Scaling bitcoin hong kong youtube watch


So I am Pieter Wuille. I'll be talking about segregated witness for Bitcoin. Before I can explain this, I want to give some context. We all know how bitcoin transactions work. Every bitcoin transaction gets inputs, which refer to previous outputs being spent.

Every input has the txid and the signature to prove that it is allowed, plus an amount and script in every output. What this presentation will mostly be about is the question of whether all of this data is equally important. In particular, we are going to be talking about signatures. It's important to realize here that signatures are really only needed for fully-validating nodes. As a light-weight client, you are not validating signatures, even though they are part of the transactions you still have to download them.

If you are using a full-node that is syncing historical data, you don't actually validate all of the signatures in there. Currently there is a mechanism in there using checkpoints, which we want to deprecate soon, but the result will still be that we're not validating all signatures from years ago in deep history.

These signatures are only needed at time of validation. They don't go into the UTXO set, the database of all unspent coins.

These unspent transaction outputs don't enter the UTXO set. This is a significant cost on the resources of both keeping a node running but also the speed of propagation and access to the UTXO set needs to be fast. Segregated witness is about ignoring this whenever possible. Where does the name witness come from? For now, it's mostly a word to refer to the scriptSig in [...] or signatures inside transactions.

Later I will extend the meaning. The reason for this name is because signatures are not part of the transaction. They don't describe what the transaction is doing. The only thing they are doing is proving that the transaction is authorized by the previous owners of the coins. There are usually multiple possible valid signatures for the same transaction. We don't really care what the signature is, all we care about is that at least one signature for that existed.

Such an example of where something exists is known as a witness. We don't care what it is, well we do for auditing purposes, like in multi-sign setup where you have 1-of-3 people that are able to spend a particular output, perhaps you would really like to know which person signed, which we will solve later.

Inside a transaction, you still don't care. Wouldn't it be nice to just drop the signatures? The reason why we can't do this is because the signature is part of the transaction hash. If we would just drop the sig from the transaction, the block wouldn't validate, you wouldn't be able to prove an output spend came from that transaction, so that's not something we could do. But let's simplify the problem. What if we could design Bitcoin from scratch? What if you're designing an altcoin, there's really no reason why you would want to do this in Bitcoin.

This is actually something we did in sidechain alpha. You would mark the signature data as special. You are indicated by green color on this slide. Everything but the green part goes into the hash of a transaction. It's just a piece of data that's still there, but we don't consider it part of the transaction. This redesign would allow you to drop this data. There are anti-tamper reasons. A node relaying a fully-valid block with all signatures in it that are all valid, I would relay it to another node, and then just change the signature data.

This node does not see that the block is being tampered with. The node would see an invalid block, and you don't want that to happen. So we still need to make the blocks themselves, not the transactions, but the blocks need to commit to the signatures of transactions. One way to do this is change the merkle tree that blocks have to commit to the transaction IDs, into two-sided tree where one side refers to the transaction IDs without the signatures, and then there's a second tree, exactly constructed in the same way, but it contains the hashes without the signatures.

What are the advantages of this? It allows you to drop the signatures from relay whenever you are relaying to a node that is not actually doing full-validation at the time. It also allows us to effectively prune this data from history, maybe we're fine with not all nodes in the network actually maintaining these gigabytes of signatures that are buried under years of proof-of-work now. To show you how much data this actually is, here's the red line is the blockchain data today, the green line is what it would look like without the signatures.

It's a significant difference. Maybe more importantly, this change also solves all forms of potential malleability. This is a big problem right now for all sorts of more complicated contracts that rely on being able to spend outputs of unconfirmed zero-confirmation transactions. The inherent problem is that the signature data already does not go into the data being signed, but it does go into the transaction id txid.

And we use the txid to refer to previous transactions, as a result the txid can change and without impacting the validity. I recently withdrew bip62 because bip62 cannot solve various forms of important malleability. In particular, ECDSA which we are using for signatures, has an inherent problem namely you can, as a signer, as someone who has the private key, you can just change the signature into something else. This means that even with strong restrictions on what can be changed, you can never change, such as in 2-of-3 multisig, you cannot prevent only 1-of-3 from changing their signature.

This is a form of malleability. The only people you want to construct the valid transactions are those who have that right, only for all of them. Separating signature data from the transaction completely solves this problem. There are still malleability problems that remain, like Bitcoin selecting which part of the transaction is being signed, like the sighash flags.

This remains possible, obviously. That's something that you opt-in to, though. This directly has an effect on scalability for various network payment transaction channels and systems like lightning and others. This brings us to the actual full title of my talk, Bitcoin scalability with segwit. So far, I was talking hypothetically about the scheme presented so far, because the deployment would not be easy.

All transaction data structures would have to be changed, which is a huge deployment friction. This seems like a hard problem. I personally dismissed this as a solution for a long time as something non-viable, until Luke-Jr discovered that it's possible to do this as a soft-fork. What we're going to do is inputs, we just deprecate the signature field inside of inputs.

It's going to be an empty string from now on. Obviously, an empty signature is not going to be able to spend an actual output that requires a signature. Instead, the outputs do not push these scripts that we required to be satisfied, they would be encapsulated, it would be pushed as a piece of data. It's just an output that pushes data on the stack, the output doesn't do anything else.

In a soft-fork, we can add a new rule that restricts what's valid. We can add a rule like, whenever we see, we could say it's a new type of script that is able to [...] of updating its inputs from the signature field, it takes it from the witness instead. The witness becomes a third part of the transaction in addition to the inputs and outputs of a transaction. For now it would only contain a signature. So doesn't this change a transaction completely?

It's just a realization that, whenever we relay data to an old node, we can drop the witness. To them, the transaction is valid without it. Because the witness does not impact the txid, you can say it's not really a part of the transaction, it's just another piece of data we relay along with the transaction instead.

The scheme we were using before, to make blocks commit to the witness data, is not possible because we cannot change the structure of the merkle tree because that would be a hard-fork. But we can build two separate merkle trees, one with commitments to witnesses, and one with commitments to transactions as it is now.

The roots of the merkle tree would be stored in the coinbase transaction. This gives us almost the same power, except now it can be deployed as a soft-fork. There are more things we can do here. These were discovered while this solution was being thought of.

One is, we're adding a new script type, and this script gets encapsulated in a PUSH op now. We could say every script could begin with a version byte. The reason for doing so is making it easier to do soft-forks. Even if it returns true, someone could add a negation after it, which would make something that went from valid to invalid, go from invalid to valid, which would make it a hard-fork.

There are way, way more nice improvements to Script that we could imagine. This allows us to make any change at all in the Script language, like introducing new signature types like Schnorr signatures, which increase scalability by reducing the size of multisig transactions dramatically, or other proposals like merklized abstract syntax trees which is a research topic mostly. But there really are a lot of ideas for potential improvement to Script that we cannot do right now.

This would enable it for free by just adding one more byte to all Script scripts. Another thing it allows us is fraud proofs. Bitcoin right now only has two real security models.
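The malleability and block-commitment argument from the talk, as an added Python example that is not part of the talk or of Bitcoin's code: with a toy serialization (an assumption, not the real wire format), swapping one valid signature for another changes a legacy txid but not a segregated-witness txid, while the separate witness merkle root still exposes the change. All function names and sample values are constructed for illustration.

```python
import hashlib

def dsha(b: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for txids and merkle nodes."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def ser(fields) -> bytes:
    """Toy length-prefixed serialization (assumption: NOT Bitcoin's wire format)."""
    return b"".join(len(f).to_bytes(2, "little") + f for f in fields)

def legacy_txid(prev_out, script_sig, outputs):
    # Legacy layout: the signature (scriptSig) is part of the hashed data.
    return dsha(ser([prev_out, script_sig, outputs]))

def segwit_ids(prev_out, witness, outputs):
    # Segregated layout: the signature field is the empty string, and the
    # witness is hashed only into a second identifier, never into the txid.
    txid = dsha(ser([prev_out, b"", outputs]))
    wtxid = dsha(ser([prev_out, b"", outputs, witness]))
    return txid, wtxid

def merkle_root(leaves):
    """Bitcoin-style merkle root: hash pairs, duplicating the last leaf if odd."""
    if not leaves:
        raise ValueError("merkle_root needs at least one leaf")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def block_commitments(txs):
    """Return (transaction root, witness root) for (prev_out, witness, outputs) tuples."""
    ids = [segwit_ids(*t) for t in txs]
    return merkle_root([i[0] for i in ids]), merkle_root([i[1] for i in ids])

# Constructed sample data: two different valid signatures for the same spend.
PREV, OUTS = b"prev-txid:0", b"pay 1 BTC to script X"
SIG_A, SIG_B = b"signature-A", b"signature-B"

if __name__ == "__main__":
    print("legacy txid changes:", legacy_txid(PREV, SIG_A, OUTS) != legacy_txid(PREV, SIG_B, OUTS))
    print("segwit txid stable: ", segwit_ids(PREV, SIG_A, OUTS)[0] == segwit_ids(PREV, SIG_B, OUTS)[0])
    honest, tampered = block_commitments([(PREV, SIG_A, OUTS)]), block_commitments([(PREV, SIG_B, OUTS)])
    print("witness root exposes tampering:", honest[0] == tampered[0] and honest[1] != tampered[1])
```

A node that drops witnesses can still check the transaction root; only a node holding the witnesses can check the second root.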
