1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
Return-Path: <eth3rs@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id C1FA32171
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 19 Apr 2019 01:13:45 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com
[209.85.215.171])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C5111466
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 19 Apr 2019 01:13:44 +0000 (UTC)
Received: by mail-pg1-f171.google.com with SMTP id e6so1964869pgc.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 18 Apr 2019 18:13:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc:content-transfer-encoding;
bh=yT6PfSv443p4uDhw/igxyFr+3njN3i8ax0G8NvTnQjM=;
b=FHEpLZ75T5vhM8DpXMeHQUEBG2oH3eGe3rEd/pk3vfzdP3uy06RuHPNssJgorLfSun
RDlsz2J+ShR/cEJazQ1gFUdg5IEtMcvsCSsVRlMlZT8NJntfIKQHn2HL3t8agMdQY0ib
+1b2SrDoPEP/t7S7uyHbNiF+qwlVHUKbvMcdkx4xj46iCIaTaOU9ELvTft22ahHdzv9O
jSM2mCdkH0VscUlZrg5w35X8xjHvhMkbpj9TbZB1sCreV6LPpf6iDiyyfbYsA1V4K+2j
efTQpcJKyt1/Ko9ZKz977tD+EPYawrNYzdbyMbpq0kOM6FM67HmdppNFaBGH+7FEghym
fNXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc:content-transfer-encoding;
bh=yT6PfSv443p4uDhw/igxyFr+3njN3i8ax0G8NvTnQjM=;
b=kSSWlLQbfMaQ5CMfwGYVgXqSS8YCHkK9W0be0ZTgZXWGYczZdYgXom7Ig0bbgCmyPP
Xz+my34lc7/7Ycvms8xy0Gfh+qcgAnsE1E7buTUCkZnRpzGBjZDTpHU/L0YQBt0GyBEC
vUyyg/o0RJMY5KLP4HWb1vIr4HGcUpIEvsc1qOE3O4Vti9lX3JB4RhA9MUArMtEw7lVZ
QfaGQ9nI6vvMTfBAA4f8b2Azqhll99YrInX2jjWNmIy0qyJOenMqlMfb9gH8W4UfjigR
ewt3tNZ/8YpOmDzxPF/1tZdNjLTfkli0MtAJUTiVbJYJyzu6bJ2qOrqP/Ta4cJeFvQkw
T5ww==
X-Gm-Message-State: APjAAAXMgYUqLkAKzBtPZ+9yG4obucfs/0wg8F7TO1Vt2gv6d28+alAa
jERSmbUlePqYsbEYOlkrvirJdlqbAoHM714iT+k=
X-Google-Smtp-Source: APXvYqzTpSrluTw8tiinKIlfMa1OeqbliaNk0T5oHxR6oR+k1Tl0GNew/y4LKkG4viMXwiwG706S+3bQhTFDH5blwcw=
X-Received: by 2002:aa7:8096:: with SMTP id v22mr903329pff.94.1555636423952;
Thu, 18 Apr 2019 18:13:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAPv7TjYspkc1M=TKmBK8k0Zy857=bR7jSTarRDCr_5m2ktYHDQ@mail.gmail.com>
<-tCD0qh97dAiz-VGkDQTwSbSQIm9cLF1kOzaWCnUDTI4dKdsmMgHJsGDntQhABZdE2_yBYpPAAdulm8EpdNxOB8o3lI6ZQJBJZWF1INzUrE=@protonmail.com>
<CAEM=y+W==_+AW6ga9WMf=aAX-xPGUfhEJQFvUtdFodGGv-6eAg@mail.gmail.com>
<xqVUmHu0RXeogboFL8ivsZywPQKEqLCsUZTV1NbsxNB4CYqrNqS8TpYsP8PJSowIGUeq8Nu1XPVd9N9Exg5Is11767ytI0Sq4lVp9MGdII4=@protonmail.com>
In-Reply-To: <xqVUmHu0RXeogboFL8ivsZywPQKEqLCsUZTV1NbsxNB4CYqrNqS8TpYsP8PJSowIGUeq8Nu1XPVd9N9Exg5Is11767ytI0Sq4lVp9MGdII4=@protonmail.com>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Thu, 18 Apr 2019 21:13:07 -0400
Message-ID: <CAEM=y+WVQz5x916sjCjWVmeEbRp4NoTyryxSH7uKNTHYz+Sdnw@mail.gmail.com>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 19 Apr 2019 13:57:03 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2019 01:13:45 -0000
Hi ZmnSCPxj,
Let's see if I understand what you are saying. In your scenario chain
A consists of honest miners (10% of the hash rate) and chain B (90%
of the hash rate) consists of dishonest miners who are inflating the
coin supply.
Chain A: S, S+1
Chain B: S, S+1 (invalid), S+2, S+3, S+4, S+5, S+6, S+7, S+8, S+9
Chain B S+1 has a invalid coinbase
>At around height S+9, the minority miners generate an alternate block at h=
eight S+1. So SPV nodes download S+9 and S+8 on the longer chain, and see n=
othing wrong with those blocks.
What I am suggesting is that when the minority miners generate an
alternate block at S+1 (chain A) the SPV node would download blocks
S+1 and S+2 from chain B (the dishonest chain). Since S+1 has the
invalid coinbase the SPV node would learn that chain B is invalid and
abandon it.
Bitcoin is in big trouble if a malicious party controls 90% of the
mining power. The malicious miners can spend +11% of their mining
power ensuring that the honest chain never reaches consensus by
continuously forking it. The malicious miners can then extend their
favored chain using the other 79% of the mining power. This would
produce a scenario in which users are forced to choose between a
stable chain that violates a consensus rule and an unstable honest
chain that is completely unusable and which never pays out mining
rewards. I agree that SPV nodes and many wallets would make this even
worse especially in their current condition where they just trust the
hash rate/wallet provider and there are no fraud proofs.
On Thu, Apr 18, 2019 at 8:25 PM ZmnSCPxj <ZmnSCPxj@protonmail.com> wrote:
>
> Good morning Ethan,
>
>
> Sent with ProtonMail Secure Email.
>
> =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original =
Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
> On Friday, April 19, 2019 4:12 AM, Ethan Heilman <eth3rs@gmail.com> wrote=
:
>
> > I'm probably repeating a point which has been said before.
> >
> > > I suppose a minority miner that wants to disrupt the network could si=
mply create a valid block at block N+1 and deliberately ignore every other =
valid block at N+1, N+2, N+3 etc. that it did not create itself.
> >
> > If this minority miner has > 10% of network hashrate, then the rule of
> > thumb above would, on average, give it the ability to disrupt the
> > SPV-using network.
> >
> > Proposed rule:
> > Whenever a chainsplit occurs SPV clients should download and validate
> > the "longest chain" up to more than one block greater than the height
> > of the losing chain.
> >
> > Lets say a block split causes chain A and chain B: Chain A is N blocks
> > long, chain B is M blocks long, and N < M. Then the SPV client should
> > download all the block data of N+1 blocks from Chain B to verify
> > availability of chain B. Once the SPV client has verified that chain B
> > is available they can use fraud proofs determine if chain B is valid.
>
> Let us then revert to the original scenario.
> Suppose a supermajority (90%) of miners decide to increase inflation of t=
he currency.
>
> They do this by imposing the rule:
>
> 1. For 1 block, the coinbase is 21,000,000 times the pre-fork coinbase v=
alue.
> 2. For 9 blocks, the coinbase is the pre-fork value.
> 3. Repeat this pattern every 10 blocks.
>
> The above is a hardfork.
> However, as they believe that SPV nodes dominate the economy, this mining=
supermajority believes it can take over the network hashpower and impose i=
ts will on the network.
>
> At height S+1, they begin the above rule.
> This implies that at heights S+1, S+11, S+21, s+31... the coinbase violat=
es the pre-hardfork rules.
>
> At around height S+9, the minority miners generate an alternate block at =
height S+1.
> So SPV nodes download S+9 and S+8 on the longer chain, and see nothing wr=
ong with those blocks.
>
> At around height S+18, the minority miners generate an alternate block at=
height S+2.
> So SPV nodes download S+18, S+17, S+16 and again see nothing wrong with t=
hose blocsk.
>
> This can go on for a good amount of time.
> With a "rare enough" inflation event, miners may even be able to spend so=
me coinbases on SPV nodes that SPV nodes become unwilling to revert to the =
minority pre-hardfork chain, economically locking in the post-hardfork infl=
ation.
