[Bitcoin-development] A suggestion for reducing the size of the UTXO database

Discussion:

Jim Phillips

2015-05-09 17:09:32 UTC

Forgive me if this idea has been suggested before, but I made this
suggestion on reddit and I got some feedback recommending I also bring it
to this list -- so here goes.

I wonder if there isn't perhaps a simpler way of dealing with UTXO growth.
What if, rather than deal with the issue at the protocol level, we deal
with it at the source of the problem -- the wallets. Right now, the typical
wallet selects only the minimum number of unspent outputs when building a
transaction. The goal is to keep the transaction size to a minimum so that
the fee stays low. Consequently, lots of unspent outputs just don't get
used, and are left lying around until some point in the future.

What if we started designing wallets to consolidate unspent outputs? When
selecting unspent outputs for a transaction, rather than choosing just the
minimum number from a particular address, why not select them ALL? Take all
of the UTXOs from a particular address or wallet, send however much needs
to be spent to the payee, and send the rest back to the same address or a
change address as a single output? Through this method, we should wind up
shrinking the UTXO database over time rather than growing it with each
transaction. Obviously, as Bitcoin gains wider adoption, the UTXO database
will grow, simply because there are 7 billion people in the world, and
eventually a good percentage of them will have one or more wallets with
spendable bitcoin. But this idea could limit the growth at least.

The vast majority of users are running one of a handful of different wallet
apps: Core, Electrum; Armory; Mycelium; Breadwallet; Coinbase; Circle;
Blockchain.info; and maybe a few others. The developers of all these
wallets have a vested interest in the continued usefulness of Bitcoin, and
so should not be opposed to changing their UTXO selection algorithms to one
that reduces the UTXO database instead of growing it.

From the miners perspective, even though these types of transactions would

be larger, the fee could stay low. Miners actually benefit from them in
that it reduces the amount of storage they need to dedicate to holding the
UTXO. So miners are incentivized to mine these types of transactions with a
higher priority despite a low fee.

Relays could also get in on the action and enforce this type of behavior by
refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.

--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>

*"Don't bunt. Aim out of the ball park. Aim for the company of immortals."
-- David Ogilvy*

*This message was created with 100% recycled electrons. Please think twice
before printing.*

Peter Todd

2015-05-09 18:45:18 UTC

Permalink

Post by Jim Phillips
The vast majority of users are running one of a handful of different wallet
apps: Core, Electrum; Armory; Mycelium; Breadwallet; Coinbase; Circle;
Blockchain.info; and maybe a few others. The developers of all these
wallets have a vested interest in the continued usefulness of Bitcoin, and
so should not be opposed to changing their UTXO selection algorithms to one
that reduces the UTXO database instead of growing it.

You can't assume that UTXO growth will be driven by walles at all; the
UTXO set's global consensus functionality is incredibly useful and will
certainly be used by all manner of applications, many having nothing to
do with Bitcoin.

As one of many examples, here's a proposal - with working code - to use
the UTXO set to get consensus over TLC certificate revocations. The
author, Christopher Allen, was one of the co-authors of the SSL
standard:

https://github.com/ChristopherA/revocable-self-signed-tls-certificates-hack

There's nothing we can do to stop these kinds of usages other than
forcing users to identify themselves to get permission to use the
Bitcoin blockchain. Using the Bitcoin blockchain gives their users
significantly better security in many cases than any alternatives, so
there's strong incentives to do so. Finally, the cost many of these
alternative uses are willing to pay pre UTXO/transaction is
significantly higher than the fees many existing Bitcoin users can pay
to make transactions.

--
'peter'[:-1]@petertodd.org
00000000000000000e7980aab9c096c46e7f34c43a661c5cb2ea71525ebb8af7

Jim Phillips

2015-05-09 19:02:11 UTC

Permalink

Post by Jim Phillips

Post by Jim Phillips
The vast majority of users are running one of a handful of different

wallet

Post by Jim Phillips
apps: Core, Electrum; Armory; Mycelium; Breadwallet; Coinbase; Circle;
Blockchain.info; and maybe a few others. The developers of all these
wallets have a vested interest in the continued usefulness of Bitcoin,

and

Post by Jim Phillips
so should not be opposed to changing their UTXO selection algorithms to

one

Post by Jim Phillips
that reduces the UTXO database instead of growing it.

You're correct in this point. Future UTXO growth will be coming from all
directions. But I'm a believer in the idea that whatever can be done should
be done. If we get Bitcoin devs into the mindset now that UTXOs are
expensive to those that have to store them, and that they should be good
netizens and do what they can to limit them, then hopefully that will ideal
will be passed down to future developers. I don't believe consolidating
UTXOs in the wallet is the only solution.. I just think it is a fairly easy
one to implement, and can only help the problem from getting worse in the
future.

--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
<http://www.linkedin.com/in/ergophobe>

*"Don't bunt. Aim out of the ball park. Aim for the company of immortals."
-- David Ogilvy*

*This message was created with 100% recycled electrons. Please think twice
before printing.*

Andreas Schildbach

2015-05-09 19:00:33 UTC

Permalink

Actually your assumption is wrong. Bitcoin Wallet (and I think most, if
not all, other bitcoinj based wallets) picks UTXO by age, in order to
maximize priority. So it keeps the number of UTXOs low, though not as
low as if it would always pick *all* UTXOs.

Post by Jim Phillips
Forgive me if this idea has been suggested before, but I made this
suggestion on reddit and I got some feedback recommending I also bring
it to this list -- so here goes.
I wonder if there isn't perhaps a simpler way of dealing with UTXO
growth. What if, rather than deal with the issue at the protocol level,
we deal with it at the source of the problem -- the wallets. Right now,
the typical wallet selects only the minimum number of unspent outputs
when building a transaction. The goal is to keep the transaction size to
a minimum so that the fee stays low. Consequently, lots of unspent
outputs just don't get used, and are left lying around until some point
in the future.
What if we started designing wallets to consolidate unspent outputs?
When selecting unspent outputs for a transaction, rather than choosing
just the minimum number from a particular address, why not select them
ALL? Take all of the UTXOs from a particular address or wallet, send
however much needs to be spent to the payee, and send the rest back to
the same address or a change address as a single output? Through this
method, we should wind up shrinking the UTXO database over time rather
than growing it with each transaction. Obviously, as Bitcoin gains wider
adoption, the UTXO database will grow, simply because there are 7
billion people in the world, and eventually a good percentage of them
will have one or more wallets with spendable bitcoin. But this idea
could limit the growth at least.
The vast majority of users are running one of a handful of different
wallet apps: Core, Electrum; Armory; Mycelium; Breadwallet; Coinbase;
Circle; Blockchain.info; and maybe a few others. The developers of all
these wallets have a vested interest in the continued usefulness of
Bitcoin, and so should not be opposed to changing their UTXO selection
algorithms to one that reduces the UTXO database instead of growing it.
From the miners perspective, even though these types of transactions
would be larger, the fee could stay low. Miners actually benefit from
them in that it reduces the amount of storage they need to dedicate to
holding the UTXO. So miners are incentivized to mine these types of
transactions with a higher priority despite a low fee.
Relays could also get in on the action and enforce this type of behavior
by refusing to relay or deprioritizing the relay of transactions that
don't use all of the available UTXOs from the addresses used as inputs.
Relays are not only the ones who benefit the most from a reduction of
the UTXO database, they're also in the best position to promote good
behavior.
--
*James G. Phillips
IV* <https://plus.google.com/u/0/113107039501292625391/posts>
/"Don't bunt. Aim out of the ball park. Aim for the company of
immortals." -- David Ogilvy
/
/This message was created with 100% recycled electrons. Please think
twice before printing./
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Jim Phillips

