From: ZmnSCPxj
To: Ethan Heilman
Cc: Bitcoin Protocol Discussion
Date: Fri, 19 Apr 2019 00:25:25 +0000
Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs

Good morning Ethan,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, April 19, 2019 4:12 AM, Ethan Heilman wrote:

> I'm probably repeating a point which has been said before.
>
> > I suppose a minority miner that wants to disrupt the network could simply create a valid block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.
>
> If this minority miner has > 10% of network hashrate, then the rule of
> thumb above would, on average, give it the ability to disrupt the
> SPV-using network.
>
> Proposed rule:
> Whenever a chainsplit occurs SPV clients should download and validate
> the "longest chain" up to more than one block greater than the height
> of the losing chain.
>
> Let's say a block split causes chain A and chain B: Chain A is N blocks
> long, chain B is M blocks long, and N < M. Then the SPV client should
> download all the block data of N+1 blocks from Chain B to verify
> availability of chain B. Once the SPV client has verified that chain B
> is available they can use fraud proofs to determine if chain B is valid.

Let us then revert to the original scenario.

Suppose a supermajority (90%) of miners decide to increase inflation of the currency.
They do this by imposing the rule:

1. For 1 block, the coinbase is 21,000,000 times the pre-fork coinbase value.
2. For 9 blocks, the coinbase is the pre-fork value.
3. Repeat this pattern every 10 blocks.

The above is a hardfork.
However, as they believe that SPV nodes dominate the economy, this mining supermajority believes it can take over the network hashpower and impose its will on the network.

At height S+1, they begin the above rule.
This implies that at heights S+1, S+11, S+21, S+31... the coinbase violates the pre-hardfork rules.
At around height S+9, the minority miners generate an alternate block at height S+1.
So SPV nodes download S+9 and S+8 on the longer chain, and see nothing wrong with those blocks.
At around height S+18, the minority miners generate an alternate block at height S+2.
So SPV nodes download S+18, S+17, S+16 and again see nothing wrong with those blocks.

This can go on for a good amount of time.
With a "rare enough" inflation event, miners may even be able to spend some coinbases on SPV nodes that SPV nodes become unwilling to revert to the minority pre-hardfork chain, economically locking in the post-hardfork inflation.

Again: every rule is an opportunity to loophole.

Regards,
ZmnSCPxj

> An attacker could use this to force SPV clients to download 1 block
> per block the attacker mines. This is strictly weaker security than
> provided by a full-node because chain B will only be validated if the
> client knows chain A exists. If the SPV client's view of the
> blockchain is eclipsed then the client will never learn that chain A
> exists and thus never validate chain B's availability nor will the
> client be able to learn fraud proofs about chain B. A full node in
> this circumstance would notice that the chain B is invalid and reject
> it because a full node would not depend on fraud proofs. That being
> said this rule would provide strictly more security than current SPV
> clients.
>
> On Thu, Apr 18, 2019 at 3:08 PM ZmnSCPxj via bitcoin-dev
> bitcoin-dev@lists.linuxfoundation.org wrote:
>
> > Good morning Ruben,
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> >
> > > Simplified-Payment-Verification (SPV) is secure under the assumption
> > > that the chain with the most Proof-of-Work (PoW) is valid.
> > > As many have pointed out before, and attacks like Segwit2x have shown, this is
> > > not a safe assumption. What I propose below improves this assumption
> > > -- invalid blocks will be rejected as long as there are enough honest
> > > miners to create a block within a reasonable time frame. This still
> > > doesn’t fully inoculate SPV clients against dishonest miners, but is a
> > > clear improvement over regular SPV (and compatible with the privacy
> > > improvements of BIP157[0]).
> > >
> > > The idea is that a fork is an indication of potential misbehavior --
> > > its block header can serve as a PoW fraud proof. Conversely, the lack
> > > of a fork is an indication that a block is valid. If a fork is created
> > > from a block at height N, this means a subset of miners may disagree
> > > on the validity of block N+1. If SPV clients download and verify this
> > > block, they can judge for themselves whether or not the chain should
> > > be rejected. Of course it could simply be a natural fork, in which
> > > case we continue following the chain with the most PoW.
> >
> > I presume you mean a chain split?
> >
> > > The way Bitcoin currently works, it is impossible to verify the
> > > validity of block N+1 without knowing the UTXO set at block N, even if
> > > you are willing to assume that block N (and everything before it) is
> > > valid. This would change with the introduction of UTXO set
> > > commitments, allowing block N+1 to be validated by verifying whether
> > > its inputs are present in the UTXO set that was committed to in block
> > > N. An open question is whether a similar result can be achieved
> > > without a soft fork that commits to the UTXO set[0][1].
> > >
> > > If an invalid block is created and only 10% of the miners are honest,
> > > on average it would take 100 minutes for a valid block to appear.
> > > During this time, the SPV client will be following the invalid chain
> > > and see roughly 9 confirmations before the chain gets rejected. It may
> > > therefore be prudent to wait for a number of confirmations that
> > > corresponds to the time it may take for the conservative percentage of
> > > miners that you think may behave honestly to create a block (including
> > > variance).
> >
> > I suppose a minority miner that wants to disrupt the network could simply create a valid block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.
> > If this minority miner has > 10% of network hashrate, then the rule of thumb above would, on average, give it the ability to disrupt the SPV-using network.
> >
> > > 10% of network hashrate to disrupt the SPV-using nodes would be a rather low bar to disruption.
> > > Consider that SPV-using nodes would be disrupted, without this rule, only by >50% network hashrate.
> >
> > It is helpful to consider that every rule you impose is potentially a loophole by which a new attack is possible.
> >
> > Regards,
> > ZmnSCPxj
> >
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
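
Added example (not part of the original message, and not code from any Bitcoin client): a small model of the scenario in the reply above, measuring when the proposed download rule first audits a block that breaks the coinbase rule. It assumes a deterministic schedule of one minority block per 9 majority blocks, and it compares the tip-anchored window walked through in the reply with a fork-anchored window, a reading assumed here for comparison; all function names are hypothetical.

```python
# Added illustration: a deterministic model of the scenario in the reply.
# Assumptions: one minority block per 9 majority blocks; offsets are relative
# to the fork base S; all names here are hypothetical.

def violates(offset, period=10):
    """Coinbase rule from the reply: S+1, S+11, S+21, ... break pre-fork rules."""
    return offset % period == 1

def audited_offsets(tip, losing_len, anchor):
    """Majority-chain offsets the SPV client downloads: losing_len + 1 blocks."""
    count = losing_len + 1
    if anchor == "tip":    # as walked through in the reply: S+9,S+8; S+18..S+16
        return range(tip - count + 1, tip + 1)
    if anchor == "fork":   # assumed alternative: first blocks after the split
        return range(1, count + 1)
    raise ValueError(f"unknown anchor: {anchor}")

def first_detection(anchor, period=10, ratio=9, max_events=10_000):
    """Return (losing_len, tip, bad_offset) for the first audit that downloads
    an invalid block, or None if no audit does within max_events."""
    for losing_len in range(1, max_events + 1):
        tip = losing_len * ratio  # majority height when the minority block lands
        for offset in audited_offsets(tip, losing_len, anchor):
            if violates(offset, period):
                return losing_len, tip, offset
    return None

def missed_before_detection(anchor, period=10, ratio=9):
    """Invalid blocks already on the majority chain, other than the one caught,
    at the moment of first detection."""
    hit = first_detection(anchor, period, ratio)
    if hit is None:
        return None
    _, tip, caught = hit
    return [o for o in range(1, tip + 1) if violates(o, period) and o != caught]

if __name__ == "__main__":
    for anchor in ("tip", "fork"):
        for period in (10, 100, 1000):
            print(anchor, period, first_detection(anchor, period),
                  len(missed_before_detection(anchor, period)))
```

Under these assumptions the tip-anchored window first downloads an invalid block at S+41 when the majority tip is at S+45, while the fork-anchored window downloads S+1 at the first split.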