Topic: "Surprisingly, Tail Emission Is Not Inflationary" -- A post by Peter Todd - page 6. (Read 2760 times)

The entire point of having a supply cap is to prevent dilution of one's bitcoin hoard.

Taking coins from hodlers to provide security while preserving this limit is thus sheer folly.

Miners can't force you to create transactions, though. That's what this problem is all about in the end. Not having enough transactions in the main chain.

Taking 1 satoshi for every 0.01 BTC (for example) is the same as having tail emission. It violates the resistance to arbitrary monetary policy.

So, the idea is: Mine in the main chain with no main chain reward, but with X reward in sidechains. Therefore, we're talking about a slow transition to sidechains. So what will the sidechains' reward be if there cannot be any new coins brought into circulation?

What's this smell? Proof-of-Stake? 

Why? Miners enforce fees, and they can make transactions with too low fees non-standard, it is a matter of changing some parameters in the Core client, no forks are needed at all to make fees lower or higher. Any node operator can do that, and any mining pool can enforce that. Then, whales will be forced to sell some of their coins, to invest into mining.

Another thing is that tail supply can be reached by taking coins from people, without increasing 21 million coins limit. Then, it will be obvious to everyone, what this proposal is truly about. Because if more coins will be produced, then it is more sneaky, because many people don't understand, how inflation works, but if they will start losing satoshis, then they will see that in a crystal clear way.

True, there will be some activity, related to peg-ins and peg-outs, in the same way, as LN channels are opened and closed. The same will happen in the sidechain. You can imagine a sidechain as a one, huge, N-of-N multisig, where you have a single sidechain output that is pushed forward. But it is not the whole picture, because more things are needed, to allow making the whole flow, without always interacting with all participants (because if someone has 1 BTC on the sidechain, and if that amount is left untouched, then no activity from that person should be needed to make changes in the sidechain).

Not really, because even if you can see zero on-chain reward in the coinbase transaction, then the whole block is still needed as a Proof of Work confirmation for everything, that is attached into it. So, if the coinbase reward on-chain is zero, it doesn't mean that there is no activity. It could mean as well, that the whole activity is in connected networks, and then, if you reorg it, you will make all people angry, that are inside those networks, so the total security budget is the on-chain coinbase reward, plus all rewards from all connected networks.

To put it in other words: if you have a chain, where there are no coins at all, zero coin supply, only zero amounts are allowed by consensus rules (because some network started in that way, or because all coins were burned or lost, it doesn't matter), and you have block headers with 80 zero bits, then tell me: is that network strong? Because I think it is, even if it is just a source of the Proof of Work for things that are attached into it. Because to reorg a block, you need to mine another block with 80 zero bits. And it is hard, no matter if the coinbase reward is zero or one million coins. And imagine that those zero satoshi outputs could just trigger things on other chains, just by requiring a valid signature for that output. Is it safe? Because I think it is.

True, and I think it will be easier to resist that "tail supply attack" than make it real. Or maybe people will be forced to make it in some less obscured way, when all additional coins will be explicitly listed, or when all additional coins will be explicitly taken from users, and passed to miners in a direct way, because that's what this proposal is about.

Oh. So sidechain's difficulty is based on main chain's difficulty. That makes sense.

P2Pool.io? I'll have to study further as I'm not knowledgeable enough on this field. My understanding goes as following:

• Pool gathers shares, until one of them is below the target.
• Miners work on hashing block headers that reward pool's address.
• Once a miner finds it, he sends it to the pool, and the pool rewards everyone accordingly to their shares.

Can't think of a decentralized alternative, but I'll read the link.

That was not my point. My point was: For sidechain X to work properly, there has to be activity in the main chain. But, the usage of the sidechain X reduces the activity of the main chain, and therefore contributes to make itself useless.

For example, if every bitcoin user eventually switched to Lightning and made nearly zero transactions on-chain, the fees wouldn't be sufficient for the system's security. And if there's no security, there's no Lightning utility either.

Just because we're criticizing it, it doesn't mean it's a "pipe dream". We're making discussion here.

The way I see it:

* tail emission of a fixed number of bitcoin trends towards 0 inflation and is therefore not different in the long run from a fixed supply.
* tail emission as a fixed percent of bitcoin is forever inflation. This does have an effect, but as noted by many in the "Bitcoin covenants are inevitable" email thread on the dev mailing list (which went off the rails as a discussion of blockchain security and targeting/funding of that security), doing this does increase the amount of security (all other things kept equal). However, choosing an arbitrary forever-inflation-rate does not ensure that blockchain security will always be sufficiently funded, unless we can find some upper bound on required blockchain security (in terms of percentage of total coin supply).
* Some have mentioned that people lose coins. I don't think this fact is worth considering - ie its not significant. The future rate of lost coins will decrease towards 0, and is likely already nearly 0 today.

