Topic: Two Bitcoins at the Price of One - page 2. (Read 13447 times)

+1
Also, won't using escrowed funds through an m-of-n transaction mitigate the risk of a zero-confirmation double-spend? The action of unlocking the funds using multiple keys should be more time consuming that unlocking a single address. I would think that these transactions would require a fee to confirm through most bit-auditors miners, which would also deter spend 2x.

Why not to take it a step further and simply do not propagate a transaction message if receiving address belongs to the vendor/owner of the node. This effectively turns all vendor’s peers into listening posts.

It is also hard to judge which node is the farthest. On internet distance can be quite tricky: ping time, trace hoops, BitCoin hoops, geographic distance. While it is hard to find farthest one, it is quite easy to locate peers which are close to each other, the difference in timing of messages from two close nodes will have low variation.

Seems obvious now but I'd completely overlooked it. I was thinking that you could wait and see if you hear another with the same inputs.

I read the suggestions presented in the paper, and I've personally proposed both over a year ago.  Looks to me like someone has been lurking the forum and turned that into a school project.  The 'listening post' solution that they present isn't even as hard as they imply, because there is a flaw in how they perceive transactions propagate.  Normally, a transaction is transmitted to every peer once verified, but do not propagate those that fail validity at all.  So any particular vendor is unlikely to ever receive both transactions in a race attack, as the only nodes that get both are, by definition, the "front" where the propagation waves of each transaction meet.  Yet if a vendor, who accepts 0/conf transactions, were to modify his own client to send transactions to all peers except one (preferablely as far from himself along the network topology as he could determine) then that client could simply wait to get the 'correct' transaction from both his "nearby" peers and his chosen special peer from across the network.  If they match & are good, then a (successful) race attack is very unlikely.  If they don't match or the special peer never sees either transaction, then something has gone wrong and the trade should not be approved.

This method doesn't require that a special service or a distant node owned by the vendor exist.

I can agree that the marketing ring to the article was a bit negative. However, it is a constructive article. Authors propose an improvement which will make 0-confirmation transactions safer.

If you read it carefully, the proposed alert mechanism may be very useful. The only problem I can see, is that overspending a coin N times may generate O(N^2) alerts. Hence generation and propagation of alerts must be a little bit smarter than authors of the paper envisioned. Before rising or propagating and alert, nodes must search their cache of alerts not only for an exact match, but also for any other alert that contains transactions with the same inputs.

Over all, it is a valuable food for thought.

The ten second window has been (intuitively) known among most of the old salts of this forum for two or three years.  This might be the first time that it was confirmed with any kind of experiment, or perhaps not.  Many methods of reducing exposure risk to a 0/conf race attack have been proposed, but none yet implimented simply because they don't have any current demand in the marketplace.  I've personally suggested more than one method, myself.  Furthermore, since there are so many different tactics at reducing said exposure, there is no practical way that an attacker could know in advance which method, if any, his mark may be employing.  The simplest method of all would be to simply delay the completion of the transaction for ten seconds.  How often have you seen an electronic check or a cc transaction take longer than that?

Yes, waiting 29.9 seconds is terribly dangerous.

I didn't read it all, but I'd suggest a title of "wait 30 seconds and you're in the clear"

I doubt you'll come across it in a peer-reviewed venue.


No.  It's a problem for 0-confirm transactions, which has been obvious since the original Bitcoin paper.

"Fast" transactions can mean lots of things.  Sounds like the "researchers" who wrote this paper concocted the new term so they could flaunt the problems it has.  Pointing out the flaws in "I didn't wait for confirmations and got hacked" doesn't have quite the same ring to it.

The authors need to re-title their paper "here is yet another reason you shouldn't accept 0-confirmation payment for non-recourse transactions".

so many great bitcoin start ups Iv never heard of. thanks for the link

The method used in the research paper relied on the ability to know the IP address for the vendor and to directly connect to that vendor's node.  (which presumes that the vendor's firewall has UPnP enabled and/or the port for Bitcoin is accessible from the outside, such as when the network's firewall has port forwarding enabled and is routing that traffic to the host that the Bitcoin node runs from.)

And shock of all shocks, a race attack was successful in nearly every attempt.

Here were recommendations for merchants not considered by these researchers:


 - http://bitcoin.stackexchange.com/questions/2622#2625

Exactly.  You may as well just run out of the establishment with the goods in hand.  It'd be the same result either way.

The suggested double spend alert would be hard to do as it would open doors for DOS attacks.

I see only green addresses or to a degree well connected clients to do instant payment for now.

In the end I wouldn't worry too much about brick and mortar fraud as here the client has a face to loose within 10s. It would just be too risky to actually see my double spend attempt being identified as such even within 10s.

I'm still reading it but it was already a recommendation that the merchant not allow incoming network traffic (and disable UPnP) and to explicitly connect only to well-known nodes, preferably the mining pools.

I don't see anything in the report yet that indicates they tested using this configuration.

Gotta love bitcoin 

And there you go!  An intermediary processor that takes the risk of double-spends in exchange for a fee.

http://zipconf.com

This will be the solution for 0 confirmation transactions. This service will only work with exchanges at the moment, but its only a matter of time before BitPay or coinDL use a similar system to protect them from double-spends.

The 0-confirm double spend is something which has been known and studies for some time.

That being said a 10 sec window for real world face to face transactions is just asinine.

Counter experiment.
Go to starbucks, order, swipe your credit card.
START STOPWATCH
wait for coffee ... wait .... wait ... get coffee ... walk to door ... get in car ... drive out of line of site.
STOP STOP WATCH

I am 99% certain the elapsed time is going to be >10 sec.

There are methods to reduce (but likely never eliminate) the fraud risk of 0-confirm double spends.  That being said no payment system is without risk.

Cash:  counterfeit bills, theft, bank processing fees (which is why stores "generously" allow cashback)
Credit cards: stolen cards, friendly fraud,  never ending cut to VISA/MC.

The goal isn't to reduce fraud/theft/loss to 0%.  Doing that likely will drive away consumers.  The goal is to reduce the COST OF PROCESSING transactions which includes everything from employee training to fraud to bank fees to infrastructure/logistics.  

Any service that uses 0-conf is usually for cheap, low-dollar goods.  Businesses take the same risk when they sell goods that might potentially be bought with counterfeit dollars, a stolen credit card, or a bad check.  Bad funds received are just a part of doing business.

It's not likely that many people will go through the trouble of doing a 0-conf double spend, and those that do will need to cover their tracks well.  It can be days before a business knows that they received a bad check - 10 seconds means the criminal needs to get out of a physical location quickly!  For digital downloads and such, if enough people do it, then they'll simply wait a bit longer to give away the download link, or whatever it is they are waiting on.