Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id C4C2BC000E for ; Wed, 30 Jun 2021 12:21:32 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id ABEC3402AC for ; Wed, 30 Jun 2021 12:21:32 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.8 X-Spam-Level: X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (1024-bit key) header.d=riseup.net Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNr8zMsmp4Ue for ; Wed, 30 Jun 2021 12:21:28 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) by smtp2.osuosl.org (Postfix) with ESMTPS id 96BF7402A6 for ; Wed, 30 Jun 2021 12:21:28 +0000 (UTC) Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4GFL6v6z07zDrvH; Wed, 30 Jun 2021 05:21:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1625055688; bh=/DSbwXhNZyTaFkKnHPt0BcG8nLAFWvYpe0lsVqwEz6U=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=J8UeNnAfqUV25cs4yjfYAns285d80jpEb7Dk+qwu+R60ZnT2SHQiod6VZ8D/JTdzd PCNNWgkh7SiINHbq2mLfN5L6UAMINexrOkPVF2cUnJRfCbHr81rraGoMdi4EgREuz2 meWxUlXNn3DeWklHEzlDebD6JRy9sDW3Tr2xCQNg= X-Riseup-User-ID: 65A74C22F09AC55796BAC58E5FE3302513A7B3449CE9E130E2599D1C246098AC Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews2.riseup.net (Postfix) with ESMTPSA id 4GFL6v53yPz1yj4; Wed, 30 Jun 2021 05:21:27 -0700 (PDT) MIME-Version: 1.0 Date: Wed, 30 Jun 2021 05:21:27 -0700 From: raymo@riseup.net To: ZmnSCPxj In-Reply-To: References: <16131549ac084b58fc6cde894e43babe@riseup.net> <878e0de9f6b08d8aad07fc7b7760e01b@riseup.net> Message-ID: <9c15ed5aa08038093565552f27104c54@riseup.net> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Wed, 30 Jun 2021 12:44:40 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Boost Bitcoin circulation, Million Transactions Per Second with stronger privacy X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jun 2021 12:21:32 -0000 Dear ZmnSCPxj Thanks for dedicating time to read carefully the Sabu proposal and many thanks for your accurate point. So, lets fix it. I didn’t suppose Alice has only one UTXO, instead I expect every issuer use hundreds or even millions UTXOs (for optimal benefit each worth exactly 40,000 Satoshi) in Sabu protocol in order to earn notable Sabu-transactions-fees daily. Your scenario is correct and Alice can send a batch transaction which has higher feeRate, but less fee amount comparing total fees of N number of GT transaction. It is true, the batch transaction will win the race and will go to next block instead of N small GT transactions. But Alice herself is not the winner, since she paid a huge transaction fee to miner, while in honest acting didn’t have to pay at all. Let’s show it by numbers. Imagine Alice convinced some people to pay her money and accept the MT and GT transactions in exchange. Alice issued N transactions and delivered to these guys. Till now Alice got money equal to N * Maximum debt per transaction, which is 20,000 N. A single GT length = length of Critical part of GT (named C) + length of Redundant part of GT (named R) Coefficient of Honesty benefits (called H) = C/R The bigger H means less Redundant part, means less benefit in batch transaction. The worst H would be 1 or less than 1. I can guess H in Bitcoin transaction is 4 or higher, but for now we take it 4. Probably you can help us and tell what H is exactly. The N GTs length = N * (C + R) One batch transaction length = (N * C) + R The GT feeRate = GTfee / (C + R) The batch transaction feeRate = batchFee / ((N * C) + R) We need to batch transaction feeRate be higher than each single GT feeRate (more or less the feeRate for all GTs are same). Thus batchFee / ((N * C) + R) must be bigger or at least equal to GTfee / (C + R) so, batchFee / ((N * C) + R) >= GTfee / (C + R) we already knew H = C/R then C = HR after simplifying batchFee >= (GTfee * ((N * H) + 1)) / (H + 1) So, this is the minimum fee that Alice has to pay for her batch transaction in order to compete with GTs feeRate. Let’s put the numbers From my previous example for @Alex Schoof, we already knew that the GTfee is 25,500 Satoshi H is 4 (please let me know what is more realistic number) I think N in max exploitation is 10,000. If Alice takes entire block space, she won’t be able to put more than 10,000 inputs in a single transaction in one block. So, batchFee must be higher than (25,500 * ((10,000 * 4) + 1)) / (4 + 1) batchFee must be higher than 2.04 Bitcoins. While if Alice was acting honestly, she had to pay zero BTC-transaction-fee, since the Sabu transactions are aimed to be circulated in Sabu network forever. But how much benefit Alice got? We already knew that Alice had fooled Some people by 10,000 transactions and got 10,000 transaction * 20,000 Max debt per transaction. She got 2 Bitcoins. After all, she lost 0.04 BTC. She definitely is a loser, unless she has conspiracy with miners which is another scenario and I already explained it. Note these facts: H is higher than 4. It is impossible to fit a batch transaction with 10,000 inputs and one output in one block. And after all we can simply hedge batch transaction benefits by fine tuning the “maximum allowed debt per transaction”. Finally, the complementary protection to cover 0.01% remind risk of issuer irrationality, would be the BIPxxx “for flagging/unflagging promised UTXOs” which is my suggestion. It will be good for Sabu. It will be good for adapting wide range of innovative smart contracts on top of current Bitcoin with no risk and cost. @James Hilliard If it implemented wisely, never won't affect on network stability. > your analysis is based