Date: Fri, 19 Apr 2019 02:53:49 +0000
To: Ethan Heilman <eth3rs@gmail.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <xNr214GpQ7_9duD4RV0j2nufLLMff4ipqPcZEAsDIsjLwWDan9UijTADW0iJ76pUuaXgYth_BHla-p6G3SOksaySbDZXKhQPLvIfLqo0JeA=@protonmail.com>
In-Reply-To: <CAEM=y+WVQz5x916sjCjWVmeEbRp4NoTyryxSH7uKNTHYz+Sdnw@mail.gmail.com>
References: <CAPv7TjYspkc1M=TKmBK8k0Zy857=bR7jSTarRDCr_5m2ktYHDQ@mail.gmail.com>
	<-tCD0qh97dAiz-VGkDQTwSbSQIm9cLF1kOzaWCnUDTI4dKdsmMgHJsGDntQhABZdE2_yBYpPAAdulm8EpdNxOB8o3lI6ZQJBJZWF1INzUrE=@protonmail.com>
	<CAEM=y+W==_+AW6ga9WMf=aAX-xPGUfhEJQFvUtdFodGGv-6eAg@mail.gmail.com>
	<xqVUmHu0RXeogboFL8ivsZywPQKEqLCsUZTV1NbsxNB4CYqrNqS8TpYsP8PJSowIGUeq8Nu1XPVd9N9Exg5Is11767ytI0Sq4lVp9MGdII4=@protonmail.com>
	<CAEM=y+WVQz5x916sjCjWVmeEbRp4NoTyryxSH7uKNTHYz+Sdnw@mail.gmail.com>
Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs
Precedence: list

Good morning Ethan,

Thank you for clarifying, I understand better now.

It seems that minority miners can disrupt SPV clients such that SPV clients=
 will download 2 blocks for every block the minority miner can find, not 1.

This can be done by simply making multiple 1-block chainsplits, rather than=
 a single persistent chainsplit, and alternating split-off and non-split-of=
f.

For instance, such a minority miner might split at S+1, forcing SPV clients=
 to download S+1 and S+2.
Then the minority miner splits at S+3, forcing SPV clients to download S+3 =
and S+4.
With a mere 33% hashrate, this can force SPV clients to download every bloc=
k, i.e. become a fullnode anyway.

Since there exist pools with >33% hashrate, the above attack is possible so=
 the only solution is to become a fullnode anyway.

Regards,
ZmnSCPxj


Sent with ProtonMail Secure Email.

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Friday, April 19, 2019 9:13 AM, Ethan Heilman <eth3rs@gmail.com> wrote:

> Hi ZmnSCPxj,
>
> Let's see if I understand what you are saying. In your scenario chain
> A consists of honest miners (10% of the hash rate) and chain B (90%
> of the hash rate) consists of dishonest miners who are inflating the
> coin supply.
>
> Chain A: S, S+1
> Chain B: S, S+1 (invalid), S+2, S+3, S+4, S+5, S+6, S+7, S+8, S+9
>
> Chain B S+1 has a invalid coinbase
>
> > At around height S+9, the minority miners generate an alternate block a=
t height S+1. So SPV nodes download S+9 and S+8 on the longer chain, and se=
e nothing wrong with those blocks.
>
> What I am suggesting is that when the minority miners generate an
> alternate block at S+1 (chain A) the SPV node would download blocks
> S+1 and S+2 from chain B (the dishonest chain). Since S+1 has the
> invalid coinbase the SPV node would learn that chain B is invalid and
> abandon it.
>
> Bitcoin is in big trouble if a malicious party controls 90% of the
> mining power. The malicious miners can spend +11% of their mining
> power ensuring that the honest chain never reaches consensus by
> continuously forking it. The malicious miners can then extend their
> favored chain using the other 79% of the mining power. This would
> produce a scenario in which users are forced to choose between a
> stable chain that violates a consensus rule and an unstable honest
> chain that is completely unusable and which never pays out mining
> rewards. I agree that SPV nodes and many wallets would make this even
> worse especially in their current condition where they just trust the
> hash rate/wallet provider and there are no fraud proofs.
>
> On Thu, Apr 18, 2019 at 8:25 PM ZmnSCPxj ZmnSCPxj@protonmail.com wrote:
>
> > Good morning Ethan,
> > Sent with ProtonMail Secure Email.
> > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origina=
l Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=
=90
> > On Friday, April 19, 2019 4:12 AM, Ethan Heilman eth3rs@gmail.com wrote=
:
> >
> > > I'm probably repeating a point which has been said before.
> > >
> > > > I suppose a minority miner that wants to disrupt the network could =
simply create a valid block at block N+1 and deliberately ignore every othe=
r valid block at N+1, N+2, N+3 etc. that it did not create itself.
> > >
> > > If this minority miner has > 10% of network hashrate, then the rule o=
f
> > > thumb above would, on average, give it the ability to disrupt the
> > > SPV-using network.
> > > Proposed rule:
> > > Whenever a chainsplit occurs SPV clients should download and validate
> > > the "longest chain" up to more than one block greater than the height
> > > of the losing chain.
> > > Lets say a block split causes chain A and chain B: Chain A is N block=
s
> > > long, chain B is M blocks long, and N < M. Then the SPV client should
> > > download all the block data of N+1 blocks from Chain B to verify
> > > availability of chain B. Once the SPV client has verified that chain =
B
> > > is available they can use fraud proofs determine if chain B is valid.
> >
> > Let us then revert to the original scenario.
> > Suppose a supermajority (90%) of miners decide to increase inflation of=
 the currency.
> > They do this by imposing the rule:
> >
> > 1.  For 1 block, the coinbase is 21,000,000 times the pre-fork coinbase=
 value.
> > 2.  For 9 blocks, the coinbase is the pre-fork value.
> > 3.  Repeat this pattern every 10 blocks.
> >
> > The above is a hardfork.
> > However, as they believe that SPV nodes dominate the economy, this mini=
ng supermajority believes it can take over the network hashpower and impose=
 its will on the network.
> > At height S+1, they begin the above rule.
> > This implies that at heights S+1, S+11, S+21, s+31... the coinbase viol=
ates the pre-hardfork rules.
> > At around height S+9, the minority miners generate an alternate block a=
t height S+1.
> > So SPV nodes download S+9 and S+8 on the longer chain, and see nothing =
wrong with those blocks.
> > At around height S+18, the minority miners generate an alternate block =
at height S+2.
> > So SPV nodes download S+18, S+17, S+16 and again see nothing wrong with=
 those blocsk.
> > This can go on for a good amount of time.
> > With a "rare enough" inflation event, miners may even be able to spend =
some coinbases on SPV nodes that SPV nodes become unwilling to revert to th=
e minority pre-hardfork chain, economically locking in the post-hardfork in=
flation.
> > Again: every rule is an opportunity to loophole.
> > Regards,
> > ZmnSCPxj
> >
> > > An attacker could use this to force SPV clients to download 1 block
> > > per block the attacker mines. This is strictly weaker security than
> > > provided by a full-node because chain B will only be validated if the
> > > client knows chain A exists. If the SPV client's view of the
> > > blockchain is eclipsed then the client will never learn that chain A
> > > exists and thus never validate chain B's availability nor will the
> > > client be able to learn fraud proofs about chain B. A full node in
> > > this circumstance would notice that the chain B is invalid and reject
> > > it because a full node would not depend on fraud proofs. That being
> > > said this rule would provide strictly more security than current SPV
> > > clients.
> > > On Thu, Apr 18, 2019 at 3:08 PM ZmnSCPxj via bitcoin-dev
> > > bitcoin-dev@lists.linuxfoundation.org wrote:
> > >
> > > > Good morning Ruben,
> > > > Sent with ProtonMail Secure Email.
> > > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Ori=
ginal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=
=E2=80=90
> > > > On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev b=
itcoin-dev@lists.linuxfoundation.org wrote:
> > > >
> > > > > Simplified-Payment-Verification (SPV) is secure under the assumpt=
ion
> > > > > that the chain with the most Proof-of-Work (PoW) is valid. As man=
y
> > > > > have pointed out before, and attacks like Segwit2x have shown, th=
is is
> > > > > not a safe assumption. What I propose below improves this assumpt=
ion
> > > > > -- invalid blocks will be rejected as long as there are enough ho=
nest
> > > > > miners to create a block within a reasonable time frame. This sti=
ll
> > > > > doesn=E2=80=99t fully inoculate SPV clients against dishonest min=
ers, but is a
> > > > > clear improvement over regular SPV (and compatible with the priva=
cy
> > > > > improvements of BIP157[0]).
> > > > > The idea is that a fork is an indication of potential misbehavior=
 --
> > > > > its block header can serve as a PoW fraud proof. Conversely, the =
lack
> > > > > of a fork is an indication that a block is valid. If a fork is cr=
eated
> > > > > from a block at height N, this means a subset of miners may disag=
ree
> > > > > on the validity of block N+1. If SPV clients download and verify =
this
> > > > > block, they can judge for themselves whether or not the chain sho=
uld
> > > > > be rejected. Of course it could simply be a natural fork, in whic=
h
> > > > > case we continue following the chain with the most PoW.
> > > >
> > > > I presume you mean a chain split?
> > > >
> > > > > The way Bitcoin currently works, it is impossible to verify the
> > > > > validity of block N+1 without knowing the UTXO set at block N, ev=
en if
> > > > > you are willing to assume that block N (and everything before it)=
 is
> > > > > valid. This would change with the introduction of UTXO set
> > > > > commitments, allowing block N+1 to be validated by verifying whet=
her
> > > > > its inputs are present in the UTXO set that was committed to in b=
lock
> > > > > N. An open question is whether a similar result can be achieved
> > > > > without a soft fork that commits to the UTXO set[0][1].
> > > > > If an invalid block is created and only 10% of the miners are hon=
est,
> > > > > on average it would take 100 minutes for a valid block to appear.
> > > > > During this time, the SPV client will be following the invalid ch=
ain
> > > > > and see roughly 9 confirmations before the chain gets rejected. I=
t may
> > > > > therefore be prudent to wait for a number of confirmations that
> > > > > corresponds to the time it may take for the conservative percenta=
ge of
> > > > > miners that you think may behave honestly to create a block (incl=
uding
> > > > > variance).
> > > >
> > > > I suppose a minority miner that wants to disrupt the network could =
simply create a valid block at block N+1 and deliberately ignore every othe=
r valid block at N+1, N+2, N+3 etc. that it did not create itself.
> > > > If this minority miner has > 10% of network hashrate, then the rule=
 of thumb above would, on average, give it the ability to disrupt the SPV-u=
sing network.
> > > >
> > > > > 10% of network hashrate to disrupt the SPV-using nodes would be a=
 rather low bar to disruption.
> > > > > Consider that SPV-using nodes would be disrupted, without this ru=
le, only by >50% network hashrate.
> > > >
> > > > It is helpful to consider that every rule you impose is potentially=
 a loophole by which a new attack is possible.
> > > > Regards,
> > > > ZmnSCPxj
> > > > bitcoin-dev mailing list
> > > > bitcoin-dev@lists.linuxfoundation.org
> > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev