1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
Return-Path: <sergio.d.lerner@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 555B31758
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Jun 2018 12:52:34 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-lf0-f41.google.com (mail-lf0-f41.google.com
[209.85.215.41])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 86A1C604
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 9 Jun 2018 12:52:33 +0000 (UTC)
Received: by mail-lf0-f41.google.com with SMTP id v135-v6so24003173lfa.9
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 09 Jun 2018 05:52:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=GMobQMdpSUcPPiuKYPOIC/pbBeM4j2kVDA3T4L7B7lk=;
b=aN8293G4qlioXJrwNt3zfCT7k9Suf/r8VaKcSCzVuA5lcmfrzRXhu/RE64NlxHI0rW
5Tg+s5KUybL8UPwjV6rApAlUUXdjYRMLV1Gr8bobSnq6HffExdcBKmKvBl5z9JvqmcQZ
1oD41ZvXdTEGfqsGrCoYCawqxeAlQ/CVlJ0BPi4drfT8U+P8KcEFJAckHr9eDm3FGPQy
swEBb2jPJvvnT2KEVEt9dCMl5c25m+rWXB29vLJDlgZZ2mbX46eIDMhMHMZ8UVPJR0t/
k+Gl6dHbRwVuncyAyMI38f/KB9QcvRPDx5onjmlFkB6d8ulht+ER2KgTBYcKfhtwbwK0
woYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=GMobQMdpSUcPPiuKYPOIC/pbBeM4j2kVDA3T4L7B7lk=;
b=gMorkHTwxdN/CgIx35VJSORLs/8LGLN3DQSyPW+5LRoz+/xqNCflSzooS8U0Og5huy
ZrkqBMdMq5l8r7fqLawauUP1bwUXCTiz+QtjrtRZtRsAAXnX1/6kYbR4U5p5roTkka7X
HOS0ch5dJ65GA1sPWgG0Bnah9s26NUek9Im1s7ClmUaKY3eG9gobG8oCYLqx31v5IRZl
kj3sQCNypf3boU7b2cHQxRcAkyQ/9pDJNiSMSIjozvMStgF4HTcqnA4w842xMFPnTKym
6ZNCzPki62q3UlDFb72BE6pErcm8HEvHrvibHA0SnWIyEIwH+UYXwx+GzKYDVAR5PRF/
RIMQ==
X-Gm-Message-State: APt69E1Rr09KOHrDn9WfJXITglxOvW1bpouZJ7uDVsomZ50L8LUpQdVd
+9473uWIbQg+R/MSkf7v1ZWEV9h0oV97iDk+jR0=
X-Google-Smtp-Source: ADUXVKLjdXOuPfVESJUW/QrSd7G7q205wW8+6l1lYCMPWMHFs3gymTzJRgiZihvMlBufmb4pii1X/S6AygP3B72BMSc=
X-Received: by 2002:a2e:c41:: with SMTP id o1-v6mr7003715ljd.87.1528548751884;
Sat, 09 Jun 2018 05:52:31 -0700 (PDT)
MIME-Version: 1.0
References: <20180607171311.6qdjohfuuy3ufriv@petertodd.org>
<CAHUJnBB7UL3mH6SixP_M4yooMVP3DgZa+5hiQOmF=AiqfdpfOg@mail.gmail.com>
<20180607222028.zbva4vrv64dzrmxy@petertodd.org>
<CAHUJnBCj8wnjP1=jobfpg7jkfjkX9iSBLeeAOyQCpobh6-AhUA@mail.gmail.com>
<CAKzdR-paqYgOxToikaVD=0GMsCjHBaynX3WgB-CN6Sn7B7kRXw@mail.gmail.com>
<CAKzdR-rz2-D5pbcoSw0CK9tR-UY46ybYaZDmUMYTjBgvkL6ugg@mail.gmail.com>
<20180609124516.6ms6t7r5t7ikved6@petertodd.org>
In-Reply-To: <20180609124516.6ms6t7r5t7ikved6@petertodd.org>
From: Sergio Demian Lerner <sergio.d.lerner@gmail.com>
Date: Sat, 9 Jun 2018 14:51:55 +0200
Message-ID: <CAKzdR-omk7wCk5c_9T28O2Hc-Uzui5S4B_BuDLFt27RWSFzdJw@mail.gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: multipart/alternative; boundary="00000000000060c77a056e34fdd1"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,LOTS_OF_MONEY,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Sat, 09 Jun 2018 14:58:55 +0000
Cc: bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Trusted merkle tree depth for safe tx inclusion
proofs without a soft fork
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jun 2018 12:52:34 -0000
--00000000000060c77a056e34fdd1
Content-Type: text/plain; charset="UTF-8"
Yo can fool a SPV wallet even if it requires a thousands confirmations
using this attack, and you don't need a Sybil attack, so yes, it impacts
SPV wallets also. The protections a SPV node should have to prevent this
attack are different, so it must be considered separately.
It should be said that a SPV node can avoid accepting payments if any
Merkle node is at the same time a valid transaction, and that basically
almost eliminates the problem.
SPV Wallet would reject valid payments with a astonishingly low probability.
On Sat, Jun 9, 2018 at 2:45 PM Peter Todd <pete@petertodd.org> wrote:
> On Sat, Jun 09, 2018 at 02:21:17PM +0200, Sergio Demian Lerner wrote:
> > Also it must be noted that an attacker having only 1.3M USD that can
> > brute-force 72 bits (4 days of hashing on capable ASICs) can perform the
> > same attack, so the attack is entirely feasible and no person should
> accept
> > more than 1M USD using a SPV wallet.
>
> That doesn't make any sense. Against a SPV wallet you don't need that
> attack;
> with that kind of budget you can fool it by just creating a fake block at
> far
> less cost, along with a sybil attack. Sybils aren't difficult to pull off
> when
> you have the budget to be greating fake blocks.
>
> > Also the attack can be repeated: once you create the "extension point"
> > block, you can attack more and more parties without any additional
> > computation.
>
> That's technically incorrect: txouts can only be spent once, so you'll
> need to
> do 2^40 work each time you want to repeat the attack to grind the matching
> part
> of the prevout again.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
--00000000000060c77a056e34fdd1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Yo can fool a SPV wallet even if it requires a thousands c=
onfirmations using this attack, and you don't need a Sybil attack, so y=
es, it impacts SPV wallets also. The protections a SPV node should have to =
prevent this attack are=C2=A0 different, so it must be considered separatel=
y.<div><br></div><div>It should be said that a SPV node can avoid accepting=
payments if any Merkle node is at the same time a valid transaction, and t=
hat basically almost eliminates the problem.=C2=A0</div><div><br></div><div=
>SPV Wallet would reject valid payments with a astonishingly low probabilit=
y.</div><div><br></div><div><div><div><br></div></div></div></div><br><div =
class=3D"gmail_quote"><div dir=3D"ltr">On Sat, Jun 9, 2018 at 2:45 PM Peter=
Todd <<a href=3D"mailto:pete@petertodd.org">pete@petertodd.org</a>> =
wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8e=
x;border-left:1px #ccc solid;padding-left:1ex">On Sat, Jun 09, 2018 at 02:2=
1:17PM +0200, Sergio Demian Lerner wrote:<br>
> Also it must be noted that an attacker having only 1.3M USD that can<b=
r>
> brute-force 72 bits (4 days of hashing on capable ASICs) can perform t=
he<br>
> same attack, so the attack is entirely feasible and no person should a=
ccept<br>
> more than 1M USD using a SPV wallet.<br>
<br>
That doesn't make any sense. Against a SPV wallet you don't need th=
at attack;<br>
with that kind of budget you can fool it by just creating a fake block at f=
ar<br>
less cost, along with a sybil attack. Sybils aren't difficult to pull o=
ff when<br>
you have the budget to be greating fake blocks.<br>
<br>
> Also the attack can be repeated: once you create the "extension p=
oint"<br>
> block, you can attack more and more parties without any additional<br>
> computation.<br>
<br>
That's technically incorrect: txouts can only be spent once, so you'=
;ll need to<br>
do 2^40 work each time you want to repeat the attack to grind the matching =
part<br>
of the prevout again.<br>
<br>
-- <br>
<a href=3D"https://petertodd.org" rel=3D"noreferrer" target=3D"_blank">http=
s://petertodd.org</a> 'peter'[:-1]@<a href=3D"http://petertodd.org"=
rel=3D"noreferrer" target=3D"_blank">petertodd.org</a><br>
</blockquote></div>
--00000000000060c77a056e34fdd1--
|
