Board: Bitcoin Discussion
Re: ToominCoin aka "Bitcoin_Classic" #R3KT
by gmaxwell on 11/06/2016, 09:42:49 UTC
Latest "Classic" move: https://www.reddit.com/r/btc/comments/4nkmzp/the_ultimate_defence_against_the_alleged/ ("The ultimate defence against the alleged xthinblock attack is header-first mining")

So "unlimited" (and proposed for "classic", but classic seems mostly dead) has an efficient block relay scheme (their homegrown analog of BIP152) with a design flaw.

The way it works is this: When I relay a block to you, I give you a list of the transaction IDs in the block so you can match them out of your mempool instead of getting them from me.  To save bandwidth instead of sending the whole ID I send only the first couple digits of it.  They reasoned that they sent enough digits that it would be really unlikely for two txn in your mempool to have the same truncated IDs by chance.

What they didn't account for is the well-known result, often called the "birthday paradox", that it is _much_ easier to compute two messages sharing the same short hash than you'd expect.  Because of this, with the scheme in unlimited it's very easy for people to make pairs of transactions with matching short IDs and send them to the network. Any block that includes one of these TXN will propagate more slowly (because the reconstruction will fail, and it will have to take a round trip and retry with more data).

This flaw is something I spotted back in 2014 while working on some of the design work which later became part of BIP152, and I came up with a simple solution: Instead of truncating the txid, you hash it with a keyed value that isn't known to the attacker (we just have the sender pick one).

It's not the biggest deal in the world, but that fix shuts down some easily perpetrated vandalism (which could also potentially be performed for profit reasons) at basically no cost.

The "classic" response?  If miners don't verify anything at all, well then it doesn't matter to the miners how long it takes for block data to reach them. And since big miners and companies are all that are classically important, and SPV wallets (which make a strong security assumption that miners validate) are not... why bother fixing the flawed protocol?

Never mind the fact that classic's attempt at this was already aborted.
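An added illustration of the two points in the post (not gmaxwell's code, and not the Unlimited or BIP152 implementation): with a 32-bit truncation (a constructed width for the demo) the birthday bound makes a colliding pair of constructed transactions cheap to find, and a receiver holding both cannot reconstruct the block from the truncated id; a keyed short id with a sender-chosen key (keyed BLAKE2b here stands in for BIP152's SipHash, an assumption) separates the same pair again.

```python
import hashlib
import math
import os

SHORT_BITS = 32  # constructed width for the demo; real schemes differ


def txid(tx: bytes) -> bytes:
    """Bitcoin-style txid: double SHA-256 of the serialized transaction."""
    return hashlib.sha256(hashlib.sha256(tx).digest()).digest()


def truncated_short_id(full_id: bytes, bits: int = SHORT_BITS) -> int:
    """The flawed scheme: keep only the first bits/8 bytes of the txid."""
    return int.from_bytes(full_id[: bits // 8], "little")


def keyed_short_id(full_id: bytes, key: bytes, bits: int = SHORT_BITS) -> int:
    """The fix: hash with a key the sender picks and the attacker never sees.
    Keyed BLAKE2b stands in for BIP152's SipHash (assumption)."""
    digest = hashlib.blake2b(full_id, key=key, digest_size=bits // 8).digest()
    return int.from_bytes(digest, "little")


def birthday_bound(bits: int) -> float:
    """Expected number of random ids drawn before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_truncated_collision(bits: int = SHORT_BITS, limit: int = 2_000_000):
    """Model the attack cost: generate constructed transactions until two
    distinct ones share a truncated id. Returns (tx_a, tx_b) or None."""
    seen = {}
    for n in range(limit):
        tx = b"constructed-tx-" + n.to_bytes(4, "little")
        sid = truncated_short_id(txid(tx), bits)
        if sid in seen:
            return seen[sid], tx
        seen[sid] = tx
    return None


def ambiguous_matches(mempool, short_ids, short_id_fn) -> int:
    """Receiver-side reconstruction: count block short ids matching more than
    one mempool transaction (each one forces a round trip to recover)."""
    index = {}
    for tx in mempool:
        index.setdefault(short_id_fn(txid(tx)), []).append(tx)
    return sum(1 for sid in short_ids if len(index.get(sid, [])) > 1)


if __name__ == "__main__":
    a, b = find_truncated_collision()
    key = os.urandom(16)  # sender-chosen per-block key
    print("expected work for a", SHORT_BITS, "bit id:", int(birthday_bound(SHORT_BITS)))
    print("ambiguous (truncated):", ambiguous_matches([a, b], [truncated_short_id(txid(a))], truncated_short_id))
    print("ambiguous (keyed):", ambiguous_matches([a, b], [keyed_short_id(txid(a), key)], lambda h: keyed_short_id(h, key)))
```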