Bitcoin Forum
May 30, 2024, 04:37:44 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: [1]
1  Bitcoin / Development & Technical Discussion / Re: what could prevent the sender from preparing a chain of blocks ahead of time? on: May 19, 2014, 04:57:54 PM
Quote from: jonald_fyookball on May 19, 2014, 06:25:03 AM
Quote from: zhongzyd on May 19, 2014, 06:07:59 AM
Quote from: DeathAndTaxes on May 18, 2014, 03:53:04 PM
What video?

What you described is a double spend.  It becomes progressively more difficulty for Alice to build the longer chain unless she hash a majority of the computing power.  It doesn't matter if Alice starts building the attack chain first or makes the legitimate deposit and then starts building the attack chain the probability she will outrace the network starting from a block behind is unlikely.  The more confirmations the less likely it becomes.


For a deposit of 1,000 BTC the exchange should probably require more than three confirmations.  Meni wrote a very good paper on the economics of double spending.  If Alice has 10% of the network computing power her chance of being successful is 1.712% for 3 confirmations,  0.546% for 4 confirmations, 0.178% for 5 confirmations, and 0.059% for 6 confirmations.  The exchange can also protect itself by validating KYC information for users involved in large transactions.  https://bitcoil.co.il/Doublespend.pdf

As for your quote.  I don't know what Satoshi was talking about in the quoted section as it doesn't make any sense to me either.  You are right, the attacker doesn't need the victims PubKey in order to build the chain because the "attack chain" will contain the double spend not the spend to the victim.  I can only conclude that Satoshi was either mistaken or he is talking about something else and is unclear in the wording.  The paper was written at a theoretical level about a year before the first version of the client was completed.

This video: http://www.youtube.com/watch?v=Lx9zgZCMqXE .  At around 14:00 minutes, it explains why one can't preparing blocks ahead of time. I think what it says is incorrect.

Meni assumes one block was pre-mined by the attacker. All his calculation is base on this assumption.
My case is that the attacker pre-mines all the blocks he needs, Which makes him sure he can double spend the coins. The calculation should be different between my case and Meni's case.
I think if someone really want to double spend coins, he should pre-mine all the blocks he needs.
The reasons are:
1. When he is successfully pre-mine the blocks he needs, he is 100% sure he can double spend the coins.
2. When he pre-mine the blocks, he can abandon his hidden chain when his chain becomes shorter than the honest chain, and works on another hidden chain after the honest chain. This is more efficient. In Meni's case, unless the attacker gives up his attack, after the he spent the coins in the honest chain, he can't abandon his hidden chain even if the honest chain becomes longer than his chain.

The video is not incorrect.

Are you sure you understand the part where they said the previous blocks output is used as input to the next block?

you would need a tremendous amount of hashing power to outmine the network for even a few blocks.



I sure I understand.
Preparing a chain of blocks ahead of time is possible, that why I said the video was incorrect.
2  Bitcoin / Development & Technical Discussion / Re: what could prevent the sender from preparing a chain of blocks ahead of time? on: May 19, 2014, 06:07:59 AM
Quote from: DeathAndTaxes on May 18, 2014, 03:53:04 PM
What video?

What you described is a double spend.  It becomes progressively more difficulty for Alice to build the longer chain unless she hash a majority of the computing power.  It doesn't matter if Alice starts building the attack chain first or makes the legitimate deposit and then starts building the attack chain the probability she will outrace the network starting from a block behind is unlikely.  The more confirmations the less likely it becomes.


For a deposit of 1,000 BTC the exchange should probably require more than three confirmations.  Meni wrote a very good paper on the economics of double spending.  If Alice has 10% of the network computing power her chance of being successful is 1.712% for 3 confirmations,  0.546% for 4 confirmations, 0.178% for 5 confirmations, and 0.059% for 6 confirmations.  The exchange can also protect itself by validating KYC information for users involved in large transactions.  https://bitcoil.co.il/Doublespend.pdf

As for your quote.  I don't know what Satoshi was talking about in the quoted section as it doesn't make any sense to me either.  You are right, the attacker doesn't need the victims PubKey in order to build the chain because the "attack chain" will contain the double spend not the spend to the victim.  I can only conclude that Satoshi was either mistaken or he is talking about something else and is unclear in the wording.  The paper was written at a theoretical level about a year before the first version of the client was completed.

This video: http://www.youtube.com/watch?v=Lx9zgZCMqXE .  At around 14:00 minutes, it explains why one can't preparing blocks ahead of time. I think what it says is incorrect.

Meni assumes one block was pre-mined by the attacker. All his calculation is base on this assumption.
My case is that the attacker pre-mines all the blocks he needs, Which makes him sure he can double spend the coins. The calculation should be different between my case and Meni's case.
I think if someone really want to double spend coins, he should pre-mine all the blocks he needs.
The reasons are:
1. When he is successfully pre-mine the blocks he needs, he is 100% sure he can double spend the coins.
2. When he pre-mine the blocks, he can abandon his hidden chain when his chain becomes shorter than the honest chain, and works on another hidden chain after the honest chain. This is more efficient. In Meni's case, unless the attacker gives up his attack, after the he spent the coins in the honest chain, he can't abandon his hidden chain even if the honest chain becomes longer than his chain.
3  Bitcoin / Development & Technical Discussion / Re: what could prevent the sender from preparing a chain of blocks ahead of time? on: May 18, 2014, 03:44:44 PM
Quote from: jonald_fyookball on May 17, 2014, 02:53:28 PM
You can't prepare any chain ahead of time because you always have to build on the blocks that came before it.  So by the time you solve the next block, someone else will likely also solve it, and the network will use their block if you try to keep yours hidden.

What about this case?
If Alice keeps working on a chain of blocks secretly. When she is lucky enough to get a secret block chain longer than the honest chain of 3 blocks. Let's assume the length of honest chain is 1000, and hers is 1003. In her No.1003 block, Alice redeem a output of 1000BTC to herself. And then Alice makes a transaction which sends this 1000BTC to a exchange. This transaction is accepted in the No.1001 block of the honest chain . Then Alice sells the coins in the exchange, and withdraws the money. Let's assume this withdrawal is successful when the length of the honest chain increases to 1003, and the length of Alice's secret chain increases to 1004. Then Alice send her secret chain to public. Her chain is the longest chain and will be accepted by others. She will get back the 1000BTC.
In this case, I think nothing could prevent Alice from preparing her secret chain. This case is different from the video's case. In the video's case, it is assumed that Alice has to build her secret chain after the block 1. But in fact, Alice doesn't have to do this. She can keep trying until she gets a chain longer than the honest chain of enough blocks. When she get such a chain, she can surely double spend her coins.
4  Bitcoin / Development & Technical Discussion / Re: what could prevent the sender from preparing a chain of blocks ahead of time? on: May 16, 2014, 03:12:37 PM
Quote from: Evil-Knievel on May 15, 2014, 07:43:19 PM
Basically, I want to double spend the coins i want to send to you.
I prepare two chains.

a 6 long chain with your TX in the first block
a 7 long chain with your TX doublespent in the first block.

Then I submit the first chain,
you send me the stuff and immediately I release the 7 long chain charging back the money.

When releasing the Pubkey shortly before payment, this is not possible.


Why this is not possible? The 7 long chain doesn't contain the my Pubkey. You can prepare the 7 long chain without knowing my Pubkey. Because you send the coins to your own pubkey in the 7 long chain, not my Pubkey.
5  Bitcoin / Development & Technical Discussion / what could prevent the sender from preparing a chain of blocks ahead of time? on: May 15, 2014, 05:34:35 PM
In Satoshi's paper, it says:
"The receiver generates a new key pair and gives the public key to the sender shortly before
signing. This prevents the sender from preparing a chain of blocks ahead of time by working on
it continuously until he is lucky enough to get far enough ahead, then executing the transaction at
that moment."

But the sender doesn't need the receiver's public key to prepare the blocks. So why this could prevent the sender from preparing a chain of blocks ahead of time?

Is I miss something? Please explain it to me, thanks~

If this can't work, what could prevent the sender from preparing a chain of blocks ahead of time?
Pages: [1]
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!