π
Original date posted:2019-04-18
π Original message:Good morning Ruben,
Sent with ProtonMail Secure Email.
βββββββ Original Message βββββββ
On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> Simplified-Payment-Verification (SPV) is secure under the assumption
> that the chain with the most Proof-of-Work (PoW) is valid. As many
> have pointed out before, and attacks like Segwit2x have shown, this is
> not a safe assumption. What I propose below improves this assumption
> -- invalid blocks will be rejected as long as there are enough honest
> miners to create a block within a reasonable time frame. This still
> doesnβt fully inoculate SPV clients against dishonest miners, but is a
> clear improvement over regular SPV (and compatible with the privacy
> improvements of BIP157[0]).
>
> The idea is that a fork is an indication of potential misbehavior --
> its block header can serve as a PoW fraud proof. Conversely, the lack
> of a fork is an indication that a block is valid. If a fork is created
> from a block at height N, this means a subset of miners may disagree
> on the validity of block N+1. If SPV clients download and verify this
> block, they can judge for themselves whether or not the chain should
> be rejected. Of course it could simply be a natural fork, in which
> case we continue following the chain with the most PoW.
I presume you mean a chain split?
>
> The way Bitcoin currently works, it is impossible to verify the
> validity of block N+1 without knowing the UTXO set at block N, even if
> you are willing to assume that block N (and everything before it) is
> valid. This would change with the introduction of UTXO set
> commitments, allowing block N+1 to be validated by verifying whether
> its inputs are present in the UTXO set that was committed to in block
> N. An open question is whether a similar result can be achieved
> without a soft fork that commits to the UTXO set[0][1].
>
> If an invalid block is created and only 10% of the miners are honest,
> on average it would take 100 minutes for a valid block to appear.
> During this time, the SPV client will be following the invalid chain
> and see roughly 9 confirmations before the chain gets rejected. It may
> therefore be prudent to wait for a number of confirmations that
> corresponds to the time it may take for the conservative percentage of
> miners that you think may behave honestly to create a block (including
> variance).
I suppose a minority miner that wants to disrupt the network could simply create a *valid* block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.
If this minority miner has > 10% of network hashrate, then the rule of thumb above would, on average, give it the ability to disrupt the SPV-using network.
>10% of network hashrate to disrupt the SPV-using nodes would be a rather low bar to disruption.
Consider that SPV-using nodes would be disrupted, without this rule, only by >50% network hashrate.
It is helpful to consider that every rule you impose is potentially a loophole by which a new attack is possible.
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5β¦3ms3l
2023-06-07 18:17:39
in reply to nevent1qβ¦59gz
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-07 18:17:39Event JSON
{
"id": "dee8a0c7ff538ce6181a19ae74970af23cac2e3470de804667538048faca66f6",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686161859,
"kind": 1,
"tags": [
[
"e",
"3a112aeaf906ea2c2bc5f1eab5f30d5f47638016a36241c89936d50319290b2b",
"",
"root"
],
[
"e",
"78aa36cb40de23395f32358306c77a4dd82037acccfae093f6f0b9708c3c7972",
"",
"reply"
],
[
"p",
"c4c73e48c7d7f313938a90d71ff5e4be5d01dd4157f98ed99adf14737bfb78e0"
]
],
"content": "π
Original date posted:2019-04-18\nπ Original message:Good morning Ruben,\n\n\nSent with ProtonMail Secure Email.\n\nβββββββ Original Message βββββββ\nOn Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e Simplified-Payment-Verification (SPV) is secure under the assumption\n\u003e that the chain with the most Proof-of-Work (PoW) is valid. As many\n\u003e have pointed out before, and attacks like Segwit2x have shown, this is\n\u003e not a safe assumption. What I propose below improves this assumption\n\u003e -- invalid blocks will be rejected as long as there are enough honest\n\u003e miners to create a block within a reasonable time frame. This still\n\u003e doesnβt fully inoculate SPV clients against dishonest miners, but is a\n\u003e clear improvement over regular SPV (and compatible with the privacy\n\u003e improvements of BIP157[0]).\n\u003e\n\u003e The idea is that a fork is an indication of potential misbehavior --\n\u003e its block header can serve as a PoW fraud proof. Conversely, the lack\n\u003e of a fork is an indication that a block is valid. If a fork is created\n\u003e from a block at height N, this means a subset of miners may disagree\n\u003e on the validity of block N+1. If SPV clients download and verify this\n\u003e block, they can judge for themselves whether or not the chain should\n\u003e be rejected. Of course it could simply be a natural fork, in which\n\u003e case we continue following the chain with the most PoW.\n\nI presume you mean a chain split?\n\n\u003e\n\u003e The way Bitcoin currently works, it is impossible to verify the\n\u003e validity of block N+1 without knowing the UTXO set at block N, even if\n\u003e you are willing to assume that block N (and everything before it) is\n\u003e valid. This would change with the introduction of UTXO set\n\u003e commitments, allowing block N+1 to be validated by verifying whether\n\u003e its inputs are present in the UTXO set that was committed to in block\n\u003e N. An open question is whether a similar result can be achieved\n\u003e without a soft fork that commits to the UTXO set[0][1].\n\u003e\n\u003e If an invalid block is created and only 10% of the miners are honest,\n\u003e on average it would take 100 minutes for a valid block to appear.\n\u003e During this time, the SPV client will be following the invalid chain\n\u003e and see roughly 9 confirmations before the chain gets rejected. It may\n\u003e therefore be prudent to wait for a number of confirmations that\n\u003e corresponds to the time it may take for the conservative percentage of\n\u003e miners that you think may behave honestly to create a block (including\n\u003e variance).\n\nI suppose a minority miner that wants to disrupt the network could simply create a *valid* block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.\nIf this minority miner has \u003e 10% of network hashrate, then the rule of thumb above would, on average, give it the ability to disrupt the SPV-using network.\n\n\u003e10% of network hashrate to disrupt the SPV-using nodes would be a rather low bar to disruption.\nConsider that SPV-using nodes would be disrupted, without this rule, only by \u003e50% network hashrate.\n\nIt is helpful to consider that every rule you impose is potentially a loophole by which a new attack is possible.\n\nRegards,\nZmnSCPxj",
"sig": "1c9305a57be0d4660a1e57e073f7bd29465ae6562c36c602e9d37d68f0efeb1e80bfd13d36696879b099088487c998bf2a87127f9916bade8b6d6dfa2e4314e1"
}