* [bitcoin-dev] assumeutxo and UTXO snapshots [not found] <mailman.2593.1554248572.29810.bitcoin-dev@lists.linuxfoundation.org> @ 2019-04-03 7:51 ` Nicolas Dorier 2019-04-04 10:27 ` Kulpreet Singh 0 siblings, 1 reply; 18+ messages in thread From: Nicolas Dorier @ 2019-04-03 7:51 UTC (permalink / raw) To: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 19524 bytes --] James, You might be interested by my work which is currently used in production, without any change to bitcoin core. I properly explain how to verify the utxoset independently. https://github.com/btcpayserver/btcpayserver-docker/blob/master/contrib/FastSync/README.md People are using it, since I get around 10 download a day. What can be done to help at Bitcoin Core level is actually very minimal. First, instead of asking signers of by UTXOSet to sign the utxoset hash from gettxoutsetinfo, I ask them to sign the hash of the tarball of my UTXO Set. The reason is that it is currently impossible to stop BitcoinD on a specific block then asking the serialized hash of the UTXO Set. So instead, a verifier download the tarball (300 blocks + utxoset at specific height), sync to the latest block, then compare the gettxoutsetinfo of the newly synched node with another trusted node. If it match, the verifier sign the tarball. I create a new utxoset snapshot every 6 months, so people have time to verify it and add their signatures. (Approximately once every bitcoin core release) The easiest thing that could be done at Bitcoin Core level does not require any code change, but a change in the release process. The new process would be to ask to the gitian signers to not only build the source themselves, but also verify a tarball following the procedure I explain in the link above. More complicated solution like signing the serialized utxoset itself, while possible, would require bothersome code changes. Nicolas, On Wed, Apr 3, 2019 at 9:25 AM < bitcoin-dev-request@lists•linuxfoundation.org> wrote: > Send bitcoin-dev mailing list submissions to > bitcoin-dev@lists•linuxfoundation.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > or, via email, send a message with subject or body 'help' to > bitcoin-dev-request@lists•linuxfoundation.org > > You can reach the person managing the list at > bitcoin-dev-owner@lists•linuxfoundation.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of bitcoin-dev digest..." > > > Today's Topics: > > 1. BIP: Bitcoin Integrated Address Feature? (nathanw@tutanota•com) > 2. Re: BIP: Bitcoin Integrated Address Feature? (htimSxelA) > 3. assumeutxo and UTXO snapshots (James O'Beirne) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 2 Apr 2019 18:53:11 +0200 (CEST) > From: <nathanw@tutanota•com> > To: <bitcoin-dev@lists•linuxfoundation.org> > Subject: [bitcoin-dev] BIP: Bitcoin Integrated Address Feature? > Message-ID: <LbTxyE4--3-1@tutanota•com> > Content-Type: text/plain; charset="utf-8" > > To whom it may concern, > > I believe a missing feature in Bitcoin is the ability to have an > "integrated address", where the address resolves into a Bitcoin address, > and also a transaction message or some other kind of identifier. > > By having this feature we could enhance the security of exchange > cold-wallet systems, by allowing them to easily receive all payments to a > single address from an infinite number of customers. We would also greatly > simplify the process of setting up and managing exchange cold-wallet > systems, because we would eliminate the "sweeping" step required to move > multiple customer deposits from a hot address into a single cold address. > > Although it would be nice to have all customers deposit directly into cold > addresses, this quickly becomes impractical when large amounts of customers > begin to use exchange wallets as their personal web-wallet, frequently > depositing and withdrawing without trading action. You end up needing to > have a staff member moving funds away from cold deposit addresses as a full > time job - if you wish to handle customer funds in a completely secure > manner. > > Thus we see that most exchanges now use the hot-deposit system, where > customers deposit into a hot address that is then automatically swept into > a singular cold address, by a service which holds customers private keys > online. You can observe this service at work simply by making a deposit to > most major exchanges (including the largest exchange Binance), as you will > see the funds quickly being "swept" to their cold wallet address in a > manner which heavily suggests automation by a program which possesses > private keys to the address you are sending funds to. This means there is > always the danger of a sophisticated hacker being able to capture private > keys to customer deposit addresses (as they are clearly being held online). > An integrated address would allow all exchanges using this automated > hot-deposit service to easily switch to a far more secure alternative of > having all customers depositing directly into their singular cold wallet > address. > > There are several other more minor advantages such a feature would have, > including: > - Lower fees for exchanges (which could be passed onto customers), by > reducing a transaction step out of the deposit-to-withdrawal flow. > - Less need for large rescans after loading huge amounts of customer > addresses into client software. > - Exchanges can more easily provision deposit addresses to new customers > in a secure manner, by simply generating a hex or other value, creating an > integrated address from the cold wallet address, and then providing this to > the customer. > - By providing a singular cold address for exchanges publicly, customers > can more easily verify that no man-in-the-middle has given them an > incorrect address to deposit to. > The integrated address could work by combining the Bitcoin address > together with some kind of hex or other value, allowing users to choose the > amount they wish to deposit themselves, but ensuring their deposits are > uniquely trackable. > > I'm not sure if some kind of functionality already exists in BTC, as I > haven't been able to find it. If not, can I submit a proposal to implement > this? This feature would be a godsend to all exchange developers if it was > widely accepted. > > Thanks for your time. > Regards, > > Nathan Worsley > CTO - LocalCoinSwap.Com > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190402/400c1e1b/attachment-0001.html > > > > ------------------------------ > > Message: 2 > Date: Tue, 02 Apr 2019 20:01:34 +0000 > From: htimSxelA <htimsxela@protonmail•com> > To: "nathanw@tutanota•com" <nathanw@tutanota•com>, Bitcoin Protocol > Discussion <bitcoin-dev@lists•linuxfoundation.org> > Subject: Re: [bitcoin-dev] BIP: Bitcoin Integrated Address Feature? > Message-ID: > > <wtbAF1FAGePDAkY3xkqANuFJtAhEXvz0JeGWnc_OZcGEyFQb-1B590I3IbwtW2FBivur0yONbSQtxaWqiQTJeoDdadivtbGkWwJnLnnzQQE=@ > protonmail.com> > > Content-Type: text/plain; charset="utf-8" > > Hello, > > I see two immediate issues with this: > 1. Increased resource requirements per transaction > 2. Embedding identifying information into the blockchain is generally bad > for privacy > > It may help your case to provide some technical details of how you'd like > to see this implemented, but without overcoming the issues mentioned above > I think this proposal will be a very tough sell. > > > ...this quickly becomes impractical when large amounts of customers > begin to use exchange wallets as their personal web-wallet, frequently > depositing and withdrawing without trading action. You end up needing to > have a staff member moving funds away from cold deposit addresses as a full > time job - if you wish to handle customer funds in a completely secure > manner. > > I am not sure if I see how this issue is solved by your proposal. > Assumedly, a human will still need to manually approve cold-wallet > withdrawals in order to maintain security. So it seems to me that removing > the 'hot-wallet' component of the backend would only amplify the need for > human interaction. > > I assume you are familiar with hierarchical deterministic wallets? They > can allow an exchange to assign/identify user deposits based on address > derivation path. Keys for deposit addresses can be kept offline if wanted, > and a proper implementation of an HD wallet system should also remove the > need for rescans of user deposit addresses. > > There is also a functionality built into Bitcoin that allows a user to > prove that they own the private keys to some address: signing an agreed > upon message using the private key that controls that address. > Unfortunately I don't think this is a workable solution for you, since the > majority of modern wallet software does not include this feature-- but > perhaps worth mentioning nonetheless. > > Best, > Alex > > ??????? Original Message ??????? > On Tuesday, April 2, 2019 9:53 AM, Nathan Worsley via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > > > To whom it may concern, > > > > I believe a missing feature in Bitcoin is the ability to have an > "integrated address", where the address resolves into a Bitcoin address, > and also a transaction message or some other kind of identifier. > > > > By having this feature we could enhance the security of exchange > cold-wallet systems, by allowing them to easily receive all payments to a > single address from an infinite number of customers. We would also greatly > simplify the process of setting up and managing exchange cold-wallet > systems, because we would eliminate the "sweeping" step required to move > multiple customer deposits from a hot address into a single cold address. > > > > Although it would be nice to have all customers deposit directly into > cold addresses, this quickly becomes impractical when large amounts of > customers begin to use exchange wallets as their personal web-wallet, > frequently depositing and withdrawing without trading action. You end up > needing to have a staff member moving funds away from cold deposit > addresses as a full time job - if you wish to handle customer funds in a > completely secure manner. > > > > Thus we see that most exchanges now use the hot-deposit system, where > customers deposit into a hot address that is then automatically swept into > a singular cold address, by a service which holds customers private keys > online. You can observe this service at work simply by making a deposit to > most major exchanges (including the largest exchange Binance), as you will > see the funds quickly being "swept" to their cold wallet address in a > manner which heavily suggests automation by a program which possesses > private keys to the address you are sending funds to. This means there is > always the danger of a sophisticated hacker being able to capture private > keys to customer deposit addresses (as they are clearly being held online). > An integrated address would allow all exchanges using this automated > hot-deposit service to easily switch to a far more secure alternative of > having all customers depositing directly into their singular cold wallet > address. > > > > There are several other more minor advantages such a feature would have, > including: > > - Lower fees for exchanges (which could be passed onto customers), by > reducing a transaction step out of the deposit-to-withdrawal flow. > > - Less need for large rescans after loading huge amounts of customer > addresses into client software. > > - Exchanges can more easily provision deposit addresses to new customers > in a secure manner, by simply generating a hex or other value, creating an > integrated address from the cold wallet address, and then providing this to > the customer. > > - By providing a singular cold address for exchanges publicly, customers > can more easily verify that no man-in-the-middle has given them an > incorrect address to deposit to. > > > > The integrated address could work by combining the Bitcoin address > together with some kind of hex or other value, allowing users to choose the > amount they wish to deposit themselves, but ensuring their deposits are > uniquely trackable. > > > > I'm not sure if some kind of functionality already exists in BTC, as I > haven't been able to find it. If not, can I submit a proposal to implement > this? This feature would be a godsend to all exchange developers if it was > widely accepted. > > > > Thanks for your time. > > > > Regards, > > > > Nathan Worsley > > CTO - LocalCoinSwap.Com > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190402/ade34235/attachment-0001.html > > > > ------------------------------ > > Message: 3 > Date: Tue, 2 Apr 2019 16:43:11 -0400 > From: "James O'Beirne" <james.obeirne@gmail•com> > To: bitcoin-dev@lists•linuxfoundation.org > Subject: [bitcoin-dev] assumeutxo and UTXO snapshots > Message-ID: > <CAPfvXf+JS6ZhXUieWVxiaNa4uhhWwafCk3odMKy5F_yi= > XwngA@mail•gmail.com> > Content-Type: text/plain; charset="utf-8" > > Hi, > > I'd like to discuss assumeutxo, which is an appealing and simple > optimization in the spirit of assumevalid[0]. > > # Motivation > > To start a fully validating bitcoin client from scratch, that client > currently > needs to perform an initial block download. To the surprise of no one, IBD > takes a linear amount time based on the length of the chain's history. For > clients running on modest hardware under limited bandwidth constraints, > say a mobile device, completing IBD takes a considerable amount of time > and thus poses serious usability challenges. > > As a result, having fully validating clients run on such hardware is rare > and > basically unrealistic. Clients with even moderate resource constraints > are encouraged to rely on the SPV trust model. Though we have promising > improvements to existing SPV modes pending deployment[1], it's worth > thinking about a mechanism that would allow such clients to use trust > models closer to full validation. > > The subject of this mail is a proposal for a complementary alternative to > SPV > modes, and which is in the spirit of an existing default, `assumevalid`. It > may > help modest clients transact under a security model that closely resembles > full validation within minutes instead of hours or days. > > # assumeutxo > > The basic idea is to allow nodes to initialize using a serialized version > of the > UTXO set rendered by another node at some predetermined height. The > initializing node syncs the headers chain from the network, then obtains > and > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO > set > bundled with the block header indicating its "base" and some other > metadata). > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > download of the 3.2GB snapshot[2]. > > The node then syncs to the network tip and afterwards begins a simultaneous > background validation (i.e., a conventional IBD) up to the base height of > the > snapshot in order to achieve full validation. Crucially, even while the > background validation is happening the node can validate incoming blocks > and > transact with the benefit of the full (assumed-valid) UTXO set. > > Snapshots could be obtained from multiple separate peers in the same manner > as > block download, but I haven't put much thought into this. In concept it > doesn't > matter too much where the snapshots come from since their validity is > determined via content hash. > > # Security > > Obviously there are some security implications due consideration. While > this > proposal is in the spirit of assumevalid, practical attacks may become > easier. > Under assumevalid, a user can be tricked into transacting under a false > history > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > parameter, sybils their node, and then feeds them a bogus chain > encompassing > all of the hard-coded checkpoints[3]. > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, > the attacker need not construct a valid PoW chain to get the victim's node > into > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > parameter and then supply them an easily made UTXO snapshot containing, > say, a > false coin assignment. > > For this reason, I recommend that if we were to implement assumeutxo, we > not > allow its specification via commandline argument[4]. > > Beyond this risk, I can't think of material differences in security > relative to > assumevalid, though I appeal to the list for help with this. > > # More fully validating clients > > A particularly exciting use-case for assumeutxo is the possibility of > mobile > devices functioning as fully validating nodes with access to the complete > UTXO > set (as an alternative to SPV models). The total resource burden needed to > start a node > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > + blocks_to_tip * 4MB) download and a few minutes of processing time, which > sounds > manageable for many mobile devices currently in use. > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, > transact immediately, and complete a pruned full validation of their > assumed-valid chain over the next few days, perhaps only doing the > background > IBD when their device has access to suitable high-bandwidth connections. > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > the road, it's easy to imagine an analogous process that would allow very > fast > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > --- > > I've created a related issue at our Github repository here: > https://github.com/bitcoin/bitcoin/issues/15605 > > and have submitted a draft implementation of snapshot usage via RPC here: > https://github.com/bitcoin/bitcoin/pull/15606 > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > plans for deployment steps should be discussed in the Github issue, and > after all > that my implementation may be reviewed as a sketch of the specific software > changes necessary. > > Regards, > James > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ > 2.10GHz > [3]: > > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > [4]: Marco Falke is due credit for this point > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190402/46b25dd8/attachment.html > > > > ------------------------------ > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > End of bitcoin-dev Digest, Vol 47, Issue 6 > ****************************************** > [-- Attachment #2: Type: text/html, Size: 23951 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 7:51 ` [bitcoin-dev] assumeutxo and UTXO snapshots Nicolas Dorier @ 2019-04-04 10:27 ` Kulpreet Singh 0 siblings, 0 replies; 18+ messages in thread From: Kulpreet Singh @ 2019-04-04 10:27 UTC (permalink / raw) To: Nicolas Dorier, Bitcoin Protocol Discussion Hi Nicolas, I have a small question about FastSync. Would it make sense to validate all blocks once FastSync is complete and BTCPayServer has started accepting payments? I am aware this will require changes to bitcoind. So this is just an academic question to figure if there are problems with such an approach, especially for merchants accepting payments who want to get started immediately and still want to stay on a Raspberry PI. Phase 1: FastSync from trusted UTXO set and start accepting payments. Phase 2: Validate the entire blockchain - this will take X days on Raspberry PI - but at least in in the end you can fully trust your own node. In this phase, you'd do IBD, but instead of writing to db, just verify that the validated block matches the on the the db and move on. It is a pity leveldb doesn't allow multiple processes to open the db. If so, phase 2 could have been a different process altogether as well. Regards Kulpreet On Wed, 3 Apr 2019 at 21:23, Nicolas Dorier via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote: > > James, > > You might be interested by my work which is currently used in production, without any change to bitcoin core. > > I properly explain how to verify the utxoset independently. > > https://github.com/btcpayserver/btcpayserver-docker/blob/master/contrib/FastSync/README.md > > People are using it, since I get around 10 download a day. > What can be done to help at Bitcoin Core level is actually very minimal. > > First, instead of asking signers of by UTXOSet to sign the utxoset hash from gettxoutsetinfo, I ask them to sign the hash of the tarball of my UTXO Set. > > The reason is that it is currently impossible to stop BitcoinD on a specific block then asking the serialized hash of the UTXO Set. > > So instead, a verifier download the tarball (300 blocks + utxoset at specific height), sync to the latest block, then compare the gettxoutsetinfo of the newly synched node with another trusted node. If it match, the verifier sign the tarball. > > I create a new utxoset snapshot every 6 months, so people have time to verify it and add their signatures. (Approximately once every bitcoin core release) > > The easiest thing that could be done at Bitcoin Core level does not require any code change, but a change in the release process. > > The new process would be to ask to the gitian signers to not only build the source themselves, but also verify a tarball following the procedure I explain in the link above. > > More complicated solution like signing the serialized utxoset itself, while possible, would require bothersome code changes. > > Nicolas, > > On Wed, Apr 3, 2019 at 9:25 AM <bitcoin-dev-request@lists•linuxfoundation.org> wrote: >> >> Send bitcoin-dev mailing list submissions to >> bitcoin-dev@lists•linuxfoundation.org >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> or, via email, send a message with subject or body 'help' to >> bitcoin-dev-request@lists•linuxfoundation.org >> >> You can reach the person managing the list at >> bitcoin-dev-owner@lists•linuxfoundation.org >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of bitcoin-dev digest..." >> >> >> Today's Topics: >> >> 1. BIP: Bitcoin Integrated Address Feature? (nathanw@tutanota•com) >> 2. Re: BIP: Bitcoin Integrated Address Feature? (htimSxelA) >> 3. assumeutxo and UTXO snapshots (James O'Beirne) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Tue, 2 Apr 2019 18:53:11 +0200 (CEST) >> From: <nathanw@tutanota•com> >> To: <bitcoin-dev@lists•linuxfoundation.org> >> Subject: [bitcoin-dev] BIP: Bitcoin Integrated Address Feature? >> Message-ID: <LbTxyE4--3-1@tutanota•com> >> Content-Type: text/plain; charset="utf-8" >> >> To whom it may concern, >> >> I believe a missing feature in Bitcoin is the ability to have an "integrated address", where the address resolves into a Bitcoin address, and also a transaction message or some other kind of identifier. >> >> By having this feature we could enhance the security of exchange cold-wallet systems, by allowing them to easily receive all payments to a single address from an infinite number of customers. We would also greatly simplify the process of setting up and managing exchange cold-wallet systems, because we would eliminate the "sweeping" step required to move multiple customer deposits from a hot address into a single cold address. >> >> Although it would be nice to have all customers deposit directly into cold addresses, this quickly becomes impractical when large amounts of customers begin to use exchange wallets as their personal web-wallet, frequently depositing and withdrawing without trading action. You end up needing to have a staff member moving funds away from cold deposit addresses as a full time job - if you wish to handle customer funds in a completely secure manner. >> >> Thus we see that most exchanges now use the hot-deposit system, where customers deposit into a hot address that is then automatically swept into a singular cold address, by a service which holds customers private keys online. You can observe this service at work simply by making a deposit to most major exchanges (including the largest exchange Binance), as you will see the funds quickly being "swept" to their cold wallet address in a manner which heavily suggests automation by a program which possesses private keys to the address you are sending funds to. This means there is always the danger of a sophisticated hacker being able to capture private keys to customer deposit addresses (as they are clearly being held online). An integrated address would allow all exchanges using this automated hot-deposit service to easily switch to a far more secure alternative of having all customers depositing directly into their singular cold wallet address. >> >> There are several other more minor advantages such a feature would have, including: >> - Lower fees for exchanges (which could be passed onto customers), by reducing a transaction step out of the deposit-to-withdrawal flow. >> - Less need for large rescans after loading huge amounts of customer addresses into client software. >> - Exchanges can more easily provision deposit addresses to new customers in a secure manner, by simply generating a hex or other value, creating an integrated address from the cold wallet address, and then providing this to the customer. >> - By providing a singular cold address for exchanges publicly, customers can more easily verify that no man-in-the-middle has given them an incorrect address to deposit to. >> The integrated address could work by combining the Bitcoin address together with some kind of hex or other value, allowing users to choose the amount they wish to deposit themselves, but ensuring their deposits are uniquely trackable. >> >> I'm not sure if some kind of functionality already exists in BTC, as I haven't been able to find it. If not, can I submit a proposal to implement this? This feature would be a godsend to all exchange developers if it was widely accepted. >> >> Thanks for your time. >> Regards, >> >> Nathan Worsley >> CTO - LocalCoinSwap.Com >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190402/400c1e1b/attachment-0001.html> >> >> ------------------------------ >> >> Message: 2 >> Date: Tue, 02 Apr 2019 20:01:34 +0000 >> From: htimSxelA <htimsxela@protonmail•com> >> To: "nathanw@tutanota•com" <nathanw@tutanota•com>, Bitcoin Protocol >> Discussion <bitcoin-dev@lists•linuxfoundation.org> >> Subject: Re: [bitcoin-dev] BIP: Bitcoin Integrated Address Feature? >> Message-ID: >> <wtbAF1FAGePDAkY3xkqANuFJtAhEXvz0JeGWnc_OZcGEyFQb-1B590I3IbwtW2FBivur0yONbSQtxaWqiQTJeoDdadivtbGkWwJnLnnzQQE=@protonmail•com> >> >> Content-Type: text/plain; charset="utf-8" >> >> Hello, >> >> I see two immediate issues with this: >> 1. Increased resource requirements per transaction >> 2. Embedding identifying information into the blockchain is generally bad for privacy >> >> It may help your case to provide some technical details of how you'd like to see this implemented, but without overcoming the issues mentioned above I think this proposal will be a very tough sell. >> >> > ...this quickly becomes impractical when large amounts of customers begin to use exchange wallets as their personal web-wallet, frequently depositing and withdrawing without trading action. You end up needing to have a staff member moving funds away from cold deposit addresses as a full time job - if you wish to handle customer funds in a completely secure manner. >> >> I am not sure if I see how this issue is solved by your proposal. Assumedly, a human will still need to manually approve cold-wallet withdrawals in order to maintain security. So it seems to me that removing the 'hot-wallet' component of the backend would only amplify the need for human interaction. >> >> I assume you are familiar with hierarchical deterministic wallets? They can allow an exchange to assign/identify user deposits based on address derivation path. Keys for deposit addresses can be kept offline if wanted, and a proper implementation of an HD wallet system should also remove the need for rescans of user deposit addresses. >> >> There is also a functionality built into Bitcoin that allows a user to prove that they own the private keys to some address: signing an agreed upon message using the private key that controls that address. Unfortunately I don't think this is a workable solution for you, since the majority of modern wallet software does not include this feature-- but perhaps worth mentioning nonetheless. >> >> Best, >> Alex >> >> ??????? Original Message ??????? >> On Tuesday, April 2, 2019 9:53 AM, Nathan Worsley via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote: >> >> > To whom it may concern, >> > >> > I believe a missing feature in Bitcoin is the ability to have an "integrated address", where the address resolves into a Bitcoin address, and also a transaction message or some other kind of identifier. >> > >> > By having this feature we could enhance the security of exchange cold-wallet systems, by allowing them to easily receive all payments to a single address from an infinite number of customers. We would also greatly simplify the process of setting up and managing exchange cold-wallet systems, because we would eliminate the "sweeping" step required to move multiple customer deposits from a hot address into a single cold address. >> > >> > Although it would be nice to have all customers deposit directly into cold addresses, this quickly becomes impractical when large amounts of customers begin to use exchange wallets as their personal web-wallet, frequently depositing and withdrawing without trading action. You end up needing to have a staff member moving funds away from cold deposit addresses as a full time job - if you wish to handle customer funds in a completely secure manner. >> > >> > Thus we see that most exchanges now use the hot-deposit system, where customers deposit into a hot address that is then automatically swept into a singular cold address, by a service which holds customers private keys online. You can observe this service at work simply by making a deposit to most major exchanges (including the largest exchange Binance), as you will see the funds quickly being "swept" to their cold wallet address in a manner which heavily suggests automation by a program which possesses private keys to the address you are sending funds to. This means there is always the danger of a sophisticated hacker being able to capture private keys to customer deposit addresses (as they are clearly being held online). An integrated address would allow all exchanges using this automated hot-deposit service to easily switch to a far more secure alternative of having all customers depositing directly into their singular cold wallet address. >> > >> > There are several other more minor advantages such a feature would have, including: >> > - Lower fees for exchanges (which could be passed onto customers), by reducing a transaction step out of the deposit-to-withdrawal flow. >> > - Less need for large rescans after loading huge amounts of customer addresses into client software. >> > - Exchanges can more easily provision deposit addresses to new customers in a secure manner, by simply generating a hex or other value, creating an integrated address from the cold wallet address, and then providing this to the customer. >> > - By providing a singular cold address for exchanges publicly, customers can more easily verify that no man-in-the-middle has given them an incorrect address to deposit to. >> > >> > The integrated address could work by combining the Bitcoin address together with some kind of hex or other value, allowing users to choose the amount they wish to deposit themselves, but ensuring their deposits are uniquely trackable. >> > >> > I'm not sure if some kind of functionality already exists in BTC, as I haven't been able to find it. If not, can I submit a proposal to implement this? This feature would be a godsend to all exchange developers if it was widely accepted. >> > >> > Thanks for your time. >> > >> > Regards, >> > >> > Nathan Worsley >> > CTO - LocalCoinSwap.Com >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190402/ade34235/attachment-0001.html> >> >> ------------------------------ >> >> Message: 3 >> Date: Tue, 2 Apr 2019 16:43:11 -0400 >> From: "James O'Beirne" <james.obeirne@gmail•com> >> To: bitcoin-dev@lists•linuxfoundation.org >> Subject: [bitcoin-dev] assumeutxo and UTXO snapshots >> Message-ID: >> <CAPfvXf+JS6ZhXUieWVxiaNa4uhhWwafCk3odMKy5F_yi=XwngA@mail•gmail.com> >> Content-Type: text/plain; charset="utf-8" >> >> Hi, >> >> I'd like to discuss assumeutxo, which is an appealing and simple >> optimization in the spirit of assumevalid[0]. >> >> # Motivation >> >> To start a fully validating bitcoin client from scratch, that client >> currently >> needs to perform an initial block download. To the surprise of no one, IBD >> takes a linear amount time based on the length of the chain's history. For >> clients running on modest hardware under limited bandwidth constraints, >> say a mobile device, completing IBD takes a considerable amount of time >> and thus poses serious usability challenges. >> >> As a result, having fully validating clients run on such hardware is rare >> and >> basically unrealistic. Clients with even moderate resource constraints >> are encouraged to rely on the SPV trust model. Though we have promising >> improvements to existing SPV modes pending deployment[1], it's worth >> thinking about a mechanism that would allow such clients to use trust >> models closer to full validation. >> >> The subject of this mail is a proposal for a complementary alternative to >> SPV >> modes, and which is in the spirit of an existing default, `assumevalid`. It >> may >> help modest clients transact under a security model that closely resembles >> full validation within minutes instead of hours or days. >> >> # assumeutxo >> >> The basic idea is to allow nodes to initialize using a serialized version >> of the >> UTXO set rendered by another node at some predetermined height. The >> initializing node syncs the headers chain from the network, then obtains and >> loads one of these UTXO snapshots (i.e. a serialized version of the UTXO set >> bundled with the block header indicating its "base" and some other >> metadata). >> >> Based upon the snapshot, the node is able to quickly reconstruct its >> chainstate, >> and compares a hash of the resulting UTXO set to a preordained hash >> hard-coded >> in the software a la assumevalid. This all takes ~23 minutes, not >> accounting for >> download of the 3.2GB snapshot[2]. >> >> The node then syncs to the network tip and afterwards begins a simultaneous >> background validation (i.e., a conventional IBD) up to the base height of >> the >> snapshot in order to achieve full validation. Crucially, even while the >> background validation is happening the node can validate incoming blocks and >> transact with the benefit of the full (assumed-valid) UTXO set. >> >> Snapshots could be obtained from multiple separate peers in the same manner >> as >> block download, but I haven't put much thought into this. In concept it >> doesn't >> matter too much where the snapshots come from since their validity is >> determined via content hash. >> >> # Security >> >> Obviously there are some security implications due consideration. While this >> proposal is in the spirit of assumevalid, practical attacks may become >> easier. >> Under assumevalid, a user can be tricked into transacting under a false >> history >> if an attacker convinces them to start bitcoind with a malicious >> `-assumevalid` >> parameter, sybils their node, and then feeds them a bogus chain encompassing >> all of the hard-coded checkpoints[3]. >> >> The same attack is made easier in assumeutxo because, unlike in assumevalid, >> the attacker need not construct a valid PoW chain to get the victim's node >> into >> a false state; they simply need to get the user to accept a bad >> `-assumeutxo` >> parameter and then supply them an easily made UTXO snapshot containing, >> say, a >> false coin assignment. >> >> For this reason, I recommend that if we were to implement assumeutxo, we not >> allow its specification via commandline argument[4]. >> >> Beyond this risk, I can't think of material differences in security >> relative to >> assumevalid, though I appeal to the list for help with this. >> >> # More fully validating clients >> >> A particularly exciting use-case for assumeutxo is the possibility of mobile >> devices functioning as fully validating nodes with access to the complete >> UTXO >> set (as an alternative to SPV models). The total resource burden needed to >> start a node >> from scratch based on a snapshot is, at time of writing, a ~(3.2GB >> + blocks_to_tip * 4MB) download and a few minutes of processing time, which >> sounds >> manageable for many mobile devices currently in use. >> >> A mobile user could initialize an assumed-valid bitcoin node within an hour, >> transact immediately, and complete a pruned full validation of their >> assumed-valid chain over the next few days, perhaps only doing the >> background >> IBD when their device has access to suitable high-bandwidth connections. >> >> If we end up implementing an accumulator-based UTXO scaling design[5][6] >> down >> the road, it's easy to imagine an analogous process that would allow very >> fast >> startup using an accumulator of a few kilobytes in lieu of a multi-GB >> snapshot. >> >> --- >> >> I've created a related issue at our Github repository here: >> https://github.com/bitcoin/bitcoin/issues/15605 >> >> and have submitted a draft implementation of snapshot usage via RPC here: >> https://github.com/bitcoin/bitcoin/pull/15606 >> >> I'd like to discuss here whether this is a good fit for Bitcoin >> conceptually. Concrete >> plans for deployment steps should be discussed in the Github issue, and >> after all >> that my implementation may be reviewed as a sketch of the specific software >> changes necessary. >> >> Regards, >> James >> >> >> [0]: >> https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks >> [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki >> [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ >> 2.10GHz >> [3]: >> https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 >> [4]: Marco Falke is due credit for this point >> [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc >> [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 >> -------------- next part -------------- >> An HTML attachment was scrubbed... >> URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20190402/46b25dd8/attachment.html> >> >> ------------------------------ >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> >> >> End of bitcoin-dev Digest, Vol 47, Issue 6 >> ****************************************** > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ^ permalink raw reply [flat|nested] 18+ messages in thread
* [bitcoin-dev] assumeutxo and UTXO snapshots @ 2019-04-02 20:43 James O'Beirne 2019-04-03 6:37 ` Jonas Schnelli ` (4 more replies) 0 siblings, 5 replies; 18+ messages in thread From: James O'Beirne @ 2019-04-02 20:43 UTC (permalink / raw) To: bitcoin-dev [-- Attachment #1: Type: text/plain, Size: 5622 bytes --] Hi, I'd like to discuss assumeutxo, which is an appealing and simple optimization in the spirit of assumevalid[0]. # Motivation To start a fully validating bitcoin client from scratch, that client currently needs to perform an initial block download. To the surprise of no one, IBD takes a linear amount time based on the length of the chain's history. For clients running on modest hardware under limited bandwidth constraints, say a mobile device, completing IBD takes a considerable amount of time and thus poses serious usability challenges. As a result, having fully validating clients run on such hardware is rare and basically unrealistic. Clients with even moderate resource constraints are encouraged to rely on the SPV trust model. Though we have promising improvements to existing SPV modes pending deployment[1], it's worth thinking about a mechanism that would allow such clients to use trust models closer to full validation. The subject of this mail is a proposal for a complementary alternative to SPV modes, and which is in the spirit of an existing default, `assumevalid`. It may help modest clients transact under a security model that closely resembles full validation within minutes instead of hours or days. # assumeutxo The basic idea is to allow nodes to initialize using a serialized version of the UTXO set rendered by another node at some predetermined height. The initializing node syncs the headers chain from the network, then obtains and loads one of these UTXO snapshots (i.e. a serialized version of the UTXO set bundled with the block header indicating its "base" and some other metadata). Based upon the snapshot, the node is able to quickly reconstruct its chainstate, and compares a hash of the resulting UTXO set to a preordained hash hard-coded in the software a la assumevalid. This all takes ~23 minutes, not accounting for download of the 3.2GB snapshot[2]. The node then syncs to the network tip and afterwards begins a simultaneous background validation (i.e., a conventional IBD) up to the base height of the snapshot in order to achieve full validation. Crucially, even while the background validation is happening the node can validate incoming blocks and transact with the benefit of the full (assumed-valid) UTXO set. Snapshots could be obtained from multiple separate peers in the same manner as block download, but I haven't put much thought into this. In concept it doesn't matter too much where the snapshots come from since their validity is determined via content hash. # Security Obviously there are some security implications due consideration. While this proposal is in the spirit of assumevalid, practical attacks may become easier. Under assumevalid, a user can be tricked into transacting under a false history if an attacker convinces them to start bitcoind with a malicious `-assumevalid` parameter, sybils their node, and then feeds them a bogus chain encompassing all of the hard-coded checkpoints[3]. The same attack is made easier in assumeutxo because, unlike in assumevalid, the attacker need not construct a valid PoW chain to get the victim's node into a false state; they simply need to get the user to accept a bad `-assumeutxo` parameter and then supply them an easily made UTXO snapshot containing, say, a false coin assignment. For this reason, I recommend that if we were to implement assumeutxo, we not allow its specification via commandline argument[4]. Beyond this risk, I can't think of material differences in security relative to assumevalid, though I appeal to the list for help with this. # More fully validating clients A particularly exciting use-case for assumeutxo is the possibility of mobile devices functioning as fully validating nodes with access to the complete UTXO set (as an alternative to SPV models). The total resource burden needed to start a node from scratch based on a snapshot is, at time of writing, a ~(3.2GB + blocks_to_tip * 4MB) download and a few minutes of processing time, which sounds manageable for many mobile devices currently in use. A mobile user could initialize an assumed-valid bitcoin node within an hour, transact immediately, and complete a pruned full validation of their assumed-valid chain over the next few days, perhaps only doing the background IBD when their device has access to suitable high-bandwidth connections. If we end up implementing an accumulator-based UTXO scaling design[5][6] down the road, it's easy to imagine an analogous process that would allow very fast startup using an accumulator of a few kilobytes in lieu of a multi-GB snapshot. --- I've created a related issue at our Github repository here: https://github.com/bitcoin/bitcoin/issues/15605 and have submitted a draft implementation of snapshot usage via RPC here: https://github.com/bitcoin/bitcoin/pull/15606 I'd like to discuss here whether this is a good fit for Bitcoin conceptually. Concrete plans for deployment steps should be discussed in the Github issue, and after all that my implementation may be reviewed as a sketch of the specific software changes necessary. Regards, James [0]: https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ 2.10GHz [3]: https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 [4]: Marco Falke is due credit for this point [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 [-- Attachment #2: Type: text/html, Size: 7473 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-02 20:43 James O'Beirne @ 2019-04-03 6:37 ` Jonas Schnelli 2019-04-03 15:39 ` Ethan Scruples 2019-04-03 19:51 ` James O'Beirne 2019-04-03 9:55 ` Luke Dashjr ` (3 subsequent siblings) 4 siblings, 2 replies; 18+ messages in thread From: Jonas Schnelli @ 2019-04-03 6:37 UTC (permalink / raw) To: James O'Beirne, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 7462 bytes --] Thanks James for the post. I proposed a similar idea [1] back in 2016 with the difference of signing the UTXO-set hash in a gitian-ish way. While the idea of UTXO-set-syncs are attractive, there are probably still significant downsides in usability (compared to models with less security), mainly: * Assume the UTXO set is 6 weeks old (which seems a reasonable age for providing enough security) a peer using that snapshot would still require to download and verify ~6048 blocks (~7.9GB at 1.3MB blocks,… probably CPU-days on a phone) * Do we semi-trust the peer that servers the UTXO set (compared to a block or tx which we can validate)? What channel to we use to serve the snapshot? If the goal is to run a full node on a consumer device that is also been used for other CPU intense operations (like a phone, etc.), I’m not sure if this proposal will lead to a satisfactory user experience. The longer I think around this problem, the more I lean towards accepting the fact that one need to use dedicated hardware in his own environment to perform a painless full validation. /jonas [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012478.html > Am 02.04.2019 um 22:43 schrieb James O'Beirne via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org>: > > Hi, > > I'd like to discuss assumeutxo, which is an appealing and simple > optimization in the spirit of assumevalid[0]. > > # Motivation > > To start a fully validating bitcoin client from scratch, that client currently > needs to perform an initial block download. To the surprise of no one, IBD > takes a linear amount time based on the length of the chain's history. For > clients running on modest hardware under limited bandwidth constraints, > say a mobile device, completing IBD takes a considerable amount of time > and thus poses serious usability challenges. > > As a result, having fully validating clients run on such hardware is rare and > basically unrealistic. Clients with even moderate resource constraints > are encouraged to rely on the SPV trust model. Though we have promising > improvements to existing SPV modes pending deployment[1], it's worth > thinking about a mechanism that would allow such clients to use trust > models closer to full validation. > > The subject of this mail is a proposal for a complementary alternative to SPV > modes, and which is in the spirit of an existing default, `assumevalid`. It may > help modest clients transact under a security model that closely resembles > full validation within minutes instead of hours or days. > > # assumeutxo > > The basic idea is to allow nodes to initialize using a serialized version of the > UTXO set rendered by another node at some predetermined height. The > initializing node syncs the headers chain from the network, then obtains and > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO set > bundled with the block header indicating its "base" and some other metadata). > > Based upon the snapshot, the node is able to quickly reconstruct its chainstate, > and compares a hash of the resulting UTXO set to a preordained hash hard-coded > in the software a la assumevalid. This all takes ~23 minutes, not accounting for > download of the 3.2GB snapshot[2]. > > The node then syncs to the network tip and afterwards begins a simultaneous > background validation (i.e., a conventional IBD) up to the base height of the > snapshot in order to achieve full validation. Crucially, even while the > background validation is happening the node can validate incoming blocks and > transact with the benefit of the full (assumed-valid) UTXO set. > > Snapshots could be obtained from multiple separate peers in the same manner as > block download, but I haven't put much thought into this. In concept it doesn't > matter too much where the snapshots come from since their validity is > determined via content hash. > > # Security > > Obviously there are some security implications due consideration. While this > proposal is in the spirit of assumevalid, practical attacks may become easier. > Under assumevalid, a user can be tricked into transacting under a false history > if an attacker convinces them to start bitcoind with a malicious `-assumevalid` > parameter, sybils their node, and then feeds them a bogus chain encompassing > all of the hard-coded checkpoints[3]. > > The same attack is made easier in assumeutxo because, unlike in assumevalid, > the attacker need not construct a valid PoW chain to get the victim's node into > a false state; they simply need to get the user to accept a bad `-assumeutxo` > parameter and then supply them an easily made UTXO snapshot containing, say, a > false coin assignment. > > For this reason, I recommend that if we were to implement assumeutxo, we not > allow its specification via commandline argument[4]. > > Beyond this risk, I can't think of material differences in security relative to > assumevalid, though I appeal to the list for help with this. > > # More fully validating clients > > A particularly exciting use-case for assumeutxo is the possibility of mobile > devices functioning as fully validating nodes with access to the complete UTXO > set (as an alternative to SPV models). The total resource burden needed to start a node > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > + blocks_to_tip * 4MB) download and a few minutes of processing time, which sounds > manageable for many mobile devices currently in use. > > A mobile user could initialize an assumed-valid bitcoin node within an hour, > transact immediately, and complete a pruned full validation of their > assumed-valid chain over the next few days, perhaps only doing the background > IBD when their device has access to suitable high-bandwidth connections. > > If we end up implementing an accumulator-based UTXO scaling design[5][6] down > the road, it's easy to imagine an analogous process that would allow very fast > startup using an accumulator of a few kilobytes in lieu of a multi-GB snapshot. > > --- > > I've created a related issue at our Github repository here: > https://github.com/bitcoin/bitcoin/issues/15605 > > and have submitted a draft implementation of snapshot usage via RPC here: > https://github.com/bitcoin/bitcoin/pull/15606 > > I'd like to discuss here whether this is a good fit for Bitcoin conceptually. Concrete > plans for deployment steps should be discussed in the Github issue, and after all > that my implementation may be reviewed as a sketch of the specific software > changes necessary. > > Regards, > James > > > [0]: https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ 2.10GHz > [3]: https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > [4]: Marco Falke is due credit for this point > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev [-- Attachment #2: Message signed with OpenPGP --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 6:37 ` Jonas Schnelli @ 2019-04-03 15:39 ` Ethan Scruples 2019-04-03 21:39 ` Dave Scotese 2019-04-04 2:48 ` Luke Dashjr 2019-04-03 19:51 ` James O'Beirne 1 sibling, 2 replies; 18+ messages in thread From: Ethan Scruples @ 2019-04-03 15:39 UTC (permalink / raw) To: Jonas Schnelli, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 9752 bytes --] Jonas, If we can get mandatory UTXO commitments soft forked into Bitcoin, we get the advantage of a non-growing IBD, which I think everyone would agree is a benefit that, uh, grows over time. The thing I do not see people noticing is that we actually pay little to no security price for this benefit. To see this, consider Alice, who starts from a UTXO snapshot made at current height - 50,000 and Bob who validates from genesis. After her partial validation, Alice is satisfied that she is in possession of the UTXO set-- she is in consensus with the rest of the network peers. However, Bob realizes that there is actually an invalid block at current height - 50,001. Three things to notice: 1. This scenario essentially cannot happen. There is no way that the miners are going to stack 50,000 blocks on top of an invalid block without the economic majority abandoning the invalid chain. 2. If this scenario DOES happen, Bob has learned about it too late for it to matter to Bob. The blockchain Bob wants to be on is the one that everyone has been using for the last year, whether or not it is besmirched by an invalid block. 3. If this scenario DOES happen, and Bob DOES want to reject the last 50,000 mined blocks as invalid, he may discover to his dismay that in the 1 year since the invalid block, mischievous entities have enough time to mine equally weighted alternative histories from the Genesis block forward to the invalid block, meaning that Bob has no way to use POW to come to consensus with other Bobs out there. On Wed, Apr 3, 2019 at 3:33 AM Jonas Schnelli via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Thanks James for the post. > > I proposed a similar idea [1] back in 2016 with the difference of signing > the UTXO-set hash in a gitian-ish way. > > While the idea of UTXO-set-syncs are attractive, there are probably still > significant downsides in usability (compared to models with less security), > mainly: > * Assume the UTXO set is 6 weeks old (which seems a reasonable age for > providing enough security) a peer using that snapshot would still require > to download and verify ~6048 blocks (~7.9GB at 1.3MB blocks,… probably > CPU-days on a phone) > * Do we semi-trust the peer that servers the UTXO set (compared to a block > or tx which we can validate)? What channel to we use to serve the snapshot? > > If the goal is to run a full node on a consumer device that is also been > used for other CPU intense operations (like a phone, etc.), I’m not sure if > this proposal will lead to a satisfactory user experience. > > The longer I think around this problem, the more I lean towards accepting > the fact that one need to use dedicated hardware in his own environment to > perform a painless full validation. > > /jonas > > [1] > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012478.html > > > Am 02.04.2019 um 22:43 schrieb James O'Beirne via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org>: > > > > Hi, > > > > I'd like to discuss assumeutxo, which is an appealing and simple > > optimization in the spirit of assumevalid[0]. > > > > # Motivation > > > > To start a fully validating bitcoin client from scratch, that client > currently > > needs to perform an initial block download. To the surprise of no one, > IBD > > takes a linear amount time based on the length of the chain's history. > For > > clients running on modest hardware under limited bandwidth constraints, > > say a mobile device, completing IBD takes a considerable amount of time > > and thus poses serious usability challenges. > > > > As a result, having fully validating clients run on such hardware is > rare and > > basically unrealistic. Clients with even moderate resource constraints > > are encouraged to rely on the SPV trust model. Though we have promising > > improvements to existing SPV modes pending deployment[1], it's worth > > thinking about a mechanism that would allow such clients to use trust > > models closer to full validation. > > > > The subject of this mail is a proposal for a complementary alternative > to SPV > > modes, and which is in the spirit of an existing default, `assumevalid`. > It may > > help modest clients transact under a security model that closely > resembles > > full validation within minutes instead of hours or days. > > > > # assumeutxo > > > > The basic idea is to allow nodes to initialize using a serialized > version of the > > UTXO set rendered by another node at some predetermined height. The > > initializing node syncs the headers chain from the network, then obtains > and > > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO > set > > bundled with the block header indicating its "base" and some other > metadata). > > > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > > download of the 3.2GB snapshot[2]. > > > > The node then syncs to the network tip and afterwards begins a > simultaneous > > background validation (i.e., a conventional IBD) up to the base height > of the > > snapshot in order to achieve full validation. Crucially, even while the > > background validation is happening the node can validate incoming blocks > and > > transact with the benefit of the full (assumed-valid) UTXO set. > > > > Snapshots could be obtained from multiple separate peers in the same > manner as > > block download, but I haven't put much thought into this. In concept it > doesn't > > matter too much where the snapshots come from since their validity is > > determined via content hash. > > > > # Security > > > > Obviously there are some security implications due consideration. While > this > > proposal is in the spirit of assumevalid, practical attacks may become > easier. > > Under assumevalid, a user can be tricked into transacting under a false > history > > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > > parameter, sybils their node, and then feeds them a bogus chain > encompassing > > all of the hard-coded checkpoints[3]. > > > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, > > the attacker need not construct a valid PoW chain to get the victim's > node into > > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > > parameter and then supply them an easily made UTXO snapshot containing, > say, a > > false coin assignment. > > > > For this reason, I recommend that if we were to implement assumeutxo, we > not > > allow its specification via commandline argument[4]. > > > > Beyond this risk, I can't think of material differences in security > relative to > > assumevalid, though I appeal to the list for help with this. > > > > # More fully validating clients > > > > A particularly exciting use-case for assumeutxo is the possibility of > mobile > > devices functioning as fully validating nodes with access to the > complete UTXO > > set (as an alternative to SPV models). The total resource burden needed > to start a node > > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > > + blocks_to_tip * 4MB) download and a few minutes of processing time, > which sounds > > manageable for many mobile devices currently in use. > > > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, > > transact immediately, and complete a pruned full validation of their > > assumed-valid chain over the next few days, perhaps only doing the > background > > IBD when their device has access to suitable high-bandwidth connections. > > > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > > the road, it's easy to imagine an analogous process that would allow > very fast > > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > > > --- > > > > I've created a related issue at our Github repository here: > > https://github.com/bitcoin/bitcoin/issues/15605 > > > > and have submitted a draft implementation of snapshot usage via RPC here: > > https://github.com/bitcoin/bitcoin/pull/15606 > > > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > > plans for deployment steps should be discussed in the Github issue, and > after all > > that my implementation may be reviewed as a sketch of the specific > software > > changes necessary. > > > > Regards, > > James > > > > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU > @ 2.10GHz > > [3]: > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > > [4]: Marco Falke is due credit for this point > > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > > [6]: Boneh, Bunz, Fisch on accumulators: > https://eprint.iacr.org/2018/1188 > > > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists•linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 12059 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 15:39 ` Ethan Scruples @ 2019-04-03 21:39 ` Dave Scotese 2019-04-04 3:01 ` Luke Dashjr 2019-04-13 19:09 ` Peter Todd 2019-04-04 2:48 ` Luke Dashjr 1 sibling, 2 replies; 18+ messages in thread From: Dave Scotese @ 2019-04-03 21:39 UTC (permalink / raw) To: Ethan Scruples, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 12666 bytes --] Every block's hash is smaller than the difficulty at that time. Block 569927's hash was VERY small (started with 21 zeros). The ratio of block hash to difficulty requirement (0xffffffff - difficulty, I think) could be used to identify blocks as "special," thus providing the opportunity to popularize unimportant but memorable-and-therefore-useful details. How can they be useful if they are unimportant? They are useful for sanity checking. For example, if the drunken bishop walk (or some other popular randomart) produced by block 569927's hash looked like a face, that would be memorable: "The block with the smallest hash in 2019 (maybe ever?) looks like a face after the drunken bishop walk." If a few of these showed up each year, then Bob and/or Alice would have a good chance of seeing that something was wrong if and when they checked. It would not be surprising, given Ethan's assumption that the invalid block Bob found contributed to Alice's UTXOs, that at some point, the history one of them has would be missing the memorable things beginning at some block height because, clearly, one of them has been forked. Luke's comment that it could "lead to users trusting third parties (like developers) way too much" is pertinent too, but I think an honest abatement of that concern is impossible without teaching everyone C++. "Developers" as an open group (anyone can fork the github repo, find a problem, and make an issue) deserve the trust we put in them, and that's because they're accountable (any such error found in the repo will have been put there by someone). The same thing goes for making it possible to download (*not just the compiled software*, but) the entire UTXO Set if a commitment of it is hardcoded into the software, as James suggests. We all trust "developers" like that, and it's okay. No one holds the "ring of power." On Wed, Apr 3, 2019 at 8:39 AM Ethan Scruples via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Jonas, > > If we can get mandatory UTXO commitments soft forked into Bitcoin, we get > the advantage of a non-growing IBD, which I think everyone would agree is a > benefit that, uh, grows over time. The thing I do not see people noticing > is that we actually pay little to no security price for this benefit. > > To see this, consider Alice, who starts from a UTXO snapshot made at > current height - 50,000 and Bob who validates from genesis. > > After her partial validation, Alice is satisfied that she is in possession > of the UTXO set-- she is in consensus with the rest of the network peers. > > However, Bob realizes that there is actually an invalid block at current > height - 50,001. > > Three things to notice: > > 1. This scenario essentially cannot happen. There is no way that the > miners are going to stack 50,000 blocks on top of an invalid block without > the economic majority abandoning the invalid chain. > > 2. If this scenario DOES happen, Bob has learned about it too late for it > to matter to Bob. The blockchain Bob wants to be on is the one that > everyone has been using for the last year, whether or not it is besmirched > by an invalid block. > > 3. If this scenario DOES happen, and Bob DOES want to reject the last > 50,000 mined blocks as invalid, he may discover to his dismay that in the 1 > year since the invalid block, mischievous entities have enough time to mine > equally weighted alternative histories from the Genesis block forward to > the invalid block, meaning that Bob has no way to use POW to come to > consensus with other Bobs out there. > > On Wed, Apr 3, 2019 at 3:33 AM Jonas Schnelli via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> Thanks James for the post. >> >> I proposed a similar idea [1] back in 2016 with the difference of signing >> the UTXO-set hash in a gitian-ish way. >> >> While the idea of UTXO-set-syncs are attractive, there are probably still >> significant downsides in usability (compared to models with less security), >> mainly: >> * Assume the UTXO set is 6 weeks old (which seems a reasonable age for >> providing enough security) a peer using that snapshot would still require >> to download and verify ~6048 blocks (~7.9GB at 1.3MB blocks,… probably >> CPU-days on a phone) >> * Do we semi-trust the peer that servers the UTXO set (compared to a >> block or tx which we can validate)? What channel to we use to serve the >> snapshot? >> >> If the goal is to run a full node on a consumer device that is also been >> used for other CPU intense operations (like a phone, etc.), I’m not sure if >> this proposal will lead to a satisfactory user experience. >> >> The longer I think around this problem, the more I lean towards accepting >> the fact that one need to use dedicated hardware in his own environment to >> perform a painless full validation. >> >> /jonas >> >> [1] >> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012478.html >> >> > Am 02.04.2019 um 22:43 schrieb James O'Beirne via bitcoin-dev < >> bitcoin-dev@lists•linuxfoundation.org>: >> > >> > Hi, >> > >> > I'd like to discuss assumeutxo, which is an appealing and simple >> > optimization in the spirit of assumevalid[0]. >> > >> > # Motivation >> > >> > To start a fully validating bitcoin client from scratch, that client >> currently >> > needs to perform an initial block download. To the surprise of no one, >> IBD >> > takes a linear amount time based on the length of the chain's history. >> For >> > clients running on modest hardware under limited bandwidth constraints, >> > say a mobile device, completing IBD takes a considerable amount of time >> > and thus poses serious usability challenges. >> > >> > As a result, having fully validating clients run on such hardware is >> rare and >> > basically unrealistic. Clients with even moderate resource constraints >> > are encouraged to rely on the SPV trust model. Though we have promising >> > improvements to existing SPV modes pending deployment[1], it's worth >> > thinking about a mechanism that would allow such clients to use trust >> > models closer to full validation. >> > >> > The subject of this mail is a proposal for a complementary alternative >> to SPV >> > modes, and which is in the spirit of an existing default, >> `assumevalid`. It may >> > help modest clients transact under a security model that closely >> resembles >> > full validation within minutes instead of hours or days. >> > >> > # assumeutxo >> > >> > The basic idea is to allow nodes to initialize using a serialized >> version of the >> > UTXO set rendered by another node at some predetermined height. The >> > initializing node syncs the headers chain from the network, then >> obtains and >> > loads one of these UTXO snapshots (i.e. a serialized version of the >> UTXO set >> > bundled with the block header indicating its "base" and some other >> metadata). >> > >> > Based upon the snapshot, the node is able to quickly reconstruct its >> chainstate, >> > and compares a hash of the resulting UTXO set to a preordained hash >> hard-coded >> > in the software a la assumevalid. This all takes ~23 minutes, not >> accounting for >> > download of the 3.2GB snapshot[2]. >> > >> > The node then syncs to the network tip and afterwards begins a >> simultaneous >> > background validation (i.e., a conventional IBD) up to the base height >> of the >> > snapshot in order to achieve full validation. Crucially, even while the >> > background validation is happening the node can validate incoming >> blocks and >> > transact with the benefit of the full (assumed-valid) UTXO set. >> > >> > Snapshots could be obtained from multiple separate peers in the same >> manner as >> > block download, but I haven't put much thought into this. In concept it >> doesn't >> > matter too much where the snapshots come from since their validity is >> > determined via content hash. >> > >> > # Security >> > >> > Obviously there are some security implications due consideration. While >> this >> > proposal is in the spirit of assumevalid, practical attacks may become >> easier. >> > Under assumevalid, a user can be tricked into transacting under a false >> history >> > if an attacker convinces them to start bitcoind with a malicious >> `-assumevalid` >> > parameter, sybils their node, and then feeds them a bogus chain >> encompassing >> > all of the hard-coded checkpoints[3]. >> > >> > The same attack is made easier in assumeutxo because, unlike in >> assumevalid, >> > the attacker need not construct a valid PoW chain to get the victim's >> node into >> > a false state; they simply need to get the user to accept a bad >> `-assumeutxo` >> > parameter and then supply them an easily made UTXO snapshot containing, >> say, a >> > false coin assignment. >> > >> > For this reason, I recommend that if we were to implement assumeutxo, >> we not >> > allow its specification via commandline argument[4]. >> > >> > Beyond this risk, I can't think of material differences in security >> relative to >> > assumevalid, though I appeal to the list for help with this. >> > >> > # More fully validating clients >> > >> > A particularly exciting use-case for assumeutxo is the possibility of >> mobile >> > devices functioning as fully validating nodes with access to the >> complete UTXO >> > set (as an alternative to SPV models). The total resource burden needed >> to start a node >> > from scratch based on a snapshot is, at time of writing, a ~(3.2GB >> > + blocks_to_tip * 4MB) download and a few minutes of processing time, >> which sounds >> > manageable for many mobile devices currently in use. >> > >> > A mobile user could initialize an assumed-valid bitcoin node within an >> hour, >> > transact immediately, and complete a pruned full validation of their >> > assumed-valid chain over the next few days, perhaps only doing the >> background >> > IBD when their device has access to suitable high-bandwidth connections. >> > >> > If we end up implementing an accumulator-based UTXO scaling >> design[5][6] down >> > the road, it's easy to imagine an analogous process that would allow >> very fast >> > startup using an accumulator of a few kilobytes in lieu of a multi-GB >> snapshot. >> > >> > --- >> > >> > I've created a related issue at our Github repository here: >> > https://github.com/bitcoin/bitcoin/issues/15605 >> > >> > and have submitted a draft implementation of snapshot usage via RPC >> here: >> > https://github.com/bitcoin/bitcoin/pull/15606 >> > >> > I'd like to discuss here whether this is a good fit for Bitcoin >> conceptually. Concrete >> > plans for deployment steps should be discussed in the Github issue, and >> after all >> > that my implementation may be reviewed as a sketch of the specific >> software >> > changes necessary. >> > >> > Regards, >> > James >> > >> > >> > [0]: >> https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks >> > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki >> > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 >> CPU @ 2.10GHz >> > [3]: >> https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 >> > [4]: Marco Falke is due credit for this point >> > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc >> > [6]: Boneh, Bunz, Fisch on accumulators: >> https://eprint.iacr.org/2018/1188 >> > >> > _______________________________________________ >> > bitcoin-dev mailing list >> > bitcoin-dev@lists•linuxfoundation.org >> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > -- I like to provide some work at no charge to prove my value. Do you need a techie? I own Litmocracy <http://www.litmocracy.com> and Meme Racing <http://www.memeracing.net> (in alpha). I'm the webmaster for The Voluntaryist <http://www.voluntaryist.com> which now accepts Bitcoin. I also code for The Dollar Vigilante <http://dollarvigilante.com/>. "He ought to find it more profitable to play by the rules" - Satoshi Nakamoto [-- Attachment #2: Type: text/html, Size: 15585 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 21:39 ` Dave Scotese @ 2019-04-04 3:01 ` Luke Dashjr 2019-04-04 5:59 ` Jim Posen 2019-04-13 19:09 ` Peter Todd 1 sibling, 1 reply; 18+ messages in thread From: Luke Dashjr @ 2019-04-04 3:01 UTC (permalink / raw) To: bitcoin-dev, Dave Scotese On Wednesday 03 April 2019 21:39:32 Dave Scotese via bitcoin-dev wrote: > Luke's comment that it could "lead to users trusting third parties (like > developers) way too much" is pertinent too, but I think an honest abatement > of that concern is impossible without teaching everyone C++. Learning C++ is something within everyone's capability. Even people who do not wish to learn it can hire someone to perform review for them. > "Developers" > as an open group (anyone can fork the github repo, find a problem, and make > an issue) deserve the trust we put in them, and that's because they're > accountable (any such error found in the repo will have been put there by > someone). No, we are not. We explicitly disclaim any warranty, and do not want your trust. > The same thing goes for making it possible to download (*not > just the compiled software*, but) the entire UTXO Set if a commitment of it > is hardcoded into the software, as James suggests. Verifying a UTXO set commitment is impossible short of a real IBD. It's not even comparable. > We all trust > "developers" like that, and it's okay. No, it isn't okay. There are plenty of fiat options if you want a trust-based currency. Bitcoin is supposed to be something more than that. Luke ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-04 3:01 ` Luke Dashjr @ 2019-04-04 5:59 ` Jim Posen 2019-04-04 14:36 ` James O'Beirne 0 siblings, 1 reply; 18+ messages in thread From: Jim Posen @ 2019-04-04 5:59 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 340 bytes --] > > Learning C++ is something within everyone's capability. Even people who do > not > wish to learn it can hire someone to perform review for them. > Anyone with enough knowledge of C++ to audit the entire the Bitcoin Core codebase is more than capable of running it with assumeutxo disabled and checking the hard-coded vale themself. > [-- Attachment #2: Type: text/html, Size: 737 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-04 5:59 ` Jim Posen @ 2019-04-04 14:36 ` James O'Beirne 0 siblings, 0 replies; 18+ messages in thread From: James O'Beirne @ 2019-04-04 14:36 UTC (permalink / raw) To: Jim Posen, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 950 bytes --] I recommend that anyone following this thread read through the recent IRC exchange between Greg Maxwell and Luke Dashjr: http://www.erisian.com.au/bitcoin-core-dev/log-2019-04-04.html <http://www.erisian.com.au/bitcoin-core-dev/log-2019-04-04.html> The conversation starts on line 205 at 2019-04-04T02:54:50. On Thu, Apr 4, 2019 at 2:38 AM Jim Posen via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Learning C++ is something within everyone's capability. Even people who do >> not >> wish to learn it can hire someone to perform review for them. >> > > Anyone with enough knowledge of C++ to audit the entire the Bitcoin Core > codebase is more than capable of running it with assumeutxo disabled and > checking the hard-coded vale themself. > >> _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 1911 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 21:39 ` Dave Scotese 2019-04-04 3:01 ` Luke Dashjr @ 2019-04-13 19:09 ` Peter Todd 2019-04-15 0:44 ` Dave Scotese 1 sibling, 1 reply; 18+ messages in thread From: Peter Todd @ 2019-04-13 19:09 UTC (permalink / raw) To: Dave Scotese, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 1217 bytes --] On Wed, Apr 03, 2019 at 02:39:32PM -0700, Dave Scotese via bitcoin-dev wrote: > Every block's hash is smaller than the difficulty at that time. Block > 569927's hash was VERY small (started with 21 zeros). The ratio of block > hash to difficulty requirement (0xffffffff - difficulty, I think) could be > used to identify blocks as "special," thus providing the opportunity to > popularize unimportant but memorable-and-therefore-useful details. How can > they be useful if they are unimportant? They are useful for sanity > checking. For example, if the drunken bishop walk (or some other popular > randomart) produced by block 569927's hash looked like a face, that would > be memorable: "The block with the smallest hash in 2019 (maybe ever?) looks > like a face after the drunken bishop walk." As hashest smaller than the target have no significance to the Bitcoin consensus I'd suggest not basing any features on that property. It's just as arbitrary as picking whole decimal number block heights, yet has the additional downsides of being harder to compute, and being likely to confuse people as to how the Bitcoin consensus works. -- https://petertodd.org 'peter'[:-1]@petertodd.org [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-13 19:09 ` Peter Todd @ 2019-04-15 0:44 ` Dave Scotese 0 siblings, 0 replies; 18+ messages in thread From: Dave Scotese @ 2019-04-15 0:44 UTC (permalink / raw) To: Peter Todd; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2791 bytes --] No piece of data that does have significance to the Bitcoin consensus can be memorable because it occurs (about) every ten minutes. In order to get something memorable to provide sanity (let's say, anti-sybil-attack) checking, it has to be rare, but recurrent. The opportunity is actually already there, but it usually goes by without providing the benefits. For example, I found this blog post <http://www.righto.com/2014/02/ascii-bernanke-wikileaks-photographs.html> by Ken Shirriff who describes artifacts that can be found in the blockchain. These artifacts are not intimately tied to their location in the blockchain, so anyone building an alternative blockchain can relatively easily add the artifacts with the same timestamp and at the same height, masking the counterfeit. In order to prevent that, the memorable thing has to be intimately tied to work-intensive results, like the ratio of the hash to the target. Nelson Mandela's image appearing in the blockchain does NOT prove to me it's the blockchain I can see at blockchain.com right now, but if the smallest block hash in that blockchain, on 12/13/13, after all the zeroes, starts with 3da1 (144 * 65536 times as much work) and is one of the three block hashes from that day that have two occurrences of a double-e (about 256 times more work), then it will. The problem is that I'll probably forget most of those details - but not that Mandela's image went in the blockchain near the end of 2013. On Sat, Apr 13, 2019 at 12:09 PM Peter Todd <pete@petertodd•org> wrote: > On Wed, Apr 03, 2019 at 02:39:32PM -0700, Dave Scotese via bitcoin-dev > wrote: > > Every block's hash is smaller than the difficulty at that time. Block > > 569927's hash was VERY small (started with 21 zeros). The ratio of block > > hash to difficulty requirement (0xffffffff - difficulty, I think) could > be > > used to identify blocks as "special," thus providing the opportunity to > > popularize unimportant but memorable-and-therefore-useful details. How > can > > they be useful if they are unimportant? They are useful for sanity > > checking. For example, if the drunken bishop walk (or some other popular > > randomart) produced by block 569927's hash looked like a face, that would > > be memorable: "The block with the smallest hash in 2019 (maybe ever?) > looks > > like a face after the drunken bishop walk." > > As hashest smaller than the target have no significance to the Bitcoin > consensus I'd suggest not basing any features on that property. It's just > as > arbitrary as picking whole decimal number block heights, yet has the > additional > downsides of being harder to compute, and being likely to confuse people > as to > how the Bitcoin consensus works. > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > [-- Attachment #2: Type: text/html, Size: 3453 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 15:39 ` Ethan Scruples 2019-04-03 21:39 ` Dave Scotese @ 2019-04-04 2:48 ` Luke Dashjr 2019-04-04 3:04 ` Ethan Scruples 1 sibling, 1 reply; 18+ messages in thread From: Luke Dashjr @ 2019-04-04 2:48 UTC (permalink / raw) To: bitcoin-dev, Ethan Scruples On Wednesday 03 April 2019 15:39:29 Ethan Scruples via bitcoin-dev wrote: > If we can get mandatory UTXO commitments soft forked into Bitcoin, we get > the advantage of a non-growing IBD, No, we don't. This is exactly the danger. UTXO snapshots are NOT an alternative to a real IBD. There are HUGE security implications for this. Frankly, the danger that someone would do such a thing is itself a good reason not to ever add UTXO commitments. Luke ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-04 2:48 ` Luke Dashjr @ 2019-04-04 3:04 ` Ethan Scruples 0 siblings, 0 replies; 18+ messages in thread From: Ethan Scruples @ 2019-04-04 3:04 UTC (permalink / raw) To: Luke Dashjr; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 1306 bytes --] > This is exactly the danger. UTXO snapshots are NOT an alternative to a real IBD. There are HUGE security implications for this. This is a perfect example of what I am talking about when I say that people do not appear to notice that there is no important security implication to be found here. If there are huge security implications for this, then I am keen to hear them. In the scenario I have described, what advantage does Bob have over Alice? What actionable information has Bob gained, and what is the action he can take with it in hand? What value does Bob receive in return for the electricity he has spent validating the previous blocks? I cannot find any, but I am open to hearing the answer, and I think others would benefit from knowing it as well. On Wed, Apr 3, 2019 at 10:49 PM Luke Dashjr <luke@dashjr•org> wrote: > On Wednesday 03 April 2019 15:39:29 Ethan Scruples via bitcoin-dev wrote: > > If we can get mandatory UTXO commitments soft forked into Bitcoin, we get > > the advantage of a non-growing IBD, > > No, we don't. This is exactly the danger. UTXO snapshots are NOT an > alternative to a real IBD. There are HUGE security implications for this. > Frankly, the danger that someone would do such a thing is itself a good > reason not to ever add UTXO commitments. > > Luke > [-- Attachment #2: Type: text/html, Size: 1698 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-03 6:37 ` Jonas Schnelli 2019-04-03 15:39 ` Ethan Scruples @ 2019-04-03 19:51 ` James O'Beirne 1 sibling, 0 replies; 18+ messages in thread From: James O'Beirne @ 2019-04-03 19:51 UTC (permalink / raw) To: Jonas Schnelli; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 9754 bytes --] Thanks for the reply, Jonas. I should've figured someone had hit the mailing list with this one before! In hindsight, I may have overemphasized the use of this for low-powered mobile devices. Indeed I think this may also be a worthwhile optimization for common hardware too. On the margin, if a user wants to interact with Bitcoin they will download software that allows them to do it immediately - this results in many people defaulting to a light client. If Bitcoin were able to initialize from scratch in a comparable amount of time and then populate the full chain in the background, we may have many more people *incidentally* running full nodes. Regardless of whether or not we use UTXO snapshots per se, I'd argue that the pattern of doing some kind of quick initialization (whether it's with assumed-valid data, or headers-contingent data like BIP157) and then performing full validation in the background is a good way to ensure that we have a healthier population of full nodes than we would otherwise. For this reason, and (as Ethan points out) because IBD's linear setup time is infeasible in the long-term, I think this pattern is an obvious direction for the bitcoin client to go. > * Do we semi-trust the peer that servers the UTXO set (compared to a block or tx which we can validate)? What channel to we use to serve the snapshot? As you note in your post from 2016, where and how we retrieve the snapshot is more or less immaterial because we compare a hash of its contents to a previously specified value that the code ships with (the `assumeutxo` hash). We don't need to trust the source serving it to us, although bandwidth DoS prevention via some kind chunked delivery from peers would be worth thinking about. Regards, James On Wed, Apr 3, 2019 at 2:37 AM Jonas Schnelli <dev@jonasschnelli•ch> wrote: > Thanks James for the post. > > I proposed a similar idea [1] back in 2016 with the difference of signing > the UTXO-set hash in a gitian-ish way. > > While the idea of UTXO-set-syncs are attractive, there are probably still > significant downsides in usability (compared to models with less security), > mainly: > * Assume the UTXO set is 6 weeks old (which seems a reasonable age for > providing enough security) a peer using that snapshot would still require > to download and verify ~6048 blocks (~7.9GB at 1.3MB blocks,… probably > CPU-days on a phone) > * Do we semi-trust the peer that servers the UTXO set (compared to a block > or tx which we can validate)? What channel to we use to serve the snapshot? > > If the goal is to run a full node on a consumer device that is also been > used for other CPU intense operations (like a phone, etc.), I’m not sure if > this proposal will lead to a satisfactory user experience. > > The longer I think around this problem, the more I lean towards accepting > the fact that one need to use dedicated hardware in his own environment to > perform a painless full validation. > > /jonas > > [1] > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012478.html > > > Am 02.04.2019 um 22:43 schrieb James O'Beirne via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org>: > > > > Hi, > > > > I'd like to discuss assumeutxo, which is an appealing and simple > > optimization in the spirit of assumevalid[0]. > > > > # Motivation > > > > To start a fully validating bitcoin client from scratch, that client > currently > > needs to perform an initial block download. To the surprise of no one, > IBD > > takes a linear amount time based on the length of the chain's history. > For > > clients running on modest hardware under limited bandwidth constraints, > > say a mobile device, completing IBD takes a considerable amount of time > > and thus poses serious usability challenges. > > > > As a result, having fully validating clients run on such hardware is > rare and > > basically unrealistic. Clients with even moderate resource constraints > > are encouraged to rely on the SPV trust model. Though we have promising > > improvements to existing SPV modes pending deployment[1], it's worth > > thinking about a mechanism that would allow such clients to use trust > > models closer to full validation. > > > > The subject of this mail is a proposal for a complementary alternative > to SPV > > modes, and which is in the spirit of an existing default, `assumevalid`. > It may > > help modest clients transact under a security model that closely > resembles > > full validation within minutes instead of hours or days. > > > > # assumeutxo > > > > The basic idea is to allow nodes to initialize using a serialized > version of the > > UTXO set rendered by another node at some predetermined height. The > > initializing node syncs the headers chain from the network, then obtains > and > > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO > set > > bundled with the block header indicating its "base" and some other > metadata). > > > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > > download of the 3.2GB snapshot[2]. > > > > The node then syncs to the network tip and afterwards begins a > simultaneous > > background validation (i.e., a conventional IBD) up to the base height > of the > > snapshot in order to achieve full validation. Crucially, even while the > > background validation is happening the node can validate incoming blocks > and > > transact with the benefit of the full (assumed-valid) UTXO set. > > > > Snapshots could be obtained from multiple separate peers in the same > manner as > > block download, but I haven't put much thought into this. In concept it > doesn't > > matter too much where the snapshots come from since their validity is > > determined via content hash. > > > > # Security > > > > Obviously there are some security implications due consideration. While > this > > proposal is in the spirit of assumevalid, practical attacks may become > easier. > > Under