From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WGCcP-0005pO-FE for bitcoin-development@lists.sourceforge.net; Wed, 19 Feb 2014 19:15:41 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of taplink.co designates 50.117.27.232 as permitted sender) client-ip=50.117.27.232; envelope-from=jeremy@taplink.co; helo=mail.taplink.co; Received: from mail.taplink.co ([50.117.27.232]) by sog-mx-4.v43.ch3.sourceforge.com with smtp (Exim 4.76) id 1WGCcO-0003AJ-AO for bitcoin-development@lists.sourceforge.net; Wed, 19 Feb 2014 19:15:41 +0000 Received: from laptop-air ([192.168.168.135]) by mail.taplink.co ; Wed, 19 Feb 2014 11:15:45 -0800 Content-Type: multipart/alternative; boundary=----------F30ly8iv54fevWQyOqsWmx To: "Alan Reiner" , "Allen Piscitello" References: <20140210030048.GB31925@savin> Date: Wed, 19 Feb 2014 11:15:39 -0800 MIME-Version: 1.0 From: "Jeremy Spilman" Organization: TapLink Message-ID: In-Reply-To: User-Agent: Opera Mail/1.0 (Win32) X-Spam-Score: -1.2 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WGCcO-0003AJ-AO Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] [RFC] [BIP proposal] Dealing with malleability X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Feb 2014 19:15:41 -0000 ------------F30ly8iv54fevWQyOqsWmx Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit > Longer term it would be more ideal have a canonical identifier for the > transaction before it even gets to the chain to support these use cases, > even if >wallets are able to properly identify the status of it's > transactions. > -Allen > > One possible work-around to get back trusted transaction chaining for payment channels and locked refunds from multi-sig would be to make the initial transaction include zero fee, and depend on child-pays-for-parent in order to get the first and follow-on transactions into a block. This of course only works for protocols where the parties don't need the initial funding transaction to actually hit the blockchain right away. But this relies on two assumptions; 1) that miners won't include a zero-fee transaction in the blockchain, and 2) that miners actually implement child-pays-for-parent. It's definitely not the same security as-if you had immutable txid, but it's something to consider. 1) Mutants may cause wallet spam and difficulty calculating balance (and wallets will evolve to deal with it) 2) Mutants cause DoS because they can interfere with your own transaction chains, which for example makes batch off-line processing much more difficult 3) Mutants introduce a 3rd party attacker into any two-party protocol that relies on chains There's a lot to digest in the 'v3' transaction/block proposal. It sounds like there may be some uncertainty over whether we can *prove* that v3 transactions in v3 blocks would actually be guaranteed immutable with these changes? If we cannot fully prove a Tx is immutable, then is it actually worth taking steps to make it seem immutable, or is that just a false sense of security in the cases where chained transactions were actually expected to be reliable? Under that thinking, maybe it's best to accept mutants as a fact of life, and only consider protocols and techniques that cannot be broken by mutants. In what cases does reducing the sources of malleability, but not necessarily eliminating from a security proof perspective, actually help? Basically, if we don't know that we will succeed, isn't there really no point in trying? ------------F30ly8iv54fevWQyOqsWmx Content-Type: multipart/related; boundary=----------F30ly8iv54fevWYBgCGUP7 ------------F30ly8iv54fevWYBgCGUP7 Content-Type: text/html; charset=iso-8859-15 Content-ID: Content-Transfer-Encoding: Quoted-Printable

Longer term it = would be more ideal have a canonical identifier for the transaction befo= re it even gets to the chain to support these use cases, even if wallets= are able to properly identify the status of it's transactions.  

-Allen

One possible work-around to get back trusted transaction chaining f= or payment channels and locked refunds from multi-sig would be to make t= he initial transaction include zero fee, and depend on child-pays-for-pa= rent in order to get the first and follow-on transactions into a block. = This of course only works for protocols where the parties don't need the= initial funding transaction to actually hit the blockchain right away.<= /div>

But this relies on two assumptions; 1) that min= ers won't include a zero-fee transaction in the blockchain, and 2) that = miners actually implement child-pays-for-parent. It's definitely not the= same security as-if you had immutable txid, but it's something to consi= der.

1) Mutants may cause wallet spam and difficulty calculating balance= (and wallets will evolve to deal with it)
2) Mutants cause Do= S because they can interfere with your own transaction chains, which for= example makes batch off-line processing much more difficult
3= ) Mutants introduce a 3rd party attacker into any two-party protocol tha= t relies on chains

There's a lot to diges= t in the 'v3' transaction/block proposal. It sounds like there may be so= me uncertainty over whether we can *prove* that v3 transactions in v3 bl= ocks would actually be guaranteed immutable with these changes?

If we cannot fully prove a Tx is immutable, then is it = actually worth taking steps to make it seem immutable, or is that just a= false sense of security in the cases where chained transactions were ac= tually expected to be reliable? Under that thinking, maybe it's best to = accept mutants as a fact of life, and only consider protocols and techni= ques that cannot be broken by mutants.

In what = cases does reducing the sources of malleability, but not necessarily eli= minating from a security proof perspective, actually help? Basically, if= we don't know that we will succeed, isn't there really no point in tryi= ng?
------------F30ly8iv54fevWYBgCGUP7-- ------------F30ly8iv54fevWQyOqsWmx--