summaryrefslogtreecommitdiff
path: root/35/16415734e05686c7807984f8c5dab4f709c432
blob: 83380ced5fecb07133fb0e0cab2fc9fbeb254959 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <danny.thorpe@gmail.com>) id 1YxMHD-0002TJ-03
	for bitcoin-development@lists.sourceforge.net;
	Tue, 26 May 2015 21:20:43 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.218.54 as permitted sender)
	client-ip=209.85.218.54; envelope-from=danny.thorpe@gmail.com;
	helo=mail-oi0-f54.google.com; 
Received: from mail-oi0-f54.google.com ([209.85.218.54])
	by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1YxMHA-0002d0-Vo
	for bitcoin-development@lists.sourceforge.net;
	Tue, 26 May 2015 21:20:42 +0000
Received: by oiww2 with SMTP id w2so88227692oiw.0
	for <bitcoin-development@lists.sourceforge.net>;
	Tue, 26 May 2015 14:20:35 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.60.33.74 with SMTP id p10mr5861241oei.62.1432675235524; Tue,
	26 May 2015 14:20:35 -0700 (PDT)
Received: by 10.60.2.105 with HTTP; Tue, 26 May 2015 14:20:35 -0700 (PDT)
In-Reply-To: <20150526051305.GA23502@savin.petertodd.org>
References: <20150526051305.GA23502@savin.petertodd.org>
Date: Tue, 26 May 2015 14:20:35 -0700
Message-ID: <CAJN5wHXRMfZigtgJ4JTKqRMkoQgkZ-d8sZ5rkpspqySwFEQEKg@mail.gmail.com>
From: Danny Thorpe <danny.thorpe@gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: multipart/alternative; boundary=089e0115eef87df893051702b287
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(danny.thorpe[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1YxMHA-0002d0-Vo
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] First-Seen-Safe Replace-by-Fee
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 21:20:43 -0000

--089e0115eef87df893051702b287
Content-Type: text/plain; charset=UTF-8

Apologies if this has already been stated and I missed it, but:

Can transactions in a buried block be overridden/replaced by RBF?

Or is RBF strictly limited to transactions that have not yet been
incorporated into a block?

Thanks,
-Danny

On Mon, May 25, 2015 at 10:13 PM, Peter Todd <pete@petertodd.org> wrote:

> Summary
> -------
>
> First-seen-safe replace-by-fee (FSS RBF) does the following:
>
> 1) Give users effective ways of getting "stuck" transactions unstuck.
> 2) Use blockchain space efficiently.
>
> without:
>
> 3) Changing the status quo with regard to zeroconf.
>
> The current Bitcoin Core implementation has "first-seen" mempool
> behavior. Once transaction t1 has been accepted, the transaction is
> never removed from the mempool until mined, or double-spent by a
> transaction in a block. The author's previously proposed replace-by-fee
> replaced this behavior with simply accepting the transaction paying the
> highest fee.
>
> FSS RBF is a compromise between these two behaviors. Transactions may be
> replaced by higher-fee paying transactions, provided that all outputs in
> the previous transaction are still paid by the replacement. While not as
> general as standard RBF, and with higher costs than standard RBF, this
> still allows fees on transaction to be increased after the fact with
> less cost and higher efficiency than child-pays-for-parent in many
> common situations; in some situations CPFP is unusable, leaving RBF as
> the only option.
>
>
> Semantics
> ---------
>
> For reference, standard replace-by-fee has the following criteria for
> determining whether to replace a transaction.
>
> 1) t2 pays > fees than t1
>
> 2) The delta fees pay by t2, t2.fee - t1.fee, are >= the minimum fee
>    required to relay t2. (t2.size * min_fee_per_kb)
>
> 3) t2 pays more fees/kb than t1
>
> FSS RBF adds the following additional criteria to replace-by-fee before
> allowing a transaction t1 to be replaced with t2:
>
> 1) All outputs of t1 exist in t2 and pay >= the value in t1.
>
> 2) All outputs of t1 are unspent.
>
> 3) The order of outputs in t2 is the same as in t1 with additional new
>    outputs at the end of the output list.
>
> 4) t2 only conflicts with a single transaction, t1
>
> 5) t2 does not spend any outputs of t1 (which would make it an invalid
>    transaction, impossible to mine)
>
> These additional criteria respect the existing "first-seen" behavior of
> the Bitcoin Core mempool implementation, such that once an address is
> payed some amount of BTC, all subsequent replacement transactions will
> pay an equal or greater amount. In short, FSS-RBF is "zeroconf safe" and
> has no affect on the ability of attackers to doublespend. (beyond of
> course the fact that any changes what-so-ever to mempool behavior are
> potential zeroconf doublespend vulnerabilities)
>
>
> Implementation
> --------------
>
> Pull-req for git HEAD: https://github.com/bitcoin/bitcoin/pull/6176
>
> A backport to v0.10.2 is pending.
>
> An implementation of fee bumping respecting FSS rules is available at:
>
> https://github.com/petertodd/replace-by-fee-tools/blob/master/bump-fee.py
>
>
> Usage Scenarios
> ---------------
>
> Case 1: Increasing the fee on a single tx
> -----------------------------------------
>
> We start with a 1-in-2-out P2PKH using transaction t1, 226 bytes in size
> with the minimal relay fee, 2.26uBTC. Increasing the fee while
> respecting FSS-RBF rules requires the addition of one more txin, with
> the change output value increased appropriately, resulting in
> transaction t2, size 374 bytes. If the change txout is sufficient for
> the fee increase, increasing the fee via CPFP requires a second
> 1-in-1-out transaction, 192 bytes, for a total of 418 bytes; if another
> input is required, CPFP requires a 2-in-1-out tx, 340 bytes, for a total
> of 566 bytes.
>
> Benefits: 11% to 34%+ cost savings, and RBF can increase fees even in
>           cases where the original transaction didn't have a change
>           output.
>
>
> Case 2: Paying multiple recipients in succession
> ------------------------------------------------
>
> We have a 1-in-2-out P2PKH transaction t1, 226 bytes, that pays Alice.
> We now need to pay Bob. With plain RBF we'd just add a new outptu and
> reduce the value of the change address, a 90% savings. However with FSS
> RBF, decreasing the value is not allowed, so we have to add an input.
>
> If the change of t1 is sufficient to pay Bob, a second 1-in-2-out tx can
> be created, 2*226=452 bytes in total. With FSS RBF we can replace t1
> with a 2-in-3-out tx paying both, increasing the value of the change
> output appropriately, resulting in 408 bytes transaction saving 10%
>
> Similar to the above example in the case where the change address of t1
> is insufficient to pay Bob the end result is one less transaction output
> in the wallet, defragmenting it. Spending these outputs later on would
> require two 148 byte inputs compared to one with RBF, resulting in an
> overall savings of 25%
>
>
> Case 3: Paying the same recipient multiple times
> ------------------------------------------------
>
> For example, consider the situation of an exchange, Acme Bitcoin Sales,
> that keeps the majority of coins in cold storage. Acme wants to move
> funds to cold storage at the lowest possible cost, taking advantage of
> periods of higher capacity. (inevitable due to the poisson nature of
> block creation) At the same time they would like to defragment their
> incoming outputs to keep redemption costs low, particularly since
> spending their high-security 3-of-7 P2SH multisigs is expensive. Acme
> creates a low fee transaction with a single output to cold storage,
> periodically adding new inputs as funds need to be moved to storage.
> Estimating the cost savings here is complex, and depends greatly on
> details of Acme's business, but regardless the approach works from a
> technical point of view. For instance if Acme's business is such that
> the total hotwallet size needed heavily depends on external factors like
> volatility, as hotwallet demand decreases throughout a day they can add
> inputs to the pending transaction. (simply asking customers to deposit
> funds directly to the cold storage is also a useful strategy)
>
> However this is another case where standard RBF is significantly more
> useful. For instance, as withdrawal requests come in the exchange can
> quickly replace their pending transactions sending funds to cold storage
> with transactions sending those funds to customers instead, each time
> avoiding multiple costly transactions. In particular, by reducing the
> need to access cold storage at all, the security of the cold-stored
> funds is increased.
>
>
> Wallet Compatibility
> --------------------
>
> All wallets should treat conflicting incoming transactions as equivalent
> so long as the transaction outputs owned by them do not change. In
> addition to compatibility with RBF-related practices, this prevents
> unnecessary user concern if transactions are mutated. Wallets must not
> assume TXIDs are fixed until confirmed in the blockchain; a fixed TXID
> is not guaranteed by the Bitcoin protocol.
>
> --
> 'peter'[:-1]@petertodd.org
> 00000000000000000c7ea0fcac58a9d7267fef8551b9d6a5206bf42b849618cb
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

--089e0115eef87df893051702b287
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Apologies if this has already been stated and I missed it,=
 but:<div><br></div><div>Can transactions in a buried block be overridden/r=
eplaced by RBF? =C2=A0=C2=A0</div><div><br></div><div>Or is RBF strictly li=
mited to transactions that have not yet been incorporated into a block?<br>=
</div><div><br></div><div>Thanks,</div><div>-Danny</div></div><div class=3D=
"gmail_extra"><br><div class=3D"gmail_quote">On Mon, May 25, 2015 at 10:13 =
PM, Peter Todd <span dir=3D"ltr">&lt;<a href=3D"mailto:pete@petertodd.org" =
target=3D"_blank">pete@petertodd.org</a>&gt;</span> wrote:<br><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;=
padding-left:1ex">Summary<br>
-------<br>
<br>
First-seen-safe replace-by-fee (FSS RBF) does the following:<br>
<br>
1) Give users effective ways of getting &quot;stuck&quot; transactions unst=
uck.<br>
2) Use blockchain space efficiently.<br>
<br>
without:<br>
<br>
3) Changing the status quo with regard to zeroconf.<br>
<br>
The current Bitcoin Core implementation has &quot;first-seen&quot; mempool<=
br>
behavior. Once transaction t1 has been accepted, the transaction is<br>
never removed from the mempool until mined, or double-spent by a<br>
transaction in a block. The author&#39;s previously proposed replace-by-fee=
<br>
replaced this behavior with simply accepting the transaction paying the<br>
highest fee.<br>
<br>
FSS RBF is a compromise between these two behaviors. Transactions may be<br=
>
replaced by higher-fee paying transactions, provided that all outputs in<br=
>
the previous transaction are still paid by the replacement. While not as<br=
>
general as standard RBF, and with higher costs than standard RBF, this<br>
still allows fees on transaction to be increased after the fact with<br>
less cost and higher efficiency than child-pays-for-parent in many<br>
common situations; in some situations CPFP is unusable, leaving RBF as<br>
the only option.<br>
<br>
<br>
Semantics<br>
---------<br>
<br>
For reference, standard replace-by-fee has the following criteria for<br>
determining whether to replace a transaction.<br>
<br>
1) t2 pays &gt; fees than t1<br>
<br>
2) The delta fees pay by t2, t2.fee - t1.fee, are &gt;=3D the minimum fee<b=
r>
=C2=A0 =C2=A0required to relay t2. (t2.size * min_fee_per_kb)<br>
<br>
3) t2 pays more fees/kb than t1<br>
<br>
FSS RBF adds the following additional criteria to replace-by-fee before<br>
allowing a transaction t1 to be replaced with t2:<br>
<br>
1) All outputs of t1 exist in t2 and pay &gt;=3D the value in t1.<br>
<br>
2) All outputs of t1 are unspent.<br>
<br>
3) The order of outputs in t2 is the same as in t1 with additional new<br>
=C2=A0 =C2=A0outputs at the end of the output list.<br>
<br>
4) t2 only conflicts with a single transaction, t1<br>
<br>
5) t2 does not spend any outputs of t1 (which would make it an invalid<br>
=C2=A0 =C2=A0transaction, impossible to mine)<br>
<br>
These additional criteria respect the existing &quot;first-seen&quot; behav=
ior of<br>
the Bitcoin Core mempool implementation, such that once an address is<br>
payed some amount of BTC, all subsequent replacement transactions will<br>
pay an equal or greater amount. In short, FSS-RBF is &quot;zeroconf safe&qu=
ot; and<br>
has no affect on the ability of attackers to doublespend. (beyond of<br>
course the fact that any changes what-so-ever to mempool behavior are<br>
potential zeroconf doublespend vulnerabilities)<br>
<br>
<br>
Implementation<br>
--------------<br>
<br>
Pull-req for git HEAD: <a href=3D"https://github.com/bitcoin/bitcoin/pull/6=
176" target=3D"_blank">https://github.com/bitcoin/bitcoin/pull/6176</a><br>
<br>
A backport to v0.10.2 is pending.<br>
<br>
An implementation of fee bumping respecting FSS rules is available at:<br>
<br>
<a href=3D"https://github.com/petertodd/replace-by-fee-tools/blob/master/bu=
mp-fee.py" target=3D"_blank">https://github.com/petertodd/replace-by-fee-to=
ols/blob/master/bump-fee.py</a><br>
<br>
<br>
Usage Scenarios<br>
---------------<br>
<br>
Case 1: Increasing the fee on a single tx<br>
-----------------------------------------<br>
<br>
We start with a 1-in-2-out P2PKH using transaction t1, 226 bytes in size<br=
>
with the minimal relay fee, 2.26uBTC. Increasing the fee while<br>
respecting FSS-RBF rules requires the addition of one more txin, with<br>
the change output value increased appropriately, resulting in<br>
transaction t2, size 374 bytes. If the change txout is sufficient for<br>
the fee increase, increasing the fee via CPFP requires a second<br>
1-in-1-out transaction, 192 bytes, for a total of 418 bytes; if another<br>
input is required, CPFP requires a 2-in-1-out tx, 340 bytes, for a total<br=
>
of 566 bytes.<br>
<br>
Benefits: 11% to 34%+ cost savings, and RBF can increase fees even in<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 cases where the original transaction did=
n&#39;t have a change<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 output.<br>
<br>
<br>
Case 2: Paying multiple recipients in succession<br>
------------------------------------------------<br>
<br>
We have a 1-in-2-out P2PKH transaction t1, 226 bytes, that pays Alice.<br>
We now need to pay Bob. With plain RBF we&#39;d just add a new outptu and<b=
r>
reduce the value of the change address, a 90% savings. However with FSS<br>
RBF, decreasing the value is not allowed, so we have to add an input.<br>
<br>
If the change of t1 is sufficient to pay Bob, a second 1-in-2-out tx can<br=
>
be created, 2*226=3D452 bytes in total. With FSS RBF we can replace t1<br>
with a 2-in-3-out tx paying both, increasing the value of the change<br>
output appropriately, resulting in 408 bytes transaction saving 10%<br>
<br>
Similar to the above example in the case where the change address of t1<br>
is insufficient to pay Bob the end result is one less transaction output<br=
>
in the wallet, defragmenting it. Spending these outputs later on would<br>
require two 148 byte inputs compared to one with RBF, resulting in an<br>
overall savings of 25%<br>
<br>
<br>
Case 3: Paying the same recipient multiple times<br>
------------------------------------------------<br>
<br>
For example, consider the situation of an exchange, Acme Bitcoin Sales,<br>
that keeps the majority of coins in cold storage. Acme wants to move<br>
funds to cold storage at the lowest possible cost, taking advantage of<br>
periods of higher capacity. (inevitable due to the poisson nature of<br>
block creation) At the same time they would like to defragment their<br>
incoming outputs to keep redemption costs low, particularly since<br>
spending their high-security 3-of-7 P2SH multisigs is expensive. Acme<br>
creates a low fee transaction with a single output to cold storage,<br>
periodically adding new inputs as funds need to be moved to storage.<br>
Estimating the cost savings here is complex, and depends greatly on<br>
details of Acme&#39;s business, but regardless the approach works from a<br=
>
technical point of view. For instance if Acme&#39;s business is such that<b=
r>
the total hotwallet size needed heavily depends on external factors like<br=
>
volatility, as hotwallet demand decreases throughout a day they can add<br>
inputs to the pending transaction. (simply asking customers to deposit<br>
funds directly to the cold storage is also a useful strategy)<br>
<br>
However this is another case where standard RBF is significantly more<br>
useful. For instance, as withdrawal requests come in the exchange can<br>
quickly replace their pending transactions sending funds to cold storage<br=
>
with transactions sending those funds to customers instead, each time<br>
avoiding multiple costly transactions. In particular, by reducing the<br>
need to access cold storage at all, the security of the cold-stored<br>
funds is increased.<br>
<br>
<br>
Wallet Compatibility<br>
--------------------<br>
<br>
All wallets should treat conflicting incoming transactions as equivalent<br=
>
so long as the transaction outputs owned by them do not change. In<br>
addition to compatibility with RBF-related practices, this prevents<br>
unnecessary user concern if transactions are mutated. Wallets must not<br>
assume TXIDs are fixed until confirmed in the blockchain; a fixed TXID<br>
is not guaranteed by the Bitcoin protocol.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
--<br>
&#39;peter&#39;[:-1]@<a href=3D"http://petertodd.org" target=3D"_blank">pet=
ertodd.org</a><br>
00000000000000000c7ea0fcac58a9d7267fef8551b9d6a5206bf42b849618cb<br>
</font></span><br>---------------------------------------------------------=
---------------------<br>
One dashboard for servers and applications across Physical-Virtual-Cloud<br=
>
Widest out-of-the-box monitoring support with 50+ applications<br>
Performance metrics, stats and reports that give you Actionable Insights<br=
>
Deep dive visibility with transaction tracing using APM Insight.<br>
<a href=3D"http://ad.doubleclick.net/ddm/clk/290420510;117567292;y" target=
=3D"_blank">http://ad.doubleclick.net/ddm/clk/290420510;117567292;y</a><br>=
_______________________________________________<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div>

--089e0115eef87df893051702b287--