From: Peter Todd <pete@petertodd•org>
To: "David A. Harding" <dave@dtrt•org>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Why Full-RBF Makes DoS Attacks on Multiparty Protocols Significantly More Expensive
Date: Fri, 13 Jan 2023 18:37:04 -0500 [thread overview]
Message-ID: <Y8HrINYYYiw+V9v+@petertodd.org> (raw)
In-Reply-To: <6cebd312ca960e634729cc574c2e97b0@dtrt.org>
[-- Attachment #1: Type: text/plain, Size: 3574 bytes --]
On Tue, Jan 10, 2023 at 10:14:47AM -1000, David A. Harding wrote:
> On 2023-01-10 00:06, Peter Todd wrote:
> > Remember, we'd like decentralized coinjoin implementations like
> > Joinmarket to
> > work. How does a decentralized coinjoin implement "conflict monitoring"?
>
> 1. Run a relay node with a conflict-detection patch. Stock Bitcoin Core
> with -debug=mempoolrej will tell you when it rejects a transaction
> for conflicting with a transaction already in the mempool, e.g.:
>
> 2022-11-01T02:53:17Z
> 867b85d68d7a7244c1d65c4797006b56973110ac243ab5ee15a8c4d220060c58 from
> peer=58 was not accepted: txn-mempool-conflict
>
> I think it would be easy to extend this facility to list the inputs
> which conflicted. So if Alice sees a conflict created by Mallory,
> she can create a new coinjoin transaction without Mallory. This
> method has the advantage of being fast and attributing fault,
> although it does require Alice's node be online at the time Mallory's
> conflict is propagated.
So for something as simple as reliable coinjoining - an important privacy
feature that we'd like all wallets to use - you expect people to run
well-connected 24/7 nodes running specialty software?
Even if you run a node as you suggest, there's certainly no guarantee that
you'd learn about any double-spend without doing a severe sybil attack against
the network; the 8 outgoing nodes a typical node has samples a tiny fraction of
the network. And *even if* you sybil attack to try to detect conflicts there's
still no guarantee as attackers can use all kinds of special techniques to get
transactions into miner mempools and not others.
> 2. Simply assume a conflict exists for otherwise unexplainable failures.
> For example, if Alice sees several new blocks whose bottom feerates
> are well below the feerates of an unconfirmed coinjoin transaction
> that Alice helped create and broadcast, she can assume it's a
> conflict that is preventing preventing confirmation of the coinjoin.
> She can find an entirely different set of collaborators and create a
> non-conflicting transaction without ever needing to know which inputs
> from the original transaction conflicted. This method has the
> disadvantage of being slow (on the order of hours) and not attributing
> fault, although it doesn't require Alice has any information beyond
> copies
> of recent blocks.
You're suggesting that to avoid enabling full-rbf, coinjoin's and other
decentralized multi-party protocols risk getting coins tied up for hours trying
to do conflict resolution rather than just fixing the underlying problem with
what's literally a one-line code change that 17% of the v24.x nodes have
decided to enable.
> I didn't list these methods or others before because the specific method
> used to
> detect conflicts doesn't matter to the realization that software which
> uses conflict detection and evasion to defeat the $17.00 attack also
> defeats the $0.05 attack without any need for full-RBF.
Fact is, full-rbf defeats those attacks much better. And I'm amazed that you
don't consider raising the cost of attacks on coinjoins and similar
decentralized protocols by almost three orders of magnitude to be important:
why are you prioritizing a few highly centralized, often AML/KYC'd, unconfirmed
tx acceptance services over decentralized protocols which provide privacy and
security to a lot more users?
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-01-13 23:37 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-09 22:18 Peter Todd
2023-01-10 7:11 ` David A. Harding
2023-01-10 8:47 ` Peter Todd
2023-01-10 10:02 ` David A. Harding
2023-01-10 10:06 ` Peter Todd
2023-01-10 20:14 ` David A. Harding
2023-01-13 23:37 ` Peter Todd [this message]
2023-01-10 9:19 ` alicexbt
2023-01-10 10:03 ` Peter Todd
2023-01-10 17:10 ` alicexbt
2023-01-13 23:46 ` Peter Todd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y8HrINYYYiw+V9v+@petertodd.org \
--to=pete@petertodd$(echo .)org \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=dave@dtrt$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox