New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC 003 RTVF] RTA Transaction Validation Flow #191
Comments
Regarding "Privacy leakage" and "This design is non-trustless" comments - |
Regarding "selfish mining double-spending attack" - |
It is unnecessary and undermines the privacy that less than two months ago you posted about as being a key difference in the GRAFT payment network:
But now you are saying:
And that merchants who actually want the proclaimed privacy will have to have the expertise to run, update and keep secure their own proxy SN.
What operations, exactly, do you think cannot be done on mobile hardware? Are you not aware of mobile wallets for several cryptonote coins such as monerujo (for Monero), Loki Wallet, or Haven Protocol Wallet, to name just a few, which are able to handle CryptoNote just fine without leaking privacy and security to a remote proxy? Or that a Raspberry Pi (which has essentially the same computational power as the slowest Verifone Carbon device) is perfectly capable of running not only dozens of CryptoNote wallets simultaneously, but also multiple whole cryptonode nodes simultaneously?
No, it is not "somewhat" trust. It is entirely trusted. In this design, the proxy SN is the one that tells the merchant without verifiable proof that a payment has been approved by the network. It is a huge target for attacks and said attacks will be difficult to detect until long after the fact. This single point of attack effectively undermines the entire security of the RTA mechanism, to the point where you might as well not even have RTA: you could literally do the entire authorization in just the proxy SN and have just as much security as you are getting here because your weakest link would be the same. The entire point of using a random sample on a decentralized network is the security it brings, because someone would have to own or compromise a very large share of the network in order to compromise the security of the network. Hacking an RTA supernode or coercing its operator would gain you absolutely nothing. The design in this RFC, however, specifies a trusted, centralized component that must exist in every single RTA transaction; a component that can be hacked or have its operator coerced to compromise the security and privacy of any and all merchants using that node. This is not an responsible or acceptable design. |
This comment was marked as abuse.
This comment was marked as abuse.
RTA must have end to end encryption for the protection of node owners. Zero knowledge proof of knowledge. Disclosing information to a node presents unlimited liability for whomever operates it. Anyone who understands this will not operate a node since the risks greatly outweigh the benefits. |
This comment was marked as abuse.
This comment was marked as abuse.
@jagerman Thanks for the valuable and constructive criticism.
The RFC is updated, we tried to address most of the concerns. Note that though the total amount is still open, no association between transaction and recipient wallet address can be built.
We know it's an open issue and still weighing our options here.
It's a work around the fact we could often observe mempool sync required extra time. |
Comments. Two major, a few smaller issues.
Privacy leakage.
This design leaks privacy to the PoS proxy, the auth sample, and the wallet proxy. To quote from https://www.graft.network/2018/11/21/how-graft-is-similar-to-and-at-the-same-time-different-from-visa-and-other-payment-card-networks-part-2/
This design, however, does not accomplish that: the PoS proxy is able to identify all payments received by the PoS, and all SNs involved in the transaction see the amount sent (even if they can't see the recipient address).
A cryptocurrency that is only private as long as you have to trust a single party (the PoS proxy) is no longer a privacy coin.
But it gets worse: from the description in the RFC it is possible for various network participants other than the receiving and paying wallets to get "serialized payment data" which consists of "serialized payment data – list of purchased items, price and amount of each item, etc.".
So, to summarize the privacy leaks that seem to be here:
Other comments
(
4. Regular key image checking (double spent checking.)
does nothing against the above attack: the key image isn't spent on the network visible to the SNs until the private block is released.)There is a huge amount of complexity added here for little apparent reason. You set the success/failure conditions at 6/3 replies so that you have can have a consistent concensus among the SNs, which I understand, but you don't need this success/failure concensus when you have a single party that is in charge: the PoS proxy.
If you simply changed the rules so that the PoS proxy is always the one to distribute the block, you would simplify the traffic (SN auth sample results can be unicast to the PoS proxy, and the payment success can simply be a state variable that never needs to be broadcast over the network), but more importantly you would allow a 6/1 success/failure trigger without incurring any consistency problem.
Allowing 2 failures is a recipe for fee cheating: hack your wallet to reduce two of the eight SN fees to zero (or just leave them out) in every transaction to give yourself a small rebate.
What happens if there are 5 successes, 2 failures, and one timeout?
Which is done how, exactly? In particular, how much deviation from what it thinks is correct will it allow? This needs to be specified.
Why is this needed at all? Success can already been seen (and is already transmitted across the network) by the fact that the transaction enters the mempool. Can't the wallet just check for that instead?
This design is non-trustless!
This design puts far too much centralized control in the hands of the proxy SN. The design here puts this single node as RTA transaction gatekeeper, with the possibility to lie to the PoS about transaction validity—a lie here could be deliberate, or could be because the proxy SN in use was hacked. This is not how a decentralized cryptocurrency should work: it needs to be possible to trust no one on the network and yet have the network still work.
A non-trustless design like this should be a non-starter.
The text was updated successfully, but these errors were encountered: