From: Tao Effect
To: Luke Dashjr
Cc: bitcoin-dev@lists.linuxfoundation.org
Date: Tue, 6 Jun 2017 16:19:39 -0700
Subject: Re: [bitcoin-dev] Replay attacks make BIP148 and BIP149 untennable
Message-Id: <3F598630-86AA-4ACC-AD71-BB594767276C@taoeffect.com>
In-Reply-To: <201706062308.12531.luke@dashjr.org>

> Replay is a solved problem.

Point to this solved problem?

Your "solution" here is not a solution:

https://www.reddit.com/r/Bitcoin/comments/6f1urd/i_think_its_time_we_have_an_educated_discussion/diey21t/?context=3

> This is nothing but unfounded FUD. It is very simple to implement and
> guaranteed to work eventually. It may be time consuming, but that is the
> only truth here. The only risk is that of a long reorg, the same as double
> spend attacks.

Let's assume you invented a simple way to double-spend txns to self (which you haven't, fyi), then that is an issue in and of itself as the point of bitcoin is to *prevent* double-spending to self.

There would need to be much more time for the community to discuss the implications of wallets having a "double-spend to self" button in them.

> What kind of "fungibility" does this FUD claim it destroys? Destroying
> cross-chain fungibility is the very *intent* of replay protection. And it
> does not destroy same-chain fungibility any more than any other miner
> spending.

Yes it does destroy same-chain fungibility, as discussed on Twitter [1], you're making miner coins special on both chains.

> Lack of replay protection does not mean there is no coin.

It effectively does. If people want to proceed blindly, ignoring replay, they're welcome to read about the consequences [2].

[1] https://twitter.com/taoeffect/status/872226556571131905
[2] http://gist.github.com/taoeffect/c910ebb16d9f6d248e9f1f3c6e10b1b8

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

> On Jun 6, 2017, at 4:08 PM, Luke Dashjr <luke@dashjr.org> wrote:
>
> On Tuesday 06 June 2017 10:39:28 PM Tao Effect via bitcoin-dev wrote:
>> I believe the severity of replay attacks is going unvoiced and is not
>> understood within the bitcoin community because of their lack of
>> experience with them.
>
> Replay is a solved problem. It can be improved on and made simpler, but at
> this point, replay only occurs when the sender is either negligent or
> intending it.
>
>> Both of the coin-splitting techniques given so far by the proponents of
>> BIP148 are also untenable:
>>
>> - Double-spending to self with nLockTime txns is insanely complicated,
>> risky, not guaranteed to work, extremely time consuming, and would likely
>> result in a massive increase in backlogged transactions and increased
>> fees.
>
> This is nothing but unfounded FUD. It is very simple to implement and
> guaranteed to work eventually. It may be time consuming, but that is the
> only truth here. The only risk is that of a long reorg, the same as double
> spend attacks.
>
>> - Mixing with 148 coinbase txns destroys fungibility.
>
> What kind of "fungibility" does this FUD claim it destroys? Destroying
> cross-chain fungibility is the very *intent* of replay protection. And it
> does not destroy same-chain fungibility any more than any other miner
> spending.
>
>> Without a coin, there is no real threat from BIP148.
>
> Lack of replay protection does not mean there is no coin. Replay protection
> is equally a concern for the main (BIP148) chain and any legacy chains
> malicious miners might choose to split off. And none of this changes the
> fact that such miners will be unable to sell their legacycoins at Bitcoin
> market prices, because whether other transactions are replayed or not,
> *their* coins won't be valid on the main chain.
>
> Luke