1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
Return-Path: <elombrozo@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id D1C7EE2B
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 18 Dec 2015 03:02:38 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pa0-f44.google.com (mail-pa0-f44.google.com
[209.85.220.44])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 4E8AA110
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 18 Dec 2015 03:02:38 +0000 (UTC)
Received: by mail-pa0-f44.google.com with SMTP id q3so32504772pav.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 17 Dec 2015 19:02:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=from:to:subject:cc:date:message-id:in-reply-to:reply-to:user-agent
:mime-version:content-type;
bh=zuhS2XTz5Z1UsshuBhpRBF13QWvcLpPd8UD9eoCvcj0=;
b=oUt7eXYjAo0Th5tQRQoMINLQoIoB9RqGDXKdXxOczPFld9q5bltwso063Mdhd69lVF
8xR17efPAyUoK+1zeXwFUmZU1JntvHXBHvlgw/46walqzxcGAtaydYuSffDR/vxTrzXP
6iDY1YepeMLTfCArpP1CtDUE3kpZMYZHSg/+2F4J/OWyI/Ib0O/WcZKDZqHD4u5iB4d9
Cyn0QZP8Lr06pnbFqfn/FZp+8YAkqiYqLK0WJdDjQG4GBQC+aej/w6wAeNMqa1WXJAJO
zajZkRil7MLcsUhm8lt5hozNhOdvgQ9H90ExwAfz8uPpjbZJiEOQjFWkPE2Gjyc++0c3
IiyQ==
X-Received: by 10.66.55.105 with SMTP id r9mr1678751pap.137.1450407758056;
Thu, 17 Dec 2015 19:02:38 -0800 (PST)
Received: from [192.168.1.108] (cpe-76-167-237-202.san.res.rr.com.
[76.167.237.202]) by smtp.gmail.com with ESMTPSA id
f89sm14101855pfd.10.2015.12.17.19.02.36
(version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Thu, 17 Dec 2015 19:02:37 -0800 (PST)
From: "Eric Lombrozo" <elombrozo@gmail.com>
To: "Jonathan Toomim" <j@toom.im>, "Pieter Wuille" <pieter.wuille@gmail.com>
Date: Fri, 18 Dec 2015 03:02:36 +0000
Message-Id: <em9d607452-50c0-4aa2-941e-7b637a287a70@platinum>
In-Reply-To: <E76D5BF9-41BF-4AF5-BBAC-06F4EF574EBE@toom.im>
Reply-To: "Eric Lombrozo" <elombrozo@gmail.com>
User-Agent: eM_Client/6.0.23181.0
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="------=_MB5BED5328-D5EE-4309-8CC3-05B819EFB065"
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] On the security of softforks
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 03:02:38 -0000
--------=_MB5BED5328-D5EE-4309-8CC3-05B819EFB065
Content-Type: text/plain; format=flowed; charset=utf-8
Content-Transfer-Encoding: quoted-printable
First of all, that's an expensive beer!
Second of all, any consensus rule change risks non-full-validating or=20
non-upgraded nodes seeing invalid confirmations...but assuming a large=20
supermajority (i.e. > 95%) of hashing power is behind the new rule, it=20
is extremely unlikely that very many invalid confirmations will ever be=20
seen by anyone. The number of confirmations you require depends on your=20
use case security requirements...and especially during a new rule=20
activation, it is probably not a good idea for non-validating nodes or=20
non-upgraded nodes to accept coins with low confirmation counts unless=20
the risk is accounted for in the use case (i.e. a web hosting provider=20
that can shut the user out if fraud is later detected).
Third of all, as long as the rule change activation is signaled in=20
blocks, even old nodes will be able to detect that something is fishy=20
and warn users to be more cautious (i.e. wait more confirmations or=20
immediately upgrade or connect to a different node that has upgraded,=20
etc...)
I honestly don't see an issue here - unless you're already violating=20
fundamental security assumptions that would make you vulnerable to=20
exploitation even without rule changes.
- Eric
------ Original Message ------
From: "Jonathan Toomim via bitcoin-dev"=20
<bitcoin-dev@lists.linuxfoundation.org>
To: "Pieter Wuille" <pieter.wuille@gmail.com>
Cc: "Bitcoin Dev" <bitcoin-dev@lists.linuxfoundation.org>
Sent: 12/17/2015 6:47:14 PM
Subject: Re: [bitcoin-dev] On the security of softforks
>
>On Dec 18, 2015, at 10:30 AM, Pieter Wuille via bitcoin-dev=20
><bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>>1) The risk of an old full node wallet accepting a transaction that is
>>invalid to the new rules.
>>
>>The receiver wallet chooses what address/script to accept coins on.
>>They'll upgrade to the new softfork rules before creating an address
>>that depends on the softfork's features.
>>
>>So, not a problem.
>
>Mallory wants to defraud Bob with a 1 BTC payment for some beer. Bob=20
>runs the old rules. Bob creates a p2pkh address for Mallory to use.=20
>Mallory takes 1 BTC, and creates an invalid SegWit transaction that Bob=
=20
>cannot properly validate and that pays into one of Mallory's wallets.=20
>Mallory then immediately spends the unconfirmed transaction into Bob's=20
>address. Bob sees what appears to be a valid transaction chain which is=
=20
>not actually valid.
>
>Clueless Carol is one of the 4.9% of miners who forgot to upgrade her=20
>mining node. Carol sees that Mallory included an enormous fee in his=20
>transactions, so Carol makes sure to include both transactions in her=20
>block.
>
>Mallory gets free beer.
>
>Anything I'm missing?
--------=_MB5BED5328-D5EE-4309-8CC3-05B819EFB065
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD>
<STYLE id=3DeMClientCss>blockquote.cite { margin-left: 5px; margin-right:=
0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc=
}
blockquote.cite2 {margin-left: 5px; margin-right: 0px; padding-left: 10px;=
padding-right:0px; border-left: 1px solid #cccccc; margin-top: 3px; paddin=
g-top: 0px; }
.plain pre, .plain tt { font-family: monospace; font-size: 100%; font-weigh=
t: normal; font-style: normal; white-space: pre-wrap; }
a img { border: 0px; }body {font-family: Tahoma;font-size: 12pt;}
.plain pre, .plain tt {font-family: Tahoma;font-size: 12pt;}
</STYLE>
<STYLE></STYLE>
</HEAD>
<BODY scroll=3Dauto class>
<DIV>First of all, that's an expensive beer!</DIV>
<DIV> </DIV>
<DIV>Second of all, any consensus rule change risks non-full-validating =
or non-upgraded nodes seeing invalid confirmations...but assuming a large=
supermajority (i.e. > 95%) of hashing power is behind the new rule, =
it is extremely unlikely that very many invalid confirmations will ever =
be seen by anyone. The number of confirmations you require depends on your=
use case security requirements...and especially during a new rule activati=
on, it is probably not a good idea for non-validating nodes or non-upgraded=
nodes to accept coins with low confirmation counts unless the risk is acco=
unted for in the use case (i.e. a web hosting provider that=
can shut the user out if fraud is later detected).</DIV>
<DIV> </DIV>
<DIV>Third of all, as long as the rule change activation is signaled in =
blocks, even old nodes will be able to detect that something is fishy and=
warn users to be more cautious (i.e. wait more confirmations or immediatel=
y upgrade or connect to a different node that has upgraded, etc...)</DIV>
<DIV> </DIV>
<DIV>I honestly don't see an issue here - unless you're already violating=
fundamental security assumptions that would make you vulnerable to exploit=
ation even without rule changes.</DIV>
<DIV> </DIV>
<DIV>- Eric</DIV>
<DIV> </DIV>
<DIV>------ Original Message ------</DIV>
<DIV>From: "Jonathan Toomim via bitcoin-dev" <<A href=3D"mailto:bitcoin-=
dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</A>>=
;</DIV>
<DIV>To: "Pieter Wuille" <<A href=3D"mailto:pieter.wuille@gmail.com">pie=
ter.wuille@gmail.com</A>></DIV>
<DIV>Cc: "Bitcoin Dev" <<A href=3D"mailto:bitcoin-dev@lists.linuxfoundat=
ion.org">bitcoin-dev@lists.linuxfoundation.org</A>></DIV>
<DIV>Sent: 12/17/2015 6:47:14 PM</DIV>
<DIV>Subject: Re: [bitcoin-dev] On the security of softforks</DIV>
<DIV> </DIV>
<DIV id=3Dx3e2d1b6db74e43a5a23c7578ce14d4e2 style=3D"WORD-WRAP: break-word;=
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space">
<BLOCKQUOTE class=3Dcite2 cite=3DE76D5BF9-41BF-4AF5-BBAC-06F4EF574EBE@toom.=
im type=3D"cite"><BR>
<DIV>
<DIV>On Dec 18, 2015, at 10:30 AM, Pieter Wuille via bitcoin-dev <<A =
href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.lin=
