[bitcoin-dev] Boost Bitcoin circulation, Million Transactions Per Second with stronger privacy

ZmnSCPxj ZmnSCPxj at protonmail.com
Tue Jun 29 21:42:26 UTC 2021 

Good morning Raymo,

> Hey Alex,
>
> Your scenario works perfectly unless we put some restrictions on
> accepting transaction by creditor (in our case Bob).
> These are restrictions:
> Alice has to use a UTXO (or some UTXOs) worth at least 40,000 Sat as
> transaction input.
> Alice has to reserve 10,000 Sat as transaction fee (for MT transaction)
> regardless of transaction length or input/output amounts.
> Alice always pays at least 4,000 Sat of BTC-transaction-fee, and the
> 6,000 remined fee must be paid by she and Bob in proportion to their
> outputs amounts)
> Alice can issue a transaction the has maximum 20,000 outputs for
> creditors (Bob and others).
> The rest (if exist) is change back to Alice address.
> The GT is formed based on MT.
> Bob considers a transaction couple (MT, GT) valid only if they respect
> these rules.
>
> Let’s put it in practice using some numbers (although you can find more
> detailed explanation in paper).
>
> The MT would be like that:
> Input: 40,000 Satoshi
> Outputs:
> Bob: 20,000
> BTC-fee: 10,000
> Change back to Alice: 10,000
>
> Based on this MT the GT will be
> Input: 40,000 Satoshi
> Outputs:
> Bob: 20,000 – 20,00070% = 6,000
> BTC-fee: 10,000 + (14,000 of Bob’s output) + (1,500 of Alice’s change
> back) = 25,500
> Change back to Alice: 10,000 – 10,00015% = 8,500
>
> Now if Alice wants to spend UTXO to Charlie with higher fee, she has to
> pay at least 25,500 + 1 Satoshi as BTC fee in order to convince miners
> to put his fraudulent transaction instead the GT in next block.
> Alice already got 20,000 Sat profit from Bob. Now she can earn another
> 14,999 Sat profit from Charlie because of same UTXO worth 40,000
> Satoshi.
> Indeed, she spent 40,000 Sat and in total got equal to 34,999 Sat goods
> or services.
> Is she a winner?
> I am not sure!
> What do you think?

You assume here that Alice the issuer only has a single UTXO and that it creates a single transaction spending that UTXO.

It is helpful to remember that miners consider fee*rate*, but your security analysis is dependent on *fee* and not fee*rate*.

Now consider, what if Alice creates 1000 UTXOs, promises GTs and MTs to 1000 different Bobs?

Now, a GT has one input and two outputs.

1000 GTs have 1000 overheads (`nLockTime` and `nVersion` and so on), 1000 inputs, and 2000 outputs.

Now Alice the issuer, being the sole signer, can create a fraudulent transaction that spends all 1000 UTXOs and spends it to a single Carol output.

This fraudulent transaction has 1 overhead, 1000 inputs, and 1 output.

Do you think Alice can get a better fee*rate* on that transaction while paying a lower aggregate *fee* than all the GTs combined?
Remember, you based your security analysis on Alice being forced to pay a larger *fee*, but neglect that miners judge transactions based on fee*rate*, which is subtly different and not what you are relying on.
I am sure that there exists some large enough number of UTXOs where a single aggregating fraudulent transaction will be far cheaper than the tons of little GTs your security analysis depends on.

This is why we do not use 1-of-1 signers in safe offchain protocols.
Not your keys, not your coins.

--

In addition, your analysis is based on assuming that miners are perfect rational beings of perfect rationality, ***and*** are omniscient.

In reality, miners possess bounded knowledge, i.e. they do not know everything.

Even if Alice is in possession of only a single UTXO, Alice can still feed miners a transaction with lower feerate than the MT, then feed the rest of the network with a valid MT.
Because transactions propagate through the network but this propagation is ***not*** instantaneous, it is possible for the MT to reach the miners later than the fraudulent transaction.
In this window of time, a block may be mined that includes the fraudulent transaction, simply because the lucky miner never managed to hear of the correct MT.

This attack is essentially costless to Alice, especially for big enough transactions where mining fees are a negligible part of the payment.

This is why we do not use 1-of-1 signers in safe offchain protocols.
Not your keys, not your coins.

Regards,
ZmnSCPxj

More information about the bitcoin-dev mailing list