From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 555B31758 for ; Sat, 9 Jun 2018 12:52:34 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-lf0-f41.google.com (mail-lf0-f41.google.com [209.85.215.41]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 86A1C604 for ; Sat, 9 Jun 2018 12:52:33 +0000 (UTC) Received: by mail-lf0-f41.google.com with SMTP id v135-v6so24003173lfa.9 for ; Sat, 09 Jun 2018 05:52:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GMobQMdpSUcPPiuKYPOIC/pbBeM4j2kVDA3T4L7B7lk=; b=aN8293G4qlioXJrwNt3zfCT7k9Suf/r8VaKcSCzVuA5lcmfrzRXhu/RE64NlxHI0rW 5Tg+s5KUybL8UPwjV6rApAlUUXdjYRMLV1Gr8bobSnq6HffExdcBKmKvBl5z9JvqmcQZ 1oD41ZvXdTEGfqsGrCoYCawqxeAlQ/CVlJ0BPi4drfT8U+P8KcEFJAckHr9eDm3FGPQy swEBb2jPJvvnT2KEVEt9dCMl5c25m+rWXB29vLJDlgZZ2mbX46eIDMhMHMZ8UVPJR0t/ k+Gl6dHbRwVuncyAyMI38f/KB9QcvRPDx5onjmlFkB6d8ulht+ER2KgTBYcKfhtwbwK0 woYw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GMobQMdpSUcPPiuKYPOIC/pbBeM4j2kVDA3T4L7B7lk=; b=gMorkHTwxdN/CgIx35VJSORLs/8LGLN3DQSyPW+5LRoz+/xqNCflSzooS8U0Og5huy ZrkqBMdMq5l8r7fqLawauUP1bwUXCTiz+QtjrtRZtRsAAXnX1/6kYbR4U5p5roTkka7X HOS0ch5dJ65GA1sPWgG0Bnah9s26NUek9Im1s7ClmUaKY3eG9gobG8oCYLqx31v5IRZl kj3sQCNypf3boU7b2cHQxRcAkyQ/9pDJNiSMSIjozvMStgF4HTcqnA4w842xMFPnTKym 6ZNCzPki62q3UlDFb72BE6pErcm8HEvHrvibHA0SnWIyEIwH+UYXwx+GzKYDVAR5PRF/ RIMQ== X-Gm-Message-State: APt69E1Rr09KOHrDn9WfJXITglxOvW1bpouZJ7uDVsomZ50L8LUpQdVd +9473uWIbQg+R/MSkf7v1ZWEV9h0oV97iDk+jR0= X-Google-Smtp-Source: ADUXVKLjdXOuPfVESJUW/QrSd7G7q205wW8+6l1lYCMPWMHFs3gymTzJRgiZihvMlBufmb4pii1X/S6AygP3B72BMSc= X-Received: by 2002:a2e:c41:: with SMTP id o1-v6mr7003715ljd.87.1528548751884; Sat, 09 Jun 2018 05:52:31 -0700 (PDT) MIME-Version: 1.0 References: <20180607171311.6qdjohfuuy3ufriv@petertodd.org> <20180607222028.zbva4vrv64dzrmxy@petertodd.org> <20180609124516.6ms6t7r5t7ikved6@petertodd.org> In-Reply-To: <20180609124516.6ms6t7r5t7ikved6@petertodd.org> From: Sergio Demian Lerner Date: Sat, 9 Jun 2018 14:51:55 +0200 Message-ID: To: Peter Todd Content-Type: multipart/alternative; boundary="00000000000060c77a056e34fdd1" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,LOTS_OF_MONEY, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 09 Jun 2018 14:58:55 +0000 Cc: bitcoin-dev Subject: Re: [bitcoin-dev] Trusted merkle tree depth for safe tx inclusion proofs without a soft fork X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Jun 2018 12:52:34 -0000 --00000000000060c77a056e34fdd1 Content-Type: text/plain; charset="UTF-8" Yo can fool a SPV wallet even if it requires a thousands confirmations using this attack, and you don't need a Sybil attack, so yes, it impacts SPV wallets also. The protections a SPV node should have to prevent this attack are different, so it must be considered separately. It should be said that a SPV node can avoid accepting payments if any Merkle node is at the same time a valid transaction, and that basically almost eliminates the problem. SPV Wallet would reject valid payments with a astonishingly low probability. On Sat, Jun 9, 2018 at 2:45 PM Peter Todd wrote: > On Sat, Jun 09, 2018 at 02:21:17PM +0200, Sergio Demian Lerner wrote: > > Also it must be noted that an attacker having only 1.3M USD that can > > brute-force 72 bits (4 days of hashing on capable ASICs) can perform the > > same attack, so the attack is entirely feasible and no person should > accept > > more than 1M USD using a SPV wallet. > > That doesn't make any sense. Against a SPV wallet you don't need that > attack; > with that kind of budget you can fool it by just creating a fake block at > far > less cost, along with a sybil attack. Sybils aren't difficult to pull off > when > you have the budget to be greating fake blocks. > > > Also the attack can be repeated: once you create the "extension point" > > block, you can attack more and more parties without any additional > > computation. > > That's technically incorrect: txouts can only be spent once, so you'll > need to > do 2^40 work each time you want to repeat the attack to grind the matching > part > of the prevout again. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > --00000000000060c77a056e34fdd1 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Yo can fool a SPV wallet even if it requires a thousands c= onfirmations using this attack, and you don't need a Sybil attack, so y= es, it impacts SPV wallets also. The protections a SPV node should have to = prevent this attack are=C2=A0 different, so it must be considered separatel= y.

It should be said that a SPV node can avoid accepting= payments if any Merkle node is at the same time a valid transaction, and t= hat basically almost eliminates the problem.=C2=A0

SPV Wallet would reject valid payments with a astonishingly low probabilit= y.



On Sat, Jun 9, 2018 at 2:45 PM Peter= Todd <pete@petertodd.org> = wrote:
On Sat, Jun 09, 2018 at 02:2= 1:17PM +0200, Sergio Demian Lerner wrote:
> Also it must be noted that an attacker having only 1.3M USD that can > brute-force 72 bits (4 days of hashing on capable ASICs) can perform t= he
> same attack, so the attack is entirely feasible and no person should a= ccept
> more than 1M USD using a SPV wallet.

That doesn't make any sense. Against a SPV wallet you don't need th= at attack;
with that kind of budget you can fool it by just creating a fake block at f= ar
less cost, along with a sybil attack. Sybils aren't difficult to pull o= ff when
you have the budget to be greating fake blocks.

> Also the attack can be repeated: once you create the "extension p= oint"
> block, you can attack more and more parties without any additional
> computation.

That's technically incorrect: txouts can only be spent once, so you'= ;ll need to
do 2^40 work each time you want to repeat the attack to grind the matching = part
of the prevout again.

--
http= s://petertodd.org 'peter'[:-1]@petertodd.org
--00000000000060c77a056e34fdd1--