New transaction malleability attack wave? Another stresstest? - page 8.

mikeymillie

sr. member

Activity: 370

Merit: 250

Quote from: amaclin on October 05, 2015, 02:30:29 PM

Quote from: unamis76 on October 05, 2015, 02:22:44 PM

Besides this, Satoshi seems to have had quite a few reasons to develop
Bitcoin such as fleeing from banks, creating a trustless system, etc.

OK. So my reason is to protect your life savings from this ponzi scheme called bitcoin

I want to prove that decentralized trustless system can not exists in long term.
It either transforms to centralized system or loses its security.

>>> It either transforms to centralized system or loses its security.

This is correct. I disagree about the "Ponzi" comment, but that is irrelevant really.

I wonder if anyone in Bitcoin has ever thought about how this pure decentralized system has no counterpart in nature? None.

A game: cite of an example where the universe has evolved a natural system exhibiting coordination of behavior by a full decentralization of group consensus, and I will tell you why it is wrong.

Bitcoin isn't supernatural, it's not special just because humans made it and can "outsmart" the constraints of the medium they exist in.

Energy loss, signal propagation limits, information entropy, nature itself abhors decentralization (of the Bitcoin sort) and will tend to centralize due to self-signalling feedback effects, or lose signal integrity due to entropy. Consensus, when confronted with the hard limits of signalling in the medium it is sustained, must specialize by losing least significant inputs or decompose into fragments.

No getting around this. Bitcoin cannot "win" the battle to scale while remaining decentralized; there is no possible win condition unless the criteria for "decentralization" are loosened (which, abstractly, is what larger blocks and overlay/sidechains both do).

amaclin

legendary

Activity: 1260

Merit: 1019

Quote from: monsterer on October 07, 2015, 03:23:23 AM

What makes you think that trustless systems always have to tend towards centralisation?

Because it is more economically reasonable solution in long term.
The centralized system takes less energy. Always. Point. No exceptions. Look around. Look to yourself.
Decentralized system either takes more energy or less secure in long term.

monsterer

legendary

Activity: 1008

Merit: 1007

Quote from: amaclin on October 07, 2015, 03:17:44 AM

This stress-test wasn't direct attempt to prove anything.
I do not how to explain it. It is like a chess-game.
You can donate a chess piece to your opponent or make a nonclear turn to win a game.

What makes you think that trustless systems always have to tend towards centralisation?

amaclin

legendary

Activity: 1260

Merit: 1019

Quote from: monsterer on October 07, 2015, 03:12:56 AM

Quote from: amaclin on October 05, 2015, 02:30:29 PM

OK. So my reason is to protect your life savings from this ponzi scheme called bitcoin

I want to prove that decentralized trustless system can not exists in long term.
It either transforms to centralized system or loses its security.

You are failing to prove that...

This stress-test wasn't direct attempt to prove anything.
I do not how to explain it. It is like a chess-game.
You can donate a chess piece to your opponent or make a nonclear turn to win a game.

monsterer

legendary

Activity: 1008

Merit: 1007

Quote from: amaclin on October 05, 2015, 02:30:29 PM

OK. So my reason is to protect your life savings from this ponzi scheme called bitcoin

I want to prove that decentralized trustless system can not exists in long term.
It either transforms to centralized system or loses its security.

You are failing to prove that... In fact, you are actually helping to prove that you *need* a consensus to make accepting transactions safe.

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: GermanGiant on October 06, 2015, 05:47:19 PM

How do I determine whether it is signed with highS or not ?

According to BIP 62, Low S is between 0x01 and 0x7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 5D576E73 57A4501D DFE92F46 681B20A0 (inclusive). If it is bigger than that number, it is considered high S.

GermanGiant

hero member

Activity: 784

Merit: 501

Quote from: gmaxwell on October 05, 2015, 12:56:05 PM

People don't even need to be developers to help-- I posted a list of highS producing addresses, if we can identify more software which produces this form and get it fixed then we'll be well positioned to move forward. Why are people still whining here instead of sluthing? Come on-- I'm not even asking anyone to write code.

From the list, how do we understand which addresses are creating Tx using which wallet software ? It would be like finding a needle in a haystack. Instead, if you please provide some script, that would allow us to run on Tx hashes and tell us whether they are using highS, then we can report that to you.

I'd also like to know, how this highS is determined. Say, this is an example Tx...

36d047abcb966f58aa668f050d60254730a3c07c9fd51e869e8b1a773c05d516

This is the Tx Hex...

Code:

0100000001c2a66993d8bf1997dc134ce74c96f47e26c1c4043523abfe7ff04eb3eff573be000000006b483045022100bf7c30e07374ab9aac0163fd7ba10ae3c9b4b9324993bfd984d9670edf707ea502206a5611667d1eb147d6a7352cbf37a2ddec8d9b37fcad17a0c9a9c6caff287f24012102f148462ebe0250cf2b057017f5a8435f47468a3c3385befa4475b57292ff88e2feffffff02e0930400000000001976a914f219f28b2be61ba587b0f4dbe4191155c93c388688ac091e1600000000001976a914a86d009f3d9e2e8380b9bcb53b83ac332ae4e4fc88acacc30500

This is the raw Tx...

Code:

{
    "received": "2015-10-06T22:53:03.821252153Z", 
    "inputs": [
        {
            "script_type": "pay-to-pubkey-hash", 
            "prev_hash": "be73f5efb34ef07ffeab233504c4c1267ef4964ce74c13dc9719bfd89369a6c2", 
            "addresses": [
                "1PGCqwTrnqcHybfBknfj22pUrDhrW97Vmi"
            ], 
            "script": "483045022100bf7c30e07374ab9aac0163fd7ba10ae3c9b4b9324993bfd984d9670edf707ea502206a5611667d1eb147d6a7352cbf37a2ddec8d9b37fcad17a0c9a9c6caff287f24012102f148462ebe0250cf2b057017f5a8435f47468a3c3385befa4475b57292ff88e2", 
            "output_value": 1749713, 
            "age": 7, 
            "sequence": 4294967294, 
            "output_index": 0
        }
    ], 
    "confirmations": 0, 
    "vout_sz": 2, 
    "addresses": [
        "1PGCqwTrnqcHybfBknfj22pUrDhrW97Vmi", 
        "1P57cHP5wRycFLtAYy248FVsh5DUpfnToA", 
        "1GMZ6rFQLatu8o6LGB1Ky5HHkyBXsqEUKd"
    ], 
    "fees": 232, 
    "size": 226, 
    "preference": "low", 
    "hash": "36d047abcb966f58aa668f050d60254730a3c07c9fd51e869e8b1a773c05d516", 
    "double_spend": false, 
    "total": 1749481, 
    "lock_time": 377772, 
    "vin_sz": 1, 
    "block_height": -1, 
    "ver": 1, 
    "outputs": [
        {
            "script_type": "pay-to-pubkey-hash", 
            "addresses": [
                "1P57cHP5wRycFLtAYy248FVsh5DUpfnToA"
            ], 
            "value": 300000, 
            "script": "76a914f219f28b2be61ba587b0f4dbe4191155c93c388688ac"
        }, 
        {
            "script_type": "pay-to-pubkey-hash", 
            "addresses": [
                "1GMZ6rFQLatu8o6LGB1Ky5HHkyBXsqEUKd"
            ], 
            "value": 1449481, 
            "script": "76a914a86d009f3d9e2e8380b9bcb53b83ac332ae4e4fc88ac"
        }
    ], 
    "relayed_by": "54.166.175.155"
}

How do I determine whether it is signed with highS or not ?

gmaxwell

staff

Activity: 4242

Merit: 8672

If you are changing bitcoin core in response to this you are likely doing something wrong.

You can simply test anything here on your own too, just use two wallets in regtest mode and sign a transaction twice to get two versions.

Running this attack makes it hard to collect data on which signer software needs to be updated to produce lowS signatures-- which is important for fixing the behavior--, so it would certainly be preferable if it weren't going on. (... not like this thread actually gives a darn about fixing the behavior. Sad

)

Zombier0

sr. member

Activity: 435

Merit: 250

Quote from: amaclin on October 05, 2015, 11:38:35 PM

Quote from: TooDumbForBitcoin on October 05, 2015, 11:22:33 PM

If there is no Madoff (or more respectfully, no Ponzi), there is no ponzi scheme.

Wrong logic.

Will u re-run it soon? I have made a small fork of qt and would like to test it

unamis76

legendary

Activity: 1512

Merit: 1012

Quote from: Zombier0 on October 06, 2015, 10:34:50 AM

Is the attack still going?

Apparently not. Source

Zombier0

sr. member

Activity: 435

Merit: 250

Is the attack still going?

hhanh00

sr. member

Activity: 467

Merit: 267

Quote from: gmaxwell on October 05, 2015, 06:28:14 PM

This is a fine thing to do (though it requires first getting the amount of non-canonical producers down to a negligible amount, something I've been trying to accomplish for two years!);

Wouldn't seeing their transaction rejected by the miners be a good incentive for them to update their code or put pressure on their wallet developer to do so?

Mickeyb

hero member

Activity: 798

Merit: 1000

Move On !!!!!!

Quote from: BitcoinNewsMagazine on October 05, 2015, 05:03:58 PM

Quote from: Mickeyb on October 05, 2015, 04:50:26 PM

So is malleability attack still under way? I have a friend that had to move coins very urgently, he has just called me and asked me what's wrong and what should he do.

His transaction is not showing up on the other side.

Thanks guys!

Supposedly you can check if the attack is on at Satoshi - Transactios third chart down. Right now the attack is off per the chart.

Oh ok, this is very handy. I will let my friend know about this site. Thanks for the help!

amaclin

legendary

Activity: 1260

Merit: 1019

Quote from: TooDumbForBitcoin on October 05, 2015, 11:22:33 PM

If there is no Madoff (or more respectfully, no Ponzi), there is no ponzi scheme.

Wrong logic.

TooDumbForBitcoin

legendary

Activity: 1638

Merit: 1001

Quote from: amaclin on October 05, 2015, 02:30:29 PM

Quote from: unamis76 on October 05, 2015, 02:22:44 PM

Besides this, Satoshi seems to have had quite a few reasons to develop
Bitcoin such as fleeing from banks, creating a trustless system, etc.

OK. So my reason is to protect your life savings from this ponzi scheme called bitcoin

I want to prove that decentralized trustless system can not exists in long term.
It either transforms to centralized system or loses its security.

In the one million instances where someone has lazily called Bitcoin a ponzi scheme, I have yet to see anyone provide the answer to this obvious, but heretofore unasked, question:

If Bitcoin is a ponzi scheme, who is Bitcoin's Bernie Madoff? If there is no Madoff (or more respectfully, no Ponzi), there is no ponzi scheme.

Investors (speculators) in Bitcoin are not relinquishing their capital to anyone for nothing in immediate return, with the expectation of nothing more than a high-interest yield on that capital. They are buying a commodity/tool/currency. They may have an expectation of return/profit/yield/revolution/utility that will not materialize to their satisfaction, but they also holding something in their hand while they're waiting. They have not turned control of their capital over to a central actor - Madoff, or Ponzi, or whatever imaginary unnamed actor the "ponzi scheme" gossips are inadvertently invoking.

Bitcoin may be something imperfect doomed to failure, even doomed to manipulation, but it is not a ponzi scheme.

One by one - everyone should stop malleating the vocabulary of the criminal financial world.

dexX7

legendary

Activity: 1106

Merit: 1026

Quote from: gmaxwell on October 05, 2015, 06:28:14 PM

This is a fine thing to do (though it requires first getting the amount of non-canonical producers down to a negligible amount, something I've been trying to accomplish for two years!); but it does not achieve the goals of BIP62, which is to make transactions involving refunds safe... doing that requires that the solution not depend on miner honesty.

I actually considered it as first step to pave the way, not as ultimate solution. Besides reducing the rate of rejected legit transactions (edit: just to clarify, the reduced rate of rejected transactions is only applicable, if there a mechanism in place to block non-canonical signatures), users whose transactions are mutated in a favorable format are likely still annoyed to some degree, so it's a bit like shaking a tree, and seeing what falls down (i.e. which wallet implementations are mentioned, if users complain about the mutations).

gmaxwell

staff

Activity: 4242

Merit: 8672

Quote from: dooglus on October 05, 2015, 06:06:49 PM

Yes, and that sounds like a good solution. Miners could mutate all transactions into their 'canonical' state before mining them. That way well behaved wallets aren't affected, and wallets creating weird transactions still have their transactions mined, but with a different txid.

This is a fine thing to do (though it requires first getting the amount of non-canonical producers down to a negligible amount, something I've been trying to accomplish for two years!); but it does not achieve the goals of BIP62, which is to make transactions involving refunds safe... doing that requires that the solution not depend on miner honesty.

