* [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
@ 2017-06-06 20:43 Tao Effect
0 siblings, 0 replies; 21+ messages in thread
From: Tao Effect @ 2017-06-06 20:43 UTC (permalink / raw)
To: bitcoin-dev
[-- Attachment #1.1: Type: text/plain, Size: 2050 bytes --]
This is just me putting in my formal objection to BIP148 and BIP149 based on my experience with the ETH/ETC hard fork and involvement in that drama.
First, it's important to note that ETC/ETH HF is a very different situation from BIP148 and all other soft-forks. To those on this mailing list, the reasons should be self-evident (one results in two incompatible chains, the other doesn't).
However, replay attacks are common to both possibilities (i.e. when BIP148 has <51% hash power).
I believe the severity of replay attacks is going unvoiced and is not understood within the bitcoin community because of their lack of experience with them.
I further believe that replay attacks are the #1 issue with BIP148, BIP149, etc., superseding wipeout attacks in severity.
These are not baseless beliefs, they're born out of experience and I think anyone will reach the same conclusion upon study.
In a nutshell, replay attacks mean that all talk of there being potentially "two coins" as a result of BIP148 is basically nonsense.
Replay attacks effectively eliminate that possibility.
When users go to "sell their legacy coins", they've just sold their 148 coins, and vice versa.
Both of the coin-splitting techniques given so far by the proponents BIP148 are also untenable:
- Double-spending to self with nLockTime txns is insanely complicated, risky, not guaranteed to work, extremely time consuming, and would likely result in a massive increase in backlogged transactions and increased fees.
- Mixing with 148 coinbase txns destroys fungibility.
Without a coin, there is no real threat from BIP148. Without that threat, there is no point to BIP148, and the miners know this.
These and other concerns are outlined and explained in more detail in this conversation I had yesterday with John Light:
https://www.youtube.com/watch?v=33rL3-p8cPw <https://www.youtube.com/watch?v=33rL3-p8cPw>
Cheers,
Greg Slepak
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
[-- Attachment #1.2: Type: text/html, Size: 5266 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
@ 2017-06-06 22:39 Tao Effect
2017-06-06 23:02 ` Gregory Maxwell
` (2 more replies)
0 siblings, 3 replies; 21+ messages in thread
From: Tao Effect @ 2017-06-06 22:39 UTC (permalink / raw)
To: Bitcoin Dev
[-- Attachment #1.1: Type: text/plain, Size: 2050 bytes --]
This is just me putting in my formal objection to BIP148 and BIP149 based on my experience with the ETH/ETC hard fork and involvement in that drama.
First, it's important to note that ETC/ETH HF is a very different situation from BIP148 and all other soft-forks. To those on this mailing list, the reasons should be self-evident (one results in two incompatible chains, the other doesn't).
However, replay attacks are common to both possibilities (i.e. when BIP148 has <51% hash power).
I believe the severity of replay attacks is going unvoiced and is not understood within the bitcoin community because of their lack of experience with them.
I further believe that replay attacks are the #1 issue with BIP148, BIP149, etc., superseding wipeout attacks in severity.
These are not baseless beliefs, they're born out of experience and I think anyone will reach the same conclusion upon study.
In a nutshell, replay attacks mean that all talk of there being potentially "two coins" as a result of BIP148 is basically nonsense.
Replay attacks effectively eliminate that possibility.
When users go to "sell their legacy coins", they've just sold their 148 coins, and vice versa.
Both of the coin-splitting techniques given so far by the proponents BIP148 are also untenable:
- Double-spending to self with nLockTime txns is insanely complicated, risky, not guaranteed to work, extremely time consuming, and would likely result in a massive increase in backlogged transactions and increased fees.
- Mixing with 148 coinbase txns destroys fungibility.
Without a coin, there is no real threat from BIP148. Without that threat, there is no point to BIP148, and the miners know this.
These and other concerns are outlined and explained in more detail in this conversation I had yesterday with John Light:
https://www.youtube.com/watch?v=33rL3-p8cPw <https://www.youtube.com/watch?v=33rL3-p8cPw>
Cheers,
Greg Slepak
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
[-- Attachment #1.2: Type: text/html, Size: 5538 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 22:39 Tao Effect
@ 2017-06-06 23:02 ` Gregory Maxwell
2017-06-06 23:12 ` Tao Effect
2017-06-07 13:25 ` Nick Johnson
2017-06-06 23:08 ` Luke Dashjr
2017-06-06 23:20 ` Anthony Towns
2 siblings, 2 replies; 21+ messages in thread
From: Gregory Maxwell @ 2017-06-06 23:02 UTC (permalink / raw)
To: Tao Effect; +Cc: Bitcoin Dev
On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
> I believe the severity of replay attacks is going unvoiced and is not
> understood within the bitcoin community because of their lack of experience
> with them.
Please don't insult our community-- the issues with replay were
pointed out by us to Ethereum in advance and were cited specifically
in prior hardfork discussions long before Ethereum started editing
their ledger for the economic benefit of its centralized
administrators.
The lack of extensive discussion on these issues you're seeing is
rather symptomatic of engineers that take stability seriously not
taking BIP148 seriously; not symptomatic of people not knowing about
them. The same concerns also applies to all these HF proposals (which
for some reason you don't mention), arguably even stronger. The same
basic pattern exists: There are people that just don't care about the
technical issues who have made up their minds, and so you don't see
technical discussion. Those people who do see the issues already
called out the proposals as being ill-advised. Replay isn't even the
largest of the technical issues (network partitioning, for example, is
a much larger one).
BIP149 is arguably something of another matter in particular because
it has a time-frame that allows dealing with replay and other issues--
and particularly because it has a time-frame that can allow for the
avoidance of a meaningful fork at all.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:02 ` Gregory Maxwell
@ 2017-06-06 23:12 ` Tao Effect
2017-06-07 13:25 ` Nick Johnson
1 sibling, 0 replies; 21+ messages in thread
From: Tao Effect @ 2017-06-06 23:12 UTC (permalink / raw)
To: Gregory Maxwell; +Cc: Bitcoin Dev
[-- Attachment #1.1: Type: text/plain, Size: 2588 bytes --]
Hey Greg,
It wasn't my intention to insult anyone (a bit defensive?).
Maybe this is yet another example of a recurring criticism of Core: that core doesn't community these issues very well to journalists / reports / media / community outside of this list.
Because outside of this list it's been all about those 148 coins, and almost zero mention of replay attacks.
> BIP149 is arguably something of another matter in particular because
> it has a time-frame that allows dealing with replay and other issues--
> and particularly because it has a time-frame that can allow for the
> avoidance of a meaningful fork at all.
Are there other, more reasonable / feasible ways of addressing replay attacks in Bitcoin / BIP149 scenario?
Cheers,
Greg
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 4:02 PM, Gregory Maxwell <greg@xiph•org <mailto:greg@xiph•org>> wrote:
>
> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>> I believe the severity of replay attacks is going unvoiced and is not
>> understood within the bitcoin community because of their lack of experience
>> with them.
>
> Please don't insult our community-- the issues with replay were
> pointed out by us to Ethereum in advance and were cited specifically
> in prior hardfork discussions long before Ethereum started editing
> their ledger for the economic benefit of its centralized
> administrators.
>
> The lack of extensive discussion on these issues you're seeing is
> rather symptomatic of engineers that take stability seriously not
> taking BIP148 seriously; not symptomatic of people not knowing about
> them. The same concerns also applies to all these HF proposals (which
> for some reason you don't mention), arguably even stronger. The same
> basic pattern exists: There are people that just don't care about the
> technical issues who have made up their minds, and so you don't see
> technical discussion. Those people who do see the issues already
> called out the proposals as being ill-advised. Replay isn't even the
> largest of the technical issues (network partitioning, for example, is
> a much larger one).
>
> BIP149 is arguably something of another matter in particular because
> it has a time-frame that allows dealing with replay and other issues--
> and particularly because it has a time-frame that can allow for the
> avoidance of a meaningful fork at all.
[-- Attachment #1.2: Type: text/html, Size: 5952 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:02 ` Gregory Maxwell
2017-06-06 23:12 ` Tao Effect
@ 2017-06-07 13:25 ` Nick Johnson
2017-06-07 16:27 ` Tao Effect
1 sibling, 1 reply; 21+ messages in thread
From: Nick Johnson @ 2017-06-07 13:25 UTC (permalink / raw)
To: Gregory Maxwell, Tao Effect; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 834 bytes --]
On Wed, Jun 7, 2017 at 12:02 AM Gregory Maxwell via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org> wrote:
> > I believe the severity of replay attacks is going unvoiced and is not
> > understood within the bitcoin community because of their lack of
> experience
> > with them.
>
> Please don't insult our community-- the issues with replay were
> pointed out by us to Ethereum in advance and were cited specifically
> in prior hardfork discussions long before Ethereum started editing
> their ledger for the economic benefit of its centralized
> administrators.
Please don't spread misinformation. Whatever you think of the DAO hard
fork, it's a simple fact that the Ethereum ledger was not edited.
-Nick Johnson
[-- Attachment #2: Type: text/html, Size: 1265 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 13:25 ` Nick Johnson
@ 2017-06-07 16:27 ` Tao Effect
2017-06-07 17:35 ` Nick Johnson
0 siblings, 1 reply; 21+ messages in thread
From: Tao Effect @ 2017-06-07 16:27 UTC (permalink / raw)
To: Nick Johnson; +Cc: Bitcoin Dev
[-- Attachment #1.1: Type: text/plain, Size: 1604 bytes --]
Nick,
> Please don't spread misinformation. Whatever you think of the DAO hard fork, it's a simple fact that the Ethereum ledger was not edited.
This sort of email is unhelpful to this conversation, and it certainly doesn't help with the perception that Ethereum is nothing but a bunch of hypocritical Bankers 2.0.
Everyone knows you didn't edit Ethereum Classic, but the the hard fork, which was re-branded as Ethereum, was edited.
- Greg
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 7, 2017, at 6:25 AM, Nick Johnson <nick@ethereum•org <mailto:nick@ethereum•org>> wrote:
>
> On Wed, Jun 7, 2017 at 12:02 AM Gregory Maxwell via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
> > I believe the severity of replay attacks is going unvoiced and is not
> > understood within the bitcoin community because of their lack of experience
> > with them.
>
> Please don't insult our community-- the issues with replay were
> pointed out by us to Ethereum in advance and were cited specifically
> in prior hardfork discussions long before Ethereum started editing
> their ledger for the economic benefit of its centralized
> administrators.
>
> Please don't spread misinformation. Whatever you think of the DAO hard fork, it's a simple fact that the Ethereum ledger was not edited.
>
> -Nick Johnson
[-- Attachment #1.2: Type: text/html, Size: 5059 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 16:27 ` Tao Effect
@ 2017-06-07 17:35 ` Nick Johnson
2017-06-08 5:44 ` Conner Fromknecht
0 siblings, 1 reply; 21+ messages in thread
From: Nick Johnson @ 2017-06-07 17:35 UTC (permalink / raw)
To: Tao Effect; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 1948 bytes --]
On Wed, Jun 7, 2017 at 5:27 PM Tao Effect <contact@taoeffect•com> wrote:
> Nick,
>
> Please don't spread misinformation. Whatever you think of the DAO hard
> fork, it's a simple fact that the Ethereum ledger was not edited.
>
>
> This sort of email is unhelpful to this conversation, and it certainly
> doesn't help with the perception that Ethereum is nothing but a bunch of
> hypocritical Bankers 2.0.
>
>
> Everyone knows you didn't edit Ethereum Classic, but the the hard fork,
> which was re-branded as Ethereum, was edited.
>
That's not what I was suggesting. My point is that the ledger was never
edited. An 'irregular state change' was added at a specific block height,
but the ledger remains inviolate.
I'm sure I don't have to explain the difference between the ledger and the
state to you, or why it's significant that the ledger wasn't (and can't be,
practically) modified.
-Nick
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing with
> the NSA.
>
> On Jun 7, 2017, at 6:25 AM, Nick Johnson <nick@ethereum•org> wrote:
>
> On Wed, Jun 7, 2017 at 12:02 AM Gregory Maxwell via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
>> <bitcoin-dev@lists•linuxfoundation.org> wrote:
>> > I believe the severity of replay attacks is going unvoiced and is not
>> > understood within the bitcoin community because of their lack of
>> experience
>> > with them.
>>
>> Please don't insult our community-- the issues with replay were
>> pointed out by us to Ethereum in advance and were cited specifically
>> in prior hardfork discussions long before Ethereum started editing
>> their ledger for the economic benefit of its centralized
>> administrators.
>
>
> Please don't spread misinformation. Whatever you think of the DAO hard
> fork, it's a simple fact that the Ethereum ledger was not edited.
>
> -Nick Johnson
>
>
>
[-- Attachment #2: Type: text/html, Size: 5476 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 17:35 ` Nick Johnson
@ 2017-06-08 5:44 ` Conner Fromknecht
2017-06-08 6:38 ` Nick Johnson
0 siblings, 1 reply; 21+ messages in thread
From: Conner Fromknecht @ 2017-06-08 5:44 UTC (permalink / raw)
To: Nick Johnson, Tao Effect; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 3060 bytes --]
I don't normally post here, but I'm sorry, if you don't see those two as
equal, then I think you have misunderstood the *entire* value proposition
of cryptocurrencies.
The state of any cryptocurrency should entirely (and only) be defined by
its ledger. If the state of the system can be altered outside of the rules
governing its ledger, then the system isn't secure. It doesn't matter
whether the people making those changes are the ones that are leading the
project or not. An "irregular state change" is a fancy term for a bailout.
I'm sure I speak for more than myself in saying that an "irregular state
change" is equivalent to modifying the underlying ledger. Let's not let
semantics keep us from recognizing what actually took place.
-Conner
On Wed, Jun 7, 2017 at 14:14 Nick Johnson via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> On Wed, Jun 7, 2017 at 5:27 PM Tao Effect <contact@taoeffect•com> wrote:
>
>> Nick,
>>
>> Please don't spread misinformation. Whatever you think of the DAO hard
>> fork, it's a simple fact that the Ethereum ledger was not edited.
>>
>>
>> This sort of email is unhelpful to this conversation, and it certainly
>> doesn't help with the perception that Ethereum is nothing but a bunch of
>> hypocritical Bankers 2.0.
>>
>
>
>>
>> Everyone knows you didn't edit Ethereum Classic, but the the hard fork,
>> which was re-branded as Ethereum, was edited.
>>
>
> That's not what I was suggesting. My point is that the ledger was never
> edited. An 'irregular state change' was added at a specific block height,
> but the ledger remains inviolate.
>
> I'm sure I don't have to explain the difference between the ledger and the
> state to you, or why it's significant that the ledger wasn't (and can't be,
> practically) modified.
>
> -Nick
>
>
>> - Greg
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with
>> the NSA.
>>
>> On Jun 7, 2017, at 6:25 AM, Nick Johnson <nick@ethereum•org> wrote:
>>
>> On Wed, Jun 7, 2017 at 12:02 AM Gregory Maxwell via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
>>> <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>> > I believe the severity of replay attacks is going unvoiced and is not
>>> > understood within the bitcoin community because of their lack of
>>> experience
>>> > with them.
>>>
>>> Please don't insult our community-- the issues with replay were
>>> pointed out by us to Ethereum in advance and were cited specifically
>>> in prior hardfork discussions long before Ethereum started editing
>>> their ledger for the economic benefit of its centralized
>>> administrators.
>>
>>
>> Please don't spread misinformation. Whatever you think of the DAO hard
>> fork, it's a simple fact that the Ethereum ledger was not edited.
>>
>> -Nick Johnson
>>
>>
>> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 7234 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-08 5:44 ` Conner Fromknecht
@ 2017-06-08 6:38 ` Nick Johnson
0 siblings, 0 replies; 21+ messages in thread
From: Nick Johnson @ 2017-06-08 6:38 UTC (permalink / raw)
To: Conner Fromknecht, Tao Effect; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 3530 bytes --]
On Thu, Jun 8, 2017 at 6:44 AM Conner Fromknecht <conner@enigma•co> wrote:
> I don't normally post here, but I'm sorry, if you don't see those two as
> equal, then I think you have misunderstood the *entire* value proposition
> of cryptocurrencies.
>
> The state of any cryptocurrency should entirely (and only) be defined by
> its ledger. If the state of the system can be altered outside of the rules
> governing its ledger, then the system isn't secure.
This is true of any blockchain: you can always change the rules with the
consent of the participants.
> It doesn't matter whether the people making those changes are the ones
> that are leading the project or not. An "irregular state change" is a fancy
> term for a bailout.
>
> I'm sure I speak for more than myself in saying that an "irregular state
> change" is equivalent to modifying the underlying ledger. Let's not let
> semantics keep us from recognizing what actually took place.
>
It's not; modifying the ledger would rewrite history, erasing the record of
the original transactions. That's a fundamentally different operation, both
technically and semantically.
> -Conner
>
> On Wed, Jun 7, 2017 at 14:14 Nick Johnson via bitcoin-dev <
> bitcoin-dev@lists•linuxfoundation.org> wrote:
>
>> On Wed, Jun 7, 2017 at 5:27 PM Tao Effect <contact@taoeffect•com> wrote:
>>
>>> Nick,
>>>
>>> Please don't spread misinformation. Whatever you think of the DAO hard
>>> fork, it's a simple fact that the Ethereum ledger was not edited.
>>>
>>>
>>> This sort of email is unhelpful to this conversation, and it certainly
>>> doesn't help with the perception that Ethereum is nothing but a bunch of
>>> hypocritical Bankers 2.0.
>>>
>>
>>
>>>
>>> Everyone knows you didn't edit Ethereum Classic, but the the hard fork,
>>> which was re-branded as Ethereum, was edited.
>>>
>>
>> That's not what I was suggesting. My point is that the ledger was never
>> edited. An 'irregular state change' was added at a specific block height,
>> but the ledger remains inviolate.
>>
>> I'm sure I don't have to explain the difference between the ledger and
>> the state to you, or why it's significant that the ledger wasn't (and can't
>> be, practically) modified.
>>
>> -Nick
>>
>>
>>> - Greg
>>>
>>> --
>>> Please do not email me anything that you are not comfortable also sharing with
>>> the NSA.
>>>
>>> On Jun 7, 2017, at 6:25 AM, Nick Johnson <nick@ethereum•org> wrote:
>>>
>>> On Wed, Jun 7, 2017 at 12:02 AM Gregory Maxwell via bitcoin-dev <
>>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>
>>>> On Tue, Jun 6, 2017 at 10:39 PM, Tao Effect via bitcoin-dev
>>>> <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>> > I believe the severity of replay attacks is going unvoiced and is not
>>>> > understood within the bitcoin community because of their lack of
>>>> experience
>>>> > with them.
>>>>
>>>> Please don't insult our community-- the issues with replay were
>>>> pointed out by us to Ethereum in advance and were cited specifically
>>>> in prior hardfork discussions long before Ethereum started editing
>>>> their ledger for the economic benefit of its centralized
>>>> administrators.
>>>
>>>
>>> Please don't spread misinformation. Whatever you think of the DAO hard
>>> fork, it's a simple fact that the Ethereum ledger was not edited.
>>>
>>> -Nick Johnson
>>>
>>>
>>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
[-- Attachment #2: Type: text/html, Size: 8381 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 22:39 Tao Effect
2017-06-06 23:02 ` Gregory Maxwell
@ 2017-06-06 23:08 ` Luke Dashjr
2017-06-06 23:19 ` Tao Effect
2017-06-06 23:20 ` Anthony Towns
2 siblings, 1 reply; 21+ messages in thread
From: Luke Dashjr @ 2017-06-06 23:08 UTC (permalink / raw)
To: bitcoin-dev, Tao Effect
On Tuesday 06 June 2017 10:39:28 PM Tao Effect via bitcoin-dev wrote:
> I believe the severity of replay attacks is going unvoiced and is not
> understood within the bitcoin community because of their lack of
> experience with them.
Replay is a solved problem. It can be improved on and made simpler, but at
this point, replay only occurs when the sender is either negligent or
intending it.
> Both of the coin-splitting techniques given so far by the proponents BIP148
> are also untenable:
>
> - Double-spending to self with nLockTime txns is insanely complicated,
> risky, not guaranteed to work, extremely time consuming, and would likely
> result in a massive increase in backlogged transactions and increased
> fees.
This is nothing but unfounded FUD. It is very simple to implement and
guaranteed to work eventually. It may be time consuming, but that is the only
truth here. The only risk is that of a long reorg, the same as double spend
attacks.
> - Mixing with 148 coinbase txns destroys fungibility.
What kind of "fungibility" does this FUD claim it destroys? Destroying cross-
chain fungibility is the very *intent* of replay protection. And it does not
destroy same-chain fungibility any more than any other miner spending.
> Without a coin, there is no real threat from BIP148.
Lack of replay protection does not mean there is no coin. Replay protection is
equally a concern for the main (BIP148) chain and any legacy chains malicious
miners might choose to split off. And none of this changes the fact that such
miners will be unable to sell their legacycoins at Bitcoin market prices,
because whether other transactions are replayed or not, *their* coins won't be
valid on the main chain.
Luke
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:08 ` Luke Dashjr
@ 2017-06-06 23:19 ` Tao Effect
0 siblings, 0 replies; 21+ messages in thread
From: Tao Effect @ 2017-06-06 23:19 UTC (permalink / raw)
To: Luke Dashjr; +Cc: bitcoin-dev
[-- Attachment #1.1: Type: text/plain, Size: 3764 bytes --]
> Replay is a solved problem.
Point to this solved problem?
Your "solution" here is not a solution:
https://www.reddit.com/r/Bitcoin/comments/6f1urd/i_think_its_time_we_have_an_educated_discussion/diey21t/?context=3 <https://www.reddit.com/r/Bitcoin/comments/6f1urd/i_think_its_time_we_have_an_educated_discussion/diey21t/?context=3>
> This is nothing but unfounded FUD. It is very simple to implement and
> guaranteed to work eventually. It may be time consuming, but that is the only
> truth here. The only risk is that of a long reorg, the same as double spend
> attacks.
Let's assume you invented a simple way to double-spend txns to self (which you haven't, fyi), then that is an issue in of itself as the point of bitcoin is to *prevent* double-spending to self.
There would need to be much more time for the community to discuss the implications of wallets have a "double-spend to self" button in them.
> What kind of "fungibility" does this FUD claim it destroys? Destroying cross-
> chain fungibility is the very *intent* of replay protection. And it does not
> destroy same-chain fungibility any more than any other miner spending.
