[Bitcoin-development] does "stubbing" off Merkle trees reduce initial download bandwidth?
Elden Tyrell
tyrell.elden at gmail.com
Tue Jan 3 01:39:09 UTC 2012
On 2012-01-02 14:41:10 -0800, Gregory Maxwell said:
> make this possible: https://bitcointalk.org/index.php?topic=21995.0
Neat! I had a similar idea but you've clearly beat me to [a big part of] it.
> Er, no— if a node controls the private keys for a transaction, and
> that transaction makes it into the chain then it can safely assume
> that its unspent (at least once its buried a few blocks into the
> chain).
I'm not so sure about that. If you accept X successor blocks as proof
that none of the transactions in a block re-used an output, then the
cost of attacking is X*50BTC since the hashpower needed for the attack
could have earned that much reward.
However, an attacker could use the same faked X-block sequence to
attack multiple clients by putting several double-spend transactions in
the first faked block. This would spread out the cost over more than
one attack. So simply checking that the value of the transaction is
less than X*50 isn't necessarily enough, although the logistics of the
attack aren't exactly easy.
There's also the question of knowing what the difficulty for those X
blocks ought to be. If the attacker controls your network connection
(e.g. your ISP attacks you) you wouldn't be able to get a second
opinion on how high the difficulty ought to be, and might get fooled by
X very-low-difficulty blocks that were each produced with a lot less
than 50BTC worth of hashpower.
- e
More information about the bitcoin-dev
mailing list