Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Ruben Somsen <rsomsen@gmail•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Improving SPV security with PoW fraud proofs
Date: Thu, 18 Apr 2019 16:55:10 +0000	[thread overview]
Message-ID: <-tCD0qh97dAiz-VGkDQTwSbSQIm9cLF1kOzaWCnUDTI4dKdsmMgHJsGDntQhABZdE2_yBYpPAAdulm8EpdNxOB8o3lI6ZQJBJZWF1INzUrE=@protonmail.com> (raw)
In-Reply-To: <CAPv7TjYspkc1M=TKmBK8k0Zy857=bR7jSTarRDCr_5m2ktYHDQ@mail.gmail.com>

Good morning Ruben,


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 18, 2019 9:44 PM, Ruben Somsen via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:

> Simplified-Payment-Verification (SPV) is secure under the assumption
> that the chain with the most Proof-of-Work (PoW) is valid. As many
> have pointed out before, and attacks like Segwit2x have shown, this is
> not a safe assumption. What I propose below improves this assumption
> -- invalid blocks will be rejected as long as there are enough honest
> miners to create a block within a reasonable time frame. This still
> doesn’t fully inoculate SPV clients against dishonest miners, but is a
> clear improvement over regular SPV (and compatible with the privacy
> improvements of BIP157[0]).
>
> The idea is that a fork is an indication of potential misbehavior --
> its block header can serve as a PoW fraud proof. Conversely, the lack
> of a fork is an indication that a block is valid. If a fork is created
> from a block at height N, this means a subset of miners may disagree
> on the validity of block N+1. If SPV clients download and verify this
> block, they can judge for themselves whether or not the chain should
> be rejected. Of course it could simply be a natural fork, in which
> case we continue following the chain with the most PoW.

I presume you mean a chain split?

>
> The way Bitcoin currently works, it is impossible to verify the
> validity of block N+1 without knowing the UTXO set at block N, even if
> you are willing to assume that block N (and everything before it) is
> valid. This would change with the introduction of UTXO set
> commitments, allowing block N+1 to be validated by verifying whether
> its inputs are present in the UTXO set that was committed to in block
> N. An open question is whether a similar result can be achieved
> without a soft fork that commits to the UTXO set[0][1].
>
> If an invalid block is created and only 10% of the miners are honest,
> on average it would take 100 minutes for a valid block to appear.
> During this time, the SPV client will be following the invalid chain
> and see roughly 9 confirmations before the chain gets rejected. It may
> therefore be prudent to wait for a number of confirmations that
> corresponds to the time it may take for the conservative percentage of
> miners that you think may behave honestly to create a block (including
> variance).

I suppose a minority miner that wants to disrupt the network could simply create a *valid* block at block N+1 and deliberately ignore every other valid block at N+1, N+2, N+3 etc. that it did not create itself.
If this minority miner has > 10% of network hashrate, then the rule of thumb above would, on average, give it the ability to disrupt the SPV-using network.

>10% of network hashrate to disrupt the SPV-using nodes would be a rather low bar to disruption.
Consider that SPV-using nodes would be disrupted, without this rule, only by >50% network hashrate.

It is helpful to consider that every rule you impose is potentially a loophole by which a new attack is possible.

Regards,
ZmnSCPxj

next prev parent reply	other threads:[~2019-04-18 16:55 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-15  6:37 Ruben Somsen
2019-04-18 16:55 ` ZmnSCPxj [this message]
2019-04-18 20:12   ` Ethan Heilman
2019-04-19  0:25     ` ZmnSCPxj
2019-04-19  1:13       ` Ethan Heilman
2019-04-19  2:53         ` ZmnSCPxj
2019-04-19  3:21           ` Ethan Heilman
2019-04-19  4:48             ` ZmnSCPxj
2019-04-19 13:23               ` Ruben Somsen
2019-04-20  1:59                 ` ZmnSCPxj
2019-04-20  3:26                   ` Ruben Somsen
2019-04-20  4:45                     ` ZmnSCPxj
2019-04-21  9:13                       ` Ruben Somsen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='-tCD0qh97dAiz-VGkDQTwSbSQIm9cLF1kOzaWCnUDTI4dKdsmMgHJsGDntQhABZdE2_yBYpPAAdulm8EpdNxOB8o3lI6ZQJBJZWF1INzUrE=@protonmail.com' \
    --to=zmnscpxj@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=rsomsen@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox