-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
==Abstract==
In simple payment verification (SPV) proofs it is currently necessary
that every intervening block header be provided between two blocks in
order to establish both connectivity and proof of work. By committing to
a hash tree of past block headers in each block, these back references
can be exploited to demonstrate in logarithmic space that an elided
sequence of block headers actually represents the claimed work. This is
particularly useful in the construction of 2-way pegging between chains,
and as an efficiency optimization for SPV clients and headers-first
synchronization.
==Overview==
The miner of a block is allowed to choose some subset of the block
history which it creates direct links back to. These links include the
block hash, height, and work distance from the new block, and are
organized into a hash tree structure. The root of this hash tree is
committed to the coinbase string, or some other identifiable position in
the block. Bitcoin is soft-forked to include verification of the
accuracy of the contents of this structure - if present - as a
validation rule.
When constructing an SPV proof, the prover is allowed to choose
back-links from this structure whose relative work distance is less than
or equal to the apparent work of the proof-of-work which contains the
back-link structure. Apparent work in this context means the expected
work that would be required to meet or exceed the actual block hash.
Since back-links can only be used if the apparent work is greater than
or equal to the distance back, constructing such a fraudulent proof is
expected to require just as much or more work as recreating the
underlying sequence of blocks.
The result is skip list structure where lucky proofs of work are used
to skip back further than a single block (recall that if you search for
a 64-bit leading-0 proof of work, half the time you get 65 leading-0's,
a quarter of those cases have 66 leading-0's, and so on). When
constructing very long proofs, the solver will follow links back to the
nearest lucky block, then use the back-links contained within that block
to skip back to a prior lucky block, and so on until it reaches a block
which points directly to the desired target block. Given the
distribution of lucky blocks, it is expected that such compact proofs
require revelation of log2 N links in order to prove the work required
to build a chain of length N.
==Back link selection==
In fully general form, this compact SPV proof scheme works no matter the
back-links chosen by miners, so long as they are either revealed or
selected in a deterministic way such that full nodes can check their
validity. In choosing which back-links to include, the primary trade-off
is that more back-links results in better connectivity, whereas a
limited number of links results in smaller tree structures and therefore
fewer hashes.
At one extreme you can commit to every single header in the entire
history of the block chain, by building an incremental data structure
such as a binary heap. Such a structure would require log N storage per
chain and log N hash operations per block update, where N is the total
number of blocks in the chain. The root hash of this structure is then
committed to the block chain in a known location.
At the other extreme one could allow the miner instead to commit
whatever back-links he or she desires, and force these the hash tree
structure to be revealed prior to block validation. This allows the
miner to be selective in choosing back-links which provide the most
value, although there is not yet a clearly optimal mechanism for
choosing these links.
This is an area which requires more research with the purpose of
determining the best structure for the hash tree of block header
commitments, and the selection of back-links.
==Use cases==
For SPV clients, a client that has just come online could quickly
ascertain which block represents the most work, and retrieve compact
proofs-of-inclusion for its transactions without having to download
every intervening block header. This further eliminates the need for
checkpoints in an SPV client as it can instead obtain very compact
proofs back to the genesis block instead of the most recent checkpoint,
at a comparable cost. Similar optimizations apply to the initial stages
of headers-first synchronization of full nodes.
Assuming the availability of (U)TxO hash-tree commitments, a compact SPV
proof would allow a mobile client to very quickly fast-forward to the
current most-work block from which it could then query the spend status
of its wallet outputs.
For merged-mined or slow proof-of-work side chains, the savings from
not including every intervening block header could be very significant
in bandwidth and processing time.
Compact SPV proofs allow side chains or private accounting servers to
experiment with very short block intervals without having a detrimental
effect on SPV proof sizes, as the
