Isn't there a timing risk here, where Bob is lucky enough to have his transaction included in a solved block, before Alice managed to reveal that she has won? Maybe we can disallow anyone to spending Bob's output for several blocks and allow Alice to spend the inputs even after Bob's transaction was included in a block, but it's a little messy for the Bitcoin nodes to verify that?
What the BUT clause allows is to claim the win if the loser intentionally disconnects. To avoid problems that you mention, as you also suggest, probably you would want to place a lock-time on the "loser aborted" win proceeds transaction. The point is I have the proof he aborted in the form of his commitment and the absence of his reveal. Now if the messages are offline there is one further permutation which is a false "loser aborted" (where party A did receive message 3 but falsely claims not to have) however that is easily remedied by the loser broadcasting message 3. Since Bob should be able to spend the bet inputs if Alice aborts instead of revealing her committed random secret r=a, we could try to have a nicer option where Bob broadcasts to the Bitcoin network a transaction that must have some sort of locktime which specifies that the Bitcoin miners should keep this transaction in their memory pool and must not include it inside a solved block for the next few blocks, but Bob could still try to mine the block himself or bribe other miners to include his transaction. The thing is that there should be some point in time where it's valid for Bob's transaction to be included in a block, and therefore Bob could broadcast it just before that point in time. So in order to deal with the timing issue, it seems to me that we must allow Alice to spend the bet inputs even after the random value b that Bob chose (and hashed with w and signed) is included in a block. I'm still not sure what'd be the cleanest way to do it, maybe if Alice aborts then Bob should first broadcast some special "reveal" transaction that doesn't specify outputs, and either Alice or Bob could spend the bet inputs after this "reveal" transaction is included in a block. If I'm missing some simple observations and there are cleaner ways to handle the timing issue, please explain. |
|
|
|
So setup as before using your example, first both parties create a multi-input coin with a game script plus a lock-time refund in case of failure (1 btc each in and 1btc each change and payment after lock-time).
Then normal interactive proof is A->B: witness (w), B->A: challenge (c), A->B response (r)
1. A->B: w=H(a), SIG(A,w) for random a
2. B->A: c=H(b,w,SIG(A,w)),SIG(B,c) for random b
[optional 3. A->B: r=a TEST(a+b mod n > n/2)]
If we say that the signature 2. is valid already and B can claim the winnings just by providing c of the given form and his signature (which verification goes in the original script). This default win script clause is chosen so it proves who went first because the challenge includes the witness (which includes a signature from A), and the challenge is itself signed by B.
Then we allow an override (higher priority OR or a separable BUT clause) which says A can claim he won instead if he can show that is the case (eg a+b mod n > n/2).
This overcomes the problem that A coming last has an incentive to abort if he loses and wait for the lock-time to return his funds. If he aborts he already lost. As he lost his incentive to cheat, he may instead (non-hacked game clients) could actually reveal preimage a even if he lost. If A does not reveal losing preimages B may elect to not play further games. The motivation to want preimage a to be revealed normally anyway is that it starts the confirmation clock rolling earlier if users want confirmations, and even with 0-confirmation users probably want to have assurance they won before betting more.
Adam
So in your step (2) Bob will broadcast to the Bitcoin network a transaction that references b,c,SIG(B,c),w,SIG(A,w) and spends the inputs of the bet, and if Alice wishes to win the bet then she has to broadcast to the Bitcoin network her competing transaction before Bob's transaction is included in a block, and her transaction will reference a,b,c,SIG(B,c),w,SIG(A,w) to show that TEST(a+b mod n > n/2) passes? And because of the special override op that the script specifies, the miners will respect Alice's transaction and remove Bob's transaction from their memory pool? Isn't there a timing risk here, where Bob is lucky enough to have his transaction included in a solved block, before Alice managed to reveal that she has won? Maybe we can disallow anyone to spending Bob's output for several blocks and allow Alice to spend the inputs even after Bob's transaction was included in a block, but it's a little messy for the Bitcoin nodes to verify that? |
|
|
|
But I have a simpler more generic new idea - let the committing party win by default, the loser if he loses has nothing to do, and if he wins he overrides the committing party. It would require the introduction of the concept of an override (like this signature wins, but this signature can override it).
Can you please elaborate? How would the winner of the bet be chosen if only one party commits? I should say that the two advantageous properties of the OP are (1) it works with Bitcoin as it is now so there's no need to fork the Bitcoin protocol, and (2) bets of relatively small amounts can be instant because 0-confirmations security is enough. If we don't care for these two properties, then I think that we can have a much more simple protocol by adding to the Bitcoin scripting language an opcode that puts on the stack the hash of the block in which the transaction resides. This way the script can access a pseudorandom value that neither Alice nor Bob can control, and the winner of the bet can be selected according to (say) the LSB of this value. If Alice has say 10% of the total hashpower then the best that she can do is not to broadcast the block that she solved if its LSB would cause her to lose the bet, i.e. 90% of the total hashpower is working to generate a fair coin toss, 5% of the total hashpower is working to generate a coin toss where Alice wins the bet, and 5% of the total hashpower doesn't participate. |
|
|
|
How much coins are we talking about that we want to avoid a third-party? Or is this just an academic exercise? For real world usage, just ask a third party. I'll gladly handle your coin toss for 1000 BTC.
Tipping the dealer is optional, but appreciated.
Just to clarify, when you play against a centralized service such as SatoshiDice or Just-Dice, there is no third party, i.e. if we use the same terminology then the centralized service is Alice and you are Bob. When these centralized services proclaim that they are "provably fair", they neglect to mention that their protocol only gives "security with aborts", i.e. it's fair only under the assumption that the parties don't abort. So if you bet a very large amount X by supplying your seed that's supposed to be hashed with the preimage of the public value that the centralized server published, then the centralized server can claim "technical error, our data was lost, please try again" instead of revealing the preimage in case it sees that it'd lose. Granted, the reputation of these centralized services is important to them so they wouldn't try to pull this trick, but on the other hand there's a house edge (i.e. it's not a fair coin) because these centralized services are suppose to generate a profit. The purpose of this protocol is to allow two individuals Alice and Bob to do an atomic fair coin toss, meaning that if either Alice or Bob aborts then nothing happens (i.e. they both retain the X coins that they started with), and if both of them follow the protocol then one of them receives the 2X coins and the other loses, with equal probability. Using an escrow/dealer as you suggested is unneeded, and entails risks. When the amount X of the bet is relatively small then this entire protocol can be instant (0-confirmations security), and when X is relatively large then the parties can wait for the Bitcoin network to generate one or more blocks, according to the security level that they wish to have. This basic protocol could be used on some centralized gambling site where the centralized site just allows individuals to play with each other, or the centralized site can play against an individual in a completely secure way. BTW because Alice and Bob commit a secret that consists of many bits, we can easily do bets with a biased coin where the party who has the worse odds would win the larger amount. |
|
|
|
My suggestion: 1. Alice and Bob each lock up 3x the amount of bet using special insurance transaction: https://bitcointalk.org/index.php?topic=273539.02. Alice shows SHA256(X) to Bob. 3. Bob shows SHA256(Y) to Alice. 4. Then they share X and Y. If first bit of SHA256(X + Y) is 1, Alice wins. Otherwise, Bob wins. 5. Loser sends money to winner using normal transaction. 6. Repeat until they fed up. Then both unlock their deposit from step 1 and go home. This scheme is super-flexible because they can establish real trust with locked deposit and then play with any rules imaginable without being limited by Bitcoin or anything. This doesn't solve the possible extortion scenarios. For example if Alice loses then she can say that she's only willing to pay x/2 coins instead of the x coins that she lost in the bet, and if Bob doesn't agree then he loses the 3x coins that he locked. Another example is that Alice simply aborts after your step (1) and tells Bob to send her (say) 0.1 coins or else his 3x coins will be locked forever. |
|
|
|
It seems multiple people studied this protocol by now and there are no issues, so I'll add it in a few days if nobody else comes up with improvements.
I now edited step (10) of the OP to clarify that the only risk with this protocol is that the "Reveal2" transaction will be reversed. I guess that it's too optimistic to expect that we could have a 0-confirmations protocol with absolutely no risk involved, but any improvements are of course welcome. This summer Matt and myself gained quite some experience of implementing complicated multi-step contracts protocols when we did the micropayment channels system in bitcoinj. You could use that work as a template. I'm happy to lay out how one might implement such a thing using bitcoinj, if you like.
Cool. If you prefer to lay it out in a public thread or in the mailing-list or in wiki then maybe more people would begin to implement this kind of protocols. If it's better to do it in private then maybe that can work well too, I'll email this thread now to the persons that I discussed it with. |
|
|
|
With regard to reading the LSB, there's OP_MOD in the Bitcoin script language that could be used, no?
Nope, disabled and re-enabling it would require a hardfork. (though it could be replaced with a soft fork and a v2 p2sh) The best I think you can do now is hash the two secrets and compare to half way through the possible output space. I see, OP_XOR is also disabled so we cannot xor and then get the MSB by using OP_GREATERTHAN to compare with a constant. I guess that we can do nested if/else to get the MSB via OP_GREATERTHAN for each of the secrets of Alice and Bob, though your suggestion to hash the two secrets and then do a single comparison is probably more simple. |
|
|
|
Nice one iddo. Perhaps we should add that to the contracts wiki page.
So are you gonna try implementing it?
I'll be honored if it gets added to the contracts wiki, if everyone agrees that there isn't anything unsound here  It can be contrasted to the theoretical result that says that any coin toss protocol in R rounds will have 1/R bias, but with a Bitcoin-based protocol it's not so surprising that we can do better when we have a blackbox that lets both parties lock funds and be refunded after a timeout unless some other condition holds. About implementing it, this idea came up in a conversation after a Bitcoin meetup that Meni organized last month, where there seemed to be an interest in implemented a gambling system that doesn't involve a 3rd-party like SatoshiDice, so we can eliminate the house edge. The person who asked Meni and myself regarding whether it can be done sounded excited about it, so maybe he would like to code it. I'll try to ask. |
|
|
|
The loser could do this if they're not using iddo's protocol.
The point is that if they use iddo's protocol, the loser can't hold up because he has more tied up (which he'll lose if communications stop) than he has riding on the bet.
Ah, I only saw the first three steps and accidentally scrolled past the rest. I went on to propose a spirituality similar protocol. I think thats fine (upto practical details, such as not being able to read the LSB in script; that it falls down if the transactions take longer to confirm than your timeouts, etc). With regard to reading the LSB, there's OP_MOD in the Bitcoin script language that could be used, no? About the possibility that the transaction would take longer to confirm than the locktime timeouts, note that (unlike your similar suggestion in post #6 here) there is no symmetry between the "Reveal1" transaction of step ( 6 ) and the "Reveal2" transaction of step ( 8 ), so if Alice insists that the "Reveal2" transaction will be mined into a block before she signs and broadcasts her "Reveal1" transaction then we're safe in the sense that the bet is atomic, i.e. either both parties reveal their committed bit, or nothing happens and both parties get their refund. In practice it should be enough for Alice just to see that Bob broadcasted the "Reveal2" transaction, assuming that neither Alice nor Bob control a significant enough amount of the hashpower and that the transaction uses a standard fee (I suppose that it's possible to try to bribe the miners, though I don't really see how to do it under the assumption that the hashpower is decentralized). Edit: this is now mentioned in step (10) of the OP. With 0-confirms it could be easy enough to reverse "Reveal2" and maybe shouldn't even be considered a "bribe", and I remember that we had discussions on more sophisticated bribe attacks (for example link). |
|
|
|
The updated system requires the hashing function and the signing algorithm to be broken at around the same time.
