public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [Bitcoin-development] An initial replace-by-fee implementation is now available
@ 2013-05-09  9:58 John Dillon
  2013-05-09 11:19 ` Adam Back
  0 siblings, 1 reply; 5+ messages in thread
From: John Dillon @ 2013-05-09  9:58 UTC (permalink / raw)
  To: Bitcoin Dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

After some consultation with affected sites by myself and Peter we have decided
to release an initial replace-by-fee implementation and setup a server using
those rules on testnet. This implementation does not include recursive fee
evaluation, and is therefore vulnerable to DoS attack, so hopefully that will
continue to allow adoption to proceed gradually. We can-not recommend mining on
mainnet with it. It does not include an "undo" RPC command or an adjust fees,
and Peter says he has not implemented one yet.  Patches are welcome.

Specifically there were requests from vulnerable parties, which interestingly
included a site that knew they had bugs related to replacement but not
financial vulnerabilities, to put up a server on testnet to check wallet code.
The vulnerable requested to remain undisclosed. An additional consideration was
the upcoming anti-dust rules which are yet another example of why zero-conf is
so much more dangerous to accept than single-conf. Two of the people contacting
us brought up that issue in fact.

The code is on github:

    https://github.com/petertodd/bitcoin/tree/replace-by-fee

and a replace-by-fee server operating on testnet is available at
testnet-replace-by-fee.bitcoin.petertodd.org To test you will need to use the
raw transaction API and manually create the replacement transaction. Do note
that your wallet will retain the existing one and no mechanism yet exists to
delete the old transaction from your wallet. Again, a certain amount of
"cludgyness" to this is intentional to discourage premature non-testing use.


Regarding the reward, I've decided Peter will collect the full amount even
though the work is not %100 complete (the mempool aspect) due to his concern
about staging an implementation properly, working with vulnerable sites, and
overall genuine interest in the actual issues at hand rather than the reward.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJRi3LeAAoJEEWCsU4mNhiPwscH/2CI0d3h/3jix3iyz2I9I8Sz
6nbP8eA01l9kzG37cH1rFAbt7C+fL/nardV4U1qmiwC0MN7NPpX6BFn5eQ2PUKbu
41+AnjgWicB2tnCC07ngboQ1JCeZ+RTfATepuMxEdWFBsc8ZQXs0apWS01FT+TDq
J/a7QkhNfTaAQzXyqmLp0TQO7/Z7ysmCftOhtGbfvfhF2o23BuphQiRVA9IOoUuj
Fgb5wrfQqJ8TjvXRXAUQ7SUlzfN9BlPxMkTc6NhbcgIpuq1Kb43mLoDl3s2irH4A
GtjRtobV5Cfozm1r+8KPtIYEoQoj0PqTjO5YMwD/vTaRfNzdS4Tse5LQLGT6Jug=
=M1mj
-----END PGP SIGNATURE-----



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Bitcoin-development] An initial replace-by-fee implementation is now available
  2013-05-09  9:58 [Bitcoin-development] An initial replace-by-fee implementation is now available John Dillon
@ 2013-05-09 11:19 ` Adam Back
  2013-05-09 11:46   ` Peter Todd
  0 siblings, 1 reply; 5+ messages in thread
From: Adam Back @ 2013-05-09 11:19 UTC (permalink / raw)
  To: John Dillon; +Cc: Bitcoin Dev

In this thread discussing this idea

https://bitcointalk.org/index.php?topic=179612.0 

it is suggested that the approach risks making 0-confirm double-spends
easier.

I dont see why this should be.  Cant part of the validation of accepting a
fee revision be that every aspct of the revision except the reward must be
unchanged, otherwise the revision is considered invalid and discarded?

(ie same payment amount, same input coins, same recipient and same change
address.)

