
A simple explanation of Bitcoin “Sidechains” - nvk
http://gendal.wordpress.com/2014/10/26/a-simple-explanation-of-bitcoin-sidechains/
======
DavidSJ
Small point but:

> Bitcoin’s block interval is ten minutes so it takes about five minutes on
> average for a new transaction to find its way into a block

is wrong. The block interval is ten minutes _on average_ , but not ten minutes
uniformly. And in particular because hashing works via random trials whose
probabilities of finding a sufficiently long zeroed prefix are constant, the
amount of time since the last block is no information about how much more time
remains until the next one. It's _always_ ten minutes away from now, on
average, which means the average transaction takes ten minutes, not five.

The error here was in multiplying the average block interval (10 minutes) by
the average fraction of that interval remaining when transactions occur (0.5).
But the first operand is only valid if you assume the average block interval
weighted over all transactions is the same as the average block interval
weighted over all blocks, however transactions are over-represented among
blocks that take longer: on average a block which took 15 minutes will have
three times as many transactions as one which took 5.

~~~
gendal
Argghhh! This is EXTREMELY embarrassing... and you're not the first to point
it out. I've just corrected the post. Thanks :) Quick question: do I need to
return my mathematics degree certificate by post? Or do they send a courier?

------
DavidSJ
From the paper [1]:

> Essentially, an SPV proof is composed of (a) a list of blockheaders
> demonstrating proof-of-work, and (b) a cryptographic proof that an output
> was created in one of the blocks in the list. This allows verifiers to check
> that some amount of work has been committed to the existence of an output.
> Such a proof may be invalidated by another proof demonstrating the existence
> of a chain with more work which does not include the block which created the
> output.

which reads to me like embedding a full copy of the rules engine of one
blockchain inside the other, meaning 1) all chains likely need to be Turing
complete, and 2) a hard fork of one chain is a hard fork of all transitively
connected chains. These seem like undesirable properties to me, but it's
possible I've misunderstood something.

[1]
[http://www.blockstream.com/sidechains.pdf](http://www.blockstream.com/sidechains.pdf)

------
rainpl
I'm trying to get my head around it but one thing looks particularly
confusing.

The article says that "If the second blockchain has agreed to be a Bitcoin
sidechain, it now does something really special… it creates the exact same
number of tokens on its own network and gives you control of them."

Does "the exact same number of tokens" mean the same exact amount in Bitcoin?
Therefore, does it mean that there's no exchange rate and you always move
coins 1:1 between Bitcoin and a sidecoin?

This doesn't make much sense to me. How does the actual currency amount get
converted from BTC to a sidecoin?

~~~
semiel
There isn't any "sidecoin" here. One of the slogans for sidechains is
"altchains without altcoins". The idea is that you are in some sense still
using bitcoin tokens, even though you're doing so in an unorthodox way.

------
stepstep
What happens if a sidechain network is insecure, and someone creates coins out
of nowhere and integrates them back into the main bitcoin blockchain? Do
sidechains increase the surface area for bitcoin vulnerabilities?

~~~
gendal
My understanding is that the worst two things that can happen are: 1) an
attacker prevents a holder of bitcoins on a sidechain from reclaiming them on
the bitcoin network (e.g. by preventing the relevant transaction getting into
a block on the sidechain side)... this would be a net-plus for other bitcoin
holders, I guess... since they would then own relatively more of them. 2) an
attacker finds a way to release the coins on the bitcoin side. That would be
bad for the rightful owner, of course, but it has no impact on anybody else on
the bitcoin side.

------
habitue
Can anyone give the gist of how the bitcoin blockchain knows/cares that the
sidechain is not using them any more, and how it knows who to transfer them
to?

~~~
kolinko
With a small change to bitcoin protocol it should be possible in some cases.
But right now the only viable option is to use M of N oracles:

[https://github.com/orisi/wiki/wiki/Orisi-White-
Paper](https://github.com/orisi/wiki/wiki/Orisi-White-Paper)
[http://gavintech.blogspot.com/2014/06/bit-
thereum.html](http://gavintech.blogspot.com/2014/06/bit-thereum.html)

Basically, you choose a panel of up to 15 independent entities to verify that
the funds were locked indeed. The panel can be modified by a majority of votes
if some of the entities prove to be unreliable - kind of like the Supreme
Court works.

This obviously introduces a new vulnerability to the system, but is the best
solution available right now.

~~~
musername
well, if a vulnerabillity like this is the best it can do, I guess I will not
switch to the _best_ alternative to fiat, not anytime soon. /s

To be clear, IMHO it is a mitigation or heuristic, not a solution at all.

Disclaimer: slightly disgruntled and provokative because I don't really
understand the technicalities and a lot of hype makes it even more
unbelievable.

