đź“™
[EN] The Book of Satoshi by Phil Champagne (beta)
source
  • The Book of Satoshi : The Collected Writings of Bitcoin Creator Satoshi Nakamoto by Phil Champagne
  • About the Cover Picture
  • Acknowledgements
  • Who This Book is Intended For
  • Foreword
  • 1. Introduction
  • 2. How and Why Bitcoin Works
  • 3. The First Post on Crypto Mailing List
  • 4. Scalability Concerns
  • 5. The 51% Attack
  • 6. About Centrally Controlled Networks Versus Peer-to-Peer Networks
  • 7. Satoshi on the Initial Inflation Rate of 35%
  • 8. About Transactions
  • 9. On the Orphan Blocks
  • 10. About Synchronization of Transactions
  • 11. Satoshi Discusses Transaction Fees
  • 12. On Confirmation and Block Time
  • 13. The Byzantine General's Problem
  • 14. On Block Time, an Automated Test, and the Libertarian Viewpoint
  • 15. More on Double Spend, Proof-of-Work and Transaction Fees
  • 16. On Elliptic Curve Cryptography, Denial of Service Attacks, and Confirmation
  • 17. More in the Transaction Pool, Networking Broadcast, and Coding Details
  • 18. First Release of Bitcoin
  • 19. On the Purpose For Which Bitcoin Could Be Used First
  • 20. "Proof-of-Work" Tokens and Spammers
  • 21. Bitcoin Announced on P2P Foundation
  • 22. On Decentralization as Key to Success
  • 23. On the Subject of Money Supply
  • 24. Release of Bitcoin Vo.1.3
  • 25. On Timestamping Documents
  • 26. Bitcointalk Forum Welcome Message
  • 27. On Bitcoin Maturation
  • 28. How Anonymous Are Bitcoins?
  • 29. A Few Questions Answered By Satoshi
  • 30. On "Natural Deflation"
  • 31. Bitcoin Version 0.2 is Here!
  • 32. Recommendation on Ways to Do a Payment for An Order
  • 33. On the Proof-of-Work Difficulty
  • 34. On the Bitcoin Limit and Profitability of Nodes
  • 35. On the Possibility of Bitcoin Address Collisions
  • 36. QR Code
  • 37. Bitcoin Icon/Logo
  • 38. GPL License Versus MIT License
  • 39. On Money Transfer Regulations
  • 40. On the Possibility of a Cryptographic Weakness
  • 41. On a Variety of Transaction Types
  • 42. First Bitcoin Faucet
  • 43. Bitcoin 0.3 Released!
  • 44. On The Segmentation or "Internet Kill Switch"
  • 45. On Cornering the Market
  • 46. On Scalability and Lightweight Clients
  • 47. On Fast Transaction Problems
  • 48. Wikipedia Article Entry on Bitcoin
  • 49. On the Possibility of Stealing Coins
  • 50. Major Flaw Discovered
  • 51. On Flood Attack Prevention
  • 52. Drainage of Bitcoin Faucet
  • 53. Transaction to IP Address Rather Than Bitcoin Address
  • 54. On Escrow and Multi-Signature Transactions
  • 55. On Bitcoin Mining as a Waste of Resources
  • 56. On an Alternate Type of Block Chain with Just Hash Records
  • 57. On the Higher Cost of Mining
  • 58. On the Development of an Alert System
  • 59. On the Definition of Money and Bitcoin
  • 60. On the Requirement of a Transaction Fee
  • 61. On Sites with CAPTCHA and Paypal Requirements
  • 62. On Short Messages in the Block Chain
  • 63. On Handling a Transaction Spam Flood Attack
  • 64. On Pool Mining Technicalities
  • 65. On WikiLeaks Using Bitcoin
  • 66. On a Distributed Domain Name Server
  • 67. On a PC World Article on Bitcoin and WikiLeaks Kicking the Hornet's Nest
  • 68. Satoshi's Last Forum Post: Release of Bitcoin 0.3-19
  • 69. Emails to Dustin Trammell
  • 70. Last Private Correspondence
  • 71. Bitcoin and Me (Hal Finney)
  • 72. Conclusion
  • Bitcoin: A Peer-to-Peer Electronic Cash System
  • Terms & Definitions
  • Index
Powered by GitBook
On this page
  • 16
  • On Elliptic Curve Cryptography, Denial of Service Attacks, and Confirmation

16. On Elliptic Curve Cryptography, Denial of Service Attacks, and Confirmation

16

On Elliptic Curve Cryptography, Denial of Service Attacks, and Confirmation

SATOSHI COVERS transaction signatures, adds a bit more on denial of service attacks, and, finally, revisits transaction speed. A merchant could wait for 2 minutes after the consumer has made the transaction with his smartphone. Then the merchant (or the Bitcoin payment service company the merchant has chosen) would watch for double spend transactions on the Bitcoin network. Imagine that a consumer makes a transaction which we will call “X” in which he or she pays 1.5 BTC from a Bitcoin address ABC that holds 2 BTC. The consumer’s balance then falls to 0.5 BTC once the payment has been fully confirmed. Discussed here are the actions the merchant has to perform in order to monitor the network to see if any other transactions involving bitcoin address ABC appear and, if so, if the amount involved exceeds 0.5 BTC. If transactions meeting this criterion are detected within say, 2 minutes, the payment is considered not valid. Waiting for 2 minutes gives plenty of lead for transaction “X” to clear prior to any competing transactions coming later from Bitcoin address ABC. This indicates to the merchant that transaction “X” is very likely to be included in the current block of the majority of Bitcoin miners on which they are working and hence assures its eventual inclusion in the block chain.

Re: Bitcoin P2P e-cash paper

Satoshi Nakamoto Mon, 17 Nov 2008 09:06:020800

Ray Dillinger wrote:

One way to do this would be to have the person recieving the coin generate an asymmetric key pair, and then have half ofit published with the transaction. In order to spend the coin later, s/he must demonstrate posession of the other half of the asymmetric key pair, probably by using it to sign the key provided by the new seller.

Right, it’s ECC digital signatures. A new key pair is used for every transaction.

It’s not pseudonymous in the sense of nyms identifying people, but it is at least a little pseudonymous in that the next action on a coin can be identified as being from the owner of that coin.

Mmmm. I don’t know if I’m comfortable with that. You’re saying there’s no effort to identify and exclude nodes that don’t cooperate? I suspect this will lead to trouble and possible DOS attacks.

There is no reliance on identifying anyone. As you’ve said, it’s futile and can be trivially defeated with sock puppets.

The credential that establishes someone as real is the ability to supply CPU power.

Until . . . until what? How does anybody know when a transaction has become irrevocable? Is “a few” blocks three? Thirty? A hundred? Does it depend on the number of nodes? Is it logarithmic or linear in number of nodes?

Section 11 calculates the worst case under attack. Typically, 5 or 10 blocks is enough for that. If you’re selling something that doesn’t merit a network-scale attack to steal it, in practice you could cut it closer.

But in the absence of identity, there’s no downside to them if spends become invalid, if they’ve already received the goods they double-spent for (access to website, download, whatever). The merchants are left holding the bag with “invalid” coins, unless they wait that magical “few blocks” (and how can they know how many?) before treating the spender as having paid.

The consumers won’t do this if they spend their coin and it takes an hour to clear before they can do what they spent their coin on. The merchants won’t do it if there’s no way to charge back a customer when they find the that their coin is invalid because the customer has doublespent.

This is a version 2 problem that I believe can be solved fairly satisfactorily for most applications.

The race is to spread your transaction on the network first. Think6 degrees of freedom it spreads exponentially. It would only take something like 2 minutes for a transaction to spread widely enough that a competitor starting late would have little chance of grabbing very many nodes before the first one is overtaking the whole network.

During those 2 minutes, the merchant’s nodes can be watching for a double-spent transaction. The double-spender would not be able to blast his alternate transaction out to the world without the merchant getting it, so he has to wait before starting.

If the real transaction reaches 90% and the double-spent tx reaches 10%, the double-spender only gets a 10% chance of not paying, and 90% chance his money gets spent. For almost any type of goods, that’s not going to be worth it for the scammer.

Information based goods like access to website or downloadsare non-fencible. Nobody is going to be able to make a living off stealing access to websites or downloads. They can go to the file sharing networks to steal that. Most instant-access products aren’t going to have a huge incentive to steal.

If a merchant actually has a problem with theft, they can make the customer wait 2 minutes, or wait for something in e-mail, which many already do. If they really want to optimize, and it’s a large download, they could cancel the download in the middle if the transaction comes back double-spent. If it’s website access, typically it wouldn’t be a big deal to let the customer have access for 5 minutes and then cut off access if it’s rejected. Many such sites have a free trial anyway.

Satoshi Nakamoto

The Cryptography Mailing List

Previous15. More on Double Spend, Proof-of-Work and Transaction FeesNext17. More in the Transaction Pool, Networking Broadcast, and Coding Details

Last updated 12 months ago