OP_CHECKUTXOSETHASH idea
Erik Aronesty
moonsettler
Since it is costly for nodes to compute, this is a bit of a DOS vector. I would suggest to limit UTXO set commitments to every 2016 blocks (either the first or the last block of a difficult adjustment epoch).
If it checks the UTXO set commitment of a previous block, it will not interfere with mining, for example always commit to the initial state of the difficult adjustment epoch at the end of the epoch. The hash can be calculated well in advance. It also would be the same in every check, so it's not possible to use it for denial of service.
It's a bit interesting that the script can not be fully validated before it hits an actual block. It also allows for submitting a transaction into the mempool that might be invalid to mine, that needs additional steps for eviction. Wonder if this allows for weird new pinning attacks for free?
Overall I have low confidence that this belongs in script instead of the coinbase transaction structure via a more specific soft fork.
BR,
moonsettler
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJowKgLE4kb7qT1NxXrmEssr8%2BfQGd-%3D7%3Dm-BAsjePoti8TRRg%40mail.gmail.com.
Erik Aronesty
I agree, this doesn’t belong in general script where it could create mempool weirdness; also the DoS surface is real if checkpoints can be demanded arbitrarily.
Verification isn’t nearly as heavy as you suggest though. Every validating node already maintains the UTXO set; computing the salted hash once per epoch is basically a linear scan with caching. Incremental hashing techniques can make it even faster.
To reduce attack surface: commitment in the coinbase only, at most once per difficulty epoch. No mempool footprint, no risk of pinning attacks, and no repeat scanning. Nodes just compute and cache the root when they process the epoch’s first block, then check a 32-byte value at the epoch’s end. Producing that root is still expensive enough to require real incentives (sponsor still has to pay for it, and that's OK) - checking it is trivial.
Voluntary and expensive to make, cheap to verify, consensus-enforced if present but never mandatory. Miners and sponsors decide if it’s worth burning the cycles, nodes get a safe fast-sync path.
The key ingredient is sponsor-paid-work. This thing disappears if nobody wants to pay for it or mine it.
Peter Todd
> A soft fork could introduce a new opcode, `OP_CHECKUTXOSETHASH`, allowing
> miners to optionally commit a deterministic hash of the current UTXO set
> into a block. If present, all nodes must verify its correctness or reject
> the block; if absent, the block is still valid. Old nodes treat the opcode
> as unspendable, so backward compatibility is preserved.
>
> Because computing the full UTXO root is costly, this makes each checkpoint
> intentionally expensive to produce, ensuring that miners will only include
> them when compensated with sufficient fees. Additionally, it could be
> limited to one per block.
validate that the block is valid.
Anyway, just as an aside, if you really need to do something like this, make
the commitment be computable in advance by using a UTXO set root from the
*prior* interval, to give nodes plenty of time to compute it. I outlined this
approach before in the form of delayed txo commitments:
https://petertodd.org/2016/delayed-txo-commitments
--
https://petertodd.org 'peter'[:-1]@petertodd.org