Date: Wed, 22 Mar 2017 21:51:08 +0000
In-Reply-To: <CA+KqGkqD0z1O6+pCNaB-vCu_YW2-eO9nmrwcnQ--574t95hghg@mail.gmail.com>
References: <201703220847.31303.luke@dashjr.org>
	<CA+KqGkqD0z1O6+pCNaB-vCu_YW2-eO9nmrwcnQ--574t95hghg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----WMB90IH5HHH2R7QIVJ4S753EOBQ0KJ"
Content-Transfer-Encoding: 7bit
To: Bram Cohen <bram@bittorrent.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Bram Cohen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>,
	Luke Dashjr <luke@dashjr.org>
From: Matt Corallo <lf-lists@mattcorallo.com>
Message-ID: <30FB8B13-135D-4905-B1B4-76D79341CA02@mattcorallo.com>
Subject: Re: [bitcoin-dev] Fraud proofs for block size/weight
Precedence: list

------WMB90IH5HHH2R7QIVJ4S753EOBQ0KJ
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable

It works today and can be used to prove exact size: the key observation is =
that all you need to show the length and hash of a transaction is the final=
 SHA256 midstate and chunk (max 64 bytes)=2E It also uses the observation t=
hat a valid transaction must be at least 60 bytes long for compression (tho=
ugh much of that compression possibility goes away if you're proving someth=
ing other than "too large")=2E

On March 22, 2017 1:49:08 PM PDT, Bram Cohen via bitcoin-dev <bitcoin-dev@=
lists=2Elinuxfoundation=2Eorg> wrote:
>Some questions:
>
>Does this require information to be added to blocks, or can it work
>today
>on the existing format?
>
>Does this count number of transactions or their total length? The block
>limit is in bytes rather than number of transactions, but transaction
>number can be a reasonable proxy if you allow for some false negatives
>but
>want a basic sanity check=2E
>
>Does this allow for proofs of length in the positive direction,
>demonstrating that a block is good, or does it only serve to show that
>blocks are bad? Ideally we'd like an extension to SPV protocol so light
>clients require proofs of blocks not being too big, given the credible
>threat of there being an extremely large-scale attack on the network of
>that form=2E
>
>
>On Wed, Mar 22, 2017 at 1:47 AM, Luke Dashjr via bitcoin-dev <
>bitcoin-dev@lists=2Elinuxfoundation=2Eorg> wrote:
>
>> Despite the generalised case of fraud proofs being likely impossible,
>there
>> have recently been regular active proposals of miners attacking with
>simply
>> oversized blocks in an attempt to force a hardfork=2E This specific
>attack
>> can
>> be proven, and reliably so, since the proof cannot be broken without
>also
>> breaking their attempted hardfork at the same time=2E
>>
>> While ideally all users ought to use their own full node for
>validation
>> (even
>> when using a light client for their wallet), many bitcoin holders
>still do
>> not=2E As such, they are likely to need protection from these attacks,
>to
>> ensure
>> they remain on the Bitcoin blockchain=2E
>>
>> I've written up a draft BIP for fraud proofs and how light clients
>can
>> detect
>> blockchains that are simply invalid due to excess size and/or weight:
>>
>>   =20
>https://github=2Ecom/luke-jr/bips/blob/bip-sizefp/bip-sizefp=2Emediawiki
>>
>> I believe this draft is probably ready for implementation already,
>but if
>> anyone has any idea on how it might first be improved, please feel
>free to
>> make suggestions=2E
>>
>> Luke
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists=2Elinuxfoundation=2Eorg
>> https://lists=2Elinuxfoundation=2Eorg/mailman/listinfo/bitcoin-dev
>>

------WMB90IH5HHH2R7QIVJ4S753EOBQ0KJ
Content-Type: text/html;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head></head><body>It works today and can be used to prove exact size=
: the key observation is that all you need to show the length and hash of a=
 transaction is the final SHA256 midstate and chunk (max 64 bytes)=2E It al=
so uses the observation that a valid transaction must be at least 60 bytes =
long for compression (though much of that compression possibility goes away=
 if you&#39;re proving something other than &quot;too large&quot;)=2E<br><b=
r><div class=3D"gmail_quote">On March 22, 2017 1:49:08 PM PDT, Bram Cohen v=
ia bitcoin-dev &lt;bitcoin-dev@lists=2Elinuxfoundation=2Eorg&gt; wrote:<blo=
ckquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt 0=2E8ex; border-=
left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir=3D"ltr">Some questions:<div><br /></div><div>Does this require in=
formation to be added to blocks, or can it work today on the existing forma=
t?</div><div><br /></div><div>Does this count number of transactions or the=
ir total length? The block limit is in bytes rather than number of transact=
ions, but transaction number can be a reasonable proxy if you allow for som=
e false negatives but want a basic sanity check=2E</div><div><br /></div><d=
iv>Does this allow for proofs of length in the positive direction, demonstr=
ating that a block is good, or does it only serve to show that blocks are b=
ad? Ideally we'd like an extension to SPV protocol so light clients require=
 proofs of blocks not being too big, given the credible threat of there bei=
ng an extremely large-scale attack on the network of that form=2E</div><div=
><br /></div></div><div class=3D"gmail_extra"><br /><div class=3D"gmail_quo=
te">On Wed, Mar 22, 2017 at 1:47 AM, Luke Dashjr via bitcoin-dev <span dir=
=3D"ltr">&lt;<a href=3D"mailto:bitcoin-dev@lists=2Elinuxfoundation=2Eorg" t=
arget=3D"_blank">bitcoin-dev@lists=2Elinuxfoundation=2Eorg</a>&gt;</span> w=
rote:<br /><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =2E8ex;b=
order-left:1px #ccc solid;padding-left:1ex">Despite the generalised case of=
 fraud proofs being likely impossible, there<br />
have recently been regular active proposals of miners attacking with simpl=
y<br />
oversized blocks in an attempt to force a hardfork=2E This specific attack=
 can<br />
be proven, and reliably so, since the proof cannot be broken without also<=
br />
breaking their attempted hardfork at the same time=2E<br />
<br />
While ideally all users ought to use their own full node for validation (e=
ven<br />
when using a light client for their wallet), many bitcoin holders still do=
<br />
not=2E As such, they are likely to need protection from these attacks, to =
ensure<br />
they remain on the Bitcoin blockchain=2E<br />
<br />
I've written up a draft BIP for fraud proofs and how light clients can det=
ect<br />
blockchains that are simply invalid due to excess size and/or weight:<br /=
>
<br />
&nbsp; &nbsp; <a href=3D"https://github=2Ecom/luke-jr/bips/blob/bip-sizefp=
/bip-sizefp=2Emediawiki" rel=3D"noreferrer" target=3D"_blank">https://githu=
b=2Ecom/luke-jr/<wbr />bips/blob/bip-sizefp/bip-<wbr />sizefp=2Emediawiki</=
a><br />
<br />
I believe this draft is probably ready for implementation already, but if<=
br />
anyone has any idea on how it might first be improved, please feel free to=
<br />
make suggestions=2E<br />
<br />
Luke<br />
______________________________<wbr />_________________<br />
bitcoin-dev mailing list<br />
<a href=3D"mailto:bitcoin-dev@lists=2Elinuxfoundation=2Eorg">bitcoin-dev@l=
ists=2E<wbr />linuxfoundation=2Eorg</a><br />
<a href=3D"https://lists=2Elinuxfoundation=2Eorg/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists=2Elinuxfoundation=
=2E<wbr />org/mailman/listinfo/bitcoin-<wbr />dev</a><br />
</blockquote></div><br /></div>
</blockquote></div></body></html>
------WMB90IH5HHH2R7QIVJ4S753EOBQ0KJ--