Yes it does destroy same-chain fungibility, as discussed on twitter [1], you're making miner coins special on both chains.
> Lack of replay protection does not mean there is no coin.
It effectively does. If people want to proceed blindly, ignoring replay, they're welcome to read about the consequences [2].
[1] https://twitter.com/taoeffect/status/872226556571131905 <https://twitter.com/taoeffect/status/872226556571131905>
[2] http://gist.github.com/taoeffect/c910ebb16d9f6d248e9f1f3c6e10b1b8 <http://gist.github.com/taoeffect/c910ebb16d9f6d248e9f1f3c6e10b1b8>
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 4:08 PM, Luke Dashjr <luke@dashjr•org <mailto:luke@dashjr•org>> wrote:
>
> On Tuesday 06 June 2017 10:39:28 PM Tao Effect via bitcoin-dev wrote:
>> I believe the severity of replay attacks is going unvoiced and is not
>> understood within the bitcoin community because of their lack of
>> experience with them.
>
> Replay is a solved problem. It can be improved on and made simpler, but at
> this point, replay only occurs when the sender is either negligent or
> intending it.
>
>> Both of the coin-splitting techniques given so far by the proponents BIP148
>> are also untenable:
>>
>> - Double-spending to self with nLockTime txns is insanely complicated,
>> risky, not guaranteed to work, extremely time consuming, and would likely
>> result in a massive increase in backlogged transactions and increased
>> fees.
>
> This is nothing but unfounded FUD. It is very simple to implement and
> guaranteed to work eventually. It may be time consuming, but that is the only
> truth here. The only risk is that of a long reorg, the same as double spend
> attacks.
>
>> - Mixing with 148 coinbase txns destroys fungibility.
>
> What kind of "fungibility" does this FUD claim it destroys? Destroying cross-
> chain fungibility is the very *intent* of replay protection. And it does not
> destroy same-chain fungibility any more than any other miner spending.
>
>> Without a coin, there is no real threat from BIP148.
>
> Lack of replay protection does not mean there is no coin. Replay protection is
> equally a concern for the main (BIP148) chain and any legacy chains malicious
> miners might choose to split off. And none of this changes the fact that such
> miners will be unable to sell their legacycoins at Bitcoin market prices,
> because whether other transactions are replayed or not, *their* coins won't be
> valid on the main chain.
>
> Luke
[-- Attachment #1.2: Type: text/html, Size: 7723 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 22:39 Tao Effect
2017-06-06 23:02 ` Gregory Maxwell
2017-06-06 23:08 ` Luke Dashjr
@ 2017-06-06 23:20 ` Anthony Towns
2017-06-06 23:27 ` Tao Effect
2 siblings, 1 reply; 21+ messages in thread
From: Anthony Towns @ 2017-06-06 23:20 UTC (permalink / raw)
To: bitcoin-dev
On Tue, Jun 06, 2017 at 03:39:28PM -0700, Tao Effect via bitcoin-dev wrote:
> - Mixing with 148 coinbase txns destroys fungibility.
CoinJoin works as a method of both improving fungibility and mixing with
coinbase transactions.
You probably don't need to do anything clever to split a coin though:
if you send a transaction with a standard fee it will get confirmed
in a normal time on the higher hashrate chain, but won't confirm as
quickly on the lower hashrate chain (precisely because transactions are
valid on both chains, but blocks are found more slowly with the lower
hashrate). When it's confirmed on one chain, but not on the other, you
can then "double-spend" on the lower hashrate chain with a higher fee,
to end up with different coins on both chains.
(also, no double-n in untenable)
Cheers,
aj
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:20 ` Anthony Towns
@ 2017-06-06 23:27 ` Tao Effect
2017-06-06 23:31 ` Tao Effect
2017-06-06 23:59 ` Kekcoin
0 siblings, 2 replies; 21+ messages in thread
From: Tao Effect @ 2017-06-06 23:27 UTC (permalink / raw)
To: Anthony Towns; +Cc: bitcoin-dev
[-- Attachment #1.1: Type: text/plain, Size: 2524 bytes --]
> CoinJoin works as a method of both improving fungibility and mixing with
> coinbase transactions.
My understanding is that the two situations are quite different.
Unlike mixing to coin-split, CoinJoin doesn't create a high demand exclusively for coinbase transactions.
However, of the proposed methods, coin-mixing seems the better option, because it might be reasonably easy (I don't know) for exchanges to obtain 148 coinbase coins, and mix their coins with them, extending the coin-splitting capability beyond just miner coins and then using that to split incoming coins.
That seems like the most reasonable approach I've heard so far. Whether exchanges would be willing to do that is a separate question.
> When it's confirmed on one chain, but not on the other, you
> can then "double-spend" on the lower hashrate chain with a higher fee,
> to end up with different coins on both chains.
This method is time consuming and not guaranteed to work. CPFP can be used by an attacker to get your original txn into the 148 chain.
> (also, no double-n in untenable)
Why thank you aj, you're so good at spelling. :-)
Cheers,
Greg
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 4:20 PM, Anthony Towns via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>
> On Tue, Jun 06, 2017 at 03:39:28PM -0700, Tao Effect via bitcoin-dev wrote:
>> - Mixing with 148 coinbase txns destroys fungibility.
>
> CoinJoin works as a method of both improving fungibility and mixing with
> coinbase transactions.
>
> You probably don't need to do anything clever to split a coin though:
> if you send a transaction with a standard fee it will get confirmed
> in a normal time on the higher hashrate chain, but won't confirm as
> quickly on the lower hashrate chain (precisely because transactions are
> valid on both chains, but blocks are found more slowly with the lower
> hashrate). When it's confirmed on one chain, but not on the other, you
> can then "double-spend" on the lower hashrate chain with a higher fee,
> to end up with different coins on both chains.
