Does replacement interact with quantum computers?

funkenstein

legendary

Activity: 1066

Merit: 1050

Khazad ai-menu!

Quote from: criptix on January 24, 2016, 03:51:39 PM

if ecdsa is broken through qc we can take a pubkey from a tx and compute the corresponding private key => steal funds from wallet.
the transaction itself would go through and you would not be able to steal it.

now with rbf activated you can even steal the funds in the transaction.

~~(although the timeframe should be quite short)~~

Ah OK, I think I see what you are saying. Of course just like nothing has stopped miners from doing a RBF or any other scheme they like for choosing TXes since block 1, nothing could stop them in this scenario from grabbing the privkey and taking the funds.

criptix

legendary

Activity: 2464

Merit: 1145

Quote from: funkenstein on January 24, 2016, 02:36:01 PM

Quote from: AlexGR on January 24, 2016, 09:58:40 AM

=>

Quote from: achow101 on January 21, 2016, 04:12:07 PM

An option has been recently merged into Bitcoin Core to disable RBF relaying. In the case that this scenario does happen, people can use that flag to disable RBF and thus we can have more protection against such an attack.

If it was the exact same thing with, or without RBF, then there would be no extra protection against such a scenario by disabling it, right?

Yes, I also don't understand what knightdk is talking about here

RBF is about which TX goes into a block. What does this have to do with ECDSAsec?

if ecdsa is broken through qc we can take a pubkey from a tx and compute the corresponding private key => steal funds from wallet.
the transaction itself would go through and you would not be able to steal it.

now with rbf activated you can even steal the funds in the transaction.

~~(although the timeframe should be quite short)~~

funkenstein

legendary

Activity: 1066

Merit: 1050

Khazad ai-menu!

Quote from: AlexGR on January 24, 2016, 09:58:40 AM

=>

Quote from: achow101 on January 21, 2016, 04:12:07 PM

An option has been recently merged into Bitcoin Core to disable RBF relaying. In the case that this scenario does happen, people can use that flag to disable RBF and thus we can have more protection against such an attack.

If it was the exact same thing with, or without RBF, then there would be no extra protection against such a scenario by disabling it, right?

Yes, I also don't understand what knightdk is talking about here

RBF is about which TX goes into a block. What does this have to do with ECDSAsec?

criptix

legendary

Activity: 2464

Merit: 1145

Quote from: achow101 on January 24, 2016, 11:30:35 AM

Quote from: CIYAM on January 24, 2016, 10:32:13 AM

Quote from: criptix on January 24, 2016, 10:24:18 AM

Last i read you should be able to change the whole tx which was kinda problematic because of double spending.

Oh - I hadn't realised this was the case (that makes me rather less enthusiastic about RBF - I can now envision someone creating a wallet with a "double spend" button).

It does allow for most of the transaction to be replaced (still has to include at least one input to actually be replacing something). However I don't think most wallets will give you the option to double spend. I think that most wallets will only have an option to boost your fee rather than double spend the transaction. Of course, if someone was being malicious, they probably don't even need a wallet that gives them the option to double spend.

Quote from: CIYAM on January 24, 2016, 10:32:13 AM

Quote from: criptix on January 24, 2016, 10:24:18 AM

I dont see a link between broken ecdsa and rbf.

A double-spend attempt is a double-spend attempt but perhaps the attempt itself is made easier with RBF.

If ECDSA is broken by QCs and the private key can be revealed from the public key in less than 10 minutes, an attacker with a QC could find that private key and attempt to double spend the inputs in the transaction that originally had the public key. With the current node policy, if they made a double spend attempt, it would probably fail due to the first seen behavior of nodes. Those nodes would already have seen the original transaction and thus reject the double spend. With RBF, if the attacker simply increased the fee in his malicious transaction, his transaction would be able to replace the original transaction if the original had opted in to RBF. This would make stealing the coins slightly easier, but only if the transaction opted in to RBF.

Yeah i see, you are correct.
I was just thinking about the publickey - privatekey relation not about the funds in the transaction itself.

achow101

staff

Activity: 3374

Merit: 6530

Just writing some code

Quote from: CIYAM on January 24, 2016, 10:32:13 AM

Quote from: criptix on January 24, 2016, 10:24:18 AM

Last i read you should be able to change the whole tx which was kinda problematic because of double spending.

Oh - I hadn't realised this was the case (that makes me rather less enthusiastic about RBF - I can now envision someone creating a wallet with a "double spend" button).

It does allow for most of the transaction to be replaced (still has to include at least one input to actually be replacing something). However I don't think most wallets will give you the option to double spend. I think that most wallets will only have an option to boost your fee rather than double spend the transaction. Of course, if someone was being malicious, they probably don't even need a wallet that gives them the option to double spend.

Quote from: CIYAM on January 24, 2016, 10:32:13 AM

Quote from: criptix on January 24, 2016, 10:24:18 AM

I dont see a link between broken ecdsa and rbf.

A double-spend attempt is a double-spend attempt but perhaps the attempt itself is made easier with RBF.

If ECDSA is broken by QCs and the private key can be revealed from the public key in less than 10 minutes, an attacker with a QC could find that private key and attempt to double spend the inputs in the transaction that originally had the public key. With the current node policy, if they made a double spend attempt, it would probably fail due to the first seen behavior of nodes. Those nodes would already have seen the original transaction and thus reject the double spend. With RBF, if the attacker simply increased the fee in his malicious transaction, his transaction would be able to replace the original transaction if the original had opted in to RBF. This would make stealing the coins slightly easier, but only if the transaction opted in to RBF.

pawel7777

legendary

Activity: 2436

Merit: 1561

Quote from: criptix on January 24, 2016, 10:24:18 AM

Quote from: CIYAM on January 24, 2016, 10:11:24 AM

My understanding was that RBF doesn't let you change the tx other than effectively its fee (i.e. inputs could be added but not outputs) - did I miss something?

Last i read you should be able to change the whole tx which was kinda problematic because of double spending.

I dont see a link between broken ecdsa and rbf.

Yup. The proposal to only allow changing fee was called FSS RBF (First-Seen-Safe Replace-by-Fee) but afaik it was too complicated to implement.

CIYAM

legendary

Activity: 1890

Merit: 1072

Ian Knowles - CIYAM Lead Developer

Quote from: criptix on January 24, 2016, 10:24:18 AM

Last i read you should be able to change the whole tx which was kinda problematic because of double spending.

Oh - I hadn't realised this was the case (that makes me rather less enthusiastic about RBF - I can now envision someone creating a wallet with a "double spend" button).

Quote from: criptix on January 24, 2016, 10:24:18 AM

I dont see a link between broken ecdsa and rbf.

A double-spend attempt is a double-spend attempt but perhaps the attempt itself is made easier with RBF.

criptix

legendary

Activity: 2464

Merit: 1145

Quote from: CIYAM on January 24, 2016, 10:11:24 AM

My understanding was that RBF doesn't let you change the tx other than effectively its fee (i.e. inputs could be added but not outputs) - did I miss something?

Last i read you should be able to change the whole tx which was kinda problematic because of double spending.

I dont see a link between broken ecdsa and rbf.

CIYAM

legendary

Activity: 1890

Merit: 1072

Ian Knowles - CIYAM Lead Developer

My understanding was that RBF doesn't let you change the tx other than effectively its fee (i.e. inputs could be added but not outputs) - did I miss something?

AlexGR

legendary

Activity: 1708

Merit: 1045

=>

Quote from: achow101 on January 21, 2016, 04:12:07 PM

An option has been recently merged into Bitcoin Core to disable RBF relaying. In the case that this scenario does happen, people can use that flag to disable RBF and thus we can have more protection against such an attack.

If it was the exact same thing with, or without RBF, then there would be no extra protection against such a scenario by disabling it, right?

funkenstein

legendary

Activity: 1066

Merit: 1050

Khazad ai-menu!

Quote from: AlexGR on January 24, 2016, 08:28:17 AM

RBF should make it much easier, no?

Am I missing something? I don't see how RBF changes anything here.

AlexGR

legendary

Activity: 1708

Merit: 1045

Quote from: funkenstein on January 23, 2016, 09:03:36 PM

Quote from: AlexGR on January 21, 2016, 01:33:30 PM

I just realized something about RBF - please correct any misunderstandings I may have, I'm not a btc developer.

We are all operating under the assumption that a quantum computer doesn't exist - but I'm not so sure that there isn't, or that there won't be pretty soon. In any case, the greatest safeguard we have against such a possibility is storing coins in addresses that have no prior spending in them. So when a QC is on the loose, the best one can do is to spend the full amount in order to not leave any coins behind for priv. key extrapolation and hacking. But this is based on a first seen-first serve scenario. RBF would allow an attacker to see a transaction, extrapolate the priv key and issue a respending with a higher fee, hijacking one's money.

So, from what I understand, RBF reduces the futureproofing / quantum resistance of BTC. Is there a way where it can only be implemented by honoring the initial transactions, plus a higher fee - for those desiring to jump the queue - and reject any other attempts to change the destination?

These things have zero to do with one another. If ECDSA is strongly broken somehow, in that the private key is obtainable from the public, then any transaction broadcast publicly spending a coin is stealable. Whether or not miners are implementing RBF or not doesn't matter.

RBF should make it much easier, no?

funkenstein

legendary

Activity: 1066

Merit: 1050

Khazad ai-menu!

Quote from: AlexGR on January 21, 2016, 01:33:30 PM

I just realized something about RBF - please correct any misunderstandings I may have, I'm not a btc developer.

We are all operating under the assumption that a quantum computer doesn't exist - but I'm not so sure that there isn't, or that there won't be pretty soon. In any case, the greatest safeguard we have against such a possibility is storing coins in addresses that have no prior spending in them. So when a QC is on the loose, the best one can do is to spend the full amount in order to not leave any coins behind for priv. key extrapolation and hacking. But this is based on a first seen-first serve scenario. RBF would allow an attacker to see a transaction, extrapolate the priv key and issue a respending with a higher fee, hijacking one's money.

So, from what I understand, RBF reduces the futureproofing / quantum resistance of BTC. Is there a way where it can only be implemented by honoring the initial transactions, plus a higher fee - for those desiring to jump the queue - and reject any other attempts to change the destination?

These things have zero to do with one another. If ECDSA is strongly broken somehow, in that the private key is obtainable from the public, then any transaction broadcast publicly spending a coin is stealable. Whether or not miners are implementing RBF or not doesn't matter.

watashi-kokoto

sr. member

Activity: 682

Merit: 268

I think migration to quantum proof system would be trivial. No funds would be lost.

AlexGR

legendary

Activity: 1708

Merit: 1045

Nice to have contingencies in place Cool

As for the bloat, I guess we'll have to wait for some kind of genius solution or workaround.

theymos

administrator

Activity: 5166

Merit: 12850

Quote from: AlexGR on January 21, 2016, 03:39:54 PM

Quote from: theymos_away on January 21, 2016, 02:14:47 PM

If QC comes into existence, then that is a very major problem which should be fixed ASAP in any case.

From a game theory perspective it doesn't make much sense for us to wait for the day where it is public knowledge that a QC exists. Given QC attributes as crypto-breaking machines, there's a history of similar crypto-breakthroughs remaining hidden.

It seems very unlikely to me that a QC will be created, then the tech will advance to the point that real-world keys can be broken in less than years, and all of this will be kept secret until it becomes an emergency. These government agencies are full of many people, and people are bad at keeping secrets. If this does happen, it can be survived due to the QC-resistance of Bitcoin addresses, but hurrying to plan for this seems like premature optimization. Especially when the current state-of-the-art in QC-proof signatures have massively larger signatures than ECDSA, and bandwidth is currently a pretty big bottleneck.

There is a flag for disabling the RBF policy, -permitrbf=0.

IIRC the Core devs do have code prepared for adding QC-proof signatures to Bitcoin as a softfork (using a variant of Lamport signatures optimized for minimal size, especially in the scriptPubKey), though AFAIK this code isn't public.

gmaxwell

staff

Activity: 4172

Merit: 8419

If the potential of your transaction being replaced would be disadvantageous to you, you simply wouldn't make the transaction non-final. Though, of course, miners can replace anyways because the transactions aren't confirmed yet.

A lot of the discussion above is suffering from common misunderstandings of what "first" means, in a asynchronous distributed network there is no such thing as a universal "first"-- what you see as first someone else will see as second. If not for this fundamental physical truth there would be no need for mining.

AlexGR

legendary

Activity: 1708

Merit: 1045

Quote from: achow101 on January 21, 2016, 04:28:41 PM

Quote from: AlexGR on January 21, 2016, 04:18:06 PM

Quote from: letsplayagame on January 21, 2016, 04:11:37 PM

Quote from: AlexGR on January 21, 2016, 01:53:03 PM

-would it be difficult to make RBF only relevant for a "I made a mistake by insterting a low fee, I want to raise it and skip the queue" scenario and nothing else, like sending money elsewhere or back to yourself?

That is likely to be both difficult to program and have unintended consequences limiting legitimate usage of RBF.

I'm trying to think about this algorithmically and I don't see why...

a) You broadcast your intention to bump up the fee, the other clients are programmed to accept it.
b) You broadcast your intention to bump up the fee and change the address or the amount or something, and the other client is programmed to reject it / consider it invalid if you do that.

If a miner mines transaction (b) and does not consider it invalid => he is orphaned by those who are running the proper client and say "what the fuck did you include in your block? GTFO"

It sounds trivial to me, but then again I'm not a coder so... I suspect the complexities arise from the soft forking approach and trying to satisfy everyone and retain compatibility with all.

No. RBF is not a consensus rule which causes forks. Transaction standardness is a node policy and should not be a consensus rule. By forcing transaction standardness to be a consensus rule and simply not node policy, then you are making experimentation with different transaction formats and nonstandard transactions be against consensus rules, which should not be allowed as that will make it more difficult to experiment and create new stuff.

RBF and relaying RBF transactions are simply node policy. Nonstandard transactions that make it into the blockchain are still accepted because although they aren't standard transactions, they are not technically invalid.

Ah yeah, network and miners division, right... makes sense. There could be no invalidation from ...competing broadcasts. Ok got it.

achow101

staff

Activity: 3374

Merit: 6530

Just writing some code

Quote from: AlexGR on January 21, 2016, 04:18:06 PM

Quote from: letsplayagame on January 21, 2016, 04:11:37 PM

Quote from: AlexGR on January 21, 2016, 01:53:03 PM

-would it be difficult to make RBF only relevant for a "I made a mistake by insterting a low fee, I want to raise it and skip the queue" scenario and nothing else, like sending money elsewhere or back to yourself?

That is likely to be both difficult to program and have unintended consequences limiting legitimate usage of RBF.

I'm trying to think about this algorithmically and I don't see why...

a) You broadcast your intention to bump up the fee, the other clients are programmed to accept it.
b) You broadcast your intention to bump up the fee and change the address or the amount or something, and the other client is programmed to reject it / consider it invalid if you do that.

If a miner mines transaction (b) and does not consider it invalid => he is orphaned by those who are running the proper client and say "what the fuck did you include in your block? GTFO"

It sounds trivial to me, but then again I'm not a coder so... I suspect the complexities arise from the soft forking approach and trying to satisfy everyone and retain compatibility with all.

No. RBF is not a consensus rule which causes forks. Transaction standardness is a node policy and should not be a consensus rule. By forcing transaction standardness to be a consensus rule and simply not node policy, then you are making experimentation with different transaction formats and nonstandard transactions be against consensus rules, which should not be allowed as that will make it more difficult to experiment and create new stuff.

RBF and relaying RBF transactions are simply node policy. Nonstandard transactions that make it into the blockchain are still accepted because although they aren't standard transactions, they are not technically invalid.

AlexGR

legendary

Activity: 1708

Merit: 1045

Quote from: letsplayagame on January 21, 2016, 04:11:37 PM

Quote from: AlexGR on January 21, 2016, 01:53:03 PM

-would it be difficult to make RBF only relevant for a "I made a mistake by insterting a low fee, I want to raise it and skip the queue" scenario and nothing else, like sending money elsewhere or back to yourself?

That is likely to be both difficult to program and have unintended consequences limiting legitimate usage of RBF.

I'm trying to think about this algorithmically and I don't see why...

a) You broadcast your intention to bump up the fee, the other clients are programmed to accept it.
b) You broadcast your intention to bump up the fee and change the address or the amount or something, and the other client is programmed to reject it / consider it invalid if you do that.

If a miner mines transaction (b) and does not consider it invalid => he is orphaned by those who are running the proper client and say "what the fuck did you include in your block? GTFO"

It sounds trivial to me, but then again I'm not a coder so... I suspect the complexities arise from the soft forking approach and trying to satisfy everyone and retain compatibility with all.

Topic: Does replacement interact with quantum computers? (Read 2067 times)