summaryrefslogtreecommitdiff
path: root/01/ef176040e7edfb5b27d7d506317ba6e475944a
blob: 472f3dddab7f1dc569a5e15d6f79a77b06a6ae7c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
Return-Path: <elombrozo@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 82B641EC3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  7 Oct 2015 16:25:54 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pa0-f41.google.com (mail-pa0-f41.google.com
	[209.85.220.41])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D60AD219
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  7 Oct 2015 16:25:53 +0000 (UTC)
Received: by padhy16 with SMTP id hy16so25797624pad.1
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 07 Oct 2015 09:25:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=user-agent:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding:subject:from:date:to:message-id;
	bh=dA3mwWRLxSihdJ1DwG3fWOGZAj7e6CwDK3rzpWihzBg=;
	b=T9BgT6bYHXCAUlnhf3b6IEODMfgCwVyRTUZfj9ArsuNHkhhi5lkoc/ryvZeGP4nOVT
	N/dDgmkaurlIqmvMrQ9WqhAHEl72G3cmumcWSkfJOFbPMRDSuSFO0t6XTckfFhSK97BO
	3zUOy8WyQd1b/ffBuhXl/7RI8wzwX5CTXuk6yk3u0+5LRGT9CxHKLZFz+KBehveYDItI
	pTYNLGazhEN5k5VatId4d7YfmD8L33SUiCOhKXlw0aUGELEm+71lIOHMc2N4v9CdAlFq
	hWJDSqPXJDoGkUjR0yQvaqszyUj9c4ZFAYiOqe4PidhokBguPahoJhkhx8PW6IuIUCPY
	6yyw==
X-Received: by 10.68.194.73 with SMTP id hu9mr2088644pbc.146.1444235153558;
	Wed, 07 Oct 2015 09:25:53 -0700 (PDT)
Received: from [192.168.1.100] (cpe-76-167-237-202.san.res.rr.com.
	[76.167.237.202]) by smtp.gmail.com with ESMTPSA id
	pu5sm40368295pbc.58.2015.10.07.09.25.52
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 07 Oct 2015 09:25:52 -0700 (PDT)
User-Agent: K-9 Mail for Android
In-Reply-To: <B7359445-2B91-4A12-8222-9730D91572C7@gmail.com>
References: <20150927185031.GA20599@savin.petertodd.org>
	<CA+w+GKRCVr-9TVk66utp7xLRgTxNpxYoj3XQE-6y_N8JS6eO6Q@mail.gmail.com>
	<CAAS2fgSEDGBd67m7i8zCgNRqtmQrZyZMj7a5TsYo41Dh=tdhHQ@mail.gmail.com>
	<20151007150014.GA21849@navy>
	<A763EBF7-4FA5-4FE4-9595-01317B264B0A@toom.im>
	<B7359445-2B91-4A12-8222-9730D91572C7@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----GZ9I3VXTVGYXC557AB2HAEGWEI17U1"
Content-Transfer-Encoding: 8bit
From: Eric Lombrozo <elombrozo@gmail.com>
Date: Wed, 07 Oct 2015 09:25:53 -0700
To: "Jonathan Toomim (Toomim Bros)" <j@toom.im>,
	"Jonathan Toomim (Toomim Bros) via bitcoin-dev"
	<bitcoin-dev@lists.linuxfoundation.org>, Anthony Towns <aj@erisian.com.au>
Message-ID: <4A595469-D2E7-4C6A-9EDC-2DF82B0BD212@gmail.com>
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] Let's deploy BIP65 CHECKLOCKTIMEVERIFY!
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2015 16:25:54 -0000

------GZ9I3VXTVGYXC557AB2HAEGWEI17U1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
 charset=UTF-8

You're right about the potential for 1 bad confirmation even with very low frequency...but with an overwhelming supermajority of hashpower, 2 bad confirmations become quite unlikely, n bad confirmations becomes exponentially unlikely in n.

