Tom Harding [ARCHIVE] on Nostr
📅 Original date posted: 2014-10-28
📝 Original message:
On 10/27/2014 7:36 PM, Gregory Maxwell wrote:
> Consider a malicious miner can concurrently flood all other miners
> with orthogonal double spends (which he doesn't mine himself). These
> other miners will all be spending some amount of their time mining on
> these transactions before realizing others consider them
> double-spends.

If I understand correctly, the simplest example of this attack is three
transactions spending the same coin, distributed to two miners like this:

          Miner A    Miner B
Mempool   tx1a       tx1b
Relayed   tx2        tx2

Since relay has to be limited, Miner B doesn't know about tx1a until it
is included in Miner A's block, so he delays that block (unless it
appears very quickly).

To create this situation, attacker has to transmit all three
transactions very quickly, or mempools will be too synchronized.
Attacker tries to make it so that everyone else has a tx1a conflict that
Miner A does not have. Ditto for each individual victim, with different
transactions (this seems very difficult).

Proposal shows that there is always a tiny risk to including tx1 when a
double-spend is known, and I agree that this attack can add something to
that risk. Miner A can neutralize his risk by excluding any tx1 known
to be double-spent, but as Thomas Zander wrote, that is an undesirable
outcome.

However, Miner A has additional information - he knows how soon he
received tx2 after receiving tx1a.

The attack has little chance of working if any of the malicious
transactions are sent even, say, 10 seconds apart from each other.
Dropping the labels for transmit-order numbering, if the 1->2 transmit
gap is large, mempools will agree on 1. If 1->2 gap is small, but the
gap to 3 is large, mempools will agree on the 1-2 pair, but possibly
have the order reversed. Either way, mempools won't disagree on the
existence of 1 unless the 1->3 gap is small.

So, I think it will be possible to quantify and target the risk of
including tx1a to an arbitrarily low level, based on the local
measurement of the time gap to tx2, and an effective threshold won't be
very high. It does highlight yet again, the shorter the time frame, the
greater the risk.
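
The timing argument in the message above, as an added simulation that is not part of the original post: each miner keeps the first conflicting transaction it sees, relays the second, and drops later ones, and the code estimates how often a miner never learns of transaction 1 as the transmit gaps grow. The broadcast model, the exponential latency with a 2-second mean, the miner count and all function names are assumptions chosen for illustration.

```python
import random

def first_two_seen(send_times, mean_latency, rng):
    """Transactions one miner knows about: the first arrival sits in its
    mempool, the second is relayed as a double-spend, later ones are dropped."""
    arrivals = sorted((t + rng.expovariate(1.0 / mean_latency), i)
                      for i, t in enumerate(send_times))
    return {i for _, i in arrivals[:2]}

def p_tx1_unknown(gap12, gap13, mean_latency=2.0, miners=1,
                  trials=20000, seed=1):
    """Monte Carlo estimate of the probability that at least one miner has
    never seen transaction 1 (index 0), given the 1->2 and 1->3 transmit gaps
    in seconds. Latencies are i.i.d. exponential (an assumed model)."""
    rng = random.Random(seed)            # fixed seed: repeatable estimate
    send_times = (0.0, gap12, gap13)     # transmit-order numbering 1, 2, 3
    misses = 0
    for _ in range(trials):
        if any(0 not in first_two_seen(send_times, mean_latency, rng)
               for _ in range(miners)):
            misses += 1
    return misses / trials

def smallest_safe_gap(target_risk, gaps=(0, 1, 2, 5, 10, 20), **kw):
    """Smallest candidate 1->3 gap whose estimated risk is at or below the
    target. The 1->2 gap is held at zero, the worst case for a given 1->3 gap."""
    for g in gaps:
        if p_tx1_unknown(0.0, g, **kw) <= target_risk:
            return g
    return None

if __name__ == "__main__":
    for g12, g13 in [(0, 0), (0, 2), (0, 10), (10, 10)]:
        print(f"1->2 gap {g12:>2}s, 1->3 gap {g13:>2}s: "
              f"P(tx1 unknown to a miner) = {p_tx1_unknown(g12, g13):.4f}")
    print("smallest 1->3 gap with risk <= 1%:", smallest_safe_gap(0.01), "s")
```

Under these assumptions the estimate falls from about one third with simultaneous sends to well under one percent at a 10-second 1->3 gap.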
Published at
2023-06-07 15:26:59