From: Erik Aronesty <erik@q32•com>
To: moonsettler <moonsettler@protonmail•com>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] OP_CHECKUTXOSETHASH idea
Date: Thu, 2 Oct 2025 16:39:51 -0700 [thread overview]
Message-ID: <CAJowKg+et-84+BvkwE=Kjkms-gX-2peT+jvDJSXbHT-MLXan7w@mail.gmail.com> (raw)
In-Reply-To: <yWSgWCkIJcRS4SRwKDLGs3M3Ui-bDH-sCOUqwxXhWo8Y4RSt-UcCMKs3vd6le6l3S3j8yVt3Tqylyhq9MhgTVLpf0D5wtkCEXoJhbEyl-B0=@protonmail.com>
[-- Attachment #1: Type: text/plain, Size: 4617 bytes --]
I agree, this doesn’t belong in general script where it could create
mempool weirdness; also the DoS surface is real if checkpoints can be
demanded arbitrarily.
Verification isn’t nearly as heavy as you suggest though. Every validating
node already maintains the UTXO set; computing the salted hash once per
epoch is basically a linear scan with caching. Incremental hashing
techniques can make it even faster.
To reduce attack surface: commitment in the coinbase only, at most once per
difficulty epoch. No mempool footprint, no risk of pinning attacks, and no
repeat scanning. Nodes just compute and cache the root when they process
the epoch’s first block, then check a 32-byte value at the epoch’s end.
Producing that root is still expensive enough to require real incentives
(sponsor still has to pay for it, and that's OK) - checking it is trivial.
Voluntary and expensive to make, cheap to verify, consensus-enforced if
present but never mandatory. Miners and sponsors decide if it’s worth
burning the cycles, nodes get a safe fast-sync path.
The key ingredient is sponsor-paid-work. This thing disappears if nobody
wants to pay for it or mine it.
On Thu, Oct 2, 2025 at 3:40 PM moonsettler <moonsettler@protonmail•com>
wrote:
> Hi Erik,
>
> Since it is costly for nodes to compute, this is a bit of a DOS vector. I
> would suggest to limit UTXO set commitments to every 2016 blocks (either
> the first or the last block of a difficult adjustment epoch).
>
> If it checks the UTXO set commitment of a previous block, it will not
> interfere with mining, for example always commit to the initial state of
> the difficult adjustment epoch at the end of the epoch. The hash can be
> calculated well in advance. It also would be the same in every check, so
> it's not possible to use it for denial of service.
>
> It's a bit interesting that the script can not be fully validated before
> it hits an actual block. It also allows for submitting a transaction into
> the mempool that might be invalid to mine, that needs additional steps for
> eviction. Wonder if this allows for weird new pinning attacks for free?
>
> Overall I have low confidence that this belongs in script instead of the
> coinbase transaction structure via a more specific soft fork.
>
> BR,
> moonsettler
>
> On Tuesday, September 30th, 2025 at 2:11 AM, Erik Aronesty <erik@q32•com>
> wrote:
>
> > A soft fork could introduce a new opcode, `OP_CHECKUTXOSETHASH`,
> allowing miners to optionally commit a deterministic hash of the current
> UTXO set into a block. If present, all nodes must verify its correctness or
> reject the block; if absent, the block is still valid. Old nodes treat the
> opcode as unspendable, so backward compatibility is preserved.
> > Because computing the full UTXO root is costly, this makes each
> checkpoint intentionally expensive to produce, ensuring that miners will
> only include them when compensated with sufficient fees. Additionally, it
> could be limited to one per block.
> >
> > The result is a voluntary, self-limiting, incentive-aligned, fee-driven
> system where checkpoints are cheaply consensus-enforced when included but
> never mandatory.
> >
> > Most nodes could operate on a rolling history validated by occasional,
> high-value commitments, while archival nodes remain free to preserve the
> full chain. This reduces the burden of initial sync and resource use
> without sacrificing Bitcoin’s security model, since any invalid checkpoint
> would invalidate its block.
> >
> > In practice, the chain becomes more efficient for everyday use while the
> historical record remains intact for those willing to bear the expense of
> maintaining it.
> >
> >
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Bitcoin Development Mailing List" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to bitcoindev+unsubscribe@googlegroups•com.
> > To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/CAJowKgLE4kb7qT1NxXrmEssr8%2BfQGd-%3D7%3Dm-BAsjePoti8TRRg%40mail.gmail.com
> .
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJowKg%2Bet-84%2BBvkwE%3DKjkms-gX-2peT%2BjvDJSXbHT-MLXan7w%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 5563 bytes --]
next prev parent reply other threads:[~2025-10-02 23:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <GDC-d847c0e8-4e35-40c5-87e7-2ab89e13ea09@google.com>
2025-09-30 0:09 ` Erik Aronesty
2025-10-02 22:40 ` 'moonsettler' via Bitcoin Development Mailing List
2025-10-02 23:39 ` Erik Aronesty [this message]
2025-10-03 16:12 ` Peter Todd
2025-10-03 22:15 ` Erik Aronesty
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJowKg+et-84+BvkwE=Kjkms-gX-2peT+jvDJSXbHT-MLXan7w@mail.gmail.com' \
--to=erik@q32$(echo .)com \
--cc=bitcoindev@googlegroups.com \
--cc=moonsettler@protonmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox