Date: Thu, 18 Apr 2019 16:55:10 +0000
To: Ruben Somsen <rsomsen@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs
Good morning Ruben,
On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Simplified-Payment-Verification (SPV) is secure under the assumption
> that the chain with the most Proof-of-Work (PoW) is valid. As many
> have pointed out before, and attacks like Segwit2x have shown, this is
> not a safe assumption. What I propose below improves this assumption
> -- invalid blocks will be rejected as long as there are enough honest
> miners to create a block within a reasonable time frame. This still
> doesn’t fully inoculate SPV clients against dishonest miners, but is a
> clear improvement over regular SPV (and compatible with the privacy
> improvements of BIP157[0]).
>
> The idea is that a fork is an indication of potential misbehavior --
> its block header can serve as a PoW fraud proof. Conversely, the lack
> of a fork is an indication that a block is valid. If a fork is created
> from a block at height N, this means a subset of miners may disagree
> on the validity of block N+1. If SPV clients download and verify this
> block, they can judge for themselves whether or not the chain should
> be rejected. Of course it could simply be a natural fork, in which
> case we continue following the chain with the most PoW.
I presume you mean a chain split?
>
> The way Bitcoin currently works, it is impossible to verify the
> validity of block N+1 without knowing the UTXO set at block N, even if
> you are willing to assume that block N (and everything before it) is
> valid. This would change with the introduction of UTXO set
> commitments, allowing block N+1 to be validated by verifying whether
> its inputs are present in the UTXO set that was committed to in block
> N. An open question is whether a similar result can be achieved
> without a soft fork that commits to the UTXO set[0][1].
>
> If an invalid block is created and only 10% of the miners are honest,
> on average it would take 100 minutes for a valid block to appear.
> During this time, the SPV client will be following the invalid chain
> and see roughly 9 confirmations before the chain gets rejected. It may
> therefore be prudent to wait for a number of confirmations that
> corresponds to the time it may take for the conservative percentage of
> miners that you think may behave honestly to create a block (including
> variance).
I suppose a minority miner that wants to disrupt the network could simply create a *valid* block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.
If this minority miner has > 10% of network hashrate, then the rule of thumb above would, on average, give it the ability to disrupt the SPV-using network.
>10% of network hashrate to disrupt the SPV-using nodes would be a rather low bar to disruption.
Consider that SPV-using nodes would be disrupted, without this rule, only by >50% network hashrate.
It is helpful to consider that every rule you impose is potentially a loophole by which a new attack is possible.
Regards,
ZmnSCPxj
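
Added example (not part of the original message, and not code from either correspondent): the quoted 10%-honest-miner figures, plus the "including variance" confirmation count, under a simple model in which each new block comes from an honest miner with independent probability h and difficulty does not adjust. The function names, the 10-minute interval constant and the 5% miss probability are assumptions made for illustration.

```python
import math
import random

BLOCK_INTERVAL_MIN = 10.0  # assumed average minutes per block at full hashrate


def _check(honest_fraction):
    if not 0.0 < honest_fraction < 1.0:
        raise ValueError("honest_fraction must be strictly between 0 and 1")


def expected_wait_minutes(honest_fraction):
    """Mean time until the honest share of hashrate alone finds a block."""
    _check(honest_fraction)
    return BLOCK_INTERVAL_MIN / honest_fraction


def expected_invalid_blocks(honest_fraction):
    """Mean number of blocks the invalid chain gains before an honest block."""
    _check(honest_fraction)
    return (1.0 - honest_fraction) / honest_fraction


def confirmations_for_confidence(honest_fraction, miss_probability):
    """Smallest k with (1 - h)^k <= miss_probability, i.e. the chance that
    k blocks in a row appear with no honest block among them."""
    _check(honest_fraction)
    return math.ceil(math.log(miss_probability) / math.log(1.0 - honest_fraction))


def simulate(honest_fraction, threshold, trials=20000, seed=1):
    """Monte Carlo check: returns (mean run of non-honest blocks,
    fraction of runs that reached `threshold` blocks)."""
    _check(honest_fraction)
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    total = reached = 0
    for _ in range(trials):
        run = 0
        while rng.random() >= honest_fraction:  # block not from an honest miner
            run += 1
        total += run
        reached += run >= threshold
    return total / trials, reached / trials


if __name__ == "__main__":
    h = 0.10  # honest share used in the quoted text
    k = confirmations_for_confidence(h, 0.05)
    print(expected_wait_minutes(h), expected_invalid_blocks(h), k)
    print(simulate(h, k))
```

The mean reproduces the quoted 100 minutes and roughly 9 blocks; bounding the miss probability at the assumed 5% needs a considerably larger count than the mean.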