Ultimate blockchain compression w/ trust-free lite nodes - page 2.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: instagibbs on June 20, 2014, 11:27:46 AM

It's the difference between saying:

1) I believe the UTXO checkpoint is valid because people built on top of it. (SPV-like, depth-based)

With a UTXO checkpoint built-in to the client, safety is guaranteed (so far as I can tell) if the checkpoint is valid.

That is the scenario the wiki discusses. The scenario I originally asked about is downloading the entire UTXO chain (not a checkpoint of it).

Quote

I'm not even trying to argue about a practical attack, I'm simply explaining why they're different. They are.

They are different but if the difference isn't meaningful in terms of security for the chain then there's no issue and UTXO and/or ledger-block can be used instead of downloading everything from genesis (this is good news btw! You should want to make it work, otherwise bitcoin won't be sustainable).

instagibbs

member

Activity: 114

Merit: 12

It's the difference between saying:

1) I believe the UTXO checkpoint is valid because people built on top of it. (SPV-like, depth-based)

and

2) I don't have to trust any checkpoint, I computed the address balances from the beginning of time.

I'm not even trying to argue about a practical attack, I'm simply explaining why they're different. They are.

sugarpuff

newbie

Activity: 58

Merit: 0

(For any audience, see SPV in Thin client security.)

Quote from: instagibbs on June 20, 2014, 10:22:52 AM

Ok, well again, this is still SPV-like security(block depth). That's the definition of the security model. Practically you might feel it's ok, but it's certainly a different security model than Bitcoin full node security.

In that it is using block-depth it is like SPV (this I already acknowledged in a previous post), but it is not the same because of the extra information in the UTXO, and it is not the same as rolling-root/ledger-block because the current root is guaranteed to not have any relevant transactions prior to it.

Please be specific. What does the attack scenario look like with UTXO and/or ledger-block, and why does it require the full transaction history?

The wiki seems to agree with me actually:

Quote

If such UOT hashes were included in the block chain, a client which shipped with a checkpoint block that had a UOT would only need to download blocks after the checkpoint. Moreover, once the client had downloaded those blocks and confirmed their UOTs, it could discard all but the most recent block containing a UOT.

https://en.bitcoin.it/wiki/Thin_Client_Security#Unused_Output_Tree_in_the_Block_chain_.28UOT.29

Edit: Although it is saying something slightly different (shipping clients with the full UTXO already intact, but I don't think that's necessary with rolling root. Would have to give it more thought, but might not be necessary for UTXO either. If there's a problem for UTXO, it could be fixed with a rolling-root type solution).

instagibbs

member

Activity: 114

Merit: 12

Quote from: sugarpuff on June 20, 2014, 10:14:18 AM

Edited point 1 in above post of mine to state:

1. The ledger block of the honest nodes will contain transactions that can be verified to have thousands of confirmations.

Ok, well again, this is still SPV-like security(block depth). That's the definition of the security model. Practically you might feel it's ok, but it's certainly a different security model than Bitcoin full node security.

sugarpuff

newbie

Activity: 58

Merit: 0

Edited point 1 in above post of mine to state:

1. The ledger block of the honest nodes will contain transactions that can be verified to have thousands of confirmations.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: instagibbs on June 20, 2014, 09:44:55 AM

Let's say we only have one ledger block, or whatever, or UTXO commitment thing. If we don't know the blocks before that, other than just headers, we can't verify that people are building on valid blocks. Someone could have made a fraudulent ledger block, and built on top of it. If people don't catch this, and never check contents before that, they have successfully attacked the network.

(For any audience, "ledger block" is same thing as "rolling root".)

Thank you for the reply (and trying to address my questions)! I'm not convinced that is correct, however. How would this attacker create a convincing fraudulent ledger block that beats the ledger block of the honest nodes?

1. The ledger block of the honest nodes will contain transactions that can be verified to have thousands of confirmations.
2. The ledger block of the honest nodes will be part of a longer chain than the fraudulent one for the same reasons described in the bitcoin paper.

If I'm wrong, I must be missing some subtle and would appreciate it if you (or anyone else) could explain what that is.

instagibbs

member

Activity: 114

Merit: 12

Quote from: sugarpuff on June 20, 2014, 08:32:19 AM

Still waiting for that reply.

Let's say we only have one ledger block, or whatever, or UTXO commitment thing. If we don't know the blocks before that, other than just headers, we can't verify that people are building on valid blocks. Someone could have made a fraudulent ledger block, and built on top of it. If people don't catch this, and never check contents before that, they have successfully attacked the network.

I think of it as SPV++ security: We are saying the ledger blocks/UTXO commitments are "secure" based on how deep in the chain they are, rather than looking at height. The only way to know the chain is valid is to start 100% from the beginning, and work your way through until you reach the current height.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: maaku on June 20, 2014, 01:59:36 AM

I explained myself, twice:

Quote from: maaku on June 18, 2014, 11:27:18 PM

The miner needs to verify the entire block chain history because otherwise he has no way of knowing if he is actually on a valid chain or not. This has nothing to do with UTXO commitments, rolling root, or any other proposal. It's a basic, fundamental requirement of any consensus system: if the miners themselves operate in SPV mode (which you advocate), then anyone -- no matter their hashrate! -- can trick the network into mining an invalid chain. The attacker does so by mining a fork with invalid history and temporarily (by luck or 51%) overcoming the honest network. New miners coming online, or miners tricked into reseting their state then switch to the invalid chain This completely invalidates the SPV assumption and makes it unsafe for anybody to use the network.

In what universe is that an answer to the facts that I pointed out?

You're continuing to ignore that:

1. I did not advocate SPV.
2. UTXO is not SPV.
3. Rolling root is not SPV.

The 51% attack you describe would have *equal* impact on nodes with the full history (so far as I understood what you're describing).

You never explained—anywhere—how UTXO "full-leaf nodes" are different in any meaningful manner from nodes with complete transaction histories.

Still waiting for that reply.

doldgigger

full member

Activity: 170

Merit: 100

Quote from: maaku on June 19, 2014, 03:02:18 PM

Checkpoints are a temporary hack that will go away soon, we hope.

How is that? Performance suddenly considered a bad thing?

maaku

legendary

Activity: 905

Merit: 1012

I explained myself, twice:

Quote from: maaku on June 18, 2014, 11:27:18 PM

The miner needs to verify the entire block chain history because otherwise he has no way of knowing if he is actually on a valid chain or not. This has nothing to do with UTXO commitments, rolling root, or any other proposal. It's a basic, fundamental requirement of any consensus system: if the miners themselves operate in SPV mode (which you advocate), then anyone -- no matter their hashrate! -- can trick the network into mining an invalid chain. The attacker does so by mining a fork with invalid history and temporarily (by luck or 51%) overcoming the honest network. New miners coming online, or miners tricked into reseting their state then switch to the invalid chain This completely invalidates the SPV assumption and makes it unsafe for anybody to use the network.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: maaku on June 19, 2014, 03:02:18 PM

Checkpoints are a temporary hack that will go away soon, we hope.

Maaku, I take your silence to indicate either that you believe I am wrong but do not (for whatever reason) want to explain why you think so.

Or... well, actually that's my only hypothesis.

For my part, I do not see how you can be right, and I provided my reasons for why I think that. As far as I can tell, once the leaves have all been fetched, miners can safely mine on the blockchain without having to download the histories of all those coins.

maaku

legendary

Activity: 905

Merit: 1012

Checkpoints are a temporary hack that will go away soon, we hope.

doldgigger

full member

Activity: 170

Merit: 100

Quote from: maaku on June 18, 2014, 10:09:13 PM

no it's worse than that -- you have to download and process every single block since Genesis. otherwise you may be on an invalid chain and not even know it.