>
> Again: every rule is an opportunity to loophole.
>
> Regards,
> ZmnSCPxj
>
> > An attacker could use this to force SPV clients to download 1 block
> > per block the attacker mines. This is strictly weaker security than
> > provided by a full-node because chain B will only be validated if the
> > client knows chain A exists. If the SPV client's view of the
> > blockchain is eclipsed then the client will never learn that chain A
> > exists and thus never validate chain B's availability nor will the
> > client be able to learn fraud proofs about chain B. A full node in
> > this circumstance would notice that the chain B is invalid and reject
> > it because a full node would not depend on fraud proofs. That being
> > said this rule would provide strictly more security than current SPV
> > clients.
> >
> > On Thu, Apr 18, 2019 at 3:08 PM ZmnSCPxj via bitcoin-dev
> > bitcoin-dev@lists.linuxfoundation.org wrote:
> >
> > > Good morning Ruben,
> > > Sent with ProtonMail Secure Email.
> > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origi=
nal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
> > > On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev bit=
coin-dev@lists.linuxfoundation.org wrote:
> > >
> > > > Simplified-Payment-Verification (SPV) is secure under the assumptio=
n
> > > > that the chain with the most Proof-of-Work (PoW) is valid. As many
> > > > have pointed out before, and attacks like Segwit2x have shown, this=
is
> > > > not a safe assumption. What I propose below improves this assumptio=
n
> > > > -- invalid blocks will be rejected as long as there are enough hone=
st
> > > > miners to create a block within a reasonable time frame. This still
> > > > doesn=E2=80=99t fully inoculate SPV clients against dishonest miner=
s, but is a
> > > > clear improvement over regular SPV (and compatible with the privacy
> > > > improvements of BIP157[0]).
> > > > The idea is that a fork is an indication of potential misbehavior -=
-
> > > > its block header can serve as a PoW fraud proof. Conversely, the la=
ck
> > > > of a fork is an indication that a block is valid. If a fork is crea=
ted
> > > > from a block at height N, this means a subset of miners may disagre=
e
> > > > on the validity of block N+1. If SPV clients download and verify th=
is
> > > > block, they can judge for themselves whether or not the chain shoul=
d
> > > > be rejected. Of course it could simply be a natural fork, in which
> > > > case we continue following the chain with the most PoW.
> > >
> > > I presume you mean a chain split?
> > >
> > > > The way Bitcoin currently works, it is impossible to verify the
> > > > validity of block N+1 without knowing the UTXO set at block N, even=
if
> > > > you are willing to assume that block N (and everything before it) i=
s
> > > > valid. This would change with the introduction of UTXO set
> > > > commitments, allowing block N+1 to be validated by verifying whethe=
r
> > > > its inputs are present in the UTXO set that was committed to in blo=
ck
> > > > N. An open question is whether a similar result can be achieved
> > > > without a soft fork that commits to the UTXO set[0][1].
> > > > If an invalid block is created and only 10% of the miners are hones=
t,
> > > > on average it would take 100 minutes for a valid block to appear.
> > > > During this time, the SPV client will be following the invalid chai=
n
> > > > and see roughly 9 confirmations before the chain gets rejected. It =
may
> > > > therefore be prudent to wait for a number of confirmations that
> > > > corresponds to the time it may take for the conservative percentage=
of
> > > > miners that you think may behave honestly to create a block (includ=
ing
> > > > variance).
> > >
> > > I suppose a minority miner that wants to disrupt the network could si=
mply create a valid block at block N+1 and deliberately ignore every other =
valid block at N+1, N+2, N+3 etc. that it did not create itself.
> > > If this minority miner has > 10% of network hashrate, then the rule o=
f thumb above would, on average, give it the ability to disrupt the SPV-usi=
ng network.
> > >
> > > > 10% of network hashrate to disrupt the SPV-using nodes would be a r=
ather low bar to disruption.
> > > > Consider that SPV-using nodes would be disrupted, without this rule=
, only by >50% network hashrate.
> > >
> > > It is helpful to consider that every rule you impose is potentially a=
loophole by which a new attack is possible.
> > > Regards,
> > > ZmnSCPxj
> > >
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
|