>
> (also, no double-n in untenable)
>
> Cheers,
> aj
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #1.2: Type: text/html, Size: 6098 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:27 ` Tao Effect
@ 2017-06-06 23:31 ` Tao Effect
2017-06-06 23:59 ` Kekcoin
1 sibling, 0 replies; 21+ messages in thread
From: Tao Effect @ 2017-06-06 23:31 UTC (permalink / raw)
To: Anthony Towns; +Cc: Anthony Towns via bitcoin-dev
[-- Attachment #1.1: Type: text/plain, Size: 1761 bytes --]
> CPFP can be used by an attacker to get your original txn into the 148 chain.
*err, my bad that's unlikely to happen, if I remember correctly CPFP can only be done by the person you're sending the coins to. Coin-mixing seems the better option of the two, but shouldn't the BIP148 folks wait until it's clear that will be supported by exchanges?
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 4:27 PM, Tao Effect <contact@taoeffect•com <mailto:contact@taoeffect•com>> wrote:
>
>> CoinJoin works as a method of both improving fungibility and mixing with
>> coinbase transactions.
>
> My understanding is that the two situations are quite different.
>
> Unlike mixing to coin-split, CoinJoin doesn't create a high demand exclusively for coinbase transactions.
>
> However, of the proposed methods, coin-mixing seems the better option, because it might be reasonably easy (I don't know) for exchanges to obtain 148 coinbase coins, and mix their coins with them, extending the coin-splitting capability beyond just miner coins and then using that to split incoming coins.
>
> That seems like the most reasonable approach I've heard so far. Whether exchanges would be willing to do that is a separate question.
>
>> When it's confirmed on one chain, but not on the other, you
>> can then "double-spend" on the lower hashrate chain with a higher fee,
>> to end up with different coins on both chains.
>
> This method is time consuming and not guaranteed to work. CPFP can be used by an attacker to get your original txn into the 148 chain.
>
>> (also, no double-n in untenable)
>
> Why thank you aj, you're so good at spelling. :-)
>
> Cheers,
> Greg
>
[-- Attachment #1.2: Type: text/html, Size: 5334 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:27 ` Tao Effect
2017-06-06 23:31 ` Tao Effect
@ 2017-06-06 23:59 ` Kekcoin
2017-06-07 0:04 ` Tao Effect
1 sibling, 1 reply; 21+ messages in thread
From: Kekcoin @ 2017-06-06 23:59 UTC (permalink / raw)
To: Tao Effect; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1: Type: text/plain, Size: 2826 bytes --]
You keep referring to 148 coinbase coins, what is the rationale behind this? Why would you prefer using 148 coinbases over legacy coinbases for this purpose?
Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------- Original Message --------
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 2:27 AM
UTC Time: June 6, 2017 11:27 PM
From: bitcoin-dev@lists•linuxfoundation.org
To: Anthony Towns <aj@erisian•com.au>
bitcoin-dev@lists•linuxfoundation.org
CoinJoin works as a method of both improving fungibility and mixing with
coinbase transactions.
My understanding is that the two situations are quite different.
Unlike mixing to coin-split, CoinJoin doesn't create a high demand exclusively for coinbase transactions.
However, of the proposed methods, coin-mixing seems the better option, because it might be reasonably easy (I don't know) for exchanges to obtain 148 coinbase coins, and mix their coins with them, extending the coin-splitting capability beyond just miner coins and then using that to split incoming coins.
That seems like the most reasonable approach I've heard so far. Whether exchanges would be willing to do that is a separate question.
When it's confirmed on one chain, but not on the other, you
can then "double-spend" on the lower hashrate chain with a higher fee,
to end up with different coins on both chains.
This method is time consuming and not guaranteed to work. CPFP can be used by an attacker to get your original txn into the 148 chain.
(also, no double-n in untenable)
Why thank you aj, you're so good at spelling. :-)
Cheers,
Greg
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
On Jun 6, 2017, at 4:20 PM, Anthony Towns via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
On Tue, Jun 06, 2017 at 03:39:28PM -0700, Tao Effect via bitcoin-dev wrote:- Mixing with 148 coinbase txns destroys fungibility.
CoinJoin works as a method of both improving fungibility and mixing with
coinbase transactions.
You probably don't need to do anything clever to split a coin though:
if you send a transaction with a standard fee it will get confirmed
in a normal time on the higher hashrate chain, but won't confirm as
quickly on the lower hashrate chain (precisely because transactions are
valid on both chains, but blocks are found more slowly with the lower
hashrate). When it's confirmed on one chain, but not on the other, you
can then "double-spend" on the lower hashrate chain with a higher fee,
to end up with different coins on both chains.
(also, no double-n in untenable)
Cheers,
aj
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists•linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
[-- Attachment #2: Type: text/html, Size: 5310 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-06 23:59 ` Kekcoin
@ 2017-06-07 0:04 ` Tao Effect
2017-06-07 0:19 ` Kekcoin
0 siblings, 1 reply; 21+ messages in thread
From: Tao Effect @ 2017-06-07 0:04 UTC (permalink / raw)
To: Kekcoin; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1.1: Type: text/plain, Size: 776 bytes --]
> You keep referring to 148 coinbase coins, what is the rationale behind this? Why would you prefer using 148 coinbases over legacy coinbases for this purpose?
OK, maybe "post-UASF coinbase coins" is a better term? I just wanted to make it clear that this refers to coins that come from blocks generated after the UASF is activated.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 4:59 PM, Kekcoin <kekcoin@protonmail•com <mailto:kekcoin@protonmail•com>> wrote:
>
> You keep referring to 148 coinbase coins, what is the rationale behind this? Why would you prefer using 148 coinbases over legacy coinbases for this purpose?
>
>
> Sent with ProtonMail <https://protonmail.com/> Secure Email.
