Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 73937727 for ; Thu, 26 Jan 2017 08:59:30 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f53.google.com (mail-oi0-f53.google.com [209.85.218.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 42893123 for ; Thu, 26 Jan 2017 08:59:29 +0000 (UTC) Received: by mail-oi0-f53.google.com with SMTP id w204so132462196oiw.0 for ; Thu, 26 Jan 2017 00:59:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=4XiIZrO272/vNZLJ5aWAphEjgTopUaNwolkddo5/Kdc=; b=tsRNQ4Xnv04tPSlXX0BpIUV07pvN0OAbZj6XPzoFwsUasJgUUZGOwtY5EjKY1RmgNW rmrd11OkPfWLryE5dSJ75WpMtVgX4I4uVFb/B+73vCJ4R4fLPLogqaz4SvBhJg3XINWy IjhGt31BmOabzbr5/SC0+kQC0lrcHmZqKBsPKBI9wRllASTjY1t8G83zI7YICWWNsKPk RJDJ3VdBu8LduR/NiG0IOLoyrYYeF/sPchdmO+ajSZ4AfSyOiQnK/pdQlB1DkCE2yJaR jk/uMOu2QveSGeRBkd2rfpd0Q5P5p4ulb/sNfgToZ4x9wDCsJJ+Ppu4uY8NCRA5CYTCF hqfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=4XiIZrO272/vNZLJ5aWAphEjgTopUaNwolkddo5/Kdc=; b=cvTfvua+fcnkzcUXlguNwrl/J82qSufYrwuWrcP9/m+qMKMpxWCfZdbO2bDCkYMYQH Zz5z4J8iuCySLRwmM0TAcmfvHMSadXyxD1ULACPBYdORnGuA0LCIJn8Ogh+VrKhX7pVY TQxWBV66W4Onwm/OZS0LF1qPdcK656FCVLtP4eEVu/yif+Lvfkw3iEU1f6OSn3RENl+P gndIJ/7y394+5tponhiLK9udbxQ4QEPRwceI9nmtVtkDt1DLDSnS3C6wyKHbliqWhrHN +tvsvb/+EqKGngpNAoBa4IRXRiO8tLGbA4mGjcObMevmf1k29t8R7L7YAUC0x8FU4/Rb 2GQw== X-Gm-Message-State: AIkVDXKv2JP+Rsm12IwQfCJ2LV5k9jcNoPzOAn4vV4keFNQhxC3HG5HTC0XvfY/JJjbe2LttGpYdO6uuQxiJZw== X-Received: by 10.202.231.204 with SMTP id e195mr977436oih.141.1485421168327; Thu, 26 Jan 2017 00:59:28 -0800 (PST) MIME-Version: 1.0 Sender: nbvfour@gmail.com Received: by 10.182.167.68 with HTTP; Thu, 26 Jan 2017 00:59:27 -0800 (PST) In-Reply-To: References: <93ac7433-470c-d59e-e085-29f0f1613676@mattcorallo.com> From: Chris Priest Date: Thu, 26 Jan 2017 00:59:27 -0800 X-Google-Sender-Auth: UA3gVXoNXBgdSJdczUWYQf5t4xk Message-ID: To: Johnson Lau Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 26 Jan 2017 09:32:36 +0000 Cc: bitcoin-dev Subject: Re: [bitcoin-dev] Anti-transaction replay in a hardfork X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jan 2017 08:59:30 -0000 > If there is a split, it becomes 2 incompatible ledgers. Not necessarily. When the BIP50 hard fork happened, it didn't create two incompatible ledgers. It *could* have, but it didn't. If every single transaction mined during that time has been "double spent" on the other chain, then it would have created a very bad situation. When one side of the fork gets abandoned, actual users would have lost money. Since only one person was able to perform this double spend, only the miners and that one double spender lost money when the one side was abandoned. If there had been a significant number of users who had value only on the chain that was eventually abandoned, that chain would have incentive to not be abandoned and that *would* have resulted in a permanent incompatible split. It was essentially the replay *effect* (not "attack") that allowed bitcoin to survive that hard fork. BIP50 was written before the term "replay attack" or "replay effect" has been coined, so it doesn't say much about how transactions replayed... On 1/25/17, Johnson Lau wrote: > I don=E2=80=99t think this is how the blockchain consensus works. If ther= e is a > split, it becomes 2 incompatible ledgers. Bitcoin is not a trademark, and > you don=E2=80=99t need a permission to hardfork it. And what you suggest = is also > technically infeasible, as the miners on the new chain may not have a > consensus only what=E2=80=99s happening in the old chain. > >> On 26 Jan 2017, at 15:03, Chris Priest wrote: >> >> I don't think the solution should be to "fix the replay attack", but >> rather to "force the replay effect". The fact that transactions can be >> relayed should be seen as a good thing, and not something that should >> be fixed, or even called an "attack". >> >> The solution should be to create a "bridge" that replays all >> transactions from one network over to the other, and vice-versa. A >> fork should be transparent to the end-user. Forcing the user to choose >> which network to use is bad, because 99% of people that use bitcoin >> don't care about developer drama, and will only be confused by the >> choice. When a user moves coins mined before the fork date, both >> blockchains