MIME-Version: 1.0
References: <6D57649F-0236-4FBA-8376-4815F5F39E8A@gmail.com>
	<CADZtCSgKu1LvjePNPT=0C0UYQvb47Ca0YN+B_AfgVNTpcOno4w@mail.gmail.com>
	<CDAFC2F7-A0AD-460B-B5B1-A717F7EC700E@gmail.com>
In-Reply-To: <CDAFC2F7-A0AD-460B-B5B1-A717F7EC700E@gmail.com>
From: Olaoluwa Osuntokun <laolu32@gmail.com>
Date: Mon, 4 Feb 2019 17:42:57 -0800
Message-ID: <CAO3Pvs_gvYy99Bch=7RwVszM_0PFTKUyqDVok=xfm4OOcqwaaQ@mail.gmail.com>
To: Tamas Blummer <tamas.blummer@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003b403205811bbb84"
Cc: Jim Posen <jimpo@coinbase.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Interrogating a BIP157 server,
	BIP158 change proposal
Precedence: list

--0000000000003b403205811bbb84
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Tamas,

This is how the filter worked before the switch over to optimize for a
filter containing the minimal items needed for a regular wallet to function=
.
When this was proposed, I had already implemented the entire proposal from
wallet to full-node. At that point, we all more or less decided that the
space savings (along with intra-block compression) were worthwhile, we
weren't cutting off any anticipated application level use cases (at that
point we had already comprehensively integrated both filters into lnd), and
that once committed the security loss would disappear.

I think it's too late into the current deployment of the BIPs to change
things around yet again. Instead, the BIP already has measures in place for
adding _new_ filter types in the future. This along with a few other filter
types may be worthwhile additions as new filter types.

-- Laolu

On Mon, Feb 4, 2019 at 12:59 PM Tamas Blummer <tamas.blummer@gmail.com>
wrote:

