ð
Original date posted:2018-06-09
ð Original message:Yo can fool a SPV wallet even if it requires a thousands confirmations
using this attack, and you don't need a Sybil attack, so yes, it impacts
SPV wallets also. The protections a SPV node should have to prevent this
attack are different, so it must be considered separately.
It should be said that a SPV node can avoid accepting payments if any
Merkle node is at the same time a valid transaction, and that basically
almost eliminates the problem.
SPV Wallet would reject valid payments with a astonishingly low probability.
On Sat, Jun 9, 2018 at 2:45 PM Peter Todd <pete at petertodd.org> wrote:
> On Sat, Jun 09, 2018 at 02:21:17PM +0200, Sergio Demian Lerner wrote:
> > Also it must be noted that an attacker having only 1.3M USD that can
> > brute-force 72 bits (4 days of hashing on capable ASICs) can perform the
> > same attack, so the attack is entirely feasible and no person should
> accept
> > more than 1M USD using a SPV wallet.
>
> That doesn't make any sense. Against a SPV wallet you don't need that
> attack;
> with that kind of budget you can fool it by just creating a fake block at
> far
> less cost, along with a sybil attack. Sybils aren't difficult to pull off
> when
> you have the budget to be greating fake blocks.
>
> > Also the attack can be repeated: once you create the "extension point"
> > block, you can attack more and more parties without any additional
> > computation.
>
> That's technically incorrect: txouts can only be spent once, so you'll
> need to
> do 2^40 work each time you want to repeat the attack to grind the matching
> part
> of the prevout again.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180609/567e1527/attachment.html>;
Sergio Demian Lerner [ARCHIVE] /
npub1fvâŠ3vq7f
2023-06-07 18:12:58
in reply to nevent1qâŠ9z46
Author Public Key
npub1fvuxqdqg7klqqgy3yy8gdxjv4phu92sll5y8zqm2qe5qdrhxymhqf3vq7fPublished at
2023-06-07 18:12:58Event JSON
{
"id": "9602e45e62e63d79fc6eb44163ff0944cc2c439e7a4f9d156647de0ba2338dae",
"pubkey": "4b38603408f5be002091210e869a4ca86fc2aa1ffd0871036a0668068ee626ee",
"created_at": 1686161578,
"kind": 1,
"tags": [
[
"e",
"7a6928115f0482ae6ba69f7494f1e58497a12608fbde58f7bb3fa58e19c8ae03",
"",
"root"
],
[
"e",
"6e0fd3e53cccd7c4acb61fc2aeeb5d65b7308d293731ced9f6ee06df1f03a919",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "ð
Original date posted:2018-06-09\nð Original message:Yo can fool a SPV wallet even if it requires a thousands confirmations\nusing this attack, and you don't need a Sybil attack, so yes, it impacts\nSPV wallets also. The protections a SPV node should have to prevent this\nattack are different, so it must be considered separately.\n\nIt should be said that a SPV node can avoid accepting payments if any\nMerkle node is at the same time a valid transaction, and that basically\nalmost eliminates the problem.\n\nSPV Wallet would reject valid payments with a astonishingly low probability.\n\n\n\nOn Sat, Jun 9, 2018 at 2:45 PM Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\n\u003e On Sat, Jun 09, 2018 at 02:21:17PM +0200, Sergio Demian Lerner wrote:\n\u003e \u003e Also it must be noted that an attacker having only 1.3M USD that can\n\u003e \u003e brute-force 72 bits (4 days of hashing on capable ASICs) can perform the\n\u003e \u003e same attack, so the attack is entirely feasible and no person should\n\u003e accept\n\u003e \u003e more than 1M USD using a SPV wallet.\n\u003e\n\u003e That doesn't make any sense. Against a SPV wallet you don't need that\n\u003e attack;\n\u003e with that kind of budget you can fool it by just creating a fake block at\n\u003e far\n\u003e less cost, along with a sybil attack. Sybils aren't difficult to pull off\n\u003e when\n\u003e you have the budget to be greating fake blocks.\n\u003e\n\u003e \u003e Also the attack can be repeated: once you create the \"extension point\"\n\u003e \u003e block, you can attack more and more parties without any additional\n\u003e \u003e computation.\n\u003e\n\u003e That's technically incorrect: txouts can only be spent once, so you'll\n\u003e need to\n\u003e do 2^40 work each time you want to repeat the attack to grind the matching\n\u003e part\n\u003e of the prevout again.\n\u003e\n\u003e --\n\u003e https://petertodd.org 'peter'[:-1]@petertodd.org\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180609/567e1527/attachment.html\u003e",
"sig": "381cd18322d90ec333f1bc7ab23c5ee13747d9dfd7f14cf8b42132fd62ca562ba959f81214ea9e937bd56d8cf1e219362cb1e4a2ccb7c2512ba2c0220a0694c5"
}