uxfoundation.org</A>> wrote:</DIV><BR class=3DApple-interchange-newline>
<BLOCKQUOTE class=3Dcite type=3D"cite"><SPAN style=3D"WHITE-SPACE: normal;=
WORD-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT: 12px Helvetica=
; DISPLAY: inline !important; LETTER-SPACING: normal; TEXT-INDENT: 0px; =
-webkit-text-stroke-width: 0px">1) The risk of an old full node wallet acce=
pting a transaction that is</SPAN><BR style=3D"WHITE-SPACE: normal; WORD-SP=
ACING: 0px; TEXT-TRANSFORM: none; FONT: 12px Helvetica; LETTER-SPACING: =
normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px"><SPAN style=3D=
"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none;=
FONT: 12px Helvetica; DISPLAY: inline !important; LETTER-SPACING: normal;=
TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px">invalid to the new rules=
.</SPAN><BR style=3D"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM=
: none; FONT: 12px Helvetica; LETTER-SPACING: normal; TEXT-INDENT: 0px; =
-webkit-text-stroke-width: 0px"><BR style=3D"WHITE-SPACE: normal; WORD-SPAC=
ING: 0px; TEXT-TRANSFORM: none; FONT: 12px Helvetica; LETTER-SPACING: norma=
l; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px"><SPAN style=3D"WHITE-S=
PACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT:=
12px Helvetica; DISPLAY: inline !important; LETTER-SPACING: normal; TEXT-I=
NDENT: 0px; -webkit-text-stroke-width: 0px">The receiver wallet chooses =
what address/script to accept coins on.</SPAN><BR style=3D"WHITE-SPACE: =
normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; FONT: 12px Helvetica; LETT=
ER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px"><SPAN=
style=3D"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; =
FLOAT: none; FONT: 12px Helvetica; DISPLAY: inline !important; LETTER-SPACI=
NG: normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px">They'll upgra=
de to the new softfork rules before creating an address</SPAN><BR style=3D=
"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; FONT: 12px=
Helvetica; LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-stroke-w=
idth: 0px"><SPAN style=3D"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRAN=
SFORM: none; FLOAT: none; FONT: 12px Helvetica; DISPLAY: inline !important;=
LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px">=
that depends on the softfork's features.</SPAN><BR style=3D"WHITE-SPACE:=
normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; FONT: 12px Helvetica; =
LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px"><=
BR style=3D"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none;=
FONT: 12px Helvetica; LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-te=
xt-stroke-width: 0px"><SPAN style=3D"WHITE-SPACE: normal; WORD-SPACING: =
0px; TEXT-TRANSFORM: none; FLOAT: none; FONT: 12px Helvetica; DISPLAY: inli=
ne !important; LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-strok=
e-width: 0px">So, not a problem.</SPAN></BLOCKQUOTE></DIV>
<DIV><BR></DIV>
<DIV>Mallory wants to defraud Bob with a 1 BTC payment for some beer. Bob=
runs the old rules. Bob creates a p2pkh address for Mallory to use. Mallor=
y takes 1 BTC, and creates an invalid SegWit transaction that Bob cannot=
properly validate and that pays into one of Mallory's wallets. Mallory =
then immediately spends the unconfirmed transaction into Bob's address. =
Bob sees what appears to be a valid transaction chain which is not actually=
valid.</DIV>
<DIV><BR></DIV>
<DIV>Clueless Carol is one of the 4.9% of miners who forgot to upgrade her=
mining node. Carol sees that Mallory included an enormous fee in his trans=
actions, so Carol makes sure to include both transactions in her block.&nbs=
p;</DIV>
<DIV><BR></DIV>
<DIV>Mallory gets free beer.</DIV>
<DIV><BR></DIV>
<DIV>Anything I'm missing?</DIV></BLOCKQUOTE></DIV></BODY></HTML>
--------=_MB5BED5328-D5EE-4309-8CC3-05B819EFB065--
|
