay fees directly in the tx chain, instead of having to use an
> additional tx to prepare an output that gets spent in the tx chain (see
> the diagram in [0]).
>
> > via `sha_sequences` and maybe also `sha_amounts`
>
> CTV does not commit to the input amounts. This has some practical
> implications:
>
> 1. If it is committed, sending an even slightly incorrect amount will make
> the covenant-encumbered spend path unusable.
>
> With CTV, sending a slightly lower amount results in slightly lower fees,
> while any extra gets spent/burned on fees. The covenant spend path only
> becomes unusable if the amount is too low to cover for the outputs (+relay
> fee for it to also be standard).
>
> 2. The ability to allow for additional inputs with unknown amounts makes
> it possible to fee-bump the covenant spending transaction (with whole utxos
> and no change). You can have one tapleaf for spending the covenant output
> alone, and another one for attaching an extra fee input to it.
>
> This also makes it possible to resolve the under-payment issue described
> in (1), by adding an input that covers the original intended amount.
>
> So my suggestion would be to either not cover `sha_amounts` in the msg
> hash, or to make it optional behind a flag.
>
> shesek
>
> [0] https://github.com/fiatjaf/simple-ctv-spacechain
>
> On Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> I would like to know people's sentiment about doing (a very slightly
>> tweaked version of) BIP118 in place of
>> (or before doing) BIP119.
>>
>> SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for
>> over 6 years. It presents proven and
>> implemented usecases, that are demanded and (please someone correct me if
>> i'm wrong) more widely accepted than
>> CTV's.
>>
>> SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made
>> optional [0], can emulate CTV just fine.
>> Sure then you can't have bare or Segwit v0 CTV, and it's a bit more
>> expensive to use. But we can consider CTV
>> an optimization of APO-AS covenants.
>>
>> CTV advocates have been presenting vaults as the flagship usecase.
>> Although as someone who has been trying to
>> implement practical vaults for the past 2 years i doubt CTV is necessary
>> or sufficient for this (but still
>> useful!), using APO-AS covers it. And it's not a couple dozen more
>> virtual bytes that are going to matter for
>> a potential vault user.
>>
>> If after some time all of us who are currently dubious about CTV's stated
>> usecases are proven wrong by onchain
>> usage of a less efficient construction to achieve the same goal, we could
>> roll out CTV as an optimization. In
>> the meantime others will have been able to deploy new applications
>> leveraging ANYPREVOUT (Eltoo, blind
>> statechains, etc. [1]).
>>
>>
>> Given the interest in, and demand for, both simple covenants and better
>> offchain protocols it seems to me that
>> BIP118 is a soft fork candidate that could 

Re: [bitcoin-dev] BIP proposal: Timelocked address fidelity bond for BIP39 seeds

2022-05-01 Thread ZmnSCPxj via bitcoin-dev
Good morning again Chris,

I wonder if there would be an incentive to *rent* out a fidelity bond, i.e. I 
am interested in application A, you are interested in application B, and you 
rent my fidelity bond for application B.
We can use a pay-for-signature protocol now that Taproot is available, so that 
the signature for the certificate for your usage of application B can only be 
completed if I reveal a secret via a signature on another Taproot UTXO that 
gets me the rent for the fidelity bond.

I do not know if this would count as "abuse" or just plain "economic 
sensibility".
But a time may come where people just offer fidelity bonds for lease without 
actually caring about the actual applications it is being used *for*.
If the point is simply to make it costly to show your existence, whether you 
pay for the fidelity bond by renting it, or by acquiring your own Bitcoins and 
foregoing the ability to utilize it for some amount of time (which should cost 
closely to renting the fidelity bond from a provider), should probably not 
matter economically.

You mention that JoinMarket clients now check for fidelity bonds not being used 
across multiple makers, how is this done exactly, and does the technique not 
deserve a section in this BIP?

Regards,
ZmnSCPxj


Re: [bitcoin-dev] BIP proposal: Timelocked address fidelity bond for BIP39 seeds

2022-05-01 Thread Chris Belcher via bitcoin-dev

Hello ZmnSCPxj,

This is an intended feature. I'm thinking that the same fidelity bond 
can be used to run a JoinMarket maker as well as a Teleport 
(Coinswap) maker.


I don't believe it's abusable. It would be a problem if the same 
fidelity bond is used by two makers in the _same_ application, but 
JoinMarket takers are already coded to check for this, and Teleport 
takers will soon as well. Using the same bond across different 
applications is fine.


Best,
CB

On 01/05/2022 10:43, ZmnSCPxj wrote:
> Good morning Chris,
>
> Excellent BIP!
>
> From a quick read-over, it seems to me that the fidelity bond does not commit
> to any particular scheme or application.
> This means (as I understand it) that the same fidelity bond can be used to
> prove existence across multiple applications.
> I am uncertain whether this is potentially abusable or not.
>
> Regards,
> ZmnSCPxj



Re: [bitcoin-dev] BIP proposal: Timelocked address fidelity bond for BIP39 seeds

2022-05-01 Thread ZmnSCPxj via bitcoin-dev
Good morning Chris,

Excellent BIP!

From a quick read-over, it seems to me that the fidelity bond does not commit 
to any particular scheme or application.
This means (as I understand it) that the same fidelity bond can be used to 
prove existence across multiple applications.
I am uncertain whether this is potentially abusable or not.


Regards,
ZmnSCPxj


[bitcoin-dev] BIP proposal: Timelocked address fidelity bond for BIP39 seeds

2022-05-01 Thread Chris Belcher via bitcoin-dev
See 
https://gist.github.com/chris-belcher/7257763cedcc014de2cd4239857cd36e 
for the latest version of this BIP.



  BIP: TBD. Preferably a two-digit number to match the bip44, bip49, bip84, bip86 family of bips
  Layer: Applications
  Title: Derivation scheme for storing timelocked address fidelity bonds in BIP39 phrases
  Author: Chris Belcher
  Status: Draft
  Type: Standards Track
  Comments-Summary: No comments yet.
  Created: 2022-04-01
  License: CC0-1.0


== Abstract ==

This BIP defines the derivation scheme for BIP39 seed phrases which 
create timelocked addresses used for creating fidelity bonds. It also 
defines how to sign fidelity bond certificates, which are needed when 
using fidelity bonds that are stored offline.


== Motivation ==

Fidelity bonds are used to resist sybil attacks in certain decentralized 
anonymous protocols. They are created by locking up bitcoins using the 
`OP_CHECKLOCKTIMEVERIFY` opcode.


It would be useful to have a common derivation scheme so that users of 
wallet software can have a backup of their fidelity bonds by storing 
only the BIP39 seed phrase and a reference to this BIP. Importantly the 
user does not need to backup any timelock values.


We largely use the same approach used in BIPs 49, 84 and 86 for ease of 
implementation.


This standard is already implemented and deployed in JoinMarket. As most 
changes would require a protocol change of a live system, there is 
limited scope for changing this standard in review. This BIP is more 
about documenting something which already exists, warts and all.


== Background ==

=== Fidelity bonds ===

A fidelity bond is a mechanism where bitcoin value is deliberately 
sacrificed to make a cryptographic identity expensive to obtain. A way 
to create a fidelity bond is to lock up bitcoins by sending them to a 
timelocked address. The valuable thing being sacrificed is the 
time-value-of-money.


The sacrifice must be done in a way that can be proven to a third party. 
This proof can be made by showing the UTXO outpoint, the address 
redeemscript and a signature which signs a message using the private key 
corresponding to the public key in the redeemscript.


The sacrificed value is an objective measurement that can't be faked and 
which can be verified by anybody (just like, for example, PoW mining). 
Sybil attacks can be made very expensive by forcing a hypothetical sybil 
attacker to lock up many bitcoins for a long time. JoinMarket implements 
fidelity bonds for protection from sybil attackers. At the time of 
writing over 600 BTC in total have been locked up with some for many 
years. Their UTXOs and signatures have been advertised to the world as 
proof. We can calculate that for a sybil attacker to succeed in unmixing 
all the CoinJoins, they would have to lock up over 100k BTC for several 
years.


=== Fidelity bonds in cold storage ===

It would be useful to be able to keep the private keys of timelocked 
addresses in cold storage. This would allow the sybil resistance of a 
system to increase without hot wallet risk. For this reason there is an 
intermediate keypair called the certificate.


UTXO key ---signs---> certificate ---signs---> endpoint (e.g. IRC 
nickname or tor .onion hostname)


The certificate keypair can be kept online and used to prove ownership 
of the fidelity bond. Even if the hot wallet private keys are stolen, 
the coins in the timelocked address will still be safe, although the 
thief will be able to impersonate the fidelity bond until the expiry.


=== Fixed timelock values ===

It would be useful for the user to avoid having to keep a record of the 
timelocks in the time-locked addresses. So only a limited small set of 
timelocks are defined by this BIP. This way the user must only store 
their seed phrase, and knowledge that they have coins stored using this 
BIP standard. The user doesn't need to remember or store any dates.



== Specifications ==

This BIP defines the two needed steps to derive multiple deterministic 
addresses based on a [[bip-0032.mediawiki|BIP 32]] master private key. 
It also defines the format of the certificate that can be signed by the 
deterministic address key.


=== Public key derivation ===

To derive a public key from the root account, this BIP uses a similar 
account structure as defined in BIP [[bip-0084.mediawiki|44]] but with 
change set to 2.



m / 84' / 0' / 0' / 2 / index


A key derived with this derivation path pattern will be referred to as 
derived_key further in this document.

For index, addresses are numbered from 0 in a sequentially increasing 
manner, but index does not increase forever as in other similar 
standards: it only goes up to 959 inclusive, so only 960 addresses can be 
derived for a given BIP32 master key. Furthermore there is no concept of 
a gap limit; instead wallets must always generate all 960 addresses and 
check every one of them for a balance and history.
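As an added, stand-alone example (not code from the BIP or from JoinMarket), the block below implements in Python both the derivation rule above and the certificate delegation from the cold-storage section: every one of the 960 private keys at m/84'/0'/0'/2/index is derived with no gap limit, and the UTXO key -> certificate -> endpoint chain is built and verified. The secp256k1, ECDSA and BIP32 arithmetic is hand-written over the standard library so it runs offline; it is not constant-time and is for illustration only. The "fidelity-bond-cert|" and "fidelity-bond-endpoint|" message framings, the 4-byte expiry field, the seed and the nickname are this example's assumptions, since the page cuts off before the BIP's own certificate format.

```python
# Added example, not code from the BIP or JoinMarket: derives the 960 bond keys at
# m/84'/0'/0'/2/index and checks the UTXO key -> certificate -> endpoint chain.
# secp256k1, ECDSA and BIP32 are written out with the stdlib so it runs offline;
# the certificate/endpoint message framing is this example's ASSUMPTION.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
MAX_INDEX = 960  # fixed by the BIP: index 0..959, no gap limit

def _add(a, b):
    """Affine secp256k1 point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return None
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P  # tangent slope
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def pubkey(d):
    """33-byte compressed SEC1 encoding of d*G."""
    x, y = _mul(d, G)
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")

def _lift(pub):
    x = int.from_bytes(pub[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # square root; valid as P % 4 == 3
    return (x, y) if y % 2 == pub[0] % 2 else (x, P - y)

def sign(d, msg):
    """ECDSA over SHA-256(msg); HMAC-derived nonce (a simplified RFC 6979)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k_seed = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    k = int.from_bytes(k_seed, "big") % (N - 1) + 1  # always in [1, N-1]
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def verify(pub, msg, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, _lift(pub)))
    return pt is not None and pt[0] % N == r

def bond_private_keys(seed):
    """All 960 private scalars at m/84'/0'/0'/2/index via BIP32 CKDpriv."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, c = int.from_bytes(I[:32], "big"), I[32:]
    for i in (84 | HARDENED, 0 | HARDENED, 0 | HARDENED, 2):
        data = (b"\x00" + k.to_bytes(32, "big")) if i & HARDENED else pubkey(k)
        I = hmac.new(c, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
        k, c = (int.from_bytes(I[:32], "big") + k) % N, I[32:]
    parent_pub = pubkey(k)  # all non-hardened children reuse the parent pubkey
    keys = []
    for index in range(MAX_INDEX):  # wallets scan every one; there is no gap limit
        I = hmac.new(c, parent_pub + index.to_bytes(4, "big"), hashlib.sha512).digest()
        keys.append((int.from_bytes(I[:32], "big") + k) % N)
    return keys

def make_certificate(utxo_priv, cert_priv, expiry):
    """Cold step: the timelocked UTXO key signs the hot cert key and an expiry."""
    cert_pub = pubkey(cert_priv)
    msg = b"fidelity-bond-cert|" + cert_pub + expiry.to_bytes(4, "big")
    return {"pub": cert_pub, "expiry": expiry, "sig": sign(utxo_priv, msg)}

def sign_endpoint(cert_priv, endpoint):
    """Hot step: the certificate key signs the endpoint (IRC nick, .onion)."""
    return sign(cert_priv, b"fidelity-bond-endpoint|" + endpoint)

def verify_chain(utxo_pub, cert, endpoint, endpoint_sig, now):
    """Counterparty check; a stolen cert key impersonates the bond only until expiry."""
    if now >= cert["expiry"]:
        return False
    cert_msg = b"fidelity-bond-cert|" + cert["pub"] + cert["expiry"].to_bytes(4, "big")
    if not verify(utxo_pub, cert_msg, cert["sig"]):
        return False
    return verify(cert["pub"], b"fidelity-bond-endpoint|" + endpoint, endpoint_sig)
```

A typical call is make_certificate(keys[0], hot_key, expiry) once on the cold machine, then sign_endpoint(hot_key, nick) on the hot machine; verify_chain returns False for an expired certificate, a tampered endpoint, a certificate signed by a different UTXO key, or an endpoint signature from a different certificate key, which is the bounded damage the cold-storage section describes for a stolen hot key.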


=== Timelock derivation ===

The 

Re: [bitcoin-dev] What to do when contentious soft fork activations are attempted

2022-05-01 Thread alicexbt via bitcoin-dev
Hi Michael,

> Maybe the whole thing worked as designed. Some users identified what was 
> going on, well known Bitcoin educators such as Andreas Antonopoulos, Jimmy 
> Song etc brought additional attention to the dangers, a URSF movement started 
> to gain momentum and those attempting a contentious soft fork activation 
> backed off. (Disappointingly Bitcoin Optech didn't cover my previous posts to 
> this mailing list 
> [1](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019535.html),
>  
> [2](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019728.html),
>  
> [3](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020235.html)
>  highlighting the dangers many months ago or recent posts. Normally Optech is 
> very high signal.)

Some users have been misled and there is nothing great being achieved by doing 
this on social media. Andreas is clueless about BIP 119 and other covenant 
proposals. He is spreading misinformation and some of the URSF enthusiasts do 
not understand what they are even opposing or going to run, with the risks involved.

Answering the subject of this email: "What to do when contentious soft fork 
activations are attempted?"

- Do not consider something contentious because someone said it on the mailing list
- Do not spread misinformation
- Read all posts in detail with different opinions
- Avoid personal attacks
- Look at the technical details, code etc. and comment on things that could be 
improved

/dev/fd0

Sent with [ProtonMail](https://protonmail.com/) secure email.
--- Original Message ---
On Saturday, April 30th, 2022 at 3:23 PM, Michael Folkson via bitcoin-dev 
bitcoin-dev@lists.linuxfoundation.org wrote:

> I’ve been in two minds on whether to completely move on to other topics or to 
> formulate some thoughts on the recent attempt to activate a contentious soft 
> fork. In the interests of those of us who have wasted days/weeks/months of 
> our time on this (with no personal upside) and who don’t want to repeat this 
> exercise again I thought I should at least raise the issue for discussion of 
> what should be done differently if this is tried again in future.
>
> This could be Jeremy with OP_CTV at a later point (assuming it is still 
> contentious) or anyone who wants to pick up a single opcode that is not yet 
> activated on Bitcoin and try to get miners to signal for it bypassing 
> technical concerns from many developers, bypassing Bitcoin Core and bypassing 
> users.
>
> Maybe the whole thing worked as designed. Some users identified what was 
> going on, well known Bitcoin educators such as Andreas Antonopoulos, Jimmy 
> Song etc brought additional attention to the dangers, a URSF movement started 
> to gain momentum and those attempting a contentious soft fork activation 
> backed off. (Disappointingly Bitcoin Optech didn't cover my previous posts to 
> this mailing list 
> [1](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019535.html),
>  
> [2](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019728.html),
>  
> [3](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020235.html)
>  highlighting the dangers many months ago or recent posts. Normally Optech is 
> very high signal.)
>
> Alternatively this was the first time a contentious soft fork activation was 
> attempted, we were all woefully unprepared for it and none of us knew what we 
> were doing.
>
> I’m unsure on the above. I’d be interested to hear thoughts. What I am sure 
> of is that it is totally unacceptable for one individual to bring the entire 
> Bitcoin network to the brink of a chain split. There has to be a personal 
> cost to that individual dissuading them from trying it again otherwise 
> they’re motivated to try it again every week/month. Perhaps the personal cost 
> that the community is now prepared if that individual tries it again is 
> sufficient. I’m not sure. Obviously Bitcoin is a permissionless network, 
> Bitcoin Core and other open source projects are easily forked and no 
> authority (I’m certainly no authority) can stop things like this happening 
> again.
>
> I’ll follow the responses if people have thoughts (I won't be responding to 
> the instigators of this contentious soft fork activation attempt) but other 
> than that I’d like to move on to other things than contentious soft fork 
> activations. Thanks to those who have expressed concerns publicly (too many 
> to name, Bob McElrath was often wording arguments better than I could) and 
> who were willing to engage with the URSF conversation. If an individual can 
> go directly to miners to get soft forks activated bypassing technical 
> concerns from many developers, bypassing Bitcoin Core and bypassing users 
> Bitcoin is fundamentally broken. The reason I still have hope that it isn't 
> is that during a period of general apathy some people were willing to stand 
> up and actively resist it.
>
> --