Adam

On Thu, May 09, 2013 at 09:58:50AM +0000, John Dillon wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>After some consultation with affected sites by myself and Peter we have decided
>to release an initial replace-by-fee implementation and setup a server using
>those rules on testnet. This implementation does not include recursive fee
>evaluation, and is therefore vulnerable to DoS attack, so hopefully that will
>continue to allow adoption to proceed gradually. We can-not recommend mining on
>mainnet with it. It does not include an "undo" RPC command or an adjust fees,
>and Peter says he has not implemented one yet.  Patches are welcome.
>
>Specifically there were requests from vulnerable parties, which interestingly
>included a site that knew they had bugs related to replacement but not
>financial vulnerabilities, to put up a server on testnet to check wallet code.
>The vulnerable requested to remain undisclosed. An additional consideration was
>the upcoming anti-dust rules which are yet another example of why zero-conf is
>so much more dangerous to accept than single-conf. Two of the people contacting
>us brought up that issue in fact.
>
>The code is on github:
>
>    https://github.com/petertodd/bitcoin/tree/replace-by-fee
>
>and a replace-by-fee server operating on testnet is available at
>testnet-replace-by-fee.bitcoin.petertodd.org To test you will need to use the
>raw transaction API and manually create the replacement transaction. Do note
>that your wallet will retain the existing one and no mechanism yet exists to
>delete the old transaction from your wallet. Again, a certain amount of
>"cludgyness" to this is intentional to discourage premature non-testing use.
>
>
>Regarding the reward, I've decided Peter will collect the full amount even
>though the work is not %100 complete (the mempool aspect) due to his concern
>about staging an implementation properly, working with vulnerable sites, and
>overall genuine interest in the actual issues at hand rather than the reward.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.11 (GNU/Linux)
>
>iQEcBAEBCAAGBQJRi3LeAAoJEEWCsU4mNhiPwscH/2CI0d3h/3jix3iyz2I9I8Sz
>6nbP8eA01l9kzG37cH1rFAbt7C+fL/nardV4U1qmiwC0MN7NPpX6BFn5eQ2PUKbu
>41+AnjgWicB2tnCC07ngboQ1JCeZ+RTfATepuMxEdWFBsc8ZQXs0apWS01FT+TDq
>J/a7QkhNfTaAQzXyqmLp0TQO7/Z7ysmCftOhtGbfvfhF2o23BuphQiRVA9IOoUuj
>Fgb5wrfQqJ8TjvXRXAUQ7SUlzfN9BlPxMkTc6NhbcgIpuq1Kb43mLoDl3s2irH4A
>GtjRtobV5Cfozm1r+8KPtIYEoQoj0PqTjO5YMwD/vTaRfNzdS4Tse5LQLGT6Jug=
>=M1mj
>-----END PGP SIGNATURE-----
>
>------------------------------------------------------------------------------
>Learn Graph Databases - Download FREE O'Reilly Book
>"Graph Databases" is the definitive new guide to graph databases and
>their applications. This 200-page book is written by three acclaimed
>leaders in the field. The early access version is available now.
>Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>_______________________________________________
>Bitcoin-development mailing list
>Bitcoin-development@lists•sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/bitcoin-development



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Bitcoin-development] An initial replace-by-fee implementation is now available
  2013-05-09 11:19 ` Adam Back
@ 2013-05-09 11:46   ` Peter Todd
  2013-05-09 12:07     ` Adam Back
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Todd @ 2013-05-09 11:46 UTC (permalink / raw)
  To: Adam Back; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 2043 bytes --]

On Thu, May 09, 2013 at 01:19:13PM +0200, Adam Back wrote:
> In this thread discussing this idea
> 
> https://bitcointalk.org/index.php?topic=179612.0 
> 
> it is suggested that the approach risks making 0-confirm double-spends
> easier.

The patch makes the concept of a 0-confirm double-spend obsolete
basically. The model is rather than having some vague, insecure, easily
broken, de-facto no-replacement rule it replaces it with something very
easy to reason about: you are bidding for blockchain space, and you can
adjust your bid after the fact.

The reality is zero-conf double-spends aren't that big of a problem
because the vast majority of payments have other mechanisms they can use
instead of relying on the defacto behavior of dozens of major miners and
nodes.

Long story short, we're better off if we don't give people a false sense
of security.

> I dont see why this should be.  Cant part of the validation of accepting a
> fee revision be that every aspct of the revision except the reward must be
> unchanged, otherwise the revision is considered invalid and discarded?

A node has no idea which transaction output is change and which one
isn't; if nodes could distinguish change from payment your privacy would
be badly violated.

By allowing simple replacement without further rules the fee adjustment
process can go on as long as required, without you running out of
additional transaction inputs and without causing the transaction to get
bigger and bigger each time.

It also allows more interesting use cases, like adding additional
outputs to a transaction after the fact as more payees become known, or
if two unrelated parties decide to combine their transactions to save on
blockchain space and preserve their privacy.

Eventually the P2P protocol can have delta compression support, so the
network bandwidth required to merge two transactions into one will be
minimal.

-- 
'peter'[:-1]@petertodd.org
000000000000014c26728a13e351b4dd7a32e99e28d43a960b5ac5f98696ae5b

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Bitcoin-development] An initial replace-by-fee implementation is now available
  2013-05-09 11:46   ` Peter Todd
@ 2013-05-09 12:07     ` Adam Back
  2013-05-09 12:20       ` Peter Todd
  0 siblings, 1 reply; 5+ messages in thread
From: Adam Back @ 2013-05-09 12:07 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Dev

I have to say I do not think you want to have it be random as to who gets
paid (by having conflicting double spends floating around with different
payee & change addresses all from the same sending address.)  

About current defacto no replacement: it is the best bitcoin currently has,
and it has value, with it you need to do a net-split to attack eg
1-confirmation, and this proposal weakens it.  Net-splits are possible but
not trivial.  This proposal moves them into spec - ie free.

About privacy: I think you are going to inherently disclose which is the
change address, because you will decrease the change when you increase the
fee.  There is no coin management in the client, and as far as I saw so far,
no privacy management of which coins to reduce coin cross linking.  Who's to
say the client has 100s of times as many coins as the payment.

