From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 5CEEC1373 for ; Fri, 2 Aug 2019 13:08:49 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-oln040092066046.outbound.protection.outlook.com [40.92.66.46]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 99880832 for ; Fri, 2 Aug 2019 13:08:47 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JoEEAUl9rL1ZZqVlFivWjvypS2o/x4Ube+u5av615onj+gT6znATJD/5kGog04Kq+3ybMm1F2stE1uaNcKw3/VM0nDKkBNn3pmskPqSZE0OyYgz7wYroti7sOpZ5LuP55iO5DSjOedYW99O4RMuhhjAwxyVr00vZPb52brEvgtO3x/d9HdkOPwzJOOzGqcjpEOP1UYbFIi6H2W/7KgFmYc7QLacIvNYEpW/nzvv3iAGuFUf7BLmkd2g7aDZi8jQ6aVZfjfBTdRIukOd7SY+N+wN4ROBSpVIS8hqvKkC4hDwLH7JI3fo/qcIErL4HFjCA8R839XG43bxGi49J6qwOgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=J6SQoA7d5xGUbdRzgD4h6q1VarJ/5+tXBbCTtBqAltQ=; b=d/mxq6fRsEyFhBZzjOqNh34ZoKbSkiADyVgLfEp8DgsLiCZl/007VPeCXn1XWuQrXifvb7u7tiXL98TO3MQGn+jXFGMQnF5SMgpWGS6d6etJCJCgl4PGsS2g/RWGKfr3pyLXrMYjrHUJIcLUZUneKRfreiblvQcSs3iXTpWZYyvfXSg3k+zmktxiOy9MF8qATmXlXfnkwSTTlX1FAOo38Va0AYNs3dP31xciHNFjKw4Y413YstJz4aoupaervWvdUyHwA1R3C+sIh/2zB2njCYEEkva3+cyikFWcYXdEMYti42xO2tZGkL8AesOvq+j5SrcyHQVtRRiaLQz6RDZhng== ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=none;dmarc=none;dkim=none;arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=J6SQoA7d5xGUbdRzgD4h6q1VarJ/5+tXBbCTtBqAltQ=; b=dCethdMG2Xm8NqT5ngaG4ZF2yqtC+GPOrHxmPixTfkmnnk61fC89N5CWA5lyfenwiwgGqlsaL+nMJf8ABaN5qvo1wqiamfLs2HvMrR+GUf5c9qHNJi4UiMmrxeGPdbhj/uYDPhfh4GrEDrVjMom5pn2CelLxF55K9BsdoWtFuyk4myvm/iVe43aEH2YEOj26QVIl2H5bLXLAtSdgN9WCs7LqFn/PH/0ZU/tAwiTgrECq98bMm0nNed6NS9OTVHEahPdmMXvseh4EQpSKqxiNL113+7IPs6X3AgqZqXqAe6ucncTY32S9N2C66jWPicP0aEKN29g/WRuCXaWsKCtjLA== Received: from HE1EUR01FT048.eop-EUR01.prod.protection.outlook.com (10.152.0.59) by HE1EUR01HT022.eop-EUR01.prod.protection.outlook.com (10.152.0.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2136.14; Fri, 2 Aug 2019 13:08:45 +0000 Received: from DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM (10.152.0.56) by HE1EUR01FT048.mail.protection.outlook.com (10.152.1.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2136.14 via Frontend Transport; Fri, 2 Aug 2019 13:08:44 +0000 Received: from DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM ([fe80::cc12:47f0:aa33:6b70]) by DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM ([fe80::cc12:47f0:aa33:6b70%3]) with mapi id 15.20.2115.005; Fri, 2 Aug 2019 13:08:44 +0000 From: "Kenshiro []" To: Ethan Heilman , Bitcoin Dev Thread-Topic: [bitcoin-dev] Add a moving checkpoint to the Bitcoin protocol Thread-Index: AQHVR5sdyaW9NUkjL067/8euo+yr/KbkwSWAgAAJxaeAAAS0t4AC+h2AgAAG9aE= Date: Fri, 2 Aug 2019 13:08:44 +0000 Message-ID: References: <28454621.Lge63Ifvux@dprfs-d5766> , In-Reply-To: Accept-Language: en-US, es-ES Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-incomingtopheadermarker: OriginalChecksum:800749B4EB23B3C5485C905106106BA4FB54951513AD58E9CC7D0456164CD4D5; UpperCasedChecksum:7ECDDD0F7ECB4A02AE492B206A8E680506BD712F05E1B9E8DDEBF19A972B1DC9; SizeAsReceived:7130; Count:43 x-tmn: [XoCVeJ4N2KoJVxP3VmjNI8GepW8XwPnH] x-ms-publictraffictype: Email x-incomingheadercount: 43 x-eopattributedmessage: 0 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(5050001)(7020095)(20181119110)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031322404)(2017031323274)(2017031324274)(1601125500)(1603101475)(1701031045); SRVR:HE1EUR01HT022; x-ms-traffictypediagnostic: HE1EUR01HT022: x-ms-exchange-purlcount: 1 x-microsoft-antispam-message-info: /vk70iCmWLJCXcYq6kPxG8KY7vc1tif3y9ycluMtAN1VPSgOh82eQh8F+s5JVDc8rAsYq3Dsdvv1A5iPDQZFvqsL7Oi+3UAGAPlVzzKAErR3SjdhsPY3D8ay+m9SjrcwftowPKeBQ0HSG32t2FIm3vHyg3HQ/hnIyCaxu/lzZpVYAg6Ar9lMfpfaItnqRl/D Content-Type: multipart/alternative; boundary="_000_DB6PR10MB1832110D67FB7FBD1AF5E3EDA6D90DB6PR10MB1832EURP_" MIME-Version: 1.0 X-OriginatorOrg: hotmail.com X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-CrossTenant-Network-Message-Id: 879fe915-8992-4756-c20e-08d7174a8c89 X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Aug 2019 13:08:44.8362 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR01HT022 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 02 Aug 2019 14:36:21 +0000 Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin protocol X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Aug 2019 13:08:49 -0000 --_000_DB6PR10MB1832110D67FB7FBD1AF5E3EDA6D90DB6PR10MB1832EURP_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi all, Very good points. I did some clarifications in a private conversation, the = new rule is making the moving checkpoint valid only if the difference in bl= ocks between the main chain and the new fork is smaller than X blocks, like= for example 3 days of blocks, so after a long network split everyone can f= inally follow the longest chain: With the current protocol the fix to a network split is simple, the longest= chain win. But with the moving checkpoint I'm proposing we have a problem = if both chains began to differ more than N blocks ago, the forks are perman= ent. So we need an additional rule to ignore the moving checkpoint, a limit= of X blocks: If a node sees a fork longer than his main chain, and the fork has at least= X blocks more than the main chain, then the node ignore the moving checkpo= int rule, and it follows the fork, the longest chain. So as an example, the moving checkpoint could be 24 hours of blocks, and th= e limit of X blocks, the blocks of 3 days. So we have 2 possible situations to consider: - 51% attack: the blocks older than 24 hours are protected against a histo= ry rewrite during at least 3 days, in that time developers could release an= emergency release with another mining algorithm to stop the attack. - Network split: if the network split is older than N blocks, we have 2 per= manent forks (or chains), but in 3 days (or more) the blockchain heights wi= ll differ in more than X blocks (the blocks of 3 days) because there will b= e more miners in one chain than in the other so finally the loser chain wil= l be abandoned and everyone will follow the longest chain. It could be even more conservative, like 48 hours for the moving checkpoint= and a block limit of 7 days of blocks. Regards, ________________________________ From: Ethan Heilman Sent: Friday, August 2, 2019 14:19 To: Kenshiro [] ; Bitcoin Dev Cc: Alistair Mann Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin protocol Attack 1: I partition (i.e. eclipse) a bunch of nodes from the network this partition= contains no mining power . I then mine 145 blocks for this partition. I do= n't even need 51% of the mining power because I'm not competing with any ot= her miners. Under this rule this partition will hardfork from the network p= ermanently. Under current rules this partition will be able to rejoin the n= etwork as the least weight chain will be orphaned. Attack 2: I pre-mine 145 blocks. A node goes offline for 24 hours, when it rejoins I = feed it 145 blocks which fork off from the consensus chain. I have 24+24 ho= urs to mine these 145 blocks so I should be able to do this with 25% of the= current hash rate at the time the node went offline. Under your rule each = of these offline-->online nodes I attack this way will hardfork themselves = from the rest of the network. I believe a moving-checkpoint rule as describe above would make Bitcoin mor= e vulnerable to 51% attacks. A safer rule would be if a node detects a fork with both sides of the split= having length > 144 blocks, it halts and requests user intervention to de= termine which chain to follow. I don't think 144 blocks is a great number = to use here as 24 hours is very short. I suspect you could improve the secu= rity of the rule by making the number of blocks a fork most reach to halt t= he network proportional to the difference in time between the timestamp in = the block prior to the fork and the current time. I am **NOT** proposing Bi= tcoin adopt such a rule. NXT has a fundamentally different security model as it uses Proof-of-stake = rather than Proof-of-Work. On Wed, Jul 31, 2019 at 2:37 PM Kenshiro [] via bitcoin-dev > wrot= e: P.S.: To be clearer, in this example I set an N value of 144 blocks, which = is approximately 24 hours. ________________________________ From: Kenshiro [] > Sent: Wednesday, July 31, 2019 16:40 To: Alistair Mann >; Bitcoin Protocol Dis= cussion > Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin protocol >>> How would a (potentially, state-sponsored) netsplit lasting longer than= N be handled? It would be detected by the community much before reaching the reorg limit = of N blocks (it's 24 hours) so nodes could stop until the netsplit is fixed= . In the extreme case no one notice the network split during more than N bloc= ks (24 hours) and there are 2 permanent forks longer than N, nodes from one= branch could delete their local history so they would join the other branc= h. Regards, ________________________________ From: Alistair Mann > Sent: Wednesday, July 31, 2019 15:59 To: Kenshiro [] >; Bitcoin = Protocol Discussion > Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin protocol On Wednesday 31 Jul 2019 12:28:58 Kenshiro [] via bitcoin-dev wrote: > I would like to propose that a "moving checkpoint" is added to the Bitcoi= n > protocol. It's a very simple rule already implemented in NXT coin: > > - A node will ignore any new block under nodeBlockHeight - N, so the > blockchain becomes truly immutable after N blocks, even during a 51% atta= ck > which thanks to the moving checkpoint can't rewrite history older than th= e > last N blocks. How would a (potentially, state-sponsored) netsplit lasting longer than N b= e handled? -- Alistair Mann _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev --_000_DB6PR10MB1832110D67FB7FBD1AF5E3EDA6D90DB6PR10MB1832EURP_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi all,

Very good points. I did some clarifications in a private conversation, the = new rule is making the moving checkpoint valid only if the difference in bl= ocks between the main chain and the new fork is smaller than X blocks, like= for example 3 days of blocks, so after a long network split everyone can finally follow the longest chain:<= /div>

With the current protocol the fix to a network split is simple, the longest= chain win. But with the moving checkpoint I'm proposing we have a problem = if both chains began to differ more than N blocks ago, the forks are perman= ent. So we need an additional rule to ignore the moving checkpoint, a limit of X blocks:

If a node sees a fork longer than his main chain, and the fork has at = least X blocks more than the main chain, then the node ignore the moving ch= eckpoint rule, and it follows the fork, the longest chain.

So as an example, the moving checkpoint could be 24 hours of blocks, a= nd the limit of X blocks, the blocks of 3 days.

So we have 2 possible situations to consider:

- 51% attack:  the blocks older than 24 hours are protected again= st a history rewrite during at least 3 days, in that time developers could = release an emergency release with another mining algorithm to stop the atta= ck.

- Network split: if the network split is older than N blocks, we have= 2 permanent forks (or chains), but in 3 days (or more) the blockchain heig= hts will differ in more than X blocks (the blocks of 3 days) because there = will be more miners in one chain than in the other so finally the loser chain will be abandoned and everyon= e will follow the longest chain.

It could be even more conservative, like 48 hours for the moving checkpoint= and a block limit of 7 days of blocks.

Regards,




From: Ethan Heilman <eth= 3rs@gmail.com>
Sent: Friday, August 2, 2019 14:19
To: Kenshiro [] <tensiam@hotmail.com>; Bitcoin Dev <bitcoin= -dev@lists.linuxfoundation.org>
Cc: Alistair Mann <al@pectw.net>
Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin pr= otocol
 
Attack 1:
I partition (i.e. eclipse) a bunch of nodes from the network this partition= contains no mining power . I then mine 145 blocks for this partition. I do= n't even need 51% of the mining power because I'm not competing with any ot= her miners. Under this rule this partition will hardfork from the network permanently. Under current rules = this partition will be able to rejoin the network as the least weight chain= will be orphaned.

Attack 2:
I pre-mine 145 blocks. A node goes offline for 24 hours, when it rejoins I = feed it 145 blocks which fork off from the consensus chain. I have 24+2= 4 hours to mine these 145 blocks so I should be able to do this with 25% of= the current hash rate at the time the node went offline. Under your rule each of these offline-->online nodes= I attack this way will hardfork themselves from the rest of the network.
I believe a moving-checkpoint rule as describe above would make Bitcoin mor= e vulnerable to 51% attacks.

A safer rule would be if a node detects a fork with both sides of the split= having  length > 144 blocks, it halts and requests user interventi= on to determine which chain to follow.  I don't think 144 blocks is a = great number to use here as 24 hours is very short. I suspect you could improve the security of the rule by making the = number of blocks a fork most reach to halt the network proportional to the = difference in time between the timestamp in the block prior to the fork and= the current time. I am **NOT** proposing Bitcoin adopt such a rule.

NXT has a fundamentally different security model as it uses Proof-of-stake = rather than Proof-of-Work.

On Wed, Jul 31, 2019 at 2:37 PM Ken= shiro [] via bitcoin-dev <bitcoin-dev@lists.linuxfoun= dation.org> wrote:
P.S.: To be clearer, in this example I set an N value of 144 blocks, which = is approximately 24 hours.


From: Kenshiro [] <tensiam@hotmail.com>
Sent: Wednesday, July 31, 2019 16:40
To: Alistair Mann <al@pectw.net>; Bitcoin Protocol Discussion &l= t;bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin pr= otocol
 
>>> How would a (potentially, state-sponsored) netsplit= lasting longer than N be
handled?  

It would be detected by the community much before reaching the reorg = limit of N blocks (it's 24 hours) so nodes could stop until the netsplit is= fixed. 

In the extreme case no one notice the network split during more than = N blocks (24 hours) and there are 2 permanent forks longer than N, n= odes from one branch could delete their local history so they would join th= e other branch.

Regards,



From: Alistair Mann <al@pectw.net>
Sent: Wednesday, July 31, 2019 15:59
To: Kenshiro [] <tensiam@hotmail.com>; Bitcoin Protocol D= iscussion <bitcoin-dev@lists.linuxfoundation.org&= gt;
Subject: Re: [bitcoin-dev] Add a moving checkpoint to the Bitcoin pr= otocol
 
On Wednesday 31 Jul 2019 12:28:58 Kenshiro [] via bitcoin-dev wrote:

> I would like to propose that a "moving checkpoint" is added = to the Bitcoin
> protocol. It's a very simple rule already implemented in NXT coin:
>
> - A node will ignore any new block under nodeBlockHeight - N, so the > blockchain becomes truly immutable after N blocks, even during a 51% a= ttack
> which thanks to the moving checkpoint can't rewrite history older than= the
> last N blocks.

How would a (potentially, state-sponsored) netsplit lasting longer than N b= e
handled? 
--
Alistair Mann

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundati= on.org/mailman/listinfo/bitcoin-dev
--_000_DB6PR10MB1832110D67FB7FBD1AF5E3EDA6D90DB6PR10MB1832EURP_--