1. A Segwit Coin is not a Bitcoin
1 July 2017
Peter Rizun
2. “Cryptocurrency is more theology than science”
Skepticism         Fanaticism
Alan Turing        Medieval theologist
Null hypothesis    Divine scriptures
3. “Cryptocurrency is more theology than science”
III
Thou shalt download code
from only the bitcoin core
repo, for only it is divine
IV
Thou shalt mine no block
larger than the holy
number of 1 MB
Passage from the Book of Blockstream/Core
4. What rules do I consider unchallengeable?
I
Bitcoin can move from place to place
but cannot be created ex nihilo
II
In order for a bitcoin to move, the
transfer must be authorized by the
owner’s digital signature
5. What rules do I consider unchallengeable?
I (physical property rule)
Bitcoin can move from place to place
but cannot be created ex nihilo
II (private property rule)
In order for a bitcoin to move, the
transfer must be authorized by the
owner’s digital signature
With Bitcoin, both rules are on an equal footing; with Segwit, the private
property rule is subordinate to the physical property rule.
Manifestations of our ideologies
All rules could be seen as fanatical
Debate will not be settled by science
6. A Segwit Coin is not a Bitcoin
Claims:
1. Segwit coins have a different definition than bitcoins, which gives
them different properties.
2. Unlike with bitcoins, miners can update their UTXO sets without
witnessing the previous owners’ digital signatures.
3. The previous owners’ digital signatures have significantly less
value to a miner for segwit coins than for bitcoins because miners
do not require them in order to claim fees.
4. Although a stable Nash equilibrium exists where all miners witness
the previous owners’ digital signatures for bitcoins, one does NOT
exist for segwit coins.
5. Segwit coins have a weaker security model than bitcoins.
7. Simplifying Assumptions
• Miners are rational short-term profit-maximizing agents
• No miner will knowingly be complicit in fraud
• I.e., no miner will mine directly on top of a block that he knows to
contain a fraudulent transfer
8. A Segwit Coin is not a Bitcoin: talk outline
1. Segwit coins have a different definition than bitcoins, which gives
them different properties.
2. Unlike with bitcoins, miners can update their UTXO sets without
witnessing the previous owners’ digital signatures.
3. The previous owners’ digital signatures have significantly less
value to a miner for segwit coins than for bitcoins because miners
do not require them in order to claim fees.
4. Although a stable Nash equilibrium exists where all miners witness
the previous owners’ digital signatures for bitcoins, one does NOT
exist for segwit coins.
5. Segwit coins have a weaker private-property model than bitcoins.
9. What is the definition of a bitcoin?
Good place
to look
10. What is the definition of a bitcoin?
Find it on page 2
18. How is a Segwit coin different?
A bitcoin: signatures are an integral part of the chain
A segwit coin: signatures are outside of the chain
19. How is a Segwit coin different?
[Figure panels: A bitcoin | A segwit coin]
A bitcoin is a chain of digital signatures while a segwit coin is not
How does this change the coin’s properties?
21. Transferring Ownership
Without Witnessing the
Signatures
• Each node maintains a ledger of
which coins belong to which entities
(UTXO set)
• Upon receiving a new block, miner
parses transactions, removing spent
outputs from his UTXO set and
adding newly-created outputs
• For bitcoins, since outputs are
identified by hash, miner cannot
update his UTXO set without
witnessing the signatures that
authorize the transfer
• For segwit coins, miners can update
their UTXO set
Hash Public key
A46E Alice’s
58F1 David’s
88CE Ethyl's
UTXO set
23. Transferring Ownership
Without Witnessing the
Signatures
Hash Public key
A46E Alice’s
58F1 David’s
88CE Ethyl's
B56A Bob’s
UTXO set
B56A
Must witness signature for bitcoins
24. Transferring Ownership
Without Witnessing the
Signatures
Hash Public key
A46E Alice’s
58F1 David’s
88CE Ethyl's
F31A Bob’s
UTXO set
F31A
Witnessing signature is not necessary for segwit coins
Not part of hash
• Each node maintains a ledger of
which coins belong to which entities
(UTXO set)
• Upon receiving a new block, miner
parses transactions, removing spent
outputs from his UTXO set and
adding newly-created outputs
• For bitcoins, since outputs are
identified by hash, miner cannot
update his UTXO set without
witnessing the signatures that
authorize the transfer
• For segwit coins, this does not hold
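A toy model of the bookkeeping step on slides 21 to 24, added here as an example; it is not code from the talk or from any Bitcoin implementation. The `repr`-based serialization, the `Tx` class and the `apply_tx` and `demo` helpers are assumptions for illustration; the point carried over from real transactions is only that a legacy txid hashes the signatures while a segwit txid does not.

```python
import hashlib
from dataclasses import dataclass


def dsha(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin uses for transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


@dataclass(frozen=True)
class Tx:
    spends: tuple      # outpoints consumed: ((txid, index), ...)
    pays_to: tuple     # public keys that receive the new outputs
    signatures: tuple  # one signature per spent outpoint
    segwit: bool       # True: signatures sit outside the hashed data

    def txid(self) -> str:
        body = repr((self.spends, self.pays_to)).encode()
        if not self.segwit:  # legacy: signatures are part of the preimage
            body += repr(self.signatures).encode()
        return dsha(body)

    def stripped(self) -> "Tx":
        """The same transfer with its signatures withheld."""
        return Tx(self.spends, self.pays_to, (), self.segwit)


def apply_tx(utxo: dict, tx: Tx, committed_txid: str) -> bool:
    """Bookkeeping only: spend inputs, add outputs keyed by (txid, index).

    Refuses when the data in hand does not hash to the txid the block
    commits to. Signature verification is deliberately not modelled.
    """
    if tx.txid() != committed_txid:
        return False
    for outpoint in tx.spends:
        del utxo[outpoint]
    for index, pubkey in enumerate(tx.pays_to):
        utxo[(committed_txid, index)] = pubkey
    return True


def demo(segwit: bool) -> tuple:
    # Constructed sample data mirroring the slide's UTXO table.
    utxo = {("a46e", 0): "Alice", ("58f1", 0): "David", ("88ce", 0): "Ethyl"}
    tx = Tx((("a46e", 0),), ("Bob",), ("sig-by-Alice",), segwit)
    committed = tx.txid()  # what the block's Merkle tree commits to
    updated = apply_tx(utxo, tx.stripped(), committed)
    return updated, sorted(utxo.values())
```

`demo(False)` leaves the set unchanged because the signature-less data no longer hashes to the committed id, while `demo(True)` moves Alice's output to Bob without any signature in hand.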
26. Segwit signatures are less valuable
                    Bitcoin                   Segwit
Profit with sigs    Reward + Fees – Cost      Reward + Fees – Cost
Profit without      Reward x (1-P) – Cost     (Reward + Fees)(1-P) – Cost
Value of sigs       P x Reward + Fees         P x (Reward + Fees)
As P → 0            Fees                      0
Note: P is the probability that the previous block was invalid
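Added working, not on the original slide: the "Value of sigs" row is the "Profit with sigs" row minus the "Profit without" row, in the slide's own symbols.
Bitcoin: (Reward + Fees – Cost) – (Reward x (1-P) – Cost) = P x Reward + Fees
Segwit: (Reward + Fees – Cost) – ((Reward + Fees)(1-P) – Cost) = P x (Reward + Fees)
The Fees term survives in the Bitcoin column because the "Profit without" entry there contains no Fees at all, so it does not scale with P.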
28. To witness or not to witness?
A Nash equilibrium is stable if
a small change for one player
leads to a situation where two
conditions hold:
1. the players who did not
change have no better
strategy in the new
circumstance
2. the player who did change
is now playing with a strictly
worse strategy
Bitcoins
29. To witness or not to witness?
Witnessing becomes
more profitable
Bitcoins:
stable equilibrium
30. To witness or not to witness?
Segwit coins:
multiple equilibriums
33. To witness or not to witness?
Segwit coins: multiple equilibriums
Only stable equilibrium
35. Kill Segwit and Earn a Profit
• Tempt other miners into
not witnessing the segwit
signatures
• Strategically withhold and
release witness extension
block using variant of
selfish-mining strategy
• γ is the fraction of miners
that mines on our block
when we have a block race
36. Kill Segwit and Earn a Profit
Keep
private
37. Kill Segwit and Earn a Profit
Now
release
38. Kill Segwit and Earn a Profit
• Tempt other miners into
not witnessing the segwit
signatures
• Strategically withhold and
release witness extension
block using variant of
selfish-mining strategy
• γ is the fraction of hash
power that mines on our
block when we have a block
race
This block more likely to
be orphaned. Punishes
miners who wait for
witness data.
39. Kill Segwit and Earn a Profit
γ = 1
Our strategy is
always more profitable
40. Kill Segwit and Earn a Profit
γ = 0.5
Our strategy is more profitable if defectors
control more than 25% of the hash power
41. Kill Segwit and Earn a Profit
γ = 0
Our strategy is more profitable if defectors
control more than 33% of the hash power
42. Kill Segwit and Earn a Profit
• When we’re confident that the majority of the network is no
longer waiting for witness data then:
• Begin re-routing segwit transactions to our own personal addresses
• Never release the witness data (no valid witness exists)
• Blocks get built above confirming our fraudulent transfer
• No one has proof that a fraud occurred
• “Everyone must have pruned the witness data”
43. This wouldn’t work for the P2SH soft fork
• Variation of this attack for P2SH:
• Instead of withholding the segwit extension block, just withhold the signature
for a P2SH transaction
• Use same strategy to entice miners to mine on the block (missing only a
single signature for a single transaction)
• Doesn’t work!
• There is no way the other miners can be sure that the transactions that make
up the block actually correspond to the Merkle root in the block header.
• Any third party could have proposed that a different block corresponded to the
known block header! There’s no way to tell who is lying.
• Miners would have to mine empty blocks instead and the entire system
breaks down.
44. Thought Experiment
Imagine that you have 100 BTC in a segwit address and a few
days later you notice that they've been transferred to an address
that you do NOT control. You try to find the signature that
authorized the transfer to prove the theft (you're sure your private
keys were secure so you think the signature must be bogus) but
conveniently nobody seems to have it saved.
Can you prove that your funds were stolen?