From: ZmnSCPxj
To: Ruben Somsen, Bitcoin Protocol Discussion
Date: Thu, 18 Apr 2019 16:55:10 +0000
Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs

Good morning Ruben,

On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev wrote:

> Simplified-Payment-Verification (SPV) is secure under the assumption
> that the chain with the most Proof-of-Work (PoW) is valid. As many
> have pointed out before, and attacks like Segwit2x have shown, this is
> not a safe assumption. What I propose below improves this assumption
> -- invalid blocks will be rejected as long as there are enough honest
> miners to create a block within a reasonable time frame. This still
> doesn’t fully inoculate SPV clients against dishonest miners, but is a
> clear improvement over regular SPV (and compatible with the privacy
> improvements of BIP157[0]).
>
> The idea is that a fork is an indication of potential misbehavior --
> its block header can serve as a PoW fraud proof. Conversely, the lack
> of a fork is an indication that a block is valid. If a fork is created
> from a block at height N, this means a subset of miners may disagree
> on the validity of block N+1. If SPV clients download and verify this
> block, they can judge for themselves whether or not the chain should
> be rejected. Of course it could simply be a natural fork, in which
> case we continue following the chain with the most PoW.

I presume you mean a chain split?

>
> The way Bitcoin currently works, it is impossible to verify the
> validity of block N+1 without knowing the UTXO set at block N, even if
> you are willing to assume that block N (and everything before it) is
> valid. This would change with the introduction of UTXO set
> commitments, allowing block N+1 to be validated by verifying whether
> its inputs are present in the UTXO set that was committed to in block
> N. An open question is whether a similar result can be achieved
> without a soft fork that commits to the UTXO set[0][1].
>
> If an invalid block is created and only 10% of the miners are honest,
> on average it would take 100 minutes for a valid block to appear.
> During this time, the SPV client will be following the invalid chain
> and see roughly 9 confirmations before the chain gets rejected. It may
> therefore be prudent to wait for a number of confirmations that
> corresponds to the time it may take for the conservative percentage of
> miners that you think may behave honestly to create a block (including
> variance).

I suppose a minority miner that wants to disrupt the network could simply create a *valid* block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.

If this minority miner has > 10% of network hashrate, then the rule of thumb above would, on average, give it the ability to disrupt the SPV-using network. >10% of network hashrate to disrupt the SPV-using nodes would be a rather low bar to disruption.

Consider that SPV-using nodes would be disrupted, without this rule, only by >50% network hashrate.

It is helpful to consider that every rule you impose is potentially a loophole by which a new attack is possible.

Regards,
ZmnSCPxj
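
Added example (not part of the original message and not code from any Bitcoin implementation): the waiting-time estimate from the quoted proposal, carried through to the "including variance" case and checked by simulation. It assumes block discovery is a Poisson process with a 10-minute network-wide mean and fixed difficulty; all function names are hypothetical.

```python
import math
import random

BLOCK_INTERVAL_MIN = 10.0  # assumed network-wide mean block interval


def expected_wait(honest_fraction):
    """Mean minutes until honest miners find a block, and the mean number of
    invalid-chain blocks an SPV client sees before that happens."""
    minutes = BLOCK_INTERVAL_MIN / honest_fraction
    blocks = (1.0 - honest_fraction) / honest_fraction
    return minutes, blocks


def confirmations_for_confidence(honest_fraction, confidence):
    """Smallest k such that the chance of the invalid chain reaching k blocks
    with no honest block found is at most 1 - confidence."""
    if not (0.0 < honest_fraction < 1.0 and 0.0 < confidence < 1.0):
        raise ValueError("fractions must lie strictly between 0 and 1")
    # Each new block is honest with probability h, so
    # P(no honest block among the first k) = (1 - h) ** k.
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - honest_fraction))


def simulate(honest_fraction, trials, seed=1):
    """Monte Carlo check: average minutes and invalid-chain blocks observed
    before the first honest block appears."""
    rng = random.Random(seed)
    total_minutes = 0.0
    total_blocks = 0
    for _ in range(trials):
        while True:
            # Next block from the whole network, then decide who mined it.
            total_minutes += rng.expovariate(1.0 / BLOCK_INTERVAL_MIN)
            if rng.random() < honest_fraction:
                break
            total_blocks += 1
    return total_minutes / trials, total_blocks / trials


if __name__ == "__main__":
    h = 0.10  # the 10% honest hashrate used in the quoted text
    print("mean (minutes, blocks):", expected_wait(h))
    print("simulated (minutes, blocks):", simulate(h, 20000))
    for p in (0.50, 0.95, 0.99):
        print(f"confirmations for {p:.0%} confidence:",
              confirmations_for_confidence(h, p))
```

With 10% honest hashrate the mean is 9 invalid-chain blocks, but covering 95% of cases takes 29, which is the gap the "including variance" remark points at.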