Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
The proposed fix is to add a new rule on how fees are handled. Some amount of every fee should be considered as burned and can never be spent. I will propose 50% of the fee here, but there may be better numbers that can be discovered prior to putting this into place. If we'd like miners to continue to collect the same fees after this change, we can suggest the default fee per transaction to be doubled I would propose another practical rule rather than burning 50% of the fee. For example, you can credit 50% of the transaction fee to the next block. Thus, the attacker cannot perform the attack with 0-fee any more, yet you don't have to double the price of the TX fee for the fix. Thanks, Loi Luu. On Tue, Jun 9, 2015 at 4:07 AM, Raystonn . rayst...@hotmail.com wrote: When implemented, the block size limit was put in place to prevent the potential for a massive block to be used as an attack to benefit the miner of that block. The theory goes that such a massive block would enrich its miner by delaying other miners who are now busy downloading and validating that huge block. The original miner of that large-block would be free to continue hashing the next block, giving it an advantage. Unfortunately, this block size limit opened a different attack. Prior to the limit, any attempt to spam the network by anyone other than someone mining their own transactions would have been economically unfeasible. As every transaction would have a fee, there would have been a real cost for every minute of spam. The end result would have been a transfer of wealth from spammer to Bitcoin miners, which would have harmed the spammers and encouraged further mining of Bitcoin, a very antifragile outcome. But now we have the block size limit. Things are very different with this feature in place. The beginning of a spam attack on the Bitcoin network will incur transaction fees, just like before. But if spam continues at a rate exceeding the block size limit long enough for transactions to be dropped from mempools, the vast majority of spam transaction fees will never have to be paid. In fact, as real users gain in desperation and pay higher fees to get their transactions through in a timely manner, the spammers will adjust their fees to minimize the cost of the attack and maximize effectiveness. Using this method, they keep their fees at a point that causes most of the spam transactions to be dropped without confirmation (free spam), while forcing a floor for transaction fees. Thus, while spam could be used by attackers to disable the network entirely, by paying high-enough fees to actually fill the blocks with spam, it can also be used by a single entity to force a transaction fee floor. Real users will be forced to pay a transaction fee higher than the majority of the spam to get their transactions confirmed. So this is an effective means for a minority of miners to force higher fees through spam attacks, even in the face of benevolent miners who would not support a higher fee floor by policy. Miners would simply have no way to fix this, as they can only put in the transactions that will fit under the block size limit. In the face of such a spam attack, Bitcoin's credibility and usability would be severely undermined. The block size limit enables this attack, and I now argue for its removal. But we can't just remove it and ignore the problem that it was intended to address. We need a new fix for the large-block problem described in the first paragraph that does not suffer from the dropped-transaction spam-attack problem that is enabled by the block size limit today. My proposal is likely to be controversial, and I'm very much open to hearing other better proposals. Large blocks created by a miner as a means to spam other miners out of competition is a problem because miners do not pay fees for their own transactions when they mine them. They collect the fees they pay. This breaks the economic barrier keeping people from spamming the network, as the spamming is essentially free. The proposed fix is to add a new rule on how fees are handled. Some amount of every fee should be considered as burned and can never be spent. I will propose 50% of the fee here, but there may be better numbers that can be discovered prior to putting this into place. If we'd like miners to continue to collect the same fees after this change, we can suggest the default fee per transaction to be doubled. Half of every fee would be burned and disappear forever, effectively distributing the value of those bitcoins across the entire money supply. The other half would be collected by the miner of the block as is done today. This solution would mean large blocks would cost a significant number of bitcoin to create, even when all of the transactions are created by the miner of that block. For this to work, we'd need to ensure a minimum fee is paid for most of
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
On Tue, Jun 9, 2015 at 2:36 PM, Gavin Andresen gavinandre...@gmail.com wrote: How about this for mitigating this potential attack: 1. Limit the memory pool to some reasonable number of blocks-worth of transactions (e.g. 11) 2. If evicting transactions from the memory pool, prefer to evict transactions that are part of long chains of unconfirmed transactions. 3. Allow blocks to grow in size in times of high transaction demand. I think 2 should just be fee per kB. If the pool is full and a transaction arrives, it has to have a fee per kB that is higher than the lowest transaction in the pool. The effect is that the fee per kB threshold for getting a transaction into the memory pool increases as the attack proceeds. This means that the cost to maintain the attack increases. With replace by fee, the new transaction would have to have a fee that is more than a fixed amount more than the lowest already in the pool. I think the replace by fee code already does this. This prevents transactions with fees that increase by 1 Satoshi at a time being relayed. For allowing large blocks when block space is in high demand, you could limit the average block size. If the average was set to 1MB, the rule could be that blocks must be 2MB or lower and the total size of the a block and the previous 99 must be 100MB or lower. This gives an average of 1MB per block, but allows bursts. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
That does sound good on the surface, but how do we enforce #1 and #2? They seem to be unenforceable, as a miner can adjust the size of the memory pool in his local source. From: Gavin Andresen Sent: Tuesday, June 09, 2015 6:36 AM To: Loi Luu Cc: Raystonn . ; Bitcoin Dev Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit How about this for mitigating this potential attack: 1. Limit the memory pool to some reasonable number of blocks-worth of transactions (e.g. 11) 2. If evicting transactions from the memory pool, prefer to evict transactions that are part of long chains of unconfirmed transactions. 3. Allow blocks to grow in size in times of high transaction demand. The combination of (1) and (2) means an attacker needs to prepare lots of confirmed inputs to pull off the attack. By itself that means they MUST pay transaction fees. (3) further mitigates the attack because it allows miners to just absorb fees that the attacker is throwing at miners. On Tue, Jun 9, 2015 at 5:33 AM, Loi Luu loi.luu...@gmail.com wrote: The proposed fix is to add a new rule on how fees are handled. Some amount of every fee should be considered as burned and can never be spent. I will propose 50% of the fee here, but there may be better numbers that can be discovered prior to putting this into place. If we'd like miners to continue to collect the same fees after this change, we can suggest the default fee per transaction to be doubled I would propose another practical rule rather than burning 50% of the fee. For example, you can credit 50% of the transaction fee to the next block. Thus, the attacker cannot perform the attack with 0-fee any more, yet you don't have to double the price of the TX fee for the fix. Thanks, Loi Luu. On Tue, Jun 9, 2015 at 4:07 AM, Raystonn . rayst...@hotmail.com wrote: When implemented, the block size limit was put in place to prevent the potential for a massive block to be used as an attack to benefit the miner of that block. The theory goes that such a massive block would enrich its miner by delaying other miners who are now busy downloading and validating that huge block. The original miner of that large-block would be free to continue hashing the next block, giving it an advantage. Unfortunately, this block size limit opened a different attack. Prior to the limit, any attempt to spam the network by anyone other than someone mining their own transactions would have been economically unfeasible. As every transaction would have a fee, there would have been a real cost for every minute of spam. The end result would have been a transfer of wealth from spammer to Bitcoin miners, which would have harmed the spammers and encouraged further mining of Bitcoin, a very antifragile outcome. But now we have the block size limit. Things are very different with this feature in place. The beginning of a spam attack on the Bitcoin network will incur transaction fees, just like before. But if spam continues at a rate exceeding the block size limit long enough for transactions to be dropped from mempools, the vast majority of spam transaction fees will never have to be paid. In fact, as real users gain in desperation and pay higher fees to get their transactions through in a timely manner, the spammers will adjust their fees to minimize the cost of the attack and maximize effectiveness. Using this method, they keep their fees at a point that causes most of the spam transactions to be dropped without confirmation (free spam), while forcing a floor for transaction fees. Thus, while spam could be used by attackers to disable the network entirely, by paying high-enough fees to actually fill the blocks with spam, it can also be used by a single entity to force a transaction fee floor. Real users will be forced to pay a transaction fee higher than the majority of the spam to get their transactions confirmed. So this is an effective means for a minority of miners to force higher fees through spam attacks, even in the face of benevolent miners who would not support a higher fee floor by policy. Miners would simply have no way to fix this, as they can only put in the transactions that will fit under the block size limit. In the face of such a spam attack, Bitcoin's credibility and usability would be severely undermined. The block size limit enables this attack, and I now argue for its removal. But we can't just remove it and ignore the problem that it was intended to address. We need a new fix for the large-block problem described in the first paragraph that does not suffer from the dropped-transaction spam-attack problem that is enabled by the block size limit today. My proposal is
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
On Tue, Jun 9, 2015 at 1:52 PM, Raystonn . rayst...@hotmail.com wrote: That does sound good on the surface, but how do we enforce #1 and #2? They seem to be unenforceable, as a miner can adjust the size of the memory pool in his local source. It doesn't have to be enforced. As long as a reasonable percentage of hash rate is following that policy an attacker that tries to flood the network will fail to prevent normal transaction traffic from going through and will just end up transferring some wealth to the miners. Although the existing default mining policy (which it seems about 70% of hashpower follows) of setting aside some space for high-priority transactions regardless of fee might also be enough to cause this attack to fail in practice. -- -- Gavin Andresen -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Lexicographical Indexing of Transaction Inputs and Outputs