2015-05-09 19:05:36 UTC

Permalink

Post by Andreas Schildbach
Actually your assumption is wrong. Bitcoin Wallet (and I think most, if
not all, other bitcoinj based wallets) picks UTXO by age, in order to
maximize priority. So it keeps the number of UTXOs low, though not as
low as if it would always pick *all* UTXOs.
Is it not fair to say though that UTXO database growth is not considered

when selecting the UTXOs to use? And that size of transaction is a priority
if not the top priority?

Pieter Wuille

2015-05-09 19:06:13 UTC

Permalink

It's a very complex trade-off, which is hard to optimize for all use cases.
Using more UTXOs requires larger transactions, and thus more fees in
general. In addition, it results in more linkage between coins/addresses
used, so lower privacy.

The only way you can guarantee an economical reason to keep the UTXO set
small is by actually having a consensus rule that punishes increasing its
size.

------------------------------------------------------------------------------

Post by Jim Phillips
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Jim Phillips

2015-05-09 19:16:46 UTC

Permalink

Post by Pieter Wuille
It's a very complex trade-off, which is hard to optimize for all use
cases. Using more UTXOs requires larger transactions, and thus more fees in
general.

Unless the miner determines that the reduction in UTXO storage requirements
is worth the lower fee. There's no protocol level enforcement of a fee as
far as I understand it. It's enforced by the miners and their willingness
to include a transaction in a block.

Post by Pieter Wuille
In addition, it results in more linkage between coins/addresses used, so
lower privacy.

Not if you only select all the UTXOs from a single address. A wallet that
is geared more towards privacy minded individuals may want to reduce the
amount of address linkage, but a wallet geared towards the general masses
probably won't have to worry so much about that.

Post by Pieter Wuille
The only way you can guarantee an economical reason to keep the UTXO set
small is by actually having a consensus rule that punishes increasing its
size.

There's an economical reason right now to keeping the UTXO set small. The
smaller it is, the easier it is for the individual to run a full node. The
easier it is to run a full node, the faster Bitcoin will spread to the
masses. The faster it spreads to the masses, the more valuable it becomes.

Ross Nicoll

2015-05-09 19:43:33 UTC

Permalink

I think potential fee subsidies for cleaning up UTXO (and/or penalties
for creating more UTXO than you burn) are worth thinking about. As
Gavin's post ( gavinandresen.ninja/utxo-uhoh ) indicates, UTXO cost is
far higher than block storage, so charging differently for the in/out
mismatches should make good economic sense.

Ross

Post by Pieter Wuille
It's a very complex trade-off, which is hard to optimize for all
use cases. Using more UTXOs requires larger transactions, and thus
more fees in general.
Unless the miner determines that the reduction in UTXO storage
requirements is worth the lower fee. There's no protocol level
enforcement of a fee as far as I understand it. It's enforced by the
miners and their willingness to include a transaction in a block.
In addition, it results in more linkage between coins/addresses
used, so lower privacy.
Not if you only select all the UTXOs from a single address. A wallet
that is geared more towards privacy minded individuals may want to
reduce the amount of address linkage, but a wallet geared towards the
general masses probably won't have to worry so much about that.
The only way you can guarantee an economical reason to keep the
UTXO set small is by actually having a consensus rule that
punishes increasing its size.
There's an economical reason right now to keeping the UTXO set small.
The smaller it is, the easier it is for the individual to run a full
node. The easier it is to run a full node, the faster Bitcoin will
spread to the masses. The faster it spreads to the masses, the more
valuable it becomes.
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Raystonn

2015-05-09 19:25:16 UTC

Permalink

Jim Phillips

2015-05-09 19:33:21 UTC

Permalink

Lack of privacy is viral. We shouldn't encourage policy in most wallets
that discourages privacy. It adversely affects privacy across the entire
network.

How about this as a happy medium default policy: Rather than select UTXOs
based solely on age and limiting the size of the transaction, we select as
many UTXOs as possible from as few addresses as possible, prioritizing
which addresses to use based on the number of UTXOs it contains (more being
preferable) and how old those UTXOs are (in order to reduce the fee)?

Jim Phillips

2015-05-09 19:28:12 UTC

Permalink

On Sat, May 9, 2015 at 2:12 PM, Patrick Mccorry (PGR) <

Not necessarily. If you want to ensure privacy, you could limit the
selection of UTXOs to a single address, and even go so far as to send
change back to that same address. This wouldn't be as effective as
combining the UTXOs from multiple addresses, but it would help. The key is
to do everything that can be done when building a transaction to ensure
that as many inputs as possible are consolidated into as few outputs as
possible.
I would agree if you have multiple utxo for a single address then it
makes sense since there is no privacy loss. However sending the change back
to the same address would damage privacy (Hive does this) as it is then
obvious from looking at the transaction which output is change and which
output is sending funds.

I tend to agree with you here. But the change output could just as easily
be sent to a new change address.

Also not everyone is concerned with their own privacy, and I'm not aware
of any HD-wallet implementations that won't already combine inputs from
multiple addresses within that wallet without user input.
For people who do not care for privacy then it would work fine. But
adding it into the wallet as default behaviour would deter those who do
care for privacy - and making it a customisable option just adds complexity
for the users. Wallets do need to combine utxo at times to spend bitcoins
which is how people can be tracked today, using the minimum set of utxo
tries to reduce the risk.
Different wallets are targeted at different demographics. Some are geared

towards more mainstream users (for whom the privacy issue is less a
concern) and some (such as DarkWallet) are geared more towards the privacy
advocates. These wallets may choose to set their defaults at oposite ends
of the spectrum as to how they choose to select and link addresses and
UTXOs, but they can all improve on their current algorithms and promote
some degree of consolidation.

Additionally, large wallets that have lots of addresses owned by
multiple users like exchanges, blockchain.info, and Coinbase can
consolidate UTXOs very effectively when building transactions
That's true - I'm not sure how they would feel about it though. I
imagine they probably are already to minimise key management.
That's what these discussions are for. Hopefully this thread will be seen

by developers of these wallets and give them something to consider.

