📅 Original date posted:2016-06-28
📝 Original message:On Jun 28, 2016, at 9:55 PM, Gregory Maxwell via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>> I understand the use, when coupled with a yet-to-be-devised identity system, with Bloom filter features. Yet these features
>
> This is a bit of a strawman, you've selected a single narrow usecase which isn't proposed by the BIP and then argue it is worthless. I agree that example doesn't have much value (and I believe that
> eventually the BIP37 bloom filters should be removed from the protocol).
I don't follow this comment. The BIP aims quite clearly at "SPV" wallets as its justifying scenario.
> Without something like BIP151 network participants cannot have privacy for the transactions they originate within the protocol against network observers.
And they won't get it with BIP151 either. Being a peer is easier than observing the network. If one can observe the encrypted traffic one can certainly use a timing attack to determine what the node has sent.
> Even if, through some extraordinary effort, their own first hop is encrypted, unencrypted later hops would rapidly
> expose significant information about transaction origins in the network.
As will remain the case until all connections are encrypted and authenticated, and all participants are known to be good guys. Starting to sound like PKI?
> Without something like BIP151 authenticated links are not possible, so
> manually curated links (addnode/connect) cannot be counted on to provide protection against partitioning sybils.
If we trust the manual links we don't need/want the other links. In fact retaining the other links enables the attack you described above. Of course there is no need to worry about Sybil attacks when all of your peers are authenticated. But again, let us not ignore the problems of requiring all peers on the network be authenticated.
> Along the way BIP151 appears that it will actually make the protocol faster.
>
>> Given that the BIP relies on identity
>
> This is untrue. The proposal is an ephemerally keyed opportunistic
> encryption system. The privacy against a network observer does not depend on authentication, much less "identity". And when used with authentication at all it makes interception strongly detectable after the fact.
Maybe I was insufficiently explicit. By "relies on identity" I meant that the BIP is not effective without it. I did not mean to imply that the BIP itself implements an identity scheme. I thought this was clear from the context.
>> The BIP does not [...] contemplate the significant problems associated with key distribution in any identity system
>
> Because it does not propose any "identity system" or authorization (also, I object to your apparent characterization of authentication as as an 'identity system'-- do you also call Bitcoin addresses an identity system?).
Please read more carefully what I wrote. I did not characterize authentication as an identity system. I proposed that key distribution has significant problems, and used identity systems as an example of systems with such problems. I could just have easily written "authentication systems", (and probably should have).
> That said, manually maintaining adds nodes to your own and somewhat trusted nodes is a recommend best practice for miners and other high value systems which is rendered much less effective due to a lack of
> authentication, there is no significant key distribution problem in that case
This is the only legitimate scenario that I am aware of. Doing this by IP address (as we do) is weak if there is no VPN.
Yet this scenario is very different than general authentication. This scenario is a set of nodes that is essentially a single logical node from the perspective of the Bitcoin security model. One entity controls the validation rules, or is collaborating with another entity to do so.
My concern is that a general authentication requirement expands this single logical node and gives control over if to the entity that controls key distribution - the hard problem that hasn't been addressed.
If there is no such entity restricting access to the network (which hopefully we can assume) then there is no reason to expect any effective improvement, since nodes will necessarily have to connect with anonymous peers. Anyone with a node and the ability to monitor traffic should remain very effective.
> and I expect the future auth BIP (Jonas had one before, but it was put aside for now to first focus on the link layer encryption)
> to address that case quite well.
Defining an auth implementation is not a hard problem, nor is it the concern I have raised.
