CHIP 2021-08 ZCEs: Zero-Confirmation Escrows

What we were discussing is a different topic, you are moving the goalpost with this message.

The discussion was about your CHIP proposing a second way to make instant transactions secure, while we already have one which is active and operational. My question has always been about the business case. Why do you want the ecosystem to invest resources into this while there is a fully functional solution available that addresses the same problem? The business question is relevant because we have actual empirical data showing that the merchants don’t have a need to decrease zero-conf risk.

To put it in simple terms; you are asking everyone to put a lot of effort into a new virus killer for Linux, while all previous virus killers for Linux failed to get a userbase due to lack of interest.

It is not my job to push back, it is yours to convince the community that this is actually something they need to put time in.

Which reads:

For many businesses, assessing the risk of payment fraud against zero-confirmation BCH transactions is non-trivial.

This is mostly due to the point-of-sale software not incorporating double spend proofs. The rest is available, the support in the full nodes, the support in servers like Fulcrum. A point-of-sale software (should it be available open source) is not hard to adjust and this problem goes away.

Notice that incorporation of ZCE likewise needs adjustment of that exact same software. You may argue it is somehow a different workload, but as we are for both jobs talking about less than a week of work I have to ask why you are not advocating use of what is available on mainchain today. If for no other reason than speeding up the security of zero-conf.

In a previous post I probably was not clear, so I’ll say it plain.

Your “long term security” concern is based on a misunderstanding of how the p2p network operates and who secures the first seen rule. The result is that your point is not applicable to Bitcoin Cash and that section and that reason should be removed from the CHIP.

The first-seen rule is secured by the nodes on the edge, the ones that the SPV wallets actually talk to. Miners hide their nodes behind firewalls (because duh) and they are never going to even see double spend transactions. Should a miner implement replace-by-fee, it would have no effect.

First-seen is secured by the companies that depend on it working, not the miners.

Can you please update the CHIP to reflect those two points?

  1. Provide a business case explaining from the current state of mainnet which has zero-conf security.
  2. Update (and likely remove) the long term security chapter.

I already found 2 which you conveniently skipped: Exchanges and Casinos (EDIT: Also crypto ATMs for instant Cash<->BCH transfers).

But I am sure there are more.

Try another argument please, this one is invalid.

I actually do not think they address the exact same problem. ZCE is more suited for automated payment flows as I stated above. DSPs might work wonders if you are buying a piece of gum from a physical person. But if you are buying it from a vending machine it’s basically risk free to do a double spend attempt. Worst case is that the vending machine sees the proof and waits for a confirmation (or a refund as specified by an applicable payment protocol).
With ZCE you lose the escrow when trying to do funny business.

1 Like

Exchanges obviously not, some want 10+ blocks today. Last time I used a crypto ATM (it was in Poland/Lodz) it wanted more than one confirmation (BTC).

What makes you think that they would go for instant transactions? The amount of risk increase is not explained. No example that currently wants more than 1 confirmation (also on BTC) is a valid use case for ZCE, because how could it be?
You are advertising based on emotions, not reality.

Please keep the tone more civil, please. Turns out your example was invalid.

A vending machine can, today, be implemented risk-free as well. All it needs to do is listen for double spend proofs and when one appears for the transaction (or a parent) it cancels the transaction. This happens FASTER than a credit-card transaction and is more secure than a card transaction (can’t be reversed).

With ZCE you lose the escrow when trying to do funny business.

And with DSP you lose your funds too. No difference in risk to merchants.

Additional advantage of using DSP is that the customer doesn’t have to tie up additional funds. You can actually buy that mars bar from your LAST coin with DSP.

It’s a slight variation on the theme of this flowchart: The Double Spend flowchart

The variation is that you would not call the police but let the thief be the one that takes action. Exactly like with vending machines today.

Again, this is possible today on main-chain. Should people want to use it. No need to start a new CHIP or invent a new thing. It already works.

How long does it take for the machine to release the product? 10 seconds? The culprit can simply wait 10 seconds to get the product in his hands and then post his double-spend TX. Sure, there’s the “first seen” policy, but that is an externality the merchant can’t control, and there are no guarantees that it will always be widely adopted - so the point of creeping risk with our network growing still applies.

You don’t exactly lose - you still got the product you bought, and here a double-spend attempt is a free shot at trying to get your money back but keep the product. With ZCEs you’d lose an additional value on top of the money paid for the product, you’d pay double the price of product for attempting to cheat and get it for free.

I think you misunderstand.

The point is to convince them that they don’t want the confirmations.

They are not aware yet that ZCEs exist and actually work. Once they gain confidence in the tech, I am sure instant deposits and withdrawals for sums less than $100.000 should be natural.

The risk is almost non-existent. This is the point. Which you missed.

This is my “civil level” right now. I am not going to tell you I love you, I am here to tell you your argument is invalid, not love you and be your boyfriend.

The point of discussion is to point out that somebody or something is wrong in order to reach the truth.

I will not discuss to be excessively polite to people. That does not make any sense.

This. With ZCE miners are incentivized to take the escrow but the product gets paid with the correct amount either way.

2 Likes

The culprit can simply wait 10 seconds to get the product in his hands and then post his double-spend TX.

If it is 10 seconds, then it is a lot of time. If the attacker is not the miner or the mining pool, then it is very hard to do that in practice. Satoshi addressed that issue a long time ago (search: Bitcoin snack machine).

The network nodes only accept the first version of a transaction they receive to incorporate into the block they’re trying to generate. When you broadcast a transaction, if someone else broadcasts a double-spend at the same time, it’s a race to propagate to the most nodes first. If one has a slight head start, it’ll geometrically spread through the network faster and get most of the nodes.

A rough back-of-the-envelope example:

4         1
16        4
64        16
80%      20%

So if a double-spend has to wait even a second, it has a huge disadvantage.

2 Likes
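The propagation race in the back-of-the-envelope figures quoted above, as an added example that is not part of any post in this thread. It is a simplified model whose assumptions (synchronous hops, a uniform fan-out of 4 taken from the quoted figures, nodes that never relay a conflicting version) and function names are this example's own:

```python
from fractions import Fraction


def race_share(network_size, fanout=4, head_start_hops=1):
    """Fraction of nodes that end up holding the first-seen transaction.

    Simplified model (assumptions of this example): hops are synchronous,
    every holder multiplies its version's reach by `fanout` per hop, and a
    node keeps whichever version it saw first and never relays the other.
    """
    if fanout < 2 or network_size < 2 or head_start_hops < 0:
        raise ValueError("need fanout >= 2, network_size >= 2, head start >= 0")
    first = Fraction(1)
    # A head start of 0 means both versions are broadcast simultaneously.
    second = Fraction(1 if head_start_hops == 0 else 0)
    hop = 0
    while first + second < network_size:
        hop += 1
        free = network_size - first - second
        want_first = first * (fanout - 1)
        want_second = second * (fanout - 1)
        if hop == head_start_hops:
            want_second = Fraction(1)  # the conflicting spend enters at one node
        # When both versions reach for more nodes than remain,
        # the free nodes are split in proportion to demand.
        scale = min(Fraction(1), free / (want_first + want_second))
        first += want_first * scale
        second += want_second * scale
    return first / network_size


def head_start_table(network_size, fanout=4, max_hops=3):
    """(head start in hops, first transaction's final share) per row."""
    return [(h, race_share(network_size, fanout, h)) for h in range(max_hops + 1)]


if __name__ == "__main__":
    for hops, share in head_start_table(10_000):
        print(f"head start {hops} hop(s): first tx reaches {float(share):.1%}")
```

In this model the first transaction's share depends only on the head start measured in relay hops, which is the quantity a merchant's short wait before releasing goods is buying.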

“[Statistically] very hard to do that in practice” but without cost or risk it will be achieved given enough attempts.

These were the numbers on 5 second delays with a small miner bribe a couple of years ago. I don’t know what the numbers for “10 s delay” would be, but I assume not zero.

Yes, there were BU nodes on the network with non-standard relay policies that probably aren’t there today. But deploying nodes with such software isn’t particularly expensive.

1 Like

Yup, nothing stops anyone from running a rogue mining pool that has a little network of nodes that can take bribe offers. Right now there’s no incentive to have that, but as we grow there may be and nothing anyone can do to stop it - other than having a way of spending where it doesn’t pay to try and cheat.

1 Like

The problem is that “rogue” in this scenario actually means “(short-term) profit maximizer”. The incentives are currently lined up for a miner to take the transaction with highest fees, but ZCE shifts those incentives so the highest profit is achieved by claiming the escrow.

1 Like

Yes, but I have thoroughly analyzed this possible scenario like 6 years ago, loooooong before DSPs and ZCEs even existed and concluded it is not profitable for the mining pool at sums less than $10000-$50000.

This scenario is so hard to do, so costly and so difficult to make it profitable (huge reputation hit is also a factor), that there is no wonder why miners never did it to this day.

We (the community) have been talking about such scenarios for like 10 years, but they never actually happen. Zero Confirmation transactions are generally safe, even more with Double Spend Proofs and Zero Confirmation Escrows.

In my opinion “0-conf is not safe” was always only propaganda, never reality. 0-conf can be and is safe.

I’m not talking about reorgs, this is just about enabling an interface to take in “bribe” TX-es which they’d put instead of the 1st seen one while they mine a block. If they get lucky with a block - they will make more, if not - they will still get a regular block reward later, and the guy at the vending machine will get his thing at normal price instead of 0. ViaBTC has a website where you can post a raw TX, and it must obey relay rules. What’s stopping them from dropping the requirement and accepting cheater TXes? ZCEs would make it so that it pays more to cheat the cheater :)

I get that and I agree.

But such a bribe has the maximum chance of success equal to the percentage of the malicious mining pool.

Counting in the reputation hit, it is highly improbable that any pool that would accept such bribes would ever get more than 10% of mining power. Reputation would take a hit and miners would stop using such pool.

So this is why no mining pool (correct me if wrong) ever did that [in pre-2016 BTC and BCH all time].

When you factor in the cost, the super-low probability of success and reputation hit, it stops being profitable.

Yup, but it’s still a free shot… at 1% or 10% chance. You will not bother to do it for getting a one-off discount on a piece of candy but here we’re trying to imagine what our network and adoption would look like in a success scenario where we have numbers that could make the game potentially interesting to criminal organizations.

What do SHA-256 hardware owners care about reputation? They’re anonymous, and get paid either way, and some may not care about morals and would join a pool because it pays more - by enabling others to steal. We don’t have to depend on morals when we have a tool that can make incentives right for desired behavior.

I don’t know, but I hope that we will move into unprecedented territory - like having consistent 2MB blocks :) And then we’ll start to get some data.

1 Like

The problem is scale and incentives.

The only way to earn this way is to either:

  • A: Get a large number of people to use it for smaller (<$1000) purchases
  • B: Get few one time huge shots, but this would have to be really huge amounts, like $50000 to be profitable and worth the bother

Scenario A is not even doable anonymously. To get enough people to have any chance of success and significant profit, would require advertisements. To do large scale advertisements, you need to be a company.

Case closed.

Scenario B can be done anonymously, but only for large sums of money, otherwise it doesn’t make any sense on scale.

Obviously, they don’t. But a large mining pool has to have a website, so they have to report their profits to some government somewhere. Are there any fully anonymous large pools without a website and a company running them?

You can be sure that as soon as such a pool would appear, start advertising their “bribing” and grow beyond 10% of hashing power, that would mean huge legal troubles for them.

You can’t really do crime and bad things in general at large scale fully anonymously. Humans are the weakest link in the chain, there is always a weak link.

You see, it is generally more profitable to just mine honestly, than trying such complicated large-scale shenanigans. If it was ever worth it, somebody would have already tried in the last 13 years of Bitcoin mining. Nobody ever did.

Therefore the only way I see such mining-bribe-attacks succeeding is via cheating a big sum ($50000 and more) once or few times. Which would mean cheating an exchange or an ATM.

Which is exactly why ATMs and exchanges require confirmations. They understand this.

Did you miss my post further up?

Apparently 5.5% of the BCH hash rate did just that a few years ago.

Sorry, I probably did if you didn’t quote me.

I am aware of the “calculated number of total double spends” on the network you are quoting, I have seen it. This work of Peter Rizun was quite famous.

I have some doubts whether this data actually represents real double spends of real internet/brick&mortar stores or whether this is just some testing or fluke of the network.

As far as I am aware, no merchant ever complained of being robbed this way on BCH network. So I am not really sure what this data means.

I was in the community all the time and if something like this happened, I would just know about it 100%. No such thing ever happened. No merchant was ever robbed of the goods using double spends on BCH network (even including pre-2016/pre-RBF BTC too).

To add even more, BCH has less than 1% hashrate and A LOT of enemies.

If such a miner-bribing attack was real-life doable and even better - profitable, it would have happened like 4-5 years ago, in 2017-2018 because it was easier to do back then. The enemy would do it just in order to prove that BCH cannot be P2P Electronic Cash, profit is not even needed.

I feel like we’re going in circles. I already had this discussion in 2018, at least 3 times. Back then the conclusion also was that “while the attack is theoretically doable, nobody ever did it, which proves it is most probably not practical in real-life, so nobody will use it”.

To sum it up:

  • 0-conf is secure enough for everyday purchases ($<1000).
  • 0-conf with Double Spend Proofs should be secure enough even for bigger amounts ($<10000) in ATMs.
  • 0-conf with Zero Confirmation Escrows is practically completely secure for all means and purposes, assuming it works as advertised. BCH has become instant P2P currency.