Re: [Bitcoin-development] Lexicographical Indexing of Transaction Inputs and Outputs
> > As for IsStandard() rules - let alone soft forks - better to leave > discussion of them out for now. Removed that bit as well. Latest version: https://github.com/kristovatlas/rfc/blob/master/bips/bip-li01.mediawiki -Kristov -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] Lexicographical Indexing of Transaction Inputs and Outputs
Hey Peter, thanks for your experienced feedback. On Sat, Jun 6, 2015 at 10:35 PM, Peter Todd wrote: > Why mention SIGHASH_SINGLE at all? Its use-case is highly specialized > protocols; you haven't taken into account the needs of those protocols. > For BIP's it's better to stick to the use-cases where the need is clear > and there exists running code that to speculate too much on future uses. > With signature hashing in particular it's not yet clear at all what > future OP_CHECKSIG's will look like, let alone the various ways people > will use sighash for smart contract type stuff. > > You'd be better off presenting the BIP in terms of a generic statement > that "except when otherwise prevented by advanced signature hashing > requirements, wallet software must emit transactions sorted according to > the following" You can then specify the two common cases in detail: > > 1) SIGHASH_ALL: input and output order signed, so sort appropriately > > 2) SIGHASH_ANYONECANPAY: input order not signed, so software should emit >transactions sorted, recognising that the actual mined order may be >changed. > That makes sense. I updated the language as follows -- your thoughts? Keep in mind this BIP is informational, and so people are free to ignore it. "Applicability: This BIP applies to all transactions of signature hash type SIGHASH_ALL. Additionally, software compliant with this BIP that allows later parties to update the transaction (e.g. using signature hash types SIGHASH_NONE or a variant of SIGHASH_ANYONECANPAY) should emit lexicographically sorted inputs and outputs, although they may later be modified. Transactions that have index dependencies between transactions or within the same transaction are covered under the section of this BIP entitled “Handling Input/Output Dependencies.”" > As for IsStandard() rules - let alone soft forks - better to leave > discussion of them out for now. In particular, for the soft-fork case > mandating certain transaction orders will very likely cause problems in > the future for future OP_CHECKSIG upgrades. For SIGHASH_ANYONECANPAY, it > might be appropriate for nodes to enforce a certain ordering, but that > can be a separate BIP. (actually implementing that in Bitcoin Core would > be annoying and ugly right now; without replace-by-fee ANYONECANPAY has > a silly DoS attack (adding low-fee inputs) so I can't recommend wallets > use it in the general case yet) > > "and a sequence number currently set to 0x." <- Actually, this > will be changed in Bitcoin Core as of v0.11.0, which implements > anti-fee-sniping w/ nLockTime.(1) (I need to write up a full BIP > describing it) > Thanks for the heads-up; removed. > Do you have a patch implementing deterministic tx ordering for Bitcoin > Core yet? > I'm not a frequent C programmer, so I'd prefer to let someone else take care of it, as a frequent committer of code would do a faster and more stylistically consistent job of it. If no one else will, however, I will. -Kristov -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit
> Bitcoin is a global consensus system - if you're (sic) bandwidth isn't > sufficient to keep up you are not part of the consensus. Bandwidth can be purchased. Infrastructure to handled increasing transaction volume can be purchased. The very fees being paid by a spammer will be used to increase the miners' ability to absorb even more fees. The blocksize limit cannot respond in such a dynamic way to attacks. Miners cannot buy a greater blocksize limit in response to a spammer that is paying high fees to deny transaction confirmation to the rest of the planet in an attempt to destroy the network. The blocksize limit is creating an attack that can be maintained forever by any organization that can afford to fill the blocks. This attack would get incredibly cheaper once the BTCUSD market tanks in response to the lack of usability of the Bitcoin network, meaning it would be a self-reinforcing attack that would likely destroy Bitcoin for as long as an attacker wants to keep it up, or until you patch it to remove the limit after-the-fact, which might be too little too late. If this isn't fixed, I would expect to see it carried out at some point by someone with a large short position in BTCUSD. -Original Message- From: Peter Todd Sent: Monday, June 08, 2015 3:18 PM To: Raystonn . Cc: Patrick Mccorry (PGR) ; Bitcoin Dev Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit On Mon, Jun 08, 2015 at 03:01:34PM -0700, Raystonn . wrote: > >There will always be a blocksize limit based on technological > >considerations - the network has a finite bandwidth limit. > > A bandwidth limit is not the same as a blocksize limit. Bandwidth > is unique to every individual. Miners in China have different > bandwidth and connectivity than miners in the U.S., for example. > But the block size limit is dictated for eveyone. They are not > comparable. Bitcoin is a global consensus system - if you're bandwidth isn't sufficient to keep up you are not part of the consensus. The blocksize limit *is* what determines the minimum bandwidth required to stay in consensus. > >Without a blocksize limit the attacker would just flood the > >network until the bandwidth usage became so great that consensus > >would fail, rendering Bitcoin both worthless, and insecure. > > No, with no blocksize limit, a spammer would would flood the network > with transactions until they ran out of money. Meanwhile, everyone > would jump on board trying to mine the blocks to collect the fees > from the spammers. It could be one of the greatest transfers of > wealth ever. Bitcoin infrastructure would build up to handle the > required bandwidth, paid for by the very entity spamming the > network. Bitcoin would flourish, growing wildly as long as the fees > kept coming. This is antifragility at its best. Again, in your scenario if the bandwidth consumed by those transactions was sufficiently high, the network would collapse because consensus would fail. Why wouldn't that bandwidth be high enough to cause that collapse? Because of the blocksize limit! (combined with an intelligent mempool that increases the minimum fee/KB appropriately - we don't have that yet) > >The worst an attacker flooding the network with transactions with > >a blocksize limit can do is raise costs, without harming security. > > No, at attacker flooding the network with transactions with a > blocksize limit can keep their fees high enough that perhaps 1% of > transactions coming from real end-users go through. At this point > everyone would give up on Bitcoin as it would become completely > unusable. The BTCUSD market would tank, making it even easier to > pay the transaction fees to keep real transactions out of blocks, as > it would continue to become cheaper and eventually cost-free to > obtain the bitcoin fees through market purchase. I already did the math for you on that: the maximum transaction fee you'd see in that kind of attack is around $2.5 USD/tx. That definitely is not high enough to make Bitcoin non-viable - I personally could easily afford fees like that for about 90% of my transactions this year by value, as I mainly use Bitcoin to get paid by my clients around the world. In fact, just today O'Reilly paid $15 USD to send me a wire transfer for expenses related to a conference I was invited too. A much more realistic transaction flood scenario - one that didn't raise serious questions about whether or not the attacker could afford to 51% attack Bitcoin - would raise tx fees to something more like $0.25/tx -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
On Mon, Jun 08, 2015 at 06:06:00PM -0400, Bob McElrath wrote: > There was this wonderful technology invented a few years ago to deal with > spam. It's called Hashcash. All these hacky heuristics like block size are > just dancing around the problem, and the natural solution is already present > in bitcoin: smaller blocks, (down to the point of individual transactions) > each mined. Don't relay things that haven't been mined. As spam or > transaction levels go up, mining targets for submission go up too. You know, you can think of Bitcoin as a system that maintains a ledger for transferrable hashcash... Which means transaction fees *are* paid in hashcash. -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 signature.asc Description: Digital signature -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
On Mon, Jun 08, 2015 at 10:13:10PM +, Patrick Mccorry (PGR) wrote: > With the 0.01mBTC/KB minimum > relay fee and $230 USD/BTC that works out to about $2.3kUSD/GB of ram > > IIRC, the fee is 0.1mBTC, so it's $23/MB (assuming 1,000 tx * 2.3 cents) and > $23k/GB (assuming $23 * 1000, as each $23 is 1mb). Only pointing out as it > highlights thats it's even more expense to do. Mike Hearn reduced the minimum relay fee to 0.01mBTC/KB: https://github.com/bitcoin/bitcoin/pull/3305 -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 signature.asc Description: Digital signature -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit
On Mon, Jun 08, 2015 at 03:01:34PM -0700, Raystonn . wrote: > >There will always be a blocksize limit based on technological > >considerations - the network has a finite bandwidth limit. > > A bandwidth limit is not the same as a blocksize limit. Bandwidth > is unique to every individual. Miners in China have different > bandwidth and connectivity than miners in the U.S., for example. > But the block size limit is dictated for eveyone. They are not > comparable. Bitcoin is a global consensus system - if you're bandwidth isn't sufficient to keep up you are not part of the consensus. The blocksize limit *is* what determines the minimum bandwidth required to stay in consensus. > >Without a blocksize limit the attacker would just flood the > >network until the bandwidth usage became so great that consensus > >would fail, rendering Bitcoin both worthless, and insecure. > > No, with no blocksize limit, a spammer would would flood the network > with transactions until they ran out of money. Meanwhile, everyone > would jump on board trying to mine the blocks to collect the fees > from the spammers. It could be one of the greatest transfers of > wealth ever. Bitcoin infrastructure would build up to handle the > required bandwidth, paid for by the very entity spamming the > network. Bitcoin would flourish, growing wildly as long as the fees > kept coming. This is antifragility at its best. Again, in your scenario if the bandwidth consumed by those transactions was sufficiently high, the network would collapse because consensus would fail. Why wouldn't that bandwidth be high enough to cause that collapse? Because of the blocksize limit! (combined with an intelligent mempool that increases the minimum fee/KB appropriately - we don't have that yet) > >The worst an attacker flooding the network with transactions with > >a blocksize limit can do is raise costs, without harming security. > > No, at attacker flooding the network with transactions with a > blocksize limit can keep their fees high enough that perhaps 1% of > transactions coming from real end-users go through. At this point > everyone would give up on Bitcoin as it would become completely > unusable. The BTCUSD market would tank, making it even easier to > pay the transaction fees to keep real transactions out of blocks, as > it would continue to become cheaper and eventually cost-free to > obtain the bitcoin fees through market purchase. I already did the math for you on that: the maximum transaction fee you'd see in that kind of attack is around $2.5 USD/tx. That definitely is not high enough to make Bitcoin non-viable - I personally could easily afford fees like that for about 90% of my transactions this year by value, as I mainly use Bitcoin to get paid by my clients around the world. In fact, just today O'Reilly paid $15 USD to send me a wire transfer for expenses related to a conference I was invited too. A much more realistic transaction flood scenario - one that didn't raise serious questions about whether or not the attacker could afford to 51% attack Bitcoin - would raise tx fees to something more like $0.25/tx -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 signature.asc Description: Digital signature -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit
Not forgetting, simply deferring discussion on that. We’ve a much smaller limit to deal with right now. But even that limit would have to go to remove this attack. From: Btc Drak Sent: Monday, June 08, 2015 3:07 PM To: Raystonn . Cc: Peter Todd ; Bitcoin Dev ; Patrick Mccorry (PGR) Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit On Mon, Jun 8, 2015 at 11:01 PM, Raystonn . wrote: No, with no blocksize limit, a spammer would would flood the network with transactions until they ran out of money. I think you are forgetting even if you remove the blocksize limit, there is still a hard message size limit imposed by the p2p protocol. Block would de-facto be limited to this size.-- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit
On Mon, Jun 8, 2015 at 11:01 PM, Raystonn . wrote: > No, with no blocksize limit, a spammer would would flood the network with > transactions until they ran out of money. I think you are forgetting even if you remove the blocksize limit, there is still a hard message size limit imposed by the p2p protocol. Block would de-facto be limited to this size. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
There was this wonderful technology invented a few years ago to deal with spam. It's called Hashcash. All these hacky heuristics like block size are just dancing around the problem, and the natural solution is already present in bitcoin: smaller blocks, (down to the point of individual transactions) each mined. Don't relay things that haven't been mined. As spam or transaction levels go up, mining targets for submission go up too. Of course this is a pretty serious redesign of bitcoin, and I'm not offering a concrete proposal at this time (but have one in the works, and I'd like to see others). I call the parameters of these hacky heuristics "Consensus Threatening Quantities" (CTQs) because changing them induces a hard fork. Bitcoin is full of them (block time, block size, target difficulty, retarget time, etc) and bitcoin would do well to face difficult redesign questions head on, and remove them entirely. (Proposal to appear...) On June 8, 2015 5:44:43 PM EDT, Peter Todd wrote: >On Mon, Jun 08, 2015 at 02:33:54PM -0700, Raystonn . wrote: >> > the attack would be expensive. >> >> For attacks being waged to destroy Bitcoin by filling all blocks with >spam transactions, the attack succeeds when the attacker is well >funded. This gives well-funded private and/or public entities the >means to destroy Bitcoin if they desire. This is only true after the >block size limit was implemented. Without the block size limit, the >spam doesn’t harm Bitcoin. It simply enriches miners at the cost of >the spammers, which is a nicely antifragile quality. > >There will always be a blocksize limit based on technological >considerations - the network has a finite bandwidth limit. > >Without a blocksize limit the attacker would just flood the network >until the bandwidth usage became so great that consensus would fail, >rendering Bitcoin both worthless, and insecure. > >The worst an attacker flooding the network with transactions with a >blocksize limit can do is raise costs, without harming security. Keep >in >mind, that at some point it'd be cheaper to just 51% attack the >network. >Based on the current block subsidy of 25BTC/MB that's at the point >where >transaction fees are 25mBTC/KB, which corresponds to <$2/tx fees - not >that cheap, but still quite affordable for a large percentage of >Bitcoin's users right now. And that's the *absolute worst-case* attack >possible. > >-- >'peter'[:-1]@petertodd.org >127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 > > > > >-- > > >!DSPAM:55760d26244955859016385! > > > > >___ >Bitcoin-development mailing list >Bitcoin-development@lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > >!DSPAM:55760d26244955859016385! -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit
> There will always be a blocksize limit based on technological > considerations - the network has a finite bandwidth limit. A bandwidth limit is not the same as a blocksize limit. Bandwidth is unique to every individual. Miners in China have different bandwidth and connectivity than miners in the U.S., for example. But the block size limit is dictated for eveyone. They are not comparable. > Without a blocksize limit the attacker would just flood the network until > the bandwidth usage became so great that consensus would fail, rendering > Bitcoin both worthless, and insecure. No, with no blocksize limit, a spammer would would flood the network with transactions until they ran out of money. Meanwhile, everyone would jump on board trying to mine the blocks to collect the fees from the spammers. It could be one of the greatest transfers of wealth ever. Bitcoin infrastructure would build up to handle the required bandwidth, paid for by the very entity spamming the network. Bitcoin would flourish, growing wildly as long as the fees kept coming. This is antifragility at its best. > The worst an attacker flooding the network with transactions with a > blocksize limit can do is raise costs, without harming security. No, at attacker flooding the network with transactions with a blocksize limit can keep their fees high enough that perhaps 1% of transactions coming from real end-users go through. At this point everyone would give up on Bitcoin as it would become completely unusable. The BTCUSD market would tank, making it even easier to pay the transaction fees to keep real transactions out of blocks, as it would continue to become cheaper and eventually cost-free to obtain the bitcoin fees through market purchase. -Original Message- From: Peter Todd Sent: Monday, June 08, 2015 2:44 PM To: Raystonn . Cc: Patrick Mccorry (PGR) ; Bitcoin Dev Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit On Mon, Jun 08, 2015 at 02:33:54PM -0700, Raystonn . wrote: > > the attack would be expensive. > > For attacks being waged to destroy Bitcoin by filling all blocks with spam > transactions, the attack succeeds when the attacker is well funded. This > gives well-funded private and/or public entities the means to destroy > Bitcoin if they desire. This is only true after the block size limit was > implemented. Without the block size limit, the spam doesn’t harm Bitcoin. > It simply enriches miners at the cost of the spammers, which is a nicely > antifragile quality. There will always be a blocksize limit based on technological considerations - the network has a finite bandwidth limit. Without a blocksize limit the attacker would just flood the network until the bandwidth usage became so great that consensus would fail, rendering Bitcoin both worthless, and insecure. The worst an attacker flooding the network with transactions with a blocksize limit can do is raise costs, without harming security. Keep in mind, that at some point it'd be cheaper to just 51% attack the network. Based on the current block subsidy of 25BTC/MB that's at the point where transaction fees are 25mBTC/KB, which corresponds to <$2/tx fees - not that cheap, but still quite affordable for a large percentage of Bitcoin's users right now. And that's the *absolute worst-case* attack possible. -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
On Mon, Jun 08, 2015 at 02:33:54PM -0700, Raystonn . wrote: > > the attack would be expensive. > > For attacks being waged to destroy Bitcoin by filling all blocks with spam > transactions, the attack succeeds when the attacker is well funded. This > gives well-funded private and/or public entities the means to destroy Bitcoin > if they desire. This is only true after the block size limit was > implemented. Without the block size limit, the spam doesn’t harm Bitcoin. > It simply enriches miners at the cost of the spammers, which is a nicely > antifragile quality. There will always be a blocksize limit based on technological considerations - the network has a finite bandwidth limit. Without a blocksize limit the attacker would just flood the network until the bandwidth usage became so great that consensus would fail, rendering Bitcoin both worthless, and insecure. The worst an attacker flooding the network with transactions with a blocksize limit can do is raise costs, without harming security. Keep in mind, that at some point it'd be cheaper to just 51% attack the network. Based on the current block subsidy of 25BTC/MB that's at the point where transaction fees are 25mBTC/KB, which corresponds to <$2/tx fees - not that cheap, but still quite affordable for a large percentage of Bitcoin's users right now. And that's the *absolute worst-case* attack possible. -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 signature.asc Description: Digital signature -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit
> the only way a transaction can be removed from a Bitcoin Core mempool is > through it getting mined, double-spent, or the node restarting. Right. And that results in some transactions with insufficient fees getting dropped today after many hours. > The protection that we have against that attack is that you need access to > a lot of bitcoins to pay enough fees. That's no protection against a well-funded private and/or public entity. Without the block size limit, this attack doesn't exist. It would simply result in a transfer of wealth from spammer to miners, which is a nicely antifragile response for the Bitcoin network. -Original Message- From: Peter Todd Sent: Monday, June 08, 2015 2:33 PM To: Raystonn . Cc: Patrick Mccorry (PGR) ; Bitcoin Dev Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the blocksize limit > > there is no memory pool cap currently > > Real hardware does not have an infinite amount of RAM. Memory pool sizes > cannot grow unbounded. Some transactions with insufficient fees do get > dropped today after many hours. Actually they don't, which is an unfortunate problem with the existing mempool implementation; the only way a transaction can be removed from a Bitcoin Core mempool is through it getting mined, double-spent, or the node restarting. The protection that we have against that attack is that you need access to a lot of bitcoins to pay enough fees. With the 0.01mBTC/KB minimum relay fee and $230 USD/BTC that works out to about $2.3kUSD/GB of ram consumed, and furthermore, actually getting that many transactions to propagate over the network is non-trivial. (no, I'm not going to tell you how) The obvious solution is to cap the size of the mempool and evict transactions lowest fee/KB first, but if you do that they you (further) break zeroconf security. On the other hand, if you don't break zeroconf security an attacker can prevent reasonable fee transactions from propagating. I probably should get around to fixing this... -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] [RFC] Canonical input and output ordering in transactions
On Mon, Jun 08, 2015 at 02:25:40PM -0700, Danny Thorpe wrote: > FWIW, The Open Assets colored coin protocol (CoinPrism) places special > significance on the zeroth input and the position of the OP_RETURN colored > coin marker output to distinguish colored coin issuance outputs from > transfer outputs. Reordering the inputs or the outputs breaks the colored > coin representation. > > Recommending sorting of the inputs and outputs as a best practice is fine > (and better than random, IMO), but not as part of IsStandard() or consensus > rules. There are cases where the order of the inputs and outputs is > significant. Timestamping is another case where order matters: if you put the digest in the last vout you can use SHA256 midstate's to reduce the size of the timestamp proof. Anyway, there's no reason to rush re: changes to IsStandard() -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 signature.asc Description: Digital signature -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
> the attack would be expensive. For attacks being waged to destroy Bitcoin by filling all blocks with spam transactions, the attack succeeds when the attacker is well funded. This gives well-funded private and/or public entities the means to destroy Bitcoin if they desire. This is only true after the block size limit was implemented. Without the block size limit, the spam doesn’t harm Bitcoin. It simply enriches miners at the cost of the spammers, which is a nicely antifragile quality. For attacks being waged to push up minimum fees for the benefit of miners, by filling the mempool with enough spam transactions with the floor fee to cover a new block every time another block is discovered, they stand to gain. Whatever fees they are paying, real transactions will have to pay more to get through. It can be a net gain depending on how many miners are participating. From: Patrick Mccorry (PGR) Sent: Monday, June 08, 2015 2:21 PM To: Raystonn . Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit If I were a miner under this attack, I would just use the spam to fill up blocks alongside normal transactions maximising my profit. You are assuming here that you can identify which transactions are spam, and which are not, and then segregate the spam into a separate channels of transactions for inclusion on a 50/50 basis alongside other transactions. There is no guarantee you will be able to identify those transactions. Sure, if you can do that, then the easy fix is just to put them into a lower class channel of transactions that guarantee no pressure on the non-spam transactions. But it's just not possible to do this in any meaningful way. If you wanted to try, it would certainly add quite a bit of cost and complexity on the miner's side, and you aren't going to get anything other than the simple spam that comes from the same set of addresses. Well it depends how the transactions spam - if you do a huge link of transactions (one after another, with the total bitcoins "sent" being reduced by a fee each time) this is easily identifiable - if you were to do it using unlinked transactions then this would require 2x the setup (do a lot of mixing to get 1 million unlinked outputs and then commence attack) which doubles the cost of the attack. If I were to spam a lot of transactions to fill the memory pool it would cost $120 every 10 minutes You need to account for the transactions coming from real users. Every real transaction is approximately one less spam transaction you need to fill the blocks. I was suggesting the cost of an adversary to send the spam - if he did manage to fill the entire block each time that's the maximum charge. Of course the costs get spread out if normal transactions are included. there is no memory pool cap currently Real hardware does not have an infinite amount of RAM. Memory pool sizes cannot grow unbounded. Some transactions with insufficient fees do get dropped today after many hours. That's true that's why I used 250mb as an example to cost $30k. Cheap laptops today (around £300) come with 6gb ram - so the attack would be expensive. I do doubt the miners codes probably are not prepared for an attack of this type - but it is really expensive to pull off from what I can see. Sent from my iPhone On 8 Jun 2015, at 22:14, Raystonn . wrote: If I were a miner under this attack, I would just use the spam to fill up blocks alongside normal transactions maximising my profit. You are assuming here that you can identify which transactions are spam, and which are not, and then segregate the spam into a separate channels of transactions for inclusion on a 50/50 basis alongside other transactions. There is no guarantee you will be able to identify those transactions. Sure, if you can do that, then the easy fix is just to put them into a lower class channel of transactions that guarantee no pressure on the non-spam transactions. But it's just not possible to do this in any meaningful way. If you wanted to try, it would certainly add quite a bit of cost and complexity on the miner's side, and you aren't going to get anything other than the simple spam that comes from the same set of addresses. If I were to spam a lot of transactions to fill the memory pool it would cost $120 every 10 minutes You need to account for the transactions coming from real users. Every real transaction is approximately one less spam transaction you need to fill the blocks. there is no memory pool cap currently Real hardware does not have an infinite amount of RAM. Memory pool sizes cannot grow unbounded. Some transactions with insufficient fees do get dropped today after many hours. -Original Message- From: Patrick Mccorry (PGR) Sent: Monday, June 08, 2015 1:28 PM To:
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
On Mon, Jun 08, 2015 at 02:14:01PM -0700, Raystonn . wrote: > > there is no memory pool cap currently > > Real hardware does not have an infinite amount of RAM. Memory pool sizes > cannot grow unbounded. Some transactions with insufficient fees do get > dropped today after many hours. Actually they don't, which is an unfortunate problem with the existing mempool implementation; the only way a transaction can be removed from a Bitcoin Core mempool is through it getting mined, double-spent, or the node restarting. The protection that we have against that attack is that you need access to a lot of bitcoins to pay enough fees. With the 0.01mBTC/KB minimum relay fee and $230 USD/BTC that works out to about $2.3kUSD/GB of ram consumed, and furthermore, actually getting that many transactions to propagate over the network is non-trivial. (no, I'm not going to tell you how) The obvious solution is to cap the size of the mempool and evict transactions lowest fee/KB first, but if you do that they you (further) break zeroconf security. On the other hand, if you don't break zeroconf security an attacker can prevent reasonable fee transactions from propagating. I probably should get around to fixing this... -- 'peter'[:-1]@petertodd.org 127ab1d576dc851f374424f1269c4700ccaba2c42d97e778 signature.asc Description: Digital signature -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] [RFC] Canonical input and output ordering in transactions
FWIW, The Open Assets colored coin protocol (CoinPrism) places special significance on the zeroth input and the position of the OP_RETURN colored coin marker output to distinguish colored coin issuance outputs from transfer outputs. Reordering the inputs or the outputs breaks the colored coin representation. Recommending sorting of the inputs and outputs as a best practice is fine (and better than random, IMO), but not as part of IsStandard() or consensus rules. There are cases where the order of the inputs and outputs is significant. -Danny On Fri, Jun 5, 2015 at 9:42 PM, Rusty Russell wrote: > Title: Canonical Input and Output Ordering > Author: Rusty Russell > Discussions-To: "Bitcoin Dev" > Status: Draft > Type: Standards Track > Created: 2015-06-06 > > Abstract > > This BIP provides a canonical ordering of inputs and outputs when > creating transactions. > > Motivation > > Most