Joseph Poon [ARCHIVE] on Nostr
📅 Original date posted:2015-08-17
📝 Original message:Hi Chris, I don't speak for Peter, but here's my opinion on the matter
anyway.

On Mon, Aug 17, 2015 at 05:44:56PM -0400, Chris Pacia via bitcoin-dev wrote:
> Can you explain how the spv node fails against an attacker with a
> non-trivial amount of hash power where a full node doesn't? To attack an
> spv wallet that is waiting for 6 or 10 confirmations, you would not only
> need to Sybil them but also summon a massive amount of hashing power to
> create a chain of headers (while forgoing the opportunity to mine valid
> blocks with that hash power).
>
> But could someone with that much hash power not Sybil a full node and give
> them a chain for valid blocks (but on an orphan fork)? The failure model
> doesn't seem specific to spv to me.

With SPV, it is possible to create a transaction that spends from
non-existent coins. With sufficient hashpower, you can construct an SPV
proof which sends 1,000 bitcoin to the victim. The attack is
"overloadable" in the sense that the attacker is never out of money
(they never needed to have 1,000 BTC in the first place). Whereas if the
victim is running a full node, the attacker must be signing and spending
real outputs in their control; there is a possibility in a re-org that
the victim will eventually get their money if it gets re-orged back.

On a more fundamental level, the SPV attack isn't on re-orging real/live
transactions, it's an attack on *how much money you currently have*. If
the client is using SPV, they never had the money in the first place
when attacked, irrespective of re-orgs.

It is possible to attack thousands of people at once (everyone gets
1,000 bitcoin in false transactions) with a fraction of the hashpower
(lie in wait until you get a sufficiently long chain of blocks). If you
wished to attack a full-node, it requires you orphaning a chain of valid
blocks *live*, meaning you have to send real coins in a real transaction
to the victim first. With SPV validation, you only need to construct a
chain of invalid blocks off the current blockheight *whenever*. This
means you can attack with substantially less hashpower; you don't need
51% of the hashpower to attack SPV wallets. It may be economically
unviable to attack a single victim with a full node within a very short
timeframe, but it can be economically viable to attack thousands of
victims doing SPV validation in a long timeframe.

Note I'm not arguing that SPV should be completely avoided; I don't
have a solid opinion on that (and some threats can definitely be
mitigated in various ways, and I certainly like/appreciate the
convenience of SPV), but the current SPV security model is definitely
weaker than running a full node (if you're handling a lot of money, you
should be running a full node). Are these issues not well-known by all
in the bitcoin community?

--
Joseph Poon
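
The gap between the two validation models described in the message above, as an added example that is not part of the original post: an SPV client checks only that a transaction hashes up to the Merkle root in a block header, while a full node also checks that every input spends an existing unspent output. The transaction encoding, the sample data and all function names are constructed for illustration, and header proof-of-work and chain linkage are out of scope here.

```python
import hashlib

def dsha(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def txid(tx: dict) -> bytes:
    # Toy serialization (constructed), not Bitcoin's wire format.
    return dsha(repr((tx["inputs"], tx["outputs"])).encode())

def merkle_branch(txids, index):
    """Return (root, branch) for txids[index]; odd levels duplicate the last node."""
    branch, level = [], list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        branch.append(level[index ^ 1])          # sibling at this level
        level = [dsha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch

def spv_accepts(tx_hash, index, branch, merkle_root):
    """SPV check: inclusion under the header's Merkle root, nothing about inputs."""
    node = tx_hash
    for sibling in branch:
        node = dsha(sibling + node) if index & 1 else dsha(node + sibling)
        index >>= 1
    return node == merkle_root

def full_node_accepts(tx, utxo_set):
    """Full-node rule: inputs must exist in the UTXO set and cover the outputs."""
    try:
        spent = sum(utxo_set[outpoint] for outpoint in tx["inputs"])
    except KeyError:                              # input refers to coins that do not exist
        return False
    return sum(tx["outputs"]) <= spent

# Constructed sample data: one real unspent output worth 5.
UTXO_SET = {("aa" * 32, 0): 5}
HONEST = {"inputs": [("aa" * 32, 0)], "outputs": [4]}
BOGUS = {"inputs": [("ff" * 32, 0)], "outputs": [1000]}   # spends a non-existent output
FILLER = {"inputs": [], "outputs": [0]}                   # makes the tree level odd

def demo():
    """Return {name: (spv_result, full_node_result)} for both transactions."""
    txs = [HONEST, BOGUS, FILLER]
    ids = [txid(t) for t in txs]
    out = {}
    for name, i in (("honest", 0), ("bogus", 1)):
        root, branch = merkle_branch(ids, i)
        out[name] = (spv_accepts(ids[i], i, branch, root), full_node_accepts(txs[i], UTXO_SET))
    return out
```
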
Published at 2023-06-07 17:35:59