Placeholder Image

字幕列表 影片播放

  • The following content is provided under a Creative

  • Commons license.

  • Your support will help MIT OpenCourseWare

  • continue to offer high-quality, educational resources for free.

  • To make a donation or to view additional materials

  • from hundreds of MIT courses, visit MIT OpenCourseWare

  • at ocw.mit.edu.

  • NEHA NARULA: Welcome back.

  • Today, we are going to talk about forks.

  • So I think you guys have had a guest lecture last week

  • from Alin Tomescu, who talked about his project, Catena.

  • And one of the really interesting things about Catena

  • is that he's trying to prevent a server from equivocating.

  • So he's trying to keep a server from being

  • able to say one answer to some people and another answer

  • to another person.

  • That's kind of the goal of this whole blockchain thing.

  • But there's actually something really complex

  • that happens when we start to change what's

  • happening in the network, and we start

  • to change the software that's happening in the network.

  • And so this lecture is going to be about forks.

  • And I want you guys to feel free to raise your hands

  • and ask questions during class, because this stuff is actually

  • kind of non-intuitive sometimes.

  • So a blockchain is a chain of blocks which have previous hash

  • pointers inside of them.

  • So a question-- can a block point to two previous blocks

  • at the same time?

  • Anybody know the answer to this question?

  • No, exactly, that is the whole point.

  • There is exactly one spot in the block header

  • for a previous hash block.

  • And so a block can only point to one previous block.

  • A single block cannot point to two previous blocks.

  • However, can this happen?

  • Can two different blocks point to the same previous block

  • header?

  • Yes, yes, and this happens all the time.

  • Now, part of the reason that this happens all the time

  • is because the way that blocks are

  • found in the bitcoin network is completely probabilistic.

  • There are many people who are trying

  • to find the next block at the same time.

  • And it's entirely possible that two different miners

  • will get lucky in a time period that

  • is within the time it takes for a block to get gossipped

  • around the network.

  • And so, totally, two people can find the same block

  • at the same time.

  • This is actually what's known as a fork.

  • And you can kind of see why.

  • We have a fork in the chain right here.

  • But what does it really mean when

  • there's a fork in the chain?

  • I just told you that this is something

  • that happens all the time.

  • And these cryptocurrency networks seem to keep running.

  • They seem to be keep going.

  • So perhaps it's not as bad as it seems,

  • even though it seems to be violating

  • one of the major tenets of what a blockchain is.

  • Well, it is kind of bad, actually,

  • because when you have these two blocks here,

  • is there anything that makes one the right blockchain

  • over the other blockchain?

  • Just if this is one blockchain right here,

  • and this is another blockchain right there,

  • how is one supposed to distinguish between this?

  • Yeah?

  • AUDIENCE: The one with the most work.

  • NEHA NARULA: The one with the most work,

  • OK, that's a great sort of way of thinking about it.

  • What if they have similar amounts of proof of work.

  • Then what?

  • AUDIENCE: The one that's accepted

  • by the majority of the network.

  • NEHA NARULA: The one that's accepted

  • by the majority of the network.

  • How do we know which one is accepted

  • by the majority of the network?

  • It gets extended, OK, great.

  • So that's a really good way of looking at it.

  • Before we go into what that means,

  • do people understand why if this state were to persist

  • it would be a really bad situation?

  • One thing that we could have, given

  • that there's two blocks, what that really means

  • is that we have two versions of history.

  • We have two versions of the ledger

  • if these two things are not the same.

  • Different coins might be spent on one side of the fork,

  • versus on the other side of the fork.

  • In fact, the same coin might be spent in two different people

  • on either sides of these forks.

  • And so over here, Alice might be spending her coin to Bob.

  • Over here, Alex might be spending that same coin--

  • and, remember, coins can only be spent once.

  • Even if Alice has other coins, she

  • specifies which coin she's spending.

  • Alice might spend that coin over to Carol.

  • And so if Bob sees this, he thinks he got paid.

  • If Carol sees this, she thinks she got paid.

  • And we violated one of the fundamental tenets

  • of the blockchain, which is not to double spend coins.

  • You can't create money out of nowhere.

  • If these two things would persist,

  • if we don't resolve this fork somehow,

  • then we literally have two different versions

  • of the same currency.

  • This is kind of as though I took the money

  • in my pocket, my dollar bill, and I xeroxed them all,

  • and managed to convince some people that the Xerox was also

  • real.

  • This is the exact same thing as what's

  • happening when you have these two things persist.

  • OK, so how do we fix it?

  • Well, which is the right one?

  • And just given what I've shown you right here,

  • it is not clear which is the right one.

  • And like I also said, this happens all the time

  • in the bitcoin network because the bitcoin network

  • is probabilistic.

  • So the way that people figure out which one is the right one

  • is they wait.

  • They wait and see which side gets extended.

  • And by the nature of probability,

  • one side is going to eventually win out, and get extended

  • more often than the other side.

  • It's very unlikely for two forks to randomly sort

  • of probabilistically exist at roughly the same way

  • for the same amount of time for very long.

  • Now, as someone said, you might look at this.

  • How do you distinguish between these two things?

  • There is this common idea that in blockchains we

  • take the longest chain.

  • Longest is a little bit misleading actually.

  • It's not the longest chain.

  • It's the heaviest work chain.

  • So we pick the chain that has the most proof of work

  • on it, even if that happens to have

  • a smaller number of blocks.

  • Usually that's not the case.

  • That's not what happens.

  • The reason for that-- does anyone

  • know why we take the heaviest chain instead of the longest

  • chain?

  • AUDIENCE: So that nobody can cheat and lower

  • the level of difficulty.

  • NEHA NARULA: Right, so it's not very easy to do this.

  • But over time, someone could slowly

  • decrease difficulty level, and then

  • create a nice, really long chain with many low difficulty

  • blocks, and then say, hey, I've got the longest chain.

  • I have the most number of blocks.

  • Despite the fact that your chain has more proof of work on it,

  • you should all take my chain.

  • And they could do that with less than a majority

  • of the hash power.

  • Now, this is not easy attack to do.

  • But it is a possible attack.

  • And so that's why we take the heaviest chain, which

  • represents the most hash power in the system, the majority

  • of the system.

  • So forks happen all the time.

  • Forks are normal.

  • The way that people who see forks decide

  • which side of the fork to use, is they

  • check and see which one has the most proof of work,

  • the heaviest proof of work.

  • Now, one thing that's kind of cool,

  • is, as you probably learned about two classes ago,

  • even SPV nodes, even clients, can

  • tell which chain has the most proof of work

  • simply by looking at the headers, the block headers.

  • They can see what the difficulty is.

  • And they can measure for themselves

  • which side of the chain has the most proof of work.

  • They don't even need all of the chain.

  • So this is a nice property of light clients,

  • is that they can download all of the block headers

  • and immediately tell which side of a fork

  • has the most proof of work.

  • Great, we call the block that ends up-- so what

  • do we do with this block?

  • Does anyone know what actually happens with this block?

  • Anybody?

  • OK, so this book is basically abandoned.

  • This block is just left.

  • It exists.

  • It points into the chain.

  • That's great.

  • In bitcoin, in particular, it's meaningless.

  • It doesn't mean anything.

  • Every transaction that was in that block

  • is not considered to have happened.

  • So those transactions need to be replayed

  • on the chain that ends up being the longest chain.

  • And this happens, like I said, all the time.

  • We call that block an orphan, because it doesn't have anyone.

  • It's kind of the wrong way around.

  • I mean, I think of this as a child.

  • But, whatever, this block doesn't have a parent.

  • But we call those blocks orphans.

  • And, again, remember, we pick the side

  • of the chain that ends up having the most proof of work.

  • Now, we draw these figures in two different ways.

  • Sometimes we draw the figures like this,

  • like there's this blockchain that exists out there,

  • that is written down, and that everyone is sort of looking at.

  • There's one blockchain.

  • But this isn't a logical representation.

  • In reality, there are many, many, many, many different

  • blockchains.

  • In fact, every node in the system

  • has its own version of the blockchain.

  • And it's what those nodes are doing together

  • that ends up deciding what the blockchain actually is.

  • So if these are nodes that are running the bitcoin protocol,

  • and when I say nodes, what's the difference

  • between a miner and a node?

  • AUDIENCE: Nodes verify transactions,

  • but miners push blocks.

  • NEHA NARULA: Exactly, so miners actually

  • create blocks in the system.

  • Miners have write access to the blockchain.

  • They actually produce new blocks.

  • People think a lot about what the miners are,

  • and what the miners can do.

  • And there's a lot of game theory thinking about the miners.

  • And, oh, what if they collude, but the hash power does this?

  • And sometimes we forget that nodes in the bitcoin network

  • are actually incredibly important too,

  • because it's the nodes in the bitcoin network

  • that are now creating blocks.

  • And, to be clear, someone could be a miner

  • and a node at the same time.

  • They're distinct roles.

  • The same entity could certainly run a node and be a miner.

  • But nodes are doing something really important

  • as well, which is they're reading all of the blocks.

  • And they're deciding which side of a fork to take,

  • and which blocks to accept and which blocks not to accept.

  • So let's say that these are all bitcoin nodes.

  • And this is what the blockchain looks like right now.

  • And we've used this figure multiple times.

  • Every block has a previous hash, which acts as a pointer

  • to the previous block.

  • Every block has a set of transactions.

  • And every block has a nonce, such

  • that when you take the hash of the block header,

  • you end up with something that has a sufficient number

  • of leading zeros.

  • It has valid proof of work.

  • So let's say that this is the state of the system right now.

  • And then, we see this new block come along.

  • So what happens here is that a miner has produced this block,

  • and has sent it out over the bitcoin network.

  • They've started gossiping the block around the bitcoin

  • network.

  • And so every one of these nodes, hopefully, will eventually,

  • if they're well connected, will see this block.

  • They're going to see the block at different times.

  • And they're each going to make an independent decision

  • about the block.

  • So every node is going to decide when it sees

  • this block what to do with it.

  • And there's basically two things it can do with it.

  • One, it can add it to its own local version

  • of the blockchain.

  • And number two, it can reject it.

  • Does everyone see why that is?

  • So sure, every node is maintaining this local copy

  • of a blockchain.

  • There is no single, global copy that everyone

  • is referring to physically.

  • There's no single database running the blockchain.

  • Every node has its own local copy of the blockchain.

  • Every node is making its own local decisions about

  • whether or not a block is valid, and about whether or not

  • it's going to add that block to its own local copy

  • of its blockchain.

  • So the way that the node decides this

  • is that it has a set of validation rules.

  • So it has its own set of rules, which are specified

  • by the bitcoin protocol.

  • And it checks that block against its set of validation rules.

  • So every node, every bitcoin node,

  • is constantly validating, constantly validating blocks.

  • Here are just some of the validation rules.

  • And we've talked about a lot of these sort of off and on

  • during the class.

  • So first of all, there's a max block size.

  • And the way that this works is if at any point

  • you fail one of these validation rules, you reject the block.

  • So first, the block has to be smaller than this variable max

  • block size.

  • At the moment, max block size is set to 1 megabyte.

  • Every single transaction in the block also has to be valid.

  • And what does that mean?

  • Well, it needs to be formatted a certain way.

  • And it also means that when we concatenate the script pub

  • key and the script sig together, and then run that

  • through the interpreter to evaluate

  • the script on the stack, it ends up returning true.

  • And if at any point, any transaction-- and not just

  • any transaction, any input in any transaction,

  • does not satisfy this, we reject the entire block.

  • Another thing that each transaction

  • needs to satisfy if it's valid, is if the transaction specifies

  • an end lock time, than that end lock

  • time needs to be greater than whatever is specified

  • in the transaction.

  • That transaction is now is now far enough in the future

  • that it can be satisfied.

  • The block as a whole needs to have valid proof of work.

  • So it needs to have a nonce, such

  • that when you hash the block header,

  • you end up with a hash that has a certain number of leading

  • zeros.

  • And what's really interesting is the protocol also

  • specifies exactly how many leading zeros there need to be,

  • depending upon how many leading zeros there have

  • been in blocks in the past.

  • There cannot be any double spends.

  • So given the version of the blockchain that I, as a node,

  • have, this better not be double spending any outputs.

  • There are some rules around what the block

  • can have as its timestamp.

  • It cannot be more than--

  • if I see a block that has a timestamp that's

  • more than two hours in the future from my own timestamp,

  • I will reject it.

  • And if it isn't after some point that's

  • the median of the previous block's timestamps,

  • then I'll also reject it.

  • And, of course, the block needs to actually point to a block

  • that I've seen before.

  • And as a node, I will keep around

  • blocks which have a previous hash pointer that I

  • don't know about.

  • But I'm not going to keep them around forever,

  • because that's a potential Dos attack.

  • And in order for me to actually insert this block

  • into my version of a blockchain, I

  • need to know which block to put it after.

  • Note also, note what's not on here

  • is that it needs to be the only block pointing

  • to a previous block.

  • I'll keep around multiple blocks at the same level

  • until I have some sense of which one is going to win out,

  • because of the probabilistic nature

  • of maybe this block I'm seeing is not going to end up

  • being part of the blockchain.

  • Maybe it's going to be an orphan.

  • So these validation rules are what

  • are called consensus critical rules in the bitcoin network.

  • And what that means is that if you want to tweak these rules,

  • if you want to change them, then you

  • may end up changing which blocks nodes will accept,

  • and which blocks nodes won't accept.

  • Now, something that's kind of interesting to note here

  • is that the entire script interpreter in bitcoin

  • is consensus critical.

  • Yes?

  • AUDIENCE: If you reduce the amount of transactions,

  • does that reduce the size of the blocks as well?

  • NEHA NARULA: Yes, it can.

  • Yes, so you can definitely have a block--

  • so that's a great question actually.

  • So let's say that we had a block that was half a megabyte.

  • What would nodes do?

  • What do you think?

  • AUDIENCE: I think an advantageous miner would

  • potentially process it faster.

  • NEHA NARULA: That's true.

  • What would you as a node do.

  • If you're running the bitcoin protocol as it exists today,

  • and it has the following set of rules,

  • and I hand you a block that's half a megabyte,

  • what would you do?

  • You would say OK, exactly, because the rule that I

  • specified here just says the block has

  • to be less than 1 megabyte.

  • It didn't say it has to be greater than anything.

  • And is half a megabyte less than 1 megabyte?

  • Yes, so you're going to pass the checks.

  • And you're going to accept the block.

  • AUDIENCE: Is that a good thing for miners, so

  • maybe remove the transactions from a potential block,

  • because they want to process it faster?

  • NEHA NARULA: Sure, so the question is, should miners

  • remove transactions from a block,

  • or perhaps not put transactions in a block,

  • because it seems like they could process a small block faster

  • than a large block, right?

  • So that is very true.

  • Miners, if there are fewer transactions,

  • they have fewer things to verify.

  • So they can check and see if the book is valid faster.

  • However, the fewer transactions, the fewer the transaction fees.

  • And so the less the miner will earn from the block.

  • Yes?

  • AUDIENCE: And also, the energy put in, most of it mining,

  • is like mining the block, not actually verifying.

  • NEHA NARULA: Yeah.

  • So verifying transactions is nowhere near as CPU-intensive

  • as it is to actually find the nonce

  • and produce the proof of work.

  • However, miners should verify transactions

  • before even starting that process.

  • And so if a miner didn't verify transactions,

  • they would get a head start on the proof of work process.

  • So there's that sort of balance.

  • And, in fact, I think we've talked about this in this class

  • before, there have been times in history

  • where things have happened that have shown that miners actually

  • haven't been verifying blocks.

  • They'll just mine on whatever.

  • It's caused some problems.

  • And they ended up losing a lot of money

  • because they should have been verifying blocks.

  • Great.

  • So these rules are what are called consensus critical.

  • They are the rules that each node independently

  • uses to decide whether or not they're

  • going to accept the block.

  • Yes?

  • AUDIENCE: When you talk about nodes,

  • you talk about SPDs, right?

  • NEHA NARULA: No.

  • I'm not talking about SPDs when I talk about nodes.

  • I'm actually talking about full nodes.

  • So I'm talking about nodes that are holding

  • onto the entire bitcoin blockchain, that

  • are looking at every block, every transaction.

  • AUDIENCE: So the difference between a miner

  • and and a node are [INAUDIBLE]?

  • NEHA NARULA: A miner--

  • yeah, they're distinct roles.

