Author

Topic: freshly created address argument (50% attack) (Read 549 times)

member
Activity: 64
Merit: 10
I think you're right. Here is the scenario if receiver waits for 1 conf:
a)
1. block #x mined by network
2. attacker starts mining  2 blocks with hostile tx2
2. publish tx1
3. block #x+1 with tx1 mined by network
4. attacker gets product
5. attacker publish 2 mined blocks#x+1 and #x+2 with tx2
6. block #x+3 with tx2 mined by the network

b)
1. block #x mined by network
2. attacker starts mining block with tx1 and block with tx2
3. attacker publish block #x+1 with tx1 only to the receiver node and block #x+1 with tx2 to others
4. attacker gets product
5. block #x+2 mined by network with tx2

 
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
So reading the bitcoin paper it is claimed that the recipient generating his
address at the last minute before accepting the payment makes him less
vulnerable to a 50% double spend attack.  This argument doesnt seem correct
to me, though creating new addresses serves as secondary purpose a mild
privacy feature.

Lets consider two attack approaches, a) where all users generate fresh
addresses to receive each payment and b) using prior knowledge of victims
address,

a) is the attack described in the paper: attacker tries to create a block
chain fork of longer length than the rest of the network by working on a
chain that he does not publish yet, spending a coin to himself on this for
now private chain.  Now and then with probability determined by his ratio of
network power he gets ahead of the network by 2 chain links, so he starts
the double spend attempt, paying it to the fresh address of a victim.  Once
the rest of the miners publish a block containing the victims confirmation,
and once victim to sees the confirmation, the attacker publishes his up to
now private chain which contains a different spend.  Now there is a network
fork, and the network will believe the 2 chain links branch over the 1 link
branch, for any coins that are spent in both.  The network has no way to
distinguish which spend to reject other than the CPU voting, and that is
indicated by the chain length.  The network abandons the short fork of the
chain, and the victim's received payment is considered a double spend by all
nodes.  If the victim accepts with 0 or 1 confirmations, he loses; if the
would be victim waits for 2 confirmations the attack fails as he would not
yet consider it valid.  (Analogous for n confirmations with correspondingy
longer private chain).

b) the attacker tries to gain some additional advantage from prior knowledge
of the victims address.  If the attacker accelerates the confirmation by
also computing the confirmation rather than letting the network do it, he
does work the network would do for him reducing his power to amass a
sufficient length private block chain that he must do privately, and so
reduces his chance of success to construct a n confirmation defeating
private chain.  And yet he gains no success advantage.  What he does do is
avoid make speculative payments to the victim.  However there will exist
payments that result in resellable virtual goods.  Or online gambling that
is approximately zero sum so those payments do not have to be considered a
loss or penalty, only the transaction fee & resale (virtual goods) or house
cut (online gambling).  eg Satoshi dice apparently is popular.

Maybe I am misunderstanding what Nakamoto meant in the paper, but I
dont see any 50% attack extra defense coming from choosing address just
before receiving payment.

Adam
Jump to: