ZmnSCPxj [ARCHIVE] on Nostr
📅 Original date posted: 2021-06-29
📝 Original message:
Good morning Raymo,

> Hey Alex,
>
> Your scenario works perfectly unless we put some restrictions on
> accepting transaction by creditor (in our case Bob).
> These are restrictions:
> Alice has to use a UTXO (or some UTXOs) worth at least 40,000 Sat as
> transaction input.
> Alice has to reserve 10,000 Sat as transaction fee (for MT transaction)
> regardless of transaction length or input/output amounts.
> Alice always pays at least 4,000 Sat of BTC-transaction-fee, and the
> 6,000 remaining fee must be paid by her and Bob in proportion to their
> outputs amounts)
> Alice can issue a transaction that has a maximum of 20,000 outputs for
> creditors (Bob and others).
> The rest (if it exists) is change back to Alice address.
> The GT is formed based on MT.
> Bob considers a transaction couple (MT, GT) valid only if they respect
> these rules.
>
> Let’s put it in practice using some numbers (although you can find more
> detailed explanation in paper).
>
> The MT would be like that:
> Input: 40,000 Satoshi
> Outputs:
> Bob: 20,000
> BTC-fee: 10,000
> Change back to Alice: 10,000
>
> Based on this MT the GT will be
> Input: 40,000 Satoshi
> Outputs:
> Bob: 20,000 – 20,000 * 70% = 6,000
> BTC-fee: 10,000 + (14,000 of Bob’s output) + (1,500 of Alice’s change
> back) = 25,500
> Change back to Alice: 10,000 – 10,000 * 15% = 8,500
>
> Now if Alice wants to spend UTXO to Charlie with higher fee, she has to
> pay at least 25,500 + 1 Satoshi as BTC fee in order to convince miners
> to put her fraudulent transaction instead of the GT in the next block.
> Alice already got 20,000 Sat profit from Bob. Now she can earn another
> 14,999 Sat profit from Charlie because of same UTXO worth 40,000
> Satoshi.
> Indeed, she spent 40,000 Sat and in total got equal to 34,999 Sat goods
> or services.
> Is she a winner?
> I am not sure!
> What do you think?

You assume here that Alice the issuer only has a single UTXO and that it creates a single transaction spending that UTXO.

It is helpful to remember that miners consider fee*rate*, but your security analysis is dependent on *fee* and not fee*rate*.

Now consider, what if Alice creates 1000 UTXOs, promises GTs and MTs to 1000 different Bobs?

Now, a GT has one input and two outputs.

1000 GTs have 1000 overheads (`nLockTime` and `nVersion` and so on), 1000 inputs, and 2000 outputs.

Now Alice the issuer, being the sole signer, can create a fraudulent transaction that spends all 1000 UTXOs and spends it to a single Carol output.

This fraudulent transaction has 1 overhead, 1000 inputs, and 1 output.

Do you think Alice can get a better fee*rate* on that transaction while paying a lower aggregate *fee* than all the GTs combined?
Remember, you based your security analysis on Alice being forced to pay a larger *fee*, but neglect that miners judge transactions based on fee*rate*, which is subtly different and not what you are relying on.
I am sure that there exists some large enough number of UTXOs where a single aggregating fraudulent transaction will be far cheaper than the tons of little GTs your security analysis depends on.

This is why we do not use 1-of-1 signers in safe offchain protocols.
Not your keys, not your coins.

--

In addition, your analysis is based on assuming that miners are perfect rational beings of perfect rationality, ***and*** are omniscient.

In reality, miners possess bounded knowledge, i.e. they do not know everything.

Even if Alice is in possession of only a single UTXO, Alice can still feed miners a transaction with lower feerate than the MT, then feed the rest of the network with a valid MT.
Because transactions propagate through the network but this propagation is ***not*** instantaneous, it is possible for the MT to reach the miners later than the fraudulent transaction.
In this window of time, a block may be mined that includes the fraudulent transaction, simply because the lucky miner never managed to hear of the correct MT.

This attack is essentially costless to Alice, especially for big enough transactions where mining fees are a negligible part of the payment.

This is why we do not use 1-of-1 signers in safe offchain protocols.
Not your keys, not your coins.

Regards,
ZmnSCPxj
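
The fee versus feerate argument in the message above, worked through numerically. This is an added example, not part of the original message or of the proposal it reviews. The 25,500 Sat GT fee comes from the quoted example; the byte sizes are assumed typical legacy P2PKH figures, and the function names are illustrative.

```python
from fractions import Fraction

# Assumed legacy P2PKH serialization sizes in bytes (typical values, not from the post).
INPUT_BYTES = 148
OUTPUT_BYTES = 34
GT_FEE_SAT = 25_500  # fee of one GT in the quoted example


def varint_len(n: int) -> int:
    """Length of Bitcoin's CompactSize encoding for a count n."""
    if n < 0xFD:
        return 1
    if n <= 0xFFFF:
        return 3
    if n <= 0xFFFFFFFF:
        return 5
    return 9


def tx_size(n_inputs: int, n_outputs: int) -> int:
    """Serialized size: nVersion + nLockTime + both counts + inputs + outputs."""
    overhead = 4 + 4 + varint_len(n_inputs) + varint_len(n_outputs)
    return overhead + n_inputs * INPUT_BYTES + n_outputs * OUTPUT_BYTES


def compare(n_utxos: int) -> dict:
    """Set of n GTs versus one transaction spending the same n UTXOs to one output."""
    gt_size = tx_size(1, 2)                     # a GT: one input, two outputs
    gt_feerate = Fraction(GT_FEE_SAT, gt_size)  # exact sat/byte, no float rounding
    sweep_size = tx_size(n_utxos, 1)            # 1 overhead, n inputs, 1 output
    # Smallest integer fee whose feerate strictly exceeds the feerate of each GT.
    sweep_min_fee = int(gt_feerate * sweep_size) + 1
    return {
        "gt_total_fee": n_utxos * GT_FEE_SAT,
        "gt_total_size": n_utxos * gt_size,
        "sweep_size": sweep_size,
        "sweep_min_fee": sweep_min_fee,
        "fee_saved": n_utxos * GT_FEE_SAT - sweep_min_fee,
    }


if __name__ == "__main__":
    for n in (1, 10, 1000):
        print(n, compare(n))
```

Under these assumed sizes the conflicting transaction reaches a higher feerate than any GT while paying less total fee, even for a single UTXO, because it carries one output fewer; a creditor evaluating such a scheme should compare feerates, not absolute fees.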
Published at
2023-06-07 22:55:02