> I participated in that discussion in 2018, but have not had the insight
> gathered by now though writing both client and server implementation of
> BIP157/158
>
> Pieter Wuille considered the design choice I am now suggesting here as
> alternative (a) in:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016064.=
html
> In his evaluation he recognized that a filter having spent output and
> output scripts would allow decision on filter correctness by knowing the
> block only.
> He did not evaluate the usefulness in the context of checkpoints, which I
> think are an important shortcut here.
>
> Yes, a filter that is collecting input and output scripts is shorter if
> script re-use is frequent, but I showed back in 2018 in the same thread
> that this saving is not that significant in recent history as address reu=
se
> is no longer that frequent.
>
> A filter on spent outpoint is just as useful for wallets as is one on
> spent script, since they naturally scan the blockchain forward and thereb=
y
> learn about their coins by the output script before they need to check
> spends of those outpoints.
>
> It seems to me that implementing an interrogation by evtl. downloading
> blocks at checkpoints is much simpler than following multiple possible
> filter paths.
>
> A spent outpoint filter allows us to decide on coin availability based on
> immutable store, without updated and eventually rolled back UTXO store. T=
he
> availability could be decided by following the filter path to current tip
> to genesis and
> check is the outpoint was spent earlier. False positives can be sorted ou=
t
> with a block download. Murmel implements this if running in server mode,
> where blocks are already there.
>
> Therefore I ask for a BIP change based on better insight gained through
> implementation.
>
> Tamas Blummer
>
> On Feb 4, 2019, at 21:18, Jim Posen <jim.posen@gmail.com> wrote:
>
> Please see the thread "BIP 158 Flexibility and Filter Size" from 2018
> regarding the decision to remove outpoints from the filter [1].
>
> Thanks for bringing this up though, because more discussion is needed on
> the client protocol given that clients cannot reliably determine the
> integrity of a block filter in a bandwidth-efficient manner (due to the
> inclusion of input scripts).
>
> I see three possibilities:
> 1) Introduce a new P2P message to retrieve all prev-outputs for a given
> block (essentially the undo data in Core), and verify the scripts against
> the block by executing them. While this permits some forms of input scrip=
t
> malleability (and thus cannot discriminate between all valid and invalid
> filters), it restricts what an attacker can do. This was proposed by Laol=
u
> AFAIK, and I believe this is how btcd is proceeding.
> 2) Clients track multiple possible filter header chains and essentially
> consider the union of their matches. So if any filter received for a
> particular block header matches, the client downloads the block. The clie=
nt
> can ban a peer if they 1) ever return a filter omitting some data that is
> observed in the downloaded block, 2) repeatedly serve filters that trigge=
r
> false positive block downloads where such a number of false positives is
> statistically unlikely, or 3) repeatedly serves filters that are
> significantly larger than the expected size (essentially padding the actu=
al
> filters with garbage to waste bandwidth). I have not done the analysis ye=
t,
> but we should be able to come up with some fairly simple banning heuristi=
cs
> using Chernoff bounds. The main downside is that the client logic to trac=
k
> multiple possible filter chains and filters per block is more complex and
> bandwidth increases if connected to a malicious server. I first heard abo=
ut
> this idea from David Harding.
> 3) Rush straight to committing the filters into the chain (via witness
> reserved value or coinbase OP_RETURN) and give up on the pre-softfork BIP
> 157 P2P mode.
>
> I'm in favor of option #2 despite the downsides since it requires the
> smallest number of changes and is supported by the BIP 157 P2P protocol a=
s
> currently written. (Though the recommended client protocol in the BIP nee=
ds
> to be updated to account for this). Another benefit of it is that it
> removes some synchronicity assumptions where a peer with the correct
> filters keeps timing out and is assumed to be dishonest, while the
> dishonest peer is assumed to be OK because it is responsive.
>
> If anyone has other ideas, I'd love to hear them.
>
> -jimpo
>
> [1]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016057.=
html
>
>
>
> On Mon, Feb 4, 2019 at 10:53 AM Tamas Blummer via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> TLDR: a change to BIP158 would allow decision on which filter chain is
>> correct at lower bandwith use
>>
>> Assume there is a BIP157 client that learned a filter header chain
>> earlier and is now offered an alternate reality by a newly connected BIP=
157
>> server.
>>
>> The client notices the alternate reality by routinely asking for filter
>> chain checkpoints after connecting to a new BIP157 server. A divergence =
at
>> a checkpoint means that the server disagrees the client's history at or
>> before the first diverging checkpoint. The client would then request the
>> filter headers between the last matching and first divergent checkpoint,
>> and quickly figure which block=E2=80=99s filter is the first that does n=
ot match
>> previous assumption, and request that filter from the server.
>>
>> The client downloads the corresponding block, checks that its header fit=
s
>> the PoW secured best header chain, re-calculates merkle root of its
>> transaction list to know that it is complete and queries the filter to s=
ee
>> if every output script of every transaction is contained in there, if no=
t
>> the server is lying, the case is closed, the server disconnected.
>>
>> Having all output scripts in the filter does not however guarantee that
>> the filter is correct since it might omit input scripts. Inputs scripts =
are
>> not part of the downloaded block, but are in some blocks before that.
>> Checking those are out of reach for lightweight client with tools given =
by
>> the current BIP.
>>
>> A remedy here would be an other filter chain on created and spent
>> outpoints as is implemented currently by Murmel. The outpoint filter cha=
in
>> must offer a match for every spent output of the block with the divergen=
t
>> filter, otherwise the interrogated server is lying since a PoW secured
>> block can not spend coins out of nowhere. Doing this check would already
>> force the client to download the outpoint filter history up-to the point=
 of
>> divergence. Then the client would have to download and PoW check every
>> block that shows a match in outpoints until it figures that one of the
>> spent outputs has a script that was not in the server=E2=80=99s filter, =
in which
>> case the server is lying. If everything checks out then the previous
>> assumption on filter history was incorrect and should be replaced by the
>> history offered by the interrogated server.
>>
>> As you see the interrogation works with this added filter but is highly
>> ineffective. A really light client should not be forced to download lots=
 of
>> blocks just to uncover a lying filter server. This would actually be an
>> easy DoS on light BIP157 clients.
>>
>> A better solution is a change to BIP158 such that the only filter
>> contains created scripts and spent outpoints. It appears to me that this
>> would serve well both wallets and interrogation of filter servers well:
>>
>> Wallets would recognize payments to their addresses by the filter as
>> output scripts are included, spends from the wallet would be recognized =
as
>> a wallet already knows outpoints of its previously received coins, so it
>> can query the filters for them.
>>
>> Interrogation of a filter server also simplifies, since the filter of th=
e
>> block can be checked entirely against the contents of the same block. Th=
e
>> decision on filter correctness does not require more bandwith then downl=
oad
>> of a block at the mismatching checkpoint. The client could only be force=
d
>> at max. to download 1/1000 th of the blockchain in addition to the filte=
r
>> header history.
>>
>> Therefore I suggest to change BIP158 to have a base filter, defined as:
>>
>> A basic filter MUST contain exactly the following items for each
>> transaction in a block:
>>         =E2=80=A2 Spent outpoints
>>         =E2=80=A2 The scriptPubKey of each output, aside from all OP_RET=
URN
>> output scripts.
>>
>> Tamas Blummer
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>

--0000000000003b403205811bbb84
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Hi Tamas,=C2=A0</div><div><br></div><div>This is=
 how the filter worked before the switch over to optimize for a</div><div>f=
ilter containing the minimal items needed for a regular wallet to function.=
</div><div>When this was proposed, I had already implemented the entire pro=
posal from</div><div>wallet to full-node. At that point, we all more or les=
s decided that the</div><div>space savings (along with intra-block compress=
ion) were worthwhile, we</div><div>weren&#39;t cutting off any anticipated =
application level use cases (at that</div><div>point we had already compreh=
ensively integrated both filters into lnd), and</div><div>that once committ=
ed the security loss would disappear.</div><div><br></div><div>I think it&#=
39;s too late into the current deployment of the BIPs to change</div><div>t=
hings around yet again. Instead, the BIP already has measures in place for<=
/div><div>adding _new_ filter types in the future. This along with a few ot=
her filter</div><div>types may be worthwhile additions as new filter types.=
</div><div><br></div><div>-- Laolu</div></div></div><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Feb 4, 2019 at 12:59 =
PM Tamas Blummer &lt;<a href=3D"mailto:tamas.blummer@gmail.com">tamas.blumm=
er@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div st=
yle=3D"word-wrap:break-word"><div>I participated in that discussion in 2018=
, but have not had the insight gathered by now though writing both client a=
nd server implementation of BIP157/158</div><div><br></div><div>Pieter Wuil=
le considered the design choice I am now suggesting here as alternative (a)=
 in:=C2=A0<a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-de=
v/2018-June/016064.html" target=3D"_blank">https://lists.linuxfoundation.or=
g/pipermail/bitcoin-dev/2018-June/016064.html</a></div><div>In his evaluati=
on he recognized that a filter having spent output and output scripts would=
 allow decision on filter correctness by knowing the block only.</div><div>=
He did not evaluate the usefulness in the context of checkpoints, which I t=
hink are an important shortcut here.</div><div><br></div><div>Yes, a filter=
 that is collecting input and output scripts is shorter if script re-use is=
 frequent, but I showed back in 2018 in the same thread that this saving is=
 not that significant in recent history as address reuse is no longer that =
frequent.</div><div><br></div><div>A filter on spent outpoint is just as us=
eful for wallets as is one on spent script, since they naturally scan the b=
lockchain forward and thereby learn about their coins by the output script =
before they need to check spends of those outpoints.</div><div><br></div><d=
iv>It seems to me that implementing an interrogation by evtl. downloading b=
locks at checkpoints is much simpler than following multiple possible filte=
r paths.</div><div><br></div><div>A spent outpoint filter allows us to deci=
de on coin availability based on immutable store, without updated and event=
ually rolled back UTXO store. The availability could be decided by followin=
g the filter path to current tip to genesis and</div><div>check is the outp=
oint was spent earlier. False positives can be sorted out with a block down=
load. Murmel implements this if running in server mode, where blocks are al=
ready there.</div><div><br></div><div>Therefore I ask for a BIP change base=
d on better insight gained through implementation.</div></div><div style=3D=
"word-wrap:break-word"><div><br></div><div>Tamas Blummer</div></div><div st=
yle=3D"word-wrap:break-word"><br><div><blockquote type=3D"cite"><div>On Feb=
 4, 2019, at 21:18, Jim Posen &lt;<a href=3D"mailto:jim.posen@gmail.com" ta=
rget=3D"_blank">jim.posen@gmail.com</a>&gt; wrote:</div><br class=3D"m_-913=
6702741533784210Apple-interchange-newline"><div><div dir=3D"ltr"><div dir=
=3D"ltr">Please see the thread &quot;BIP 158 Flexibility and Filter Size&qu=
ot; from 2018 regarding the decision to remove outpoints from the filter [1=
].</div><div dir=3D"ltr"><br></div><div>Thanks for bringing this up though,=
 because more discussion is needed on the client protocol given that client=
s cannot reliably determine the integrity of a block filter in a bandwidth-=
efficient manner (due to the inclusion of input scripts).</div><div><br></d=
iv><div>I see three possibilities:</div><div>1) Introduce a new P2P message=
 to retrieve all prev-outputs for a given block (essentially the undo data =
in Core), and verify the scripts against the block by executing them. While=
 this permits some forms of input script malleability (and thus cannot disc=
riminate between all valid and invalid filters), it restricts what an attac=
ker can do. This was proposed by Laolu AFAIK, and I believe this is how btc=
d is proceeding.</div><div>2) Clients track multiple possible filter header=
 chains and essentially consider the union of their matches. So if any filt=
er received for a particular block header matches, the client downloads the=
 block. The client can ban a peer if they 1) ever return a filter omitting =
some data that is observed in the downloaded block, 2) repeatedly serve fil=
ters that trigger false positive block downloads where such a number of fal=
se positives is statistically unlikely, or 3) repeatedly serves filters tha=
t are significantly larger than the expected size (essentially padding the =
actual filters with garbage to waste bandwidth). I have not done the analys=
is yet, but we should be able to come up with some fairly simple banning he=
uristics using Chernoff bounds. The main downside is that the client logic =
to track multiple possible filter chains and filters per block is more comp=
lex and bandwidth increases if connected to a malicious server. I first hea=
rd about this idea from David Harding.</div><div>3) Rush straight to commit=
ting the filters into the chain (via witness reserved value or coinbase OP_=
RETURN) and give up on the pre-softfork BIP 157 P2P mode.</div><div><br></d=
iv><div>I&#39;m in favor of option #2 despite the downsides since it requir=
es the smallest number of changes and is supported by the BIP 157 P2P proto=
col as currently written. (Though the recommended client protocol in the BI=
P needs to be updated to account for this). Another benefit of it is that i=
t removes some synchronicity assumptions where a peer with the correct filt=
ers keeps timing out and is assumed to be dishonest, while the dishonest pe=
er is assumed to be OK because it is responsive.</div><div><br></div><div>I=
f anyone has other ideas, I&#39;d love to hear them.</div><div><br></div><d=
iv>-jimpo</div><div><br></div><div dir=3D"ltr">[1] <a href=3D"https://lists=
.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016057.html" target=3D=
"_blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/=
016057.html</a></div><div dir=3D"ltr"><br></div><div dir=3D"ltr"><br></div>=
</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">=
On Mon, Feb 4, 2019 at 10:53 AM Tamas Blummer via bitcoin-dev &lt;<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin=
-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex">TLDR: a change to BIP158 would allow decision=
 on which filter chain is correct at lower bandwith use<br>
<br>
Assume there is a BIP157 client that learned a filter header chain earlier =
and is now offered an alternate reality by a newly connected BIP157 server.=
<br>
<br>
The client notices the alternate reality by routinely asking for filter cha=
in checkpoints after connecting to a new BIP157 server. A divergence at a c=
heckpoint means that the server disagrees the client&#39;s history at or be=
fore the first diverging checkpoint. The client would then request the filt=
er headers between the last matching and first divergent checkpoint, and qu=
ickly figure which block=E2=80=99s filter is the first that does not match =
previous assumption, and request that filter from the server.<br>
<br>
The client downloads the corresponding block, checks that its header fits t=
he PoW secured best header chain, re-calculates merkle root of its transact=
ion list to know that it is complete and queries the filter to see if every=
 output script of every transaction is contained in there, if not the serve=
r is lying, the case is closed, the server disconnected.<br>
<br>
Having all output scripts in the filter does not however guarantee that the=
 filter is correct since it might omit input scripts. Inputs scripts are no=
t part of the downloaded block, but are in some blocks before that. Checkin=
g those are out of reach for lightweight client with tools given by the cur=
rent BIP.<br>
<br>
A remedy here would be an other filter chain on created and spent outpoints=
 as is implemented currently by Murmel. The outpoint filter chain must offe=
r a match for every spent output of the block with the divergent filter, ot=
herwise the interrogated server is lying since a PoW secured block can not =
spend coins out of nowhere. Doing this check would already force the client=
 to download the outpoint filter history up-to the point of divergence. The=
n the client would have to download and PoW check every block that shows a =
match in outpoints until it figures that one of the spent outputs has a scr=
ipt that was not in the server=E2=80=99s filter, in which case the server i=
s lying. If everything checks out then the previous assumption on filter hi=
story was incorrect and should be replaced by the history offered by the in=
terrogated server. <br>
<br>
As you see the interrogation works with this added filter but is highly ine=
ffective. A really light client should not be forced to download lots of bl=
ocks just to uncover a lying filter server. This would actually be an easy =
DoS on light BIP157 clients.<br>
<br>
A better solution is a change to BIP158 such that the only filter contains =
created scripts and spent outpoints. It appears to me that this would serve=
 well both wallets and interrogation of filter servers well:<br>
<br>
Wallets would recognize payments to their addresses by the filter as output=
 scripts are included, spends from the wallet would be recognized as a wall=
et already knows outpoints of its previously received coins, so it can quer=
y the filters for them.<br>
<br>
Interrogation of a filter server also simplifies, since the filter of the b=
lock can be checked entirely against the contents of the same block. The de=
cision on filter correctness does not require more bandwith then download o=
f a block at the mismatching checkpoint. The client could only be forced at=
 max. to download 1/1000 th of the blockchain in addition to the filter hea=
der history.<br>
<br>
Therefore I suggest to change BIP158 to have a base filter, defined as:<br>
<br>
A basic filter MUST contain exactly the following items for each transactio=
n in a block:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =E2=80=A2 Spent outpoints<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =E2=80=A2 The scriptPubKey of each output, asid=
e from all OP_RETURN output scripts.<br>
<br>
Tamas Blummer<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</div></blockquote></div><br></div></blockquote></div>

--0000000000003b403205811bbb84--