I've been having a discussion with d'aniel from the forumsĀ about how to handle the possibility of a majority-miner conspiracy to raise inflation, if most economic actors use SPV clients.
Because of how blocks are formatted you cannot check the coinbase of a transaction without knowing the fees in the block, and the fees can only be calculated if you have all the input transactions for every transaction in that block. Because the attack scenario is an attempted takeover of the economy by miners, attempting to put hints into the blocks won't work - we have to assume the hardest chain is in fact wrong according to the rules signed up to by the Bitcoin user. The most obvious goal for a cartel of miners is to change the inflation formula, either for purely selfish reasons (they want more money than can be obtained by fees) or due to coercion by governments/central banks who still subscribe to the "inflation is good" idea. Whilst "good" nodes (still on the old ruleset) won't relay blocks that violate the rules no matter how hard they are, in a situation where an SPV client DOES hear about the bad best chain, it would switch to it automatically. And who knows how the network might look in future - perhaps most nodes would end up run by miners, or other entities that upgrade to the new ruleset for other reasons. d'aniel made a good proposal - having good nodes broadcast announcements when they detect a rule that breaks the rules, along with a proof that it did so. Checking the proof might be very expensive, but it would only have to be done for split points, limiting the potential for DoS. If a node announces that it has a weaker chain and that the split point is a rule-breaker, the SPV client would download the headers for the side chain to verify the split, then download all the transactions in the split block along with all their inputs, and the merkle branches linking the inputs to the associated block headers. In this way the fee can be calculated, the inflation formula applied and the coinbase value checked. If the block is indeed found to be a rule-breaker, it'd be blacklisted and chains from that point forward ignored. Miners may decide to allow themselves to create money with non-index-zero transactions to work around this. In that case the good node can announce that a given tx in the rule-breaker block is invalid. The SPV node would then challenge nodes announcing the longer chain to provide the inputs for the bad tx all the way back to a pre-split coinbase. Doing these checks would be rather time consuming with huge blocks, but it's a last resort only. In the absence of bugs, the mere presence of the mechanism should ensure it never has to be used. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development