People might speed up that process by relying on checkpoint hashes built into the client. Since most cryptocurrency client software is developed using git (which also comes with a cryptographically secured history), detecting manipulations there is also practical in most cases.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: maaku on June 18, 2014, 11:27:18 PM

The miner needs to verify the entire block chain history because otherwise he has no way of knowing if he is actually on a valid chain or not. This has nothing to do with UTXO commitments, rolling root, or any other proposal. It's a basic, fundamental requirement of any consensus system: if the miners themselves operate in SPV mode (which you advocate)

Full stop. I have never advocated that. If you believe that, then you never understood the rolling root proposal.

I agree it's best to keep the threads separate. If you have questions about how rolling root works feel free to ask in the other thread.

Sticking to UTXO though, I don't believe you answered my question. UTXO is not SPV either, so it is still not clear to me why you say they don't know whether they're on a valid chain or not. They downloaded the headers from genesis (SPV), but in addition to that they downloaded the entire UTXO meta chain which they can then use to verify any txn and build the merkle/btree or w/e the latest data structure is.

maaku

legendary

Activity: 905

Merit: 1012

Sure I can, now that I'm at my computer instead of my phone Wink

The miner needs to verify the entire block chain history because otherwise he has no way of knowing if he is actually on a valid chain or not. This has nothing to do with UTXO commitments, rolling root, or any other proposal. It's a basic, fundamental requirement of any consensus system: if the miners themselves operate in SPV mode (which you advocate), then anyone -- no matter their hashrate! -- can trick the network into mining an invalid chain. The attacker does so by mining a fork with invalid history and temporarily (by luck or 51%) overcoming the honest network. New miners coming online, or miners tricked into reseting their state then switch to the invalid chain This completely invalidates the SPV assumption and makes it unsafe for anybody to use the network.

"Rolling root" doesn't even make sense in the context of bitcoin, as has been explained multiple times by multiple people in your own thread. Let's not bring that discussion here. If your goal is to minimize the amount of data required to bring new non-mining nodes online, then that is what UTXO commitments does.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: maaku on June 18, 2014, 10:09:13 PM

no it's worse than that -- you have to download and process every single block since Genesis. otherwise you may be on an invalid chain and not even know it.

Can you explain why that is?

If what you're saying is true, then the rolling root is still needed for Bitcoin's future feasibility and safety: http://hackingdistributed.com/2014/06/18/how-to-disincentivize-large-bitcoin-mining-pools/#comment-1442133143

maaku

legendary

Activity: 905

Merit: 1012

no it's worse than that -- you have to download and process every single block since Genesis. otherwise you may be on an invalid chain and not even know it.

sugarpuff

newbie

Activity: 58

Merit: 0

Quote from: maaku on June 18, 2014, 05:55:25 PM

You never ever under any circumstances want to be mining on top of a chain you have not validated the entire history of.

Interesting point. Hope you don't mind if I mention your reply in that other thread as well.

So, what is the takeaway from that then? That new lite-nodes can use UTXO to validate arbitrary queries, but they cannot participate in securing the network until they have all the transactions for the leaf nodes of the entire UTXO tree?

doldgigger

full member

Activity: 170

Merit: 100

Quote from: hazek on June 17, 2012, 01:43:53 PM

Before I read this I just want to quickly post that I personally, no matter whether justifiably or unjustifiably, I personally feel like this is the most pressing issue when it comes to Bitcoin's successful future and I really hope the core team has planed an order of priorities accordingly.

Why pressing? The blockchain is easy to understand and verify. And the practically required size might be reduced by imposing a fee on old inputs, which would lead to implementors of wallet software implementing per-wallet compression strategies in order to avoid the fee. Having some archival nodes with a full history still wouldn't hurt.

maaku

legendary

Activity: 905

Merit: 1012

You never ever under any circumstances want to be mining on top of a chain you have not validated the entire history of.

Topic: Ultimate blockchain compression w/ trust-free lite nodes - page 2. (Read 87932 times)