
A Segwit Coin is not a Bitcoin

This presentation explains how segwit coins have a weaker security model than bitcoins.


  1. 1. A Segwit Coin is not a Bitcoin 1 July 2017 Peter Rizun
  2. 2. “Cryptocurrency is more theology than science” Skepticism Fanaticism Alan Turing Medieval theologist Null hypothesis Divine scriptures
  3. 3. “Cryptocurrency is more theology than science” III Thou shalt download code from only the bitcoin core repo, for only it is divine IV Thou shalt mine no block larger than the holy number of 1 MB Passage from the Book of Blockstream/Core
  4. 4. I Bitcoin can move from place to place but cannot be created ex nihilo II In order for a bitcoin to move, the transfer must be authorized by the owner’s digital signature What rules do I consider unchallengeable?
  5. 5. What rules do I consider unchallengeable? I (Physical property rule) Bitcoin can move from place to place but cannot be created ex nihilo II (Private property rule) In order for a bitcoin to move, the transfer must be authorized by the owner’s digital signature With Bitcoin, both rules are on equal footing; with Segwit, the private property rule is subordinate to the physical property rule. • Manifestations of our ideologies • All rules could be seen as fanatical • Debate will not be settled by science
  6. 6. A Segwit Coin is not a Bitcoin Claims: 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  7. 7. Simplifying Assumptions • Miners are rational short-term profit-maximizing agents • No miner will knowingly be complicit in fraud • I.e., No miner will mine directly on top of a block that he knows to contain a fraudulent transfer
  8. 8. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker private-property model than bitcoins.
  9. 9. What is the definition of a bitcoin? Good place to look
  10. 10. What is the definition of a bitcoin? Find it on page 2
  11. 11. What is the definition of a bitcoin?
  12. 12. What is the definition of a bitcoin?
  13. 13. What is the definition of a bitcoin?
  14. 14. What is the definition of a bitcoin?
  15. 15. What is the definition of a bitcoin?
  16. 16. What is the definition of a bitcoin?
  17. 17. What is the definition of a bitcoin?
  18. 18. How is a Segwit coin different? A bitcoin A segwit coin Signatures are an integral part of the chain Signatures are outside of the chain
  19. 19. How is a Segwit coin different? A bitcoin A segwit coin A bitcoin is a chain of digital signatures while a segwit coin is not How does this change the coin’s properties?
  20. 20. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  21. 21. Transferring Ownership Without Witnessing the Signatures
      • Each node maintains a ledger of which coins belong to which entities (UTXO set)
      • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs
      • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer
      • For segwit coins, miners can update their UTXO set
      UTXO set (Hash: Public key): A46E: Alice’s; 58F1: David’s; 88CE: Ethyl's
  22. 22. Transferring Ownership Without Witnessing the Signatures
      • Each node maintains a ledger of which coins belong to which entities (UTXO set)
      • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs
      • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer
      • For segwit coins, miners can update their UTXO set
      UTXO set (Hash: Public key): A46E: Alice’s; 58F1: David’s; 88CE: Ethyl's ✓
  23. 23. Transferring Ownership Without Witnessing the Signatures
      • Each node maintains a ledger of which coins belong to which entities (UTXO set)
      • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs
      • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer
      • For segwit coins, miners can update their UTXO set
      UTXO set (Hash: Public key): A46E: Alice’s; 58F1: David’s; 88CE: Ethyl's; B56A: Bob’s
      B56A: Must witness signature for bitcoins
  24. 24. Transferring Ownership Without Witnessing the Signatures
      • Each node maintains a ledger of which coins belong to which entities (UTXO set)
      • Upon receiving a new block, miner parses transactions, removing spent outputs from his UTXO set and adding newly-created outputs
      • For bitcoins, since outputs are identified by hash, miner cannot update his UTXO set without witnessing the signatures that authorize the transfer
      • For segwit coins, this does not hold
      UTXO set (Hash: Public key): A46E: Alice’s; 58F1: David’s; 88CE: Ethyl's; F31A: Bob’s
      F31A: Witnessing signature is not necessary for segwit coins (not part of hash)
  25. 25. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  26. 26. Segwit signatures are less valuable (each row: Bitcoin | Segwit)
      • Profit with sigs: Reward + Fees – Cost | Reward + Fees – Cost
      • Profit without: Reward x (1-P) – Cost | (Reward + Fees)(1-P) – Cost
      • Value of sigs: P x Reward + Fees | P x (Reward + Fees)
      • As P → 0: Fees | 0
      Note: P is probability that previous block was invalid
  27. 27. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  28. 28. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy Bitcoins
  29. 29. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy Witnessing becomes more profitable Bitcoins: stable equilibrium
  30. 30. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy Segwit coins: multiple equilibriums
  31. 31. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy Segwit coins: multiple equilibriums
  32. 32. To witness or not to witness? A Nash equilibrium is stable if a small change for one player leads to a situation where two conditions hold: 1. the players who did not change have no better strategy in the new circumstance 2. the player who did change is now playing with a strictly worse strategy Segwit coins: multiple equilibriums
  33. 33. To witness or not to witness? Segwit coins: multiple equilibriums Only stable equilibrium
  34. 34. A Segwit Coin is not a Bitcoin: talk outline 1. Segwit coins have a different definition than bitcoins, which gives them different properties. 2. Unlike with bitcoins, miners can update their UTXO sets without witnessing the previous owners’ digital signatures. 3. The previous owners’ digital signatures have significantly less value to a miner for segwit coins than for bitcoins because miners do not require them in order to claim fees. 4. Although a stable Nash equilibrium exists where all miners witness the previous owners’ digital signatures for bitcoins, one does NOT exist for segwit coins. 5. Segwit coins have a weaker security model than bitcoins.
  35. 35. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of miners that mines on our block when we have a block race
  36. 36. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of miners that mines on our block when we have a block race Keep private
  37. 37. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of miners that mines on our block when we have a block race Now release
  38. 38. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race This block more likely to be orphaned. Punishes miners who wait for witness data.
  39. 39. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race γ = 1 Our strategy is always more profitable
  40. 40. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race γ =0.5 Our strategy is more profitable if defectors control more than 25% of the hash power
  41. 41. Kill Segwit and Earn a Profit • Tempt other miners into not witnessing the segwit signatures • Strategically withhold and release witness extension block using variant of selfish-mining strategy • γ is the fraction of hash power that mines on our block when we have a block race γ = 0 Our strategy is more profitable if defectors control more than 33% of the hash power
  42. 42. Kill Segwit and Earn a Profit • When we’re confident that the majority of the network is no longer waiting for witness data then: • Begin re-routing segwit transactions to our own personal addresses • Never release the witness data (no valid witness exists) • Blocks get built above confirming our fraudulent transfer • No one has proof that a fraud occurred • “Everyone must have pruned the witness data”
  43. 43. This wouldn’t work for the P2SH soft fork • Variation of this attack for P2SH: • Instead of withholding the segwit extension block, just withhold the signature for a P2SH transaction • Use same strategy to entice miners to mine on the block (missing only a single signature for a single transaction) • Doesn’t work! • There is no way the other miners can be sure that the transactions that make up the block actually correspond to the Merkle root in the block header. • Any third party could have proposed that a different block corresponded to the known block header! There’s no way to tell who is lying. • Miners would have to mine empty blocks instead and the entire system breaks down.
  44. 44. Thought Experiment Imagine that you have 100 BTC in a segwit address and a few days later you notice that they've been transferred to an address that you do NOT control. You try to find the signature that authorized the transfer to prove the theft (you're sure your private keys were secure so you think the signature must be bogus) but conveniently nobody seems to have it saved. Can you prove that your funds were stolen?
  45. 45. Thank you! Peter Rizun peter.rizun@gmail.com
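
Added example (not from the slides or from any Bitcoin implementation): slides 21 to 24 turn on which bytes a transaction's identifying hash covers. The Python below serializes a one-input, one-output transaction in the Bitcoin wire format, with constructed keys, signatures and outpoint, and shows that swapping the signature changes a legacy txid but leaves a segwit txid unchanged, so only the wtxid moves.

```python
import hashlib
import struct

# Constructed sample values (not real keys, signatures or outpoints).
PREV_TXID = bytes.fromhex("11" * 32)
VALUE = 50_000                                    # satoshis
SCRIPT_PUBKEY = b"\x00\x14" + bytes(20)           # P2WPKH-shaped output script
PUBKEY = b"\x02" + bytes(32)
SIG_A = b"\x30" + b"\xaa" * 70
SIG_B = b"\x30" + b"\xbb" * 70

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def lp(data: bytes) -> bytes:
    """One-byte length prefix; for items of 75 bytes or less it is also the script push opcode."""
    assert len(data) < 0xFD
    return bytes([len(data)]) + data

def serialize(script_sig: bytes, witness=None) -> bytes:
    """Wire format of a 1-input, 1-output transaction; BIP144 layout when a witness is given."""
    tx = struct.pack("<i", 1)                                     # version
    if witness is not None:
        tx += b"\x00\x01"                                         # segwit marker + flag
    tx += b"\x01" + PREV_TXID[::-1] + struct.pack("<I", 0)        # one input: outpoint
    tx += lp(script_sig) + struct.pack("<I", 0xFFFFFFFF)          # scriptSig, sequence
    tx += b"\x01" + struct.pack("<q", VALUE) + lp(SCRIPT_PUBKEY)  # one output
    if witness is not None:
        tx += bytes([len(witness)]) + b"".join(lp(w) for w in witness)
    return tx + struct.pack("<I", 0)                              # locktime

def ids(sig: bytes, segwit: bool):
    """Return (txid, wtxid) as hex for a spend authorised by `sig`."""
    if segwit:
        txid = dsha256(serialize(b""))                            # witness stripped
        wtxid = dsha256(serialize(b"", [sig, PUBKEY]))            # witness included
    else:
        # Legacy: the signature sits in scriptSig, which the txid covers.
        txid = wtxid = dsha256(serialize(lp(sig) + lp(PUBKEY)))
    return txid[::-1].hex(), wtxid[::-1].hex()

if __name__ == "__main__":
    for label, segwit in (("legacy", False), ("segwit", True)):
        a, b = ids(SIG_A, segwit), ids(SIG_B, segwit)
        print(label, "txid changes with signature:", a[0] != b[0])
        print(label, "wtxid changes with signature:", a[1] != b[1])
```

The block-level witness commitment that BIP141 places in the coinbase transaction is not modelled here.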