Raystonn

2015-05-09 19:43:55 UTC

Permalink

Jim Phillips

2015-05-09 19:52:26 UTC

Permalink

Post by Jim Phillips
How about this as a happy medium default policy: Rather than select UTXOs

Post by Jim Phillips
based solely on age and limiting the size of the transaction, we select as
many UTXOs as possible from as few addresses as possible, prioritizing
which addresses to use based on the number of UTXOs it contains (more being
preferable) and how old those UTXOs are (in order to reduce the fee)?

If selecting older UTXOs gives higher priority for a lesser (or at least
not greater) fee, that is an incentive for a rational user to use the older
UTXOs. Such policy needs to be defended or removed. It doesn't support
privacy or a reduction in UTXOs.

Before starting this thread, I had completely forgotten that age was even a
factor in determining which UTXOs to use. Frankly, I can't think of any
reason why miners care how old a particular UTXO is when determining what
fees to charge. I'm sure there is one, I just don't know what it is. I just
tossed it in there as homage to Andreas who pointed out to me that it was
still part of the selection criteria.

Raystonn

2015-05-09 20:20:06 UTC

Permalink

Pieter Wuille

2015-05-09 20:38:56 UTC

Permalink

Miners do not care about the age of a UTXO entry, apart for two exceptions.
It is also economically irrelevant.
* There is a free transaction policy, which sets a small portion of block
space aside for transactions which do not pay sufficient fee. This is
mostly an altruistic way of encouraging Bitcoin adoption. As a DoS
prevention mechanism, there is a requirement that these free transactions
are of sufficient priority (computed as BTC-days-destroyed per byte),
essentially requiring these transactions to consume another scarce
resource, even if not money.
* Coinbase transaction outputs can, as a consensus rule, only be spent
after 100 confirmations. This is to prevent random reorganisations from
invalidating transactions that spend young coinbase transactions (which
can't move to the new chain). In addition, wallets also select more
confirmed outputs first to consume, for the same reason.

That policy is included in Bitcoin Core. Miners use it because it is the
default. The policy was likely intended to help real transactions get
through in the face of spam. But it favors those with more bitcoin, as the
priority is determined by amount spent multiplied by age of UTXOs. At the
very least the amount spent should be removed as a factor, or fees are
unlikely to ever be paid by those who can afford them. We can reassess the
role age plays later. One change at a time is better.
How about this as a happy medium default policy: Rather than select UTXOs
based solely on age and limiting the size of the transaction, we select as
many UTXOs as possible from as few addresses as possible, prioritizing
which addresses to use based on the number of UTXOs it contains (more being
preferable) and how old those UTXOs are (in order to reduce the fee)?
If selecting older UTXOs gives higher priority for a lesser (or at least
not greater) fee, that is an incentive for a rational user to use the older
UTXOs. Such policy needs to be defended or removed. It doesn't support
privacy or a reduction in UTXOs.
Before starting this thread, I had completely forgotten that age was even
a factor in determining which UTXOs to use. Frankly, I can't think of any
reason why miners care how old a particular UTXO is when determining what
fees to charge. I'm sure there is one, I just don't know what it is. I just
tossed it in there as homage to Andreas who pointed out to me that it was
still part of the selection criteria.

Jim Phillips

2015-05-09 21:11:57 UTC

Permalink

Makes sense.. So with that said, I'd propose the following criteria for
selecting UTXOs:

1. Select the smallest possible set of addresses that can be linked in
order to come up with enough BTC to send to the payee.
2. Given multiple possible sets, select the one that has the largest number
of UTXOs.
3. Given multiple possible sets, choose the one that contains the largest
amount of total BTC.
4. Given multiple possible sets, select the one that destroys the most
bitcoin days.
5. If there's still multiple possible sets, just choose one at random.

Once the final set of addresses has been identified, use ALL UTXOs from
that set, sending appropriate outputs to the recipient(s), a new change
address, and a mining fee.

Miners should be cognisant of and reward the fact that the user is making
an effort to consolidate UTXOs. They can easily spot these transactions by
looking at whether all possible UTXOs from each input addresses have been
used. Since most miners use Bitcoin Core, and its defaults, this test can
be built into Bitcoin Core's logic for determining which transactions to
include when mining a block.

--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
<http://www.linkedin.com/in/ergophobe>

*"Don't bunt. Aim out of the ball park. Aim for the company of immortals."
-- David Ogilvy*

*This message was created with 100% recycled electrons. Please think twice
before printing.*

Post by Pieter Wuille
Miners do not care about the age of a UTXO entry, apart for two
exceptions. It is also economically irrelevant.
* There is a free transaction policy, which sets a small portion of block
space aside for transactions which do not pay sufficient fee. This is
mostly an altruistic way of encouraging Bitcoin adoption. As a DoS
prevention mechanism, there is a requirement that these free transactions
are of sufficient priority (computed as BTC-days-destroyed per byte),
essentially requiring these transactions to consume another scarce
resource, even if not money.
* Coinbase transaction outputs can, as a consensus rule, only be spent
after 100 confirmations. This is to prevent random reorganisations from
invalidating transactions that spend young coinbase transactions (which
can't move to the new chain). In addition, wallets also select more
confirmed outputs first to consume, for the same reason.

Matt Whitlock

2015-05-10 02:11:13 UTC

Permalink

Minimizing the number of UTXOs in a wallet is sometimes not in the best interests of the user. In fact, quite often I've wished for a configuration option like "Try to maintain _[number]_ UTXOs in the wallet." This is because I often want to make multiple spends from my wallet within one block, but spends of unconfirmed inputs are less reliable than spends of confirmed inputs, and some wallets (e.g., Andreas Schildbach's wallet) don't even allow it - you can only spend confirmed UTXOs. I can't tell you how aggravating it is to have to tell a friend, "Oh, oops, I can't pay you yet. I have to wait for the last transaction I did to confirm first." All the more aggravating because I know, if I have multiple UTXOs in my wallet, I can make multiple spends within the same block.

From the miners perspective, even though these types of transactions would

be larger, the fee could stay low. Miners actually benefit from them in
that it reduces the amount of storage they need to dedicate to holding the
UTXO. So miners are incentivized to mine these types of transactions with a
higher priority despite a low fee.
Relays could also get in on the action and enforce this type of behavior by
refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.
--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
*"Don't bunt. Aim out of the ball park. Aim for the company of immortals."
-- David Ogilvy*
*This message was created with 100% recycled electrons. Please think twice
before printing.*

Jim Phillips

2015-05-10 12:11:53 UTC

Permalink

I feel your pain. I've had the same thing happen to me in the past. And I
agree it's more likely to occur with my proposed scheme but I think with HD
wallets there will still be UTXOs left unspent after most transactions
since, for privacy sake it's looking for the smallest set of addresses that
can be linked.

