📅 Original date posted:2017-04-05
📝 Original message:On Wed, Apr 05, 2017 at 11:37:22AM -0400, Greg Sanders via bitcoin-dev wrote:
> I'd appreciate the authors chiming in, but I read the PASDA differently:
>
> 1) If a transaction is mined with a certain bit set, it reserves 700 bytes
> for that particular block.
> 2) In that space, 2 transactions may happen:
> a) First, a transaction penalizing the "parent" transaction for fraud by
> spending the funds immediately
> b) Second, a "free rider" transaction that penalizes fraud within a ~2 week
> window
>
> This means during systematic flooding of closing transactions by
> Goldfinger, vigilant watchers of their channels can immediately punish the
> fraud in the same block using (a), and if they are unable to, need to find
> space within two weeks in (b).
>
> This is really in the LN weeds however, so I'll refrain from evaluating the
> efficacy of such a solution.
Yes, that is correct. I haven't had a chance to review Laolu's summary
yet, haven't had a chance to talk to him today since I was away from the
keyboard for most of the day, would have been unable to review things.
Section "b" above only allows for free riding on the first output of a
transaction with the bit set within the past 2016 blocks. It does not
allow free riding on outputs without that bit set in the transaction.
Additionally, the presumption is that the attacker fills up the
mempool with incorrect prior commitment transactions.
The attack scenario is Mallory asks everyone to open a channel with her.
Mallory only has 1 BTC. With sufficiently low tx fees, Mallory can use
that one bitcoin to open many ~1 BTC channels. All of those channels had
a prior state which Mallory had ~1 BTC, and a current state where she
has none. She broadcasts these thousands of prior states where she has
~1 BTC.
The presumption is the penalty transaction in many cases has a very
small fee, since it is already covered by the commitment.
This mitigates systemic goldfinger attacks since it is unlikely they can
get enough transactions in. Additionally the transactions waiting on the
mempool allows for many to be notified and fill up the first reserved
space. The attacker would likely be attempting to fill up the mempool
(longer block times help here with security!!!). It is presumed that
there is some small amount in reserve so there is some fee reward
covered for enforcing the penalty. This construction allows for the
amount in reserve to be significantly smaller and much more resilient
against even the largest of goldfinger attacks.
(This isn't a full mitigation, as there are certain conditions related
to miner-attacker coordination with high hashpower. Attacker-Miner
coordination is presumed to be out-of-scope, especially in relation to
51% attacks, since it's sort of a moot point, if they have the funds to
mount this attack so that it's profitable, it gets pretty close for them
to have a very significant hashpower anyway.)
I'll add a clarification to the specification on github soon. The intent
of this is to reduce the cost of setting up LN channels with funds in
reserve, with minimal code changes. Future changes which could be
desired if this is usable would be use additional tx flag bits to select
how many outputs in a transaction apply to enable a large payment of
funds pending in-flight.
--
Joseph Poon
Joseph Poon [ARCHIVE] /
npub1ej…p9cq8
2023-06-07 17:59:06
in reply to nevent1q…a0rq
Author Public Key
npub1ej6vep7y2km5l6awukffelg8yeppkth2vjkjk9jypd5w336rxggs3p9cq8Published at
2023-06-07 17:59:06Event JSON
{
"id": "c77c431964721af62dce1481fceb38e9ea2f5dcc5cf38e2ae627cd597080af1e",
"pubkey": "ccb4cc87c455b74febaee5929cfd0726421b2eea64ad2b16440b68e8c7433211",
"created_at": 1686160746,
"kind": 1,
"tags": [
[
"e",
"abf590933f2e25de977a5978c4ce56a216dbf30e8981b7754f54dbad96bc3e27",
"",
"root"
],
[
"e",
"62d0198c466fa4cc9ec4589f955718793be08f5f9af48612b3322e368e9ccbc4",
"",
"reply"
],
[
"p",
"937f10fc4f78d8676348562d9d886843fbb351d99d6c96423fe9970819962e19"
]
],
"content": "📅 Original date posted:2017-04-05\n📝 Original message:On Wed, Apr 05, 2017 at 11:37:22AM -0400, Greg Sanders via bitcoin-dev wrote:\n\u003e I'd appreciate the authors chiming in, but I read the PASDA differently:\n\u003e \n\u003e 1) If a transaction is mined with a certain bit set, it reserves 700 bytes\n\u003e for that particular block.\n\u003e 2) In that space, 2 transactions may happen:\n\u003e a) First, a transaction penalizing the \"parent\" transaction for fraud by\n\u003e spending the funds immediately\n\u003e b) Second, a \"free rider\" transaction that penalizes fraud within a ~2 week\n\u003e window\n\u003e \n\u003e This means during systematic flooding of closing transactions by\n\u003e Goldfinger, vigilant watchers of their channels can immediately punish the\n\u003e fraud in the same block using (a), and if they are unable to, need to find\n\u003e space within two weeks in (b).\n\u003e \n\u003e This is really in the LN weeds however, so I'll refrain from evaluating the\n\u003e efficacy of such a solution.\n\nYes, that is correct. I haven't had a chance to review Laolu's summary\nyet, haven't had a chance to talk to him today since I was away from the\nkeyboard for most of the day, would have been unable to review things.\n\nSection \"b\" above only allows for free riding on the first output of a\ntransaction with the bit set within the past 2016 blocks. It does not\nallow free riding on outputs without that bit set in the transaction.\n\nAdditionally, the presumption is that the attacker fills up the\nmempool with incorrect prior commitment transactions.\n\nThe attack scenario is Mallory asks everyone to open a channel with her.\nMallory only has 1 BTC. With sufficiently low tx fees, Mallory can use\nthat one bitcoin to open many ~1 BTC channels. All of those channels had\na prior state which Mallory had ~1 BTC, and a current state where she\nhas none. She broadcasts these thousands of prior states where she has\n~1 BTC.\n\nThe presumption is the penalty transaction in many cases has a very\nsmall fee, since it is already covered by the commitment.\n\nThis mitigates systemic goldfinger attacks since it is unlikely they can\nget enough transactions in. Additionally the transactions waiting on the\nmempool allows for many to be notified and fill up the first reserved\nspace. The attacker would likely be attempting to fill up the mempool\n(longer block times help here with security!!!). It is presumed that\nthere is some small amount in reserve so there is some fee reward\ncovered for enforcing the penalty. This construction allows for the\namount in reserve to be significantly smaller and much more resilient\nagainst even the largest of goldfinger attacks.\n\n(This isn't a full mitigation, as there are certain conditions related\nto miner-attacker coordination with high hashpower. Attacker-Miner\ncoordination is presumed to be out-of-scope, especially in relation to\n51% attacks, since it's sort of a moot point, if they have the funds to\nmount this attack so that it's profitable, it gets pretty close for them\nto have a very significant hashpower anyway.)\n\nI'll add a clarification to the specification on github soon. The intent\nof this is to reduce the cost of setting up LN channels with funds in\nreserve, with minimal code changes. Future changes which could be\ndesired if this is usable would be use additional tx flag bits to select\nhow many outputs in a transaction apply to enable a large payment of\nfunds pending in-flight.\n\n-- \nJoseph Poon",
"sig": "c702fccb2973621707106bb1b3f42859c87ad379652448cd42783330a97aee04158425efbeffd8865c3884e481a6c7fdb311463ffc191a10b4587c7e27b81ba7"
}