On Mon, Jun 08, 2015 at 06:53:54PM -0400, Kristov Atlas wrote: Two other things: On Sat, Jun 6, 2015 at 10:35 PM, Peter Todd p...@petertodd.org wrote: Why mention SIGHASH_SINGLE at all? Its use-case is highly specialized protocols; you haven't taken into account the needs of those protocols. For BIP's it's better to stick to the use-cases where the need is clear and there exists running code that to speculate too much on future uses. With signature hashing in particular it's not yet clear at all what future OP_CHECKSIG's will look like, let alone the various ways people will use sighash for smart contract type stuff. You'd be better off presenting the BIP in terms of a generic statement that except when otherwise prevented by advanced signature hashing requirements, wallet software must emit transactions sorted according to the following You can then specify the two common cases in detail: 1) SIGHASH_ALL: input and output order signed, so sort appropriately 2) SIGHASH_ANYONECANPAY: input order not signed, so software should emit transactions sorted, recognising that the actual mined order may be changed. That makes sense. I updated the language as follows -- your thoughts? Keep in mind this BIP is informational, and so people are free to ignore it. Applicability: This BIP applies to all transactions of signature hash type SIGHASH_ALL. Additionally, software compliant with this BIP that allows later parties to update the transaction (e.g. using signature hash types SIGHASH_NONE or a variant of SIGHASH_ANYONECANPAY) should emit lexicographically sorted inputs and outputs, although they may later be modified. Transactions that have index dependencies between transactions or within the same transaction are covered under the section of this BIP entitled “Handling Input/Output Dependencies.” I'd keep it even simpler than that, and just say for now that such use-cases are out of the scope of this BIP, however those standards should come up with some kind of deterministic standard that meets the needs of the protocol. Again, there's a bunch of possible use-cases here and we just can't predict them; focus on the fact that the *spirit* of what this BIP is about is applicable and future standards should be developed. So I'd change the Applicability section to: This BIP applies to all transactions where the order of inputs and outputs does not matter. This is true for the vast majority of transactions as they simply move funds from one place to another. Currently this generally refers to transactions where SIGHASH_ALL is used, in which case the signatures commit to the exact order of input and outputs. In the case where SIGHASH_ANYONECANPAY and/or SIGHASH_NONE has been used (e.g. crowdfunds) the order of inputs and/or outputs may not be signed, however compliant software should still emit transactions with sorted inputs and outputs, even though they may later be modified by others. In the event that future protocol upgrades introduce new signature hash types, compliant software should apply the lexographic ordering principle analogously. While out of scope of this BIP, protocols that do require a specified order of inputs/outputs (e.g. due to use of SIGHASH_SINGLE) should consider the goals of this BIP and how best to adapt them to the specifics needs of those protocols. Then remove the handling input/output deps section. Do you have a patch implementing deterministic tx ordering for Bitcoin Core yet? I'm not a frequent C programmer, so I'd prefer to let someone else take care of it, as a frequent committer of code would do a faster and more stylistically consistent job of it. If no one else will, however, I will. re: the actual ordering algorithm, having txids be sorted by with the hex-based algorithm is odd. I'd simply say they're sorted as little-endian byte arrays, or in other words, with the bytearr_cmp() function, but with the order of bytes reversed. You also should say that we're doing that to make the user see them in visually sorted order to match expectations because txids are displayed as little-endian. For outputs, don't say locking script, say scriptPubKey. Secondly, scriptPubKeys are not in little-endian representation - they have no endianness to them. With output amount, there's no need to say that they're unsigned or little-endian satoshies, just say they're sorted largest/smallest amount first. For the sake of efficiency, amounts will be considered first for sorting, since they contain fewer bytes of information (7 bytes) compared to a standard P2PKH locking script (800 bytes). - where the heck did you get these numbers from? Amounts are 8 bytes, and P2PKH scriptPubKeys are 25 bytes. Backwards Compatibility - I'd just remove this whole section; we're unlikely to make this an IsStandard() rule anytime soon. -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778
Re: [Bitcoin-development] Consensus-enforced transaction replacement via sequence numbers
Tier Nolan tier.no...@gmail.com writes: What are the use cases for relative lock time verify? I have 1 and I think that is the kind of thing it is useful for. I think that most cases are just to guarantee that the other party has a chance to react. This means that 8191 blocks should be more than enough (and most would set it lower). For long term, the absolute version is just as good. That depends on use cases. You can't take step 4 until 3 months after step 3 has completed doesn't seem useful. Lightning channels want them exactly like this to revoke old transactions, which could be ancient on long-lived channels. Cheers, Rusty. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