~~~
adrianmacneil
Note that this is only a compatibility measure (the equivalent of an IPv6
tunnel to move traffic between networks). The longer term solution is to add a
new opcode to bitcoin, which would natively support moving bitcoin between
sidechains.

------
tomwilde
Any side chain must therefore be able to generate currency out of the blue and
on-demand. This might be possible to do in other protocols but not bitcoin. So
the symmetry is basically lost. am I missing something?

~~~
joeyspn
The only thing that matters is that Y amount of sidechain issued
currency/protocol must be pegged to X amount of currency in the bitcoin
network. And this ownership must be verifiable by crypto. At the higher level,
it is basically a 2 way agreement.

The sidechain-coin could have many different features, for instance it could
be a clone of Ethereum and its "currency": "ether", being able to replicate
its functionalities like issuing subcurrencies or assets (out of the blue)
completely decoupled from the bitcoin blockchain. But the higher level
currency (the Y issued ether) is pegged to X amount of bitcoin.

The concept is not new and is similar to the proposed spin-offs...
[https://bitcointalk.org/index.php?topic=563972.0](https://bitcointalk.org/index.php?topic=563972.0)

------
williamcotton
How does mining and the coin generated by mined blocks work in a sidechain?

If a sidechain has a smaller blocktime and larger rewards, wouldn't that
undermine the two-way peg?

Or do sidechains not have their own mining?

~~~
adrianmacneil
Mining is entirely up to the sidechain. A simple sidechain could be merge
mined with bitcoin, and offer no block reward (only transaction fees). This
would allow the 1=1 exchange rate to be maintained.

If a different block reward is created, then the sidechain would need to be
inflationary (either the relative value of all bitcoin in the sidechain will
need to decrease, or in a network which natively supported multiple asset
types, the block reward could be denominated in a currency other than BTC).

Either way, the bitcoin blockchain will not allow more money to be withdrawn
from the sidechain than was put into it, so the sidechain creators must come
up with exchange rules which are fair to both those who import BTC into the
sidechain, and to the miners.

~~~
williamcotton
How can Bitcoin trust the sidechain?

How does the Bitcoin network keep track of the total currency amount and
therefor the inflation on the sidechain?

~~~
jdmichal
The Bitcoin chain only has to know how many Bitcoins exist in the sidechain,
and only that number of Bitcoins is permitted to be resurrected from the
sidechain's dead address. The rules for how units in the sidechain relate to
units on the Bitcoin chain don't matter; as long as the work is done to
resurrect a Bitcoin on the Bitcoin chain, then it will be resurrected and
decremented from the sidechain's count.

~~~
williamcotton
Step through this with me...

I've got 5 Bitcoins. I transfer all of them to a new sidechain for 50
Sidecoins. This Sidecoin sidechain has a different block reward. Let's say 3
weeks go by. Now there are 10,000 total Sidecoins. Let's say I've got 2,000 of
those Sidecoins because I've sold the rest. How do I convert them back to
Bitcoins? Can I only transfer 50 back? Can I transfer all 2,000 back? What are
they worth in Bitcoin now?

~~~
jdmichal
You freeze your 2000 Sidecoins. That is then converted into some number of
Bitcoins, the conversion of which is entirely dependent on how the Sidecoins
work. (Likely the ratio of the number of Bitcoins dedicated to the sidechain
to the number of existant Sidecoins.) A transaction is then submitted to the
main chain, submitting the required proofs that you have frozen / destroyed
the appropriate amount of Sidecoins to unfreeze a number of Bitcoins.

If the number of Bitcoins trying to be created exceeds the number committed to
the sidechain, the transaction will fail. Otherwise, it will succeed.

~~~
williamcotton
So the main Bitcoin network needs to be aware of and to be able to analyze the
entire Sidecoin sidechain?

So if only a total of 5 Bitcoin were ever sent/frozen to the sidechain, then
only 5 Bitcoin can ever be retrieved/unlocked?

So when the Sidecoin sidechain was first created each Sidecoin was worth 0.1
Bitcoin. So after three weeks there are now 10,000 Sidecoins, each worth
0.0005 Bitcoin? Is this a general rule for sidechains? Why did you say
"likely"? Is that because none of the details of sidechains have been worked
out?

Transactions on sidechains are mined in to blocks, right? So if someone mined
8,000 Sidecoins of those 10,000, they've now got 4 Bitcoin? If someone then
sent/froze an additional 5 Bitcoin to the Sidecoin sidechain, then that would
generate 10,000 new Sidechains?

So the incentives to mine Sidecoins would correspond to the total number of
Bitcoin that has been sent to the sidechain? If 5 Bitcoin were only ever sent
to Sidecoin, then all the mining in the world could only ever lead to a total
of 5 Bitcoins?

So for Sidecoins to be economically viable and therefor functional, someone
would need to be constantly injecting Bitcoin in to the sidechain, right?

