summaryrefslogtreecommitdiff
path: root/1a/9b65fb14d5f52e7b2c6d709c2bb2f336ff6578
blob: e940f8437c40eb0b1d7176ac97a7242e1737f901 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <natanael.l@gmail.com>) id 1YPXlu-0000IO-Gs
	for bitcoin-development@lists.sourceforge.net;
	Sun, 22 Feb 2015 14:44:38 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
	designates 74.125.82.44 as permitted sender)
	client-ip=74.125.82.44; envelope-from=natanael.l@gmail.com;
	helo=mail-wg0-f44.google.com; 
Received: from mail-wg0-f44.google.com ([74.125.82.44])
	by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1YPXls-0007MN-CQ
	for bitcoin-development@lists.sourceforge.net;
	Sun, 22 Feb 2015 14:44:38 +0000
Received: by mail-wg0-f44.google.com with SMTP id k14so21310420wgh.3
	for <bitcoin-development@lists.sourceforge.net>;
	Sun, 22 Feb 2015 06:44:30 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.194.200.233 with SMTP id jv9mr13673283wjc.51.1424616270320; 
	Sun, 22 Feb 2015 06:44:30 -0800 (PST)
Received: by 10.194.28.170 with HTTP; Sun, 22 Feb 2015 06:44:30 -0800 (PST)
Received: by 10.194.28.170 with HTTP; Sun, 22 Feb 2015 06:44:30 -0800 (PST)
In-Reply-To: <CAAt2M18fPgYOsfdebmU1Tk6ATnndPBn0k2PN-4fUJs1iTBTqnQ@mail.gmail.com>
References: <CALqxMTGBVdMX2RkuXNhkJ38XRM6DgAj+OmQTfHWuVF=emD-06Q@mail.gmail.com>
	<20150222123428.GA6570@savin.petertodd.org>
	<CAAt2M18fPgYOsfdebmU1Tk6ATnndPBn0k2PN-4fUJs1iTBTqnQ@mail.gmail.com>
Date: Sun, 22 Feb 2015 15:44:30 +0100
Message-ID: <CAAt2M191ZnfofpJejNV_4uNaAVDyV89_+Zu5z7MT8sOhp7PQ7w@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: multipart/alternative; boundary=047d7bb70c7ebbdb50050fae52f6
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(natanael.l[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1YPXls-0007MN-CQ
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] alternate proposal opt-in miner takes
 double-spend (Re: replace-by-fee v0.10.0rc4)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sun, 22 Feb 2015 14:44:38 -0000

--047d7bb70c7ebbdb50050fae52f6
Content-Type: text/plain; charset=UTF-8

Den 22 feb 2015 14:29 skrev "Natanael" <natanael.l@gmail.com>:
>
>
> Den 22 feb 2015 13:36 skrev "Peter Todd" <pete@petertodd.org>:
>
> > Implementing it as a general purpose scripting language improvement has
> > a lot of advantages, not least of which is that you no longer need to
> > rely entirely on inherently unreliable P2P networking: Promise to never
> > create two signatures for a specific BIP32 root pubkey and make
> > violating that promise destroy and/or reallocate a fidelity bond whose
> > value is locked until some time into the future. Since the fidelity bond
> > is a separate pool of funds, detection of the double-spend can happen
> > later.
>
> Somebody sent me a zero-confirmation transaction, or one that got
orphaned after one block. I created a transaction spending that UTXO, and
another.
>
> So at that point I have UTXO_orphaned based on the sender's UTXO_origin
and my UTXO_old (because I've had it unspent for a long time), both in one
transaction, creating UTXO_new.
>
> Now he doublespend UTXO_origin to create a UTXO_doublespend (which
conflicts with UTXO_orphaned). He conspires with a miner to get it into a
block.
>
> Now what? Can my UTXO_old effectively be tainted forever because UTXO_new
got invalidated together with UTXO_orphaned? Will that transaction be a
valid proof of doublespend against a new UTXO_replacement I created?
>
> Or otherwise, if only transactions where all UTXO's are currently valid
works as doublespend proofs, aren't you still just left without protection
against any one miner that conspires with doublespend attempting thieves?
>
> In other words, you are unprotected and potentially at greater risk if
you create a transaction depending on another zero-confirmation transaction.

Additional comments:

If you punish the creation of UTXO_replacement, you will punish people who
was lead to think zero-confirmation transactions were safe and thus that
chains of zero-confirmation transactions also were safe.

If you don't, but STILL accept chains of zero-confirmation transactions
were not all of them are covered by fidelity bonds, then you failed to
protect yourself against thieves who creates chains of unconfirmed
transactions.

Another question: if all transactions in the chain are covered by fidelity
bonds for their own value, which one pays out to who? Does only the first
one pay out, and only to the last party in the chain? Or to every
subsequent party after him? In full or just a fraction? Why, why not? You
might not know which of these serviced their customers in full without
getting full value back in exchange due to the doublespend.

What if the fidelity bond is too small, do you stop accepting it as a
zero-confirmation transaction?

Do you even accept chains of unconfirmed transactions at all?

--047d7bb70c7ebbdb50050fae52f6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr"><br>
Den 22 feb 2015 14:29 skrev &quot;Natanael&quot; &lt;<a href=3D"mailto:nata=
nael.l@gmail.com">natanael.l@gmail.com</a>&gt;:<br>
&gt;<br>
&gt;<br>
&gt; Den 22 feb 2015 13:36 skrev &quot;Peter Todd&quot; &lt;<a href=3D"mail=
to:pete@petertodd.org">pete@petertodd.org</a>&gt;:<br>
&gt;<br>
&gt; &gt; Implementing it as a general purpose scripting language improveme=
nt has<br>
&gt; &gt; a lot of advantages, not least of which is that you no longer nee=
d to<br>
&gt; &gt; rely entirely on inherently unreliable P2P networking: Promise to=
 never<br>
&gt; &gt; create two signatures for a specific BIP32 root pubkey and make<b=
r>
&gt; &gt; violating that promise destroy and/or reallocate a fidelity bond =
whose<br>
&gt; &gt; value is locked until some time into the future. Since the fideli=
ty bond<br>
&gt; &gt; is a separate pool of funds, detection of the double-spend can ha=
ppen<br>
&gt; &gt; later.<br>
&gt;<br>
&gt; Somebody sent me a zero-confirmation transaction, or one that got orph=
aned after one block. I created a transaction spending that UTXO, and anoth=
er.<br>
&gt;<br>
&gt; So at that point I have UTXO_orphaned based on the sender&#39;s UTXO_o=
rigin and my UTXO_old (because I&#39;ve had it unspent for a long time), bo=
th in one transaction, creating UTXO_new.<br>
&gt;<br>
&gt; Now he doublespend UTXO_origin to create a UTXO_doublespend (which con=
flicts with UTXO_orphaned). He conspires with a miner to get it into a bloc=
k.<br>
&gt;<br>
&gt; Now what? Can my UTXO_old effectively be tainted forever because UTXO_=
new got invalidated together with UTXO_orphaned? Will that transaction be a=
 valid proof of doublespend against a new UTXO_replacement I created?<br>
&gt;<br>
&gt; Or otherwise, if only transactions where all UTXO&#39;s are currently =
valid works as doublespend proofs, aren&#39;t you still just left without p=
rotection against any one miner that conspires with doublespend attempting =
thieves?<br>
&gt;<br>
&gt; In other words, you are unprotected and potentially at greater risk if=
 you create a transaction depending on another zero-confirmation transactio=
n.</p>
<p dir=3D"ltr">Additional comments:</p>
<p dir=3D"ltr">If you punish the creation of UTXO_replacement, you will pun=
ish people who was lead to think zero-confirmation transactions were safe a=
nd thus that chains of zero-confirmation transactions also were safe.</p>
<p dir=3D"ltr">If you don&#39;t, but STILL accept chains of zero-confirmati=
on transactions were not all of them are covered by fidelity bonds, then yo=
u failed to protect yourself against thieves who creates chains of unconfir=
med transactions.</p>
<p dir=3D"ltr">Another question: if all transactions in the chain are cover=
ed by fidelity bonds for their own value, which one pays out to who? Does o=
nly the first one pay out, and only to the last party in the chain? Or to e=
very subsequent party after him? In full or just a fraction? Why, why not? =
You might not know which of these serviced their customers in full without =
getting full value back in exchange due to the doublespend. </p>
<p dir=3D"ltr">What if the fidelity bond is too small, do you stop acceptin=
g it as a zero-confirmation transaction? </p>
<p dir=3D"ltr">Do you even accept chains of unconfirmed transactions at all=
? </p>

--047d7bb70c7ebbdb50050fae52f6--