2. ETH Must Always Be on One Side of the Swap

Although the Serum method of cross-chain swapping could occur on any blockchain with smart contracts, the Serum whitepaper makes it clear the Serum arbitration contract is going to be deployed on the Ethereum blockchain. This means one party must always be locking the full value of the trade in ETH using an Ethereum smart contract.
This makes it impossible, for example, to do a single-step trade between Bitcoin and Monero, since the swap would need to be from Bitcoin to ETH first and then from ETH to Monero. This is comparable to other proposed cross-chain swap systems like Thorchain and Blockswap; however, since those networks use AMMs (automated market makers) and decentralized vaults to take custody of funds, the user does not need to interact with the intermediary chain at all.
Instead in Serum, the user wanting to swap Bitcoin to Monero will need to do the following steps:
1. Send Ethereum collateral to the Serum arbitration contract
2. Send Bitcoin to the user they are swapping with.
4. Send Ethereum back to Serum arbitration contract
6. Send Ethereum out of Serum arbitration contract
It might be possible to remove or simplify step 4, depending on how the smart contract is built; however, this means a swap from BTC to Monero would require 2 Ethereum and 1 Bitcoin transaction in the best-case scenario. Compared with the experience of other cross-chain swapping mechanisms, which only require the user to send a single transaction to swap between two assets, this is a very poor user experience.

3. Proving Transactions on Arbitrary Chains to a Smart Contract Is Not Trivial

Perhaps the most central part of the Serum cross-chain swapping mechanism is left completely unexplored in the Serum whitepaper with only a brief explanation given.
“[The] Smart Contract is programmed to parse whether a proposed BTC blockchain is valid; it can then check which of Alice and Bob send the longer valid blockchain, and settle in their favor”
This is not a trivial problem, and it is unclear how this actually works from the explanation given in the Serum whitepaper. What actually needs to be presented to the smart contract to prove a Bitcoin transaction? Typically when talking about SPV, the smart contract would need the block headers of all previous blocks and a merkle inclusion proof. This is far too heavy to submit in a dispute. Instead, Serum could use NIPoPoW; however, these proofs only work on chains with fixed difficulty and are still probably prohibitively large (~100KB) to be submitted as a proof to a contract. Other solutions like Flyclient are more versatile, but proof sizes are much larger and have failed to see much real-world adoption.
Without explaining how they actually plan to do this validation of Bitcoin transactions, users are left in the dark about how secure their solution actually is.

4. High Dispute Fees Force Large Collateral on Small Trades

Although disputes should almost never happen because of the incentives and punishments designed into the Serum protocol, the way they are designed has negative impacts on the use of the network.
Although the Serum whitepaper does not say how the dispute mechanism works, they do say that it will cost about ~100 USD in GAS to dispute a swap.
Note: keep in mind that the Serum paper was published in July 2020, when the gas price was about 50 Gwei. As Ethereum use has picked up over the past month, we have seen average gas prices as high as 250 Gwei, with the average price right now about 120 Gwei.
This means that at the height of GAS prices it could have cost a user ~500 USD to dispute a swap.
This means that for the network to ensure losing cross-chain swaps aren’t made, each user must deploy at least $200 in collateral on each side. It may be possible to lower this collateral if we assume the attacker is not financially motivated; however, there is a lower bound at which ransom attacks become possible on low-value trades. Further, and perhaps more damagingly, this means in a trade of any size the user needs to have at least 300 USD in ETH lying around: 100 USD in ETH for the required collateral and 200 USD if they need to challenge the transaction. This further adds to the poor user experience when using Serum for cross-chain swapping.

5. Swaps Are Not Set and Forget

Instead of being able to send a transaction and receive funds on the blockchain you are swapping to, the process is highly interactive. In the case where I am swapping ETH for Bitcoin, the following occurs:
• Send a transaction to the Serum arbitration contract with my collateral.
• Send a transaction to the Serum arbitration contract with the funds to be traded.
• Wait until the Bitcoin transaction sent to my address has an acceptable amount of confirmations (up to 60 mins, depending on network congestion). If the Bitcoin transaction is never received then I need to wait for a timeout to occur before I can participate in the dispute process.
• Send a transaction to the Serum arbitration contract unlocking my funds and sending them to the participant.
And on the Bitcoin side (assuming the seller is ready), the following must take place:
• Send my Ethereum collateral to the smart contract.
• Send the Bitcoin.
• Wait until the Seller has accepted that Bitcoin. If the Seller never accepts the Bitcoin I sent to him then I need to wait in line for the dispute process.
• Wait to receive my ETH + Collateral back.
This presents a strange user experience where the seller or seller’s wallet must be left online during this whole process and be ready to sign a new transaction if they need to dispute transactions or unlock funds from a smart contract. This is different from the typical exchange or swapping scenario in which, once your funds are sent, you can be assured you will receive the amount you expected in your swap back to you, without any of your wallets needing to remain online.

6. The Serum Token Seems to Lack a Use Case

The cross-chain swapping protocol Serum describes in its whitepaper could easily be forked and launched on the Ethereum blockchain without having any need for the Serum token. It seems that the Serum token will be used in some capacity when placing orders on the Solana based blockchain, however, the order book could just as easily be placed off with traditional rate-limiting schemes. There is some brief mention of future governance abilities for token holders, however, as a common theme in their whitepaper, details are scarce:
“Serum is anticipated to include a limited governance model based on the SRM token. While most of the Serum ecosystem will be immutable, some parameters without large security risks (e.g. future fees) may be modified via a governance vote of SRM tokens.”

Conclusion

Until satisfactory answers are given to these questions I would be looking at other projects who are attempting to build platforms for cross-chain swaps. As previously mentioned, Thorchain & Blockswap show some promise in design, whilst there are some others competing in this space too, such as Incognito and RenVM. However, this area is still extremely immature so plenty of testing and time is required before we can call any of these projects a success.
If you’ve got any feedback or thoughts about Serum, cross-chain swapping or DeFi in general, please don’t be shy in leaving a comment.
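What "presenting a Bitcoin transaction to a smart contract" via SPV actually involves, as an added Python example that is not part of the original post nor of Serum's code: a verifier for a chain of block headers plus a merkle inclusion proof, run over constructed transactions and headers mined at regtest difficulty (nBits 0x207fffff, assumed so the demo runs offline), which also tallies the bytes a contract would have to ingest for a single transaction.

```python
# Added example: what an SPV-style proof of a Bitcoin transaction consists of
# (block headers + merkle inclusion proof) and how a verifier checks it.
# Constructed data only: the txids and headers are made up and mined at regtest
# difficulty (nBits 0x207fffff) so the demo runs offline in milliseconds.
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used for txids, merkle nodes and header hashes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _next_level(level):
    # Bitcoin duplicates the last hash when a level has an odd number of nodes.
    if len(level) % 2:
        level = level + [level[-1]]
    return [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids):
    """Merkle root over txids given in internal (non-reversed) byte order."""
    if not txids:
        raise ValueError("a block always has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(txids, index):
    """Sibling hashes from leaf `index` up to the root: [(hash, sibling_is_right)]."""
    proof = []
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_merkle_proof(txid, proof, root):
    """Recompute the path to the root; this is what a light client or contract checks."""
    node = txid
    for sibling, sibling_is_right in proof:
        node = sha256d(node + sibling) if sibling_is_right else sha256d(sibling + node)
    return node == root


def bits_to_target(bits: int) -> int:
    """Decode the compact nBits header field into the 256-bit proof-of-work target."""
    exponent, mantissa = bits >> 24, bits & 0x00FFFFFF
    return mantissa << (8 * (exponent - 3))


def header_meets_target(header: bytes) -> bool:
    bits = struct.unpack_from("<I", header, 72)[0]
    return int.from_bytes(sha256d(header), "little") <= bits_to_target(bits)


def verify_header_chain(headers) -> bool:
    """Each 80-byte header must meet its own target and commit to the previous hash."""
    prev = None
    for header in headers:
        if len(header) != 80 or not header_meets_target(header):
            return False
        if prev is not None and header[4:36] != sha256d(prev):
            return False
        prev = header
    return True


def mine_header(prev_hash, merkle, bits, timestamp, version=0x20000000):
    """Grind a nonce until the header meets the target (cheap at regtest difficulty)."""
    for nonce in range(2 ** 32):
        header = (struct.pack("<I", version) + prev_hash + merkle
                  + struct.pack("<III", timestamp, bits, nonce))
        if header_meets_target(header):
            return header
    raise RuntimeError("no nonce satisfied the target")


def run_spv_demo():
    """Build a 3-block toy chain and prove tx #2 of the last block is in it."""
    regtest_bits = 0x207FFFFF                                        # easiest real nBits
    txids = [sha256d(b"constructed tx %d" % i) for i in range(5)]   # 5 txs: odd level
    genesis = mine_header(b"\x00" * 32, sha256d(b"genesis root"), regtest_bits, 1600000000)
    block1 = mine_header(sha256d(genesis), sha256d(b"block1 root"), regtest_bits, 1600000600)
    block2 = mine_header(sha256d(block1), merkle_root(txids), regtest_bits, 1600001200)
    headers = [genesis, block1, block2]

    proof = merkle_proof(txids, 2)
    root = block2[36:68]                                    # merkle root field of the header
    tampered = [(bytes(32), right) for _, right in proof]   # wrong sibling hashes
    return {
        "chain_valid": verify_header_chain(headers),
        "proof_valid": verify_merkle_proof(txids[2], proof, root),
        "tampered_valid": verify_merkle_proof(txids[2], tampered, root),
        "proof_len": len(proof),
        # what a contract would have to ingest for this one tx: headers + merkle path
        "proof_bytes": 80 * len(headers) + 32 * len(proof),
    }


if __name__ == "__main__":
    print(run_spv_demo())
```

On mainnet the header part alone is 80 bytes per block since the contract's last known header, which is why the post calls submitting full SPV data in a dispute too heavy.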
submitted by Loooong_Loooong_Man to CryptoCurrency

[ Bitcoin ] Technical: Taproot: Why Activate?

Topic originally posted in Bitcoin by almkglor

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/

Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?

And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester your wallet vendor/implementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.

First, let's consider some principles of Bitcoin.

• You the HODLer should be the one who controls where your money goes. Your keys, your coins.
• You the HODLer should be able to coordinate and make contracts with other people regarding your funds.
• You the HODLer should be able to do the above without anyone watching over your shoulder and judging you.

I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).

So, how does Taproot affect those principles?

Taproot and Your Coins

Most HODLers probably HODL their coins in singlesig addresses.
Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).

(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).

However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!

Taproot switches to using the Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?

With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup.
Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!

And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!

(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)

Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!

So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)

And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.

So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.

Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.

However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.

In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisignature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).

But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).

Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).

(technology-wise, it's easier to make an n-of-n than a k-of-n; making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above.
If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.

This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.

And you can do that, with HTLCs, today.

Of course, HTLCs do have problems:

• Privacy. Everyone scraping the Bitcoin blockchain can see any HTLCs, and preimages used to claim them.
  • This can be mitigated by using offchain techniques so HTLCs are never published onchain in the happy case. Lightning would probably in practice be the easiest way to do this offchain. Of course, there are practical limits to what you can pay on Lightning. If you are buying something expensive, then Lightning might not be practical.
  For example, the "software" you are activating is really the firmware of a car, and what you are buying is not the software really but the car itself (with the activation of the car firmware being equivalent to getting the car keys).
  • Even offchain techniques need an onchain escape hatch in case of unresponsiveness! This means that, if something bad happens during payment, the HTLC might end up being published onchain anyway, revealing the fact that some special contract occurred.
  • And an HTLC that is claimed with a preimage onchain will also publicly reveal the preimage onchain. If that preimage is really the activation key of a piece of software then it can now be pirated. If that preimage is really the activation key for your newly-bought cryptographic car --- well, not your keys, not your car!
• Trust requirement. You are trusting the developer that it gives you the hash of an actual valid activation key, without any way to validate that the activation key hidden by the hash is actually valid.

Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script construction by Andrew Poelstra.

This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar". Or as you might know them: "point" is really "public key" and "scalar" is really a "private key".

What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given private key to you.

Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developer/manufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge).
However, from this signature, plus some data given to you by the developer/manufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).

(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developer/manufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).

So:

• Privacy: PTLCs are private even if done onchain. Nobody else can learn what the private key behind the public key is, except you who knows the adaptor signature that when combined with the complete onchain signature lets you know what the private key of the activation key is. Somebody scraping the blockchain will not learn the same information even if all PTLCs are done onchain!
  • Lightning is still useful for reducing onchain use, and will also get PTLCs soon after Taproot is activated, but even if something bad happens and a PTLC has to go onchain, it doesn't reveal anything!
• Trust issues can be proven more easily with a public-private keypair than with a hash-preimage pair.
  • For example, the developer of the software you are buying could provide a signature signing a message saying "unlock access to the full version for 1 day". You can check if feeding this message and signature to the program will indeed unlock full-version access for 1 day. Then you can check if the signature is valid for the purported pubkey whose private key you will pay for.
  If so, you can now believe that getting the private key (by paying for it in a PTLC) would let you generate any number of "unlock access to the full version for 1 day" message+signatures, which is equivalent to getting full access to the software indefinitely.
  • For the car, the manufacturer can show that signing a message "start the engine" and feeding the signature to the car's firmware will indeed start the engine, and maybe even let you have a small test drive. You can then check if the signature is valid for the purported pubkey whose privkey you will pay for. If so, you can now believe that gaining knowledge of the privkey will let you start the car engine at any time you want.
  • (pedantry: the signatures need to be unique else they could be replayed, this can be done with a challenge-response sequence for the car, where the car gathers entropy somehow (it's a car, it probably has a bunch of sensors nowadays so it can get entropy for free) and uses the gathered entropy to challenge you to sign a random number and only start if you are able to sign the random number; for the software, it could record previous signatures somewhere in the developer's cloud server and refuse to run if you try to replay a previously-seen signature.)

Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.

(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:

(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)

So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??

Well, in theory yes. In practice, they probably are not.

It's not that hashes can be broken by quantum computers --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.

When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.

So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.

(public keys should be public, that's why they're called public keys, LOL)

And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.

So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.

Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.

• Current quantum computers can barely crack the prime factorization problem for primes of 5 bits.
• The 256-bit elliptic curve used by Bitcoin is, by my (possibly wrong) understanding, equivalent to 4096-bit primes, so you can see a pretty big gap between now (5 bit primes) and what is needed (4096 bit primes).
• A lot of financial non-Bitcoin systems use the equivalent of 3072-bit primes or less, and are probably easier targets to crack than the equivalent-to-4096-bit-primes Bitcoin.

So:

• Quantum computers capable of cracking Bitcoin are still far off.
• Pay-to-public-key-hash is not as protective as you might think.
• We will probably see banks get cracked before Bitcoin, so the banking system is a useful canary-in-a-coal-mine to see whether we should panic about being quantum vulnerable.

For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

• If you are a singlesig HODL-only Bitcoin user, Taproot will not affect you positively or negatively. Importantly: Taproot does no harm!
• If you use or intend to use multisig, Taproot will be a positive for you.
• If you transact onchain regularly using typical P2PKH/P2WPKH addresses, you get a minor reduction in feerates since multisig users will likely switch to Taproot to get smaller tx sizes, freeing up blockspace for yours.
• If you are using multiparticipant setups for special systems of trade, Taproot will be a positive for you.
  • Remember: Lightning channels are multiparticipant setups for special systems of lightning-fast offchain trades!

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

• If you have developer experience especially in C, C++, or related languages
  • Review the Taproot code! There is one pull request in Bitcoin Core, and one in libsecp256k1. I deliberately am not putting links here, to avoid brigades of nontechnical but enthusiastic people leaving pointless reviews, but if you are qualified you know how to find them!
  • But I am not a cryptographer/Bitcoin Core contributor/mathematician/someone as awesome as Pieter Wuille
    • That's perfectly fine! The cryptographers have been over the code already and agree the math is right and the implementation is right. What is wanted is the dreary dreary dreary software engineering: are the comments comprehensive and understandable? no misspellings in the comments? variable names understandable? reasonable function naming convention? misleading coding style? off-by-one errors in loops? conditions not covered by tests? accidental mixups of variables with the same types? missing frees? read-before-init? better test coverage of suspicious-looking code? missing or mismatching header guards? portability issues? consistent coding style? you know, stuff any coder with a few years of experience in coding anything might be able to catch. With enough eyes all bugs are shallow!
• If you are running a mining pool/mining operation/exchange/custodial service/SPV server
  • Be prepared to upgrade!
  • One of the typical issues with upgrading software is that subtle incompatibilities with your current custom programs tend to arise, disrupting operations and potentially losing income due to downtime.
    If so, consider moving to the two-node setup suggested by gmax, which is in the last section of my previous post. With this, you have an up-to-date "public" node and a fixed-version "private" node, with the public node protecting the private node from any invalid chainsplits or invalid transactions. Moving to this setup from a typical one-node setup should be smooth and should not disrupt operations (too much).
• If you are running your own fullnode for fun or for your own wallet
  • Be prepared to upgrade! The more nodes validating the new rules (even if you are a non-mining node!), the safer every softfork will be!
• If you are using an SPV wallet or custodial wallet/service (including hardware wallets using the software of the wallet provider)
  • Contact your wallet provider / SPV server and ask for a statement on whether they support Taproot, and whether they are prepared to upgrade for Taproot! Make it known to them that Taproot is something you want!

But I Hate Taproot!!

That's fine!

• Raise your objections to Taproot now, or forever hold your peace! Maybe you can raise them here and some of the devs (probably nullc, he goes everywhere, even in rbtc!) might be able to see your objections! Or if your objections are very technical, head over to the appropriate pull request and object away!
• Maybe you simply misunderstand something, and we can clarify it here!
• Or maybe you do have a good objection, and we can make Taproot better by finding a solution for it!

Discussions About Taproot Activation

almkglor your post has been copied because one or more comments in this topic have been removed. This copy will preserve unmoderated topic. If you would like to opt-out, please send a message using [this link].
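The adaptor-signature "magic trick" the post walks through (pledge, turn, prestige), and its earlier point that what lands onchain is one ordinary-looking signature, as an added Python example that is not part of the original post and not Bitcoin Core's or libsecp256k1's code. It assumes a simplified Schnorr challenge hash rather than BIP340's tagged hashing, constructed keys, and a plain 1-of-1 signer standing in for the 2-of-2.

```python
# Added example: a toy PTLC built from a Schnorr adaptor signature over secp256k1.
# Pure Python, constructed keys, and a simplified (non-BIP340) challenge hash: it
# shows the mechanics the post describes, not a wallet-ready scheme.
import hashlib

# secp256k1 parameters (the curve Bitcoin uses)
P = 2 ** 256 - 2 ** 32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add: k*G turns a 'scalar' (private key) into a 'point' (public key)."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def challenge(nonce_point, pubkey, msg):
    """Schnorr challenge e = H(R || P || m) mod N (simplified, no BIP340 tagging)."""
    digest = hashlib.sha256(encode(nonce_point) + encode(pubkey) + msg).digest()
    return int.from_bytes(digest, "big") % N


def schnorr_verify(pubkey, msg, R, s):
    """Ordinary Schnorr check s*G == R + e*P; nothing here marks a PTLC as special."""
    e = challenge(R, pubkey, msg)
    return scalar_mult(s) == point_add(R, scalar_mult(e, pubkey))


def adaptor_sign(x, t, msg, k):
    """Seller: sign with nonce k, but bind the challenge to R + T, where T = t*G is the
    'activation key' point. The result is not yet a valid signature."""
    R, T = scalar_mult(k), scalar_mult(t)
    R_hat = point_add(R, T)              # the nonce point the final signature will carry
    e = challenge(R_hat, scalar_mult(x), msg)
    s_adapt = (k + e * x) % N            # becomes valid only once t is added in
    return R, T, s_adapt


def adaptor_verify(pubkey, msg, R, T, s_adapt):
    """Buyer: s_adapt*G == R + e*P with e bound to R+T, so completing it must reveal t."""
    e = challenge(point_add(R, T), pubkey, msg)
    return scalar_mult(s_adapt) == point_add(R, scalar_mult(e, pubkey))


def complete(s_adapt, t):
    """Seller claims the funds by publishing s = s_adapt + t alongside R + T."""
    return (s_adapt + t) % N


def extract_secret(s, s_adapt, T):
    """Buyer: the onchain s minus the privately held s_adapt is t; check it against T."""
    t = (s - s_adapt) % N
    return t if scalar_mult(t) == T else None


def run_ptlc_demo():
    # constructed scalars: the seller's signing key, the activation key t, and the nonce
    seller_key = int.from_bytes(hashlib.sha256(b"constructed seller key").digest(), "big") % N
    activation = int.from_bytes(hashlib.sha256(b"constructed activation key").digest(), "big") % N
    msg = b"constructed spend of the PTLC output"
    k = int.from_bytes(hashlib.sha256(b"constructed nonce" + msg).digest(), "big") % N
    pubkey = scalar_mult(seller_key)

    R, T, s_adapt = adaptor_sign(seller_key, activation, msg, k)     # seller -> buyer
    adaptor_ok = adaptor_verify(pubkey, msg, R, T, s_adapt)          # buyer checks, then funds
    s = complete(s_adapt, activation)                                # seller broadcasts (R+T, s)
    R_hat = point_add(R, T)
    return {
        "adaptor_ok": adaptor_ok,
        "onchain_sig_valid": schnorr_verify(pubkey, msg, R_hat, s),   # looks like any Schnorr sig
        "buyer_recovers_t": extract_secret(s, s_adapt, T) == activation,
        # an observer has (R+T, s) but no s_adapt, so subtracting nothing yields not t
        "observer_recovers_t": extract_secret(s, 0, T) == activation,
    }


if __name__ == "__main__":
    print(run_ptlc_demo())
```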
submitted by anticensor_bot to u/anticensor_bot

Need help syncing my pruned node

ping timeout: 1200.000942s
2020-08-14T11:42:19Z Imported mempool transactions from disk: 212 succeeded, 0 failed, 0 expired, 0 already there
2020-08-14T11:42:28Z Loading addresses from DNS seed dnsseed.emzy.de
2020-08-14T11:42:28Z Loading addresses from DNS seed dnsseed.bitcoin.dashjr.org
2020-08-14T11:42:28Z Loading addresses from DNS seed seed.bitcoin.sipa.be
2020-08-14T11:42:40Z Loading addresses from DNS seed seed.bitcoin.jonasschnelli.ch
2020-08-14T11:42:43Z Loading addresses from DNS seed seed.bitcoinstats.com
2020-08-14T11:42:44Z Loading addresses from DNS seed seed.btc.petertodd.org
2020-08-14T11:42:55Z Loading addresses from DNS seed dnsseed.bluematt.me
2020-08-14T11:42:56Z Loading addresses from DNS seed seed.bitcoin.sprovoost.nl
2020-08-14T11:42:56Z 282 addresses found from DNS seeds
2020-08-14T11:42:56Z dnsseed thread exit
2020-08-14T11:42:59Z New outbound peer connected: version: 70015, blocks=643670, peer=0 (full-relay)
2020-08-14T11:43:08Z Synchronizing blockheaders, height: 643670 (~100.00%)
2020-08-14T11:43:10Z New outbound peer connected: version: 70015, blocks=643670, peer=1 (full-relay)
2020-08-14T11:43:23Z New outbound peer connected: version: 70015, blocks=643670, peer=2 (full-relay)
2020-08-14T11:44:22Z New outbound peer connected: version: 70015, blocks=643670, peer=4 (full-relay)
2020-08-14T11:45:10Z New outbound peer connected: version: 70015, blocks=643670, peer=6 (full-relay)
2020-08-14T11:45:28Z New outbound peer connected: version: 70015, blocks=643670, peer=7 (full-relay)
2020-08-14T11:45:44Z New outbound peer connected: version: 70015, blocks=643670, peer=8 (full-relay)
2020-08-14T11:45:53Z New outbound peer connected: version: 70015, blocks=643670, peer=9 (full-relay)
2020-08-14T11:46:33Z New outbound peer connected: version: 70015, blocks=643670, peer=10 (block-relay)
2020-08-14T11:46:44Z New outbound peer connected: version: 70015, blocks=643670, peer=11 (block-relay)
2020-08-14T11:50:23Z ThreadRPCServer incorrect password attempt from 127.0.0.1:32824
2020-08-14T11:51:45Z socket send error Broken pipe (32)
2020-08-14T12:04:39Z New outbound peer connected: version: 70015, blocks=643673, peer=16 (full-relay)
2020-08-14T12:04:41Z Synchronizing blockheaders, height: 643673 (~100.00%)
2020-08-14T12:04:59Z ping timeout: 1200.000942s
2020-08-14T12:05:10Z ping timeout: 1200.043368s
2020-08-14T12:06:13Z New outbound peer connected: version: 70015, blocks=643673, peer=18 (full-relay)
2020-08-14T12:06:22Z ping timeout: 1200.034643s
2020-08-14T12:06:32Z New outbound peer connected: version: 70015, blocks=643673, peer=19 (full-relay)
2020-08-14T12:06:44Z New outbound peer connected: version: 70015, blocks=643673, peer=20 (full-relay)
2020-08-14T12:07:00Z New outbound peer connected: version: 70015, blocks=643673, peer=21 (full-relay)
2020-08-14T12:07:10Z ping timeout: 1200.014859s
2020-08-14T12:07:28Z ping timeout: 1200.047817s
2020-08-14T12:07:38Z New outbound peer connected: version: 70015, blocks=643673, peer=23 (full-relay)
2020-08-14T12:07:44Z ping timeout: 1200.007960s
2020-08-14T12:07:55Z New outbound peer connected: version: 70015, blocks=643673, peer=24 (full-relay)
2020-08-14T12:08:33Z ping timeout: 1200.026059s
2020-08-14T12:08:39Z New outbound peer connected: version: 70015, blocks=643673, peer=25 (full-relay)
2020-08-14T12:08:44Z ping timeout: 1200.031032s
2020-08-14T12:09:16Z New outbound peer connected: version: 70015, blocks=643673, peer=26 (block-relay)
2020-08-14T12:09:36Z New outbound peer connected: version: 70015, blocks=643673, peer=27 (block-relay)

Not my first time syncing, I only run this when I send some bitcoins. My internet is fine, not sure what's happening here. I'm still at nBestHeight = 643447

submitted by InfiniteExceptions to Bitcoin

hodltip - new way of tipping around here?
New account but in Bitcoin for a while. Saw today the Bull meme here because we all know that memes are the fuel to get us to the moon and wanted to tip the user. Never done it before so checked the lntip wiki page and found this right at the bottom:

Future

2020-08-01 I am looking into using HODL invoices to remove the custodial account-like way the bot currently works. How would it work?
• A new command, say !hodltip, is now used for tipping.
• When a tip is made, the bot will acknowledge it with a reply and also DM the tipper with a HODL invoice to pay.
• The tipper pays the invoice within the invoice timeout period (probably something like 2 days)
• Once the invoice is paid (but not settled yet by the bot), the tip recipient will be notified to supply an invoice for the same amount.
• If the tip recipient supplies an invoice within the HODL timeout, the bot will attempt to pay the invoice. If successful, it will settle the tipper's invoice and the transaction is complete.
• If the tip recipient does not supply an invoice within the timeout, the tipper's invoice will expire and funds are returned to the tipper.

Advantages
• Less trust in the bot since balances are no longer needed.
• No risk of loss due to lost access to reddit account.
• Refunds now possible if the tip recipient is not interested in redeeming.

Disadvantages
• Tippers/tip recipients need to pay/create an invoice for every tip they make/receive. As a result, I would probably increase the minimum tip for this way of tipping to something like 500-1000 satoshis.

The original way of tipping as well as withdrawals would still be supported indefinitely, but I will likely disable deposits going forward once this is ready in the coming months.

Disclaimer: I have nothing to do with LNTipBot, just trying to get the news to the community.
I think LN is the future and will be really important in the next bull run; with all the shitcoins pointing at the high fees and slow transactions, we should all promote LN as much as we can. Also, if you have a tiny bit of time, at least subscribe to the lightningnetwork; there's less than 5k members. Thank you all for this subreddit and for reading the whole thing. TL;DR: LN is cool, subscribe to lightningnetwork, HODL!

submitted by hodl_ninja to Bitcoin

Dive Into Tendermint Consensus Protocol (I)

This article is written by the CoinEx Chain lab. CoinEx Chain is the world's first public chain exclusively designed for DEX, and will also include a Smart Chain supporting smart contracts and a Privacy Chain protecting users' privacy.

longcpp @ 20200618

This is Part 1 of the serialized articles aimed to explain the Tendermint consensus protocol in detail.

Part 1. Preliminary of the consensus protocol: security model and PBFT protocol
Part 2. Tendermint consensus protocol illustrated: two-phase voting protocol and the locking and unlocking mechanism
Part 3. Weighted round-robin proposer selection algorithm used in Tendermint project

Any consensus agreement that is ultimately reached is the General Agreement, that is, the majority opinion. The consensus protocol on which the blockchain system operates is no exception. As a distributed system, the blockchain system aims to maintain the validity of the system. Intuitively, the validity of the blockchain system has two meanings: firstly, there is no ambiguity, and secondly, it can process requests to update its status. The former corresponds to the safety requirements of distributed systems, while the latter to the requirements of liveness. The validity of distributed systems is mainly maintained by consensus protocols; since the multiple nodes and network communication involved in such systems may be unstable, this has brought huge challenges to the design of consensus protocols.
The semi-synchronous network model and Byzantine fault tolerance

Researchers of distributed systems characterize the problems that may occur in nodes and network communications using node failure models and network models. The fail-stop failure in node failure models refers to the situation where the node itself stops running due to configuration errors or other reasons, and is thus unable to go on with the consensus protocol. This type of failure has no side effects on other parts of the distributed system beyond the node itself stopping. However, for distributed systems such as a public blockchain, when designing a consensus protocol we still need to consider deliberate evildoing by nodes besides their failure. These incidents are all included in the Byzantine failure model, which covers all unexpected situations that may occur on a node, for example passive downtime failures and any deviation intended by the node from the consensus protocol. For a better explanation, downtime failures refer to nodes' passive running halt, and Byzantine failure to any arbitrary deviation of nodes from the consensus protocol.

Compared with the node failure model, which can be roughly divided into the passive and active models, the modeling of network communication is more difficult. The network itself suffers from instability and communication delay. Moreover, since all network communication is ultimately completed by nodes which may themselves have a downtime failure or a Byzantine failure, it is usually difficult to tell whether a failure arises from the node or from the network when a node does not receive another node's message. Although network communication may be affected by many factors, researchers found that network models can be classified by communication delay. For example, a node may fail to send data packets due to a fail-stop failure, and as a result the corresponding communication delay is unknown and can be any value. According to the concept of communication delay, the network communication model can be divided into the following three categories:
• The synchronous network model: There is a fixed, known upper bound of delay $\Delta$ in network communication. Under this model, the maximum delay of network communication between two nodes in the network is $\Delta$. Even if there is a malicious node, the communication delay arising therefrom does not exceed $\Delta$.
• The asynchronous network model: There is an unknown delay in network communication, with no known upper bound on the delay, but the message can still be successfully delivered in the end. Under this model, the network communication delay between two nodes in the network can be any possible value, that is, a malicious node, if any, can arbitrarily extend the communication delay.
• The semi-synchronous network model: Assume that there is a Global Stabilization Time (GST), before which it is an asynchronous network model and after which it is a synchronous network model. In other words, there is a fixed, known upper bound of delay $\Delta$ in network communication. A malicious node can delay the GST arbitrarily, and there will be no notification when the GST occurs. Under this model, the delivery deadline of a message sent at time $T$ is $\Delta + \max(T, GST)$.

The synchronous network model is the most ideal network environment. Every message sent through the network can be received within a predictable time, but this model cannot reflect the real network communication situation. As in a real network, network failures are inevitable from time to time, breaking the assumption of the synchronous network model. Yet the asynchronous network model goes to the other extreme and cannot reflect the real network situation either.
Moreover, according to the FLP (Fischer-Lynch-Paterson) theorem, under this model if even one node fails, no consensus protocol can reach consensus in bounded time. In contrast, the semi-synchronous network model better describes the real-world network communication situation: network communication is usually synchronous, or returns to normal after a short time. Such an experience must be no stranger to everyone: the web page, which usually loads quite fast, opens slowly every now and then, and you need to try before you know the network is back to normal since there is usually no notification. The peer-to-peer (P2P) network communication widely used in blockchain projects also makes it possible for a node to send and receive information over multiple network channels. It is unrealistic to keep blocking the network information transmission of a node for a long time. Therefore, all the discussion below is under the semi-synchronous network model.

The design and selection of consensus protocols for public chain networks that allow nodes to dynamically join and leave need to consider possible Byzantine failures. Therefore, the consensus protocol of a public chain network is designed to guarantee the security and liveness of the network under the semi-synchronous network model on the premise of possible Byzantine failure. Researchers of distributed systems point out that to ensure the security and liveness of the system, the consensus protocol itself needs to meet three requirements:
• Validity: The value reached by honest nodes must be the value proposed by one of them
• Agreement: All honest nodes must reach consensus on the same value
• Termination: The honest nodes must eventually reach consensus on a certain value

Validity and agreement guarantee the security of the distributed system, that is, the honest nodes will never reach a consensus on a random value, and once the consensus is reached, all honest nodes agree on this value. Termination guarantees the liveness of distributed systems. A distributed system unable to reach consensus is useless.

The CAP theorem and Byzantine Generals Problem

In a semi-synchronous network, is it possible to design a Byzantine fault-tolerant consensus protocol that satisfies validity, agreement, and termination? How many Byzantine nodes can a system tolerate? The CAP theorem and the Byzantine Generals Problem provide answers to these two questions and have thus become the basic guidelines for the design of Byzantine fault-tolerant consensus protocols.

Lamport, Shostak, and Pease abstracted the design of the consensus mechanism in a distributed system in 1982 as the Byzantine Generals Problem, which describes the following situation: several generals each lead an army in the war, and their troops are stationed in different places. The generals must formulate a unified action plan for victory. However, since the camps are far away from each other, they can only communicate with each other through messengers; in other words, they cannot appear in the same place at the same time to reach a consensus. Unfortunately, among the generals there is a traitor or two who intend to undermine the unified actions of the loyal generals by sending wrong information, and the messengers cannot send messages on their own behalf. It is assumed that each messenger can prove that the information he has brought comes from a certain general, just as in a real BFT consensus protocol each node has its own public and private keys to establish an encrypted and authenticated communication channel with every other node, ensuring that its messages cannot be tampered with in transit and that the receiver can verify the sender of the message. As already mentioned, any consensus agreement ultimately reached represents the consensus of the majority.
In the process of generals communicating with each other about an offensive or a retreat, a general makes decisions based on the majority opinion from the information he has collected. According to the research of Lamport et al., if 1/3 or more of the nodes are traitors, the generals cannot reach a unified decision. For example, in the following figure, assume there are 3 generals and only 1 traitor. In the figure on the left, suppose that General C is the traitor, and A and B are loyal. A wants to launch an attack and informs B and C of this intention, yet the traitor C sends a message to B suggesting that what he received from A was a retreat. In this case, B can't decide, as he doesn't know who the traitor is, and the information received is insufficient for him to decide. If instead A is the traitor, he can send different messages to B and C; C then faithfully reports to B the information he received. At this moment, as B receives conflicting information, he cannot make any decision. In both cases B receives the same pair of conflicting messages, so it is impossible for him to tell whether the traitor is A or C. Therefore, in both situations shown in the figure, the honest General B cannot make a choice.

According to this conclusion, when there are $n$ generals with at most $f$ traitors, the generals cannot reach a consensus if $n \leq 3f$; with $n > 3f$, a consensus can be reached. This conclusion also suggests that when the number of Byzantine failures $f$ reaches 1/3 of the total number of nodes $n$ in the system ($f \ge n/3$), no consensus protocol can reach agreement among all honest nodes. Only when $f < n/3$ is consensus possible; without loss of generality, for the subsequent discussion on the consensus protocol, $n \ge 3f + 1$ by default.

The conclusion reached by Lamport et al. on the Byzantine Generals Problem draws a line between the possible and the impossible in the design of Byzantine fault-tolerant consensus protocols. Within the possible range, how should the consensus protocol be designed? Can both the security and liveness of distributed systems be fully guaranteed? Brewer provided the answer in his CAP theorem in 2000. It states that a distributed system wants the following three basic attributes, but any distributed system can only meet two of the three at the same time.
1. Consistency: When any node responds to a request, it must either provide the latest status information or provide no status information
2. Availability: Any node in the system must be able to continue reading and writing
3. Partition Tolerance: The system can tolerate the loss of any number of messages between two nodes and still function normally

[figure]

A distributed system aims to provide consistent services. Therefore, the consistency attribute requires that two nodes in the system cannot provide conflicting status information or expired information, which ensures the security of the distributed system. The availability attribute ensures that the system can continuously update its status and guarantees the availability of the distributed system. The partition tolerance attribute is related to network communication delay; under the semi-synchronous network model, it corresponds to the period before GST, when the network is asynchronous with an unknown delay in network communication. In this condition, communicating nodes may not receive information from each other, and the network is thus considered to be in a partitioned status. Partition tolerance requires the distributed system to function normally even under network partitions. The proof of the CAP theorem can be demonstrated with the following diagram.
The curve represents the network partition, and each network has four nodes, distinguished by the numbers 1, 2, 3, and 4. The distributed system stores color information, and the status information stored by all nodes is blue at first.
1. Partition tolerance and availability mean the loss of consistency: When node 1 receives a new request in the leftmost image, its status changes to red, the status transition information of node 1 is passed to node 3, and node 3 also updates its status information to red. However, since node 2 and node 4 did not receive the corresponding information due to the network partition, their status information is still blue. At this moment, if the status information is queried through node 2, the blue returned by node 2 is not the latest status of the system, thus losing consistency.
2. Partition tolerance and consistency mean the loss of availability: In the middle figure, the initial status information of all nodes is blue. When node 1 and node 3 update the status information to red, node 2 and node 4 keep the outdated information (blue) due to the network partition. When querying status information through node 2, node 2 needs to first ask other nodes to make sure it holds the latest status before returning status information, because it must follow consistency; but because of the network partition, node 2 cannot receive any information from node 1 or node 3. Node 2 therefore cannot determine whether it holds the latest status, so it chooses not to return any information, thus depriving the system of availability.
3. Consistency and availability mean the loss of partition tolerance: In the right-most figure, the system does not have a network partition at first, and both status updates and queries go smoothly. However, once a network partition occurs, it degenerates into one of the previous two conditions.
It is thus proved that a distributed system cannot have consistency, availability, and partition tolerance all at the same time.

[figure: CAP theorem proof on a four-node network]

The discovery of the CAP theorem seems to declare that the aforementioned goals of the consensus protocol are impossible. However, if you look carefully, you may find from the above that those are all extreme cases, such as network partitions that cause the failure of information transmission, which could be rare, especially in a P2P network. In the second case, a real system rarely behaves like node 2 and returns nothing; the general practice is to query other nodes and, after a while, return the latest status it believes in, regardless of whether it has received replies from the other nodes. Therefore, although the CAP theorem points out that no distributed system can satisfy the three attributes at the same time, it is not a binary choice, as the designer of the consensus protocol can weigh up all three attributes according to the needs of the distributed system. However, as communication delay is always involved in a distributed system, one always needs to choose between availability and consistency while ensuring a certain degree of partition tolerance. Specifically, in the second case, it is about the value that node 2 returns: a possibly outdated value or no value. Returning the possibly outdated value may violate consistency but guarantees availability; returning no value deprives the system of availability but guarantees its consistency. The Tendermint consensus protocol introduced later chooses consistency in this trade-off. In other words, it will lose availability in some cases.
The genius of Satoshi Nakamoto is that, within the constraints of the CAP theorem, he managed to reach a reliable Byzantine consensus in a distributed network by combining the PoW mechanism, the Satoshi Nakamoto consensus, and economic incentives with appropriate parameter configuration. Whether Bitcoin's mechanism design solves the Byzantine Generals Problem has remained a dispute among academics. Garay, Kiayias, and Leonardos analyzed the link between Bitcoin's mechanism design and Byzantine consensus in detail in their paper The Bitcoin Backbone Protocol: Analysis and Applications. In simple terms, the Satoshi Consensus is a probabilistic Byzantine fault-tolerant consensus protocol that depends on such conditions as the network communication environment and the proportion of the malicious nodes' hashrate. When the proportion of the malicious nodes' hashrate does not exceed 1/2 in a good network communication environment, the Satoshi Consensus can reliably solve the Byzantine consensus problem in a distributed environment. However, when the environment turns bad, even with the proportion within 1/2, the Satoshi Consensus may still fail to reach a reliable conclusion on the Byzantine consensus problem. It is worth noting that the quality of the network environment is relative to Bitcoin's block interval. The 10-minute block generation interval of Bitcoin ensures that the system is in a good network communication environment in most cases, given that the broadcast time of a block in the distributed network is usually just several seconds. In addition, economic incentives motivate most nodes to actively comply with the protocol. It is thus considered that with the current Bitcoin network parameter configuration and mechanism design, Bitcoin has reliably solved the Byzantine consensus problem in the current network environment.
Practical Byzantine Fault Tolerance, PBFT

It is not an easy task to design a Byzantine fault-tolerant consensus protocol in a semi-synchronous network. The first practically usable Byzantine fault-tolerant consensus protocol is Practical Byzantine Fault Tolerance (PBFT), designed by Castro and Liskov in 1999, the first of its kind with polynomial complexity. For a distributed system with $n$ nodes, the communication complexity is $O(n^2)$. Castro and Liskov showed in the paper that by transforming a centralized file system into a distributed one using the PBFT protocol, the overall performance was only slowed down by 3%. In this section we briefly introduce the PBFT protocol, paving the way for further detailed explanations of the Tendermint protocol and its improvements.

The PBFT protocol with $n = 3f + 1$ nodes can tolerate up to $f$ Byzantine nodes. In the original PBFT paper, full connection is required among all $n$ nodes, that is, any two of the $n$ nodes must be connected. All nodes of the network jointly maintain the system status through network communication. Whereas in the Bitcoin network a node can join or leave the consensus process through hashrate mining at any time, PBFT's participants are managed by an administrator, and the PBFT protocol needs to determine all participating nodes before the protocol starts. All nodes in the PBFT protocol are divided into two categories: master nodes and slave nodes. There is only one master node at any time, and all nodes take turns being the master node. All nodes run in a rotation process called a View, in each of which the master node is reelected. The master node selection algorithm in PBFT is very simple: all nodes become the master node in turn by index number. In each view, all nodes try to reach a consensus on the system status. It is worth mentioning that in the PBFT protocol, each node has its own digital signature key pair. All sent messages (including request messages from the client) need to be signed to ensure the integrity of the message in the network and the traceability of the message itself (you can determine who sent a message based on the digital signature).

The following figure shows the basic flow of the PBFT consensus protocol. Assume that the current view's master node is node 0. Client C initiates a request to master node 0. After the master node receives the request, it broadcasts the request to all slave nodes, which process the request of client C and return the result to the client. After the client receives f+1 identical results from different nodes (based on the signature value), the result can be taken as the final result of the entire operation. Since the system can have at most f Byzantine nodes, at least one of the f+1 results received by the client comes from an honest node, and the security of the consensus protocol guarantees that all honest nodes reach consensus on the same status. So, the feedback from 1 honest node is enough to confirm that the corresponding request has been processed by the system.

[figure: basic flow of the PBFT consensus protocol]

For the status synchronization of all honest nodes, the PBFT protocol has two constraints on each node: on one hand, all nodes must start from the same status, and on the other, the status transition of all nodes must be deterministic, that is, given the same status and request, the results after the operation must be the same. Under these two constraints, as long as the entire system agrees on the processing order of all transactions, the status of all honest nodes will be consistent. This is also the main purpose of the PBFT protocol: to reach a consensus on the order of transactions between all nodes, thereby ensuring the security of the entire distributed system.
In terms of availability, the PBFT consensus protocol relies on a timeout mechanism to find anomalies in the consensus process and start the View Change protocol in time to try to reach a consensus again.

The figure above shows a simplified workflow of the PBFT protocol, where C is the client and 0, 1, 2, and 3 represent the 4 nodes. Specifically, 0 is the master node of the current view, 1, 2, 3 are slave nodes, and node 3 is faulty. Under normal circumstances, the PBFT consensus protocol reaches consensus on the order of transactions between nodes through a three-phase protocol. These three phases are respectively Pre-Prepare, Prepare, and Commit:
• In the pre-prepare phase, the master node is responsible for assigning a sequence number to the received client request and broadcasting the PRE-PREPARE message to the slave nodes. The message contains the hash value d of the client request, the sequence number v of the current view, the sequence number n assigned by the master node to the request, and the signature sig of the master node. The scheme design of the PBFT protocol separates request transmission from the request sequencing process, and request transmission is not discussed here. A slave node that receives the message accepts it after confirming the message is legitimate and enters the prepare phase. The checks in this step cover the basic signature, hash value, current view and, most importantly, whether the master node has already given the same sequence number to another request from the client in the current view.
• In the prepare phase, the slave node broadcasts a PREPARE message to all nodes (including itself), indicating that it assigns the sequence number n to the client request with hash value d under the current view v, with its signature sig as proof. A node receiving the message checks the correctness of the signature, the matching of the view and sequence number, etc., and accepts the legitimate message. When the PRE-PREPARE message about a client request (from the master node) received by a node matches PREPARE messages from 2f slave nodes, the system has agreed on the sequence number of the client request in the current view. This means that 2f+1 nodes in the current view agree with the request sequence number. Since it contains information from at most f malicious nodes, at least f+1 honest nodes have agreed with the allocation of the request sequence number. With f malicious nodes there are a total of 2f+1 honest nodes, so f+1 represents the majority of the honest nodes, which is the consensus of the majority mentioned before.
• After a node (whether the master node or a slave node) has received the PRE-PREPARE message for the client request and 2f PREPARE messages, it broadcasts a COMMIT message across the network and enters the commit phase. This message indicates that the node has observed that the whole network has reached a consensus on the sequence number allocation of the request message from the client. When the node receives 2f+1 COMMIT messages, at least f+1 of them come from honest nodes, that is, most of the honest nodes have observed that the entire network has reached consensus on the sequence number of the client's request message. The node can then process the client request and return the execution result to the client.

Roughly speaking, in the pre-prepare phase, the master node assigns a sequence number to every new client request. During prepare, all nodes reach consensus on the client request's sequence number in this view, while in commit the consistency of the request's sequence number across different views is guaranteed. In addition, the design of the PBFT protocol itself does not require the request messages to be committed in the order of the assigned sequence numbers; they may be committed out of order, which can improve the efficiency of the implementation of the consensus protocol.
Yet, the messages are still processed by the sequence number assigned by the consensus protocol, for the consistency of the distributed system.

In the three-phase protocol execution of the PBFT protocol, in addition to maintaining the status information of the distributed system, the node itself also needs to log all kinds of consensus information it receives. The gradual accumulation of logs will consume considerable system resources. Therefore, the PBFT protocol additionally defines checkpoints to help the node deal with garbage collection. You can set a checkpoint every 100 or 1000 sequence numbers according to the request sequence number. After the client request at the checkpoint is executed, the node broadcasts CHECKPOINT messages throughout the network, indicating that after the node executes the client request with sequence number n, the hash value of the system status is d, and it is vouched for by its own signature sig. After 2f+1 matching CHECKPOINT messages (one of which can come from the node itself) are received, most of the honest nodes in the entire network have reached a consensus on the system status after the execution of the client request with the sequence number n, and then you can clear all relevant log records of client requests with the sequence number less than n. The node needs to save these 2f+1 CHECKPOINT messages as proof of the legitimate status at this moment, and the corresponding checkpoint is called a stable checkpoint.

The three-phase protocol of the PBFT protocol can ensure the consistency of the processing order of the client requests, and the checkpoint mechanism is set to help nodes perform garbage collection and further ensures the status consistency of the distributed system; both of these guarantee the security of the distributed system as aforementioned. How is the availability of the distributed system guaranteed?
In the semi-synchronous network model, a timeout mechanism is usually introduced, which is related to delays in the network environment. It is assumed that the network delay has a known upper bound after GST. In such a condition, an initial value is usually set according to the network condition of the system deployed. In case of a timeout event, besides the corresponding processing flow being triggered, additional mechanisms will be activated to readjust the waiting time. For example, an algorithm like TCP's exponential back-off can be adopted to adjust the waiting time after a timeout event. To ensure the availability of the system in the PBFT protocol, a timeout mechanism is also introduced.

In addition, due to the potential for Byzantine failure in the master node itself, the PBFT protocol also needs to ensure the security and availability of the system in this case. When a Byzantine failure occurs in the master node, for example, when the slave node does not receive the PRE-PREPARE message from the master node within the time window, or the PRE-PREPARE message sent by the master node is determined to be illegitimate, the slave node can broadcast a VIEWCHANGE message to the entire network, indicating that the node requests to switch to the new view with sequence number v+1. Here n indicates the request sequence number corresponding to the latest stable checkpoint local to the node, and C is the proof of that stable checkpoint: the 2f+1 legitimate CHECKPOINT messages as aforementioned. After the latest stable checkpoint and before initiating the VIEWCHANGE message, the system may have reached a consensus on the sequence numbers of some request messages in the previous view. To ensure the consistency of these request sequence numbers in the view being switched to, the VIEWCHANGE message needs to carry this kind of information to the new view, which is also the meaning of the P field in the message.
P contains all the client request messages collected at the node with a request sequence number greater than n and the proof that a consensus has been reached on the sequence number at the node: the legitimate PRE-PREPARE message of the request and 2f matching PREPARE messages. When the master node in view v+1 collects 2f+1 VIEWCHANGE messages, it can broadcast the NEW-VIEW message and take the entire system into a new view. For the security of the system in combination with the three-phase protocol of the PBFT protocol, the construction rules of the NEW-VIEW information are designed in a quite complicated way. You can refer to the original paper of PBFT for more details.

https://preview.redd.it/x5efdc908m851.png?width=1400&format=png&auto=webp&s=97b4fd879d0ec668ee0990ea4cadf476167a2948

VIEWCHANGE contains a lot of information. For example, C contains 2f+1 signatures, P contains several signature sets, and each set has 2f+1 signatures. At least 2f+1 nodes need to send a VIEWCHANGE message before prompting the system to enter the next new view, and that means, in addition to the complex logic of constructing the VIEWCHANGE and NEW-VIEW information, the communication complexity of the view change protocol is O(n²). Such complexity also limits the PBFT protocol to supporting only a few nodes, and when there are 100 nodes, it is usually too complex to practically deploy PBFT. It is worth noting that in some materials the communication complexity of the PBFT protocol is inappropriately attributed to the full connection between n nodes. By changing the fully connected network topology to the P2P network topology based on distributed hash tables commonly used in blockchain projects, the high communication complexity caused by full connection can be conveniently solved; yet still, it is difficult to improve the communication complexity during the view change process.
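As an added example, not code from the post above (which describes the protocol only in prose), here is a toy replica-side bookkeeping model of the predicates the post walks through: accepting a PRE-PREPARE only from the view's primary and only if it has not already bound a different request to the same (v, n); the prepared predicate (PRE-PREPARE plus 2f matching PREPAREs from distinct backups); committed-local (prepared plus 2f+1 COMMITs); stabilising a checkpoint on 2f+1 matching CHECKPOINT messages and garbage-collecting the log below it; and the P set a replica carries in its VIEWCHANGE. Message transport, real signatures and NEW-VIEW construction are out of scope (sender ids stand in for signatures), and the scenario in `run_scenario` (n = 4, f = 1, primary 0, replica 3 faulty) is constructed to mirror the post's figure.

```python
"""Simplified PBFT replica bookkeeping: quorum predicates, checkpoints and the
view-change P set. Added illustration, not code from the post; sender ids stand
in for signatures and the PBFT paper's GC rule (discard entries with
sequence number <= the stable checkpoint) is used."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Replica:
    me: int
    n: int                                  # total replicas, n = 3f + 1
    view: int = 0
    # (view, seq) -> digest bound by the primary's PRE-PREPARE
    pre_prepared: dict = field(default_factory=dict)
    # (view, seq, digest) -> ids of replicas whose PREPARE / COMMIT we hold
    prepares: dict = field(default_factory=lambda: defaultdict(set))
    commits: dict = field(default_factory=lambda: defaultdict(set))
    # seq -> state digest -> ids of replicas whose CHECKPOINT we hold
    checkpoints: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(set)))
    stable_seq: int = 0
    stable_proof: set = field(default_factory=set)

    @property
    def f(self):
        return (self.n - 1) // 3

    def primary(self, view):
        return view % self.n

    def on_pre_prepare(self, sender, view, seq, digest):
        """Accept <PRE-PREPARE, v, n, d> only from the current primary, for a
        sequence number not yet garbage-collected, and only if no different
        digest was already bound to (v, n): an equivocating primary is rejected."""
        if view != self.view or sender != self.primary(view):
            return False
        if seq <= self.stable_seq:
            return False
        bound = self.pre_prepared.get((view, seq))
        if bound is not None and bound != digest:
            return False
        self.pre_prepared[(view, seq)] = digest
        return True

    def on_prepare(self, sender, view, seq, digest):
        if view != self.view:
            return False
        self.prepares[(view, seq, digest)].add(sender)
        return True

    def prepared(self, view, seq, digest):
        """PRE-PREPARE plus 2f matching PREPAREs from distinct backups
        (the primary's PRE-PREPARE counts as its own PREPARE)."""
        if self.pre_prepared.get((view, seq)) != digest:
            return False
        backups = self.prepares[(view, seq, digest)] - {self.primary(view)}
        return len(backups) >= 2 * self.f

    def on_commit(self, sender, view, seq, digest):
        self.commits[(view, seq, digest)].add(sender)
        return True

    def committed_local(self, view, seq, digest):
        """prepared plus 2f+1 matching COMMITs: at least f+1 honest replicas
        have seen the whole network agree on this sequence number."""
        return (self.prepared(view, seq, digest)
                and len(self.commits[(view, seq, digest)]) >= 2 * self.f + 1)

    def on_checkpoint(self, sender, seq, state_digest):
        """2f+1 matching <CHECKPOINT, n, d> messages make n a stable checkpoint;
        the 2f+1 messages are kept as proof and older log entries are dropped."""
        senders = self.checkpoints[seq][state_digest]
        senders.add(sender)
        if len(senders) < 2 * self.f + 1 or seq <= self.stable_seq:
            return False
        self.stable_seq, self.stable_proof = seq, set(senders)
        for key in [k for k in self.pre_prepared if k[1] <= seq]:
            del self.pre_prepared[key]
        for log in (self.prepares, self.commits):
            for key in [k for k in log if k[1] <= seq]:
                del log[key]
        return True

    def view_change_P(self):
        """The P field of VIEW-CHANGE: every request above the stable checkpoint
        that this replica has prepared, with its proof (digest + PREPARE senders)."""
        return {seq: (digest, sorted(self.prepares[(v, seq, digest)]))
                for (v, seq), digest in self.pre_prepared.items()
                if seq > self.stable_seq and self.prepared(v, seq, digest)}


def run_scenario():
    """Constructed run: n = 4 (f = 1), we are backup 1, primary 0, replica 3 faulty."""
    r = Replica(me=1, n=4)
    v, seq, d = 0, 1, "d1"
    out = {}
    out["accept_pre_prepare"] = r.on_pre_prepare(0, v, seq, d)
    out["reject_equivocation"] = not r.on_pre_prepare(0, v, seq, "d2")   # same (v, n), other digest
    out["reject_from_backup"] = not r.on_pre_prepare(2, v, seq, d)      # only the primary sequences
    r.on_prepare(1, v, seq, d)                                          # our own PREPARE
    out["prepared_with_1"] = r.prepared(v, seq, d)                      # 1 < 2f
    r.on_prepare(2, v, seq, d)
    out["prepared_with_2"] = r.prepared(v, seq, d)                      # 2f reached
    r.on_prepare(3, v, seq, "d2")                                       # faulty replica alone
    out["evil_not_prepared"] = r.prepared(v, seq, "d2")
    for sender in (0, 1, 2):                                            # 2f+1 COMMITs
        r.on_commit(sender, v, seq, d)
    out["committed"] = r.committed_local(v, seq, d)
    out["P_before_checkpoint"] = sorted(r.view_change_P())
    r.on_checkpoint(1, seq, "state1")
    r.on_checkpoint(2, seq, "state1")
    out["stable_after_2"] = r.stable_seq                                # not yet stable
    r.on_checkpoint(0, seq, "state1")
    out["stable_after_3"] = r.stable_seq                                # stable at seq 1
    out["log_cleared"] = (v, seq) not in r.pre_prepared
    out["P_after_checkpoint"] = sorted(r.view_change_P())
    out["stale_pre_prepare_rejected"] = not r.on_pre_prepare(0, v, seq, "d3")
    return out
```

The quorum arithmetic is the point: with f = 1 a single faulty replica's PREPARE for a different digest never reaches 2f, and two CHECKPOINT messages never reach 2f+1, so neither the order nor the state can be moved by the faulty minority.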
In recent years, researchers have proposed to reduce the amount of communication in this step by adopting an aggregate signature scheme. With this technology, 2f+1 signatures can be compressed into one, thereby reducing the communication volume during view change.

submitted by coinexchain to u/coinexchain [link] [comments]

r/bitcoin

submitted by -the-goat-herder- to btc [link] [comments]

Paid 1 Satoshi tip over LN. Cryptographically secured, instantly.

submitted by Zelgada to Bitcoin [link] [comments]

Re-Launching The Borderless, Unkillable Crypto-Fiat Gateway, DAIHard. Enter or Exit Crypto via Any Fiat and Any Payment Method, Anywhere in the World, Without KYC. All you need is a little Dai.

Some of you might recall our initial facepalm failed launch about 3 months ago (post-mortem here). Well, we're back--this time with an audit and some new features. This version of DAIHard should die a little harder this time ;)

The Audit

After shopping around a bit in the auditor space, we decided to go with Adam Dossa--the very same Adam Dossa that actually found our launch vulnerability and responsibly disclosed it to us! You can see his report here. By the way, Adam has been a gem: friendly, professional, timely, and flexible. Definitely keep him in mind if you need an audit!

(Re)Introducing DAIHard

Following is an updated version of our original launch post. If you've already read that, you might want to skip to the heading What's New in v0.9.2. Or you can go straight to the app or go to our info site for more info!

Here is a legitimate concern most of us are familiar with: To enter or exit the crypto economy, we rely on centralized exchanges such as Coinbase, which track their users, impose limits, and are tightly coupled to their jurisdiction and its banking system. And for all we know, any day now regulations could start tightening these controls further (*we've actually seen some of this play out in the two months since our first launch post).
In light of this, can we say in any meaningful sense that crypto is anonymous, limitless, borderless, immune to regulation, and (most importantly) unstoppable?

To really address this concern, we need a completely decentralized gateway between fiat and crypto: something that extends the benefits of crypto to the very act of moving between the old and new economies. But the design of such a platform is far from obvious. (Localethereum comes close, but as discussed under Unkillable, it doesn't quite cut it. And Bisq is decentralized, but has significant UX hurdles.)

We believe we've found a solution. We are proud to present:

DAIHard v0.9.2 - Almost Definitely Not Broken This Time

If you want to jump right in, we recommend first watching our latest usage demo (7 min), then diving in and giving it a shot with a small amount of Dai. (Try it on Kovan first if mainnet is too scary!)

DAIHard extends many of the promises of crypto (borderless, anonymous, limitless, unstoppable) into the exchange mechanism itself, allowing anyone, anywhere to bypass centralized exchanges and the control they impose. More concretely, DAIHard is a platform, run on smart contracts, for forming one-off crypto/fiat exchanges with other users, in which:

• The method of fiat transfer is open-ended, but agreed upon up-front (for example: bank transfer, cash handoff, transfer of online credit, cash drop...).
• You and the counterparty can communicate via end-to-end encrypted chat to coordinate the fiat transfer (i.e. communicate bank account number or reveal a cash drop location).
• Crucially, in the last phase, the Seller can choose to burn the Dai instead of releasing it to the Buyer (but he can't get it back). This credible threat of burn is what makes the platform reliable in the absence of a centralized group of arbitrators or moderators. For more on this see the DAIHard Game Theory medium article (10 min read).

Again, our latest usage demo (7 min) shows this process in action.
Two drawbacks

You Need either xDai, or both Dai and Ether, to Use The Tool (At Least For Now)

If you want to buy Dai on DAIHard, you must already have Dai--1/3 of the amount you want to purchase--to put up as a burnable deposit. For example, if you only have 10 Dai now, you can only commit to buying 30 Dai, and must complete that trade before using the newly bought Dai to open up a bigger offer (for up to 120 Dai that time). Most tragically of course, this means that if you don't already have some crypto, you can't use this tool to get crypto--this is why we avoid calling DAIHard an onramp specifically. This comes from the fact that both parties must have "skin in the game" for the game theory to work, and a smart contract can only threaten to burn crypto. We have some ideas on how to address this drawback in the not-too-distant future, which we'll write about soon. For now it's time to launch this thing and get some users!

Dangerous and Scary To Use

In rare cases, a user may have to burn Dai and face a loss on the entire trade amount. The necessity of this ever-present risk is explained in detail in DAIHard Game Theory. However, a cautious, rational user can gather information (possibly via our subreddit!) about how people have used the tool, successfully and unsuccessfully. They can then create a buy or sell offer with wisely chosen settings based on what has worked for others. Other cautious, rational users can find this offer and commit to the trade if they dare. We expect the vast majority of committed trades should involve rational, cautious users, and should therefore resolve happily. Still, inevitably there will be sloppy trades that result in burns. As the tool is used, we'll be keeping a close eye on the frequency of burns and keeping you guys updated (perhaps via a "System Status" utility similar to the one found on MakerDao's explorer).
In the end, though, we expect the risk in using DAIHard to be comparable to the risk of using any exchange or DNM: ever-present but low enough for the platform to be useful as a whole. So, while DAIHard will never shut down and can't perform an exit scam, the bad news is it's not risk-free. Users will have to approach DAIHard with the same level of caution they would with any new exchange (albeit for different reasons and with a different approach). So what's the good news?

The Good News

While these drawbacks are significant, they enable some remarkable features that no other crypto/fiat exchange mechanism can boast.

Unkillable (Correction: Bisq seems to have a decentralized arbitration system)

We are aware of no other crypto/fiat exchange platform that is truly unkillable. Bisq and localethereum come close, but localethereum relies on centralized processes of arbitration. This means their fraud-and-scam-prevention system can be sued, jailed, or otherwise harassed--and if that part stops working, it doesn't matter how decentralized the rest of the system was. DAIHard, in contrast, gives the users the power to police and punish each other, via the aforementioned credible threat of burn. This is simple game theory, and the rules of this game are etched permanently into the DAIHard Factory and Trade contract code: impervious to litigation, regulation, and political pressure. This Factory contract has no owner and no suicide or pause code. It cannot be stopped by us or anyone else. Like Toastycoin, this thing was immortal the moment it was deployed (even more immortal than RadarRelay, for example, which does rely on an ownership role). Both DAIHard and Toastycoin (and probably whatever we build next) will last for as long as a single Ethereum node continues mining, and it will remain easy to use as long as someone can find the HTML/JS front-end and a web3 wallet. (The HTML/JS front-end (built in Elm, by the way, with the lovely elm-ethereum!) is currently hosted on Github pages, which is centralized--but even if Github takes down the page and deletes the code, it's a minor step to get the page hosted on IPFS, something that is on our near-term roadmap in any case.)

No KYC, No Limits

It's smart contracts all the way down, so DAIHard never asks any nosy questions--if you have Metamask or some other web3 wallet installed and set up, with some ETH and Dai (or just xDai), you can immediately open or commit to a trade. You don't even need a username! (In fact, we're so inclusive, even machines are allowed--no CAPTCHA here!) You're limited only by the collateral you put up, so if you have 10,000 Dai you could open up a buy offer for 30,000 Dai (or a sell offer for 10,000 Dai) right now. We do recommend trying the tool out first with a small amount of Dai... But we're not your mom! Do what you want!

Borderless

It simply doesn't matter where you are, because DAIHard doesn't need to interface with any particular jurisdiction or payment system to work. DAIHard works by incentivizing people (or robots?) to navigate the particular real-world hurdles of bank transfers, cash drops, or other fiat transfer methods. These incentives work whether you're in America, Zimbabwe, or the Atlantic; they work whether the fiat is USD, EUR, ZAR, seashells, or Rai Stones; and they work whether your counterparty is a human, an organization, a script, or a particularly intelligent dog with Internet access.

Any Fiat Type, and Highly Customizable

Here are some examples of the types of trades you might create or find on DAIHard.

• Sell 5 xDai for $5 USD, sent via TransferWise.
• Sell 200 Dai for $180 USD, granted they bring the cash to you by tomorrow afternoon in Central Park, NYC.
• Buy 20 Dai with a $30 gift card for Amazon AWS that you were never going to use.
• Sell 20 Dai in exchange for a $20 Steam game.
• While in Vietnam, sell 200 Dai to someone for €180 anytime in the next two weeks, provided they deposit it into your German bank account.
• While in Germany, sell 20 Dai to someone in exchange for them refilling your pre-paid Vietnamese phone plan.
• Buy 30 Dai for 8,000 ZWD, which you deliver anonymously by cash drop in Hume Park, Bulawayo, sometime within the next month. (If there's one place that could use unstoppable access to crypto, it's Zimbabwe, and you don't need to take our word for it.)
• Buy 500 Dai for $550 via PayPal, but wait 3 weeks before the Dai is released (so the PayPal transaction can't be reversed).
As the DAIHard community grows, users will doubtless find much more creative ways to use the system, and we will discover together which types of trades are reliable and which are more risky. Because users can set their own prices and phase timeout settings, we expect the risky trades to charge a premium or have longer time windows, while the reliable ones rapidly multiply at close to a 1:1 price ratio, with quick turnaround times.

Extensible (with profit) by Third Parties

Not satisfied with our interface? Do you have some nifty idea for how to display and organize user reputation? Or maybe some idea for how trades could be chained together? Maybe you'd like to design a notification system for DAIHard? Maybe you just want a different color scheme!
Well, you won't need our permission to do any of this. Any tool that watches the same Factory contract will share the pool of trades, regardless of which tool actually creates the trade. This means we don't even have to fight over network effects!
And if you look closely at our fee structure, you might notice that only half of the 1% DAIHard fee is "hardcoded" into the Factory contract. The other half is set and charged by our interface. What does this mean for you? If you go out and make a better interface, you can essentially replace half of our 1% fee with your own fee--it's up to you whether it's smaller or larger than the replaced 0.5%.
The reason for this is to explicitly welcome other developers to extend what we've built. For as long as our team is the only one improving the platform, a threat to us is a threat to future upgrades. But if others begin extending the DAIHard platform too, then DAIHard will not only be unstoppable as it is today, but also grow unstoppably.

(For Real This Time) This Is a Big Fucking Deal

DAIHard is a turning point in crypto and a breakthrough in decentralized markets, and is an irreversible augmentation of the Ethereum platform.
What we've built is a gateway to crypto completely devoid of centralized components--rendering entry and exit to crypto unkillable, flexible, borderless, and private. Centralized exchanges, and the control they impose, can now be bypassed by anyone with Dai and a web3 wallet.

What's New in v0.9.2

There have been many changes made since our first failed launch, but there are two rather important ones: xDai support and reputation tools.

xDai support

DAIHard is now operational on xDai, a sidechain whose native token (xDai) is pegged to the Dai (and therefore $1). Add the xDai network to your Metamask (or just install Nifty Wallet), then switch to the xDai network in your wallet, to try it out. xDai has some pretty incredible benefits, compared to vanilla Ethereum:
• Price: On xDai, a single DAIHard trade costs on the order of $0.01 to run start-to-finish, rather than the accumulated $2.40 (with the best-case-scenario 1 gwei gas price) you'll spend on vanilla Ethereum.
• Speed: Trade actions mine much faster, and don't require ERC20 'approve' transactions, making the whole process way snappier.
• Gas priced in xDai: the main benefit here is that you only need one token (xDai) rather than two (Dai and Eth). Also, it's just nice having the gas cost expressed in (essentially) USD!

Reputation tools

We now have a few reputation tools. First, on any open trade, there is a widget showing the number of releases, aborts, and burns the given address has been involved in as that role (buyer or seller). Clicking on this expands the widget to show more detailed information, and also provides a link to a page that lists each trade this user has been or is involved in.

What's next?

We have tons of ideas on how to improve the product--too many, in fact, to commit to any before we get a good chunk of user feedback. Here are some of our favorite ideas:

Near-Term, Smaller Features

1. Lots of usability improvements.
2. A "System Status" utility similar to the one found on MakerDao's explorer.
3. Marketplace / My Trades rework.
4. A "QuickTrade" page, offering Trade Templates as an alternative to the current Create Offer page.

Big Exciting Features

1. Bootstrapping people with no DAI via other mechanisms and community outreach.
2. Partial commits to trades. eg. Place a 10,000 DAI trade and allow it to be picked up in blocks larger than 500 DAI at a time.
3. More chains, get this thing working on Bitcoin via Rootstock, on Ethereum Classic and Binance Chain.

Stay Informed!

A lot of the above features will be prioritized more clearly as we get user feedback, and we will be posting fairly frequent updates and articles on our info site. If you don't want to miss anything, note the subscribe widget and sign up!

Technical: The SIGHASH_NOINPUT Debate! Chaperones and output tagging and signature replay oh my!

Bitcoin price isn't moving oh no!!! You know WHAT ELSE isn't moving?? SIGHASH_NOINPUT that's what!!!
Now as you should already know, Decker-Russell-Osuntokun ("eltoo") just ain't possible without SIGHASH_NOINPUT of some kind or other. And Decker-Russell-Osuntokun removes the toxic waste problem (i.e. old backups of your Poon-Dryja LN channels are actively dangerous and could lose your funds if you recover from them, or worse, your most hated enemy could acquire copies of your old state and make you lose funds). Decker-Russell-Osuntokun also allows multiparticipant offchain cryptocurrency update systems, without the drawback of a large unilateral close timeout that Decker-Wattenhofer does, making this construction better for use at the channel factory layer.
Now cdecker already wrote some code implementing SIGHASH_NOINPUT before, which would make it work in current pre-SegWit P2PKH, P2SH, as well as SegWit v0 P2WPKH and P2WSH. He also made and published BIP 118.
But as is usual for Bitcoin Core development, this triggered debate, and thus many counterproposals were made and so on. Suffice it to say that the simple BIP 118 looks like it won't be coming into Bitcoin Core anytime soon (or possibly at all).
First things first: This link contains all that you need to know, but hey, maybe you'll find my take more amusing.

Signature Replay Attack

• SIGHASH_NOINPUT basically means "I am authorizing the spend of any coin of this particular value protected by my key, to be spent to these addresses".
• Of note is that the default SIGHASH_ALL means "I am authorizing the spend of this particular coin of this particular value protected by my key, to be spent to these addresses".
• So suppose you were to engage in address reuse. This is highly discouraged behavior, but people are people, people are lazy, and etc. etc. In practice it happens.
• Now suppose you had two deposits of equal size, in the same address that you have been reusing.
• Now further suppose that for some reason, your wallet signs using SIGHASH_NOINPUT only. luke-jr has even promised to write one when SIGHASH_NOINPUT is implemented, so you don't even need to go search for one, you just pester luke-jr to release it.
• So you got two UTXOs, of equal value, to the same address.
• You spend one UTXO, signing with SIGHASH_NOINPUT, to pay almkglor because he's so awesome at explaining Bitcoin things and deserves to be paid for it.
• almkglor realizes you've used SIGHASH_NOINPUT and that you engaged in address reuse. He writes a new transaction spending your other UTXO of same value and same address, reusing the same signature ("Signature Replay") that was publicly attached to your previous tx. The signature authorizes the spend of any coin protected by that key.
• Since luke-jr is strongly against address reuse, he will just LOL at you for doing address reuse with his wallet software and mark your bugreports with wontfix, gendopose, allaccordingtothescenario.
The above is the Signature Replay Attack, and the reason why SIGHASH_NOINPUT has triggered debate as to whether it is safe at all and whether we can add enough stuff to it to ever make it safe.
Now of course you could point to SIGHASH_NONE which is even worse because all it does is say "I am authorizing the spend of this particular coin of this particular value protected by my key" without any further restrictions like which outputs it goes to. But then SIGHASH_NONE is intended to be used to sacrifice your money to the miners, for example if it's a dust attack trying to get you to spend, so you broadcast a SIGHASH_NONE signature and some enterprising miner will go get a bunch of such SIGHASH_NONE signatures and gather up the dust in a transaction that pays to nobody and gets all the funds as fees. And besides; even if we already have something you could do stupid things with, it's not a justification for adding more things you could do stupid things with.
So yes, SIGHASH_NOINPUT makes Bitcoin more powerful. Now, Bitcoin is a strong believer in "Principle of Least Power". So adding more power to Bitcoin via SIGHASH_NOINPUT is a violation of Principle of Least Power, at least to those arguing to add even more limits to SIGHASH_NOINPUT.
I believe nullc is one of those who strongly urges for adding more limits to SIGHASH_NOINPUT, because it distracts him from taking pictures of his autonomous non-human neighbor, a rather handsome gray fox, but also because it could be used as the excuse for the next MtGox, where a large exchange inadvertently pays to SIGHASH_NOINPUT-using addresses and becomes liable/loses track of their funds when signature replay happens.

Output Tagging

Making SIGHASH_NOINPUT safer by not allowing normal addresses use it.
Basically, we have 32 different SegWit versions. The current SegWit addresses are v0, the next version (v1) is likely to be the Schnorr+Taproot+MAST thing.
What output tagging proposes is to limit SegWit version ranges from 0->15 in the bech32 address scheme (instead of 0->31 it currently has). Versions 16 to 31 are then not valid bech32 SegWit addresses and exchanges shouldn't pay to it.
Then, we allow the use of SIGHASH_NOINPUT only for version 16. Version 16 might very well be Schnorr+Taproot+MAST, with a side serving of SIGHASH_NOINPUT.
This is basically output tagging. SIGHASH_NOINPUT can only be used if the output is tagged (by paying to version 16 SegWit) to allow it, and addresses do not allow outputs to be tagged as such, removing the potential liability of large custodial services like exchanges.
Now, Decker-Russell-Osuntokun channels have two options:
• Make the funding txo pay to a version 16 SegWit.
• Make the funding txo pay to a version 0/1 SegWit.
The tradeoffs in this case are:
• If the funding txo pays to a version 16 SegWit, then anyone analyzing the blockchain can point at a version 16 SegWit txo and conclude it was used for the Lightning Network, because seriously, there's little other use for SIGHASH_NOINPUT other than that (well there's certain limited kinds of vault-like constructions, but for the most part, the balance of probability will be that it's a LN channel).
• Of note is that even non-published channels will likely be trackable via the funding txo paying to version 16 SegWit, which is published onchain.
• Also, current already-closed published Poon-Dryja channels, that are closed by mutual close instead of unilateral, are indistinguishable onchain from ordinary spends. Trackers that want to keep track of Lightning usage need to store the information themselves, about such published channels that have been closed; the LN won't store it for them, so that at least moves the burden of storing that information to the surveillors, and fuck them anyway.
• If the funding txo pays to a version 0/1 SegWit, then in the unilateral case we need to have an additional transaction that takes the funding txo and pays to a version 16 SegWit. This adds more overhead in the unilateral close case, and unilateral close in Decker-Russell-Osuntokun already needs two txes (an update and settlement tx); this adds one more tx, a "converter" from version 0/1 SegWit to version 16 SegWit.
• This leaves mutual closes indistinguishable from ordinary spends onchain. Unilateral closes are still obvious, but even today in the Poon-Dryja world unilateral closes are plenty darn obvious (very specific SCRIPT templates are used).
The latter tradeoff is probably what would be taken (because we're willing to pay for privacy) if Bitcoin Core decides in favor of tagged outputs.
Another issue here is --- oops, P2SH-Segwit wrapped addresses. P2SH can be used to wrap any SegWit payment script, including payments to any SegWit version, including v16. So now you can sneak in a SIGHASH_NOINPUT-enabled SegWit v16 inside an ordinary P2SH that wraps a SegWit payment. One easy way to close this is just to disallow P2SH-SegWit from being valid if it's spending to SegWit version >= 16.

Chaperone Signatures

Closing the Signature Replay Attack by adding a chaperone.
Now we can observe that the Signature Replay Attack is possible because only one signature is needed, and that signature allows any coin of appropriate value to be spent.
Adding a chaperone signature simply means requiring that the SCRIPT involved have at least two OP_CHECKSIG operations. If one signature is SIGHASH_NOINPUT, then at least one other signature (the chaperone) validated by the SCRIPT should be SIGHASH_ALL.
This is not so onerous for Decker-Russell-Osuntokun. Both sides can use a MuSig of their keys, to be used for the SIGHASH_NOINPUT signature (so requires both of them to agree on a particular update), then use a shared ECDH key, to be used for the SIGHASH_ALL signature (allows either of them to publish the unilateral close once the update has been agreed upon).
Of course, the simplest thing to do would be for a BOLT spec to say "just use this spec-defined private key k so we can sidestep the Chaperone Signatures thing". That removes the need to coordinate to define a shared ECDH key during channel establishment: just use the spec-indicated key, which is shared to all LN implementations.
But now look at what we've done! We've subverted the supposed solution of Chaperone Signatures, making them effectively not there, because it's just much easier for everyone to use a standard private key for the chaperone signature than to derive a separate new keypair for the Chaperone.
So chaperone signatures aren't much better than just doing SIGHASH_NOINPUT by itself, and you might as well just use SIGHASH_NOINPUT without adding chaperones.
I believe ajtowns is the primary proponent of this proposal.

Toys for the Big Boys

The Signature Replay Attack is Not A Problem (TM).
This position is most strongly held by RustyReddit I believe (he's the Rusty Russell in the Decker-Russell-Osuntokun). As I understand it, he is more willing to not see SIGHASH_NOINPUT enabled, than to have it enabled but with restrictions like Output Tagging or Chaperone Signatures.
Basically, the idea is: don't use SIGHASH_NOINPUT for normal wallets, in much the same way you don't use SIGHASH_NONE for normal wallets. If you want to do address reuse, don't use wallet software made by luke-jr that specifically screws with your ability to do address reuse.
SIGHASH_NOINPUT is a flag for use by responsible, mutually-consenting adults who want to settle down some satoshis and form a channel together. It is not something that immature youngsters should be playing around with, not until they find a channel counterparty that will treat this responsibility properly. And if those immature youngsters playing with their SIGHASH_NOINPUT flags get into trouble and, you know, lose their funds (as fooling around with SIGHASH_NOINPUT is wont to do), well, they need counseling and advice ("not your keys not your coins", "hodl", "SIGHASH_NOINPUT is not a toy, but something special, reserved for those willing to take on the responsibility of making channels according to the words of Decker-Russell-Osuntokun"...).

Conclusion

Dunno yet. It's still being debated! So yeah. SIGHASH_NOINPUT isn't moving, just like Bitcoin's price!!! YAAAAAAAAAAAAAAAAAAA.
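The replay attack and the chaperone objection from the post above, as an added example that is not part of the post: a toy model with a pure-Python secp256k1 ECDSA and a simplified sighash whose only fidelity to Bitcoin is which fields each flag commits to (SIGHASH_ALL binds the outpoint, value, script and outputs; the NOINPUT-style digest binds the same minus the outpoint). This is not Bitcoin's real serialisation, the flag byte values do not follow BIP 118's encoding, and every key, txid, value and address is constructed. It shows that a SIGHASH_ALL signature over coin A fails on coin B because the digest bound the outpoint, that the NOINPUT-style signature verifies on any coin with the same value and script (and still fails on a coin of a different value), and that a chaperone SIGHASH_ALL signature blocks the replay only while the chaperone key is secret: with a spec-wide constant chaperone key, as the post argues, the attacker simply signs the chaperone part himself.

```python
"""Toy model of NOINPUT signature replay and chaperone signatures.

Added example, not code from the post. Pure-Python secp256k1 ECDSA plus a
simplified sighash whose only fidelity to Bitcoin is WHICH fields each flag
commits to (ALL: outpoint, value, script, outputs; NOINPUT: the same minus the
outpoint). Flag values, keys, txids and addresses are all constructed here."""
import hashlib
import hmac

P = 2**256 - 2**32 - 977                        # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SIGHASH_ALL, SIGHASH_NOINPUT = 0x01, 0x41       # illustrative flag values only


def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r


def sign(priv, digest):
    """ECDSA; nonce = HMAC(priv, digest), a deterministic stand-in for RFC 6979."""
    z = int.from_bytes(digest, "big")
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * priv) % N


def verify(pub, digest, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(digest, "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def sighash(tx, index, flag):
    """What the signature commits to: only SIGHASH_ALL binds the outpoint."""
    inp = tx["inputs"][index]
    h = hashlib.sha256()
    if flag == SIGHASH_ALL:
        h.update(bytes.fromhex(inp["txid"]) + inp["vout"].to_bytes(4, "little"))
    h.update(inp["value"].to_bytes(8, "little") + inp["script"].encode())
    for out in tx["outputs"]:
        h.update(out["value"].to_bytes(8, "little") + out["address"].encode())
    h.update(bytes([flag]))
    return h.digest()


def spend_ok(tx, index, witnesses):
    """Toy chaperoned script: every (sig, flag, pub) must verify, and the last
    witness, the chaperone, must be a SIGHASH_ALL signature."""
    if witnesses[-1][1] != SIGHASH_ALL:
        return False
    return all(verify(pub, sighash(tx, index, flag), sig) for sig, flag, pub in witnesses)


def _key(label):
    """Constructed demo private key derived from a label (never for real funds)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N


def run_scenario():
    alice = _key(b"alice reuses addresses")
    alice_pub = _mul(alice, G)
    script = "p2wpkh(alice)"                                        # the reused address
    coin_a = {"txid": "aa" * 32, "vout": 0, "value": 100_000, "script": script}
    coin_b = {"txid": "bb" * 32, "vout": 1, "value": 100_000, "script": script}  # same value
    coin_c = {"txid": "cc" * 32, "vout": 0, "value": 50_000, "script": script}   # other value
    outs = [{"value": 99_000, "address": "pay-almkglor"}]
    tx1 = {"inputs": [coin_a], "outputs": outs}     # Alice's honest spend
    tx2 = {"inputs": [coin_b], "outputs": outs}     # attacker replays onto the twin coin
    tx3 = {"inputs": [coin_c], "outputs": outs}     # replay onto a different value
    res = {}
    for name, flag in (("all", SIGHASH_ALL), ("noinput", SIGHASH_NOINPUT)):
        sig = sign(alice, sighash(tx1, 0, flag))
        res[name + "_original"] = verify(alice_pub, sighash(tx1, 0, flag), sig)
        res[name + "_replay"] = verify(alice_pub, sighash(tx2, 0, flag), sig)
        res[name + "_replay_other_value"] = verify(alice_pub, sighash(tx3, 0, flag), sig)

    # Chaperone: the script also demands a SIGHASH_ALL signature from a second key.
    noinput_sig = sign(alice, sighash(tx1, 0, SIGHASH_NOINPUT))
    chap = _key(b"chaperone key only the channel parties know")
    chap_sig = sign(chap, sighash(tx1, 0, SIGHASH_ALL))
    # Replaying both tx1 signatures onto tx2 fails: the chaperone digest bound coin A.
    res["chaperone_secret_replay"] = spend_ok(tx2, 0, [
        (noinput_sig, SIGHASH_NOINPUT, alice_pub), (chap_sig, SIGHASH_ALL, _mul(chap, G))])
    # The post's objection: a spec-wide constant chaperone key lets the attacker
    # mint a fresh SIGHASH_ALL chaperone signature for tx2 himself.
    spec_k = _key(b"spec-defined chaperone key everyone knows")
    res["chaperone_spec_key_replay"] = spend_ok(tx2, 0, [
        (noinput_sig, SIGHASH_NOINPUT, alice_pub),
        (sign(spec_k, sighash(tx2, 0, SIGHASH_ALL)), SIGHASH_ALL, _mul(spec_k, G))])
    return res
```

The model makes the debate concrete: the replay needs nothing but a public signature and a second coin with matching value and script, which is exactly what address reuse hands an attacker, and the chaperone only helps if its key is not something every implementation shares.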