π
Original date posted:2017-02-23
π Original message:This kind of thing is long overdue!
I think itβs a great idea to attempt this without soft forking TXO
commitments yet so we can see what works best.
- E
On Wed, Feb 22, 2017 at 5:11 PM, Peter Todd via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> Something I've recently realised is that TXO commitments do not need to be
> implemented as a consensus protocol change to be useful. All the benefits
> they
> provide to full nodes with regard to allowing for old UTXO data to be
> pruned -
> and thus solving the UTXO bloat problem - can be implemented even without
> having miners commit to the TXO commitment itself. This has a significant
> deployment advantage too: we can try out multiple TXO commitment schemes,
> in
> production, without the need for consensus changes.
>
>
> # Reasoning
>
> 1) Like any other merkelized data structure, a TXO commitment allows a
> data set
> - the TXO set - to be securely provided by an untrusted third party,
> allowing
> the data itself to be discarded. So if you have a valid TXO commitment,
> you can
> discard the TXO data itself, and rely on untrusted entities to provide you
> that
> data on demand.
>
> 2) The TXO set is a super-set of the UTXO set; all data in the UTXO set is
> also
> present in the TXO set. Thus a TXO commitment with spent TXO's pruned is
> equivalent to a UTXO set, doubly so if inner nodes in the commitment tree
> commit to the sum-unspent of their children.
>
> 3) Where a outpoint-indexed UTXO set has a uniform access pattern, an
> insertion-ordered TXO set has a delibrately *non-uniform* access pattern:
> not
> only are new entries to the TXO set always appended to the end - an
> operation
> that requires a known, log2(n), sized set of merkle tips - but due to lost
> coins alone we can guarantee that older entries in the TXO set will be less
> frequently updated than newer entries.
>
> 4) Thus a full node that doesn't have enough local storage to maintain the
> full
> UTXO set can instead keep track of a TXO commitment, and prune older UTXO's
> from it that are unlikely to be spent. In the event those UTXO's are spent,
> transactions and blocks spending them can trustlessly provide the necessary
> data to temporarily fill-in the node's local TXO set database, allowing the
> next commitment to be calculated.
>
> 5) By *not* committing the TXO commitment in the block itself, we obsolete
> my
> concept of delayed TXO commitments: you don't need to have calculated the
> TXO
> commitment digest to validate a block anyway!
>
>
> # Deployment Plan
>
> 1) Implement a TXO commitment scheme with the ability to efficiently store
> the
> last n versions of the commitment state for the purpose of reorgs (a
> reference-counted scheme naturally does this).
>
> 2) Add P2P support for advertising to peers what parts of the TXO set
> you've
> pruned.
>
> 3) Add P2P support to produce, consume, and update TXO unspentness proofs
> as
> part of transaction and block relaying.
>
> 4) Profit.
>
>
> # Bootstrapping New Nodes
>
> With a TXO commitment scheme implemented, it's also possible to produce
> serialized UTXO snapshots for bootstrapping new nodes. Equally, it's
> obviously
> possible to distribute those snapshots, and have people you trust attest
> to the
> validity of those snapshots.
>
> I argue that a snapshot with an attestation from known individuals that you
> trust is a *better* security model than having miners attest to validity:
> the
> latter is trusting an unknown set of unaccountable, anonymous, miners.
>
> This security model is not unlike the recently implemented -assumevalid
> scheme(1), in that auditing the validity of the assumed valid TXO
> commitments
> is something anyone can do provided they have a full node. Similarly, we
> could
> ship Bitcoin nodes with an assumed-valid TXO commitment, and have those
> nodes
> fill in the UTXO data from their peers.
>
> However it is a weaker security model, in that a false TXO commitment can
> more
> easily be used to trick a node into accepting invalid transactions/blocks;
> assumed valid blocks requires proof-of-work to pull off this attack. A
> compromise may be to use assumed valid TXO commitments, extending my
> partial
> UTXO set(2) suggestion of having nodes validate the chain backwards, to
> eventually validate 100% of the chain.
>
>
> # References
>
> 1) https://github.com/bitcoin/bitcoin/pull/9484
> 2) [Bitcoin-development] SPV bitcoind? (was: Introducing
> BitcoinKit.framework),
> Peter Todd, Jul 17th 2013, Bitcoin development mailing list,
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2013-July/002917.html
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20170222/cabff956/attachment.html>;
Eric Lombrozo [ARCHIVE] /
npub1azβ¦t2krq
2023-06-07 17:56:28
in reply to nevent1qβ¦0vk7
Author Public Key
npub1azvhdrf9fu6n0tm7yez4j6zcxcedp2ct6nrcq3z74naqs7kgpk8s5t2krqPublished at
2023-06-07 17:56:28Event JSON
{
"id": "ac39422d9fe6c12a1d9fb7b516a285b5a6f47e6b53e507598526b30760093a32",
"pubkey": "e899768d254f3537af7e26455968583632d0ab0bd4c780445eacfa087ac80d8f",
"created_at": 1686160588,
"kind": 1,
"tags": [
[
"e",
"a0b524bf2f2752d90819b6de72593123747d751d12083bfe67597e028020ed0d",
"",
"root"
],
[
"e",
"17898615ec54f1dc6aa0e25b480d904222d8b10e0f53daee12225f883a0ec140",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "π
Original date posted:2017-02-23\nπ Original message:This kind of thing is long overdue!\n\nI think itβs a great idea to attempt this without soft forking TXO\ncommitments yet so we can see what works best.\n\n\n- E\n\nOn Wed, Feb 22, 2017 at 5:11 PM, Peter Todd via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e Something I've recently realised is that TXO commitments do not need to be\n\u003e implemented as a consensus protocol change to be useful. All the benefits\n\u003e they\n\u003e provide to full nodes with regard to allowing for old UTXO data to be\n\u003e pruned -\n\u003e and thus solving the UTXO bloat problem - can be implemented even without\n\u003e having miners commit to the TXO commitment itself. This has a significant\n\u003e deployment advantage too: we can try out multiple TXO commitment schemes,\n\u003e in\n\u003e production, without the need for consensus changes.\n\u003e\n\u003e\n\u003e # Reasoning\n\u003e\n\u003e 1) Like any other merkelized data structure, a TXO commitment allows a\n\u003e data set\n\u003e - the TXO set - to be securely provided by an untrusted third party,\n\u003e allowing\n\u003e the data itself to be discarded. So if you have a valid TXO commitment,\n\u003e you can\n\u003e discard the TXO data itself, and rely on untrusted entities to provide you\n\u003e that\n\u003e data on demand.\n\u003e\n\u003e 2) The TXO set is a super-set of the UTXO set; all data in the UTXO set is\n\u003e also\n\u003e present in the TXO set. Thus a TXO commitment with spent TXO's pruned is\n\u003e equivalent to a UTXO set, doubly so if inner nodes in the commitment tree\n\u003e commit to the sum-unspent of their children.\n\u003e\n\u003e 3) Where a outpoint-indexed UTXO set has a uniform access pattern, an\n\u003e insertion-ordered TXO set has a delibrately *non-uniform* access pattern:\n\u003e not\n\u003e only are new entries to the TXO set always appended to the end - an\n\u003e operation\n\u003e that requires a known, log2(n), sized set of merkle tips - but due to lost\n\u003e coins alone we can guarantee that older entries in the TXO set will be less\n\u003e frequently updated than newer entries.\n\u003e\n\u003e 4) Thus a full node that doesn't have enough local storage to maintain the\n\u003e full\n\u003e UTXO set can instead keep track of a TXO commitment, and prune older UTXO's\n\u003e from it that are unlikely to be spent. In the event those UTXO's are spent,\n\u003e transactions and blocks spending them can trustlessly provide the necessary\n\u003e data to temporarily fill-in the node's local TXO set database, allowing the\n\u003e next commitment to be calculated.\n\u003e\n\u003e 5) By *not* committing the TXO commitment in the block itself, we obsolete\n\u003e my\n\u003e concept of delayed TXO commitments: you don't need to have calculated the\n\u003e TXO\n\u003e commitment digest to validate a block anyway!\n\u003e\n\u003e\n\u003e # Deployment Plan\n\u003e\n\u003e 1) Implement a TXO commitment scheme with the ability to efficiently store\n\u003e the\n\u003e last n versions of the commitment state for the purpose of reorgs (a\n\u003e reference-counted scheme naturally does this).\n\u003e\n\u003e 2) Add P2P support for advertising to peers what parts of the TXO set\n\u003e you've\n\u003e pruned.\n\u003e\n\u003e 3) Add P2P support to produce, consume, and update TXO unspentness proofs\n\u003e as\n\u003e part of transaction and block relaying.\n\u003e\n\u003e 4) Profit.\n\u003e\n\u003e\n\u003e # Bootstrapping New Nodes\n\u003e\n\u003e With a TXO commitment scheme implemented, it's also possible to produce\n\u003e serialized UTXO snapshots for bootstrapping new nodes. Equally, it's\n\u003e obviously\n\u003e possible to distribute those snapshots, and have people you trust attest\n\u003e to the\n\u003e validity of those snapshots.\n\u003e\n\u003e I argue that a snapshot with an attestation from known individuals that you\n\u003e trust is a *better* security model than having miners attest to validity:\n\u003e the\n\u003e latter is trusting an unknown set of unaccountable, anonymous, miners.\n\u003e\n\u003e This security model is not unlike the recently implemented -assumevalid\n\u003e scheme(1), in that auditing the validity of the assumed valid TXO\n\u003e commitments\n\u003e is something anyone can do provided they have a full node. Similarly, we\n\u003e could\n\u003e ship Bitcoin nodes with an assumed-valid TXO commitment, and have those\n\u003e nodes\n\u003e fill in the UTXO data from their peers.\n\u003e\n\u003e However it is a weaker security model, in that a false TXO commitment can\n\u003e more\n\u003e easily be used to trick a node into accepting invalid transactions/blocks;\n\u003e assumed valid blocks requires proof-of-work to pull off this attack. A\n\u003e compromise may be to use assumed valid TXO commitments, extending my\n\u003e partial\n\u003e UTXO set(2) suggestion of having nodes validate the chain backwards, to\n\u003e eventually validate 100% of the chain.\n\u003e\n\u003e\n\u003e # References\n\u003e\n\u003e 1) https://github.com/bitcoin/bitcoin/pull/9484\n\u003e 2) [Bitcoin-development] SPV bitcoind? (was: Introducing\n\u003e BitcoinKit.framework),\n\u003e Peter Todd, Jul 17th 2013, Bitcoin development mailing list,\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/\n\u003e 2013-July/002917.html\n\u003e\n\u003e --\n\u003e https://petertodd.org 'peter'[:-1]@petertodd.org\n\u003e\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20170222/cabff956/attachment.html\u003e",
"sig": "9cb9e13d13528d6fd0f375c259b61b887d0b821fc9ff174ff42768c33c4f6a15d99b08b0ec05413636c77e18077338de9f6ec5e799a836ca8ba0b6c7cd8a9447"
}