Bitcoin Forum
Author Topic: Defence against double spending, even 0-confirmation  (Read 2543 times)
Serith
April 13, 2012, 02:23:43 AM
 #21

I think the proposal has a flaw; consider the next scenario.

1. Transaction 1 is broadcast
2. Merchant accepts Transaction 1 with 0-confirmations and releases the purchase
3. Transaction 2, which is a double spend of Transaction 1, is broadcast
4. Miner gets all the coins from Transaction 1
5. Merchant eats the loss.
jevon
April 13, 2012, 02:49:14 PM
 #22

"Double spend = same input, different outputs."

You would still need to reconsider the changed tx fee. That would require you to change the amount of the "change" address, and/or add new inputs and/or outputs to the transaction (if the too-low-fee transaction also included inputs with too low value to be able to increase the fee) so the new fee adds up correctly in the equation.

It's hard to check in a safe way. I think a tx expiration feature would be better then.
We could allow the amount of only one output to change. The only thing they can do with that is change the fee, they can't take any money back.

I prefer a cleaner way to increase the fee that doesn't require messy double spending and can be done by either side: The recipient can spend the low fee txn with a larger fee so miners have to include both transactions to get the larger fee. The payer can also do that by spending the change.

Unfortunately, Theymos is right, tx expiration is not possible.

I think the proposal has a flaw; consider the next scenario.

1. Transaction 1 is broadcast
2. Merchant accepts Transaction 1 with 0-confirmations and releases the purchase
3. Transaction 2, which is a double spend of Transaction 1, is broadcast
4. Miner gets all the coins from Transaction 1
5. Merchant eats the loss.
The customer doesn't get anything back by doing that. There's no incentive.

If you believe as some do that miners can be bribed with fees, then that's already possible. The customer could double spend it all to fee.

The double-spend-becomes-fee model is strictly superior to the fee bribe model. Under fee bribe, part of the payment can be taken back by increasing the fee.

Under this new model, any attempt to steal a payment back becomes proof the miner can use to take the whole amount. Under both models, they can give the entire amount to fee, but under this model, that's the only thing the double spender can do. He can't benefit from double spending.
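
[Added example, not part of post #22 or of the thread.] A merchant-side check, in Python, that tells the fee adjustment suggested in post #22 (same inputs, exactly one output amount changed) apart from a double spend (same input, different outputs). The dict-based transaction model, the name `classify_conflict`, the extra rule that the changed output may not be the merchant's and must raise the fee, and all sample values are assumptions made for this illustration.

```python
# Added illustration. Simplified model (assumption): inputs are (txid, index)
# outpoints, outputs are (script, satoshi) pairs in a fixed order.

def classify_conflict(original, candidate, merchant_script):
    """Compare `candidate` with an already-seen `original` transaction.

    Returns (verdict, fee_delta). verdict is 'unrelated', 'identical',
    'fee_change' or 'double_spend'; fee_delta is the fee increase in satoshi.
    """
    old_in, new_in = set(original["inputs"]), set(candidate["inputs"])
    if not old_in & new_in:
        return ("unrelated", 0)
    if old_in != new_in:                 # shares an outpoint, adds or drops others
        return ("double_spend", 0)
    old_out, new_out = original["outputs"], candidate["outputs"]
    if len(old_out) != len(new_out):
        return ("double_spend", 0)
    changed = []
    for (old_script, old_amt), (new_script, new_amt) in zip(old_out, new_out):
        if old_script != new_script:     # value redirected to another script
            return ("double_spend", 0)
        if old_amt != new_amt:
            changed.append((old_script, old_amt - new_amt))
    if not changed:
        return ("identical", 0)
    if len(changed) > 1:                 # post #22 allows only one amount to move
        return ("double_spend", 0)
    script, fee_delta = changed[0]
    # Assumed merchant-side tightening: the moving output must not be the
    # merchant's, and the fee must go up, or the payment got worse.
    if script == merchant_script or fee_delta <= 0:
        return ("double_spend", 0)
    return ("fee_change", fee_delta)

# Constructed sample transactions (not real txids or scripts).
SEEN = {"inputs": [("a" * 64, 0)],
        "outputs": [("merchant", 100_000), ("change", 49_000)]}
BUMPED = {"inputs": [("a" * 64, 0)],
          "outputs": [("merchant", 100_000), ("change", 48_000)]}
TAKEN_BACK = {"inputs": [("a" * 64, 0)], "outputs": [("payer", 149_000)]}
SHRUNK = {"inputs": [("a" * 64, 0)],
          "outputs": [("merchant", 60_000), ("change", 49_000)]}

if __name__ == "__main__":
    for name, tx in [("BUMPED", BUMPED), ("TAKEN_BACK", TAKEN_BACK), ("SHRUNK", SHRUNK)]:
        print(name, classify_conflict(SEEN, tx, "merchant"))
```

The `SHRUNK` case is the one the single-output rule alone would let through: only one amount changed, but it is the merchant's, so the check treats it as a double spend.
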
Revalin
April 13, 2012, 05:32:15 PM
 #23

He can if he's also the miner: Purchase goods with zero confirmations; try to mine a double-spend; usually end up getting the goods for a fair price, but occasionally successfully solve the next block and get the entire forfeited amount back as fees.

This is also still open to Finney attacks: mine until he solves a block (including the conflicting transaction); purchase goods with zero confirmations; then release the block.  This succeeds unless someone else solves a block between making the payment and the delivery of goods.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
DeathAndTaxes
April 13, 2012, 05:37:56 PM
 #24

He can if he's also the miner: Purchase goods with zero confirmations; try to mine a double-spend; usually end up getting the goods for a fair price, but occasionally successfully solve the next block and get the entire forfeited amount back as fees.

This is also still open to Finney attacks: mine until he solves a block (including the conflicting transaction); purchase goods with zero confirmations; then release the block.  This succeeds unless someone else solves a block between making the payment and the delivery of goods.

But as you indicated that attack ALREADY exists. 0-confirm irreversible tx which are anonymous and available on demand that also have high enough value to make Finney attack worthwhile are essentially non-existent.

Hopefully in time the cost to have even 1% of network hashing power makes that even less of an academical risk.
Serith
April 13, 2012, 05:44:37 PM
 #25


I think the proposal has a flaw; consider the next scenario.

1. Transaction 1 is broadcast
2. Merchant accepts Transaction 1 with 0-confirmations and releases the purchase
3. Transaction 2, which is a double spend of Transaction 1, is broadcast
4. Miner gets all the coins from Transaction 1
5. Merchant eats the loss.

The customer doesn't get anything back by doing that. There's no incentive.


I would love to see a secure solution for 0-confirmation transactions, but yours is not. People will perform the attack just because they can or to screw a merchant. Put yourself in the merchant's position: there is no way he would tolerate that kind of risk to accept 0-confirmation transactions.
DeathAndTaxes
April 13, 2012, 05:49:56 PM
 #26

I would love to see a secure solution for 0-confirmation transactions, but yours is not. People will do it just because they can or to screw a merchant. Put yourself in the merchant's position: there is no way he would tolerate that kind of risk to accept 0-confirmation transactions.

Reputation matters and will always matter.

By your logic multi-sig escrow is also useless because all buyers will always screw over the merchant just ... because? despite having no financial gain (and loss of reputation) from the attack.

Generally speaking 0-confirm tx will be either low value, traceable, or reversible.

Say a porn site accepted 0-confirm tx. You double spend, they detect it immediately and cut off your access. You lose the full purchase price, merchant loses 1-10 minutes of website access. The same thing would apply for essentially any "service over time" (advertising, webhosting, VPN access, etc).

0-confirm will never be used to transfer $1B in bearer bonds via tor network.

Revalin
April 13, 2012, 05:51:35 PM
 #27

But as you indicated that attack ALREADY exists. 0-confirm irreversible tx which are anonymous and available on demand that also have high enough value to make Finney attack worthwhile are essentially non-existent.

Yes, that's the current situation, but the whole thread is about trying to make 0-confirmation transactions safe even for high value irreversible exchanges.  There COULD be a demand for those if it was safe to do.

I'm just saying it doesn't work because it's still vulnerable to essentially the same attacks.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
DeathAndTaxes
April 13, 2012, 05:58:42 PM
 #28

Yes, that's the current situation, but the whole thread is about trying to make 0-confirmation transactions safe even for high value irreversible exchanges.  There COULD be a demand for those if it was safe to do.

I'm just saying it doesn't work because it's still vulnerable to essentially the same attacks.

I don't recall anyone saying 0-confirm would be immune to all attacks.

It would make double spends even on 0-confirms less economical. 

I mean there isn't black and white. Either you can transfer $1B anonymously via 0-confirm or the incremental value is worthless.

Finney attack is just one method of a double spend and requires significant resources to achieve.
Serith
April 13, 2012, 06:07:24 PM
 #29

I would love to see a secure solution for 0-confirmation transactions, but yours is not. People will do it just because they can or to screw a merchant. Put yourself in the merchant's position: there is no way he would tolerate that kind of risk to accept 0-confirmation transactions.

By your logic multi-sig escrow is also useless because all buyers will always screw over the merchant just ... because? despite having no financial gain (and loss of reputation) from the attack.


Precisely because of the same logic etotheipi outlined an escrow where both parties have a monetary incentive to complete the transaction.

  • If Bob doesn't have a risk deposit, he has no incentive to complete the transaction after he receives the merchandise (besides being a good person). If Alice isn't required to put in a risk deposit -- she could have Bob create the 2-of-3 transaction (or 2-of-2!) with her address, and then she backs out and leaves the money stranded. Then Bob will have to pay Charles to help unlock the money. Or if it's a 2-of-2 -- it's just locked forever.
jevon
April 13, 2012, 07:26:37 PM
 #30

Precisely because of the same logic etotheipi outlined an escrow where both parties have a monetary incentive to complete the transaction.

  • If Bob doesn't have a risk deposit, he has no incentive to complete the transaction after he receives the merchandise (besides being a good person). If Alice isn't required to put in a risk deposit -- she could have Bob create the 2-of-3 transaction (or 2-of-2!) with her address, and then she backs out and leaves the money stranded. Then Bob will have to pay Charles to help unlock the money. Or if it's a 2-of-2 -- it's just locked forever.

Then there's your solution. The transaction must have some change the payer will lose if he double spends.
DeathAndTaxes
April 13, 2012, 07:48:46 PM
 #31

Precisely because of the same logic etotheipi outlined an escrow where both parties have a monetary incentive to complete the transaction.

  • If Bob doesn't have a risk deposit, he has no incentive to complete the transaction after he receives the merchandise (besides being a good person). If Alice isn't required to put in a risk deposit -- she could have Bob create the 2-of-3 transaction (or 2-of-2!) with her address, and then she backs out and leaves the money stranded. Then Bob will have to pay Charles to help unlock the money. Or if it's a 2-of-2 -- it's just locked forever.

Then there's your solution. The transaction must have some change the payer will lose if he double spends.


Payer would lose the change if tx was either destroyed or given to miner.