You need a preimage attack on the hash function where the preimage is a valid pubkey for which you know the corresponding privkey. There are about 2^256 pubkeys and 2^160 hashed addresses, so the attacker has to find one ECDSA keypair as the preimage out of about 2^96 possible candidates. It's true to say that if the hash function is resistant to preimage attacks then we have 160 bits of security, compared to the 128 bits of security of ECDSA with 256 bit security parameter. But saying that the attacker must break both the hash function and ECDSA is too strong. |
|
|
|
If you have non-memory access related power or timing side channels (e.g. like adders leaking data, which is what would be required for HMAC-SHA512 to leak) then there is going to be no way to avoid the ECDSA point math leaking like crazy. Using non-deterministic DSA does not save you from side channels. Maybe deterministic makes a really side-channel heavy implementation more vulnerable, but people have already demonstrated recovery on devices with randomized DSA, so I am a little skeptical that it matters. Some masking behavior would be fine, but it wouldn't require making the output non-deterministic.
I'm not sure that in general it's completely true that a side-channel attack on a hash function like SHA512 involves only non-memory access, because the input to the hash function probably resides in memory, so there might be side-channel attacks that involve cache misses etc., though I suspect that in this case you're right because the input is short (privkey + hash of the message), and even if there was a possible danger here then there are probably side-channel resistance techniques to mitigate the risk. More importantly, in the specific case of ECDSA it's enough to recover the output of k=hash(privkey, msg) rather than the input (privkey, msg) because if k leaks then the privkey also leaks. Therefore, it doesn't really matter if we use deterministic signatures via k=hash(privkey, msg) or random signatures via e.g. k=hash(privkey xor random, msg) because carrying out a side-channel attack that recovers the output of the hash function should be much easier than carrying out a side-channel attack that recovers the input to the hash function. And more generally, side-channels attacks against symmetric crypto primitives like AES and SHA2 are a lot more difficult than side-channel attacks on public-key/asymmetric crypto primitives, so the risk of possible side-channel attacks on either the input or the output of SHA512 are probably not so significant. Maybe there should be a parameter (on by default as in OpenSSL ?) to toggle the protection from side-channels attacks, and if the user wishes to have the best possible protection then he could specify via this parameter that the input to the hash function should be masked with randomness, which would imply random signatures because it cannot be unmasked. I'm not sure if we're missing anything interesting here, so it'd be a good idea to consult with experts on side-channel attacks before having deterministic signatures as the default. |
|
|
|
I reached out to Colin Percival ( who wrote scrypt, for example) for his thoughts/comments on RFC 6979. Here's what he had to say (with his permission): I don't see any concrete problems with this proposal, but using the private key
as part of the hashed input does make me a bit nervous.
Personally, I'd prefer to feed these into an HMAC-DRBG to be used for entropy
*in addition to* normal seeding of entropy from the operating system -- unless
you really need deterministic signatures. This seems to be in agreement with pretty much everyone else's opinion on RFC 6979, which is good to see. ::sigh:: If adding the secret to the input were problematic the entire signing function would very likely be insecure: Computing a collision is easier than recovering an unknown pre-image, doubly so because the next thing you do is multiply K by G to get R, which both reduces the space of the output, and makes K unrecoverable from unless you can solve a discrete log problem.
The cost of this is that you produce a device whos correct behavior is not measurable. It could have backdoors inserted in several forms which would be very difficult to discover, or it could have flawed operation.
e.g. if it gets hot there are random bitflips in the multiply used to derive R from K, because the twist of secp256k1 is a smooth field where solving the DLP is relatively easy a single bit-flip in the multiply can result in a R value from which K can be recovered in about 2^51 work.
I'm probably missing something here, but it seems to me that the argument that you're giving is similar to what Colin Percival had in mind, though you're interpreting it in the opposite way than he, and I don't exactly understand your argument yet. I think that the concern is that there might be side-channel attacks on the hash function (heat as in your example, acoustic noise, timing, etc.) that may recover the input that it's invoked with. On the other hand, while it is true that the privkey and K are also used in the next calculations that finally derive the signature, those calculations can be masked in order to protect from such side-channel attacks (like multiplying k by a fresh random value before calculating k^{-1} and then unmasking). For the hash function, there's no way to do these masking tricks, hence the concern? I suppose that it's a good idea that deterministic signatures would be a user configurable option, but the important question still remains regarding whether the default behavior should be deterministic or random. Other than this supposed protection from side-channel attacks, does anyone know if there are any other advantages or practical use cases for random signatures (as is obviously the case with random encryption so that it'd be semantically secure) ? |
|
|
|
If you go around disallowing a bunch of K values then you're decreasing security not increasing it... Though I would agree that this specific test is perhaps mildly useful as a "RNG fatally broken, do not pass go" check.
I don't see why K==d is more indicative of a faulty RNG than the infamous K==11 ? Are you seriously suggesting that we should test here whether we're dealing with RNG that always returns the same value, or is there something else that I'm missing? |
|
|
|
|
Huh? You're describing how to carry out one particular attack that succeeds with probability 2^{-n} where n=order(G), but that's always the case, i.e. you can always carry out an attack that succeeds with probability 2^{-n} simply by guessing d (or k).
The checks that you mentioned in your first sentence are done to avoid invalid values and to have uniform probability over the range of valid values, k==d is valid and therefore it shouldn't be excluded as a potential value.
|
|
|
|
One was my request for an audit of my deterministic wallet solution, which does generate public keys in the wallet, but is supposed to be "resistant" when one on the private keys gets compromised. I did not get much feedback here, but since nobody has stolen my coins yet, I'm guessing it's somehow secured enough  Your type-3 appears to inferior to type-1: with type-1 there's one master secret, and in case that master secret leaks then all the other privkeys in your wallet also leak, but in the case that certain privkeys themselves leak the all the other privkeys don't leak. With your type-3, for efficiency the user's client may opt to store many seed[n] values, and if any of those seed[n] leak, then all the subsequent privkeys leak too. And just like with type-1, with your type-3 wallet if the master secret leaks then the entire wallet leaks. You haven't explicitly tried to claim what's the supposed advantage of type-3 over type-1, but maybe what you had in mind is that in order to generate the next privkey the user wouldn't need to access the most sensitive piece of data which is the master secret, and will only need to access the seed[n-1] data instead, We have discussed similar properties here before. If you think that your type-3 has any advantage over type-1, please describe with precise details how the client software is supposed to retrieve an arbitrary privkey[k] without access to the master secret. Do you propose to have multiple layers of encryption every time that a new seed is derived? The second issue was the privacy of the deterministic wallets, as they are being implemented now, by other parties; the kind of solution where you can generate further public addresses without having an access to the actual wallet. My concern was: how easy it will be for the attacker to figure out the secret/chaincode, while already having a couple of public keys from such a deterministic solution... From what you said, it won't be possible to figure out the chaincode, even having millions of consecutive public keys, or in other words: as long as you keep the chaincode secret, nobody can just calculate it from your public addresses. That's good to know - thanks.
If SHA2 is pseudorandom then it's infeasible to figure out chaincodes from the pubkeys. The more tricky question is whether you could carry out a related-key attack after seeing many signatures, and the answer is "no". In practical settings, the issue that concerned us is that if you're running a listening-only server that doesn't have access to the privkeys but does have access to chaincodes, and your server is compromised, so if an attacker could obtain a single privkey from another source (not from the listening-only server because that server doesn't even know the privkeys) then all the privkeys in your wallet will leak. Our solution is to use type-1 derivation for the root of the branch that the listening-server would be using, so that any leakage of privkeys will be confined only to that branch, and the user is advised to store privkeys that control high amounts of coins in different "cold storage" branches. |
|
|
|
Well that's the thing really: you don't actually need SCIP to do covenants - SCIP just tends to make them a lot more efficient and easy. In my mind the biggest difference is that it makes them hard to _forbid_, if SCIP-scripts just were implemented in the most obvious way (add a OP_CHECKSCIP) we would have likely gotten the ability to create covenants without even realizing or intending it because the technology is just so _generally_ powerful. If I make it sound like a negative thing it's because covenants can screw up fungibility (as our whimsical examples show), so while they can be useful and important to some protocols, we might want to take care in how we enable them. (Or at least consciously decide that they're a net win! ... and yes, sure, I wouldn't turn down SCIP in order to avoid covenants) Hard to forbid or impossible to forbid? Instead of OP_CHECKSCIP, can there be a way to incorporate SCIP into Bitcoin scripts in a way that disallows covenants? |
|
|
|
- it-feels-good-to-pretend-to-be-regular covenant: Spending block is required to have a timestamp exactly 600 seconds ahead of previous block.
I was going to say that you can't do this one: The SCIP-script can't have a completely free form input like "what time was the last block" because you must know all the inputs when you run the prover and the prover takes time and so does confirmation. But you actually could, with the right opcodes which would effectively be a transaction which requires the miner to lie about their time. In general ones which are the function of the _last_ blocks directly become tricky, because if you want the SCIP to actually process the block you have to have it. (Easier if you have script operations to test these things and just push their test ID and result onto the stack, so you can compute the proof in advance assuming those things to be true). I failed to understand (for example I have no idea why you said "lie about their time"), could you please try to explain the above in a way that might be more clear? One thing that I can see is that the Bitcoin script language could be extended to include a new opcode (unrelated to SCIP) that puts on the stack the timestamp of the block in which this transaction resides, and similarly an opcode that puts on the stack the timestamp of the previous block (relative to the block in which this transaction resides), and then bind the SCIP program to use these two public inputs, and the SCIP program would be completely trivial i.e. it would just check the difference between its two inputs. So except for enforcing the covenant, SCIP isn't needed here, because the regular Bitcoin script can directly check the condition on the difference between the two timestamp values. Another thing that I can see is that the specified SCIP program (verification key) will have the hash of the genesis block (or a more recent checkpoint block hash) hardcoded into it, and will receive non-public input which is the all the next blocks, and the SCIP program checks that the entire hash chain is valid, and fetches the timestamp value from the last block that it hashed. But this way you can only fetch the timestamp of the previous block, not the current block? |
|
|
|
I agree in general that it's a good idea to make the Bitcoin client operate (by default) in a simple way that influences users to conform with security guidelines and match the vast majority of common use cases.
However, we should consider whether what you suggested indeed covers all the common use cases. One particular point that we should keep in mind is that BIP32 is a standard for creating keys rather than Bitcoin scripts/addresses. So for example if the user wishes to enhance his security by using a P2SH address that can be redeemed via one privkey that resides on his smartphone and one privkey that resides on his laptop, then he will need to give the sender a pair of account numbers (one that belongs to his smartphone's BIP32 wallet and one that belongs to his laptop's BIP32 wallet), and each time that the sender wishes to send a payment he will construct a script from two fresh pubkeys and thereby derive the P2SH address to send the coins to?
I don't really understand P2SH. I thought that all the user would need to provide to the sender is a hash. Yes you only need give a hash to the sender. I meant that if the user wishes to take advantage of the key homomorphism property of ECDSA/BIP32, he can give the sender the account numbers of his smartphone and laptop accounts, and then the sender could generate fresh addresses by himself, instead of asking the user for a new address every time. We've discussed use cases for this, start for example at https://bitcointalk.org/index.php?topic=19137.msg1496121#msg1496121 |
|
|
|
|
I tried to convince Meni that it cannot easily be done if the party that learns the outcome first can abort and hence bias the result, though it can still be done via gradual release techniques.
So, any comments on this Bitcoin-based coin toss scheme? Anyone?
|
|
|
|
|
Show Posts