should record that transaction. Also a rule should be >> introduced that prevents users "tainting" their prefork-mined coins >> with coins mined after the fork. All pre-fork mined coins should >> "belong" to the network with hashpower majority. No other networks >> should be able to claim pre-forked coins as being part of their >> issuance (and therefore part of market cap). Market cap may be >> bullshit, but it is used a lot in the cryptosphere to compare coins to >> each other. >> >> The advantage of pre-fork coins being recorded on both forks is that >> if one fork goes extinct, no one loses any money. This setup >> encourages the minority chain to die,and unity returned. If pre-fork >> coins change hands on either fork (and not on the other), then holders >> have an incentive to not let their chain die, and the networks will be >> irreversibly split forever. The goal should be unity not permanent >> division. >> >> On 1/25/17, Matt Corallo via bitcoin-dev >> wrote: >>> "A. For users on both existing and new fork, anti-replay is an option, >>> not mandatory" >>> >>> To maximize fork divergence, it might make sense to require this. Any >>> sensible proposal for a hard fork would include a change to the sighash >>> anyway, so might as well make it required, no? >>> >>> Matt >>> >>> On 01/24/17 14:33, Johnson Lau via bitcoin-dev wrote: >>>> This is a pre-BIP. Just need some formatting to make it a formal BIP >>>> >>>> Motivation: >>>> >>>> In general, hardforks are consensus rule changes that make currently >>>> invalid transactions / blocks valid. It requires a very high degree of >>>> consensus and all economic active users migrate to the new rules at th= e >>>> same time. If a significant amount of users refuse to follow, a >>>> permanent ledger split may happen, as demonstrated by Ethereum (=E2=80= =9CDAO >>>> hardfork"). In the design of DAO hardfork, a permanent split was not >>>> anticipated and no precaution has been taken to protect against >>>> transaction replay attack, which led to significant financial loss for >>>> some users. >>>> >>>> A replay attack is an attempt to replay a transaction of one network o= n >>>> another network. It is normally impossible, for example between Bitcoi= n >>>> and Litecoin, as different networks have completely different ledgers. >>>> The txid as SHA256 hash guarantees that replay across network is >>>> impossible. In a blockchain split, however, since both forks share the >>>> same historical ledger, replay attack would be possible, unless some >>>> precautions are taken. >>>> >>>> Unfortunately, fixing problems in bitcoin is like repairing a flying >>>> plane. Preventing replay attack is constrained by the requirement of >>>> backward compatibility. This proposal has the following objectives: >>>> >>>> A. For users on both existing and new fork, anti-replay is an option, >>>> not mandatory. >>>> >>>> B. For transactions created before this proposal is made, they are not >>>> protected from anti-replay. The new fork has to accept these >>>> transactions, as there is no guarantee that the existing fork would >>>> survive nor maintain any value. People made time-locked transactions i= n >>>> anticipation that they would be accepted later. In order to maximise >>>> the >>>> value of such transactions, the only way is to make them accepted by >>>> any >>>> potential hardforks. >>>> >>>> C. It doesn=E2=80=99t require any consensus changes in the existing ne= twork to >>>> avoid unnecessary debate. >>>> >>>> D. As a beneficial side effect, the O(n^2) signature checking bug coul= d >>>> be fixed for non-segregated witness inputs, optionally. >>>> >>>> Definitions: >>>> >>>> =E2=80=9CNetwork characteristic byte=E2=80=9D is the most significant = byte of the >>>> nVersion field of a transaction. It is interpreted as a bit vector, an= d >>>> denotes up to 8 networks sharing a common history. >>>> >>>> =E2=80=9CMasked version=E2=80=9D is the transaction nVersion with the = network >>>> characteristic byte masked. >>>> >>>> =E2=80=9CExisting network=E2=80=9D is the Bitcoin network with existin= g rules, before a >>>> hardfork. =E2=80=9CNew network=E2=80=9D is the Bitcoin network with ha= rdfork rules. (In >>>> the case of DAO hardfork, Ethereum Classic is the existing