Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1X7O4B-0008Ku-HD for bitcoin-development@lists.sourceforge.net; Wed, 16 Jul 2014 12:12:11 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of bitpay.com designates 209.85.212.176 as permitted sender) client-ip=209.85.212.176; envelope-from=jgarzik@bitpay.com; helo=mail-wi0-f176.google.com; Received: from mail-wi0-f176.google.com ([209.85.212.176]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1X7O46-0007g7-0T for bitcoin-development@lists.sourceforge.net; Wed, 16 Jul 2014 12:12:11 +0000 Received: by mail-wi0-f176.google.com with SMTP id bs8so6079540wib.9 for ; Wed, 16 Jul 2014 05:11:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=kPc6UumKsrtSyZ0NrQGh8PQPz8CNO+o9pU+rcUy8iTY=; b=N5MOzNBnGQJ2F0RiKVMuyeW55YHxztKx692AQVS1xHgnK9a8SG/NNN28/DQbJ2XEIc 1A+CteX+Oz09NK3xQKnteSEgGKZtnlpCMsyaQXM1onY1VT/jlM4Sm1kuDjHNWqwT/EEu Xol+zJ4JNU7aGvURPdVdlIxLeQEG8jLbOkimUdNEZGl2zKa8M5p8WG20oXbNhZbR+vu1 bDp6Yy5cAPzoA+uSEEIkJ5Kx9X/Yf8OrmCEPlbD/i4lZtS5b5tpU1GyjYfO1ICDCv7/y OzDdYePrx1QGVVjSehmCx9sDcbhpTHksAsle0dWdikNt2E62IXPDqTFLCx9ARXduE6zQ DjFA== X-Gm-Message-State: ALoCoQm/013UB3Ni9ldnKa6h+L1gdQlrRlaGPa9PfW878acWmUb4zdUy8tSD85omcqdOGdsiXS6a X-Received: by 10.194.172.167 with SMTP id bd7mr35636913wjc.74.1405512719479; Wed, 16 Jul 2014 05:11:59 -0700 (PDT) MIME-Version: 1.0 Received: by 10.194.5.67 with HTTP; Wed, 16 Jul 2014 05:11:39 -0700 (PDT) In-Reply-To: References: From: Jeff Garzik Date: Wed, 16 Jul 2014 08:11:39 -0400 Message-ID: To: Mike Hearn Content-Type: multipart/alternative; boundary=089e013c6c225f552704fe4e6e8c X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1X7O46-0007g7-0T Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Draft BIP for geutxos message X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Jul 2014 12:12:11 -0000 --089e013c6c225f552704fe4e6e8c Content-Type: text/plain; charset=UTF-8 Thanks Mike. The BIPS process is ideally an implementation & draft BIP, like IETF RFCs. Thanks for being a model citizen. :) Having an idea is good; having an implementation is better. Reviewing the code at the pull request, it appears OK, and I did give it a quick test. I have a few minor nits that I'll put in the PR, that are not worth mentioning here. Being able to query UTXOs is obviously useful. Many existing applications have been built on top of bitcoind (gettxout RPC), insight and other existing tools that make this query available. This is not a new feature. That effectively reduces our evaluation to 1. Why implement in P2P protocol, versus RPC or external API? Neither your pull request nor email addresses this much. I do understand your app uses "getutxos" But it is entirely fair and reasonable to ask why all bitcoind users should carry this feature. Turning to the protocol itself, "getutxos" does what is expected: Return that node's view of the UTXO set. This bring us to the main issue I and others raised in the pull request, 2. This view of UTXO is entirely untrusted, may be malicious or wrong. Why export potentially dangerous information to victims? What are the consequences to the victims of receiving targeted, maliciously wrong returned data? Let us assume for the sake of progress that #2 is answered to satisfaction. In my view, the BIP (and implementation? haven't looked at lighthouse) is missing 3. An explicit solution to #2. If one implements your BIP in a naive manner -- simply find a node, and issue a single query -- they are dangerously exposed to malicious information. The BIP should describe this major security issue, and describe at least one method of solving it (ditto implementation, if lighthouse has not already solved this). Comparison between this and BIP 35 (mempool command) are not apt, as miners and full nodes treat "mempool" returned data just like any other randomly solicited "tx" command on the network. Unlike "mempool" cmd, this "getutxos" cmd proffers post-verification trusted data. I fear that this addition will lead to people building insecure apps, when they could have just as easily queried a slightly-more-trusted-than-just-a-random-P2P-peer network of N bitcoind's or N Insight servers running somewhere (akin to Electrum servers). On Thu, Jul 10, 2014 at 10:29 AM, Mike Hearn wrote: > I opened up a pull req for a draft BIP for getutxo. > > https://github.com/bitcoin/bips/pull/88 > > I include a rendering below for your reading convenience. If you'd like to > comment on design/security/etc then please first familiarise yourself with > the long discussions that were already had here: > > https://github.com/bitcoin/bitcoin/pull/4351 > > > > BIP: 45 > Title: getutxo message > Author: Mike Hearn > Status: Draft > Type: Standards Track > Created: 2014-06-10 > > Table of Contents > > - Abstract > > - Motivation > > - Specification > > - Backward compatibility > > - Authentication > > - Implementation > > > > > Abstract > > This document describes a small P2P protocol extension that performs UTXO > lookups given a set of outpoints. > > > Motivation > > All full Bitcoin nodes maintain a database called the unspent transaction > output set. This set is how double spending is checked for: to be valid a > transaction must identify unspent outputs in this set using an identifier > called an "outpoint", which is merely the hash of the output's containing > transaction plus an index. > > The ability to query this can sometimes be useful for a lightweight/SPV > client which does not have the full UTXO set at hand. For example, it can > be useful in applications implementing assurance contracts to do a quick > check when a new pledge becomes visible to test whether that pledge was > already revoked via a double spend. Although this message is not strictly > necessary because e.g. such an app could be implemented by fully > downloading and storing the block chain, it is useful for obtaining > acceptable performance and resolving various UI cases. > > Another example of when this data can be useful is for performing floating > fee calculations in an SPV wallet. This use case requires some other > changes to the Bitcoin protocol however, so we will not dwell on it here. > > > Specification > > Two new messages are defined. The "getutxos" message has the following > structure: > > Field Size DescriptionData typeComments 1check mempoolbool Whether to > apply mempool transactions during the calculation, thus exposing their > UTXOs and removing outputs that they spend. ?outpointsvector The list of > outpoints to be queried. Each outpoint is serialized in the same way it is > in a tx message. > > The response message "utxos" has the following structure: > > Field Size DescriptionData typeComments 4chain heightuint32 The height > of the chain at the moment the result was calculated. 32chain tip hash > uint256 Block hash of the top of the chain at the moment the result was > calculated. ?hit bitmapbyte[] An array of bytes encoding one bit for each > outpoint queried. Each bit indicates whether the queried outpoint was found > in the UTXO set or not. ?result utxosresult[] A list of result objects > (defined below), one for each outpoint that is unspent (i.e. has a bit set > in the bitmap). > > The result object is defined as: > > Field Size DescriptionData typeComments 4tx versionuint32 The version > number of the transaction the UTXO was found in. 4heightuint256 The > height of the block containing the defining transaction, or 0x7FFFFFFF if > the tx is in the mempool. ?outputCTxOut The output itself, serialized in > the same way as in a tx message. > Backward > compatibility > > Nodes indicate support by advertising a protocol version above 70003 and > by setting a new NODE_GETUTXO flag in their nServices field, which has a > value of 2 (1 > > > Authentication > > The UTXO set is not currently authenticated by anything. There are > proposals to resolve this by introducing a new consensus rule that commits > to a root hash of the UTXO set in blocks, however this feature is not > presently available in the Bitcoin protocol. Once it is, the utxos message > could be upgraded to include Merkle branches showing inclusion of the UTXOs > in the committed sets. > > If the requesting client is looking up outputs for a signed transaction > that they have locally, the client can partly verify the returned output by > running the input scripts with it. Currently this verifies only that the > script is correct. A future version of the Bitcoin protocol is likely to > also allow the value to be checked in this way. It does not show that the > output is really unspent or was ever actually created in the block chain > however. > > If the requesting client has a mapping of chain heights to block hashes in > the best chain e.g. obtained via getheaders, then they can obtain a proof > that the output did at one point exist by requesting the block and > searching for the output within it. When combined with Bloom filtering this > can be reasonably efficient. > > Note that even when the outputs are being checked against something this > protocol has the same security model as Bloom filtering: a remote node can > lie through omission by claiming the requested UTXO does not exist / was > already spent (they are the same, from the perspective of a full node). > Querying multiple nodes and combining their answers can be a partial > solution to this, although as nothing authenticates the Bitcoin P2P network > a man in the middle could still yield incorrect results. > > > Implementation > > https://github.com/bitcoin/bitcoin/pull/4351/files > > > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ --089e013c6c225f552704fe4e6e8c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Thanks Mike.= =C2=A0 The BIPS process is ideally an implementation & draft BIP, like = IETF RFCs.=C2=A0 Thanks for being a model citizen.=C2=A0 :)=C2=A0 Having an= idea is good; having an implementation is better.

Reviewing the code at the pull request, it appears OK, and I= did give it a quick test.=C2=A0 I have a few minor nits that I'll put = in the PR, that are not worth mentioning here.

Being able= to query UTXOs is obviously useful.=C2=A0 Many existing applications have = been built on top of bitcoind (gettxout RPC), insight and other existing to= ols that make this query available.=C2=A0 This is not a new feature.=C2=A0 = That effectively reduces our evaluation to

=C2=A0=C2=A0=C2=A0=C2=A0 1. Why implement in P2P protocol, = versus RPC or external API?

Neither your pull request nor= email addresses this much.=C2=A0 I do understand your app uses "getut= xos"=C2=A0 But it is entirely fair and reasonable to ask why all bitco= ind users should carry this feature.

Turning to the protocol itself, "getutxos" d= oes what is expected:=C2=A0 Return that node's view of the UTXO set.=C2= =A0 This bring us to the main issue I and others raised in the pull request= ,

=C2=A0=C2=A0=C2=A0=C2=A0 2. This view of UTXO is entirely untrusted, = may be malicious or wrong.=C2=A0 Why export potentially dangerous informati= on to victims?=C2=A0 What are the consequences to the victims of receiving = targeted, maliciously wrong returned data?

Let us assume for the sake of progress that #2 is answered to sat= isfaction.=C2=A0 In my view, the BIP (and implementation? haven't looke= d at lighthouse) is missing

=C2=A0=C2=A0=C2=A0=C2=A0 3. An exp= licit solution to #2.

If one implements your BIP in a naive manner -- simply find a nod= e, and issue a single query -- they are dangerously exposed to malicious in= formation.=C2=A0 The BIP should describe this major security issue, and des= cribe at least one method of solving it (ditto implementation, if lighthous= e has not already solved this).

Comparison between this and BIP 35 (mempool command) are not apt,= as miners and full nodes treat "mempool" returned data just like= any other randomly solicited "tx" command on the network.=C2=A0 = Unlike "mempool" cmd, this "getutxos" cmd proffers post= -verification trusted data.

I fear that this addition will lead to people building insecure a= pps, when they could have just as easily queried a slightly-more-trusted-th= an-just-a-random-P2P-peer network of N bitcoind's or N Insight servers = running somewhere (akin to Electrum servers).






=


On Thu, Jul 10, 2014 at 10:29 AM, = Mike Hearn <mike@plan99.net> wrote:
I opened up a pull req= for a draft BIP for getutxo.

=C2=A0 =C2=A0https://github.co= m/bitcoin/bips/pull/88

I include a rendering below for your reading convenienc= e. If you'd like to comment on design/security/etc then please first fa= miliarise yourself with the long discussions that were already had here:




  BIP: 45
  Title: getutxo message
  Author: Mike Hearn <hearn@vinumeris.com>
  Status: Draft
  Type: Standards Track
  Created: 2014-06-10

Table of Contents

Abstract

This d= ocument describes a small P2P protocol extension that performs UTXO lookups= given a set of outpoints.

Motivation

All fu= ll Bitcoin nodes maintain a database called the unspent transaction output = set. This set is how double spending is checked for: to be valid a transact= ion must identify unspent outputs in this set using an identifier called an= "outpoint", which is merely the hash of the output's contain= ing transaction plus an index.

The ab= ility to query this can sometimes be useful for a lightweight/SPV client wh= ich does not have the full UTXO set at hand. For example, it can be useful = in applications implementing assurance contracts to do a quick check when a= new pledge becomes visible to test whether that pledge was already revoked= via a double spend. Although this message is not strictly necessary becaus= e e.g. such an app could be implemented by fully downloading and storing th= e block chain, it is useful for obtaining acceptable performance and resolv= ing various UI cases.

Anothe= r example of when this data can be useful is for performing floating fee ca= lculations in an SPV wallet. This use case requires some other changes to t= he Bitcoin protocol however, so we will not dwell on it here.

Specifica= tion

Two ne= w messages are defined. The "getutxos" message has the following = structure:

=
Field Size DescriptionData typeComments
1check mempool<= /td>bool Whether to= apply mempool transactions during the calculation, thus exposing their UTX= Os and removing outputs that they spend.
?outpointsvector The list of outpoints to be queried. Each outpoint is serialized in the sam= e way it is in a tx message.

The response message "utxos" has the following structure:

chain tip has= h=
Field Size DescriptionData typeComments
4chain heightuint32<= /td> The height= of the chain at the moment the result was calculated.
32uint= 256 Block hash= of the top of the chain at the moment the result was calculated.
?hit bitmapbyte[] An array o= f bytes encoding one bit for each outpoint queried. Each bit indicates whet= her the queried outpoint was found in the UTXO set or not.
?result utxosresult[= ] A list of = result objects (defined below), one for each outpoint that is unspent (i.e.= has a bit set in the bitmap).

The result object is defined as:

4uint256<= td style=3D"padding:6px 13px;border:1px solid rgb(221,221,221)"> The height of the block containing the defining transaction, or 0x7FFFFFFF = if the tx is in the mempool.CTxOut The output itself, serialized in the same way as in a tx message.=
Field Size DescriptionData typeComments
4tx versionuint32 The versio= n number of the transaction the UTXO was found in.
height
?output

Backward compatibility

Nodes = indicate support by advertising a protocol version above 70003 and by setti= ng a new NODE_GETUTXO flag in their nServices field, which has a value of 2= (1

Authen= tication

The UT= XO set is not currently authenticated by anything. There are proposals to r= esolve this by introducing a new consensus rule that commits to a root hash= of the UTXO set in blocks, however this feature is not presently available= in the Bitcoin protocol. Once it is, the utxos message could be upgraded t= o include Merkle branches showing inclusion of the UTXOs in the committed s= ets.

If the= requesting client is looking up outputs for a signed transaction that they= have locally, the client can partly verify the returned output by running = the input scripts with it. Currently this verifies only that the script is = correct. A future version of the Bitcoin protocol is likely to also allow t= he value to be checked in this way. It does not show that the output is rea= lly unspent or was ever actually created in the block chain however.

If the= requesting client has a mapping of chain heights to block hashes in the be= st chain e.g. obtained via getheaders, then they can obtain a proof that th= e output did at one point exist by requesting the block and searching for t= he output within it. When combined with Bloom filtering this can be reasona= bly efficient.

Note t= hat even when the outputs are being checked against something this protocol= has the same security model as Bloom filtering: a remote node can lie thro= ugh omission by claiming the requested UTXO does not exist / was already sp= ent (they are the same, from the perspective of a full node). Querying mult= iple nodes and combining their answers can be a partial solution to this, a= lthough as nothing authenticates the Bitcoin P2P network a man in the middl= e could still yield incorrect results.

Implem= entation

https://github.com/bitcoin/bitcoin/pull/4351/files


-----------------------------------------------------------------------= -------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition=
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.ne= t/sfu/Bonitasoft
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment




--
Jeff Garzik
Bitc= oin core developer and open source evangelist
BitPay, Inc. =C2=A0 =C2=A0= =C2=A0https://bitpay.com= /
--089e013c6c225f552704fe4e6e8c--