bitcoin wallet implementations randomize the outputs of > transactions they create to avoid trivial linkage analysis (especially > change outputs), however implementations have made mistakes in this area > in the past. > > Using a canonical ordering has the same effect, but is simpler, more > obvious if incorrect, and can eventually be enforced by IsStandard() and > even a soft-fork to enforce it. > > Specification > > Inputs should be ordered like so: > index (lower value first) > txid (little endian order, lower byte first) > > Outputs should be ordered like so: > amount (lower value first) > script (starting from first byte, lower byte first, shorter wins) > > Rationale > > Any single wallet is already free to implement this, but if other > wallets do not it would reduce privacy by making those transactions > stand out. Thus a BIP is appropriate, especially if this were to > become an IsStandard() rule once widely adopted. > > Because integers are fast to compare, they're sorted first, before the > lexographical ordering. > > The other input fields do not influence the sort order, as any valid > transactions cannot have two inputs with the same index and txid. > > Reference Implementation > > https://github.com/rustyrussell/bitcoin/tree/bip-in-out-ordering > > > -- > ___ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
> If I were a miner under this attack, I would just use the spam to fill up > blocks alongside normal transactions maximising my profit. You are assuming here that you can identify which transactions are spam, and which are not, and then segregate the spam into a separate channels of transactions for inclusion on a 50/50 basis alongside other transactions. There is no guarantee you will be able to identify those transactions. Sure, if you can do that, then the easy fix is just to put them into a lower class channel of transactions that guarantee no pressure on the non-spam transactions. But it's just not possible to do this in any meaningful way. If you wanted to try, it would certainly add quite a bit of cost and complexity on the miner's side, and you aren't going to get anything other than the simple spam that comes from the same set of addresses. > If I were to spam a lot of transactions to fill the memory pool it would > cost $120 every 10 minutes You need to account for the transactions coming from real users. Every real transaction is approximately one less spam transaction you need to fill the blocks. > there is no memory pool cap currently Real hardware does not have an infinite amount of RAM. Memory pool sizes cannot grow unbounded. Some transactions with insufficient fees do get dropped today after many hours. -Original Message- From: Patrick Mccorry (PGR) Sent: Monday, June 08, 2015 1:28 PM To: Raystonn . Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit Please correct me if I'm wrong (hopefully understood it). I don't think normal users would need to pay a higher fee - as miners can just ignore the spam (since they will all be linked). If I were to spam a lot of transactions to fill the memory pool it would cost $120 every 10 minutes (assuming 4,000 tx can fit inside a block and 3 cents per transaction), anything exceeding that may be considered "spam" - although I don't know if it would be "free" as the miner will eventually claim all the fees, delayed payment is probably a better way to describe it. IIRC, there is no memory pool cap currently. To spam 1 million transactions would cost $30k which would take up approx 250 blocks (around 250mb) which is around 42 hours to process. I think the memory pool can handle this data today (someone more knowledgeable can check this for me) - so the attack is v.expensive to carry out. A good way to prevent this spamming the memory pool is to only accept up to a 'x' length of 0-confirmed transactions to make it more difficult to pull off (not impossible). If I were a miner under this attack, I would just use the spam to fill up blocks alongside normal transactions maximising my profit. Sent from my iPhone > On 8 Jun 2015, at 21:09, Raystonn . wrote: > > When implemented, the block size limit was put in place to prevent the > potential for a massive block to be used as an attack to benefit the miner > of that block. The theory goes that such a massive block would enrich its > miner by delaying other miners who are now busy downloading and validating > that huge block. The original miner of that large-block would be free to > continue hashing the next block, giving it an advantage. > > Unfortunately, this block size limit opened a different attack. Prior to > the limit, any attempt to spam the network by anyone other than someone > mining their own transactions would have been economically unfeasible. As > every transaction would have a fee, there would have been a real cost for > every minute of spam. The end result would have been a transfer of wealth > from spammer to Bitcoin miners, which would have harmed the spammers and > encouraged further mining of Bitcoin, a very antifragile outcome. > > But now we have the block size limit. Things are very different with this > feature in place. The beginning of a spam attack on the Bitcoin network > will incur transaction fees, just like before. But if spam continues at a > rate exceeding the block size limit long enough for transactions to be > dropped from mempools, the vast majority of spam transaction fees will > never > have to be paid. In fact, as real users gain in desperation and pay > higher > fees to get their transactions through in a timely manner, the spammers > will > adjust their fees to minimize the cost of the attack and maximize > effectiveness. Using this method, they keep their fees at a point that > causes most of the spam transactions to be dropped without confirmation > (free spam), while forcing a floor for transaction fees. Thus, while spam > could be used by attackers to disable the network entirely, by paying > high-enough fees to actually fill the blocks with spam, it can also be > used > by a single entity to force a transaction fee floor. Real users will be > forced to pay a transaction fee hig
[Bitcoin-development] New attack identified and potential solution described: Dropped-transaction spam attack against the block size limit
When implemented, the block size limit was put in place to prevent the potential for a massive block to be used as an attack to benefit the miner of that block. The theory goes that such a massive block would enrich its miner by delaying other miners who are now busy downloading and validating that huge block. The original miner of that large-block would be free to continue hashing the next block, giving it an advantage. Unfortunately, this block size limit opened a different attack. Prior to the limit, any attempt to spam the network by anyone other than someone mining their own transactions would have been economically unfeasible. As every transaction would have a fee, there would have been a real cost for every minute of spam. The end result would have been a transfer of wealth from spammer to Bitcoin miners, which would have harmed the spammers and encouraged further mining of Bitcoin, a very antifragile outcome. But now we have the block size limit. Things are very different with this feature in place. The beginning of a spam attack on the Bitcoin network will incur transaction fees, just like before. But if spam continues at a rate exceeding the block size limit long enough for transactions to be dropped from mempools, the vast majority of spam transaction fees will never have to be paid. In fact, as real users gain in desperation and pay higher fees to get their transactions through in a timely manner, the spammers will adjust their fees to minimize the cost of the attack and maximize effectiveness. Using this method, they keep their fees at a point that causes most of the spam transactions to be dropped without confirmation (free spam), while forcing a floor for transaction fees. Thus, while spam could be used by attackers to disable the network entirely, by paying high-enough fees to actually fill the blocks with spam, it can also be used by a single entity to force a transaction fee floor. Real users will be forced to pay a transaction fee higher than the majority of the spam to get their transactions confirmed. So this is an effective means for a minority of miners to force higher fees through spam attacks, even in the face of benevolent miners who would not support a higher fee floor by policy. Miners would simply have no way to fix this, as they can only put in the transactions that will fit under the block size limit. In the face of such a spam attack, Bitcoin's credibility and usability would be severely undermined. The block size limit enables this attack, and I now argue for its removal. But we can't just remove it and ignore the problem that it was intended to address. We need a new fix for the large-block problem described in the first paragraph that does not suffer from the dropped-transaction spam-attack problem that is enabled by the block size limit today. My proposal is likely to be controversial, and I'm very much open to hearing other better proposals. Large blocks created by a miner as a means to spam other miners out of competition is a problem because miners do not pay fees for their own transactions when they mine them. They collect the fees they pay. This breaks the economic barrier keeping people from spamming the network, as the spamming is essentially free. The proposed fix is to add a new rule on how fees are handled. Some amount of every fee should be considered as burned and can never be spent. I will propose 50% of the fee here, but there may be better numbers that can be discovered prior to putting this into place. If we'd like miners to continue to collect the same fees after this change, we can suggest the default fee per transaction to be doubled. Half of every fee would be burned and disappear forever, effectively distributing the value of those bitcoins across the entire money supply. The other half would be collected by the miner of the block as is done today. This solution would mean large blocks would cost a significant number of bitcoin to create, even when all of the transactions are created by the miner of that block. For this to work, we'd need to ensure a minimum fee is paid for most of the transactions in every block, and the new transaction fee rule is in place. Then the block size limit can be removed. Raystonn -- ___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