Thus BIP62... that it fixes third party txid aggravation for a subset of transactions is a helpful side effect (though first/second party txid changes and malleability will _always_ remain in general, because it's a feature.. not a bug. And wallets do need to handle it sanely).

But it seems people are much more interested in whining here than working even the basic detective work to cut out the last of the non-canonical users on the network (which I've asked people to do _twice_ in this thread, and not a single message has made progress towards that). Come on people, don't prove Amaclin right about the Tragedy_of_the_commons comment.

dooglus

legendary

Activity: 2940

Merit: 1333

Quote from: ElectricMucus on October 05, 2015, 03:44:15 AM

Quote from: dooglus on October 04, 2015, 09:28:36 PM

Quote from: ElectricMucus on October 04, 2015, 03:46:55 PM

The really juicy bit about this thing is that the core developers don't want to fix it because it might prevent future vaporware uses of the bitcoin protocol to be established.
https://np.reddit.com/r/Bitcoin/comments/3nfb2y/eli5_for_double_spends_bitcoin_being_sent_twice/cvnl2wo

Any idea what this is referring to?

Quote

schemes that make malleability irrelevant are subject to dangerous signature replay attacks if not handled very carefully

Is he saying that implementing BIP 62 opens up a new known attack vector?

What I meant was the idea that what goes into transaction should be "open to the user".
Imagine you had a database and added to the ability to store arbitrary information into each row, this is why rational databases exist which require you to define the type of data you want to store before you do add that information. The game of whack-a-mole is because even when they remove malleability for necessary transaction data it still doesn't prevent that attack because each entry has "scrap space" after that.
My suggestion is to abandon that concept because it's not a sane approach to storing data but a software engineering nightmare.

Sorry, but I still don't get it. If BIP62 was implemented, what new attack vector does it open up? What's this "scrap space" you mention? BIP62 appears to shut down all the different ways to maleate a transaction and specifically addresses "Superfluous scriptSig operations" in step 6, which is the closest I can find to anything that might be considered "scrap space".

Quote from: rawbot on October 05, 2015, 05:17:01 AM

And you guys have the nerve to call other crypocurrencies "shitcoins".

Well, they are mostly just clones of bitcoin anyway, and so have exactly the same issue unless they fixed it themselves. It's not like copying the bitcoin source and changing a few numbers fixes anything.

Quote from: ?? on ??

This is great news. It exposes the vulnerabilities and weaknesses of bitcoin and allows for better cryptocurrencies, like Litecoin, to grow.

How was this fixed in Litecoin? Do you have a link to the pull request please?

Quote from: amaclin on October 05, 2015, 02:30:29 PM

So my reason is to protect your life savings from this ponzi scheme called bitcoin

I want to prove that decentralized trustless system can not exists in long term.
It either transforms to centralized system or loses its security.

But this attack proves no such thing.

Quote from: dexX7 on October 05, 2015, 04:54:53 PM

The ongoing active mutation of transactions made me wonder, whether targeted mutation could be leveraged - by miners or nodes - to facilitate the process:

Yes, and that sounds like a good solution. Miners could mutate all transactions into their 'canonical' state before mining them. That way well behaved wallets aren't affected, and wallets creating weird transactions still have their transactions mined, but with a different txid.

coins101

legendary

Activity: 1456

Merit: 1000

Quote from: amaclin on October 05, 2015, 03:50:50 PM

Quote

You are confusing the price volatility of bitcoin with the utility of being able to transact internationally without the pain of banks or middle men.

Price to any currency does not matter. Currencies volatile to each other, so it is not possible to create non-volatile crypto.
If the price is not volatile to dollar - it will volatile to brasilian real.

You see. You proved the point. Economic speculation.

BitcoinNewsMagazine

legendary

Activity: 1806

Merit: 1164

Quote from: Mickeyb on October 05, 2015, 04:50:26 PM

So is malleability attack still under way? I have a friend that had to move coins very urgently, he has just called me and asked me what's wrong and what should he do.

His transaction is not showing up on the other side.

Thanks guys!

Supposedly you can check if the attack is on at Satoshi - Transactios third chart down. Right now the attack is off per the chart.

Topic: New transaction malleability attack wave? Another stresstest? - page 8. (Read 41229 times)