public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd.org>
To: Sergio Demian Lerner <sergio.d.lerner@gmail.com>
Cc: bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Trusted merkle tree depth for safe tx inclusion proofs without a soft fork
Date: Sat, 9 Jun 2018 08:50:58 -0400	[thread overview]
Message-ID: <20180609125058.sk3rdoyl7li73qdo@petertodd.org> (raw)
In-Reply-To: <CAKzdR-paqYgOxToikaVD=0GMsCjHBaynX3WgB-CN6Sn7B7kRXw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1382 bytes --]

On Sat, Jun 09, 2018 at 01:03:53PM +0200, Sergio Demian Lerner wrote:
> Hi Peter,
> We reported this as CVE-2017-12842, although it may have been known by
> developers before us.

It's been known so long ago that I incorrectly thought the attack was ok to
discuss in public; I had apparently incorrectly remembered a conversation I had
with Greg Maxwell over a year ago where I thought he said it was fine to
discuss because it was well known.

My apologies to anyone who thinks my post was jumping the gun by discussing
this in public; cats out of the bag now anyway.

> There are hundreds of SPV wallets out there, without even considering other
> more sensitive systems relying on SPV proofs.
> As I said we, at RSK, discovered this problem in 2017. For RSK it's very
> important this is fixed because our SPV bridge uses SPV proofs.
> I urge all people participating in this mailing list and the rest of the
> Bitcoin community to work on this issue for the security and clean-design
> of Bitcoin.

My post is arguing that we *don't* need to fix the attack, because we can make
pruned nodes invulerable to it while retaining the ability to verify merkle
path tx inclusion proofs.

As for SPV, there is no attack to fix: they can be attacked at much lower cost
by simply generating fake blocks.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

      parent reply	other threads:[~2018-06-09 12:51 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-07 17:13 [bitcoin-dev] Trusted merkle tree depth for safe tx inclusion proofs without a soft fork Peter Todd
2018-06-07 21:15 ` Bram Cohen
2018-06-07 22:20   ` Peter Todd
2018-06-09  3:29     ` Bram Cohen
2018-06-09 11:03       ` Sergio Demian Lerner
2018-06-09 12:21         ` Sergio Demian Lerner
2018-06-09 12:24           ` Sergio Demian Lerner
2018-06-09 12:45           ` Peter Todd
2018-06-09 12:51             ` Sergio Demian Lerner
2018-06-09 13:02               ` Peter Todd
2018-06-09 12:50         ` Peter Todd [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180609125058.sk3rdoyl7li73qdo@petertodd.org \
    --to=pete@petertodd.org \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=sergio.d.lerner@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox