📅 Original date posted:2015-02-21
📝 Original message:Seems like Greg & I may be saying different things. Maybe I am
misunderstanding something at the wire level or in size/scalability
but what I was trying to say is I think simpler.
By UTXO commitment I mean a merkle tree of unspent addresses is
committed in each block. Also a bloom filter containing addresses in
the block is committed.
Now the user downloads the bloom filter for each block, and searches
it locally. They see which addresses of theirs maybe in the block
(with some false positives).
Then they make fresh random connections to different nodes and request
download of the respective individual transactions from the full node.
The node can respond either a) here is the transaction and here is its
merkle path in the merkle tree (this is the way SPV works today); or
b) there is no such transaction, this is a false positive, and here is
a pair of merkle trie paths in the UTXO commitment (a trie) that
proves the full node is not withholding and its true that no such
transaction is in the block.
Additionally with UTXO commitments in case a) the user can keep up to
date with the chain tip and request from the full node a merkle path
in the UTXO commitment to show that the coin is still unspent.
(Otherwise you get long range attacks where someone can grind away
until they belatedly find a PoW on an old low hashrate block with UTXO
and fool an SPV node they know the address for into accepting a spend
of something long spent).
About privacy the node can make different random connections to
different nodes to fetch addresses. Nothing is leaked by downloading
the bloom filter. Scanning happens locally. The full node cant
correlate the addresses as belonging to the same person by correlating
the download requests for them, because they are made via different
nodes. Its not a surprise nor privacy revealing that someone would
want to check receipt of the funds. The limit is the interactive
nature of ToR which isnt very secure against pervasive monitoring.
But for basic full-node passive attack resistant privacy pretty good.
Contrast with increasing the false positive on bloom queries: here the
full node can test correlation (modulo the false positive ratio) and
combine that with network flow analysis to narrow down who the user
might be. Plus query size and privacy are in conflict. Plus the
query size has to be continually retuned to even create a reliable
false positive rate relative to the current UTXO set. Is that is even
happening now (other than parameter sets)?
About the bitmap:
>Greg Maxwell wrote:
>> there is a scriptpubkey bitmap per block
>> which is committed. Users can request the map, and be SPV confident
>> that they received a faithful one. If there are hits, they can request
>> the block and be confident there was no censoring.
how does the SPV client know what the bits in this map mean to scan?
I presume these would be one bit per address and one would need to
know the full UTXO set in order to know whats in there. I am not sure
an SPV node would want the hit of keeping up to date with the full
UTXO set?
s/address/scriptpubkey for accuracy)
Adam
On 20 February 2015 at 19:03, Mike Hearn <mike at plan99.net> wrote:
>> It's a straight forward idea: there is a scriptpubkey bitmap per block
>> which is committed. Users can request the map, and be SPV confident
>> that they received a faithful one. If there are hits, they can request
>> the block and be confident there was no censoring.
>
>
> OK, I see now, thanks Gregory. You're right, the use of UTXO set in that
> context was confusing me.
>
> If I go back to when we first did Bloom filtering and imagine the same
> proposal being made, I guess I would have been wondering about the following
> issues. Perhaps they have solutions:
>
> 1. Miners have to upgrade to generate the per-block filters. Any block that
> doesn't have such a filter has to be downloaded in full, still. So it would
> have taken quite a while for the bandwidth savings to materialise.
>
> 2. If checking the filter isn't a consensus rule, any miner who builds a
> wrong filter breaks the entire SPV userbase. With per-node filtering, a
> malicious or wrong node breaks an individual sync, but if the wallet user
> notices they don't seem to be properly synchronised they can just press
> "Rescan chain" and most likely get fixed. In practice broken nodes have
> never been reported, but it's worth considering.
>
> 3. Downloading full blocks is still a lot of data. If you have a wallet that
> receives tips a couple of times per day, and you open your wallet once per
> week, then with 1mb blocks you would be downloading ~14mb of data each time.
> Pretty pokey even on a desktop. Much sadness if you're on mobile.
>
> 4. Header size is constant, but per-block filters wouldn't be. So even the
> null sync would download more data as the network got busier. Of course
> Bloom filtering has the same scaling problem, but only between hard disk ->
> RAM -> CPU rather than across the network.
>
> 5. Is it really more private? Imagine we see a hit in block 100, so we
> download the full block and find our transaction. But now we must also learn
> when that transaction is spent, so we can keep the wallet-local UTXO set up
> to date. So we scan forward and see another hit in block 105, so now we
> download block 105. The remote node can now select all transactions in block
> 105 that spend transactions in block 100 and narrow down which txs are ours.
> If we are watching a wallet that does multi-sends then it feels like this
> problem gets much worse.
>
>
>
> I'd really like to find a solution that has O(1) scaling on sync. If we see
> nodes just as sources of UTXO data then shovelling the client (tx, existing
> merkle path) pairs keyed off script prefixes would (with one additional
> index) be O(1) and provide the same security guarantees as Bloom filtering
> today. It creates lots of other problems to solve, but at least it would
> scale into the forseeable future.
>
>
Adam Back [ARCHIVE] /
npub1ac…lswfj
2023-06-07 15:30:45
in reply to nevent1q…d7gv
Author Public Key
npub1ac86vemj7ce5z8jyxt39rna3tvwql6xd30ha3vxcd6esysp23d9qrlswfjPublished at
2023-06-07 15:30:45Event JSON
{
"id": "b1f52f344fba3f0b2e3ea03ded3bfafbce98c52dac89eb58fe78d68a73d266b2",
"pubkey": "ee0fa66772f633411e4432e251cfb15b1c0fe8cd8befd8b0d86eb302402a8b4a",
"created_at": 1686151845,
"kind": 1,
"tags": [
[
"e",
"d00e0f44d6037fd0ba68029864e2acf1e3fe5c4c51dbcdd7d112be31766cd3e9",
"",
"root"
],
[
"e",
"80460bb658a7082c1cd8b73f342ce92de120bf42653bd5b2f9a343196433c9ed",
"",
"reply"
],
[
"p",
"f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2"
]
],
"content": "📅 Original date posted:2015-02-21\n📝 Original message:Seems like Greg \u0026 I may be saying different things. Maybe I am\nmisunderstanding something at the wire level or in size/scalability\nbut what I was trying to say is I think simpler.\n\nBy UTXO commitment I mean a merkle tree of unspent addresses is\ncommitted in each block. Also a bloom filter containing addresses in\nthe block is committed.\n\nNow the user downloads the bloom filter for each block, and searches\nit locally. They see which addresses of theirs maybe in the block\n(with some false positives).\n\nThen they make fresh random connections to different nodes and request\ndownload of the respective individual transactions from the full node.\nThe node can respond either a) here is the transaction and here is its\nmerkle path in the merkle tree (this is the way SPV works today); or\nb) there is no such transaction, this is a false positive, and here is\na pair of merkle trie paths in the UTXO commitment (a trie) that\nproves the full node is not withholding and its true that no such\ntransaction is in the block.\n\nAdditionally with UTXO commitments in case a) the user can keep up to\ndate with the chain tip and request from the full node a merkle path\nin the UTXO commitment to show that the coin is still unspent.\n(Otherwise you get long range attacks where someone can grind away\nuntil they belatedly find a PoW on an old low hashrate block with UTXO\nand fool an SPV node they know the address for into accepting a spend\nof something long spent).\n\nAbout privacy the node can make different random connections to\ndifferent nodes to fetch addresses. Nothing is leaked by downloading\nthe bloom filter. Scanning happens locally. The full node cant\ncorrelate the addresses as belonging to the same person by correlating\nthe download requests for them, because they are made via different\nnodes. Its not a surprise nor privacy revealing that someone would\nwant to check receipt of the funds. The limit is the interactive\nnature of ToR which isnt very secure against pervasive monitoring.\nBut for basic full-node passive attack resistant privacy pretty good.\n\nContrast with increasing the false positive on bloom queries: here the\nfull node can test correlation (modulo the false positive ratio) and\ncombine that with network flow analysis to narrow down who the user\nmight be. Plus query size and privacy are in conflict. Plus the\nquery size has to be continually retuned to even create a reliable\nfalse positive rate relative to the current UTXO set. Is that is even\nhappening now (other than parameter sets)?\n\nAbout the bitmap:\n\n\u003eGreg Maxwell wrote:\n\u003e\u003e there is a scriptpubkey bitmap per block\n\u003e\u003e which is committed. Users can request the map, and be SPV confident\n\u003e\u003e that they received a faithful one. If there are hits, they can request\n\u003e\u003e the block and be confident there was no censoring.\n\nhow does the SPV client know what the bits in this map mean to scan?\nI presume these would be one bit per address and one would need to\nknow the full UTXO set in order to know whats in there. I am not sure\nan SPV node would want the hit of keeping up to date with the full\nUTXO set?\n\ns/address/scriptpubkey for accuracy)\n\nAdam\n\nOn 20 February 2015 at 19:03, Mike Hearn \u003cmike at plan99.net\u003e wrote:\n\u003e\u003e It's a straight forward idea: there is a scriptpubkey bitmap per block\n\u003e\u003e which is committed. Users can request the map, and be SPV confident\n\u003e\u003e that they received a faithful one. If there are hits, they can request\n\u003e\u003e the block and be confident there was no censoring.\n\u003e\n\u003e\n\u003e OK, I see now, thanks Gregory. You're right, the use of UTXO set in that\n\u003e context was confusing me.\n\u003e\n\u003e If I go back to when we first did Bloom filtering and imagine the same\n\u003e proposal being made, I guess I would have been wondering about the following\n\u003e issues. Perhaps they have solutions:\n\u003e\n\u003e 1. Miners have to upgrade to generate the per-block filters. Any block that\n\u003e doesn't have such a filter has to be downloaded in full, still. So it would\n\u003e have taken quite a while for the bandwidth savings to materialise.\n\u003e\n\u003e 2. If checking the filter isn't a consensus rule, any miner who builds a\n\u003e wrong filter breaks the entire SPV userbase. With per-node filtering, a\n\u003e malicious or wrong node breaks an individual sync, but if the wallet user\n\u003e notices they don't seem to be properly synchronised they can just press\n\u003e \"Rescan chain\" and most likely get fixed. In practice broken nodes have\n\u003e never been reported, but it's worth considering.\n\u003e\n\u003e 3. Downloading full blocks is still a lot of data. If you have a wallet that\n\u003e receives tips a couple of times per day, and you open your wallet once per\n\u003e week, then with 1mb blocks you would be downloading ~14mb of data each time.\n\u003e Pretty pokey even on a desktop. Much sadness if you're on mobile.\n\u003e\n\u003e 4. Header size is constant, but per-block filters wouldn't be. So even the\n\u003e null sync would download more data as the network got busier. Of course\n\u003e Bloom filtering has the same scaling problem, but only between hard disk -\u003e\n\u003e RAM -\u003e CPU rather than across the network.\n\u003e\n\u003e 5. Is it really more private? Imagine we see a hit in block 100, so we\n\u003e download the full block and find our transaction. But now we must also learn\n\u003e when that transaction is spent, so we can keep the wallet-local UTXO set up\n\u003e to date. So we scan forward and see another hit in block 105, so now we\n\u003e download block 105. The remote node can now select all transactions in block\n\u003e 105 that spend transactions in block 100 and narrow down which txs are ours.\n\u003e If we are watching a wallet that does multi-sends then it feels like this\n\u003e problem gets much worse.\n\u003e\n\u003e\n\u003e\n\u003e I'd really like to find a solution that has O(1) scaling on sync. If we see\n\u003e nodes just as sources of UTXO data then shovelling the client (tx, existing\n\u003e merkle path) pairs keyed off script prefixes would (with one additional\n\u003e index) be O(1) and provide the same security guarantees as Bloom filtering\n\u003e today. It creates lots of other problems to solve, but at least it would\n\u003e scale into the forseeable future.\n\u003e\n\u003e",
"sig": "88dd765940de9669e1350e3e9ee1bab6eca76cb032c57bd79bdd1e9a1ed4ece215e7dde4677aa2bf91b3f9372698c9b9281697ed7711d7d03f94d4805752c541"
}