Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XavZv-0000Ds-5f for bitcoin-development@lists.sourceforge.net; Sun, 05 Oct 2014 23:51:03 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.213.171 as permitted sender) client-ip=209.85.213.171; envelope-from=gmaxwell@gmail.com; helo=mail-ig0-f171.google.com; Received: from mail-ig0-f171.google.com ([209.85.213.171]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1XavZu-0007zv-CA for bitcoin-development@lists.sourceforge.net; Sun, 05 Oct 2014 23:51:03 +0000 Received: by mail-ig0-f171.google.com with SMTP id h15so1758991igd.16 for ; Sun, 05 Oct 2014 16:50:57 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.51.17.66 with SMTP id gc2mr16929491igd.40.1412553056953; Sun, 05 Oct 2014 16:50:56 -0700 (PDT) Received: by 10.107.168.5 with HTTP; Sun, 5 Oct 2014 16:50:56 -0700 (PDT) In-Reply-To: References: <5431CD8D.7050508@certimix.com> Date: Sun, 5 Oct 2014 16:50:56 -0700 Message-ID: From: Gregory Maxwell To: Sergio Lerner Content-Type: text/plain; charset=UTF-8 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gmaxwell[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1XavZu-0007zv-CA Cc: Bitcoin Development Subject: Re: [Bitcoin-development] The Bitcoin Freeze on Transaction Attack (FRONT) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Oct 2014 23:51:03 -0000 On Sun, Oct 5, 2014 at 4:40 PM, Gregory Maxwell > I should point you to some of the tools that have been discussed in > the past which are potentially helpful here: Ah, I should also mention a somewhat more far out approach which helps here as a side effect: If transactions were using the BLS short signature scheme (a very compact EC signature based on pairing cryptography) there is a scheme so that you securely can aggregate the signatures from multiple messages into a single signature (also has nice bandwidth properties) and still verify it. It also works recursively, so aggregates can be further aggregated. A consequence of this is that you cannot remove a (set of) signature(s) from the aggregate without knowing the (set of) signature(s) by itself. If the coinbase transaction also contains a signature and if some non-trivial portion of fee paying users relayed their transaction privately to miners it, then other miners would only learn of the transaction in aggregated form. Without knowing the transaction by itself they could not pull it out of a block separately from the coinbase payment and add it to their own block in a fork. (In general this provides several anti-censorship properties, since if someone passed you an aggregate of several transactions you could only accept or reject them as a group unless you knew the members separately). The use in aggregation can be done in a way which is purely additive (e.g. in addition to regular DSA signatures), so even if the cryptosystem is broken the only harm would be allowing disaggregation... but unfortunately the pairing crypto is pretty slow (verification takes a 0.5ms-ish pairing operation per transaction).