Author

Topic: Safer instant txs - The nuclear option (Read 1406 times)

member
Activity: 89
Merit: 13
February 05, 2012, 07:20:46 PM
#7
hero member
Activity: 772
Merit: 501
February 05, 2012, 06:19:29 PM
#6
Quote
I'm suggesting that we can improve matters without knowing which is which. BOTH versions of the tx become invalid and the money is effectively destroyed. Therefore, the merchant doesn't get paid, but the cheating customer does not get his money back either. Importantly, both the paying output and the change  
is destroyed.

I can't see any holes in this. It would pretty much eliminate the double spending problem and make instant transactions possible for all circumstances.

One variation on this to avoid contraction of the bitcoin supply would be to redirect the destroyed coins to transaction fees for the miner that discovers the block six blocks after the one where the double spend occurred.

I suggest six blocks because that would mean that a miner perpetrating the Finney attack would need to create six blocks in a row, which is nearly impossible unless they have close to 50% of all mining power, to earn back the destroyed coins.
full member
Activity: 169
Merit: 100
Firstbits : 1Hannes
February 05, 2012, 04:07:28 PM
#5
I think a vending machine is the least likely attack location for double spend.

Don't really want to get this further off topic, but I can't resist. What is the most likely attack location for a double spend according to you?

Keep in mind that any supplier not in meatspace will  have little qualms with making you wait. If not for a block, then at least for a minute or two. Unlike meatspace retailers, their other clients are not waiting in line behind you, so the 1 minute waiting time is not cumulative. If you take care to broadcast the tx to the best connected nodes and those with the most mining capacity and you surveil the network carefully for the next minute, the risk of a double spend succeeding dwindles to zero real quick.
donator
Activity: 1218
Merit: 1079
Gerald Davis
February 05, 2012, 03:41:41 PM
#4
I think a vending machine is the least likely attack location for double spend.

Low value product, in meatspace.  One could also counterfeit $1 bills to defraud vending machines but nobody does.  Most commonly attacks on vending machines are to steal the money not the product and that is a risk Bitcoin eliminates.
full member
Activity: 169
Merit: 100
Firstbits : 1Hannes
February 05, 2012, 02:55:34 PM
#3
Valid concern... as far as I can see.. But user does not have to spend 10 times same amount.

For example, I have 100 BTC on some address. I make 1 BTC transaction. The minute later I make another transaction for 100 BTC.

I'm not sure that I understand your objection. The protocol would not enforce any ratio between the amount spent and the amount available. So what you describe is perfectly possible, and in that case the entire 100 BTC would get burnt (well, 50 BTC would go to a miner and 50 BTC would become unspendable forever).

Where some ratio might be enforced, is by the vendor. So if I pay for a 1BTC cold drink from a vending machine with an output worth 1BTC and I subsequently try to double spend, then the vendor loses his cash. BUT, if I pay from an output or outputs worth 10 BTC and get 9 BTC change, then the vendor can dispense the product, since any attempt by me to defraud them of the 1 BTC would result in me losing 9 BTC. Therefore rational behaviour by the vendor would be to accept both kinds of payments, but in the first case I will have to wait for one or two confirmations before getting my drink, In the second case I can get it immediately. If the reasoning about how much harm a thieving user would do to himself does not reassure you as vendor, you could always take out insurance on your receiving address. No sane person could offer such insurance in the current system, because you would see insurance fraud on a massive scale, with people executing double spends against themselves and claiming against their insurance.

I figure if Mutually assured destruction could keep two superpowers from war for 46 years, surely it can protect my 1 BTC from a double spend for 10 minutes. Smiley
hero member
Activity: 558
Merit: 500
February 05, 2012, 02:27:41 PM
#2
Valid concern... as far as I can see.. But user does not have to spend 10 times same amount.

For example, I have 100 BTC on some address. I make 1 BTC transaction. The minute later I make another transaction for 100 BTC.
full member
Activity: 169
Merit: 100
Firstbits : 1Hannes
February 05, 2012, 04:13:32 AM
#1
I've been thinking about 0-confirmation txs and how accepting them can be made safer. I'm of the opinion that they are already safe (well safer than competing options) for most applications. If you are buying something from a bricks-and-mortar retailer and attempting a double spend shortly after leaving the paypoint, there is a real chance that you can still be apprehended. The longer you wait before sending the second tx, the smaller the chance of being caught gets, but the chance of a successful double spend also shrinks very rapidly. In addition, CCTV footage of the paypoint means that you can still be identified and blacklisted, even if your double spend attempt failed.

However, there are applications where a customer could attempt a double spend with essentially zero risk of negative consequences. It is these that are of real interest. One example is a bitcoin vending machine. The second tx can be sent as soon as the machine dispenses the product, and the machine cannot reasonably delay more than a few seconds after receiving the first tx. CCTV could also be trivially defeated in this case (masks, hoodies, or even just holding your hand  in front of your face). The chance of a successful double spend is  still low, but since the risk is almost non-existent, we can expect many double spend attempts and consequently, some successes.

My proposal hinges on the way that miners handle the case when they see multiple conflicting txs. Today, they are supposed to accept only the first tx seen, but this behaviour cannot be enforced. A profit-optimising miner would accept whichever version carries the largest tx fee and no-one would be able to prove that it wasn't following the rules. This allows for miner bribing double spend attacks, where a larger tx fee is offered in order to increase the odds of one version of a tx winning the race into a block.

Others have proposed earlier that miners should include BOTH of these txs in a special "double-spend alert" section of the block. The problem remains that we have no way of knowing which of the versions goes to the merchant and which is the back-to-self version. I'm suggesting that we can improve matters without knowing which is which. BOTH versions of the tx become invalid and the money is effectively destroyed. Therefore, the merchant doesn't get paid, but the cheating customer does not get his money back either. Importantly, both the paying output and the change 
is destroyed.

So, if I am a vending machine operator, I may "safely" accept instant txs for a value of X, conditional that the input(s) used to pay me add up to at least 10 X (or some other multiplier of my choice, the more paranoid I am the higher). Then I know that the cash I accepted can still be burnt after I dispensed the product, but the customer would also burn 9 times as much of his own money in the process. This seems pretty safe to me. If I was really paranoid, I could buy insurance against events like these. The premium would be incredibly small, because there is no possibility of defrauding the insurance company. The only way to claim X would be to burn 10 X. In a rational world that never happens. In the real world, it happens very rarely and with very small amounts.

An improved variation, would be to burn only half the money and award the other half to the miner who reported the double spend attempt. This incentivises miners to mine these, while eliminating the "bribe-a-miner" attack.

Then the only way for someone to safely execute a successful double spend is to not broadcast the second tx and mine the block containing it themselves. This radically reduces the number of potential  perpetrators (essentially only a pool-op has a non-negligible chance of doing this). If we wanted to close this theoretical loophole as well, we could allow a double spend report to occur, one or two blocks AFTER the first tx had allready made it into the chain). This complicates book-keeping, since the tx fee reward for the first block is now effectively less than what is stated in the block, but it is certainly possible.

I realise that it is probably too late for this to be used in bitcoin as it would require a hard fork of the blockchain. Might be useful for an alt-chain though. Or am I missing something?
Jump to: