[bitcoin-dev] Fork of invalid blocks due to BIP66 violations
tier.nolan at gmail.com
Sat Jul 4 15:35:49 UTC 2015
On Sat, Jul 4, 2015 at 4:18 PM, Justus Ranvier <
justus at openbitcoinprivacyproject.org> wrote:
> In general, the situation can be improved if there existed proofs which
> validating full nodes could broadcast which would tell SPV nodes why the
> branch it sees with the most proof of work is actually invalid.
Yeah, fraud proofs have been suggested lots of times in the past.
In this case, they weren't even needed. Fully updated SPV clients should
also have rejected the invalid fork. All the information required to
reject it was in the header chain.
The problem wasn't SPV miners, it was SPV-miners where the SPV part wasn't
upgraded to handle v3 blocks.
> As far as I can tell, producing such proofs is reasonably
> straightforward for all cases except the case where a block is invalid
> because it contains a transaction which references a non-existent output.
Even that can be handled with UTXO set commitments. If the UTXO tree is
sorted you can prove that an entry doesn't exist.
What cannot be handled is proving that a block is invalid if the
transaction data for the block is withheld.
> If each transaction input identified the block containing the referenced
> outpoint, then the proof of non-existence is either the block in
> question, or the list of block headers (to show that the block doesn't
> exist). That's a significant improvement in proof size over the entire
That is reasonable. Unconfirmed transactions can't include that info
It could be committed in as an extra commitment.
One issue is that you need to prove of of these commitments too.
A transaction which points to the wrong block would also be provable in the
> Proving the non-existence of a particular transaction in a specific
> block could be made easier for future blocks by requiring transactions
> to be ordered in the merkle tree by their hashes. Then it would just
> require a few nodes in the tree to show that the transaction isn't in
> the place where it should be.
You could just have an extra merkle tree.
You would only need to include the block hashes for all transactions to
show that the two trees don't match. That is 32 bytes per transaction
rather than the full 200-500 bytes per transaction.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bitcoin-dev