📅 Original date posted:2012-01-02
📝 Original message:On 2012-01-02 14:41:10 -0800, Gregory Maxwell said:
> make this possible: https://bitcointalk.org/index.php?topic=21995.0
Neat! I had a similar idea but you've clearly beat me to [a big part of] it.
> Er, no— if a node controls the private keys for a transaction, and
> that transaction makes it into the chain then it can safely assume
> that its unspent (at least once its buried a few blocks into the
> chain).
I'm not so sure about that. If you accept X successor blocks as proof
that none of the transactions in a block re-used an output, then the
cost of attacking is X*50BTC since the hashpower needed for the attack
could have earned that much reward.
However, an attacker could use the same faked X-block sequence to
attack multiple clients by putting several double-spend transactions in
the first faked block. This would spread out the cost over more than
one attack. So simply checking that the value of the transaction is
less than X*50 isn't necessarily enough, although the logistics of the
attack aren't exactly easy.
There's also the question of knowing what the difficulty for those X
blocks ought to be. If the attacker controls your network connection
(e.g. your ISP attacks you) you wouldn't be able to get a second
opinion on how high the difficulty ought to be, and might get fooled by
X very-low-difficulty blocks that were each produced with a lot less
than 50BTC worth of hashpower.
- e
Elden Tyrell [ARCHIVE] /
npub1ew…56jzh
2023-06-07 02:54:33
in reply to nevent1q…azpd
Author Public Key
npub1ewgf27xpck6l48a49gps43j0x5lz6tn6jdm2vmc70zvcq9kjx5qqr56jzhPublished at
2023-06-07 02:54:33Event JSON
{
"id": "c8a63c07281ba073eea529976676604f519dd93e48855ca0005a222e817f7ee8",
"pubkey": "cb909578c1c5b5fa9fb52a030ac64f353e2d2e7a9376a66f1e78998016d23500",
"created_at": 1686106473,
"kind": 1,
"tags": [
[
"e",
"67d9df9b422f0a3c9a61b90726cf3ac3535a5c46f83503e498da2c23e50d0b04",
"",
"root"
],
[
"e",
"b43696c04e295ac984efb6502f454d238780a87bdcda0180e961292ce6279cc3",
"",
"reply"
],
[
"p",
"4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73"
]
],
"content": "📅 Original date posted:2012-01-02\n📝 Original message:On 2012-01-02 14:41:10 -0800, Gregory Maxwell said:\n\u003e make this possible: https://bitcointalk.org/index.php?topic=21995.0\n\nNeat! I had a similar idea but you've clearly beat me to [a big part of] it.\n\n\n\u003e Er, no— if a node controls the private keys for a transaction, and\n\u003e that transaction makes it into the chain then it can safely assume\n\u003e that its unspent (at least once its buried a few blocks into the\n\u003e chain).\n\nI'm not so sure about that. If you accept X successor blocks as proof \nthat none of the transactions in a block re-used an output, then the \ncost of attacking is X*50BTC since the hashpower needed for the attack \ncould have earned that much reward.\n\nHowever, an attacker could use the same faked X-block sequence to \nattack multiple clients by putting several double-spend transactions in \nthe first faked block. This would spread out the cost over more than \none attack. So simply checking that the value of the transaction is \nless than X*50 isn't necessarily enough, although the logistics of the \nattack aren't exactly easy.\n\nThere's also the question of knowing what the difficulty for those X \nblocks ought to be. If the attacker controls your network connection \n(e.g. your ISP attacks you) you wouldn't be able to get a second \nopinion on how high the difficulty ought to be, and might get fooled by \nX very-low-difficulty blocks that were each produced with a lot less \nthan 50BTC worth of hashpower.\n\n - e",
"sig": "6ad8465b709dfa66d297ff421a867b3dfd7b09d97c2ea7d1a335d5783a33e4542deb71e47dfb60d7b32ed8601903716f2856d26c2081fcbd9e75178ca98f2c46"
}