Merge #9012: release-notes: Update from blog draft

99f5cf1 release-notes: Update from blog draft (Luke Dashjr)

1 files changed, 98 insertions, 24 deletions

diff --git a/doc/release-notes.md b/doc/release-notes.md
index dbb3d5f3f6..0941290c8c 100644
--- a/doc/release-notes.md
+++ b/doc/release-notes.md
@@ -44,28 +44,102 @@ Segregated witness soft fork
 
 Segregated witness (segwit) is a soft fork that, if activated, will
 allow transaction-producing software to separate (segregate) transaction
-signatures (witnesses) from the rest of the data in a transaction, and
-to allow miners to place those witnesses outside of the traditional
-block structure. This provides two immediate benefits:
-
-- **Elimination of malleability:** Segregating the witness allows both
-  existing software and upgraded software that receives transactions to
-  calculate the transaction identifier (txid) of segwit-using
-  transactions without referencing the witness. This solves all known
-  cases of unwanted third-party transaction malleability, which is a
-  problem that makes programming Bitcoin wallet software more difficult
-  and which seriously complicates the design of smart contracts for
-  Bitcoin.
-
-- **Capacity increase:** Moving witness data outside of the traditional
-  block structure (but still inside a new-style block structure) means
-  new-style blocks can hold more data than older-style blocks, allowing
-  a modest increase to the amount of transaction data that can fit in a
-  block.
-
-Segwit also simplifies the ability to add new features to Bitcoin and
-improves the efficiency of full nodes, which will help provide long-term
-benefits to Bitcoin users.
+signatures (witnesses) from the part of the data in a transaction that is
+covered by the txid. This provides several immediate benefits:
+
+- **Elimination of unwanted transaction malleability:** Segregating the witness
+  allows both existing and upgraded software to calculate the transaction
+  identifier (txid) of transactions without referencing the witness, which can
+  sometimes be changed by third-parties (such as miners) or by co-signers in a
+  multisig spend. This solves all known cases of unwanted transaction
+  malleability, which is a problem that makes programming Bitcoin wallet
+  software more difficult and which seriously complicates the design of smart
+  contracts for Bitcoin.
+
+- **Capacity increase:** Segwit transactions contain new fields that are not
+  part of the data currently used to calculate the size of a block, which
+  allows a block containing segwit transactions to hold more data than allowed
+  by the current maximum block size. Estimates based on the transactions
+  currently found in blocks indicate that if all wallets switch to using
+  segwit, the network will be able to support about 70% more transactions. The
+  network will also be able to support more of the advanced-style payments
+  (such as multisig) than it can support now because of the different weighting
+  given to different parts of a transaction after segwit activates (see the
+  following section for details).
+
+- **Weighting data based on how it affects node performance:** Some parts of
+  each Bitcoin block need to be stored by nodes in order to validate future
+  blocks; other parts of a block can be immediately forgotten (pruned) or used
+  only for helping other nodes sync their copy of the block chain.  One large
+  part of the immediately prunable data are transaction signatures (witnesses),
+  and segwit makes it possible to give a different "weight" to segregated
+  witnesses to correspond with the lower demands they place on node resources.
+  Specifically, each byte of a segregated witness is given a weight of 1, each
+  other byte in a block is given a weight of 4, and the maximum allowed weight
+  of a block is 4 million.  Weighting the data this way better aligns the most
+  profitable strategy for creating blocks with the long-term costs of block
+  validation.
+
+- **Signature covers value:** A simple improvement in the way signatures are
+  generated in segwit simplifies the design of secure signature generators
+  (such as hardware wallets), reduces the amount of data the signature
+  generator needs to download, and allows the signature generator to operate
+  more quickly.  This is made possible by having the generator sign the amount
+  of bitcoins they think they are spending, and by having full nodes refuse to
+  accept those signatures unless the amount of bitcoins being spent is exactly
+  the same as was signed.  For non-segwit transactions, wallets instead had to
+  download the complete previous transactions being spent for every payment
+  they made, which could be a slow operation on hardware wallets and in other
+  situations where bandwidth or computation speed was constrained.
+
+- **Linear scaling of sighash operations:** In 2015 a block was produced that
+  required about 25 seconds to validate on modern hardware because of the way
+  transaction signature hashes are performed.  Other similar blocks, or blocks
+  that could take even longer to validate, can still be produced today.  The
+  problem that caused this can't be fixed in a soft fork without unwanted
+  side-effects, but transactions that opt-in to using segwit will now use a
+  different signature method that doesn't suffer from this problem and doesn't
+  have any unwanted side-effects.
+
+- **Increased security for multisig:** Bitcoin addresses (both P2PKH addresses
+  that start with a '1' and P2SH addresses that start with a '3') use a hash
+  function known as RIPEMD-160.  For P2PKH addresses, this provides about 160
+  bits of security---which is beyond what cryptographers believe can be broken
+  today.  But because P2SH is more flexible, only about 80 bits of security is
+  provided per address. Although 80 bits is very strong security, it is within
+  the realm of possibility that it can be broken by a powerful adversary.
+  Segwit allows advanced transactions to use the SHA256 hash function instead,
+  which provides about 128 bits of security  (that is 281 trillion times as
+  much security as 80 bits and is equivalent to the maximum bits of security
+  believed to be provided by Bitcoin's choice of parameters for its Elliptic
+  Curve Digital Security Algorithm [ECDSA].)
+
+- **More efficient almost-full-node security** Satoshi Nakamoto's original
+  Bitcoin paper describes a method for allowing newly-started full nodes to
+  skip downloading and validating some data from historic blocks that are
+  protected by large amounts of proof of work.  Unfortunately, Nakamoto's
+  method can't guarantee that a newly-started node using this method will
+  produce an accurate copy of Bitcoin's current ledger (called the UTXO set),
+  making the node vulnerable to falling out of consensus with other nodes.
+  Although the problems with Nakamoto's method can't be fixed in a soft fork,
+  Segwit accomplishes something similar to his original proposal: it makes it
+  possible for a node to optionally skip downloading some blockchain data
+  (specifically, the segregated witnesses) while still ensuring that the node
+  can build an accurate copy of the UTXO set for the block chain with the most
+  proof of work.  Segwit enables this capability at the consensus layer, but
+  note that Bitcoin Core does not provide an option to use this capability as
+  of this 0.13.1 release.
+
+- **Script versioning:** Segwit makes it easy for future soft forks to allow
+  Bitcoin users to individually opt-in to almost any change in the Bitcoin
+  Script language when those users receive new transactions.  Features
+  currently being researched by Bitcoin Core contributors that may use this
+  capability include support for Schnorr signatures, which can improve the
+  privacy and efficiency of multisig transactions (or transactions with
+  multiple inputs), and Merklized Abstract Syntax Trees (MAST), which can
+  improve the privacy and efficiency of scripts with two or more conditions.
+  Other Bitcoin community members are studying several other improvements
+  that can be made using script versioning.
 
 Activation for the segwit soft fork is being managed using BIP9
 versionbits.  Segwit's version bit is bit 1, and nodes will begin
@@ -93,8 +167,8 @@ signaling support for a soft fork.
 Null dummy soft fork
 -------------------
 
-Combined with the segwit soft fork is a soft fork that turns a
-long-existing network relay policy into a consensus rule.  The
+Combined with the segwit soft fork is an additional change that turns a
+long-existing network relay policy into a consensus rule. The
 `OP_CHECKMULTISIG` and `OP_CHECKMULTISIGVERIFY` opcodes consume an extra
 stack element ("dummy element") after signature validation. The dummy
 element is not inspected in any manner, and could be replaced by any