e
Eric Voskuil [ARCHIVE] /
npub1sg…ppx3c
2023-06-07 17:51:46
in reply to nevent1q…fh0g
Author Public Key
npub1sgs97fe0n9wehe6zw7drcxdz4cy9yt9pfqjv8gasz5jlk4zezc0quppx3cSeen on
wss://relay.nostr.bandPublished at
2023-06-07 17:51:46Event JSON
{
"id": "3f350f121e83419042316dedd9691b7543172ed4ecb19e0bd49920957e097f0f",
"pubkey": "82205f272f995d9be742779a3c19a2ae08522ca14824c3a3b01525fb5459161e",
"created_at": 1686160306,
"kind": 1,
"tags": [
[
"e",
"d0e8bb25d553b30c0cc0d96d85855c267cf10b5981dd5042024df41c59046cbd",
"",
"root"
],
[
"e",
"6946cc0530acc188efac392bad001ed6c37659cb6c47d30f2b9709e5948a1870",
"",
"reply"
],
[
"p",
"4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73"
]
],
"content": "📅 Original date posted:2016-06-28\n📝 Original message:On Jun 28, 2016, at 9:55 PM, Gregory Maxwell via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e\u003e I understand the use, when coupled with a yet-to-be-devised identity system, with Bloom filter features. Yet these features\n\u003e \n\u003e This is a bit of a strawman, you've selected a single narrow usecase which isn't proposed by the BIP and then argue it is worthless. I agree that example doesn't have much value (and I believe that\n\u003e eventually the BIP37 bloom filters should be removed from the protocol).\n\nI don't follow this comment. The BIP aims quite clearly at \"SPV\" wallets as its justifying scenario.\n\n\u003e Without something like BIP151 network participants cannot have privacy for the transactions they originate within the protocol against network observers.\n\nAnd they won't get it with BIP151 either. Being a peer is easier than observing the network. If one can observe the encrypted traffic one can certainly use a timing attack to determine what the node has sent.\n\n\u003e Even if, through some extraordinary effort, their own first hop is encrypted, unencrypted later hops would rapidly\n\u003e expose significant information about transaction origins in the network.\n\nAs will remain the case until all connections are encrypted and authenticated, and all participants are known to be good guys. Starting to sound like PKI?\n\n\u003e Without something like BIP151 authenticated links are not possible, so\n\u003e manually curated links (addnode/connect) cannot be counted on to provide protection against partitioning sybils.\n\nIf we trust the manual links we don't need/want the other links. In fact retaining the other links enables the attack you described above. Of course there is no need to worry about Sybil attacks when all of your peers are authenticated. But again, let us not ignore the problems of requiring all peers on the network be authenticated.\n\n\u003e Along the way BIP151 appears that it will actually make the protocol faster.\n\u003e \n\u003e\u003e Given that the BIP relies on identity\n\u003e \n\u003e This is untrue. The proposal is an ephemerally keyed opportunistic\n\u003e encryption system. The privacy against a network observer does not depend on authentication, much less \"identity\". And when used with authentication at all it makes interception strongly detectable after the fact.\n\nMaybe I was insufficiently explicit. By \"relies on identity\" I meant that the BIP is not effective without it. I did not mean to imply that the BIP itself implements an identity scheme. I thought this was clear from the context.\n\n\u003e\u003e The BIP does not [...] contemplate the significant problems associated with key distribution in any identity system\n\u003e \n\u003e Because it does not propose any \"identity system\" or authorization (also, I object to your apparent characterization of authentication as as an 'identity system'-- do you also call Bitcoin addresses an identity system?).\n\nPlease read more carefully what I wrote. I did not characterize authentication as an identity system. I proposed that key distribution has significant problems, and used identity systems as an example of systems with such problems. I could just have easily written \"authentication systems\", (and probably should have).\n\n\u003e That said, manually maintaining adds nodes to your own and somewhat trusted nodes is a recommend best practice for miners and other high value systems which is rendered much less effective due to a lack of\n\u003e authentication, there is no significant key distribution problem in that case\n\nThis is the only legitimate scenario that I am aware of. Doing this by IP address (as we do) is weak if there is no VPN.\n\nYet this scenario is very different than general authentication. This scenario is a set of nodes that is essentially a single logical node from the perspective of the Bitcoin security model. One entity controls the validation rules, or is collaborating with another entity to do so.\n\nMy concern is that a general authentication requirement expands this single logical node and gives control over if to the entity that controls key distribution - the hard problem that hasn't been addressed.\n\nIf there is no such entity restricting access to the network (which hopefully we can assume) then there is no reason to expect any effective improvement, since nodes will necessarily have to connect with anonymous peers. Anyone with a node and the ability to monitor traffic should remain very effective.\n\n\u003e and I expect the future auth BIP (Jonas had one before, but it was put aside for now to first focus on the link layer encryption)\n\u003e to address that case quite well.\n\nDefining an auth implementation is not a hard problem, nor is it the concern I have raised.\n\ne",
"sig": "4c84c13439a65553feb2df0d9ee6f84863e95a0702d226c3832ea56e97110077db535495d88c8dc11d9394ef73993964ea16cba99de162cf8bfbe20f583c1e73"
}