π
Original date posted:2015-10-15
π Original message:Thanks, Matt. Response inline.
On Wed, Oct 14, 2015 at 2:57 PM, Matt Corallo <lf-lists at mattcorallo.com>
wrote:
> That conversation missed a second issue. Namely that there is no way to
> punish people if there is a double spend in a micro block that happens in
> key block which reorg'd away the first transaction. eg one miner mines a
> transaction in a micro block, another miner (either by not having seen the
> first yet, or being malicious - potentially the same miner) mines a key
> block which reorgs away the first micro block and then, in their first
> micro block, mines a double spend. This can happen at any time, so you end
> up having to fall back to regular full blocks for confirmation times :(.
>
If NG is to be used efficiently, microblocks are going to be very frequent,
and so such forks should occur at almost every key-block publication. Short
reorgs as you described are the norm. A user should wait before accepting a
transaction to make sure there was no key-block she missed. The wait time
is chosen according to the network propagation delay (+as much slack as the
user feels necessary). This is similar to the situation in Bitcoin when you
receive a block. To be confident that you have one confirmation you should
wait for the propagation time of the network to make sure there is no
branch you missed.
As for the malicious case: the attacker has to win the key-block, have the
to-be-inverted transaction in the previous epoch, and withhold his
key-block for a while. That being said, indeed our fraud proof scheme
doesn't catch such an event, as it is indistinguishable from benign
behavior.
> Also, Greg Slepak brought up a good point on twitter at
> https://twitter.com/taoeffect/status/654358023138209792. Noting that this
> model means users could no longer pick transactions in a mining pool which
> was set up in such a way (it could be tweaked to do so with separate
> rewards and pubkeys, but now the user can commit fraud at a much lower cost
> - their own pool reward, not the block's total reward).
>
Agreed x3: This is a good point, it is correct, and the tweak is dangerous.
Do you perceive this as a significant practical issue?
>
> On October 14, 2015 11:28:51 AM PDT, Ittay via bitcoin-dev <
> bitcoin-dev at lists.linuxfoundation.org> wrote:
>
>>
>> On Wed, Oct 14, 2015 at 2:12 PM, Bryan Bishop <kanzure at gmail.com> wrote:
>>
>>> On Wed, Oct 14, 2015 at 1:02 PM, Emin GΓΌn Sirer
>>> <bitcoin-dev at lists.linuxfoundation.org> wrote:
>>> > while the whitepaper has all the nitty gritty details:
>>> > http://arxiv.org/abs/1510.02037
>>>
>>> Taking reward compensation back by fraud proofs is not enough to fix
>>> the problems associated with double spending (such as, everyone has to
>>> wait for the "real" confirmations instead of the "possibly
>>> double-spend" confirmations). Some of this was discussed in -wizards
>>> recently:
>>> http://gnusha.org/bitcoin-wizards/2015-09-19.log
>>
>>
>> Fraud proof removes all the attacker's revenue. It's like the attacker
>> sacrifices an entire block for double spending in the current system. I
>> think Luke-Jr got it right at that discussion.
>>
>> Best,
>> Ittay
>>
>> ------------------------------
>>
>> bitcoin-dev mailing list
>> bitcoin-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20151015/784e0876/attachment.html>;
Ittay [ARCHIVE] /
npub1n8β¦637cg
2023-06-07 17:43:28
in reply to nevent1qβ¦530h
Author Public Key
npub1n8ytpf4jzavm7hl9t5zksuefcguu6k3frvztqqc4kgcdkwduqesq0637cgPublished at
2023-06-07 17:43:28Event JSON
{
"id": "3d43498d4a75c7f26855b867acc14a41ee74ea1d96b40d82b2ab39fcb53feada",
"pubkey": "99c8b0a6b21759bf5fe55d05687329c239cd5a291b04b00315b230db39bc0660",
"created_at": 1686159808,
"kind": 1,
"tags": [
[
"e",
"8b34bf2b799e8049f16f95541ce82646f95e8a9250529a9231a0af367eee7a3c",
"",
"root"
],
[
"e",
"d0436693b6dd989322e5790c61aa47d2028d677159c4d736ca0fe5da8b8d3bbf",
"",
"reply"
],
[
"p",
"cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba"
]
],
"content": "π
Original date posted:2015-10-15\nπ Original message:Thanks, Matt. Response inline.\n\nOn Wed, Oct 14, 2015 at 2:57 PM, Matt Corallo \u003clf-lists at mattcorallo.com\u003e\nwrote:\n\n\u003e That conversation missed a second issue. Namely that there is no way to\n\u003e punish people if there is a double spend in a micro block that happens in\n\u003e key block which reorg'd away the first transaction. eg one miner mines a\n\u003e transaction in a micro block, another miner (either by not having seen the\n\u003e first yet, or being malicious - potentially the same miner) mines a key\n\u003e block which reorgs away the first micro block and then, in their first\n\u003e micro block, mines a double spend. This can happen at any time, so you end\n\u003e up having to fall back to regular full blocks for confirmation times :(.\n\u003e\n\nIf NG is to be used efficiently, microblocks are going to be very frequent,\nand so such forks should occur at almost every key-block publication. Short\nreorgs as you described are the norm. A user should wait before accepting a\ntransaction to make sure there was no key-block she missed. The wait time\nis chosen according to the network propagation delay (+as much slack as the\nuser feels necessary). This is similar to the situation in Bitcoin when you\nreceive a block. To be confident that you have one confirmation you should\nwait for the propagation time of the network to make sure there is no\nbranch you missed.\n\nAs for the malicious case: the attacker has to win the key-block, have the\nto-be-inverted transaction in the previous epoch, and withhold his\nkey-block for a while. That being said, indeed our fraud proof scheme\ndoesn't catch such an event, as it is indistinguishable from benign\nbehavior.\n\n\n\u003e Also, Greg Slepak brought up a good point on twitter at\n\u003e https://twitter.com/taoeffect/status/654358023138209792. Noting that this\n\u003e model means users could no longer pick transactions in a mining pool which\n\u003e was set up in such a way (it could be tweaked to do so with separate\n\u003e rewards and pubkeys, but now the user can commit fraud at a much lower cost\n\u003e - their own pool reward, not the block's total reward).\n\u003e\n\nAgreed x3: This is a good point, it is correct, and the tweak is dangerous.\nDo you perceive this as a significant practical issue?\n\n\n\u003e\n\u003e On October 14, 2015 11:28:51 AM PDT, Ittay via bitcoin-dev \u003c\n\u003e bitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\n\u003e\u003e\n\u003e\u003e On Wed, Oct 14, 2015 at 2:12 PM, Bryan Bishop \u003ckanzure at gmail.com\u003e wrote:\n\u003e\u003e\n\u003e\u003e\u003e On Wed, Oct 14, 2015 at 1:02 PM, Emin GΓΌn Sirer\n\u003e\u003e\u003e \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\u003e\u003e \u003e while the whitepaper has all the nitty gritty details:\n\u003e\u003e\u003e \u003e http://arxiv.org/abs/1510.02037\n\u003e\u003e\u003e\n\u003e\u003e\u003e Taking reward compensation back by fraud proofs is not enough to fix\n\u003e\u003e\u003e the problems associated with double spending (such as, everyone has to\n\u003e\u003e\u003e wait for the \"real\" confirmations instead of the \"possibly\n\u003e\u003e\u003e double-spend\" confirmations). Some of this was discussed in -wizards\n\u003e\u003e\u003e recently:\n\u003e\u003e\u003e http://gnusha.org/bitcoin-wizards/2015-09-19.log\n\u003e\u003e\n\u003e\u003e\n\u003e\u003e Fraud proof removes all the attacker's revenue. It's like the attacker\n\u003e\u003e sacrifices an entire block for double spending in the current system. I\n\u003e\u003e think Luke-Jr got it right at that discussion.\n\u003e\u003e\n\u003e\u003e Best,\n\u003e\u003e Ittay\n\u003e\u003e\n\u003e\u003e ------------------------------\n\u003e\u003e\n\u003e\u003e bitcoin-dev mailing list\n\u003e\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\u003e\n\u003e\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20151015/784e0876/attachment.html\u003e",
"sig": "13cfe8d2b3f85f3adec0ef45466e65d9007c44fcc13e922ba4688a13fa6c8e5633b9e5b80bd87d9fdf4b5865696bfad6420c28caf75c186ca366ac2a321ffccb"
}