From: Sergio Demian Lerner <sergio.d.lerner@gmail•com>
To: bram@chia•net, bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Trusted merkle tree depth for safe tx inclusion proofs without a soft fork
Date: Sat, 9 Jun 2018 14:24:49 +0200 [thread overview]
Message-ID: <CAKzdR-ruTk_fgFosQU=DeNhbLNd=rvRd_r1hAogEDu=d4oySTQ@mail.gmail.com> (raw)
In-Reply-To: <CAKzdR-rz2-D5pbcoSw0CK9tR-UY46ybYaZDmUMYTjBgvkL6ugg@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 4245 bytes --]
Here is our internal report, if you want more details on the problem.
(our reported attack complexity may slightly differ from what Peter has
provided, but the attack complexity depends on the funds the attacker is
willing to lock).
regards,
Sergio.
On Sat, Jun 9, 2018 at 2:21 PM Sergio Demian Lerner <
sergio.d.lerner@gmail•com> wrote:
> Also it must be noted that an attacker having only 1.3M USD that can
> brute-force 72 bits (4 days of hashing on capable ASICs) can perform the
> same attack, so the attack is entirely feasible and no person should accept
> more than 1M USD using a SPV wallet.
>
> Also the attack can be repeated: once you create the "extension point"
> block, you can attack more and more parties without any additional
> computation.
>
>
> On Sat, Jun 9, 2018 at 1:03 PM Sergio Demian Lerner <
> sergio.d.lerner@gmail•com> wrote:
>
>> Hi Peter,
>> We reported this as CVE-2017-12842, although it may have been known by
>> developers before us.
>> There are hundreds of SPV wallets out there, without even considering
>> other more sensitive systems relying on SPV proofs.
>> As I said we, at RSK, discovered this problem in 2017. For RSK it's very
>> important this is fixed because our SPV bridge uses SPV proofs.
>> I urge all people participating in this mailing list and the rest of the
>> Bitcoin community to work on this issue for the security and clean-design
>> of Bitcoin.
>>
>> My suggestion is to use in the version bits 4 bits indicating the tree
>> depth (-1), as a soft-fork, so
>> 00=1 depth,
>> 0F = 16 depth (maximum 64K transactions). Very clean.
>>
>> The other option is to ban transaction with size lower or equal to 64.
>>
>> Best regards,
>> Sergio.
>>
>> On Sat, Jun 9, 2018 at 5:31 AM Bram Cohen via bitcoin-dev <
>> bitcoin-dev@lists•linuxfoundation.org> wrote:
>>
>>> So are you saying that if fully validating nodes wish to prune they can
>>> maintain the ability to validate old transactions by cacheing the number of
>>> transactions in each previous block?
>>>
>>> On Thu, Jun 7, 2018 at 3:20 PM, Peter Todd <pete@petertodd•org> wrote:
>>>
>>>> On Thu, Jun 07, 2018 at 02:15:35PM -0700, Bram Cohen wrote:
>>>> > Are you proposing a soft fork to include the number of transactions
>>>> in a
>>>> > block in the block headers to compensate for the broken Merkle
>>>> format? That
>>>> > sounds like a good idea.
>>>> >
>>>> > On Thu, Jun 7, 2018 at 10:13 AM, Peter Todd via bitcoin-dev <
>>>> > bitcoin-dev@lists•linuxfoundation.org> wrote:
>>>> >
>>>> > > It's well known that the Bitcoin merkle tree algorithm fails to
>>>> distinguish
>>>> > > between inner nodes and 64 byte transactions, as both txs and inner
>>>> nodes
>>>> > > are
>>>> > > hashed the same way. This potentially poses a problem for tx
>>>> inclusion
>>>> > > proofs,
>>>> > > as a miner could (with ~60 bits of brute forcing) create a
>>>> transaction that
>>>> > > committed to a transaction that was not in fact in the blockchain.
>>>> > >
>>>> > > Since odd-numbered inner/leaf nodes are concatenated with
>>>> themselves and
>>>> > > hashed
>>>> > > twice, the depth of all leaves (txs) in the tree is fixed.
>>>> > >
>>>> > > It occured to me that if the depth of the merkle tree is known, this
>>>> > > vulnerability can be trivially avoided by simply comparing the
>>>> length of
>>>> > > the
>>>> > > merkle path to that known depth. For pruned nodes, if the depth is
>>>> saved
>>>> > > prior
>>>> > > to pruning the block contents itself, this would allow for
>>>> completely safe
>>>> > > verification of tx inclusion proofs, without a soft-fork; storing
>>>> this
>>>> ^^^^^^^^^^^^^^^^^^^
>>>>
>>>> Re-read my post: I specifically said you do not need a soft-fork to
>>>> implement
>>>> this. In fact, I think you can argue that this is an accidental
>>>> feature, not a
>>>> bug, as it further encourages the use of safe full verifiaction rather
>>>> than
>>>> unsafe lite clients.
>>>>
>>>> --
>>>> https://petertodd.org 'peter'[:-1]@petertodd.org
>>>>
>>>
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists•linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>>
[-- Attachment #1.2: Type: text/html, Size: 6287 bytes --]
[-- Attachment #2: Vulnerability in Bitcoin Merkle Tree Design.pdf --]
[-- Type: application/pdf, Size: 402454 bytes --]
next prev parent reply other threads:[~2018-06-09 12:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-07 17:13 Peter Todd
2018-06-07 21:15 ` Bram Cohen
2018-06-07 22:20 ` Peter Todd
2018-06-09 3:29 ` Bram Cohen
2018-06-09 11:03 ` Sergio Demian Lerner
2018-06-09 12:21 ` Sergio Demian Lerner
2018-06-09 12:24 ` Sergio Demian Lerner [this message]
2018-06-09 12:45 ` Peter Todd
2018-06-09 12:51 ` Sergio Demian Lerner
2018-06-09 13:02 ` Peter Todd
2018-06-09 12:50 ` Peter Todd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKzdR-ruTk_fgFosQU=DeNhbLNd=rvRd_r1hAogEDu=d4oySTQ@mail.gmail.com' \
--to=sergio.d.lerner@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=bram@chia$(echo .)net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox