Minting sidechains: market-driven extensions to Bitcoin

1. Introduction

Bitcoin runs by consensus: rules can only be changed when everyone agrees to a change.  This is the defining trait of Bitcoin which we are not going to challenge.  However, this rigidity seriously limits useful improvements to the protocol that were historically limited to obviously harmless soft-forks.

Major upgrades such as confidential transactions, advanced smart contract functionality and custom token issuance involve complicated trade offs that preclude the use of traditional extension mechanism.

Complex experimental features must be deployed and tried out in the adversarial environment first, then reach universal consensus and adoption. Soft forks follow a reversed path: obtain the consensus first, deploy afterwards.

2. Alternatives considered

For the above reasons, all non-trivial innovations in cryptocurrencies were tested as altcoins, with their own mechanisms to prevent double-spends, disconnected from Bitcoin.

Let’s review the available choices:

Federated BFT consensus is quite centralized: you start with a club, and then you are stuck with it.  Even as an interim solution this does not allow trying out the system in a real adversarial environment.

Open-federation consensus with proof-of-stake suffers from both issues: first, it may be stuck in a “small club” mode. Second, proof-of-stake does not adequately define finality: even if the punishment is guaranteed to happen on any fork, that by itself does not help selecting the correct fork automatically. Proposed “weak subjectivity” methods depart from the original security model.

Alternative proof-of-work suffers from low-hashrate attacks: until sidechain has powerful mining farms from day one, it can be trivially reorganized by some rented hardware. Requiring large capital commitment up front brings us back to the original problem: the need to reach consensus before we reach the consensus.

Ethereum VM is flexible enough to try out a wide range of protocols and economic models, but it is grossly inefficient and does not have a clear scaling path.

3. Our proposal

We propose operating extension sidechain to Bitcoin using a separate fully peer-to-peer consensus protocol where nodes cooperatively convert bitcoins into sidechain coins.

Instead of using proof of work, sidechain minters (as opposed to miners) lock up bitcoins permanently.  Minters work on extending a single history by cooperatively chaining blocks of transactions.  Coordination is done on best effort basis over an unstructured peer-to-peer network.

In case a conflicting history appears, software automatically switches to the chain with the largest weight, as determined by the total amount of coins locked up.  Weight is computed non-linearly and tied to the Bitcoin chain to limit the range of possible attacks.

As an incentive, the sidechain issues a built-in token at a predetermined schedule as a reward for each valid block.  All minters working on a single block split the reward in proportion to their contributed coins.

Over time, reward shifts away from inflation and towards transaction fees.  If the sidechain network proves to be highly useful, it may eventually become part of Bitcoin via a soft fork.

4. Network operation

Every node participates in two peer-to-peer networks simultaneously: the Bitcoin network and the sidechain network.

Like in Bitcoin, the sidechain network relays new transactions that wait in memory pools until they are “confirmed” by the network by inclusion in the sidechain.

Confirmation is done in two steps.

First, the sidechain minters select a subset of sidechain transactions and sign commit transactions on Bitcoin chain.  Commit transaction locks up some amount of bitcoins on a predicate that cannot be satisfied:

   RETURN PUSH:<sidechain marker><subset hash>

Minters announce their subset to sidechain peers and their commit transaction to Bitcoin peers.

Second, they collect all known valid, non-conflicting subsets and deterministically arrive at a sidechain block (ignoring duplicate transactions).  The next subset points to the hash of that block, committing not only to new transaction, but to the entire preceding chain.

Minters collectively solve a knapsack problem by trying to select the combination of commits that yields maximum weight, while fitting within the size limit imposed by the sidechain network.

The schedule of sidechain blocks is tied to the bitcoin block schedule:

1. Every commit transaction is time-locked to its corresponding bitcoin block height.

2. If a commit transaction is confirmed by Bitcoin network late by N blocks (with respect to its target block height) its weight is reduced by 2^N.

5. Incentive

Minters convert bitcoins into the sidechain coin reward that consists of scheduled inflation (that slowly approaches the maximum supply) and transaction fees voluntarily paid by transaction authors.

The reward is split among the creators of commits in proportion to bitcoins they locked up.

Inflation is split among all commits, while transaction fees are only split among commits that include the corresponding transactions.  Empty commits are valid, but do not earn any transaction fees.

Nodes lose bitcoins if they do not aggregate known commits in the exact same blocks, so they are incentivized to connect well, propagate their committed data in time and combine known commits greedily in order to maximize chances of arriving at the same block with the maximum weight.

6. Security

Honest nodes connect to each other on best effort basis and cooperate on extending the single chain by committing to non-conflicting subsets of transactions and rejecting double-spends.

In case of a split (due to imperfect connectivity or an attack), nodes automatically switch to a chain with the most cumulative chain weight.  Chain weight is a sum of binary logarithms of individual commit weights.

Using logarithm (or any similarly non-linear function) to weigh individual commits in a chain of blocks helps against concentrated attacks, such as arbitrarily rolling back the history with a single high-value commit.  An attacker would have to spend exponentially more resources on their fork if they do not mint at the same rate, in real time, as all honest participants combined.  This ensures the attack attempt is visible to the entire network: nodes could increase their spending to make the attacker run out of capital, and halt acceptance of the transactions until the dust settles.

Support from a small fraction of Bitcoin miners helps raise costs of the attacks considerably: by rejecting attempts to mint a fork (without appropriately published sidechain data), miners force attackers to delay publication of their commits. This leads to an exponential increase in attack costs as the number of supporting miners increases.  If all miners participate in the sidechain network, forking the sidechain is only possible by forking Bitcoin chain itself.

7. Performance

Sidechains inherit latency of the Bitcoin network: sidechain blocks cannot be minted faster than Bitcoin blocks are mined.

Throughput of sidechains is inherently limited in the same way as in Bitcoin. However, sidechains may trade some security for increased block capacity.  Regardless of its throughput, each sidechain itself acts as an "extension block" and therefore increases the throughput of Bitcoin.

Transaction volume can be scaled via payment channel protocols by using a sidechain as a settlement layer.  Sidechains may also employ advanced cryptographic schemes to optimize transaction verification.

8. Applications

Sidechains can implement arbitrary economic models and use a wide range of technology with varying trade offs.

One benefit of the presented design is a secure price beacon: the average cost of minting always stays within the spread between bids and asks for the sidechain coins.  This enables fully peer-to-peer cash-settled futures contracts anchored to that price.  The short side of the contract receives stable bitcoin value redeemable in sidechain coins, which makes the contract a secure proxy for the bitcoin itself, but directly available inside a sidechain with all its functionality.

The peer-to-peer market for trading sidechain coins for bitcoins can be enabled directly in the sidechain software via atomic cross-chain swaps, since it tracks both chains anyway. Users may support the network simply by installing the node software, loading it up with bitcoins and performing conversion of bitcoins in and out of a sidechain without trusted third parties.

9. Conclusion

We have presented a market-driven mechanism to deploy an extension to Bitcoin: users convert bitcoins into sidechain coins at a market rate, while securing the chain against double spends. As a sidechain proves to be useful, it may get gradually supported by Bitcoin miners, who, in turn, make it more secure against “rich troll” attacks.  Ultimately, that sidechain may become a part of Bitcoin via a soft fork. Finally, the minting process leaves a precise and public price record that enables peer-to-peer futures contracts, bringing the bitcoin value into a sidechain without trusted third parties.