on assuming that miners are perfect rational beings of perfect rationality, > ***and*** are omniscient. That’s not true! The proposal just assume miners are looking for more profit. The suggested BIPxxx “for flagging/unflagging promised UTXOs” (if community accept it) would prepare a knowledge about promised UTXOs for miner. > Even if Alice is in possession of only a single UTXO, Alice can still feed miners a transaction > with lower feerate than the MT, then feed the rest of the network with a valid MT. It is not important in what order Alice propagate which (MT, or whatever transaction) to Bitcoin network. The point is, before putting this transaction in next block, the creditor wallet will be aware of this renege and will send the GT to network. The rest is miner’s decision to put transaction with higher fee rate to next block. > This attack is essentially costless to Alice, > especially for big enough transactions where mining fees are a negligible part of the payment. No, in Sabu we have not big payments. Each big payment must be managed through N small transactions with each transaction max output less than 20,000 Satoshi. Regards Raymo On 2021-06-29 21:42, ZmnSCPxj wrote: > Good morning Raymo, > >> Hey Alex, >> >> Your scenario works perfectly unless we put some restrictions on >> accepting transaction by creditor (in our case Bob). >> These are restrictions: >> Alice has to use a UTXO (or some UTXOs) worth at least 40,000 Sat as >> transaction input. >> Alice has to reserve 10,000 Sat as transaction fee (for MT transaction) >> regardless of transaction length or input/output amounts. >> Alice always pays at least 4,000 Sat of BTC-transaction-fee, and the >> 6,000 remined fee must be paid by she and Bob in proportion to their >> outputs amounts) >> Alice can issue a transaction the has maximum 20,000 outputs for >> creditors (Bob and others). >> The rest (if exist) is change back to Alice address. >> The GT is formed based on MT. >> Bob considers a transaction couple (MT, GT) valid only if they respect >> these rules. >> >> Let’s put it in practice using some numbers (although you can find more >> detailed explanation in paper). >> >> The MT would be like that: >> Input: 40,000 Satoshi >> Outputs: >> Bob: 20,000 >> BTC-fee: 10,000 >> Change back to Alice: 10,000 >> >> Based on this MT the GT will be >> Input: 40,000 Satoshi >> Outputs: >> Bob: 20,000 – 20,00070% = 6,000 >> BTC-fee: 10,000 + (14,000 of Bob’s output) + (1,500 of Alice’s change >> back) = 25,500 >> Change back to Alice: 10,000 – 10,00015% = 8,500 >> >> Now if Alice wants to spend UTXO to Charlie with higher fee, she has to >> pay at least 25,500 + 1 Satoshi as BTC fee in order to convince miners >> to put his fraudulent transaction instead the GT in next block. >> Alice already got 20,000 Sat profit from Bob. Now she can earn another >> 14,999 Sat profit from Charlie because of same UTXO worth 40,000 >> Satoshi. >> Indeed, she spent 40,000 Sat and in total got equal to 34,999 Sat goods >> or services. >> Is she a winner? >> I am not sure! >> What do you think? > > You assume here that Alice the issuer only has a single UTXO and that > it creates a single transaction spending that UTXO. > > It is helpful to remember that miners consider fee*rate*, but your > security analysis is dependent on *fee* and not fee*rate*. > > Now consider, what if Alice creates 1000 UTXOs, promises GTs and MTs > to 1000 different Bobs? > > Now, a GT has one input and two outputs. > > 1000 GTs have 1000 overheads (`nLockTime` and `nVersion` and so on), > 1000 inputs, and 2000 outputs. > > Now Alice the issuer, being the sole signer, can create a fraudulent > transaction that spends all 1000 UTXOs and spends it to a single Carol > output. > > This fraudulent transaction has 1 overhead, 1000 inputs, and 1 output. > > Do you think Alice can get a better fee*rate* on that transaction > while paying a lower aggregate *fee* than all the GTs combined? > Remember, you based your security analysis on Alice being forced to > pay a larger *fee*, but neglect that miners judge transactions based > on fee*rate*, which is subtly different and not what you are relying > on. > I am sure that there exists some large enough number of UTXOs where a > single aggregating fraudulent transaction will be far cheaper than the > tons of little GTs your security analysis depends on. > > This is why we do not use 1-of-1 signers in safe offchain protocols. > Not your keys, not your coins. > > -- > > In addition, your analysis is based on assuming that miners are > perfect rational beings of perfect rationality, ***and*** are > omniscient. > > In reality, miners possess bounded knowledge, i.e. they do not know everything. > > Even if Alice is in possession of only a single UTXO, Alice can still > feed miners a transaction with lower feerate than the MT, then feed > the rest of the network with a valid MT. > Because transactions propagate through the network but this > propagation is ***not*** instantaneous, it is possible for the MT to > reach the miners later than the fraudulent transaction. > In this window of time, a block may be mined that includes the > fraudulent transaction, simply because the lucky miner never managed > to hear of the correct MT. > > This attack is essentially costless to Alice, especially for big > enough transactions where mining fees are a negligible part of the > payment. > > This is why we do not use 1-of-1 signers in safe offchain protocols. > Not your keys, not your coins. > > Regards, > ZmnSCPxj