[-- Attachment #1.2: Type: text/html, Size: 3746 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 0:04 ` Tao Effect
@ 2017-06-07 0:19 ` Kekcoin
2017-06-07 0:26 ` Tao Effect
0 siblings, 1 reply; 21+ messages in thread
From: Kekcoin @ 2017-06-07 0:19 UTC (permalink / raw)
To: Tao Effect; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1: Type: text/plain, Size: 1630 bytes --]
Hmm, that's not the difference I was talking about. I was referring to the fact that using "post-chainsplit coinbases from the non-148 chain" to unilaterally (ie. can be done without action on the 148-chain) taint coins is more secure in extreme-adverserial cases such as secret-mining reorg attacks (as unfeasibly expensive they may be); the only large-scale (>100 block) reorganization the non-148 chain faces should be a resolution of the chainsplit and therefore render the replay threat moot.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------- Original Message --------
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 3:04 AM
UTC Time: June 7, 2017 12:04 AM
From: contact@taoeffect•com
To: Kekcoin <kekcoin@protonmail•com>
Anthony Towns <aj@erisian•com.au>, bitcoin-dev@lists•linuxfoundation.org <bitcoin-dev@lists•linuxfoundation.org>
You keep referring to 148 coinbase coins, what is the rationale behind this? Why would you prefer using 148 coinbases over legacy coinbases for this purpose?
OK, maybe "post-UASF coinbase coins" is a better term? I just wanted to make it clear that this refers to coins that come from blocks generated after the UASF is activated.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
On Jun 6, 2017, at 4:59 PM, Kekcoin <kekcoin@protonmail•com> wrote:
You keep referring to 148 coinbase coins, what is the rationale behind this? Why would you prefer using 148 coinbases over legacy coinbases for this purpose?
Sent with [ProtonMail](https://protonmail.com/) Secure Email.
[-- Attachment #2: Type: text/html, Size: 3275 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 0:19 ` Kekcoin
@ 2017-06-07 0:26 ` Tao Effect
2017-06-07 0:29 ` Kekcoin
0 siblings, 1 reply; 21+ messages in thread
From: Tao Effect @ 2017-06-07 0:26 UTC (permalink / raw)
To: Kekcoin; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1.1: Type: text/plain, Size: 862 bytes --]
I don't know what you mean by "render the replay threat moot."
If you don't have replay protection, replay is always a threat. A very serious one.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 5:19 PM, Kekcoin <kekcoin@protonmail•com <mailto:kekcoin@protonmail•com>> wrote:
>
> Hmm, that's not the difference I was talking about. I was referring to the fact that using "post-chainsplit coinbases from the non-148 chain" to unilaterally (ie. can be done without action on the 148-chain) taint coins is more secure in extreme-adverserial cases such as secret-mining reorg attacks (as unfeasibly expensive they may be); the only large-scale (>100 block) reorganization the non-148 chain faces should be a resolution of the chainsplit and therefore render the replay threat moot.
>
[-- Attachment #1.2: Type: text/html, Size: 3569 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 0:26 ` Tao Effect
@ 2017-06-07 0:29 ` Kekcoin
2017-06-07 0:38 ` Tao Effect
0 siblings, 1 reply; 21+ messages in thread
From: Kekcoin @ 2017-06-07 0:29 UTC (permalink / raw)
To: Tao Effect; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1: Type: text/plain, Size: 1423 bytes --]
Please read my email more carefully; the replay threat would be moot because there would be no alternative chain to replay the TX on, as the non-148 chain would have been reorganized into oblivion.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------- Original Message --------
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 3:26 AM
UTC Time: June 7, 2017 12:26 AM
From: contact@taoeffect•com
To: Kekcoin <kekcoin@protonmail•com>
Anthony Towns <aj@erisian•com.au>, bitcoin-dev@lists•linuxfoundation.org <bitcoin-dev@lists•linuxfoundation.org>
I don't know what you mean by "render the replay threat moot."
If you don't have replay protection, replay is always a threat. A very serious one.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
On Jun 6, 2017, at 5:19 PM, Kekcoin <kekcoin@protonmail•com> wrote:
Hmm, that's not the difference I was talking about. I was referring to the fact that using "post-chainsplit coinbases from the non-148 chain" to unilaterally (ie. can be done without action on the 148-chain) taint coins is more secure in extreme-adverserial cases such as secret-mining reorg attacks (as unfeasibly expensive they may be); the only large-scale (>100 block) reorganization the non-148 chain faces should be a resolution of the chainsplit and therefore render the replay threat moot.
[-- Attachment #2: Type: text/html, Size: 2787 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 0:29 ` Kekcoin
@ 2017-06-07 0:38 ` Tao Effect
2017-06-07 0:46 ` Kekcoin
0 siblings, 1 reply; 21+ messages in thread
From: Tao Effect @ 2017-06-07 0:38 UTC (permalink / raw)
To: Kekcoin; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1.1: Type: text/plain, Size: 2597 bytes --]
> Please read my email more carefully; the replay threat would be moot because there would be no alternative chain to replay the TX on,
In order to *get to that point*, you need >51%.
Not only that, but, if you started out with <51%, then you need >>51% in order to *catch up* and replace the large number of blocks added to the legacy chain in the mean time.
So, since >51% is _required_ for BIP148 to succeed (and likely >>51%)... you might as well do as SegWit did originally, or lower the threshold to 80% or something (as BIP91 does).
Without replay protection at the outset, BIP148, as far as I can tell, isn't a threat to miners.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
> On Jun 6, 2017, at 5:29 PM, Kekcoin <kekcoin@protonmail•com <mailto:kekcoin@protonmail•com>> wrote:
>
> Please read my email more carefully; the replay threat would be moot because there would be no alternative chain to replay the TX on, as the non-148 chain would have been reorganized into oblivion.
>
>
> Sent with ProtonMail <https://protonmail.com/> Secure Email.
>
>> -------- Original Message --------
>> Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
>> Local Time: June 7, 2017 3:26 AM
>> UTC Time: June 7, 2017 12:26 AM
>> From: contact@taoeffect•com <mailto:contact@taoeffect•com>
>> To: Kekcoin <kekcoin@protonmail•com <mailto:kekcoin@protonmail•com>>
>> Anthony Towns <aj@erisian•com.au <mailto:aj@erisian•com.au>>, bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org> <bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>>
>>
>> I don't know what you mean by "render the replay threat moot."
>>
>> If you don't have replay protection, replay is always a threat. A very serious one.
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>>
>>> On Jun 6, 2017, at 5:19 PM, Kekcoin <kekcoin@protonmail•com <mailto:kekcoin@protonmail•com>> wrote:
>>>
>>> Hmm, that's not the difference I was talking about. I was referring to the fact that using "post-chainsplit coinbases from the non-148 chain" to unilaterally (ie. can be done without action on the 148-chain) taint coins is more secure in extreme-adverserial cases such as secret-mining reorg attacks (as unfeasibly expensive they may be); the only large-scale (>100 block) reorganization the non-148 chain faces should be a resolution of the chainsplit and therefore render the replay threat moot.
>>>
>
[-- Attachment #1.2: Type: text/html, Size: 7260 bytes --]
[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
2017-06-07 0:38 ` Tao Effect
@ 2017-06-07 0:46 ` Kekcoin
0 siblings, 0 replies; 21+ messages in thread
From: Kekcoin @ 2017-06-07 0:46 UTC (permalink / raw)
To: Tao Effect; +Cc: bitcoin-dev, Anthony Towns
[-- Attachment #1: Type: text/plain, Size: 3345 bytes --]
I was merely describing that the only failure mode of using "post-split coinbases from the legacy chain" as seedcoins for cointainting purposes would be a resolution of the coinsplit, thereby rendering the cointainting redundant, therefore this would be an entirely safe approach to cointainting, as the only way coins could become untainted (and therefore subject to the threat of replay attacks) would coincide with a disappearance of the situation that gave rise to such replay attacks in the first place. This should sufficiently answer your concerns regarding lack of replay protection in case of medium-to-long-term chainsplits in general. If you fail to grok, please read again until you don't.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------- Original Message --------
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 3:38 AM
UTC Time: June 7, 2017 12:38 AM
From: contact@taoeffect•com
To: Kekcoin <kekcoin@protonmail•com>
Anthony Towns <aj@erisian•com.au>, bitcoin-dev@lists•linuxfoundation.org <bitcoin-dev@lists•linuxfoundation.org>
Please read my email more carefully; the replay threat would be moot because there would be no alternative chain to replay the TX on,
In order to *get to that point*, you need >51%.
Not only that, but, if you started out with <51%, then you need >>51% in order to *catch up* and replace the large number of blocks added to the legacy chain in the mean time.
So, since >51% is _required_ for BIP148 to succeed (and likely >>51%)... you might as well do as SegWit did originally, or lower the threshold to 80% or something (as BIP91 does).
Without replay protection at the outset, BIP148, as far as I can tell, isn't a threat to miners.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
On Jun 6, 2017, at 5:29 PM, Kekcoin <kekcoin@protonmail•com> wrote:
Please read my email more carefully; the replay threat would be moot because there would be no alternative chain to replay the TX on, as the non-148 chain would have been reorganized into oblivion.
Sent with [ProtonMail](https://protonmail.com/) Secure Email.
-------- Original Message --------
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Local Time: June 7, 2017 3:26 AM
UTC Time: June 7, 2017 12:26 AM
From: contact@taoeffect•com
To: Kekcoin <kekcoin@protonmail•com>
Anthony Towns <aj@erisian•com.au>, bitcoin-dev@lists•linuxfoundation.org <bitcoin-dev@lists•linuxfoundation.org>
I don't know what you mean by "render the replay threat moot."
If you don't have replay protection, replay is always a threat. A very serious one.
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
On Jun 6, 2017, at 5:19 PM, Kekcoin <kekcoin@protonmail•com> wrote:
Hmm, that's not the difference I was talking about. I was referring to the fact that using "post-chainsplit coinbases from the non-148 chain" to unilaterally (ie. can be done without action on the 148-chain) taint coins is more secure in extreme-adverserial cases such as secret-mining reorg attacks (as unfeasibly expensive they may be); the only large-scale (>100 block) reorganization the non-148 chain faces should be a resolution of the chainsplit and therefore render the replay threat moot.
[-- Attachment #2: Type: text/html, Size: 6851 bytes --]
^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2017-06-08 6:39 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-06-06 20:43 [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable Tao Effect
2017-06-06 22:39 Tao Effect
2017-06-06 23:02 ` Gregory Maxwell
2017-06-06 23:12 ` Tao Effect
2017-06-07 13:25 ` Nick Johnson
2017-06-07 16:27 ` Tao Effect
2017-06-07 17:35 ` Nick Johnson
2017-06-08 5:44 ` Conner Fromknecht
2017-06-08 6:38 ` Nick Johnson
2017-06-06 23:08 ` Luke Dashjr
2017-06-06 23:19 ` Tao Effect
2017-06-06 23:20 ` Anthony Towns
2017-06-06 23:27 ` Tao Effect
2017-06-06 23:31 ` Tao Effect
2017-06-06 23:59 ` Kekcoin
2017-06-07 0:04 ` Tao Effect
2017-06-07 0:19 ` Kekcoin
2017-06-07 0:26 ` Tao Effect
2017-06-07 0:29 ` Kekcoin
2017-06-07 0:38 ` Tao Effect
2017-06-07 0:46 ` Kekcoin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox