Clearing the FUD around segwit

[freetrader]

@achow101 : Since we are talking about an attacker ...

What if we assume he is running a modified version of the software which does allow him to self-mine such an invalid tx .

He is basing his attack on the premise that the majority of hashing power (not running SegWit at that time) will be unable to reject the block.

How is he wrong?

 

[cypherdoc]

How does an attacking miner get an unsigned invalid tx into his block in the first place? It won't be confirmed or relayed so it has no chance to get buried 2000 blocks deep.

Remember that this SW unsigned invalid tx has been proposed to get inserted into a block in today's environment of non SW miners and non SW full nodes.

 

[freetrader]

Since it's a transaction of his own making, the attacker doesn't need to propagate it. He only propagates the mined block.

Once it's mined, I thought non-upgraded nodes cannot determine that it's an invalid block, because of how SegWit is being forked in (non-SegWit nodes could only say "nothing I can see here, move along") ?

Since the non-upgraded miners would be in the majority at that stage, they would accept it as part of the longest valid chain, no?

If this goes on for a while, I could see how the invalid tx could be deeply embedded in the chain.

 

[achow101]

franky went on irc to try to explain his scenario. this is the part of the exchange that matters because this is wher ethe flaw in his attack is explained. Franky is testicools here.

testicools> ok.. lets try this from a different angle. maybe that would clarify it. i make a transaction to spend satoshis 2009 stash.. BEFORE the checkpoint. if your saying anyone can spend that transaction after i have made it.. then goodluck
<CodeShark> how do you intend to spend satoshi's 2009 stash unless you have satoshi's private keys?
<testicools> because im using segwit code before its released so the signature doesnt get validated..
<CodeShark> you still need to have valid signatures to spend satoshi's stash
<CodeShark> satoshi's stash is not held in anyone-can-spend outputs
<testicools> old clients wont see the signature area..
<CodeShark> those signatures will be in the old area
<CodeShark> to spend a nonsegwit output you use a nonsegwit input
<testicools> not if i write a segwit transaction
<sipa> that would be invalid
<sipa> he output being soent determines where the signatures go
<testicools> but sgwit transactions are not invalid because old clients just treat them as funky transactions
<sipa> the outout being soent determines where the signatures go
<sipa> you can't use a segwit transaction to spend satoshi's coins. not to old clients, not to new ones
<sipa> please read up on the design
<testicools> so no one can move coins between old and new.. that makes segwit useless ..
<sipa> yes you can
<sipa> being segwit is a per-input and per-output thing
<CodeShark> to spend a nonsegwit output you use a nonsegwit input - the transaction containing this input can still have segwit outputs
<sipa> you can have a transaction that spends from a segwit output and moves to a normal one or the other way around
<sipa> but to spend a non-segwit output, you need non-segwit input
<sipa> and the other way aroundt

 

[freetrader]

Thanks for that, @achow101 . Any links to the full IRC log?

I thought franky1's attack was meant to hi-jack a legit non-SegWit transaction by mining a SegWit mutation thereof:

the transaction grabbed a random input from anyone

- i.e. wouldn't the attacker have access to a signed input that could be re-used with the attacker's segwit output, thus making a tx that old nodes would not reject?

 

[cypherdoc]

Is that where the irc conversation stopped?

 

[achow101]

@freetrader I don't have links to the irc log. I don't think the channel was logged, it was the #segwit-dev channel.

The scenario you described still wouldn't work because bitcoin signatures, with sighash all, cover all parts of the transaction (except the Sig itself) so that attackers cannot change the transaction. Segwit doesn't change this.

@cypherdoc pretty much. There are a few lines after where sipa tells him to leave because it was off topic for the channel once he was basically asking for an explanation of how bitcoin transactions work and then testicools basically told him off.

 

[freetrader]

The scenario you described still wouldn't work because bitcoin signatures, with sighash all, cover all parts of the transaction (except the Sig itself) so that attackers cannot change the transaction. Segwit doesn't change this.

Thanks, I believe the attack would not work. Breathing easier

 

[cypherdoc]

what's interesting is that someone like Satoshi could self mine his stash into an ANYONECANSPEND output today with the SW code from github, and yes, anyone could spend it to themselves. the difference being that in today's non SW enforced miner environment, the self mined block with it's Satoshi ANYONECANSPEND tx would be validated and relayed around the network by full nodes causing a free for all scramble for the funds by anyone. whereas, once SW activates with 95% miner enforcement of ANYONECANSPEND outputs, it can't be spent by anyone except it's rightful owner, Satoshi.

 

[Lee Adams]

Satoshi ANYONECANSPEND tx would be validated and relayed around the network by full node

and then spent by the lucky miner who found the next block after the transactions were relayed.

whereas, once SW activates

Exactly the same thing will be possible.

 

[Dusty]

what's interesting is that someone like Satoshi could self mine his stash into an ANYONECANSPEND output today with the SW code from github

You don't need the SW code to broadcast such a transition, why bother with it?