assumevalid, a user can be tricked into transacting under a false > history > > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > > parameter, sybils their node, and then feeds them a bogus chain > encompassing > > all of the hard-coded checkpoints[3]. > > > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, > > the attacker need not construct a valid PoW chain to get the victim's > node into > > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > > parameter and then supply them an easily made UTXO snapshot containing, > say, a > > false coin assignment. > > > > For this reason, I recommend that if we were to implement assumeutxo, we > not > > allow its specification via commandline argument[4]. > > > > Beyond this risk, I can't think of material differences in security > relative to > > assumevalid, though I appeal to the list for help with this. > > > > # More fully validating clients > > > > A particularly exciting use-case for assumeutxo is the possibility of > mobile > > devices functioning as fully validating nodes with access to the > complete UTXO > > set (as an alternative to SPV models). The total resource burden needed > to start a node > > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > > + blocks_to_tip * 4MB) download and a few minutes of processing time, > which sounds > > manageable for many mobile devices currently in use. > > > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, > > transact immediately, and complete a pruned full validation of their > > assumed-valid chain over the next few days, perhaps only doing the > background > > IBD when their device has access to suitable high-bandwidth connections. > > > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > > the road, it's easy to imagine an analogous process that would allow > very fast > > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > > > --- > > > > I've created a related issue at our Github repository here: > > https://github.com/bitcoin/bitcoin/issues/15605 > > > > and have submitted a draft implementation of snapshot usage via RPC here: > > https://github.com/bitcoin/bitcoin/pull/15606 > > > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > > plans for deployment steps should be discussed in the Github issue, and > after all > > that my implementation may be reviewed as a sketch of the specific > software > > changes necessary. > > > > Regards, > > James > > > > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU > @ 2.10GHz > > [3]: > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > > [4]: Marco Falke is due credit for this point > > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > > [6]: Boneh, Bunz, Fisch on accumulators: > https://eprint.iacr.org/2018/1188 > > > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists•linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > [-- Attachment #2: Type: text/html, Size: 11871 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-02 20:43 James O'Beirne 2019-04-03 6:37 ` Jonas Schnelli @ 2019-04-03 9:55 ` Luke Dashjr 2019-04-03 23:03 ` Jim Posen ` (2 subsequent siblings) 4 siblings, 0 replies; 18+ messages in thread From: Luke Dashjr @ 2019-04-03 9:55 UTC (permalink / raw) To: bitcoin-dev, James O'Beirne This would lead to users trusting third parties (like developers) way too much. Furthermore, removing the ability for users to easily set it removes the one reasonable use case: where the user has already verified the state at some point previously, and saved the hash (ie, as backup of the UTXO set). Luke On Tuesday 02 April 2019 20:43:11 James O'Beirne via bitcoin-dev wrote: > Hi, > > I'd like to discuss assumeutxo, which is an appealing and simple > optimization in the spirit of assumevalid[0]. > > # Motivation > > To start a fully validating bitcoin client from scratch, that client > currently > needs to perform an initial block download. To the surprise of no one, IBD > takes a linear amount time based on the length of the chain's history. For > clients running on modest hardware under limited bandwidth constraints, > say a mobile device, completing IBD takes a considerable amount of time > and thus poses serious usability challenges. > > As a result, having fully validating clients run on such hardware is rare > and > basically unrealistic. Clients with even moderate resource constraints > are encouraged to rely on the SPV trust model. Though we have promising > improvements to existing SPV modes pending deployment[1], it's worth > thinking about a mechanism that would allow such clients to use trust > models closer to full validation. > > The subject of this mail is a proposal for a complementary alternative to > SPV > modes, and which is in the spirit of an existing default, `assumevalid`. It > may > help modest clients transact under a security model that closely resembles > full validation within minutes instead of hours or days. > > # assumeutxo > > The basic idea is to allow nodes to initialize using a serialized version > of the > UTXO set rendered by another node at some predetermined height. The > initializing node syncs the headers chain from the network, then obtains > and loads one of these UTXO snapshots (i.e. a serialized version of the > UTXO set bundled with the block header indicating its "base" and some other > metadata). > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > download of the 3.2GB snapshot[2]. > > The node then syncs to the network tip and afterwards begins a simultaneous > background validation (i.e., a conventional IBD) up to the base height of > the > snapshot in order to achieve full validation. Crucially, even while the > background validation is happening the node can validate incoming blocks > and transact with the benefit of the full (assumed-valid) UTXO set. > > Snapshots could be obtained from multiple separate peers in the same manner > as > block download, but I haven't put much thought into this. In concept it > doesn't > matter too much where the snapshots come from since their validity is > determined via content hash. > > # Security > > Obviously there are some security implications due consideration. While > this proposal is in the spirit of assumevalid, practical attacks may become > easier. > Under assumevalid, a user can be tricked into transacting under a false > history > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > parameter, sybils their node, and then feeds them a bogus chain > encompassing all of the hard-coded checkpoints[3]. > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, the attacker need not construct a valid PoW chain to get the > victim's node into > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > parameter and then supply them an easily made UTXO snapshot containing, > say, a > false coin assignment. > > For this reason, I recommend that if we were to implement assumeutxo, we > not allow its specification via commandline argument[4]. > > Beyond this risk, I can't think of material differences in security > relative to > assumevalid, though I appeal to the list for help with this. > > # More fully validating clients > > A particularly exciting use-case for assumeutxo is the possibility of > mobile devices functioning as fully validating nodes with access to the > complete UTXO > set (as an alternative to SPV models). The total resource burden needed to > start a node > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > + blocks_to_tip * 4MB) download and a few minutes of processing time, which > sounds > manageable for many mobile devices currently in use. > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, transact immediately, and complete a pruned full validation of their > assumed-valid chain over the next few days, perhaps only doing the > background > IBD when their device has access to suitable high-bandwidth connections. > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > the road, it's easy to imagine an analogous process that would allow very > fast > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > --- > > I've created a related issue at our Github repository here: > https://github.com/bitcoin/bitcoin/issues/15605 > > and have submitted a draft implementation of snapshot usage via RPC here: > https://github.com/bitcoin/bitcoin/pull/15606 > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > plans for deployment steps should be discussed in the Github issue, and > after all > that my implementation may be reviewed as a sketch of the specific software > changes necessary. > > Regards, > James > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ > 2.10GHz > [3]: > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L1 >61 [4]: Marco Falke is due credit for this point > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-02 20:43 James O'Beirne 2019-04-03 6:37 ` Jonas Schnelli 2019-04-03 9:55 ` Luke Dashjr @ 2019-04-03 23:03 ` Jim Posen 2019-04-14 13:16 ` Omar Shibli 2019-04-23 14:17 ` James O'Beirne 4 siblings, 0 replies; 18+ messages in thread From: Jim Posen @ 2019-04-03 23:03 UTC (permalink / raw) To: James O'Beirne, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 7457 bytes --] Big Concept ACK. I think this would be one of the biggest usability improvements for Bitcoin and I see no security issues with the assumevalid approach. I also agree that it's important to start work on this even before the ultimate, perfect accumulator has been designed/tested and the commitment scheme can always be upgraded later on. assumeutxo syncing actually seems pretty orthogonal to the accumulator research. I have a few questions - So any nodes that do an initial sync will stop at the assumeutxo height, serialize a snapshot of the chain state and store it? How many nodes are expected to do this? Any idea how long this takes? Should it be enabled by default? - Would pruned nodes still download all historic blocks to double-check the snapshot or only full nodes that intend to serve block data? - How long are old snapshots retained? Presumably during a new release nodes should keep at least a version back. Without P2P signalling of which snapshots are available, they maybe have to keep all old snapshots or even download old ones. and comments - The snapshot should probably be chunked up to minimize the amount of bandwidth/IO/memory a malicious node could waste before you realize. Also, it would make parallel downloading easier. On Tue, Apr 2, 2019 at 4:43 PM James O'Beirne via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Hi, > > I'd like to discuss assumeutxo, which is an appealing and simple > optimization in the spirit of assumevalid[0]. > > # Motivation > > To start a fully validating bitcoin client from scratch, that client > currently > needs to perform an initial block download. To the surprise of no one, IBD > takes a linear amount time based on the length of the chain's history. For > clients running on modest hardware under limited bandwidth constraints, > say a mobile device, completing IBD takes a considerable amount of time > and thus poses serious usability challenges. > > As a result, having fully validating clients run on such hardware is rare > and > basically unrealistic. Clients with even moderate resource constraints > are encouraged to rely on the SPV trust model. Though we have promising > improvements to existing SPV modes pending deployment[1], it's worth > thinking about a mechanism that would allow such clients to use trust > models closer to full validation. > > The subject of this mail is a proposal for a complementary alternative to > SPV > modes, and which is in the spirit of an existing default, `assumevalid`. > It may > help modest clients transact under a security model that closely resembles > full validation within minutes instead of hours or days. > > # assumeutxo > > The basic idea is to allow nodes to initialize using a serialized version > of the > UTXO set rendered by another node at some predetermined height. The > initializing node syncs the headers chain from the network, then obtains > and > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO > set > bundled with the block header indicating its "base" and some other > metadata). > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > download of the 3.2GB snapshot[2]. > > The node then syncs to the network tip and afterwards begins a simultaneous > background validation (i.e., a conventional IBD) up to the base height of > the > snapshot in order to achieve full validation. Crucially, even while the > background validation is happening the node can validate incoming blocks > and > transact with the benefit of the full (assumed-valid) UTXO set. > > Snapshots could be obtained from multiple separate peers in the same > manner as > block download, but I haven't put much thought into this. In concept it > doesn't > matter too much where the snapshots come from since their validity is > determined via content hash. > > # Security > > Obviously there are some security implications due consideration. While > this > proposal is in the spirit of assumevalid, practical attacks may become > easier. > Under assumevalid, a user can be tricked into transacting under a false > history > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > parameter, sybils their node, and then feeds them a bogus chain > encompassing > all of the hard-coded checkpoints[3]. > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, > the attacker need not construct a valid PoW chain to get the victim's node > into > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > parameter and then supply them an easily made UTXO snapshot containing, > say, a > false coin assignment. > > For this reason, I recommend that if we were to implement assumeutxo, we > not > allow its specification via commandline argument[4]. > > Beyond this risk, I can't think of material differences in security > relative to > assumevalid, though I appeal to the list for help with this. > > # More fully validating clients > > A particularly exciting use-case for assumeutxo is the possibility of > mobile > devices functioning as fully validating nodes with access to the complete > UTXO > set (as an alternative to SPV models). The total resource burden needed to > start a node > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > + blocks_to_tip * 4MB) download and a few minutes of processing time, > which sounds > manageable for many mobile devices currently in use. > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, > transact immediately, and complete a pruned full validation of their > assumed-valid chain over the next few days, perhaps only doing the > background > IBD when their device has access to suitable high-bandwidth connections. > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > the road, it's easy to imagine an analogous process that would allow very > fast > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > --- > > I've created a related issue at our Github repository here: > https://github.com/bitcoin/bitcoin/issues/15605 > > and have submitted a draft implementation of snapshot usage via RPC here: > https://github.com/bitcoin/bitcoin/pull/15606 > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > plans for deployment steps should be discussed in the Github issue, and > after all > that my implementation may be reviewed as a sketch of the specific software > changes necessary. > > Regards, > James > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ > 2.10GHz > [3]: > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > [4]: Marco Falke is due credit for this point > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 9769 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-02 20:43 James O'Beirne ` (2 preceding siblings ...) 2019-04-03 23:03 ` Jim Posen @ 2019-04-14 13:16 ` Omar Shibli 2019-04-23 14:17 ` James O'Beirne 4 siblings, 0 replies; 18+ messages in thread From: Omar Shibli @ 2019-04-14 13:16 UTC (permalink / raw) To: Bitcoin Protocol Discussion, James O'Beirne [-- Attachment #1: Type: text/plain, Size: 6832 bytes --] This sounds really promising to me, I think it could seriously improve the current SPV trust model. In abstract these are the possible setups today: Full node: All history, 100% monetary sovereignty. SPV: fancy term to Electrum trust model, random selection of nodes, with full delegation of monetary responsibility. I think in that spirit a hybrid approach of full node + spv. As follows: Hardware spv with only genesis hash block seeded, as a safe bootstrap, from there only headers is needed for validation, and ongoing new fresh blocks and associated historic blocks for conducting transactions. On Wed, Apr 3, 2019 at 2:43 AM James O'Beirne via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > Hi, > > I'd like to discuss assumeutxo, which is an appealing and simple > optimization in the spirit of assumevalid[0]. > > # Motivation > > To start a fully validating bitcoin client from scratch, that client > currently > needs to perform an initial block download. To the surprise of no one, IBD > takes a linear amount time based on the length of the chain's history. For > clients running on modest hardware under limited bandwidth constraints, > say a mobile device, completing IBD takes a considerable amount of time > and thus poses serious usability challenges. > > As a result, having fully validating clients run on such hardware is rare > and > basically unrealistic. Clients with even moderate resource constraints > are encouraged to rely on the SPV trust model. Though we have promising > improvements to existing SPV modes pending deployment[1], it's worth > thinking about a mechanism that would allow such clients to use trust > models closer to full validation. > > The subject of this mail is a proposal for a complementary alternative to > SPV > modes, and which is in the spirit of an existing default, `assumevalid`. > It may > help modest clients transact under a security model that closely resembles > full validation within minutes instead of hours or days. > > # assumeutxo > > The basic idea is to allow nodes to initialize using a serialized version > of the > UTXO set rendered by another node at some predetermined height. The > initializing node syncs the headers chain from the network, then obtains > and > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO > set > bundled with the block header indicating its "base" and some other > metadata). > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > download of the 3.2GB snapshot[2]. > > The node then syncs to the network tip and afterwards begins a simultaneous > background validation (i.e., a conventional IBD) up to the base height of > the > snapshot in order to achieve full validation. Crucially, even while the > background validation is happening the node can validate incoming blocks > and > transact with the benefit of the full (assumed-valid) UTXO set. > > Snapshots could be obtained from multiple separate peers in the same > manner as > block download, but I haven't put much thought into this. In concept it > doesn't > matter too much where the snapshots come from since their validity is > determined via content hash. > > # Security > > Obviously there are some security implications due consideration. While > this > proposal is in the spirit of assumevalid, practical attacks may become > easier. > Under assumevalid, a user can be tricked into transacting under a false > history > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > parameter, sybils their node, and then feeds them a bogus chain > encompassing > all of the hard-coded checkpoints[3]. > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, > the attacker need not construct a valid PoW chain to get the victim's node > into > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > parameter and then supply them an easily made UTXO snapshot containing, > say, a > false coin assignment. > > For this reason, I recommend that if we were to implement assumeutxo, we > not > allow its specification via commandline argument[4]. > > Beyond this risk, I can't think of material differences in security > relative to > assumevalid, though I appeal to the list for help with this. > > # More fully validating clients > > A particularly exciting use-case for assumeutxo is the possibility of > mobile > devices functioning as fully validating nodes with access to the complete > UTXO > set (as an alternative to SPV models). The total resource burden needed to > start a node > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > + blocks_to_tip * 4MB) download and a few minutes of processing time, > which sounds > manageable for many mobile devices currently in use. > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, > transact immediately, and complete a pruned full validation of their > assumed-valid chain over the next few days, perhaps only doing the > background > IBD when their device has access to suitable high-bandwidth connections. > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > the road, it's easy to imagine an analogous process that would allow very > fast > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > --- > > I've created a related issue at our Github repository here: > https://github.com/bitcoin/bitcoin/issues/15605 > > and have submitted a draft implementation of snapshot usage via RPC here: > https://github.com/bitcoin/bitcoin/pull/15606 > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > plans for deployment steps should be discussed in the Github issue, and > after all > that my implementation may be reviewed as a sketch of the specific software > changes necessary. > > Regards, > James > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ > 2.10GHz > [3]: > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > [4]: Marco Falke is due credit for this point > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > -- Sent from Gmail Mobile [-- Attachment #2: Type: text/html, Size: 9343 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [bitcoin-dev] assumeutxo and UTXO snapshots 2019-04-02 20:43 James O'Beirne ` (3 preceding siblings ...) 2019-04-14 13:16 ` Omar Shibli @ 2019-04-23 14:17 ` James O'Beirne 4 siblings, 0 replies; 18+ messages in thread From: James O'Beirne @ 2019-04-23 14:17 UTC (permalink / raw) To: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 6535 bytes --] Good morning all, Over the past weeks I've had a number of conversations with a few frequent contributors about this idea. I've condensed these discussions into a proposal document which you can view here: https://github.com/jamesob/assumeutxo-docs/tree/2019-04-proposal/proposal The document is structured as an FAQ, and so hopefully it addresses some of the common questions that would come up in this thread. If you'd like to comment, there's an associated pull request here: https://github.com/jamesob/assumeutxo-docs/pull/1 Regards, James On Tue, Apr 2, 2019 at 4:43 PM James O'Beirne <james.obeirne@gmail•com> wrote: > Hi, > > I'd like to discuss assumeutxo, which is an appealing and simple > optimization in the spirit of assumevalid[0]. > > # Motivation > > To start a fully validating bitcoin client from scratch, that client > currently > needs to perform an initial block download. To the surprise of no one, IBD > takes a linear amount time based on the length of the chain's history. For > clients running on modest hardware under limited bandwidth constraints, > say a mobile device, completing IBD takes a considerable amount of time > and thus poses serious usability challenges. > > As a result, having fully validating clients run on such hardware is rare > and > basically unrealistic. Clients with even moderate resource constraints > are encouraged to rely on the SPV trust model. Though we have promising > improvements to existing SPV modes pending deployment[1], it's worth > thinking about a mechanism that would allow such clients to use trust > models closer to full validation. > > The subject of this mail is a proposal for a complementary alternative to > SPV > modes, and which is in the spirit of an existing default, `assumevalid`. > It may > help modest clients transact under a security model that closely resembles > full validation within minutes instead of hours or days. > > # assumeutxo > > The basic idea is to allow nodes to initialize using a serialized version > of the > UTXO set rendered by another node at some predetermined height. The > initializing node syncs the headers chain from the network, then obtains > and > loads one of these UTXO snapshots (i.e. a serialized version of the UTXO > set > bundled with the block header indicating its "base" and some other > metadata). > > Based upon the snapshot, the node is able to quickly reconstruct its > chainstate, > and compares a hash of the resulting UTXO set to a preordained hash > hard-coded > in the software a la assumevalid. This all takes ~23 minutes, not > accounting for > download of the 3.2GB snapshot[2]. > > The node then syncs to the network tip and afterwards begins a simultaneous > background validation (i.e., a conventional IBD) up to the base height of > the > snapshot in order to achieve full validation. Crucially, even while the > background validation is happening the node can validate incoming blocks > and > transact with the benefit of the full (assumed-valid) UTXO set. > > Snapshots could be obtained from multiple separate peers in the same > manner as > block download, but I haven't put much thought into this. In concept it > doesn't > matter too much where the snapshots come from since their validity is > determined via content hash. > > # Security > > Obviously there are some security implications due consideration. While > this > proposal is in the spirit of assumevalid, practical attacks may become > easier. > Under assumevalid, a user can be tricked into transacting under a false > history > if an attacker convinces them to start bitcoind with a malicious > `-assumevalid` > parameter, sybils their node, and then feeds them a bogus chain > encompassing > all of the hard-coded checkpoints[3]. > > The same attack is made easier in assumeutxo because, unlike in > assumevalid, > the attacker need not construct a valid PoW chain to get the victim's node > into > a false state; they simply need to get the user to accept a bad > `-assumeutxo` > parameter and then supply them an easily made UTXO snapshot containing, > say, a > false coin assignment. > > For this reason, I recommend that if we were to implement assumeutxo, we > not > allow its specification via commandline argument[4]. > > Beyond this risk, I can't think of material differences in security > relative to > assumevalid, though I appeal to the list for help with this. > > # More fully validating clients > > A particularly exciting use-case for assumeutxo is the possibility of > mobile > devices functioning as fully validating nodes with access to the complete > UTXO > set (as an alternative to SPV models). The total resource burden needed to > start a node > from scratch based on a snapshot is, at time of writing, a ~(3.2GB > + blocks_to_tip * 4MB) download and a few minutes of processing time, > which sounds > manageable for many mobile devices currently in use. > > A mobile user could initialize an assumed-valid bitcoin node within an > hour, > transact immediately, and complete a pruned full validation of their > assumed-valid chain over the next few days, perhaps only doing the > background > IBD when their device has access to suitable high-bandwidth connections. > > If we end up implementing an accumulator-based UTXO scaling design[5][6] > down > the road, it's easy to imagine an analogous process that would allow very > fast > startup using an accumulator of a few kilobytes in lieu of a multi-GB > snapshot. > > --- > > I've created a related issue at our Github repository here: > https://github.com/bitcoin/bitcoin/issues/15605 > > and have submitted a draft implementation of snapshot usage via RPC here: > https://github.com/bitcoin/bitcoin/pull/15606 > > I'd like to discuss here whether this is a good fit for Bitcoin > conceptually. Concrete > plans for deployment steps should be discussed in the Github issue, and > after all > that my implementation may be reviewed as a sketch of the specific software > changes necessary. > > Regards, > James > > > [0]: > https://bitcoincore.org/en/2017/03/08/release-0.14.0/#assumed-valid-blocks > [1]: https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki > [2]: as tested at height 569895, on a 12 core Intel Xeon Silver 4116 CPU @ > 2.10GHz > [3]: > https://github.com/bitcoin/bitcoin/blob/84d0fdc/src/chainparams.cpp#L145-L161 > [4]: Marco Falke is due credit for this point > [5]: utreexo: https://www.youtube.com/watch?v=edRun-6ubCc > [6]: Boneh, Bunz, Fisch on accumulators: https://eprint.iacr.org/2018/1188 > > [-- Attachment #2: Type: text/html, Size: 8830 bytes --] ^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2019-04-23 14:17 UTC | newest] Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <mailman.2593.1554248572.29810.bitcoin-dev@lists.linuxfoundation.org> 2019-04-03 7:51 ` [bitcoin-dev] assumeutxo and UTXO snapshots Nicolas Dorier 2019-04-04 10:27 ` Kulpreet Singh 2019-04-02 20:43 James O'Beirne 2019-04-03 6:37 ` Jonas Schnelli 2019-04-03 15:39 ` Ethan Scruples 2019-04-03 21:39 ` Dave Scotese 2019-04-04 3:01 ` Luke Dashjr 2019-04-04 5:59 ` Jim Posen 2019-04-04 14:36 ` James O'Beirne 2019-04-13 19:09 ` Peter Todd 2019-04-15 0:44 ` Dave Scotese 2019-04-04 2:48 ` Luke Dashjr 2019-04-04 3:04 ` Ethan Scruples 2019-04-03 19:51 ` James O'Beirne 2019-04-03 9:55 ` Luke Dashjr 2019-04-03 23:03 ` Jim Posen 2019-04-14 13:16 ` Omar Shibli 2019-04-23 14:17 ` James O'Beirne
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox