1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
|
Return-Path: <truthcoin@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 5A063C19
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 Dec 2017 22:29:43 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-qt0-f169.google.com (mail-qt0-f169.google.com
[209.85.216.169])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 891E0411
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 Dec 2017 22:29:42 +0000 (UTC)
Received: by mail-qt0-f169.google.com with SMTP id r39so1117487qtr.13
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 Dec 2017 14:29:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=subject:to:cc:references:from:message-id:date:user-agent
:mime-version:in-reply-to:content-transfer-encoding:content-language;
bh=urV9PzkCEbOO4ZPFnuGuKmTSUQnt4Lmggsomg/L1yYo=;
b=Nh6ke0rhgWq171IfxCZE1OqOWfeYoBijXHIwNk1ZWLCkbMVRzdizoPAb3qtJn4i1pQ
tCxPelFEer7psGgrKS1+syRV6VXyV3ixaWK83DMnctxCRMRYSH/O2tNuvdcbbLsmacSy
FP9cZuVYgVYBvkQItlv5j3m7QegBv/+QyhFrmYxabsO02sWQSl/q8doo9OOj9F2xjJFg
eKCQuFL/BfAg8wos4c7TMBBepJ+YiG54kleLkt0Zp+z5kS/FIn2e8rzs6vPJZmDrniYt
GTjgSAaZYXnVyY6aAC0UMDZHTq/IA5yXA7Soh9vwS3tPMrtwcO4zvjxxPYoSdvvzOtxN
NUbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:subject:to:cc:references:from:message-id:date
:user-agent:mime-version:in-reply-to:content-transfer-encoding
:content-language;
bh=urV9PzkCEbOO4ZPFnuGuKmTSUQnt4Lmggsomg/L1yYo=;
b=ElNrECWY26ORcqbO9HDAoGGU2UAyLgjX1MgzSepr38xE8amSSPDRXthBurxzywI9b0
O63hVtRvQtto25PcNN8nsId/+JP3EaLXeSusl1mNwlFsSH614cl8C8g8Sz30TR7HJb+P
/qccZWacJBrFCLrqDEVRgGgw8aj83jIMD5oGr1OCrA9pHRIvQr9xXUcvOgTVKEhDb+zY
XpeIbn0lwiQTSYwEmiR8rGdCkQuaBvJs4d9SNz7DCQ8UwvXk3ha21IVY7LuEwmpOAVrT
CSP1uq6mngEVa0+qqG8zNlVGx147u+dtIu+okvtfPi5u2M33BngSlcUQid13rrtBNhba
ogNg==
X-Gm-Message-State: AKGB3mIFQj3n2DBgusfs3K5AKMH2vB90dztbPCBLPchmu7TJziLq4/sl
vTXYHcRNCKx61nujbJnAdhNVdA==
X-Google-Smtp-Source: ACJfBovkKtAA95s/wjt1gUJgQOHSc06UU/TYmne8Ejy1nIgF36gI8LY1/+fOFZeNpqjXpvxyQukBOw==
X-Received: by 10.200.57.80 with SMTP id t16mr7857924qtb.98.1513117781076;
Tue, 12 Dec 2017 14:29:41 -0800 (PST)
Received: from [192.168.1.104] (ool-45726efb.dyn.optonline.net.
[69.114.110.251]) by smtp.googlemail.com with ESMTPSA id
c16sm122335qtd.80.2017.12.12.14.29.39
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Tue, 12 Dec 2017 14:29:40 -0800 (PST)
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>, Chris Stewart <chris@suredbits.com>
References: <d3497397-33c3-90c1-1be8-a733736eac0b@gmail.com>
<1bb6cccd-3f6d-d62a-2825-4e6f46a4b525@mattcorallo.com>
<dd2781a6-3e10-9f0c-6ee0-a2c070b7cf67@gmail.com>
<CAB+qUq4wNv=-ZSibUvVCwYSE7Qw8xe8EH91KG6znUp1d7X=mdA@mail.gmail.com>
<c898cc1c-d71c-de5c-aede-a2a4235656e0@gmail.com>
<XiOYlqnc-qXA7EdhRL5FyNeLDM6D5HissnTjnmuLlRrh8K2upymkEcnZb3drGUafY8CKkWjRbVQauYyUfA5cZrnIpNs5UAqWkcpahibEBpc=@protonmail.com>
From: Paul Sztorc <truthcoin@gmail.com>
Message-ID: <a29e72dd-f401-387b-6f54-473adf065166@gmail.com>
Date: Tue, 12 Dec 2017 17:29:39 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <XiOYlqnc-qXA7EdhRL5FyNeLDM6D5HissnTjnmuLlRrh8K2upymkEcnZb3drGUafY8CKkWjRbVQauYyUfA5cZrnIpNs5UAqWkcpahibEBpc=@protonmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Two Drivechain BIPs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2017 22:29:43 -0000
Hi Zmn,
I'm actually not sure that the existence of these tools makes the
attacker's collective action problem that much easier to solve.
As I said: "...even the most straightforward attack (of "a 51% hashrate
group attacks a sidechain and distributes the proceeds to the group
proportional to hashpower") is actually one that contains a difficult
(and potentially interminable) negotiation."
But even under your scheme, there is someone who has to seek out the
Accomplices, and has to try to figure out what is acceptable to pay
them. This sparks a tiresome negotiation that drains both parties of
time and effort and might potentially last forever. Problematically,
there is a Market for Lemons problem with respect to how many blocks an
Accomplice "will" mine. If many people try to be Thieves at once, then
each individual Thief has less of an incentive to bother trying to steal
in the first place.
And so, even if your scheme does work, the improvement seems small. And
even if the improvement is very great, the remaining collective action
problem is still more difficult than the one in the comparative "reorg
case" (in which the problem is just to "pick the block number from which
to start the reorg").
Paul
On 12/5/2017 11:49 PM, ZmnSCPxj wrote:
> Good morning Paul and Chris,
>
> >3. Collective Action Problem
> >
> >There actually is a collective action problem inherent to fraudulent
> withdrawals.
> >
> >If miners wish to fraudulently withdraw from the sidechain, they need
> to choose the destination addresses (on mainchain Bitcoin Core) months
> in advance. Then they need to upvote/downvote this
> >destination, despite that fact that --during this time-- new
> hashpower might be coming online/offline, and/or hashers might be
> joining/leaving specific pools. I bring this up to demonstrate that
> even the most
> >straightforward attack (of "a 51% hashrate group attacks a sidechain
> and distributes the proceeds to the group proportional to hashpower")
> is actually one that contains a difficult (and potentially
> >interminable) negotiation. The effort required to initiate the
> negotiation is the source of the collective action problem here.
> >
> >I think that this collective action problem is actually more
> burdensome than Bitcoin's -- for mainchain Bitcoin miners merely need
> to decide which block height they intend to reorganize from.
>
> I actually devised a way to work around this collective action
> problem, and discussed it obliquely in a private e-mail with Chris,
> while I was preparing my article on sidechain weaknesses.=C2=A0 I remov=
ed
> it before publication of the sidechain weaknesses article, but perhaps
> I should not have.
>
> Collective action can be ensured by contract.=C2=A0 In a world where so=
me
> system can enforce certain actions programmatically, it is possible to
> ensure collective action via a program, i.e. a "smart contract".
>
> The thief pays out to the destination address that is a P2SH of the
> below script:
>
> OP_IF
> =C2=A0 OP_HASH160 <hash> OP_EQUALVERIFY
> =C2=A0 OP_DUP OP_HASH160 <thiefPubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
> OP_ELSE
> =C2=A0 <withdrawTime+1week> OP_CHECKLOCKTIMEVERIFY OP_DROP
> =C2=A0 OP_TRUE
> OP_ENDIF
>
> If the thief does not publish the preimage of the hash within 1 week
> of the withdrawal time, then it becomes possible for anyone to spend
> the above script; basically, some lucky miner who wins the first block
> past the specified time will get the entire winnings.=C2=A0 Let us call=
the
> above script, the Theft Contract.
>
> The thief then recruits accomplices to the theft.=C2=A0 Note that the
> attack can be prepared and initiated before the accomplices are even
> recruited.
>
> The thief locks some coins (the "cut" the accomplice gets), to the
> below script, for each accomplice it tries to entice:
>
> OP_IF
> =C2=A0 OP_HASH160 <hash> OP_EQUALVERIFY
> =C2=A0 OP_DUP OP_HASH160 <accomplicePubKeyHash> OP_EQUALVERIFY OP_CHECK=
SIG
> OP_ELSE
> =C2=A0 <withdrawTime+2week> OP_CHECKLOCKTIMEVERIFY OP_DROP
> =C2=A0 OP_DUP OP_HASH160 <thiefPubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
> OP_ENDIF
>
> Let us call the above script, the Accomplice Contract.=C2=A0 If the
> accomplice accepts, he or she then starts to vote for the invalid
> withdrawal.
>
> If the invalid withdrawal succeeds, the thief acquires the entire
> theft price from the Theft Contract by publishing the preimage to the
> <hash>.=C2=A0 (If he or she does not, then, some randomly-selected mine=
r
> will acquire the money after the timeout, so the thief needs to
> publish the hash, before the timeout in the Theft Contract).
>
> This publishes the preimage on the blockchain.=C2=A0 Each accomplice ca=
n
> then acquire their "cut" of the theft by copying the preimage and
> claiming from the Accomplice Contract.
>
> If the theft never succeeds, then there is no reason for the thief to
> ever publish the preimage, and after the timeout on the Accomplice
> Contract, the thief can recover his or her offered funds at no loss
> (minus transaction fees),=C2=A0 This incentivizes accomplices to actual=
ly
> cooperate with the thief, as they will not get paid if the theft does
> not push through.
>
> All that is necessary is for a single "mastermind" thief to begin this
> process.=C2=A0 Accomplices can be recruited later, with the "cut" they =
get
> negotiated according to how much hashpower they can bring to bear on
> theft.
>
> Newly-created miners and mining pools can be enticed at the time they
> arise by offering an Accomplice Contract to them.=C2=A0 Thus, newly-cre=
ated
> miners and mining pools can be brought into cooperation with the thief
> as soon as they make a presence on the blockchain.
>
> Even if some mining pool makes a public statement that they will not
> assist in the theft, the thief may still commit an Accomplice Contract
> for them on-chain anyway, and publicize it, in order to put the
> integrity of that mining pool in question and drive out support from
> that mining pool.=C2=A0 True accomplices may pretend to initially be ho=
nest
> and then signal dishonestly later, in order to make it more plausible
> that a pool that "committed" to not support the theft is not trustable
> since they have an Accomplice Contract that will compensate them if
> they support the theft, creating further confusion and discord among
> honest miners.=C2=A0 The thief may also use the existence of such an
> Accomplice Contract while negotiating with more minor miners and
> mining pools, in order to entice those also to join, and thus gain
> additional buffer against the stochastic process of miner voting.
>
> With the Theft Contract and the Accomplice Contract, negotiation can
> be done in parallel with the theft attempt, reducing the cost of
> organizing collective action, as we have all hoped "smart contracts"
> would do.
>
> ----
>
> While it is true, that this requires that the thief have significant
> funds in reserve prior to theft (in order to fund the Accomplice
> Contracts he or she will have to offer to potential accomplices), we
> have always been assured that theft can be initiated by miners only,
> and that miners already have a significant amount of money they
> control.=C2=A0 So it will be no problem for a potential thief to reserv=
e
> some funds for paying to Accomplice Contracts.
>
> This vulnerability can be fixed if withdrawals are restricted to
> simple P2PKH or P2WPKH only, but in the presence of Scriptless Script
> and Bellare-Neven signatures, that may be sufficient to create the
> Theft Contract and the Accomplice Contract (but I know too little of
> Scriptless Script to be sure).
>
> Regards,
> ZmnSCPxj
|