network, an= d >>>> the now called Ethereum is the new network) >>>> >>>> =E2=80=9CExisting network characteristic bit=E2=80=9D is the lowest bi= t of network >>>> characteristic byte >>>> >>>> =E2=80=9CNew network characteristic bit=E2=80=9D is the second lowest = bit of network >>>> characteristic byte >>>> >>>> Rules in new network: >>>> >>>> 1. If the network characteristic byte is non-zero, and the new network >>>> characteristic bit is not set, this transaction is invalid in the new >>>> network. (softfork) >>>> >>>> 2. If the network characteristic byte is zero, go to 4 >>>> >>>> 3. If the network characteristic byte is non-zero, and the new network >>>> characteristic bit is set, go to 4, regardless of the status of the >>>> other bits. >>>> >>>> 4. If the masked version is 2 or below, the new network must verify th= e >>>> transaction with the existing script rules. (no change) >>>> >>>> 5. If the masked version is 3 or above, the new network must verify th= e >>>> signatures with a new SignatureHash algorithm (hardfork). Segwit and >>>> non-segwit txs will use the same algorithm. It is same as BIP143, >>>> except >>>> that 0x2000000 is added to the nHashType before the hash is calculated= . >>>> >>>> Rules in the existing network: >>>> >>>> 6. No consensus rule changes is made in the existing network. >>>> >>>> 7. If the network characteristic byte is non-zero, and the existing >>>> network characteristic bit is not set, this transaction is not relayed >>>> nor mined by default (no change) >>>> >>>> 8. If the network characteristic byte is zero, no change >>>> >>>> 9. If the network characteristic byte is non-zero, and the existing >>>> network characteristic bit is set, the masked version is used to >>>> determine whether a transaction should be mined or relayed (policy >>>> change) >>>> >>>> 10. Wallet may provide an option for setting the existing network >>>> characteristic bit. >>>> >>>> >>>> Rationales (by rule number): >>>> >>>> 1. This makes sure transactions with only existing network >>>> characteristic bit set is invalid in the new network (opt-in >>>> anti-replay >>>> for existing network transactions on the new network, objective A) >>>> >>>> 2+4. This makes sure time-locked transactions made before this >>>> proposals >>>> are valid in the new network (objective B) >>>> >>>> 2+5. This makes sure transactions made specifically for the new networ= k >>>> are invalid in the existing network (anti-replay for new network >>>> transactions on the old network); also fixing the O(n^2) bug >>>> (objectives >>>> A and D) >>>> >>>> 3. This is to prepare for the next hardfork from the new network >>>> (objective A) >>>> >>>> 6, 7, 8. These minimise the change to the existing network (objective >>>> C) >>>> >>>> 9, 10. These are not strictly needed until a hardfork is really >>>> anticipated. Without a significant portion of the network and miners >>>> implement this policy, however, no one should create such transactions= . >>>> (objective A) >>>> >>>> >>>> Limitations: >>>> >>>> * It is not possible to protect transactions made before the proposal. >>>> To avoid a replay of such transactions, users should first spend at >>>> least a relevant UTXO on the new network so the replay transaction >>>> would >>>> be invalidated. >>>> >>>> * It is up to the designer of a hardfork to decide whether this >>>> proposal >>>> is respected. As the DAO hardfork has shown how harmful replay attack >>>> could be, all hardfork proposals (except trivial and totally >>>> uncontroversial ones) should take this into account >>>> >>>> * The size of network characteristic byte is limited to 8 bits. >>>> However, >>>> if we are sure that some of the networks are completely abandoned, the >>>> bits might be reused. >>>> >>>> >>>> Reference implementation: >>>> >>>> A demo is available in my forcenet2 >>>> branch: >>>> https://github.com/jl2012/bitcoin/commit/7c2593946c4f3e210683110782d82= f55473c682a >>>> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-January/0= 13472.html >>>> >>>> >>>> _______________________________________________ >>>> bitcoin-dev mailing list >>>> bitcoin-dev@lists.linuxfoundation.org >>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>>> >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> > > >