  • So a miner is running this proof of work algorithm

  • to try to find--

  • to produce blocks.

  • A full node does not write blocks.

  • It doesn't create new blocks.

  • It receives blocks, and then validates them, or not,

  • and adds them to its local copy of the blockchain.

  • A miner might also be running a full node.

  • Yes?

  • AUDIENCE: Miners should be running full nodes.

  • NEHA NARULA: Yeah, they should be.

  • But it's not clear that that happens, for the reasons

  • we were talking about before.

  • I'm sorry?

  • AUDIENCE: You can force miners to [INAUDIBLE]

  • NEHA NARULA: OK, so let's go back to this image right here.

  • These nodes are all running some version of the software.

  • They see this transaction.

  • And they say, yes, this looks like a valid transaction to me.

  • And note that they have to--

  • or, sorry, block.

  • They look at this block.

  • Yes, this looks like a valid block to me.

  • And note that they kind of have to evaluate

  • that block with respect to all of the other blocks

  • that it's seen.

  • No double spends, all of the scripts eggs, the script pub

  • keys, work out correctly, it's the right size, et cetera,

  • et cetera.

  • And then once it's decided that that's all OK,

  • each node will independently make the same decision

  • to add that block to its blockchain.

  • So you can see here that determinism is actually

  • really important.

  • It can't be the case that there's

  • any randomness in this process.

  • It can't be the case that sort of randomly,

  • depending on the time of day, one node will decide

  • this is a valid block, one node will

  • decide it's not a valid block.

  • That's not the greatest situation to have happen.

  • We want this to be as deterministic as possible.

  • We want them to all independently arrive

  • at the same decision.

  • Great.

  • So this is how validation works.

  • This is what nodes do.

  • Major problem, though-- sometimes,

  • we need to change the validation rules.

  • Sometimes, we need to upgrade the software.

  • I mean, software is not a static thing.

  • The software that these nodes are running,

  • there's going to be bugs.

  • There might be security vulnerabilities.

  • We might want to add new features.

  • And so we're going to want to change the validation rules.

  • It's pretty much inevitable.

  • And, yet, given the nature of the system,

  • we can't upgrade every single node at the same time.

  • So I think a useful analogy here, something to think about,

  • is actually browsers.

  • So web browsers-- right now, a lot of people run Chrome.

  • But not everyone runs Chrome.

  • And Chrome actually has auto update

  • where it will push changes to your browser.

  • Google will automatically upgrade you.

  • But the way the browsers used to work

  • is that you didn't always have auto update.

  • Or it would bother you, and ask you

  • if you were OK with auto updating before.

  • And people would say, I don't deal with this right now.

  • I'm in the middle of something.

  • I don't want to auto update my browser,

  • and have to restart the whole thing.

  • And so what would end up happening

  • is you'd have significant numbers of people on very

  • different versions of browsers.

  • And this was kind of a disaster for the internet,

  • because people who were developing websites,

  • they wouldn't have any confidence

  • that the majority of their users,

  • or a significant majority of their users,

  • had upgraded to the new features.

  • So they had to support all these old versions of browsers.

  • And it was a nightmare.

  • So that's what we're dealing with here in cryptocurrencies,

  • except it's even worse.

  • So you definitely cannot guarantee that everyone will

  • upgrade their software at the same time.

  • You can't guarantee that everyone will even

  • upgrade ever.

  • And so the designers of the software,

  • when you want to create a new version of software,

  • you have to think really, really carefully about it.

  • So let's say that we're in this situation right

  • here, where these three nodes are running V1 of the software.

  • The developers have worked out V2.

  • V2 has some interesting new features,

  • which slightly changed the validation

  • rules about what a node running V2 will

  • consider valid or invalid.

  • So now, when we see this new block, and we ask the question,

  • is this block valid, these nodes might make different decisions.

  • In particular, maybe the old nodes will think it's valid.

  • Great, passes all the validation rules.

  • I will append this block to my blockchain.

  • And the new node will not think it's valid,

  • and will say, garbage block, fantastic.

  • I will not append this block to my blockchain.

  • And what we end up with when this happens

  • is we have two different versions of history.

  • The nodes running the old version of the software

  • think that there are four blocks in the blockchain.

  • The nodes that are running the new version of the software

  • have decided that that block is invalid.

  • And they only have three blocks in the blockchain.

  • So what does this mean?

  • First of all, is this like the situation we saw before,

  • where if we just wait for enough proof of work

  • this will sort itself out?

  • What do you guys think?

  • I'm seeing some people shaking their heads.

  • And, yes, this situation is different than the situation

  • we saw before, because the situation

  • we saw before, all the nodes still had the same validation

  • rules.

  • They just saw the blocks in different orders,

  • or they got later, whatever.

  • All of that can be resolved by looking at the proof of work.

  • Sometimes when this happens, sometimes

  • when nodes are actually running different versions

  • of validation software, things can

  • be resolved by just looking at proof of work.

  • But quite often, actually, they can't.

  • And so in this situation, what might happen

  • is another block comes along.

  • So this is a different block than this one.

  • And this set of nodes might decide

  • that this is the next block in the blockchain,

  • whereas the blue nodes will never, ever, ever validate

  • this block.

  • They will never decide that this block is valid,

  • given the version of the software they are running.

  • They will never switch to a blockchain

  • that has this block in it, even if it

  • has the most proof of work.

  • So I think this is a really important point.

  • And I think it sort of fundamentally

  • gets to why miners don't actually

  • have as much power in the system as one

  • might think that they do.

  • And the reason for that is that the way bitcoin is designed

  • is that a node will never accept a chain with a single invalid

  • transaction.

  • If, according to its set of rules,

  • a single transaction is invalid, it will completely

  • ignore that chain.

  • Doesn't matter if it has the most proof of work.

  • Does that make sense to everyone?

  • It's kind of intense.

  • It's kind of crazy, right?

  • Like, even if it has mountains upon mountains

  • of proof of work, it will completely

  • ignore that chain because there's

  • something invalid about it.

  • So miners can mine what they want.

  • But they better mine within the validation rules

  • set of the economic majority of the nodes.

  • Otherwise, those nodes are all going

  • to ignore whatever they mine.

  • And their money is not going to be worth anything.

  • Great.

  • So in this situation, we end up with two different blockchains.

  • And we actually end up with something quite irreconcilable,

  • unless we change the software again, somehow.

  • And what we've ended up with that's irreconcilable

  • is we now have a block over here, and a block over here.

  • This node will never accept a chain with this block in it.

  • And so we've got two different blockchains.

  • So when this happens, we call it a fork.

  • Now, the word fork can be used to mean many different things

  • in software.

  • For example, you fork a project on GitHub.

  • When you fork a project on GitHub,

  • you might make changes to it.

  • This is a little bit different because of the linearity

  • of history here.

  • When a fork happens in a cryptocurrency,

  • in particular a sort of a fork that can't easily be resolved,

  • that isn't just going to, oh, one

  • side has more proof of work, OK, great

  • we're all going to switch to that other side.

  • When you have a fork that can't be resolved

  • that easily then it's actually a pretty big deal,

  • because like we were saying earlier

  • we now have two versions of history, two different versions

  • of money.

  • It's like I took the dollar from my wallet,

  • and I photocopied it.

  • And now there's $2 where there was only one.

  • So maybe you like this kind of dollars.

  • Maybe you don't like that kind of dollars.

  • We've basically taken this entire network

  • that all sort of agreed on what this form of money was,

  • and we've divided it into two.

  • So there's two different kind of forks

  • that people will talk about mostly in this industry.

  • But forking is actually much more complicated than that.

  • You can't just talk about forks as

  • in-- so the two different kinds of forks

  • are soft forks and hard forks.

  • And I'm going to explain what a soft work is,

  • versus a hard fork.

  • But, actually, that delineation, it

  • gets much more nuanced because different things happen

  • in a soft fork versus a hard fork,

  • depending upon who's decided to adopt the rules.

  • OK, so a soft fork--

  • a soft fork is a fork which is backwards compatible.

  • So we have some rule set.

  • And under that rule set you apply

  • that rule set to every single possible one megabyte

  • chunk of data.

  • And we're going to end up with some set of what

  • are valid blocks.

  • A soft fork is when you add rules to the rule set,

  • such that the set of valid blocks actually shrinks.

  • So what does that mean?

  • We had a whole bunch of rules before.

  • Blocks have to be less than 1 megabyte.

  • Transactions all have to be valid.

  • It means that their scripts certify, like validate,

  • under the certain script interpreter,

  • et cetera, no double spends.

  • Let's take one of the rules that's actually pretty simple,

  • which is that blocks have to be less than one megabyte.

  • Let's say that I change that to blocks

  • have to be less than two megabytes.

  • Is that a soft fork?

  • AUDIENCE: Yes.

  • NEHA NARULA: Oh, wow, there's some actual dissent over this,

  • right?

  • OK, so someone who says no, why is the answer no?

  • AUDIENCE: Because you have something that is now accepted

  • that wasn't accepted before.

  • NEHA NARULA: Right, so remember, valid blocks

  • before newly valid blocks fit inside of this.

  • Now, someone who said yes it's a soft

  • fork, why do you think that?

  • AUDIENCE: All blocks still have less than two.

  • NEHA NARULA: Right.

  • So it's actually not a soft fork.

  • And the reason that it's not a soft fork

  • is because a block that is 1.75 megabytes, previously,

  • the old rule set, was invalid.

  • New rule set, it's valid.

  • But we just said everything that's newly valid

  • has to fit inside what used to be valid.

  • So a soft fork is restricting the set of valid things.

  • You can think of it as expanding the set of rules

  • that a block now has to comply with.

  • So a feature of this is that if you don't upgrade--

  • so V1 is the old rule software.

  • V2 is the new rule software.

  • If you don't upgrade, you will continue

  • to see the new blocks as valid.

  • And this is actually a very nice property,

  • because, remember what happened over here,

  • we had this property where the people on the blue side

  • were just never, ever going to accept

  • one of these blockchains.

  • And if it were the case that this were a soft fork,

  • the old side would never, ever--

  • well, if this sorry, if it were the case

  • that this weren't a soft work, the old nodes

  • would never accept this new stuff.

  • So soft forks are really nice, because they're

  • backwards compatible.

  • Old nodes will still see the new blocks as valid.

  • They won't reject them.

  • If that chain gets a ton of proof of work,

  • then the old nodes will happily switch over to that chain.

  • So, what does that mean?

  • So let's say that the black nodes are the old rules,

  • and the blue nodes are new rules, new rule blocks.

  • And, again, we have to look at this from two

  • different perspectives.

  • There are the people creating the blocks.

  • And there are the people reading the blocks.

  • And sometimes those are the same people.

  • Sometimes, they're not.

  • So we're looking at blocks here.

  • So these are people who are creating the blocks.

  • And, again, both of these sets of people

  • might upgrade or not upgrade.

  • So we might have miners who are following the old rules

  • and miners who were following the new rules.

  • Then we might have validating nodes

  • who are following the old rules, and validating nodes who

  • are following the new rules.

  • And this is not even talking about SPV yet.

  • OK, we're just talking about miners.

  • And we're talking about nodes.

  • So let's say some of the miners upgrade to the new rules,

  • but not all of the miners upgrade to the new rules.

  • The miners who didn't upgrade to the new rules

  • are going to continue producing old rule blocks.

  • They're going to continue producing V1 version blocks.

  • But if the majority of miners upgrade to the new rules,

  • remember, the new rule people have new rules.

  • So they have more restrictions on the set of blocks

  • that they will accept.

  • So they might not see that block as valid.

  • So they're never going to accept that chain, because it

  • has invalid things in it.

  • Once you've upgraded, you might no longer

  • accept the old chain as valid.

  • And so what's going to end up happening

  • is something that looks very much like the orphaning

  • situation that was happening before,

  • where if the majority of the hash powers, which

  • is over here, this chain is going to keep going bigger.

  • These guys might keep trying to produce old style blocks.

  • But they just keep getting orphaned off.

  • It's actually like very much in their economic interest

  • to hurry up and upgrade, so they're not wasting hash power

  • on orphan blocks.

  • Are there questions about soft forks?

  • Yes?

  • AUDIENCE: So are soft forks also used

  • for changing software other than validation?

  • NEHA NARULA: Yes, that's a great question.

  • Are soft forks also used for changing software other

  • than validation?

  • So we can certainly upgrade more than just the validation

  • parts of the bitcoin software.

  • If it doesn't change the set of blocks that would be accepted

  • or not accepted, we don't even bother calling it a fork.

  • So let's say that we wanted to change something about the peer

  • to peer network, or the way that things are stored on disk,

  • or something like that.

  • We would see that a change like that,

  • if it didn't change the set of blocks that would have been

  • accepted or not accepted, if after the change

  • a set of blocks accepted or not accepted is the exact same,

  • we don't call that a fork, a change that induces a fork.

  • It's only when the set of blocks are accepted or wouldn't be

  • accepted are actually changed.

  • Yes?

  • AUDIENCE: How often do updates get pushed on the network?

  • NEHA NARULA: Great question.

  • How often do updates get pushed on the network?

  • So Bitcoin is at version 0.16 right now.

  • And 0.16 came out like a week or two ago.

  • And I think it's sort of been on the order of a couple months

  • between different versions of Bitcoin.

  • Other cryptocurrencies release more frequently.

  • Some release less frequently.

  • Some do forks very, very regularly.

  • And we'll speak a little bit about that.

  • But the software is pretty much constantly getting updated.

  • Yeah?

  • AUDIENCE: So in practice, people are just

  • updating their versions?

  • NEHA NARULA: Yeah, so in Bitcoin in particular,

  • Bitcoin does not have an auto update function.

  • So in order to run the new version of the software,

  • you have to decide that you're going

  • to run the new version of the software.

  • Or there might be a way to decide to turn auto update on.

  • I can't remember.

  • But the point is that they try to leave it

  • in their user's hands.

  • Yes?

  • AUDIENCE: How are versions created?

  • So if you like on the GitHub, there are a ton of features,

  • and sometimes they're pushed forward.

  • Is there a subreddit, where they're like, OK, version?

  • NEHA NARULA: OK, how are versions created?

  • It's actually very similar to any other software project,

  • where the people who work on the software project

  • get together, and decide which pull requests are going

  • to be part of the new version.

  • So, yes, at some point, they're just

  • like, new version, release.

  • Yeah?

  • AUDIENCE: Do software get released as updated versions?

  • NEHA NARULA: Yes, soft forks are definitely

  • released as updated versions.

  • So that's a great question.

  • I think not every version has a soft fork in it.

  • But if there is a soft fork, it will definitely

  • be a new version.

  • Yes?

  • AUDIENCE: Why can't this black miner

  • not just look at the version in the blue block

  • and decide not to?

  • NEHA NARULA: Because it's not a blue block.

  • So you're talking about here, right?

  • OK, so the nodes are running different software.

  • And then a block comes along that--

  • ideally, yes the block would have a version number in it

  • that specifies which version of the software.

  • And this is a very useful field in the block header.

  • But that's not really--

  • so what it has a different version?

  • AUDIENCE: If it's lower than mine--

  • sorry, higher than mine, then I don't do it.

  • Then I won't update first.

  • NEHA NARULA: What do you mean by don't do it?

  • You mean, you ignore it?

  • AUDIENCE: No, I [INAUDIBLE] myself,

  • because I see that a higher version is in circulation.

  • NEHA NARULA: So that would be one way

  • of running the network, which is if I ever see anything that

  • indicates that there's newer software out there,

  • I just realize I'm old, and that I need to update.

  • I think that Bitcoin simply made a different design

  • decision, which was that older nodes should still be able to--

  • because think about nodes that were sort of set it

  • and forget it, they're out there running.

  • One tenant that is absolutely true

  • is that users will not upgrade.

  • They will not all upgrade.

  • It just won't happen.

  • You will have old versions of software running.

  • And given that you will have old versions of software running,

  • I think it's a question as to whether or not those

  • nodes should still be a part of the network,

  • or whether you just want to slice them off

  • because they're not running the latest version.

  • And I think in Bitcoin, they want

  • those nodes to still be a part of the network.

  • They want people to be able to make the active decision not

  • to upgrade.

  • Tadge actually, I think is still running 0.13, or some older

  • version of Bitcoin.

  • Still works great.

  • He can still validate transactions totally fine.

  • OK, so we just talked about soft forks.

  • And I think the important thing to remember about soft works

  • is that soft works are backwards compatible.

  • We also talked about an example that is not a hard fork, which

  • is if we decided that we wanted to allow blocks that

  • were less than two megabytes, instead of less

  • than one megabyte.

  • And so a 1.75 megabyte of block appears.

  • That is not a soft work.

  • What if we changed the rule to say

  • that, instead of only accepting blocks that

  • are less than one megabyte, we're

  • only going to accept blocks that are less than half a megabyte.

  • Is that a soft work or hard fork?

  • AUDIENCE: Soft fork.

  • NEHA NARULA: That's a soft work.

  • The reason that that's a soft fork,

  • is because a block that is less than half a megabyte

  • was also still less than one megabyte.

  • So it's still valid under the old set of rules.

  • So if the change made here was now we want smaller blocks.

  • So we're only going to take blocks that

  • are less than half a megabyte.

  • That's fine.

  • Everyone will still see this chain as valid.

  • This is still backwards compatible.

  • Just because your blocks are 300 kilobytes now

  • doesn't mean that they violate a rule.

  • AUDIENCE: Can I ask one last question in relation to that?

  • So what happens if I want to do something

  • with the old version, and [INAUDIBLE]..

  • And they realize, wow, I love [INAUDIBLE]..

  • NEHA NARULA: Right, so what happens

  • to all the previous stuff in my chain, right?

  • Now, ideally, the way that the rules

  • would be setup, the new rules, is that they would take effect

  • sometime in the future.

  • So you wouldn't apply those rules

  • retroactively to the things that you already put into the chain,

  • because then you just throw away all history.

  • And that would be kind of a bummer.

  • Instead, you say, after this block,

  • we are only going to accept blocks that

  • are less than half a megabyte.

  • AUDIENCE: So what happens if after that block,

  • so a majority of miners are running old software.

  • NEHA NARULA: Great question.

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: We'll get into that.

  • We'll get into what happens when the majority, versus minority,

  • of different parts of the ecosystem decide

  • to adopt the change, versus not adopt the change.

  • But first, we're going to talk about hard forks.

  • What is a hard fork?

  • A hard fork is not backwards compatible.

  • And so a hard fork is a fork where,

  • if this was the old set of rules,

  • under the new set of rules you actually accept

  • more blocks than you would have accepted before.

  • So just to be clear, under the new rules,

  • you might produce a block, which a node running

  • under the old rules will reject.

  • This is not backwards compatible,

  • because any chain that has this new type of block in it

  • will not be accepted by any of the old nodes, full stop.

  • It doesn't matter about proof of work at all.

  • OK, so the thing with hard forks is

  • that because they're not backwards compatible,

  • they're a little crazier and a little bit sort of harder

  • to manage in your network.

  • Because if you do a hard fork and not everyone upgrades,

  • you might end up with two chains, possibly forever.

  • If we assume that those nodes are not going to upgrade--

  • and let's say they're not upgrading because there's

  • no one really maintaining them.

  • Then they're not going to upgrade in the future.

  • And they're not going to upgrade to a change that

  • might fix what's going on here.

  • They're just going to keep doing their old time thing.

  • Then with a hard fork, these nodes

  • are never going to accept the new blocks.

  • It doesn't matter what the proof of work is on that chain.

  • So hard forks versus soft works--

  • hard forks, as I keep stressing, are not backwards compatible.

  • Guess what?

  • A fork can be a hard fork and a soft work at the same time.

  • Yay.

  • Super confusing, actually, because you

  • can both restrict the set of rules

  • and expand the set of rules at the same time.

  • Basically, it means it's a new, overlapping, but not entirely

  • inclusive or not inclusive, set of rules, very unfortunate.

  • In fact, most things should actually

  • be both, to avoid some of the things

  • that I'm going to show you in a minute.

  • Yes?

  • AUDIENCE: But then for all useful purposes,

  • isn't it just a hard fork, because that

  • means some nodes won't be inside the blocks.

  • NEHA NARULA: For all useful purposes,

  • it's not just a hard fork.

  • Let me see if I can--

  • The reason that it's not just a hard fork--

  • this is something that requires a little bit more thought.

  • It's not just a hard fork.

  • But I will think about how to explain this, and perhaps

  • say something on this.

  • Or, yeah?

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: It is.

  • But he's asking, isn't that just a hard fork?

  • And it's not just a hard fork, because I

  • think old nodes will do something different.

  • Ah, OK, so there's two reasons why it's not just a hard fork.

  • One is because of reorgs.

  • So different things will happen as the majority of hash power

  • starts to accept or not accept the change,

  • whether or not all nodes will switch over or not.

  • But if it's both a hard and a soft work,

  • they will never switch over.

  • But I think the question is whether old nodes can

  • even still function.

  • So I think one way to use combination

  • hard and soft works is to actually stop

  • the old nodes from being able to have blocks at all.

  • Like, you design things in such a way,

  • that given a majority of hash power moves over,

  • they're just going to end up with nothing.

  • But this is a really good question.

  • And we should go into more detail on this.

  • And I will try to figure out a way to get that to you guys.

  • OK, so who controls forks?

  • Yes?

  • Sorry?

  • AUDIENCE: The developers.

  • NEHA NARULA: OK, the developers, which I didn't even

  • write down as a note here.

  • OK, do the Bitcoin developers control forks?

  • Who thinks yes?

  • You're not even raising your hand.

  • Who thinks no?

  • Determines whether or not a fork is going to go through.

  • There's the Bitcoin developers, who are actually

  • writing the software, and who also

  • have a lot of influence in the system,

  • because presumably they understand it really well

  • if they're writing software.

  • So they can write some software, and decide

  • that they want to do a fork.

  • Does that mean that the fork is going to go through?

  • No, certainly not, everyone can ignore them.

  • And there have been situations in the past

  • where everyone ignored them for quite a long time,

  • and argued about it, and didn't push a fork through.

  • Well, miners are the ones who actually create the blocks.

  • Are they the ones who control forks?

  • I see a very strong head shake no.

  • Why do you shake your head?

  • AUDIENCE: So if the miners decide

  • to change what types of blocks they're putting out,

  • they can do that.

  • But the nodes that are actually validating it,

  • no one can say they're not going to accept it.

  • NEHA NARULA: Very true.

  • So as we saw before, there are times when nodes will not

  • accept a chain no matter how much proof of work

  • it has on it.

  • I think that's a very common misunderstanding.

  • The nodes run their own validation rules.

  • And so if I'm running a node, I can run whatever

  • validation rules I want.

  • And I can decide what chain is the one that

  • aligns with my interests.

  • Yes?

  • AUDIENCE: If you're doing a hard fork,

  • and you are accepting new blocks,

  • and they just never mined any blocks with those new rules.

  • NEHA NARULA: Exactly.

  • So there's certainly incentives in many different directions.

  • If all the miners decided to go to one side,

  • then I'm a full node with my side of validation rules

  • who has no new blocks.

  • Great, what am I going to do?

  • How am I going to make transactions?

  • How am I going to spend my money?

  • Also, let's say all the miners don't go to one side,

  • but most of them do, and most of the nodes go to the other side.

  • Then what am I going to do?

  • Who's going to listen to me?

  • Who's going to trade with me?

  • Who's going to take the coins on my side of the fork?

  • So I guess that's just to say that it's complicated.

  • There's the developers.

  • There's the miners.

  • There's nodes.

  • There's the users who determine the economic value

  • of these tokens, and which side they think

  • is more valuable or less valuable.

  • And we've seen this happen with lots

  • of cryptocurrencies multiple times.

  • And it's kind of exciting.

  • So Bitcoin has forked multiple times.

  • And every time it's forked so far,

  • it has created a whole new version of the coin.

  • So it's been like a pretty serious hard fork.

  • And so now, in addition to Bitcoin,

  • there's Bitcoin Cash, Bitcoin Gold, Bitcoin Diamond.

  • Ethereum also has fought.

  • In Ethereum's case, they tried to take along everyone

  • with them.

  • And so the hard fork was supposed

  • to be an upgrade to Ethereum.

  • But some people decided they didn't

  • want to go along with it.

  • So there's Ethereum Classic.

  • And there's Ethereum.

  • Both of them have value.

  • So it's really unclear who controls forks.

  • So now, let's talk about hash rate and forks.

  • So nodes are pretty--

  • OK, what nodes will do is they have a set of validation rules.

  • If a block validates under their set of validation rules,

  • they will accept it.

  • And if all the blocks validate under their validation rules,

  • they will accept the chain that those blocks are on.

  • And if there are two different chains where

  • all the blocks validate under their validation rules,

  • they'll take the one with the heaviest proof of work.

  • That's what nodes do.

  • So heaviest proof of work is clearly kind of important

  • here, if both sides of a fork validate.

  • So if both sides of a fork validate--

  • so we have to think about this from the perspective of nodes

  • who upgrade to the new software, and nodes who

  • don't upgrade to new software.

  • So it might be worth it to try to kind of write

  • this down a little bit.

  • So we have the old rule nodes, and the new rule nodes.

  • And let's just talk about one kind of work for now.

  • Now, let's say less than 50% of the miners upgrade.

  • And let's say greater than 50% of the miners upgrade.

  • OK, so let's use this chart, as we're

  • kind of trying to reason about what's

  • going to happen in the ecosystem for soft works and hard works.

  • So what happens if a soft fork does not obtain more than 50%

  • of the hash rate?

  • So we've got the old rules.

  • We've got nodes.

  • Some nodes have upgraded.

  • Some nodes haven't upgraded.

  • Less than 50% of the miners have upgraded.

  • So the old rule chain is going to be longer,

  • because they're going to continue mining

  • on the old rules.

  • By the way, sometimes they don't ignore things

  • with the new rules.

  • Sometimes they do.

  • It's very complicated.

  • But let's just pretend right now that they are ignoring things

  • with the new rules, because they haven't upgraded,

  • and they don't see that.

  • Or, sorry, they would see the new rules as valid.

  • But the majority of the hashing power is over here.

  • So what's going to happen?

  • Yes?

  • AUDIENCE: The benefits of the fork

  • aren't going to really be useful much, because be there'll

  • be some blocks with the new rules.

  • But the majority is just not going to change.

  • NEHA NARULA: Right, so it kind of depends on the soft fork.

  • So it depends on what the new rule nodes think of old blocks.

  • If they think that old blocks are still all valid,

  • then they're going to build upon old blocks just fine,

  • because they think they're valid.

  • If they think that old blocks are no longer valid,

  • then they're going to try to do their own chain.

  • But the majority of the hashing power is with the old side.

  • So they're just going to get reorged out.

  • Yes?

  • AUDIENCE: If it's a soft fork, but they also

  • think all the blocks are valid, how is it a fork at all?

  • NEHA NARULA: So an example of this

  • is taking what was an unused op code,

  • and now making it meaningful.

  • So it just so happens that none of the old rule nodes

  • ever used this silly unused op code.

  • Because they never used it, they never

  • had any invalid uses of the op code.

  • So the new nodes will still accept old blocks,

  • because none of them use this op code anyway.

  • But if they were to use the new op code,

  • and they used it as a no-op op code,

  • instead of what the new rules are then

  • it would be an invalid block.

  • Does that make sense?

  • So you have to think really carefully

  • about how you are designing these upgrades

  • to your software.

  • You have to think very carefully what

  • will happen to the old nodes.

  • What happens if 50% of the miners take this thing?

  • Well, under the old rules, was anyone actually using

  • this thing, that we are now maintaining

  • must be used in a new way?

  • Or pay to script hash is a good example of this as well.

  • Pay to script hash, technically, looks like you're just

  • paying to a hash.

  • So old nodes will see it, and say, OK,

  • if you can produce a signature that

  • shows that this is valid, blah, blah, whatever, whatever,

  • that's fine.

  • But nobody ever did that.

  • Nobody ever did that in a way that was

  • meaningful under the new rules.

  • No one ever used it.

  • So all the old things will still validate, simply

  • because no one ever did anything that

  • was under the subset of the new rules.

  • Sorry, this is very kind of complicated.

  • So what we have here is that if old rule blocks are still

  • valid, the software will get reorged out.

  • So no fork there, no fork there.

  • You're just not really going to end up

  • with stuff in the blockchain.

  • If old rule blocks are now invalid,

  • then we're going to end up with two chains.

  • Do people see why this is?

  • Because the new rule people are not

  • going to accept any chain that has an invalid thing in it.

  • So they're not going to reorg out.

  • They are going to continue.

  • And they are going to have their own chain.

  • And they're going to ignore all of the blocks

  • on the other chain, which they deem to be the invalid chain.

  • Yes?

  • AUDIENCE: Is this the case for Bitcoin Cash?

  • NEHA NARULA: No, it's not the case for Bitcoin Cash.

  • It's actually the case for something

  • called a user-activated soft fork, which the bitcoin

  • community threatened to do when the miners wouldn't

  • do a soft fork they wanted them to do.

  • They said, fine, you miners won't do the software

  • that we want you to do.

  • So, normally, people don't like the situation.

  • So you don't want this to happen.

  • So, normally, soft forks are written such

  • that if you don't get 95% of the miners to sign,

  • on the soft fork never activates.

  • So that's the way that, traditionally, soft works are

  • done in the Bitcoin ecosystem.

  • What does that mean?

  • It means 5.001% of the hash power

  • can stop a soft fork from going through.

  • So usually, things are written in such a way

  • that you really want to guarantee this two chain

  • thing never happens.

  • We see hash power is kind of voting.

  • And if you can get 95% of the hash power

  • to agree with the soft fork, then only will the soft fork

  • activate.

  • And the way that miners do this is they signal in their block

  • headers that they are going to adopt the soft fork.

  • And then the software is usually programmed in such a way

  • that it looks at some sliding window of block headers

  • to determine whether 95% of the hash power

  • has decided that they're going to go along with it.

  • And it only activates once that's the case.

  • So doing protocol upgrades is really hard.

  • It's not a trivial matter.

  • You don't just push some code.

  • So usually, it's the case that you

  • want to wait for a significant majority of the mining power

  • to indicate support for the soft fork.

  • And, by the way, they can indicate support

  • without actually running the soft fork.

  • This happens all the time.

  • But you want to wait for significant support

  • from the mining community before actually

  • activating the soft fork.

  • What happened recently with something

  • called Segregated Witness, which we'll talk about,

  • which was a soft fork to Bitcoin to introduce new functionality

  • that the miners opposed, was the community actually said,

  • forget it.

  • We are going to start running the new rules.

  • We're going to ignore you.

  • We don't care what the majority of the hash power does.

  • We are going to go ahead and create this two chain

  • situation, and follow the chain with the new rules.

  • Interestingly, this actually worked.

  • I think it was like 80 plus percent of the hash power

  • was not in favor of the soft fork.

  • And the users managed to create this kind of detente where they

  • forced everyone to go along with what they wanted,

  • super interesting.

  • They had no actual way to vote.

  • It was entirely sort of via Twitter.

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: Yes, so this is one of the major reasons,

  • and I think some of the strongest evidence,

  • that miners have nowhere near as much power

  • as you actually think they do in these ecosystems.

  • Certainly have power, and part of the power they

  • have is to do what's called an evil soft fork,

  • which I'm not going to talk about in this class,

  • but I think we probably should talk

  • about at some point in time.

  • OK, great.

  • Let's see.

  • OK, if the soft fork is greater than 50%,

  • old rule blocks will follow the new rule blocks automatically.

  • So we get soft fork successful.

  • We do not have two chains, because these will simply

  • be orphaned and abandoned.

  • And, in fact, there's actually pressure for the miners

  • to move over to the new rules so that their blocks aren't

  • abandoned.

  • Yes?

  • AUDIENCE: So [INAUDIBLE] making it easier

  • mine, are those considered types of forks?

  • NEHA NARULA: It depends.

  • So the question is around difficulty,

  • and the number of leading zeros required in the proof of work.

  • That changes all the time.

  • There's a formula which determines

  • what that number should be.

  • So, no, it doesn't require a fork.

  • But if you want to change the formula, that would be a fork.

  • Requiring more proof of work would be a soft work.

  • Requiring less proof of work would be a hard fork.

  • OK, now let's talk about hard forks.

  • So what happens if a hard fork doesn't

  • obtain 50% of the hash rate?

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: It depends, again.

  • It depends on if the old rule blocks are still valid.

  • So we're doing a hard fork.

  • We're changing the set of valid blocks.

  • If blocks are still valid under the old rules,

  • then we're going to end up with a situation like this.

