More Thoughts on Scripting and Future-Compatibility


My previous post introducing Ethereum Script 2.0 was met with a number of responses, some highly supportive, others suggesting that we switch to their own preferred stack-based / assembly-based / functional paradigm, and offering various specific criticisms that we are looking hard at. Perhaps the strongest criticism this time came from Sergio Damian Lerner, Bitcoin security researcher, developer of QixCoin, and to whom we are grateful for his analysis of Dagger. Sergio particularly criticizes two aspects of the change: the fee system, which is changed from a simple one-variable design where everything is a fixed multiple of the BASEFEE, and the removal of the crypto opcodes.

The crypto opcodes are the more important part of Sergio's argument, and I will handle that issue first. In Ethereum Script 1.0, the opcode set included a collection of opcodes specialized around certain cryptographic functions. For example, there was an opcode SHA3, which would take a length and a starting memory index off the stack and then push the SHA3 hash of the string taken from the desired number of blocks in memory starting at that index. There were similar opcodes for SHA256 and RIPEMD160, and there were also crypto opcodes oriented around secp256k1 elliptic curve operations. In ES2, those opcodes are gone. Instead, they are replaced by a fluid system where people will need to write SHA256 in ES manually (in practice, we would offer a commission or bounty for this), and then later on smart interpreters can seamlessly replace the SHA256 ES script with a plain old machine-code (or even hardware) version of SHA256 of the kind that you use when you call SHA256 in C++. From an outside view, ES SHA256 and machine-code SHA256 are indistinguishable: they both compute the same function and therefore make the same transformation to the stack; the only difference is that the latter is hundreds of times faster, giving us the same efficiency as if SHA256 were an opcode. A flexible fee system can then also be implemented to make SHA256 cheaper to reflect its reduced computation time, ideally making it as cheap as an opcode is now.

Sergio, however, prefers a different approach: shipping with lots of crypto opcodes out of the box, and using hard-forking protocol changes to add new ones if necessary further down the line. He writes:

First, after 3 years of watching Bitcoin closely I came to realize that a cryptocurrency is not a protocol, nor a contract, nor a computer network. A cryptocurrency is a community. With the exception of a very few set of constants, such as the money supply function and the global balance, anything can be changed in the future, as long as the change is announced in advance. The Bitcoin protocol worked well until now, but we know that in the long term it will face scalability issues and it will need to change accordingly. Short term benefits, such as the simplicity of the protocol and the code base, helped Bitcoin get worldwide acceptance and network effect. Is the reference code of Bitcoin version 0.8 as simple as the 0.3 version? Not at all. Now there are caches and optimizations everywhere to achieve maximum performance and higher DoS security, but no one cares about this (and nobody should). A cryptocurrency is bootstrapped by starting with a simple value proposition that works in the short/mid term.

This is a point that is often brought up with regard to Bitcoin. However, the more I look at what is actually going on in Bitcoin development, the more I become firmly set in my position that, with the exception of very early-stage cryptographic protocols that are in their infancy and seeing very low practical usage, the argument is simply false. There are currently many flaws in Bitcoin that could be fixed if only we had the collective will to. To take a few examples:

  1. The 1 MB block size limit. Currently, there is a hard limit that a Bitcoin block cannot contain more than 1 MB of transactions, a cap of about 7 transactions per second. We are starting to brush up against this limit already, with about 250 KB in each block, and it is already putting pressure on transaction fees. For most of Bitcoin's history, fees were about $0.01, and each time the price rose the default BTC-denominated fee that miners accept was adjusted down. Now, however, the fee is stuck at $0.08, and the developers are not adjusting it down, arguably because adjusting the fee back down to $0.01 would cause the number of transactions to brush up against the 1 MB limit. Removing this limit, or at the very least setting it to a more appropriate value like 32 MB, is a trivial change; it is only a single number in the source code, and it would clearly do a lot of good in making sure that Bitcoin continues to be used in the medium term. And yet, the Bitcoin developers have completely failed to do it.
  2. The OP_CHECKMULTISIG bug. There is a well-known bug in the OP_CHECKMULTISIG operator, used to implement multisig transactions in Bitcoin, where it requires an additional dummy zero as an argument which is simply popped off the stack and not used. This is highly non-intuitive and confusing; when I personally was working on implementing multisig for pybitcointools, I was stuck for days trying to figure out whether the dummy zero was supposed to go at the front or take the place of the missing public key in a 2-of-3 multisig, and whether there were supposed to be two dummy zeroes in a 1-of-3 multisig. Eventually, I figured it out, but I would have figured it out much faster had the operation of the OP_CHECKMULTISIG function been more intuitive. And yet, the bug has not been fixed.
  3. The bitcoind client. The bitcoind client is well known for being a very unwieldy and non-modular contraption; in fact, the problem is so serious that everyone looking to build a bitcoind alternative that is more scalable and enterprise-friendly is not using bitcoind at all, instead starting from scratch. This is not a core protocol issue, and in theory changing the bitcoind client need not involve any hard-forking changes at all, but the needed reforms are still not being done.
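To make the dummy-element quirk in item 2 concrete, here is an added toy model of OP_CHECKMULTISIG's operand handling (example code written for this page, not Bitcoin's or pybitcointools' code). Signature verification is replaced by a string match, a constructed stand-in for ECDSA, and the key names pk1, pk2, pk3 are made up; the operand layout, the same-order rule for signatures and the extra ignored pop follow the real operator. It answers both questions raised in the text: the single dummy sits at the bottom of the scriptSig (pushed first, before the signatures), not in the slot of the missing key, and a 1-of-3 still takes exactly one dummy, since a second one is simply left behind on the stack.

```python
"""Toy model of Bitcoin's OP_CHECKMULTISIG stack behaviour (illustration only).
The stack is a Python list with the top of stack at the end, as in Script."""


def verify_sig(sig, pubkey: str) -> bool:
    """Constructed stand-in for ECDSA: the valid signature under pk is 'sig(pk)'."""
    return sig == f"sig({pubkey})"


def p2ms_script_pubkey(m: int, pubkeys: list) -> list:
    """Data pushed by a bare multisig scriptPubKey: m <pk1> ... <pkn> n."""
    return [m, *pubkeys, len(pubkeys)]


def op_checkmultisig(stack: list) -> tuple:
    """Consume operands the way Bitcoin's interpreter does and return
    (verification result, whatever is left on the stack).
    Raises ValueError when the operands are malformed."""
    stack = list(stack)
    if not stack:
        raise ValueError("empty stack")
    n = stack.pop()
    if not isinstance(n, int) or not 0 <= n <= 20 or len(stack) < n:
        raise ValueError("bad pubkey count")
    pubkeys = [stack.pop() for _ in range(n)]     # popped top-first ...
    pubkeys.reverse()                             # ... so restore script order
    if not stack:
        raise ValueError("missing sig count")
    m = stack.pop()
    if not isinstance(m, int) or not 0 <= m <= n or len(stack) < m:
        raise ValueError("bad sig count")
    sigs = [stack.pop() for _ in range(m)]
    sigs.reverse()
    # The quirk the text describes: one extra element is popped and never used.
    if not stack:
        raise ValueError("missing dummy element")
    stack.pop()
    # Signatures must appear in the same relative order as their public keys;
    # each key is tried at most once, so a misordered pair fails.
    ikey = 0
    for sig in sigs:
        while ikey < n and not verify_sig(sig, pubkeys[ikey]):
            ikey += 1
        if ikey == n:
            return False, stack
        ikey += 1
    return True, stack


if __name__ == "__main__":
    pks = ["pk1", "pk2", "pk3"]                    # constructed key names
    spk = p2ms_script_pubkey(2, pks)
    print(op_checkmultisig([0, "sig(pk1)", "sig(pk3)"] + spk))   # (True, [])
    print(op_checkmultisig(["sig(pk1)", 0, "sig(pk3)"] + spk))   # (False, [])
    print(op_checkmultisig([0, 0, "sig(pk2)"] + p2ms_script_pubkey(1, pks)))  # (True, [0])
```

Running a scriptSig with no dummy at all raises the "missing dummy element" error, which is the toy equivalent of the real interpreter failing the script because it runs out of stack items.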

None of these problems exist because the Bitcoin developers are incompetent. They are not; in fact, they are very skilled programmers with deep knowledge of cryptography and of the database and networking issues inherent in cryptocurrency client design. The problems are there because the Bitcoin developers understand very well that Bitcoin is a 10-billion-dollar train hurtling along at 400 kilometers per hour, and if they try to change the engine midway through and even the tiniest bolt comes loose, the whole thing could come crashing to a halt. A change as simple as swapping the database backend in March 2013 (the move from BerkeleyDB to LevelDB in Bitcoin 0.8, which caused an accidental chain fork) almost did. This is why, in my opinion, it is irresponsible to ship a poorly designed, non-future-proof protocol and simply say that the protocol can be updated in due time. On the contrary, the protocol must be designed with an appropriate degree of flexibility from the start, so that changes can be made by consensus automatically, without needing to update any software.

Now, to address Sergio's second issue, his main qualm with modifiable fees: if fees can go up and down, it becomes very hard for contracts to set their own fees, and if a fee goes up unexpectedly then that may open up a vulnerability through which an attacker may even be able to force a contract to go bankrupt. I must thank Sergio for making this point; it is something that I had not yet sufficiently considered, and we will need to think carefully about it when making our design. However, his solution, manual protocol updates, is arguably no better: protocol updates that change fee structures can expose new economic vulnerabilities in contracts as well, and they are arguably even harder to compensate for, because there are absolutely no restrictions on what a manual protocol update can contain.

So what can we do? First of all, there are many intermediate solutions between Sergio's approach, shipping with a limited fixed set of opcodes that can only be added to with a hard-forking protocol change, and the idea I described in the ES2 blog post of having miners vote on fluidly changing fees for each script. One approach might be to make the voting system more discrete, so that there would be a hard line between a script having to pay 100% fees and a script being "promoted" to opcode status, where it only needs to pay a 20x CRYPTOFEE. This could be done via some combination of usage counting, miner voting, ether holder voting or other mechanisms. This is essentially a built-in mechanism for doing hard forks that does not technically require any source code updates to apply, making it much more fluid and non-disruptive than a manual hard fork approach. Second, it is important to point out once again that the ability to do strong crypto efficiently is not gone, even from the genesis block; when we launch Ethereum, we will create a SHA256 contract, a SHA3 contract, etc. and "premine" them into pseudo-opcode status right from the start. So Ethereum will come with batteries included; the difference is that the batteries will be included in a way that seamlessly allows for the inclusion of more batteries in the future.
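As an added illustration of the script-to-native promotion described above, and of the fee exposure raised in Sergio's second objection, here is a toy stack machine (example code written for this page; it is not Ethereum's VM, opcode set or fee schedule, all of which are simplified here). A routine runs either as interpreted script, paying BASEFEE per op, or, once it has been promoted, as native code paying a flat CRYPTOFEE. SHA256 is replaced by 32-bit FNV-1a, which is short enough to write in a handful of ops; the op names, the "fnv32" contract name and the fee numbers are assumptions. The promotion step performs the check a practitioner would want before swapping implementations: a differential test that the native candidate yields the same stack result as the script version on random inputs, which rejects a deliberately broken candidate. The same budget mechanism shows how a contract with a fixed fee budget fails once the per-op fee rises, and how promotion brings the cost back down.

```python
"""Toy model of script routines that can be promoted to native code after an
equivalence check, with a simple per-op fee meter. Illustration only; the ops,
fee numbers and contract names are made up for this example."""
import random
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


class OutOfFee(Exception):
    """Raised when a contract's fee budget is exhausted mid-execution."""


def fnv1a_native(data: bytes) -> int:
    """Native (Python) 32-bit FNV-1a, standing in for 'SHA256 in C++'."""
    h = FNV_OFFSET
    for b in data:
        h = ((h ^ b) * FNV_PRIME) & MASK32
    return h


def fnv1a_unmasked(data: bytes) -> int:
    """Deliberately wrong native candidate: forgets the 32-bit mask."""
    h = FNV_OFFSET
    for b in data:
        h = (h ^ b) * FNV_PRIME
    return h


def fnv1a_script(n: int) -> list:
    """The same function written in the toy script language, unrolled for an
    n-byte input: 1 + 6n ops, each charged BASEFEE when interpreted."""
    ops = [("PUSH", FNV_OFFSET)]
    for i in range(n):
        ops += [("INPUT", i), ("XOR",), ("PUSH", FNV_PRIME), ("MUL",),
                ("PUSH", MASK32), ("AND",)]
    return ops


SCRIPT_CONTRACTS = {"fnv32": fnv1a_script}   # script-defined routines, by name
PROMOTED = {}                                # name -> native function, once promoted


@dataclass
class VM:
    data: bytes            # contract input, read by INPUT i
    budget: int            # fee the contract may spend in this run
    basefee: int = 1       # per-op fee for interpreted script (assumed)
    cryptofee: int = 20    # flat fee for a promoted routine (the post's "20x")
    stack: list = field(default_factory=list)
    spent: int = 0

    def charge(self, amount: int) -> None:
        if self.spent + amount > self.budget:
            raise OutOfFee(f"needed {self.spent + amount}, budget {self.budget}")
        self.spent += amount

    def run(self, ops: list) -> int:
        """Execute ops and return the top of stack."""
        for name, *args in ops:
            if name == "CALL":
                routine = args[0]
                if routine in PROMOTED:       # native path: flat fee, same result
                    self.charge(self.cryptofee)
                    self.stack.append(PROMOTED[routine](self.data))
                else:                         # interpret the script version inline
                    self.run(SCRIPT_CONTRACTS[routine](len(self.data)))
                continue
            self.charge(self.basefee)
            if name == "PUSH":
                self.stack.append(args[0])
            elif name == "INPUT":
                self.stack.append(self.data[args[0]])
            elif name in ("XOR", "MUL", "AND"):
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append({"XOR": a ^ b, "MUL": a * b, "AND": a & b}[name])
            else:
                raise ValueError(f"unknown op {name}")
        return self.stack[-1]


def run_contract(data: bytes, budget: int, basefee: int = 1) -> tuple:
    """A contract that hashes its input with fnv32; returns (result, fee spent)."""
    vm = VM(data=data, budget=budget, basefee=basefee)
    return vm.run([("CALL", "fnv32")]), vm.spent


def promote(routine: str, native, trials: int = 64, seed: int = 0) -> bool:
    """Differential check before promotion: the native candidate must match the
    script version on random inputs of varying length. Registers it on success."""
    rng = random.Random(seed)
    for _ in range(trials):
        data = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 40)))
        expected = VM(data=data, budget=10**9).run(SCRIPT_CONTRACTS[routine](len(data)))
        if native(data) != expected:
            return False
    PROMOTED[routine] = native
    return True


if __name__ == "__main__":
    msg = bytes(range(32))                       # constructed 32-byte input
    print("interpreted:", run_contract(msg, budget=1000))      # 193 ops
    try:
        run_contract(msg, budget=300, basefee=2)   # fee doubled: 386 > 300
    except OutOfFee as e:
        print("fee rise bankrupts the contract:", e)
    print("broken candidate promoted?", promote("fnv32", fnv1a_unmasked))
    print("correct candidate promoted?", promote("fnv32", fnv1a_native))
    print("promoted:", run_contract(msg, budget=100))          # flat fee of 20
```

The order of operations matters: the contract with a budget of 100 fails while fnv32 is interpreted, and succeeds for the same input after promotion without any change to the contract's own code, which is the "indistinguishable from the outside" property the post relies on.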

But it is important to note that I consider this ability to add efficient, optimized crypto ops in the future to be mandatory. In theory, it is possible to have a "Zerocoin" contract inside of Ethereum, or a contract using cryptographic proofs of computation (SCIP) and fully homomorphic encryption so you can actually use Ethereum as the "decentralized Amazon EC2 instance" for cloud computing that many people now incorrectly believe it to be. Once quantum computing arrives, we might need to move to contracts that rely on NTRU; once SHA4 or SHA5 come out, we might need to move to contracts that rely on them. Once obfuscation technology matures, contracts will want to rely on it to store private data. But in order for any of that to be possible with anything less than a $30 fee per transaction, the underlying cryptography would need to be implemented in C++ or machine code, and there would need to be a fee structure that reduces the fee for those operations appropriately once the optimizations have been made. This is a problem to which I do not see any easy answers, and comments and suggestions are very much welcome.