Post by Matt Whitlock
Minimizing the number of UTXOs in a wallet is sometimes not in the best
interests of the user. In fact, quite often I've wished for a configuration
option like "Try to maintain _[number]_ UTXOs in the wallet." This is
because I often want to make multiple spends from my wallet within one
block, but spends of unconfirmed inputs are less reliable than spends of
confirmed inputs, and some wallets (e.g., Andreas Schildbach's wallet)
don't even allow it - you can only spend confirmed UTXOs. I can't tell you
how aggravating it is to have to tell a friend, "Oh, oops, I can't pay you
yet. I have to wait for the last transaction I did to confirm first." All
the more aggravating because I know, if I have multiple UTXOs in my wallet,
I can make multiple spends within the same block.

growth.

Post by Jim Phillips
What if, rather than deal with the issue at the protocol level, we deal
with it at the source of the problem -- the wallets. Right now, the

typical

Post by Jim Phillips
wallet selects only the minimum number of unspent outputs when building a
transaction. The goal is to keep the transaction size to a minimum so

that

Post by Jim Phillips
the fee stays low. Consequently, lots of unspent outputs just don't get
used, and are left lying around until some point in the future.
What if we started designing wallets to consolidate unspent outputs? When
selecting unspent outputs for a transaction, rather than choosing just

the

Post by Jim Phillips
minimum number from a particular address, why not select them ALL? Take

all

Post by Jim Phillips
of the UTXOs from a particular address or wallet, send however much needs
to be spent to the payee, and send the rest back to the same address or a
change address as a single output? Through this method, we should wind up
shrinking the UTXO database over time rather than growing it with each
transaction. Obviously, as Bitcoin gains wider adoption, the UTXO

database

Post by Jim Phillips
will grow, simply because there are 7 billion people in the world, and
eventually a good percentage of them will have one or more wallets with
spendable bitcoin. But this idea could limit the growth at least.
The vast majority of users are running one of a handful of different

wallet

and

Post by Jim Phillips
so should not be opposed to changing their UTXO selection algorithms to

one

Post by Jim Phillips
that reduces the UTXO database instead of growing it.

From the miners perspective, even though these types of transactions

would

Post by Jim Phillips
be larger, the fee could stay low. Miners actually benefit from them in
that it reduces the amount of storage they need to dedicate to holding

the

Post by Jim Phillips
UTXO. So miners are incentivized to mine these types of transactions

with a

Post by Jim Phillips
higher priority despite a low fee.
Relays could also get in on the action and enforce this type of behavior

Post by Jim Phillips
refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.
--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
*"Don't bunt. Aim out of the ball park. Aim for the company of

immortals."

Post by Jim Phillips
-- David Ogilvy*
*This message was created with 100% recycled electrons. Please think

twice

Post by Jim Phillips
before printing.*

Mike Hearn

2015-05-25 18:41:06 UTC

Permalink

Post by Matt Whitlock
some wallets (e.g., Andreas Schildbach's wallet) don't even allow it - you
can only spend confirmed UTXOs. I can't tell you how aggravating it is to
have to tell a friend, "Oh, oops, I can't pay you yet. I have to wait for
the last transaction I did to confirm first." All the more aggravating
because I know, if I have multiple UTXOs in my wallet, I can make multiple
spends within the same block.

Andreas' wallet hasn't done that for years. Are you repeating this from
some very old memory or do you actually see this issue in reality?

The only time you're forced to wait for confirmations is when you have an
unconfirmed inbound transaction, and thus the sender is unknown.

Matt Whitlock

2015-05-25 20:03:28 UTC

Permalink

This post might be inappropriate. Click to display it.

Andreas Schildbach

2015-05-25 20:29:26 UTC

Permalink

Post by Matt Whitlock

Post by Mike Hearn

Andreas' wallet hasn't done that for years. Are you repeating this from
some very old memory or do you actually see this issue in reality?
The only time you're forced to wait for confirmations is when you have an
unconfirmed inbound transaction, and thus the sender is unknown.

I see this behavior all the time. I am using the latest release, as far as I know. Version 4.30.
The same behavior occurs in the Testnet3 variant of the app. Go in there with an empty wallet and receive one payment and wait for it to confirm. Then send a payment and, before it confirms, try to send another one. The wallet won't let you send the second payment. It'll say something like, "You need x.xxxxxx more bitcoins to make this payment." But if you wait for your first payment to confirm, then you'll be able to make the second payment.
If it matters, I configure the app to connect only to my own trusted Bitcoin node, so I only ever have one active connection at most. I notice that outgoing payments never show as "Sent" until they appear in a block, presumably because the app never sees the transaction come in over any connection.

Yes, that's the issue. Because you're connecting only to one node, you
don't get any instant confirmations -- due to a Bitcoin protocol
limitation you can only get them from nodes you don't post the tx to.

Peter Todd

2015-05-25 21:05:41 UTC

Permalink

Post by Andreas Schildbach

Post by Matt Whitlock
I see this behavior all the time. I am using the latest release, as far as I know. Version 4.30.
The same behavior occurs in the Testnet3 variant of the app. Go in there with an empty wallet and receive one payment and wait for it to confirm. Then send a payment and, before it confirms, try to send another one. The wallet won't let you send the second payment. It'll say something like, "You need x.xxxxxx more bitcoins to make this payment." But if you wait for your first payment to confirm, then you'll be able to make the second payment.
If it matters, I configure the app to connect only to my own trusted Bitcoin node, so I only ever have one active connection at most. I notice that outgoing payments never show as "Sent" until they appear in a block, presumably because the app never sees the transaction come in over any connection.

Odd, I just tried the above as well - with multiple peers connected -
and had the exact same problem.

--
'peter'[:-1]@petertodd.org
00000000000000000e83c311f4244e4eefb54aa845abb181e46f16d126ab21e1

Andreas Schildbach

2015-05-26 12:40:28 UTC

Permalink

Post by Peter Todd

Post by Andreas Schildbach

Odd, I just tried the above as well - with multiple peers connected -
and had the exact same problem.

It should work, I'm testing this regularly. Can you report an issue
through the app and attach your log when this happens again?

Warren Togami Jr.

2015-05-25 21:14:46 UTC

Permalink

On Mon, May 25, 2015 at 1:29 PM, Andreas Schildbach

Post by Andreas Schildbach
Yes, that's the issue. Because you're connecting only to one node, you
don't get any instant confirmations -- due to a Bitcoin protocol
limitation you can only get them from nodes you don't post the tx to.

Is it really wise to call this a "confirmation"? All this is really
telling you is one seemingly random peer has relayed the transaction
back to you that you sent to a presumably different seemingly random
peer.

Warren

Mike Hearn

2015-05-25 21:12:58 UTC

Permalink

Post by Matt Whitlock
If it matters, I configure the app to connect only to my own trusted
Bitcoin node, so I only ever have one active connection at most.

Ah, I see, non default configuration. Because the Bitcoin network can and
does change in backwards incompatible ways, the app wants to see that the
transaction it made actually propagated across the network. If you set a
trusted node it won't see that.

Probably the logic should be tweaked so if you set a trusted node you're
just assumed to know what you're doing and we assume the transactions we
make ourselves always work.

Bob McElrath

2015-05-10 13:35:25 UTC

Permalink

This is my biggest headache with practical bitcoin usage. I'd love to hear it if
anyone has any clever solutions to the wallet/utxo locked problem. Spending
unconfirmed outputs really requires a different security model on the part of
the receiver than #confirmations, but isn't inherently bad if the receiver has a
better security model and knows how to compute the probability that an
unconfirmed-spend will get confirmed. Of course the bigger problem is wallet
software that refuses to spend unconfirmed outputs.

I've thought a bit about a fork/merge design: if the change were computed by the
network instead of the submitter, two transactions having the same change
address and a common input could be straightforwardly merged or split (in a
reorg), where with bitcoin currently it would be considered a double-spend. Of
course that has big privacy implications since it directly exposes the change
address, and is a hard fork, but is much closer to what people expect of a
debit-based "account" in traditional banking.

The fact of the matter is that having numerous sequential debits on an account
is an extremely common use case, and bitcoin is obtuse in this respect.

From the miners perspective, even though these types of transactions

would
be larger, the fee could stay low. Miners actually benefit from them in
that it reduces the amount of storage they need to dedicate to holding the
UTXO. So miners are incentivized to mine these types of transactions with a
higher priority despite a low fee.
Relays could also get in on the action and enforce this type of
behavior by
refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.
--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
*"Don't bunt. Aim out of the ball park. Aim for the company of
immortals."
-- David Ogilvy*
*This message was created with 100% recycled electrons. Please think twice
before printing.*
!DSPAM:554e4e5450787476022393!
------------------------------------------------------------------------
------------------------------------------------------------------------------
One dashboard for servers and applications across
Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable
Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
!DSPAM:554e4e5450787476022393!
------------------------------------------------------------------------
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
!DSPAM:554e4e5450787476022393!

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Jeff Garzik

2015-05-10 14:33:56 UTC

Permalink

This has been frequently explored on IRC.

My general conclusion is "dollar bills" - pick highly common denominations
of bitcoins. Aggregate to obtain these denominations, but do not aggregate
further.

This permits merge avoidance (privacy++), easy coinjoin where many hide in
the noise (privacy++), wallet dust de-fragmentation, while avoiding the
over-aggregation problem where you have consolidated down to one output.

Thus a wallet would have several consolidation targets.

Another strategy is simply doubling outputs. Say you pay 0.1 BTC to
Starbucks. Add another 0.1 BTC output to yourself, and a final change
output. Who can say which output goes to Starbucks?

There are many iterations and trade-offs between fragmentation and privacy.

Post by Bob McElrath
This is my biggest headache with practical bitcoin usage. I'd love to hear it if
anyone has any clever solutions to the wallet/utxo locked problem. Spending
unconfirmed outputs really requires a different security model on the part of
the receiver than #confirmations, but isn't inherently bad if the receiver has a
better security model and knows how to compute the probability that an
unconfirmed-spend will get confirmed. Of course the bigger problem is wallet
software that refuses to spend unconfirmed outputs.
I've thought a bit about a fork/merge design: if the change were computed by the
network instead of the submitter, two transactions having the same change
address and a common input could be straightforwardly merged or split (in a
reorg), where with bitcoin currently it would be considered a
double-spend. Of
course that has big privacy implications since it directly exposes the change
address, and is a hard fork, but is much closer to what people expect of a
debit-based "account" in traditional banking.
The fact of the matter is that having numerous sequential debits on an account
is an extremely common use case, and bitcoin is obtuse in this respect.

From the miners perspective, even though these types of transactions

would
be larger, the fee could stay low. Miners actually benefit from them in
that it reduces the amount of storage they need to dedicate to holding the
UTXO. So miners are incentivized to mine these types of transactions with a
higher priority despite a low fee.
Relays could also get in on the action and enforce this type of behavior by
refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.
--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
*"Don't bunt. Aim out of the ball park. Aim for the company of immortals."
-- David Ogilvy*
*This message was created with 100% recycled electrons. Please think twice
before printing.*
!DSPAM:554e4e5450787476022393!
------------------------------------------------------------------------
------------------------------------------------------------------------------
One dashboard for servers and applications across
Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable
Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
!DSPAM:554e4e5450787476022393!
------------------------------------------------------------------------
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
!DSPAM:554e4e5450787476022393!

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
This is my biggest headache with practical bitcoin usage. I'd love to hear
it if anyone has any clever solutions to the wallet/utxo locked problem.
Spending unconfirmed outputs really requires a different security model on
the part of the receiver than #confirmations, but isn't inherently bad if
the receiver has a better security model and knows how to compute the
probability that an unconfirmed-spend will get confirmed. Of course the
bigger problem is wallet software that refuses to spend unconfirmed outputs.
I've thought a bit about a fork/merge design: if the change were computed
by the network instead of the submitter, two transactions having the same
change address could be straightforwardly merged or split (in a reorg). Of
course that has big privacy implications and is pretty far from bitcoin's
design, but is much closer to what people expect of a debit-based "account"
in traditional banking.
The fact of the matter is that having numerous sequential debits on an
account is an extremely common use case, and bitcoin is obtuse in this
respect.

Post by Jim Phillips
Forgive me if this idea has been suggested before, but I made this
suggestion on reddit and I got some feedback recommending I also bring it
to this list -- so here goes.
I wonder if there isn't perhaps a simpler way of dealing with UTXO
growth. What if, rather than deal with the issue at the protocol level, we
deal with it at the source of the problem -- the wallets. Right now, the
typical wallet selects only the minimum number of unspent outputs when
building a transaction. The goal is to keep the transaction size to a
minimum so that the fee stays low. Consequently, lots of unspent outputs
just don't get used, and are left lying around until some point in the
future.
What if we started designing wallets to consolidate unspent outputs? When
selecting unspent outputs for a transaction, rather than choosing just the
minimum number from a particular address, why not select them ALL? Take all
of the UTXOs from a particular address or wallet, send however much needs
to be spent to the payee, and send the rest back to the same address or a
change address as a single output? Through this method, we should wind up
shrinking the UTXO database over time rather than growing it with each
transaction. Obviously, as Bitcoin gains wider adoption, the UTXO database
will grow, simply because there are 7 billion people in the world, and
eventually a good percentage of them will have one or more wallets with
spendable bitcoin. But this idea could limit the growth at least.
The vast majority of users are running one of a handful of different
wallet apps: Core, Electrum; Armory; Mycelium; Breadwallet; Coinbase;
Circle; Blockchain.info; and maybe a few others. The developers of all
these wallets have a vested interest in the continued usefulness of
Bitcoin, and so should not be opposed to changing their UTXO selection
algorithms to one that reduces the UTXO database instead of growing it.
From the miners perspective, even though these types of transactions
would be larger, the fee could stay low. Miners actually benefit from them
in that it reduces the amount of storage they need to dedicate to holding
the UTXO. So miners are incentivized to mine these types of transactions
with a higher priority despite a low fee.
Relays could also get in on the action and enforce this type of behavior
by refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.
--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
*"Don't bunt. Aim out of the ball park. Aim for the company of
immortals." -- David Ogilvy*
*This message was created with 100% recycled electrons. Please think
twice before printing.*
!DSPAM:554e4e5450787476022393!
------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
!DSPAM:554e4e5450787476022393!
------------------------------
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
!DSPAM:554e4e5450787476022393!