If for some reason we determine that we *can't* sufficiently fund miners with fees alone (which I think is a very real, but unlikely possibility), then adding a percentage-based tail emission would be basically our only option. However, I agree with most that until we find that to be the case, its likely a very dangerous thing to attempt to do to bitcoin. Even tho there are reasons of economic efficiency for holders to pay some of the cost of bitcoin's security (via inflation) in addition to transactors (via fees).

Its not, there will be enough nodes that will never accept this change, so there will always be a fixed supply Bitcoin.

Bitcoins are backed up in a physical way(Steel, paper, whatever) and stored like any other valuable item. Is all gold lost, if we stopped finding new one? I dont think so. There is maybe 2 kinds of different people, the people that dont manage to take care of it well enough, and people that find ways to do it, and never/barely lose anything.

Backups can also be found again/stolen, or Coins can be transfered into a new wallet with a new backup, if the backup was lost but theres still access to them. This assumption will probably fail in practice, lets prove it, instead of claiming the species that is hoarding the most ridiculous things, is unable to hoard Bitcoin back ups at all, that are actually valuable.

So then we also have new ways to eliminate single points of failure trough multi sig, you can store seeds in different places and it doesnt matter if you lost however many seeds you specified beforehand. This is something not even gold or anything else has, imagine you could recover a full 5 ounces of gold, if you just need to manage to store 3 of them safely(or 3 of 5 access keys, if we want to be more accurate). And then its always possible to update the security model by just transfering coins into another wallet for example, if you have already noticed that 1 seed is lost/ compromised.

If theyre backed up digitally, its also likely for them to get into some hand that knows how to store them safely, after enough tries.

Bitcoins success wil likey depend on the properties it offers and not on the amount of coins in circulation. It can store the same amount of value, no matter if theres 15 million or 5 million coins in circulation, then it just incentivises people to even take more care of their satoshis, as the value of each individual satoshi rises. And rewards the people that keep them secure. Bitcoin is highly divisible, the circulation can actually be handled by subdividing it into smaller parts, this wont mess people up, that didnt mess up themselves, that is the subtle difference to inflation.

A tail emission is like debasing a currency, if we start to mix copper into gold, we can act like we have gold more coins, but once people realise this they will switch into alternatives again and the value of each individual coin falls in value. And the properties of your currency changed, so more and more people might not even want it anymore. There has been many attemps troughout history to fix problems trough debasement, but it never brought desirable results for the majority of users and never lead to a ultimately successfull currency.

Even if all coins will be lost or burned, then still, the system could work. By extending Script, you can treat Bitcoin as the source of Proof of Work, and execute any contract on that. Also, if all coins will be lost, then it is still possible to put " OP_DROP" inside zero satoshi outputs, and handle them correctly. And you can go far beyond that, you can use OP_ADD to sum amounts, you can execute the whole "a coin in a coin" scheme. So, losing all coins is not a limitation to the protocol.

But I think it is very unrealistic assumption that all single satoshis will be lost, and there will be no coins at all. Another thing is if we assume that, then it is possible to build another protocol on top of that, where burned coins will be treated as a one-way-ticket from Bitcoin to some altcoin, if it will be based on Proof of Burn. Because if someone is worried about matching lost coins properly, then that person should have any algorithm to predict, how many coins are truly lost. Counting OP_RETURN, taking less coins in the coinbase, and other obvious things is simple. But what about trap addresses? What about coins that didn't move for N years? It is an open question to those altcoin creators, how they want to count that.

So a respected bitcoin developer is now putting out the idea that there should be more than 21 million bitcoin. Guess bitcoin's fixed supply is maybe just a pipedream...because as peter todd points out,

"An intuitive explanation for this result is that in the long run, the initial supply N0 doesn’t matter, because approximately all of those coins will eventually be lost."

too bad for people that thought the solution is just to subdivide bitcoin into smaller parts. those will eventually be lost too. and so on.

Why? You have one Bitcoin block with 7 BTC reward, and you have 700 sidechain blocks, 0.01 BTC each, and doing 51% attack to revert this 7 BTC should be as hard on that sidechain, as it is on Bitcoin. So, it is about tracking the difficulty, and about the same security for a given amount. You can measure that simply by relying on difficulty and amount: a combination of those two things should give you an answer about the security budget, and about the amount of work you need, if you want to reorg that.

On NameCoin, it is completely separated, where it should be joined: Merge-Mined chains should track the chain of the heaviest Proof of Work, and their block rewards should reflect that. So, NameCoin is an example of Merged Mining done wrong, because you can have a few percent of Bitcoin's hashrate, and they don't track all Bitcoin headers, but only those that are properly constructed, so you can attack them, even if you don't have enough power to attack Bitcoin. And that should be changed, to prevent that attack.