As part of such soft fork deployments, it's true that old nodes might see a bad confirmation on occasion (even assuming overwhelming supermajority hashpower adoptance). So yes, old nodes and SPV clients should probably require more confirmations right around such a transition...or should upgrade. It is entirely possible to make clients warn the user if the block version is unrecognized, which will help to prevent anyone from accepting bad blocks (although SPV security necessarily relies on miners to validate for them).

On October 7, 2015 9:02:14 AM PDT, Eric Lombrozo <elombrozo@gmail.com> wrote:
>That's why it's important to measure miner adoptance. Note that this
>isn't a vote - it's an adoption metric for what is presumably a fairly
>uncontroversial upgrade. If there's contentious controversy amongst
>miner all bets are off.
>
>Our current mechanisms are imperfect in this regard...as we've seen in
>the past, miners have deliberately disabled checks despite signaling
>adoption in their blocks. But a real hashpower supermajority would make
>such attacks hard to pull off in practice.
>
>- Eric
>
>On October 7, 2015 8:46:08 AM PDT, "Jonathan Toomim (Toomim Bros) via
>bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>On Oct 7, 2015, at 8:00 AM, Anthony Towns via bitcoin-dev
>><bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> *But* a soft fork that only forbids transactions that would
>>previously
>>> not have been mined anyway should be the best of both worlds, as it
>>> automatically reduces the liklihood of old miners building newly
>>invalid
>>> blocks to a vanishingly small probability; which means that upgraded
>>> bitcoin nodes, non-upgraded bitcoin nodes, /and/ SPV clients *all*
>>> continuing to work fine during the upgrade.
>>
>>I agree with pretty much everything you wrote except the above
>>paragraph.
>>
>>An attacker can create a transaction that would be valid if it were an
>>OP_NOP, but not valid if it were any more restrictive transaction. For
>>example, an attacker might send 1 BTC to an address with  . An old
>node
>>would consider that OP_CLTV to be OP_NOP, so no signature is necessary
>>for old nodes. Then the attacker buys something from a merchant
>running
>>old node code or an SPV client, and spends the 1 BTC in that address
>in
>>a way that is invalid according to OP_CLTV but valid according to
>>OP_NOP, and includes a hefty fee. A miner on the old version includes
>>this transaction into a block, thereby making the block invalid
>>according to the new rules, and rejected by new-client miners. The
>>merchant sees the 1-conf, and maybe even 2-conf, rejoices, and ships.
>>The attacker then has until the OP_CLTV matures to double-spend the
>>coin with new nodes using a valid signature.
>>
>>Basically, it's trivial to create transactions that exploit the
>>difference in validation rules as long as miners are still on the old
>>version to mine them. Transactions can be created that are guaranteed
>>to be orphaned and trivially double-spendable. Attackers never have to
>>risk actual losses. This can be done as long as miners continue to
>mine
>>old-version blocks, regardless of their frequency.
>>
>>Those of you who know Script better than me: would this be an example
>>of a transaction that would be spendable with a valid sig XOR with
>(far
>>future date OR old code)?
>>
>>OP_DUP OP_HASH160 <pubkeyhash> OP_EQUALVERIFY OP_CHECKSIGVERIFY
>>OP_PUSHDATA <locktime far in the future> OP_CLTV
>>
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>bitcoin-dev mailing list
>>bitcoin-dev@lists.linuxfoundation.org
>>https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
------GZ9I3VXTVGYXC557AB2HAEGWEI17U1
Content-Type: text/html;
 charset=utf-8
Content-Transfer-Encoding: 8bit

