Issues with bitcoin PoW anchoring through anyone-can-spend output

[adambor]

Prime is supposed to be anchored to bitcoin with an anyone-can-spend single-use-seal that is spent, new block is committed in the spending transaction and new anyone-can-spend single-use-seal is created, if it so happens that there is not a proper commitment, a protocol reset happens through OP_RETURN announcement. Here are the problems I see along with possible solutions to them.

1. Selfish mining

Happens when a miner produces a valid commitment but doesn't release the prime block, instead he keeps the blocks for himself, and releases them at some point in the future causing a possibly massive re-org. With addition of secondary PoW (Prime PoW) this can be mitigated, but a party with >51% of Prime PoW would be able to cause massive re-orgs and double spends, so I don't see how this is necessary better than a separate blockchain with its own PoW.

A simple solution to this problem would be to publish whole prime blockheader on bitcoin, either through OP_RETURN or as a taproot inscription, then no miner can withold publishing of blockheader as it would be stored in the clear on bitcoin mainchain.

2. Replacement cycling attack

Anyone-can-spend outputs are prime candidates for attack via replacement cycling attack, as was recently discussed on the bitcoin mailing list, this would allow ANY malicous party to censor Prime blocks from being committed to bitcoin mainchain. You can find a good description of the attack here. Basically this is a way to evict any transaction trying to spend the anyone-can-spend output from the mempool, so it never gets mined.

Solution for this would be to change the output from anyone-can-spend to an output script which requires PoW to be spent, this can be done through signature grinding.

[cryptoquick]

I like these solutions a lot.
Would the signature grinding be over a hash of the block header? Or is the block header a hash?
Also, what if the signature difficulty is set too high (size too low)? Would that cause a protocol split? Or if there's multiple commitments, maybe the smallest signature is chosen by the protocol (the one with the fewest bytes and the most leading binary zeroes).

[adambor]

Would the signature grinding be over a hash of the block header? Or is the block header a hash?

Yep, Prime header would be committed in that very same transaction, so it will be part of the SIGHASH over which signature will be computed.

Also, what if the signature difficulty is set too high (size too low)?

Well, it cannot be set too high, otherwise it will be considered an invalid commitment. There will be a difficulty retargetting algorithm for Prime PoW, so if you commit a block and create a UTXO with a script that requires more work than what's defined by the algorithm, it would be considered invalid and protocol reset will happen through OP_RETURN.

Would that cause a protocol split?

There cannot be multiple commitments, as to create commitment you need to spend a UTXO, which can only be spent once. If it so happens that invalid commitment is made, an OP_RETURN protocol reset will happen, then out of all the OP_RETURN reset txns, only one is choosen, either based on lowest tx hash, or position inside the block.

Or if there's multiple commitments, maybe the smallest signature is chosen by the protocol (the one with the fewest bytes and the most leading binary zeroes).

Again, there cannot be multiple commitments, also we cannot enforce that the smallest signature wins the block, only that any signature < some size can commit to the new block, then whoever pays the highest miner fee on bitcoin gets to actually spend the UTXO and commit the new block. So there is actually competition on multiple levels - first a miner has to use PoW to compute a short enough signature, second is that he also needs to pay high enough bitcoin transaction fee to actually mine the Prime block.

[dr-orlovsky]

Very good points and suggestions. Just a one note:

I don't see how this is necessary better than a separate blockchain with its own PoW.

Separate blockchain with PoW will have poor security - until the hash rate exceeds the bitcoin blockchain hash rate. Thus we need both, since without separate PoW we will never be able to un-anchor from bitcoin blockchain - and without bitcoin PoW we will not have enough security during the bootstrap years.

[adambor]

Separate blockchain with PoW will have poor security - until the hash rate exceeds the bitcoin blockchain hash rate. Thus we need both, since without separate PoW we will never be able to un-anchor from bitcoin blockchain - and without bitcoin PoW we will not have enough security during the bootstrap years.

That was just pointing out the fact that if we only put a hash/commitment of Prime block to bitcoin (not whole Prime block), an attacker with >51% Prime hashrate can still 51% attack the network (re-org and double spend) by selfish mining and not releasing the block data (1st point in this issue).

So if we were to only put a hash/commitment of Prime block into bitcoin, the Prime network would be only as secure as Prime network's PoW - thus we get no benefit for anchoring into bitcoin (no inheriting bitcoin's PoW security).

This is solved by writing the whole Prime block into bitcoin as an inscription (as then no selfish mining and not releasing the block data can happen because all the data will be in the clear on bitcoin blockchain). This way we can inherit bitcoin's PoW security.

On a different note, this is also a very big problem for Abraxas, as Abraxas requires miners to release the ephemeral data of txIds (which could be up to ~24MB), and to have it fully secured by bitcoin's PoW all those 24MB would have to be inscribed into bitcoin - which of course is not possible. I invite you to check adambor/The9thProofOfFolding#11 and see if you have any ideas how to solve that. I also feel like there is similar problem with Prime itself, in case the miner doesn't provide any ephemeral data to the users, the number of challenges in the next block would be huge - possibly also surpassing 4MB bitcoin blocksize limit - making it impossible to inscribe whole Prime blockheader on bitcoin.