If people dont want to reveal which is change and which payment, they need
to put a big enough fee up front based on a margin over prevailing fee
statistics.

It would also be better to try to get the fee right first time than to create
more traffic revising it due to experience.  Though the ability to revise
the fee IFF the best effort fee doesnt work empirically after a couple of
blocks seems like a good feature.  (But not with revised recipient/change
addresses.

Also if the bids are too flexibly different how do you stop both bids being
processed (eg one in a block, the next in the next block).

Adam

On Thu, May 09, 2013 at 07:46:05AM -0400, Peter Todd wrote:
>On Thu, May 09, 2013 at 01:19:13PM +0200, Adam Back wrote:
>> In this thread discussing this idea
>>
>> https://bitcointalk.org/index.php?topic=179612.0
>>
>> it is suggested that the approach risks making 0-confirm double-spends
>> easier.
>
>The patch makes the concept of a 0-confirm double-spend obsolete
>basically. The model is rather than having some vague, insecure, easily
>broken, de-facto no-replacement rule it replaces it with something very
>easy to reason about: you are bidding for blockchain space, and you can
>adjust your bid after the fact.
>
>The reality is zero-conf double-spends aren't that big of a problem
>because the vast majority of payments have other mechanisms they can use
>instead of relying on the defacto behavior of dozens of major miners and
>nodes.
>
>Long story short, we're better off if we don't give people a false sense
>of security.
>
>> I dont see why this should be.  Cant part of the validation of accepting a
>> fee revision be that every aspct of the revision except the reward must be
>> unchanged, otherwise the revision is considered invalid and discarded?
>
>A node has no idea which transaction output is change and which one
>isn't; if nodes could distinguish change from payment your privacy would
>be badly violated.
>
>By allowing simple replacement without further rules the fee adjustment
>process can go on as long as required, without you running out of
>additional transaction inputs and without causing the transaction to get
>bigger and bigger each time.
>
>It also allows more interesting use cases, like adding additional
>outputs to a transaction after the fact as more payees become known, or
>if two unrelated parties decide to combine their transactions to save on
>blockchain space and preserve their privacy.
>
>Eventually the P2P protocol can have delta compression support, so the
>network bandwidth required to merge two transactions into one will be
>minimal.
>
>-- 
>'peter'[:-1]@petertodd.org
>000000000000014c26728a13e351b4dd7a32e99e28d43a960b5ac5f98696ae5b





^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Bitcoin-development] An initial replace-by-fee implementation is now available
  2013-05-09 12:07     ` Adam Back
@ 2013-05-09 12:20       ` Peter Todd
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Todd @ 2013-05-09 12:20 UTC (permalink / raw)
  To: Adam Back; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 2463 bytes --]

On Thu, May 09, 2013 at 02:07:23PM +0200, Adam Back wrote:
> I have to say I do not think you want to have it be random as to who gets
> paid (by having conflicting double spends floating around with different
> payee & change addresses all from the same sending address.)

Indeed. That's the point of the blockchain, to take all those potential
inconsistencies and vote on a true transaction history to achieve
consensus.

> About current defacto no replacement: it is the best bitcoin currently has,
> and it has value, with it you need to do a net-split to attack eg
> 1-confirmation, and this proposal weakens it.  Net-splits are possible but
> not trivial.  This proposal moves them into spec - ie free.

Right now we don't have double-spend proof propagation, so the
"net-split" attack is actually totally trivial: just broadcast two
different, mutually incompatible, transactions at the same time. About
half the time the recipient will get the payment, the other half of the
time the payment they thought they were going to get is invalidated.

It's very, very rare for sites to have protection against that;
blockchain.info's shared-send mixer is one of the few exceptions. But
the have access to a whole network monitoring service with connections
to nodes all over the planet.

> About privacy: I think you are going to inherently disclose which is the
> change address, because you will decrease the change when you increase the
> fee.  There is no coin management in the client, and as far as I saw so far,
> no privacy management of which coins to reduce coin cross linking.  Who's to
> say the client has 100s of times as many coins as the payment.
>
> If people dont want to reveal which is change and which payment, they need
> to put a big enough fee up front based on a margin over prevailing fee
> statistics.

It's not ideal, but it still protects against after-the-fact blockchain
analysis.

Statistics is hard - you can't get it right all the time. Besides, what
happens when everyone adds a safety margin? Some people can afford to
wait, so for them starting at a low bid and raises it makes a lot of
sense.

> Also if the bids are too flexibly different how do you stop both bids being
> processed (eg one in a block, the next in the next block).

Think about that problem a bit harder. :)

-- 
'peter'[:-1]@petertodd.org
00000000000000220dc3b283e651068535f8e934096cfef35342bc688d8ee578

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2013-05-09 12:20 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-05-09  9:58 [Bitcoin-development] An initial replace-by-fee implementation is now available John Dillon
2013-05-09 11:19 ` Adam Back
2013-05-09 11:46   ` Peter Todd
2013-05-09 12:07     ` Adam Back
2013-05-09 12:20       ` Peter Todd

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox