Author: Natanael 2018-02-15 20:27:27
Published on: 2018-02-15T20:27:27+00:00
On February 15, 2018, Tim Ruffing sent a message to the bitcoin-dev mailing list regarding consensus rules for UTXOs (unspent transaction outputs) and commitments in the blockchain. According to Ruffing, a decommitment d = chal spends a UTXO with address H_addr(chal) if it meets certain conditions. These conditions include the existence of a commitment c in the blockchain that references the UTXO and is the first commitment to successfully decrypt with KDF(chal). The UTXO is then spent as described by the valid transaction tx. Commitments never expire.Ruffing goes on to describe two different situations related to commitment expiration and doubles in the blockchain. In Situation A, regardless of expiration of commitments, doubles are allowed. This means an attacker can block another user's transaction from confirming and make their own commitment and transaction. Miners would only see one transaction which matches a valid challenge and spends the UTXOs, but the attacker gains nothing from the commitment. In Situation B, conflicting commitments are not allowed and never expire. This allows an attacker to freeze everyone's funds easily with invalid commitments because you can't validate a commitment without seeing a valid transaction matching it. According to Ruffing, commitments work when the network can't easily be censored for long enough to deploy an attack, at least for 2-3 blocks worth of time. However, they fail when an attacker is capable of performing such an attack. To prevent such attacks, Ruffing suggests using a quantum-resistant Zero-knowledge proof algorithm or equivalent method of proving knowledge of the key without revealing any data that enables a quantum attack.
Updated on: 2023-06-13T00:30:08.555638+00:00