The same mistake was made by chains like BCH: if they have 1% of the BTC hashrate, then they should receive 1% of the coinbase amount, if that's what they need to maintain 10 minutes block time. Another mistake is that they splitted monetary base completely, instead of making transactions, that would be also valid on BTC, but would be just confirmed later, because of the block size limit.
I mean there is no reason to do that in a centralized way. There were some alternative ways, like P2Pool, and things should go further in that way, maybe also into LN rewards, sidechain rewards, and things like that.

The difference is that it should be cryptographically secured. I thought about things like "pay to block hash address", when you could lock some coins on some address, and they could be taken, only by performing block validation. And I thought about compressing repeated parts, so something like that:
But that's too heavy, so it should be simplified to some proofs that are more compressed, and take less space on-chain. Also, because transactions in mempools are similar, it is possible to validate repeated parts once, and then only track changes in some deterministic way. The main problem is about data compression, because technically it is possible to perform such "delayed validation" (and burn coins if someone will pass a fake block header hash or something). So, I can see two options:
1) validating basic things, and assigning coins to miners (or burning if they lied and are unable to provide a proof)
2) validating everything, and assigning coins to miners (if there are enough resources to validate everything on time)

If you count all traffic on the main chain, all traffic inside LN, all traffic inside sidechains, and all Bitcoin-related traffic in general, and it is still not enough, then there are two options:
1) we live in a strange world, where there are no transactions at all, in any other monetary systems, because 99% people died or something
2) there are transactions in other networks, so we should think, if Bitcoin still has all needed features, and why people don't want to use it

These two seem contradictory:
If some blocks are included in the main chain's block headers and some other represent "exclusively" sidechain's block headers that are not included in the main chain, then attacking the sidechain (by reversing sidechain "exclusive" blocks) is definitely easier to accomplish.

"Wasted" hashes aren't passed to centralized pools for no reason. They work as shares, so that if one of the miners solves a block, the reward is distributed accordingly to the shares. Unless you meant those that don't work that way.

Decentralized mining does sound very cool. But, how will Lightning or a sidechain contribute to it? You still pass your shares to a third party which pays you via Lightning; isn't this the general idea?

But, that's true as long as the system is sustainable. Sure, I can make a few sats by either staking or merged-mining in a sidechain, but since everything depends on the main chain, these are irrelevant to sustainability.

Yes, it is based on the same consensus algorithm. But it can extend it, by adding more features, that are not present on the main chain (for example by using homomorphic encryption, then things can be first encrypted, then executed in a trustless way, and then decrypted and broadcasted to the main chain).

Some of them are, some of them are not. Because if the sidechain contains (tracks, traces, it has to be aware of it) the heaviest chain of SHA-256d headers, then it can be used to decide, how much work is needed to assign 0.01 BTC to some sidechain miner. It should be as hard as on Bitcoin, so (unlike Namecoin) it should be possible to 51% attack any sidechain only if you can 51% attack Bitcoin. Also, the sidechain can contain more block headers than Bitcoin, then each Bitcoin header is a valid sidechain header, but not the other way around, so only some sidechain headers push the whole sidechain forward, by adding commitments to the main chain.

That is true, this is what Merged Mining is about: you want 0.01 BTC tail emission? No problem, just mine Bitcoin, and instead of receiving 7 BTC (6.25 BTC plus 0.75 BTC in fees), mine 700 times easier block, and get 0.01 BTC on the sidechain.

Exactly.

Also true. Currently, those "wasted" hashes are passed to centralized pools for no reason, because technically, that problem could be solved in a pure P2P way, and that's what decentralized mining is about (using sidechains is just an option, you can decentralize mining by receiving rewards in LN as well, there are many possible solutions to that problem).

Not exactly, because you can get some sidechain fees, LN fees, or whatever fees there are in other networks. And if you are a small miner, it is reasonable to get for example 100 satoshis, by confirming some coffee-buying transaction, and it is not strictly necessary to push all of such transactions to the main chain directly. This is why other networks are needed: to allow further scaling, and to allow batching N small transactions into one huge mainchain transaction.

I had talked about Merged-Mining with stwenhao, but that was Proof-of-Stake based.

Correct me wherever I'm wrong:

• Sidechain is a "child" of the main layer. Therefore, it inherits the same consensus algorithm.
• Sidechain blocks' hashes are included in the main layer's blocks' headers. Therefore, to mine from sidechain, you need to provide computational power to the main layer.
• Miners either find a hash that's lower from sidechain's target and higher from the main layer's target (and can only propagate it to the sidechain network), or find a hash that's lower from both and propagate their success to both networks.