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAlVPXp0ACgkQjwioWRGe9K1+2ACfViY0D2ksVFe29SwhxbtmNSC3
TQAAnRoJLI9wW3DQRPqQ7PorKxelC2S2
=Er51
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/

Bob McElrath

2015-05-10 14:42:54 UTC

Permalink

That's a lot of work, a lot of extra utxo's, and a lot of blockchain spam, just
so I can do a convoluted form of arithmetic on my balance.

If a tx contained an explicit miner fee and a change address, but did not
compute the change, letting the network compute it (and therefore merge
transactions spending the same utxo), could one add some form of ring signature
a la Dash to alleviate the worsened privacy implications?

Post by Jeff Garzik
This has been frequently explored on IRC.
My general conclusion is "dollar bills" - pick highly common denominations of
bitcoins. Aggregate to obtain these denominations, but do not aggregate
further.
This permits merge avoidance (privacy++), easy coinjoin where many hide in the
noise (privacy++), wallet dust de-fragmentation, while avoiding the
over-aggregation problem where you have consolidated down to one output.
Thus a wallet would have several consolidation targets.
Another strategy is simply doubling outputs. Say you pay 0.1 BTC to
Starbucks. Add another 0.1 BTC output to yourself, and a final change output.
Who can say which output goes to Starbucks?
There are many iterations and trade-offs between fragmentation and privacy.

--
Cheers, Bob McElrath

"The individual has always had to struggle to keep from being overwhelmed by
the tribe. If you try it, you will be lonely often, and sometimes frightened.
But no price is too high to pay for the privilege of owning yourself."
-- Friedrich Nietzsche

Danny Thorpe

2015-05-12 19:50:16 UTC

Permalink

Having thousands of utxos floating around for a single address is clearly a
bad thing - it creates a lot of memory load on bitcoin nodes.

However, having only one utxo for an address is also a bad thing, for
concurrent operations.

Having "several" utxos available to spend is good for parallelism, so that
2 or more tasks which are spending from the same address don't have to line
up single file waiting for one of the tasks to publish a tx first so that
the next task can spend the (unconfirmed) change output of the first.
Requiring/Forcing/Having a single output carry the entire balance of an
address does not work at scale. (Yes, this presumes that the tasks are
coordinated so that they don't attempt to spend the same outputs. Internal
coordination is solvable.)

In multiple replies, you push for having "all" utxos of an address spent in
one transaction. Why all? If the objective is to reduce the size of the
utxo pool, it would be sufficient simply to recommend that wallets and
other spenders consume more utxos than they create, on average.

I'm ok with "consume more utxos than you generate" as a good citizen / best
practices recommendation, but a requirement that all prior outputs must be
spent in one transaction seems excessive and impractical.

-Danny

Post by Jim Phillips
Forgive me if this idea has been suggested before, but I made this
suggestion on reddit and I got some feedback recommending I also bring it
to this list -- so here goes.
I wonder if there isn't perhaps a simpler way of dealing with UTXO growth.
What if, rather than deal with the issue at the protocol level, we deal
with it at the source of the problem -- the wallets. Right now, the typical
wallet selects only the minimum number of unspent outputs when building a
transaction. The goal is to keep the transaction size to a minimum so that
the fee stays low. Consequently, lots of unspent outputs just don't get
used, and are left lying around until some point in the future.
What if we started designing wallets to consolidate unspent outputs? When
selecting unspent outputs for a transaction, rather than choosing just the
minimum number from a particular address, why not select them ALL? Take all
of the UTXOs from a particular address or wallet, send however much needs
to be spent to the payee, and send the rest back to the same address or a
change address as a single output? Through this method, we should wind up
shrinking the UTXO database over time rather than growing it with each
transaction. Obviously, as Bitcoin gains wider adoption, the UTXO database
will grow, simply because there are 7 billion people in the world, and
eventually a good percentage of them will have one or more wallets with
spendable bitcoin. But this idea could limit the growth at least.
The vast majority of users are running one of a handful of different
wallet apps: Core, Electrum; Armory; Mycelium; Breadwallet; Coinbase;
Circle; Blockchain.info; and maybe a few others. The developers of all
these wallets have a vested interest in the continued usefulness of
Bitcoin, and so should not be opposed to changing their UTXO selection
algorithms to one that reduces the UTXO database instead of growing it.
From the miners perspective, even though these types of transactions would
be larger, the fee could stay low. Miners actually benefit from them in
that it reduces the amount of storage they need to dedicate to holding the
UTXO. So miners are incentivized to mine these types of transactions with a
higher priority despite a low fee.
Relays could also get in on the action and enforce this type of behavior
by refusing to relay or deprioritizing the relay of transactions that don't
use all of the available UTXOs from the addresses used as inputs. Relays
are not only the ones who benefit the most from a reduction of the UTXO
database, they're also in the best position to promote good behavior.
--
*James G. Phillips IV*
<https://plus.google.com/u/0/113107039501292625391/posts>
*"Don't bunt. Aim out of the ball park. Aim for the company of immortals."
-- David Ogilvy*
*This message was created with 100% recycled electrons. Please think
twice before printing.*
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Mike Hearn

2015-05-25 18:44:18 UTC

Permalink

Wallets are incentivised to do a better job with defragmentation already,
as if you have lots of tiny UTXOs then your fees end up being huge when
trying to make a payment.

The reason they largely don't is just one of manpower. Nobody is working on
it.

As a wallet developer myself, one way I'd like to see this issue be fixed
by making free transactions more reliable. Then wallets can submit free
transactions to the network to consolidate UTXOs together, e.g. at night
when the user is sleeping. They would then fit into whatever space is
available in the block during periods of low demand, like on Sunday.

If we don't do this then wallets won't automatically defragment, as we'd be
unable to explain to the user why their money is slowly leaking out of
their wallet without them doing anything. Trying to explain the existing
transaction fees is hard enough already ("I thought bitcoin doesn't have
banks" etc).

There is another way: as the fee is based on a rounded 1kb calculation, if
you go into the next fee band adding some more outputs and making a bigger
change output becomes "free" for another output or two. But wallets don't
exploit this today.

Peter Todd

2015-05-25 21:26:38 UTC

Permalink

Post by Mike Hearn
Wallets are incentivised to do a better job with defragmentation already,
as if you have lots of tiny UTXOs then your fees end up being huge when
trying to make a payment.
The reason they largely don't is just one of manpower. Nobody is working on
it.
As a wallet developer myself, one way I'd like to see this issue be fixed
by making free transactions more reliable. Then wallets can submit free
transactions to the network to consolidate UTXOs together, e.g. at night
when the user is sleeping. They would then fit into whatever space is
available in the block during periods of low demand, like on Sunday.

This can cause problems as until those transactions confirm, even more
of the user's outputs are unavailable for spending, causing confusion as
to why they can't send their full balance. It's also inefficient, as in
the case where the user does try to send a small payment that could be
satisfied by one or more of these small UTXO's, the wallet has to use a
larger UTXO.

With replace-by-fee however this problem goes away, as you can simply
double-spend the pending defragmentation transactions instead if they
are still unconfirmed when you need to use them.

--
'peter'[:-1]@petertodd.org
00000000000000000aa9033c06c10d6131eafa3754c3157d74c2267c1dd2ca35

Mike Hearn

2015-05-25 22:03:09 UTC

Permalink

CPFP also solves it just fine.

Peter Todd

2015-05-26 00:10:34 UTC

Permalink

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%

Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------

Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.

Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.

On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.

Cost savings: 48%

Case 2: Paying multiple recipients in succession
------------------------------------------------

Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.

With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.

Cost savings: 84%

Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------

The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.

Cost savings: 90%

Case 4: Dust defragmentation
----------------------------

My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.

Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.

With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.

Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save

--
'peter'[:-1]@petertodd.org
0000000000000000134ce6577d4122094479f548b997baf84367eaf0c190bc9f

Danny Thorpe

2015-05-26 18:22:00 UTC

Permalink

What prevents RBF from being used for fraudulent payment reversals?

Pay 1BTC to Alice for hard goods, then after you receive the goods
broadcast a double spend of that transaction to pay Alice nothing? Your
only cost is the higher network fee of the 2nd tx.

Thanks,
-Danny

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
--
0000000000000000134ce6577d4122094479f548b997baf84367eaf0c190bc9f
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Allen Piscitello

2015-05-26 18:38:08 UTC

Permalink

What prevents you from writing a bad check using today's systems?

Post by Danny Thorpe
What prevents RBF from being used for fraudulent payment reversals?
Pay 1BTC to Alice for hard goods, then after you receive the goods
broadcast a double spend of that transaction to pay Alice nothing? Your
only cost is the higher network fee of the 2nd tx.
Thanks,
-Danny

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
--
0000000000000000134ce6577d4122094479f548b997baf84367eaf0c190bc9f
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Aaron Voisine

2015-05-26 18:42:37 UTC

Permalink

See the "first-seen-safe replace-by-fee" thread

Aaron Voisine
co-founder and CEO
breadwallet.com

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
--
0000000000000000134ce6577d4122094479f548b997baf84367eaf0c190bc9f
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Adam Back

2015-05-26 18:47:39 UTC

Permalink

The general idea for replace by fee is that it would be restricted so
as to make it safe, eg all the original addresses should receive no
less bitcoin (more addresses can be added).

The scorched earth game theory stuff (allowing removing recipients) is
kind of orthogonal.

Adam

Post by Danny Thorpe
What prevents RBF from being used for fraudulent payment reversals?
Pay 1BTC to Alice for hard goods, then after you receive the goods broadcast
a double spend of that transaction to pay Alice nothing? Your only cost is
the higher network fee of the 2nd tx.
Thanks,
-Danny

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
--
0000000000000000134ce6577d4122094479f548b997baf84367eaf0c190bc9f
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

Matt Whitlock

2015-05-26 20:18:06 UTC

Permalink

The "First-Seen-Safe" replace-by-fee presently being discussed on this list disallows fraudulent payment reversals, as it disallows a replacing transaction that pays less to any output script than the replaced transaction paid.

------------------------------------------------------------------------------

j***@airmail.cc

2015-05-26 20:30:48 UTC

Permalink

This post might be inappropriate. Click to display it.

Mark Friedenbach

2015-05-26 20:56:06 UTC

Permalink

Please let's at least have some civility and decorum on this list.

Post by j***@airmail.cc
You're the Chief Scientist of __ViaCoin__ a alt with 30 second blocks
and you have big banks as clients. Shit like replace-by-fee and leading
the anti-scaling mob is for your clients, not Bitcoin. Get the fuck out.
Peter Todd - 8930511 Canada Ltd.
1214-1423 Mississauga Valley Blvd.
Mississauga ON L5A 4A5
Canada
https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=8930511

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save

------------------------------------------------------------------------------

Post by Peter Todd
One dashboard for servers and applications across
Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable
Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

------------------------------------------------------------------------------
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

s7r

2015-05-26 21:29:28 UTC

Permalink

What is wrong with the man testing some ideas on his custom branch? This
is how improvements come to life. I saw in the BIPs some really
interesting ideas and nice brainstorming which came from Peter Todd.

Now, my question, if replace by fee doesn't allow me to change the
inputs or the outputs, I can only add outputs... what can I do with this
feature? If I sent a tx and want to replace it with a higher fee one,
the higher fee one can only have maybe additional change addresses or
another payment, if the inputs suffice? Do we have any real use cases?

P.S. is it planned to include this by default in bitcoin core 10.0.3 or
it will remain just on Peter's branch?

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
------------------------------------------------------------------------------
One dashboard for servers and applications across
Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable
Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

------------------------------------------------------------------------------

Adam Back

2015-05-26 22:06:42 UTC

Permalink

Well so for example it could have an additional input (to increase the
BTC paid into the transaction) and pay more to an existing change
address and higher fee, or add an additional change address, and leave
a larger fee, or if you had a right-sized coin add an additional input
that all goes to fees.

(As well as optionally tacking on additional pending payments to other
addresses funded from the higher input).

Adam

Post by s7r
What is wrong with the man testing some ideas on his custom branch? This
is how improvements come to life. I saw in the BIPs some really
interesting ideas and nice brainstorming which came from Peter Todd.
Now, my question, if replace by fee doesn't allow me to change the
inputs or the outputs, I can only add outputs... what can I do with this
feature? If I sent a tx and want to replace it with a higher fee one,
the higher fee one can only have maybe additional change addresses or
another payment, if the inputs suffice? Do we have any real use cases?
P.S. is it planned to include this by default in bitcoin core 10.0.3 or
it will remain just on Peter's branch?

Post by Peter Todd

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
------------------------------------------------------------------------------
One dashboard for servers and applications across
Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable
Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

------------------------------------------------------------------------------

Peter Todd

2015-05-27 01:25:21 UTC

Permalink

You're a bit mistaken there: standard RBF lets you change anything, and
FSS RBF lets you modify inputs and add outputs and/or make the value of
outputs higher.

Post by s7r
P.S. is it planned to include this by default in bitcoin core 10.0.3 or
it will remain just on Peter's branch?

Any significant change to mempool policy like RBF is very unlikely to be
incorporated in the Bitcoin Core v0.10.x branch, simply because it'd be
too large a change for a minor, mostly bugfix, release.

Having said that, I already maintain a standard RBF branch for v0.10.x,
and have been asked by a major minor to backport FSS RBF for v0.10.x as
well.

--
'peter'[:-1]@petertodd.org
00000000000000000b9e6c1ce35e6e06c01b1f381840bcd9297f307cb1e6aae8

s7r

2015-05-27 19:28:55 UTC

Permalink

Hi Peter,

Thanks for your reply.

I know and bookmarked your branch - nice work.

So, to clarify:
- bitcoin core (official / default) 0.10.x currently has First-seen
mempool behavior
- your custom branch uses replace by fee mempool behavior which allows
an user to change anything in a tx (I guess it needs just to have at
least one same input, so it can link it to another previously signed tx
with lower fee and substitute it in the mempool, correct?).

- First Seen Safe Replace by Fee (FSF-RBF) mempool behavior which allows
an user only to add inputs and/or increase the value of outputs will be
in yet another branch, maintained by you, but not in default / official
bitcoin core?

Another thing, if FSF-RBF lets you change TXes in the manner described
above, how does the client know which tx needs to be replaced in the
mempool? Since the txid naturally changes. How does it map tx1 with tx2
(to know tx2 has a higher fee and needs to substitute tx1) if quite a
lot of params from the transaction structure can change?

Thanks!

Post by Peter Todd

You're a bit mistaken there: standard RBF lets you change anything, and
FSS RBF lets you modify inputs and add outputs and/or make the value of
outputs higher.

Post by s7r
P.S. is it planned to include this by default in bitcoin core 10.0.3 or
it will remain just on Peter's branch?

Any significant change to mempool policy like RBF is very unlikely to be
incorporated in the Bitcoin Core v0.10.x branch, simply because it'd be
too large a change for a minor, mostly bugfix, release.
Having said that, I already maintain a standard RBF branch for v0.10.x,
and have been asked by a major minor to backport FSS RBF for v0.10.x as
well.

------------------------------------------------------------------------------

Jeff Garzik

2015-05-26 22:29:40 UTC

Permalink

That attitude and doxxing is not appropriate for this list.

Post by j***@airmail.cc
You're the Chief Scientist of __ViaCoin__ a alt with 30 second blocks
and you have big banks as clients. Shit like replace-by-fee and leading
the anti-scaling mob is for your clients, not Bitcoin. Get the fuck out.
<https://lists.sourceforge.net/lists/listinfo/bitcoin-development>

--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/

Raystonn

2015-05-26 18:43:14 UTC

Permalink

------------------------------------------------------------------------------

Allen Piscitello

2015-05-26 20:12:41 UTC

Permalink

I am not the one presenting this as some kind of novel attack on
transactions in general.

Trust, regulation, law, and the threat of force. Are you serious?
What prevents you from writing a bad check using today's systems?
What prevents RBF from being used for fraudulent payment reversals?
Pay 1BTC to Alice for hard goods, then after you receive the goods
broadcast a double spend of that transaction to pay Alice nothing? Your
only cost is the higher network fee of the 2nd tx.
Thanks,
-Danny

Post by Mike Hearn
CPFP also solves it just fine.

CPFP is a significantly more expensive way of paying fees than RBF,
particularly for the use-case of defragmenting outputs, with cost
savings ranging from 30% to 90%
Case 1: CPFP vs. RBF for increasing the fee on a single tx
----------------------------------------------------------
Creating an spending a P2PKH output uses 34 bytes of txout, and 148
bytes of txin, 182 bytes total.
Let's suppose I have a 1 BTC P2PKH output and I want to pay 0.1 BTC to
Alice. This results in a 1in/2out transaction t1 that's 226 bytes in size.
I forget to click on the "priority fee" option, so it goes out with the
minimum fee of 2.26uBTC. Whoops! I use CPFP to spend that output,
creating a new transaction t2 that's 192 bytes in size. I want to pay
1mBTC/KB for a fast confirmation, so I'm now paying 418uBTC of
transaction fees.
On the other hand, had I use RBF, my wallet would have simply
rebroadcast t1 with the change address decreased. The rules require you
to pay 2.26uBTC for the bandwidth consumed broadcasting it, plus the new
fee level, or 218uBTC of fees in total.
Cost savings: 48%
Case 2: Paying multiple recipients in succession
------------------------------------------------
Suppose that after I pay Alice, I also decide to pay Bob for his hard
work demonstrating cryptographic protocols. I need to create a new
transaction t2 spending t1's change address. Normally t2 would be
another 226 bytes in size, resulting in 226uBTC additional fees.
With RBF on the other hand I can simply double-spend t1 with a
transaction paying both Alice and Bob. This new transaction is 260 bytes
in size. I have to pay 2.6uBTC additional fees to pay for the bandwidth
consumed broadcasting it, resulting in an additional 36uBTC of fees.
Cost savings: 84%
Case 3: Paying multiple recipients from a 2-of-3 multisig wallet
----------------------------------------------------------------
The above situation gets even worse with multisig. t1 in the multisig
case is 367 bytes; t2 another 367 bytes, costing an additional 367uBTC
in fees. With RBF we rewrite t1 with an additional output, resulting in
a 399 byte transaction, with just 36uBTC in additional fees.
Cost savings: 90%
Case 4: Dust defragmentation
----------------------------
My wallet has a two transaction outputs that it wants to combine into
one for the purpose of UTXO defragmentation. It broadcasts transaction
t1 with two inputs and one output, size 340 bytes, paying zero fees.
Prior to the transaction confirming I find I need to spend those funds
for a priority transaction at the 1mBTC/KB fee level. This transaction,
t2a, has one input and two outputs, 226 bytes in size. However it needs
to pay fees for both transactions at once, resulting in a combined total
fee of 556uBTC. If this situation happens frequently, defragmenting
UTXOs is likely to cost more in additional fees than it saves.
With RBF I'd simply doublespend t1 with a 2-in-2-out transaction 374
bytes in size, paying 374uBTC. Even better, if one of the two inputs is
sufficiently large to cover my costs I can doublespend t1 with a
1-in-2-out tx just 226 bytes in size, paying 226uBTC.
Cost savings: 32% to 59%, or even infinite if defragmentation w/o RBF
costs you more than you save
--
0000000000000000134ce6577d4122094479f548b997baf84367eaf0c190bc9f
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Bitcoin-development mailing list
https://lists.sourceforge.net/lists/listinfo/bitcoin-development