It would have to be very expensive coffee for the attacker to do such a thing as they would make a lot more money just by submitting the blocks for the block reward. So in that sense it is quite expensive. and also each block that is mined makes reorging exponentially more expensive as jonald_fyookball states.

The idea of making a double spend more expensive is interesting though. However, since there wont be consensus on all nodes as to whether there even was a double spend (we are talking about the chain reorging here), then I dont see how you can make double spending a specific input require more PoW in a way to achieve global consensus.

Unless...

If there was a separately maintained consensus of all 1 conf transactions (I think it can be proven this cant be done with 0confs), then we would have a global consensus on any attempt to double spend any outputs from this 1 conf list. So theoretically it would be possible to make the weight of any new chain that is attempting to double spend any output from the 1 conf list to be arbitrarily lower.

Just need to maintain a tree of such 1 conf txlists, and each reorg would spawn some sort of alternate 1 conf list. I think it is quite a lot of work, but probably not impossible to do. However, considering this is a hardfork and orders of magnitude more difficult than fixing malleability, it is unlikely that it will ever be done.

James

Lets hardfork!

I have seen two pairs of identical txids, back around block 90000 and they are in the blockchain

To fix this once and for all, would need to have a first come first served allocation of txid, so duplicates would be rejected. Kind of a mess if a reorg happens though...

other than during the malleability attack last year, how often are random third parties messing with txids of others? There seems to be no gain from this, so just vandalism?

It just seems like preventing tampering of txid by unrelated third parties should be fixed after all these years. Any other solution is just a workaround and needless complexity

James

Thanks for everybody's feedback, its good to know I am not alone.

Anyway, it seems that there is the possibility that some vandal to just intercept, modify and rebroadcast transactions, which would invalidate the refund transaction and if Bob can wait out the expiration time for the other half of the trade, he could cash in the coins safely.

I sure hope some BIP in upcoming hardfork will fix this problem as allowing unrelated third parties to change the txid is just wrong.

So for big money transactions, even a small risk like this is not a good thing. Alternative is to break up the trade into multiple pieces, which already can be done just by not trading increments larger than pain threshold.

I will also add an optional third signer for the multisig address, so that in the event that the txid was changed via malleability, the refund will be processed. Since if the refund is processed, then Bob is not out anything and if he just spends the funds, Alice can approve the NXT tx, so it might even be something safe enough to automate.

James

It seems that bitcoin still allows unrelated third parties to change the txid and while this would just be vandalism, it sure would be nice to close this exposure.

I posted a proposed solution for this, which hopefully can be included in an upcoming hardfork
https://bitcointalk.org/index.php?topic=303088.msg12349816#msg12349816

James

Ignoring compatibility issues, the following would fix this once and for all, wouldnt it?

**********
#define SIGHASH_TXID 0x40

change https://en.bitcoin.it/wiki/OP_CHECKSIG:
Final signature check
An array of bytes is constructed from the serialized txCopy appended by four bytes for the hash type and if SIGHASH_TXID is set followed by the txid. This array is sha256 hashed twice, then the public key is used to check the supplied signature against the hash. The secp256k1 elliptic curve is used for the verification with the given public key.
**********

also the txid cant include the sig. Not sure why the txid calc isnt using the same data as the signature calc.

James

If Bob quits, then how does that invalidate the refund transaction?

Alice creates funding tx and doesnt broadcast this until she is satisfied that the refund tx (and phased tx) are all valid.

Funding tx -> Refund tx, but also Bob can spend the Funding tx -> Bob's spending

But in the latter case, the pubkeyhash is revealed and Alice can approve the phasedtx

Alice creates the funding tx, Alice broadcasts the funding tx, the refund tx uses the funding tx as its input. If Bob bails after he signed the refund tx, then Alice would wait for her refund tx to mature and then submit it. By giving control over the funding tx to the party that relies on it, I think this is they key reason that my protocol works. Having NXT involved in the process acts as a sort of an independent third party as it makes Bob's side totally atomic and with one side totally atomic it is possible (just barely) to make Alice's side secure.

So what is the fundamental problem?

James

I dont think there is a problem with the way I am doing it. require Bob to wait for the funding tx to be confirmed in the blockchain. At that point malleability is not an issue. So if Alice is trying to cheat by making the funding tx invalid, Bob never spends the funds (since the funds arent there he cant spend them anyway) and as long as he never uses the onetime address (prior to finish height), then his side of the tx within the NXT phased tx will never get confirmed.

The sequence is:

Bob sends Alice the pubkeyhash and a phased tx that can only be approved when the pubkey to that pubkeyhash is revealed and this must happen for Bob to be able to spend the output.

The unspent output is created by Alice, but only the unsigned txbytes and the txid is sent to Bob.

He can then send to Alice a signed refund transaction using the 2of2 multisig side. Alice verifies everything is good at this point she has a fully signed refund transaction, but she cannot submit it to the network yet as it is timelocked.

At this point if she fiddles with the funding txid taking advantage of malleability, then she is just making it so that she cant get her refund, so it doesnt seem to make sense for her to do. And even if she did, Bob wont spend the funds until it is in the blockchain.

The edge case is that it gets into the blockchain and then reorgs, giving Alice a chance to make it malleable, but Bob already disclosed his pubkey. However, Bob controls the timing of his spend (up to timelock deadline), so he can wait until he is comfortable with the risks.

The malleability is a nasty issue, but unless anybody can find a specific malleability that breaks the protocol, it would seem that I have solved this.

Alice is the one that creates the funding transaction and the refund will be based on the txid for this, so it is only Bob that is at risk and he controls this by making sure there are enough confirms.

Does anybody see a malleability issue that isnt solved by the protocol?

James

Based on Tier Nolan's idea, I have made a way to atomically trade between BTC and NXT/NXTassets. I should be able to combine two such swaps so effectively a BTC <-> ALT (that supports p2sh) would be able to be done.

I lobbied for NXT to support pay on reveal of secret (to specific destination) where the funds are locked using rmd160(sha256(secret)) and it is released when the secret that hashes to that value is submitted.

It took several attempts to solve this and there could well still be some edge cases, and this will be going into InstantDEX as a meta-exchange called "wallet". So best to find any flaws before it goes into beta test.

Here is the protocol:

0. Alice and Bob agree to the terms of the trade and share the pubkeys of their published address. Bob sends the rmd160(sha256(onetimepubkey)) to Alice along with a NXT release on secret linked to the same hash.

1. Both calculate the same p2sh address which allows redemption via 2of2 multisig or normal spend by Bob's onetimepubkey

2. Alice sends to Bob an unsigned funding transaction to the p2sh address for the amount agreed upon.

3. Bob creates a multisig refund tx for the entire amount back to Alice timelocked into the future, signs and sends to Alice.

4. Alice verifies the refund is proper and if it is, broadcasts the funding transaction, which creates a spendable output

5. Due to malleability, Bob needs to wait until it has enough confirms (1 should be enough?) for the value being traded. When he is satisfied, he spends the funds from the p2sh address using the normal path and this publishes his pubkey.

6. Alice submits this pubkey to release the NXT side of the transaction.

The above is the theory, in reality there are a few nasty surprises. If you use timelock and have a sequenceid of -1, timelock is ignored and it gets into the blockchain right away and the input is marked as spent immediately. If you have a sequenceid that is not -1, it is rejected with {"code":-26,"message":"64: non-final"}. So, Alice will have to keep in pocket the refund transaction and make sure to submit it if Bob hasnt revealed his pubkey.
 
This was from a manual run:

Alice addr:14XrJHhqMvDszMMwKR2d6u5PPvDeRieQoG -> 03b4143b6e7a064a78bc66dab0ca72251fea3d6fd8db1f4c48b91996d7af62dd05
Bob addr: 17Y5rr67RpTtuCd929dS6muyKZmjqJZQpr -> 037387677a21b8ebb472ff2d00892098dcd990a9a21b09b8e22aefece8b1cbbdc0
Bob's onetime addr 1NBKFDmmHSpSzFnP9bX5bDWnm9zqD6nUv4 -> 03c8a7e64c763e908549aa0f93974ab346a559b486eba32bf14338542b4282b916 -> e84e0808b8cd32c38fa2093a490efabc6be53d7a

Both can now calculate p2sh address of 37FsSwJ59z5UuRjNFjtfNYWVFquBEsUGHC from the redeemscript:
OP_IF OP_2 03b4143b6e7a064a78bc66dab0ca72251fea3d6fd8db1f4c48b91996d7af62dd05 037387677a21b8ebb472ff2d00892098dcd990a9a21b09b8e22aefece8b1cbbdc0 OP_2 OP_CHECKMULTISIG
OP_ELSE OP_DUP OP_HASH160 e84e0808b8cd32c38fa2093a490efabc6be53d7a OP_EQUALVERIFY OP_CHECKSIG
OP_ENDIF

I just combined a standard 2of2 and standard pubkeyhash into an conditional, but having never dealt with p2sh till this weekend, nor with signing of bitcoin tx, it was quite a lot of work to get this working as there doesnt seem to be any real support for custom p2sh scripts. Anyway, thanks to jgarzik's libbcoin, I was able to get the signing working in a day and stumbled about figuring out the "obvious" things about p2sh scripts.

[As an aside, if there is a way to verify that e84e0808b8cd32c38fa2093a490efabc6be53d7a is from the third pubkey of a 2of3 multisig address, then there would have been no need for any custom redeemscript. Just normal spends to a 2of3 multisig would have worked (with bob having 2 of the three addresses). Unfortunately I think it is crypto hard to go from msig address + pubkeyhash and 2 of 3 pubkeys to the third pubkey. And if that is not possible, then Alice has no way to know that bob didnt just give her a bogus pubkeyhash]

Bob sends to Alice: e84e0808b8cd32c38fa2093a490efabc6be53d7a
NXT tx: 1117487717739855000 hashed_secret:   cc863b881f35bbeca374b25d018d4e17dc4aa19b Hash:   RIPEMD160_SHA256

and Signed refund tx in pocket: 0100000001a9b3602a28960f1d855d1f52eea54f5e8b6fff469d54083ce433962b1c16dfe100000 000f800483045022100d1439b9170a6d14e07dc6a11dd5c1aab80df302fe4f1de77e12c7859ba20 361f02202dcc946b75995b62fb798b68e9bd443988c4004187f3c5cae52831b9415a712c0147304 40220754d43345edbeffd25cdfc6cbed16f59b1ef25c02092ff1752f0386e6a624e3d022075ef75 78ccb2bbd0a8c58394ed7e4c5803b6ee66691623342fe19862146fda9f01514c6363522103b4143 b6e7a064a78bc66dab0ca72251fea3d6fd8db1f4c48b91996d7af62dd0521037387677a21b8ebb4 72ff2d00892098dcd990a9a21b09b8e22aefece8b1cbbdc052ae6776a914e84e0808b8cd32c38fa 2093a490efabc6be53d7a88ac68a510ec550130750000000000001976a91426be0216d0089626b3 fc3a81f7d844f31a47e0fd88ac34b20500

then Alice broadcasts funding tx e1df161c2b9633e43c08549d46ff6f8b5e4fa5ee521f5d851d0f96282a60b3a9

Bob sees it on the blockchain and spends: 176026872b52b952c4649ee0b44026f87e2282aaaea7994117659a699662ae0a which reveals 03c8a7e64c763e908549aa0f93974ab346a559b486eba32bf14338542b4282b916.

Alice see's Bob's spend and submits an NXT phasing approval tx.

Prior to Alice funding the p2sh address, at worst some of Bob's temporary NXT reserves are held up for a time. After the trade is funded, we have a few cases:

a) Bob spends, Alice approves, both are happy
b) Bob doesnt spend to his address, then after timelock, Alice is able to submit the timelocked refund
c) edge cases: ?

clearly the timelocks need to be set properly, maybe 10 BTC blocks ahead and make it double the estimated time on the NXT side

All steps other than 5, can happen in seconds, so this is a BTC block timeframe in the mainstream case, 10 BTC blocks in the refund case. Not bad for a fully decentralized trade.

Once I verify a timelocked tx I am making can be submitted after the specified block, then I will fully integrate this into InstantDEX

James

as long as you used high entropy R value, your privkey should be safe. However, the destination address should be viewable by anybody that does a decoderawtransaction as it isnt encrypted and just packed in the txbytes https://en.bitcoin.it/wiki/Transaction

With ramchains I have encoded all unspents (actually all addresses and txids too) in a 32 bit integer (rawind). 4 billion should be enough for a while, though it will need to be expanded in size in a few years for some of the tables.

Internally all operations are 10x (or more) faster due to just dealing with small integers.

As long as this is used internally, it actually doesnt matter about reorgs where the renumbering that will be different on different nodes.  However, by having a strict ordering of each block, txid within a block, vin and vout within tx, then given that all nodes are in consensus then all the 32 bit rawinds will be in consensus.

Since the exact value associated with each rawind is not needed as much as the rawinds themselves, the actual values can be stored in a memory mapped file without any overhead for indexing since they are fixed size. Just multiply the rawind by the itemsize to get the offset in the file.

The total size of all the rawinds with enough information to construct multisig spends and update all address unspent balances in realtime, it is just several gigabytes and even counting all of the data, it is around 10gb, so it achieves a nice space savings, especially with about 70% of that in memory mapped files and not using up RAM. However I dont have this as the native block format yet, so it is in addition to the standard blockchain.

On top of the ramchain data structures, I have made an Lchain, which is a snapshot every 1000 blocks of the state of all the tables, along with a cumulative SHA256 for all changes to the state of the tables. This allows for different nodes to verify consensus of the exact state of all the internal tables at specific blocks, via a combined ledgerhash and if there is a discrepancy, the exact table that is mismatched is identified.

Internally, each block generates events that change the state of a dozen different tables. So the state at block N+1 is the state of block N as modified by all the events in that block. By having a snapshot every 1000 blocks, the state of any block can be recreated with an average of 500 blocks of event updates.

If all nodes are running Lchains, then the nodes can bootstrap by verifying getting the 370 Lchain snapshots in parallel and then also getting the events between each snapshot. I dont think it would need to do it redundantly (except maybe the most recent ones), as each snapshot must match exactly. I dont have this bootstrapping coded yet, but once it is in place, then the blockchain storage requirement for each node can be reduced by 90%+.

The way to do that is to have each node archive the Lchain events between 4 random snapshots and the next one. [all nodes can easily store all the 370 snapshots as they are not very large]

Since the archive will be decentralized with TOTALNODES/100 coverage, this seems adequate, though some archival nodes would probably want to keep a complete history. This way, all nodes can have a complete distilled blockchain and the ability to reconstruct the total state as of any block quite efficiently.

I am quite busy with my projects and I dont think I will have a chance to improve the ramchains/Lchain codebase for a while, so I hope some other devs will be interested. With improvements in this area, a lot more transactions will fit into 1MB.

James

https://github.com/jl777/btcd/blob/master/libjl777/plugins/coins/coins777.c
https://github.com/jl777/btcd/blob/master/libjl777/plugins/ramchain/ramchain.c

How does http://blog.cr.yp.to/20140205-entropy.html relate to the assertion that bounded entropy is bad? Bitcoin's reused R value attacks arise since it requires new entropy for each transaction, while with the curve25519 this does not seem to be the case.

James

how is getting corecoin and XT coin both, instead of just one of them speculative?
It would seem that someone could make some sort of mathematical proof that (corecoin + XTcoin) >= corecoin and also that (corecoin + XTcoin) >= XTcoin

Then again, math is my weak point so I must be missing something

James

I never thought there will be the day I agree with icebreaker

Let us not quibble over exact details, since it is not possible to predict exact amount. So using your numbers of 90/10 split:

"The backlog will only begin to clear when the difficulty is readjusted and the block rate returns to ~10-15 min.  The adjustment happens every 2100 blocks, with is normally 2 weeks but in that chain will be 20 weeks."

OK, it is 6 months later and blocks are back to normalish rates. With all of the existing bitcoin infrastructure are you saying that it wont be a viable altcoin? That LTC is worth more than old bitcoin? That NMC is worth more then old bitcoin?

Did you consider that there are a lot of people that use bitcoin and if dont update to a new wallet and they see that they received an old bitcoin, maybe they just accept it. doesnt even the Mtgox bitcoins sell for amounts > $0?

To be so confident that multibillion dollars of existing value will just vanish within weeks, this just does not pass the common sense test.

James

I dont understand how if 1MB bitcoin survives (as losing fork) how there will be a growing backlog of unconfirmed tx? The assumption is that  if it loses, fewer people will use it, but maybe if all the miners abandon it CPU mining would become viable again. As long as the diff readjustments happen, the blocktimes will eventually get back to the 10 minutes per block.

but if as you say that the XT miners will aggressively attack the original to kill it, then it seems the tyranny of the majority. To be able to make the real bitcoin into an altcoin.... I never imagined this would be possible

James

I would think that all merge mined altcoins will still work with which ever BTC survives, maybe each such altcoin might need to hardfork too. not sure on the details, but i dont see this as any insoluble issue for merge mined alts

If bitcoin was fully centralized and had a command structure where everybody had to obey, then maybe 2 weeks for a global update would be ok, though still on the edge of doable.

As it is, with the protocol design, the likely outcome is that the combined market cap will be split between the two variants as long as either has any chance of winning and even after a clear winner emerges, the remaining altcoin (be it original or XT) will still hang on for months

What I dont understand is why is this ultimatum sort of mechanism even existing?