Simplified-Payment-Verification (SPV) is secure under the assumption that the chain with the most Proof-of-Work (PoW) is valid. As many have pointed out before, and attacks like Segwit2x have shown, this is not a safe assumption. What I propose below improves this assumption -- invalid blocks will be rejected as long as there are enough honest miners to create a block within a reasonable time frame. This still doesn’t fully inoculate SPV clients against dishonest miners, but is a clear improvement over regular SPV (and compatible with the privacy improvements of BIP157[0]).
The idea is that a fork is an indication of potential misbehavior -- its block header can serve as a PoW fraud proof. Conversely, the lack of a fork is an indication that a block is valid. If a fork is created from a block at height N, this means a subset of miners may disagree on the validity of block N+1. If SPV clients download and verify this block, they can judge for themselves whether or not the chain should be rejected. Of course it could simply be a natural fork, in which case we continue following the chain with the most PoW.

The way Bitcoin currently works, it is impossible to verify the validity of block N+1 without knowing the UTXO set at block N, even if you are willing to assume that block N (and everything before it) is valid. This would change with the introduction of UTXO set commitments, allowing block N+1 to be validated by verifying whether its inputs are present in the UTXO set that was committed to in block N.

An open question is whether a similar result can be achieved without a soft fork that commits to the UTXO set[0][1].

If an invalid block is created and only 10% of the miners are honest, on average it would take 100 minutes for a valid block to appear. During this time, the SPV client will be following the invalid chain and see roughly 9 confirmations before the chain gets rejected. It may therefore be prudent to wait for a number of confirmations that corresponds to the time it may take for the conservative percentage of miners that you think may behave honestly to create a block (including variance).

If users do not wait and happen to accept payments from an invalid chain during this time, these payments could get reverted. This is a weakness, but still seems preferable to continually following an invalid chain.

As long as a reasonable number of miners remains honest, a dishonest majority can only temporarily control the network, and their blocks (and all coins gained from it) will eventually be rejected.
-- Ruben Somsen

[0] Olaoluwa Osuntokun, BIP 157: Client Side Block Filtering, https://github.com/bitcoin/bips/blob/master/bip-0157.mediawiki
[1] Peter Todd, TXO commitments do not need a soft-fork to be useful, https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-February/013591.html
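The waiting rule from the post ("including variance"), worked through as an added example that is not part of the original message. It assumes each new block is found by an honest miner independently with probability equal to the honest hash-rate fraction, a constant total hash rate and a 10-minute block interval; the function names and the `risk` parameter are introduced here for illustration.

```python
import math
import random

BLOCK_INTERVAL_MIN = 10.0  # assumed target spacing at full network hash rate

def _check(honest_fraction, risk=0.5):
    if not (0.0 < honest_fraction < 1.0 and 0.0 < risk < 1.0):
        raise ValueError("honest_fraction and risk must lie strictly between 0 and 1")

def mean_minutes_to_honest_block(honest_fraction):
    """Mean wait until the honest minority mines a competing (valid) block."""
    _check(honest_fraction)
    return BLOCK_INTERVAL_MIN / honest_fraction

def mean_invalid_confirmations(honest_fraction):
    """Mean number of dishonest blocks found before the first honest block
    (mean of a geometric distribution)."""
    _check(honest_fraction)
    return (1.0 - honest_fraction) / honest_fraction

def confirmations_to_wait(honest_fraction, risk):
    """Smallest k such that P(k dishonest blocks in a row) = (1-h)^k <= risk."""
    _check(honest_fraction, risk)
    return math.ceil(math.log(risk) / math.log(1.0 - honest_fraction))

def minutes_to_wait(honest_fraction, risk):
    """Time t such that P(no honest block within t) = exp(-h*t/10) <= risk."""
    _check(honest_fraction, risk)
    return -math.log(risk) * mean_minutes_to_honest_block(honest_fraction)

def simulate(honest_fraction, k, trials=100_000, seed=1):
    """Monte Carlo check: fraction of trials in which the invalid chain gains
    k blocks before any honest block (and hence any fork) appears."""
    _check(honest_fraction)
    rng = random.Random(seed)
    hits = sum(
        all(rng.random() >= honest_fraction for _ in range(k))
        for _ in range(trials)
    )
    return hits / trials

if __name__ == "__main__":
    h = 0.10  # the post's example: 10% honest miners
    print("mean minutes until a valid block:", mean_minutes_to_honest_block(h))
    print("mean confirmations on invalid chain:", mean_invalid_confirmations(h))
    for risk in (0.05, 0.01):
        k = confirmations_to_wait(h, risk)
        print(f"risk {risk}: wait {k} confirmations "
              f"(~{minutes_to_wait(h, risk):.0f} min), simulated {simulate(h, k):.4f}")
```

The averages reproduce the post's figures (100 minutes, roughly 9 confirmations); bounding the chance of still being on an unforked invalid chain requires waiting well beyond the average.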