Peter Todd [ARCHIVE] on Nostr: 📅 Original date posted:2023-01-13 🗒️ Summary of this message: Two methods for ...
📅 Original date posted:2023-01-13
🗒️ Summary of this message: Two methods for decentralized coinjoin conflict monitoring are proposed: running a relay node with a conflict-detection patch or assuming a conflict exists for unexplainable failures.
📝 Original message:On Tue, Jan 10, 2023 at 10:14:47AM -1000, David A. Harding wrote:
> On 2023-01-10 00:06, Peter Todd wrote:
> > Remember, we'd like decentralized coinjoin implementations like
> > Joinmarket to
> > work. How does a decentralized coinjoin implement "conflict monitoring"?
>
> 1. Run a relay node with a conflict-detection patch. Stock Bitcoin Core
> with -debug=mempoolrej will tell you when it rejects a transaction
> for conflicting with a transaction already in the mempool, e.g.:
>
> 2022-11-01T02:53:17Z
> 867b85d68d7a7244c1d65c4797006b56973110ac243ab5ee15a8c4d220060c58 from
> peer=58 was not accepted: txn-mempool-conflict
>
> I think it would be easy to extend this facility to list the inputs
> which conflicted. So if Alice sees a conflict created by Mallory,
> she can create a new coinjoin transaction without Mallory. This
> method has the advantage of being fast and attributing fault,
> although it does require Alice's node be online at the time Mallory's
> conflict is propagated.
So for something as simple as reliable coinjoining - an important privacy
feature that we'd like all wallets to use - you expect people to run
well-connected 24/7 nodes running specialty software?
Even if you run a node as you suggest, there's certainly no guarantee that
you'd learn about any double-spend without doing a severe sybil attack against
the network; the 8 outgoing nodes a typical node has samples a tiny fraction of
the network. And *even if* you sybil attack to try to detect conflicts there's
still no guarantee as attackers can use all kinds of special techniques to get
transactions into miner mempools and not others.
> 2. Simply assume a conflict exists for otherwise unexplainable failures.
> For example, if Alice sees several new blocks whose bottom feerates
> are well below the feerates of an unconfirmed coinjoin transaction
> that Alice helped create and broadcast, she can assume it's a
> conflict that is preventing preventing confirmation of the coinjoin.
> She can find an entirely different set of collaborators and create a
> non-conflicting transaction without ever needing to know which inputs
> from the original transaction conflicted. This method has the
> disadvantage of being slow (on the order of hours) and not attributing
> fault, although it doesn't require Alice has any information beyond
> copies
> of recent blocks.
You're suggesting that to avoid enabling full-rbf, coinjoin's and other
decentralized multi-party protocols risk getting coins tied up for hours trying
to do conflict resolution rather than just fixing the underlying problem with
what's literally a one-line code change that 17% of the v24.x nodes have
decided to enable.
> I didn't list these methods or others before because the specific method
> used to
> detect conflicts doesn't matter to the realization that software which
> uses conflict detection and evasion to defeat the $17.00 attack also
> defeats the $0.05 attack without any need for full-RBF.
Fact is, full-rbf defeats those attacks much better. And I'm amazed that you
don't consider raising the cost of attacks on coinjoins and similar
decentralized protocols by almost three orders of magnitude to be important:
why are you prioritizing a few highly centralized, often AML/KYC'd, unconfirmed
tx acceptance services over decentralized protocols which provide privacy and
security to a lot more users?
--
https://petertodd.org 'peter'[:-1]@petertodd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230113/5516cb92/attachment.sig>
🗒️ Summary of this message: Two methods for decentralized coinjoin conflict monitoring are proposed: running a relay node with a conflict-detection patch or assuming a conflict exists for unexplainable failures.
📝 Original message:On Tue, Jan 10, 2023 at 10:14:47AM -1000, David A. Harding wrote:
> On 2023-01-10 00:06, Peter Todd wrote:
> > Remember, we'd like decentralized coinjoin implementations like
> > Joinmarket to
> > work. How does a decentralized coinjoin implement "conflict monitoring"?
>
> 1. Run a relay node with a conflict-detection patch. Stock Bitcoin Core
> with -debug=mempoolrej will tell you when it rejects a transaction
> for conflicting with a transaction already in the mempool, e.g.:
>
> 2022-11-01T02:53:17Z
> 867b85d68d7a7244c1d65c4797006b56973110ac243ab5ee15a8c4d220060c58 from
> peer=58 was not accepted: txn-mempool-conflict
>
> I think it would be easy to extend this facility to list the inputs
> which conflicted. So if Alice sees a conflict created by Mallory,
> she can create a new coinjoin transaction without Mallory. This
> method has the advantage of being fast and attributing fault,
> although it does require Alice's node be online at the time Mallory's
> conflict is propagated.
So for something as simple as reliable coinjoining - an important privacy
feature that we'd like all wallets to use - you expect people to run
well-connected 24/7 nodes running specialty software?
Even if you run a node as you suggest, there's certainly no guarantee that
you'd learn about any double-spend without doing a severe sybil attack against
the network; the 8 outgoing nodes a typical node has samples a tiny fraction of
the network. And *even if* you sybil attack to try to detect conflicts there's
still no guarantee as attackers can use all kinds of special techniques to get
transactions into miner mempools and not others.
> 2. Simply assume a conflict exists for otherwise unexplainable failures.
> For example, if Alice sees several new blocks whose bottom feerates
> are well below the feerates of an unconfirmed coinjoin transaction
> that Alice helped create and broadcast, she can assume it's a
> conflict that is preventing preventing confirmation of the coinjoin.
> She can find an entirely different set of collaborators and create a
> non-conflicting transaction without ever needing to know which inputs
> from the original transaction conflicted. This method has the
> disadvantage of being slow (on the order of hours) and not attributing
> fault, although it doesn't require Alice has any information beyond
> copies
> of recent blocks.
You're suggesting that to avoid enabling full-rbf, coinjoin's and other
decentralized multi-party protocols risk getting coins tied up for hours trying
to do conflict resolution rather than just fixing the underlying problem with
what's literally a one-line code change that 17% of the v24.x nodes have
decided to enable.
> I didn't list these methods or others before because the specific method
> used to
> detect conflicts doesn't matter to the realization that software which
> uses conflict detection and evasion to defeat the $17.00 attack also
> defeats the $0.05 attack without any need for full-RBF.
Fact is, full-rbf defeats those attacks much better. And I'm amazed that you
don't consider raising the cost of attacks on coinjoins and similar
decentralized protocols by almost three orders of magnitude to be important:
why are you prioritizing a few highly centralized, often AML/KYC'd, unconfirmed
tx acceptance services over decentralized protocols which provide privacy and
security to a lot more users?
--
https://petertodd.org 'peter'[:-1]@petertodd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230113/5516cb92/attachment.sig>