  • If old rule blocks are still valid

  • according to the new rule nodes, then the new rule nodes

  • will just follow along.

  • OK, so basically no work happening here,

  • because the new rule nodes are going to produce blocks.

  • They're not going to have enough of the hash power.

  • And so they're not going to be considered valid

  • by the other set.

  • So they're going to end up following

  • along with the old rule nodes.

  • Yes?

  • AUDIENCE: Again, isn't the whole point of a hard fork

  • that you're expanding the set of things that are valid?

  • So aren't all old blocks going to be valid in a hard fork?

  • NEHA NARULA: Not if it's a combination hard fork,

  • soft fork.

  • So maybe I should split this up into

  • whether or not it's a combination

  • hard fork, soft fork, or not.

  • OK, so what happens if a hard fork doesn't obtain greater

  • than 50% of the hash rate?

  • What's going to happen then?

  • AUDIENCE: We'll be mining to the old rules.

  • NEHA NARULA: Yes, we're going to end up with two chains.

  • This is going to have chain--

  • whatever, the point is, there's going

  • to be an old chain and a new chain.

  • The old nodes are never going to accept the new nodes blocks.

  • And we're going to end up with two chains forever.

  • And this has happened multiple times.

  • Are there questions about hard forks?

  • Yes?

  • AUDIENCE: Are there ways for the hard fork to make life

  • really difficult for the smaller chain?

  • NEHA NARULA: Are there ways for a hard work to make life

  • really difficult for the smaller chain?

  • That is a good question.

  • I think it depends.

  • So there's multiple ways to make life difficult.

  • I think what you're asking is not,

  • what if the hard fork becomes more popular and more people

  • decide to move over to it, and abandon the smaller chain?

  • That's one way in which life could be more difficult.

  • But another way that life could be more difficult

  • is if the hard fork somehow made the previous chain no longer

  • a productive chain to be on.

  • And I think that the primary way that that would happen

  • would not actually be a hard fork,

  • but would be a combination hard fork, soft fork.

  • But there are definitely ways for miners

  • to play with hard forks and soft forks in such a way that-- see,

  • this is actually kind of ideal in some ways.

  • This is like, OK, we disagree on what the rules should be.

  • I want some new set of rules.

  • You don't want some new set of rules.

  • Fine, let's just split the ecosystem.

  • You guys go your way.

  • I'll go my way.

  • We'll have two different coins.

  • Life will be great.

  • What's kind of not so nice is when

  • one side tries to coerce the other side to go along,

  • which is kind of what a greater than 50% soft fork is.

  • You're kind of coercing the other side

  • to go along, because they have no way of opting out.

  • And there are ways that miners can make the side of the chain

  • with less harsh power basically useless.

  • This is totally something miners can do.

  • People talk about it occasionally.

  • It just doesn't seem like they figured out

  • that they can do it, or they haven't tried to do it.

  • I don't know.

  • Maybe they don't want to do it.

  • I'm not sure.

  • It would be pretty disruptive to the ecosystem.

  • OK, so question-- we've talked about what happens here

  • from the perspective of full nodes,

  • and from the perspective of miners.

  • What happens from the perspective of people

  • with wallets who might be running SPV?

  • What do we think?

  • Depends on which node they're connected to.

  • So one problem with SPV is that they don't actually

  • get the blocks.

  • So they don't actually validate blocks.

  • All they validate is proof of work.

  • Some changes that make a block invalid

  • might show up in the header.

  • But a lot of changes that might make a block invalid,

  • or new blocks valid, don't show up in the header.

  • So given what we've learned about how SPV works,

  • what happens when there's a fork?

  • So let's go back and take a look at what SPV wallets see.

  • They see the block headers.

  • You have to download all the headers, which

  • includes the nines for the proof of work,

  • the Merkle root for the transaction, timestamp,

  • stuff like that.

  • They also get Merkle paths for the transactions

  • that they've told the node they're interested in.

  • So what would happen if there were a soft work or hard fork?

  • What would happen to an SPV?

  • They don't really have a say in the situation.

  • They aren't really participating in validation.

  • They're not participating in mining.

  • And they're kind of at the mercy of whatever

  • node that they are talking to.

  • And, in fact, if they try to talk to multiple nodes,

  • they might get multiple different answers.

  • And they don't really know which answer is the right answer.

  • And this could get really tricky and complicated.

  • Now, I think probably it's fair to say

  • that the majority of the Bitcoin ecosystem, in terms of users,

  • actually does not run their own full nodes.

  • They interact with the Bitcoin network,

  • at best, through SPV, and at worst through a trusted

  • third party like Coinbase.

  • So what does the ecosystem have to say or do about

  • whether or not forks are accepted or not accepted?

  • Yeah?

  • AUDIENCE: They don't really have to.

  • NEHA NARULA: They don't really have a say.

  • They kind of I would say at like a meta level, in that users

  • can pressure Coinbase to start following Bitcoin Cash which

  • is a hard fork of bitcoin.

  • They kind of have a say at an economic level,

  • in that if Coinbase starts accepting Bitcoin Cash,

  • then the price of Bitcoin Cash will go up.

  • And so that's kind of a big deal.

  • But in terms of like a protocol level,

  • in terms of accepting or rejecting transactions,

  • they don't really have a say because they

  • can't see enough to determine whether or not

  • they're interested in following a fork or not following a fork.

  • In fact, it's even worse than that.

  • There were multiple situations where

  • we ended up with two chains.

  • So an SPV wallet might think that they received money

  • on one chain, and they didn't receive money

  • on the other chain.

  • So very bad things can happen to wallets and to SPV clients

  • during a fork.

  • And it's incredibly disruptive.

  • And people who create software on the behalf of users--

  • so not even running SPV, but like the Coinbase's

  • of the world, and the exchanges of the world--

  • they have to do a fair amount of work

  • to make sure that they aren't going to lose users' money when

  • there's a fork.

  • And the exchanges, and the Coinbase's of the world,

  • have screwed this up in the past.

  • There's been money lost.

  • There are ways to safely design your fork

  • so that it's less likely that wallets

  • will do the wrong thing.

  • But I think we're kind of just figuring out how

  • to really do that effectively.

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: Yeah, so this is kind of pretty bad,

  • because if Bitcoin is really going

  • to undergo a hard fork or soft fork,

  • everybody is paying attention.

  • If Ethereum is going to do it, everyone's paying attention.

  • But there's so many altcoins out there.

  • And, yeah, there's so much opportunity

  • for people to take advantage of the disarray that

  • happens when a fork happens.

  • So I think we're right in the middle of trying to figure out

  • best practices for handling forks safely, and also,

  • giving users some way of choosing what side of a fork

  • that they want, because there's this sort of thought

  • that eventually there will be economic pressure to--

  • for a long time, people thought that if Bitcoin hard forked,

  • one side would win, and the other side would go to zero.

  • And now, we've seen that that is absolutely not true.

  • In fact, when Bitcoin hard forked,

  • sometimes the total market cap of one side plus the other side

  • is bigger than the total market cap of what Bitcoin used to be.

  • So money is literally created out of nowhere.

  • So hard forking is very lucrative.

  • It literally gives every Bitcoin user more money.

  • So if you own Bitcoin within the past--

  • like, if you owned Bitcoin a year ago,

  • you probably have like four other coins right now.

  • I don't know.

  • You should go sell them, or sell the Bitcoin,

  • and buy the other coins, or whatever you want to do.

  • But the point is, you have more money

  • than you might have even known that you had,

  • because someone has done these forks.

  • Don't even like get started about the tax

  • consequences of this.

  • It's very confusing, extraordinarily confusing.

  • And people are trying to figure out what to do,

  • because you didn't ask for this fork.

  • Like, I as a holder of Bitcoin, didn't

  • decide that I wanted Bitcoin Cash to be a thing.

  • I didn't accept Bitcoin Cash.

  • But now, the same private keys I used to control my Bitcoin also

  • control the same amount of Bitcoin Cash.

  • It's kind of crazy.

  • Let's talk about forks in practice.

  • So soft forks in practice-- there

  • have been lots of soft forks.

  • Soft forks are very useful.

  • Soft forks are helpful.

  • This is the major way that people upgrade software.

  • And, again, the way that they do it

  • is they try to make sure 95%, or some huge majority

  • of the miners, are on board.

  • And that way, it's sort of like as non-disruptive

  • to the ecosystem as possible.

  • So pay to script has was a soft fork.

  • The introduction of Segwit was a soft fork.

  • In operation, check sequence verify

  • was added as a soft fork.

  • So that's kind of why they're all these like unused ops

  • out there.

  • In case we want to use one of them for something new,

  • we can do that with a soft fork.

  • Hard forks in practice--

  • there's lots of new Bitcoins, Bitcoin Cash, Gold, Diamond,

  • like I said.

  • Ethereum went through a really interesting hard fork.

  • And there's some cryptocurrencies that actually

  • hard fork quite frequently.

  • For instance, I learned the Monero hard forks

  • about every six months.

  • Vertcoin, how many hard forks have you guys done?

  • Three?

  • Three hard forks.

  • So, despite the way that I said that hard forks are

  • very disruptive, if you can get all the nodes to upgrade,

  • it's not really a big problem.

  • So for cryptocurrencies where the nodes are really well

  • connected, or they auto update, or things like that,

  • hard forks are much less disruptive.

  • So let's talk about the Ethereum hard fork for a moment.

  • So this happened two years ago--

  • a year ago?

  • I can't remember when this happened, two years ago,

  • I think, almost.

  • And so what happened was we haven't

  • talked a lot about Ethereum, so we'll

  • be coming to explain Ethereum in much greater detail.

  • But the point is Ethereum had a smart contract

  • which had a bug in it.

  • And someone hacked the contract, and started siphoning off ether

  • from the contract.

  • So the Ethereum team all got together, and decided,

  • we're going to rectify this wrong.

  • Now, rectifying the wrong--

  • I mean, I already said it's a hard fork.

  • But why is rectifying this wrong a hard fork not a soft fork?

  • AUDIENCE: Because you want to change history.

  • NEHA NARULA: Because you want to change history.

  • That's an interesting way of putting it.

  • And the way that we change history

  • is not by actually going back in time and editing history,

  • unless you are Accenture I guess,

  • which creates editable blockchains.

  • But the way that we edit history,

  • is we add something to the blockchain which

  • indicates that we're going to undo, or change, or rollback

  • or somehow create an operation, that

  • does something that effectively undoes

  • what happened in the past.

  • So the Ethereum developer got together.

  • And they originally tried to do this as a soft fork, actually.

  • So it could have been a soft fork.

  • And the way that the soft work would have worked

  • is that it just would have ignored

  • all of the transactions that were sort of--

  • I can't remember exactly how it worked.

  • But, basically, the general idea was, ignore

  • all of the transactions that might spend the hacker's money.

  • Ignore the transaction where people gave money

  • to the hacker, what ultimately became the hacker, which

  • is a new rule.

  • Now, you're shrinking the set of acceptable blocks.

  • And the problem was they realized

  • that if they did this as a soft fork, then

  • they were inadvertently creating an attack

  • vector, because people could now spam the network

  • and potentially waste the resources of the miners--

  • very challenging to do soft forks and hard forks correctly.

  • So they decided, OK, you know what?

  • We're just going to do it as a hard fork.

  • When this block comes about, block 1,920,000,

  • we are going to simply transfer around 12 million

  • either from the hacker's account into this other account,

  • this other contract, which is going to give the money back,

  • where people can reclaim their money.

  • So literally just hardcoded in this transfer.

  • 85% of the hash power in Ethereum went along with it.

  • So that means 15% didn't.

  • And that means that there are two currencies now.

  • There is Ethereum, and Ethereum Classic.

  • And they persist to this day, almost two years later.

  • And when I looked this morning, it was about a 30 to 1

  • ratio between Ethereum and Ethereum Classic.

  • Yes?

  • AUDIENCE: So Ethereum Classic says,

  • we are not OK with you guys undoing this hack.

  • NEHA NARULA: Exactly, so Ethereum Classic

  • says, we're not messing with people's accounts like that.

  • No, no, no.

  • What happened happened, fair and square.

  • We are not changing history.

  • And so in Ethereum Classic, the hacker has money.

  • On Ethereum, the hacker does not have money.

  • Yes?

  • AUDIENCE: [INAUDIBLE] one specific contract.

  • So the argument is we shouldn't be fixing people's mistakes.

  • They should learn--

  • Was this analogous to the Parity?

  • NEHA NARULA: Yes.

  • So here they decided, there was a bug

  • in someone's smart contract.

  • It was exploited.

  • We're going to give people their money back.

  • This happened again with a different type

  • of smart contract in a different way a couple months ago.

  • And they decided-- well, they could still decide to do it.

  • But so far, they decided not to give everyone's money back.

  • So there's about 90 million or something dollars

  • worth of ether that's locked up in these contracts,

  • due to a bug.

  • And in the case of the DAO, they decided, let's do it.

  • In the case of this Parity bug, they decided, let's not do it.

  • And if you talk to the Ethereum Foundation people,

  • they'll talk about governance.

  • And they'll say, well, we feel like this made sense

  • for these reasons.

  • But this doesn't make sense for these reasons.

  • But it's still it's a set of people

  • getting together and deciding whether or not

  • to give money back.

  • Yeah?

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: No, it's not the Ethereum Foundation.

  • The Ethereum Foundation was not a fan of Ethereum Classic.

  • It's a separate group of people.

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: No, actually, so it turned out,

  • interestingly enough-- and this was something

  • that I saw at a conference that looked

  • into who were the contributors to all

  • of these different forks, when trying

  • to understand governance?

  • It actually turns out that no one from the Ethereum

  • Foundation works on Ethereum Classic.

  • And no one who used to work on Bitcoin

  • works on Bitcoin Cash, Gold, or Diamond.

  • So it's entirely new sets of people.

  • Yes?

  • AUDIENCE: The former lead developer of Bitcoin core

  • is working on Bitcoin Cash.

  • NEHA NARULA: He's not actually.

  • You're talking about Gavin Andreessen?

  • Yeah, I don't think he actually makes commits to Bitcoin Cash.

  • AUDIENCE: In a general sense, he's

  • contributing on GitHub, not specifically

  • to any implementations.

  • But to protocol, block-level exchanges.

  • NEHA NARULA: Interesting.

  • Yes?

  • AUDIENCE: [INAUDIBLE]

  • NEHA NARULA: It depends on how you

  • define contribute, certainly.

  • This is a really interesting example of a hard fork.

  • In summary, just to wrap up here,

  • forks are extremely challenging.

  • Upgrading software in decentralized cryptocurrencies

  • is extremely challenging.

  • And so the lesson that I want you to take from this is,

  • unless you need what a decentralized cryptocurrency

  • has to offer, you will probably be better off not using

  • a decentralized cryptocurrency.

  • They are very hard to update.

  • They're very hard to upgrade.

  • There are frequently bugs.

  • And so I think that forks and the challenges around forks

  • are an excellent reason not to do this when you don't have to.

  • And also, what's really interesting, I think,

  • is that your traditional consensus systems

  • don't address this problem at all,

  • because your traditional distributed consensus

  • systems don't have any notion of what nodes

  • are going to find valid, or not valid,

  • or changing the rules of validity.

  • And so these problems really only

  • arise when you start to have these validity

  • rules that you're dealing with, and you

  • have nodes that might take one set of rules,

  • and nodes that might take another set of rules.

  • The consensus mechanism here ultimately

  • becomes irrelevant if you don't agree with the validity

  • of the blocks.

  • It doesn't matter that a majority of hash power

  • said that this is the blockchain.

  • It doesn't matter if a majority of signers

  • say this is the blockchain.

  • If you don't agree that the things in that blockchain

  • are valid, you're going to ignore that.

  • Majority be damned.

  • So it's very different than distributed consensus.

  • Okay, and so real quick, last thing...

  • on Wednesday we will have another guest lecturer. Her name is Sharon Goldberg.

  • She's a professor at Boston University and she's worked on a lot of really

  • interesting things. In particular, something really cool that she's worked

  • on is using the peer-to-peer network to create attacks in Bitcoin, and then very

  • recently she nor co-authors released a paper on peer-to-peer network attacks in

  • Ethereum. And so she's gonna be here to talk about the peer-to-peer networks

  • behind these things and to share some of the research that she's done.

The following content is provided under a Creative

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋

B1 中級

8.叉子 (8. Forks)

  • 1 0
    林宜悉 發佈於 2021 年 01 月 14 日
影片單字