So miners can mine on one chain, and the "wasted" hashes are used to secure another chain. It's reasonable to work as long as there's enough reward from the main layer. Correct?

So, what is wrong with increasing block rewards by Merged Mining? If you have sidechains, you still need to handle transactions that will put coins in and out. If someone will move some coins on the main chain, then miners will earn some fees. If someone will move coins on the side chain, then miners will use Merged Mining to mine this sidechain, and will also earn some fees. So, why not Merged Mining?

A CoinPool-like sidechain could provide Lightning's efficiency squared.

This topic raises the issue of whether it is desirable to have transaction activity in the main layer or to scale with sidechains. If we have the former, the system is sustainable but not operatable. If we have the latter, the opposite. Therefore, we have to find a way to make it both sustainable and operatable, but the solution is not to rely on the main layer (as it makes it non-operatable), but neither to push people on sidechains (as it makes it non-sustainable).

And the solution can't include changes to the inflation schedule as it makes it susceptible to arbitrary monetary policy.

It is true only if you assume 2-of-2 multisigs. But since Taproot, we have N-of-N multisigs, so we can onboard N users per address. And that's also another reason to think seriously about sidechains: scalability is directly related to compression. And better compression could be achieved if some users will stay on some second layers, for example inside LN. And as long as each user has to touch the main network directly, it is a bottleneck, and it needs some solution (for example sidechains, but I think it should be done in a bit different way than Paul Sztorc proposed, it should be unlimited and permissionless, so the mainchain should only track the UTXO set, and should be unaware of the number of existing sidechains, and their internal state).

Just in case anyone has missed it, there is another relevant discussion taking place on the mailing list over the last 24 hours. It starts here: Security problems with relying on transaction fees for security

I was quite interested to read this snippet from Peter Kroll:

It is similar to what I said in a post last year: https://bitcointalksearch.org/topic/m.57236745

So "all" that is required to ensure the long term sustainability of the security budget is to achieve global adoption. As things currently stands, this would guarantee consistently full blocks with a competitive fee market.

Exactly. Changing total Bitcoin supply would make Bitcoin immutability questionable. And if the community let such major change happen, IMO it's just matter of time before another major change happen.


Wrong, what they have is dynamic block size. It also has minimum and maximum allowed block size limit.

I will get to Monero's case. There, iirc, there's "no" block size/limit. That might affect the equation - might make it different than what we have for Bitcoin, where miners can force (by plugging out vast quantities of hashrate now and then) a cluttered mempool and bigger block rewards (I know that they have to add that hashrate back before the difficulty change/detection, I know that's overly simplified and may be wrong, but it feels possible that Bitcoin miners would do dirty tricks for more money if need be).

So you're right, tail emission size may depend on more variables than we can now think of. I don't know if it's impossible to get it right ("never say never", you know), still, close to that indeed.

Yes, and that's why it should be introduced in a different way. The mainchain should not know, how many sidechains there are, and if there are any sidechains at all. It should be made in the "always was possible" way, for example by signing coins. By looking at some output, nobody should know, if it is a part of the sidechain or not, in the same way as you don't know, how many parties there are in a single Taproot address.

You can't get tail emission right. A good TE value in a certain market conditions is an awful TE in different market conditions. The success of tail emission depends entirely on whether the number of miners stay almost-constant thoughout the lifetime on the coin. Just like in economics, there is a break-even point in the number of miners where more miners joining the network will not see an increased reward - as the price (which is dependent on users buying and selling) works independently from miners.

By supplying Tail Emission you constrain the network to a certain number of miners, and since there is no noticeable increase in hashrate, there is no corresponding increase in coin scarcity either, hence no price increase - miners will have to support themselves on a block reward (i.e. TE value) which has a fixed USD value forever.

EDIT: Let me also clarify that when I said "Miners will not see increased prices on their rewards", I meant the mining difficulty will continue to go up but less blocks will be found by each miner due to increased competition, hence the profits for each miner decrease as competition increases, as the block reward and price stay constant. Hence the network security and therefore the user capacity is constrained (capped). Which is why coins like monero have a small market of people.

As I hinted in my previous reply here, the userbase capacity is tied to the block reward, which must decrease gradually in order to support more users over time. Rushing it will not bring the desired user capacity faster; it must occur natually every halvening.

In this case, the user capacity you have when the block reward converges to zero is the capacity you're going to end up with forever [assuming no protocol changes are made]. At the current rate of adoption, I'm estimating this capacity to be scores higher than VISA and Paypal (scalability is a different topic altogether). But we are most likely not going to utilize all that capacity - after all, there are only so many people in the world.
[END OF EDIT]

---

I don't like BMM not because of any technical problems with it, but for a political reason - it will confirm the association of bitcoin with other shitcoins, on a protocol level [bad press confirmed].

edit 2: spelling