Also, if you would create now a SW transaction, all its witness data would not be not understood nor relayed from the network, so it would be useless.

 

[cypherdoc]

and then spent by the lucky miner who found the next block after the transactions were relayed.

not just a miner; anyone.

Exactly the same thing will be possible.

i don't get what you're saying.

if Satoshi, post SW activation, creates an ANYONECANSPEND tx to himself, then only he can spend from it, not just anyone.
[doublepost=1459786908,1459785932][/doublepost]

Also, if you would create now a SW transaction, all its witness data would not be not understood nor relayed from the network, so it would be useless.

i don't get your point b/c you're not specifying who is creating this SW tx.

a user cannot create a SW tx today b/c it is non standard and won't be validated nor relayed by other nodes across the network. otoh, a miner can self mine his own SW tx from an address he controls with his privkey into a non standard SW tx into his block and it will be propagated by other nodes across the network thus freeing up those funds for a free for all.

 

[cypherdoc]

@achow101

doesn't SW specify a 4MB maxblocksize somewhere in it's code?

 

[Lee Adams]

not just a miner; anyone.

It's whoever gets to it first. By default this will be the miner that mines the block.
[doublepost=1459796600][/doublepost]

if Satoshi, post SW activation, creates an ANYONECANSPEND tx to himself, then only he can spend from it, not just anyone.

Nope, pretty much anyone, but the lucky miner will get there first. Same as it is now, hence why it is known as anyonecanspend. Seg wit will not change this... unless the anyonecan spend is a seg wit, which would then be enforced by the new rules. If the miner tries to include this to himself, the block would be rejected/orphaned.

 

[achow101]

if Satoshi, post SW activation, creates an ANYONECANSPEND tx to himself, then only he can spend from it, not just anyone.

This is confusing. Satoshi could create a generic anyonecanspend transaction and anyone could spend from it. However, if his output is a segwit output, then only he would be able to spend from it after segwit activation. Before activation, then anyone could spend from that segwit output.

@achow101

doesn't SW specify a 4MB maxblocksize somewhere in it's code?

Yes. See https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#Block_size

 

[sickpig]

@achow101

doesn't SW specify a 4MB maxblocksize somewhere in it's code?

https://github.com/sipa/bitcoin/blob/1aeea99471e830491b0dc929b3dbaff350c5a72d/src/primitives/block.cpp#L35

sipa uses cost rather than size in commenting the code, the actual thing remain the same, hence the block size could reach 4MB.

 

[rebuilder]

Can someone clarify: Is the discount given to the witness when calculating total cost arbitrary or based on some clear metric?

 

[achow101]

@rebuilder It's a bit convoluted. The idea is that they want to keep the actual amount of data less than 4 Mb.

I think this is how the math works (with some help from ajtowns from here: https://bitco.in/forum/threads/gold-collapsing-bitcoin-up.16/page-308#post-11291)
Let "t" be the transaction data without the witness and "w" be the witness data. We need t to be the same to everyone for compatibility so it cannot change. However, the witness data w can be multiplied by some factor "x" to change the way that it is counted so that it is easier for implementation and keeps one limit, the block size limit.

The total amount of data being sent cannot exceed 4Mb because it was determined that most nodes and miners now can support a 4Mb block size limit (the effective increase this could go to).

So t+wx<1 and t+w<4
t+wx<1 can be rearranged to t+w-(1-x)w<1 which is t+w<1+(w/x) so then this becomes 1+(1-x)w<4 because of the earlier inequality. Then if we solve for x, we get (1-x)w<3. However w is still a variable and we need to get rid of it, so we take the highest it could possible be, (1/x) which comes from t+wx<1 where we assume t=0 for maximum w.The equation becomes (1-x)(1/x)<3. Then solving for x gets (1/x)-1<3 then 1/x<4 then x>1/4.Thus the witness data is multiplied by 1/4 (x=1/4) so that t+wx<1

 

[cypherdoc]

@rebuilder

For the most part its arbitrary based on work by jtoomim, wuille, gmax, and probably the Cornell Study that estimates that the true blocksize that the network can handle is in fact 4MB.
[doublepost=1459811642][/doublepost]@Lee Adams @achow101

Ok, some confusion in definitional terms by me. in my above Satoshi example, I was using the term ANYONECANSPEND interchangeably for both a "segwit" output by your definition (which can only be spent by the owner of it's privkey) and ANYONECANSPEND that can truly be spent by "anyone".

 

[cypherdoc]

It's whoever gets to it first. By default this will be the miner that mines the block.

yeah, i think that makes sense. it wouldn't matter if a user sent a tx around the network that took funds from the ANYONECANSPEND address first when a miner is the one that can intervene and cement his own version of the stealing tx into his own block.
[doublepost=1459812512][/doublepost]

This is confusing. Satoshi could create a generic anyonecanspend transaction and anyone could spend from it. However, if his output is a segwit output, then only he would be able to spend from it after segwit activation. Before activation, then anyone could spend from that segwit output.


Yes. See https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#Block_size

then why does Luke Jr give me convoluted answers like this?: