On Mon, Nov 03, 2014 at 06:01:46PM +0200, Alex Mizrahi wrote:
> 
> Yes, but "harder" isn't same as "unlikely".
>

We are aware of the distinction between hardness (expected work) and
likelihood of successful attack -- much of Appendix B talks about this,
in the context of producing compact SPV proofs which are (a) hard to
forge, and (b) very unlikely to be forgeries.

We did spend some time formalizing this but due to space constraints
(and it being somewhat beside the point of the whitepaper beyond "we
believe it is possible to do"), we did not explore this in as great
depth as we'd have liked.
 
> Another problem with this section is that it only mentions reorganizations.
> But a fraudulent transfer can happen without a reorganization, as an
> attacker can produce an SPV proof which is totally fake. So this is not
> similar to double-spending, attacker doesn't need to own coins to perform
> an attack.
> 

Well, even in the absence of a reorganization, the attacker's false proof
will just be invalidated by a proof of longer work on the real chain.
And there is still a real cost to producing the false proof.


-- 
Andrew Poelstra
Mathematics Department, University of Texas at Austin
Email: apoelstra at wpsoftware.net
Web:   http://www.wpsoftware.net/andrew


------------------------------------------------------------------------------
_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
