
An Overview Of The Tradeoffs For Different Sidechain Implementations

Each Bitcoin sidechain implementation brings about different centralization and consensus issues to weigh and consider.

This is an opinion editorial by Shinobi, a self-taught educator in the Bitcoin space and tech-oriented Bitcoin podcast host.

This article is the last in a series diving into the major sidechain designs that exist for Bitcoin. It is highly recommended to read the preceding pieces before this: (1) Spacechains, (2) Spacechain Use Cases, (3) Softchains, (4) Drivechains, (5) Federated Chains.

What are sidechains in a nutshell? Blockchains that allow you to move your bitcoin from the Bitcoin blockchain to this other sidechain. Therein lies the issue and the difficulty with designing a sidechain — you can't actually do that. You can't move bitcoin from the Bitcoin blockchain to another blockchain; that's not possible because the only place your bitcoin actually exists is on the Bitcoin blockchain. They can't actually exist anywhere else. All that is really possible to do is to lock your bitcoin in some way on the Bitcoin blockchain and then create other tokens on a different chain to represent those bitcoin. The highest aspiration of a sidechain is to do so in a way where it is verifiable that these tokens only exist 1:1 with real bitcoin (easy), and where the only way to unlock bitcoin on the mainchain in any situation is to verifiably lock tokens you legitimately control on the other chain (very hard to do in a trustless way that doesn't make bitcoin itself more expensive to verify).

Almost all the difficulties around designing a sidechain come down to how this locking and unlocking mechanism is designed: how locking them works, what conditions are required to unlock them and how those conditions are verified and enforced. One-way mechanisms, where you can only lock coins and never unlock them, are trivially simple. Just burn some bitcoin with OP_RETURN and require verifying that to mint tokens on the new chain and you're done. Two-way mechanisms, supporting both locking and unlocking, are a lot more complicated. So far there is no designed two-way mechanism except ones that increase the validation cost of the main Bitcoin blockchain (softchains), or ones that introduce new trust assumptions on the security of coins locked "in the sidechain" (drivechains and federated chains).
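The one-way mechanism described above, sketched from the sidechain's side as an added example (not code from the article or from any sidechain project). The tag, the 20-byte recipient field and the function names are hypothetical, and the caller is assumed to have already confirmed the transaction on the Bitcoin blockchain.

```python
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C
SIDECHAIN_TAG = b"SIDE"   # hypothetical tag identifying the target sidechain
RECIPIENT_LEN = 20        # hypothetical sidechain address length in bytes


def burn_payload(script: bytes) -> bytes:
    """Return the single data push of an OP_RETURN script, else raise."""
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("output is spendable: not an OP_RETURN script")
    if 1 <= script[1] <= 75:              # direct push of 1..75 bytes
        start, length = 2, script[1]
    elif script[1] == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    else:
        raise ValueError("unsupported push opcode")
    if start + length != len(script):     # truncated push or trailing bytes
        raise ValueError("malformed burn script")
    return script[start:]


def mint_for_burn(txid: str, vout: int, value_sats: int, script: bytes, minted: set):
    """Return (recipient, amount) to mint 1:1, recording the burn as used.

    Assumes the caller already checked that the transaction is confirmed
    on the Bitcoin blockchain.
    """
    payload = burn_payload(script)
    expected_len = len(SIDECHAIN_TAG) + RECIPIENT_LEN
    if len(payload) != expected_len or not payload.startswith(SIDECHAIN_TAG):
        raise ValueError("burn is not addressed to this sidechain")
    if value_sats <= 0:
        raise ValueError("no value was burned")
    if (txid, vout) in minted:            # each burn mints exactly once
        raise ValueError("burn already used to mint")
    minted.add((txid, vout))
    return payload[len(SIDECHAIN_TAG):], value_sats


# Constructed sample: OP_RETURN, then a 24-byte push of tag + recipient.
SAMPLE_RECIPIENT = bytes(range(20))
SAMPLE_SCRIPT = bytes([OP_RETURN, 24]) + SIDECHAIN_TAG + SAMPLE_RECIPIENT

if __name__ == "__main__":
    print(mint_for_burn("aa" * 32, 0, 50_000, SAMPLE_SCRIPT, set()))
```

Nothing here can run in reverse: the mainchain has no rule that would release the burned output, which is why the two-way case is the hard one.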

The holy grail of sidechains is a mechanism for locking and unlocking coins that does not require any trust to enforce it, and that does not increase the validation costs of the main Bitcoin blockchain (i.e. a single sidechain interaction with the mainchain is no more expensive, give or take, to verify than a single Bitcoin transaction). Currently nothing accomplishes that, so time to go through the downsides.

Mining Centralization

All of the different designs I've gone through, except for Liquid, in one way or another depend on Bitcoin miners to provide security for the sidechain. RSK, even though it is a federated peg, still uses Bitcoin miners. Softchains could in theory use something else, but if it did not provide as much proof-of-work (PoW) security as Bitcoin miners, then it would be opening the Bitcoin blockchain up to denial-of-service (DoS) attacks. So, in reality, if a softchain were deployed, it would use Bitcoin miners. Spacechains' PoW is based explicitly on Bitcoin miners confirming a commitment transaction for the sidechain. Drivechains are specifically designed for merge mining by Bitcoin miners. There is no escaping getting miners involved in sidechains unless pure federated sidechains are all that is ever deployed.

One clear distinction needs to be made before going into this risk: the difference between miners themselves (hardware operators) and mining coordinators (pools; the node constructing blocks). Pools are necessary to collect a reward regularly if you do not have a very significant amount of physical mining hardware and are a legitimate point of centralization. Mining centralization/decentralization is not a simple topic (more here) and there are important nuances in how different aspects of mining being centralized interact with other aspects of mining. Without mining pools, a miner's income is a totally erratic, unpredictable revenue stream. This, in combination with the very real risk of potential regulation of mining pools in future (they are a custodial entity; they custody users' funds until withdrawal), makes mining pools a very dangerous point of centralization for the space.

Miners have to validate the blockchain in order to mine, regardless of whether or not this function is outsourced. Without validating the chain, they have no clue whether the block they are mining contains only valid transactions; all it takes is a single invalid one to invalidate the block they find and lose them all the money they could have earned. This requirement for validation is, however, not the reason mining pools are used: it's the predictability of rewards. A miner with 1% of the hashrate will only very rarely find a block and collect the whole reward, while a miner with 1% of the hashrate using a pool will regularly collect roughly 1% of the block reward that the pool collectively earns. The validation cost is tiny. The reward predictability is the selling point, which is why developers are trying to find a way to get those same benefits without requiring a centralized pool. This would allow miners to not depend on a centralized entity that has control over which transactions go into a block.

Now imagine if the validation costs were higher. There is no limit to the number of spacechains that can be created. And while they are not pegged to bitcoin in price like other designs, any of them that holds a significant value would be worth it for mining pools (and miners) to run in order to gain more money. Miners who did so would be more competitive than those who didn't, and if mining in the long term becomes an industry with razor-thin profit margins, this effectively becomes a requirement to mine these other chains. If you don't, you aren't profitable. Miners who do run them can drive costs higher for miners who don't and still profit, driving the others out of business.

Also remember, there is no limitation on the validation costs of a sidechain. It can be very costly to validate some cryptographic functions, arbitrary complexity like Ethereum or even full-on gigablock stupidity like BSV. Softchains have the exact same risk, in addition to increasing the validation cost of regular users running full nodes. The only "saving grace," if you want to call it that, is the requirement to activate a single sidechain at a time with a unique softfork. That at least means that each individual proposal and its validation cost will be heavily scrutinized before being activated.

Drivechains? They claim to solve this issue, but the reality is they don't. The notion of a drivechain is that the block creator winds up paying most of the fees to miners to have their block mined, keeping only a small portion for themselves. That small portion in a world of razor-thin profit margins is more profit that can be had, which again comes back to being able to drive other miners out of business if you do it yourself. Even if you assume drivechain block creators keep none of the fees for themselves, giving 100% to miners, why would they do this if there was not some other aspect of this sidechain that they can monetize? That's likely a form of Miner Extractable Value (MEV) that miners could make money off of, having the same centralizing effect. In the long-term, any type of decentralized mining pool would have to involve miners running all of these sidechain nodes in addition to a mainchain node, which could wind up being a very unrealistic prospect for small-scale miners. That would put an artificial floor restricting how decentralized mining could be.

Only federated sidechains avoid this centralizing effect on Bitcoin mining because they in no way interact with miners, except by virtue of paying miner fees on transactions pegging coins out of the sidechain.

The Risks Of Pegs And Consensus

The process of how sidechains are mined presents risks to mining centralization, and the process of how coins are locked and unlocked from a sidechain peg can present risks to consensus. Federated pegs and one-way pegs do not present a serious risk to consensus. A federated peg is fundamentally no different from a custodial exchange (you can deposit to and withdraw from it), so it has no more interaction with the consensus process than exchanges do and presents no new risk. One-way pegs are simply a way to burn your bitcoin and make them irrecoverable. This is not a risk or interference in consensus. Softchains and drivechains, however, both in different ways present risks to Bitcoin consensus.

Softchains present a very clear consensus risk to the main Bitcoin network. Firstly, each softchain added raises the cost of validation for mainchain-only nodes, and depending on the size of its blocks or the complexity of its rules, this can be a marginal increase or a quite drastic increase. Secondly, any consensus split due to a non-deterministic bug could affect the mainchain. Such a bug was the cause of the chainsplit that occurred in 2013. Due to how the database Bitcoin uses to handle reading and writing data works, some nodes would "run out of" times they could read and write data and invalidate an otherwise valid block. Because these operations were limited based on individual computer resources, there was no consistent situation that would cause this, as each individual node's resources are different.

Such an incident on a softchain presents a consensus risk to the mainchain because of how they are intertwined. Lastly, how the difficulty requirements are defined for mining a softchain can have huge implications for the validation cost of mainchain-only nodes. Any detection of a softchain chainsplit triggers downloading and validating every block down to the root of that chainsplit, which, depending on the validation costs of a specific softchain, could create a massive validation increase for mainchain nodes. If the mining difficulty is, or can even be allowed to be, too low a percentage of the total Bitcoin hash rate, it could become very cheap to attack Bitcoin by creating chainsplits on the softchain just to increase mainchain node costs.

Drivechains present a more subtle risk to consensus. As discussed above, they do in fact have dynamics, like other sidechain designs, that create pressure toward further centralizing mining. This interacts very poorly with the fact that the peg is essentially just miners in total control of the coins in drivechains; a majority of them can effectively do whatever they want with coins locked in drivechains. The safety of all coins on drivechains depends on miners being decentralized enough to make 51% attacks impractical, but at the same time drivechains create pressures that will likely increase mining centralization in the long term.

If such a dynamic plays out with drivechains and miners steal coins from the peg, there is literally no option for users of that sidechain except a user-activated soft fork (UASF) to invalidate that peg out. This would be a very different dynamic than the last UASF; in 2017 users essentially played a game of chicken where they would have coins on both sides of the fork. Both options were available to people supporting a UASF. In the event of a UASF to stop drivechain theft, users would not have both options available. Only on the UASF side of the fork would they have coins; on the legacy chain they would have nothing. They literally have no incentive to come back to the legacy chain if the UASF fails and results in a chainsplit.

Some even argue that miners should attack certain "bad" sidechains (though it’s not certain what constitutes "bad" in a sidechain). If drivechains were widely adopted, this entire dynamic could fragment the Bitcoin blockchain and dilute its network effect. People victimized by a drivechain theft have every incentive in the world to keep a fork going, as letting it die means they have lost everything.

Wrap Up

It would be remiss of me to not mention federated sidechains in this piece; they do not present direct threats to Bitcoin consensus like other designs, but by their nature are effectively a trusted system. Users of such systems should consider deeply whether the utility offered by such systems is worth the trade-off in security model, and whether the federation operating the system is trustworthy enough to hold custody of their funds.

In the end, no currently proposed sidechain design comes close to fulfilling the original promise of sidechains laid out in the original 2014 paper. They all either fail to provide the level of security desired in a pegging mechanism to move between chains or present risks to the main Bitcoin network itself. Maybe one day things like zero-knowledge proofs could provide a way to design a peg that does not impose increased validation costs on mainchain nodes like softchains, or not require new trust assumptions like drivechains or federated chains in terms of the security of users' funds. But as of now, no such concrete design exists. If you think truly trustless sidechains are an important improvement for Bitcoin, hopefully one day the technology to implement them will be developed, but currently nothing in existence has come close.

This is a guest post by Shinobi. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.


via bitcoinmagazine.com