<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii" /></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">You&#39;re right about the potential for 1 bad confirmation even with very low frequency...but with an overwhelming supermajority of hashpower, 2 bad confirmations become quite unlikely, n bad confirmations becomes exponentially unlikely in n.<br>
<br>
As part of such soft fork deployments, it&#39;s true that old nodes might see a bad confirmation on occasion (even assuming overwhelming supermajority hashpower adoptance). So yes, old nodes and SPV clients should probably require more confirmations right around such a transition...or should upgrade. It is entirely possible to make clients warn the user if the block version is unrecognized, which will help to prevent anyone from accepting bad blocks (although SPV security necessarily relies on miners to validate for them).<br><br><div class="gmail_quote">On October 7, 2015 9:02:14 AM PDT, Eric Lombrozo &lt;elombrozo@gmail.com&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
That&#39;s why it&#39;s important to measure miner adoptance. Note that this isn&#39;t a vote - it&#39;s an adoption metric for what is presumably a fairly uncontroversial upgrade. If there&#39;s contentious controversy amongst miner all bets are off.<br />
<br />
Our current mechanisms are imperfect in this regard...as we&#39;ve seen in the past, miners have deliberately disabled checks despite signaling adoption in their blocks. But a real hashpower supermajority would make such attacks hard to pull off in practice.<br />
<br />
- Eric<br /><br /><div class="gmail_quote">On October 7, 2015 8:46:08 AM PDT, &quot;Jonathan Toomim (Toomim Bros) via bitcoin-dev&quot; &lt;bitcoin-dev@lists.linuxfoundation.org&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br /><div><div>On Oct 7, 2015, at 8:00 AM, Anthony Towns via bitcoin-dev &lt;<a href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:</div><br class="Apple-interchange-newline" /><blockquote type="cite"><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">*But* a soft fork that only forbids transactions that would previously</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" /><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">not have been mined anyway should be the best of both worlds, as it</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" /><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start
 ;
text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">automatically reduces the liklihood of old miners building newly invalid</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" /><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">blocks to a vanishingly small probability; which means t
 hat
upgraded</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" /><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">bitcoin nodes, non-upgraded bitcoin nodes, /and/ SPV clients *all*</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" /><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;">continuing to work fine during the upgrade.</span><br style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" /></blockquote></div><br /><div>I agree with pretty much everything you wrote except the above paragraph.&nbsp;</div><div><br /></div><div>An at
 tacker
can create a transaction that would be valid if it were an OP_NOP, but not valid if it were any more restrictive transaction. For example, an attacker might send 1 BTC to an address with &nbsp;. An old node would consider that OP_CLTV to be OP_NOP, so no signature is necessary for old nodes. Then the attacker buys something from a merchant running old node code or an SPV client, and spends the 1 BTC in that address in a way that is invalid according to OP_CLTV but valid according to OP_NOP, and includes a hefty fee. A miner on the old version includes this transaction into a block, thereby making the block invalid according to the new rules, and rejected by new-client miners. The merchant sees the 1-conf, and maybe even 2-conf, rejoices, and ships. The attacker then has until the OP_CLTV matures to double-spend the coin with new nodes using a valid signature.</div><div><br /></div><div>Basically, it's trivial to create transactions that exploit the difference in validation ru
 les as
long as miners are still on the old version to mine them. Transactions can be created that are guaranteed to be orphaned and trivially double-spendable. Attackers never have to risk actual losses. This can be done as long as miners continue to mine old-version blocks, regardless of their frequency.</div><div><br /></div><div>Those of you who know Script better than me: would this be an example of a transaction that would be spendable with a valid sig XOR with (far future date OR old code)?</div><div><br /></div><div>OP_DUP OP_HASH160 &lt;pubkeyhash&gt; OP_EQUALVERIFY OP_CHECKSIGVERIFY OP_PUSHDATA &lt;locktime far in the future&gt; OP_CLTV</div><p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />bitcoin-dev mailing list<br />bitcoin-dev@lists.linuxfoundation.org<br /><a href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br
/></pre></blockquote></div><br /></blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>
------GZ9I3VXTVGYXC557AB2HAEGWEI17U1--