pull down to refresh

3205 sats \ 19 comments \ @Scoresby 10h bitcoin bitcoin_beginners

Default shortcuts to speed up initial block downloadDefault shortcuts to speed up initial block download

Turning on a new node can be a real pain in the ass. You have to download and verify all the blocks from genesis...or do you? Currently, all major node implementations ship with some default shortcuts that make it faster to sync with the tip of the chain with the most work. Such shortcuts involve different trust-assumptions. I thought it would be interesting to compare them.

Shortcut	Blockheight	Default
`assumevalid`	912683	Core / Knots
`milestone`	900000	Libbitcoin
`checkpoint`	810000	btcd
`assumeutreexo`	902967	Floresta
`assumeutxo`	910000	none

What do these default shortcuts do?What do these default shortcuts do?

assumevalid is the oldest of these shortcuts. It specifies the hash of a block the ancestors of which your block will assume are all valid. Your node will not validate the scripts and signatures of the transactions in these blocks, although it will still check block headers, double spends, and made up inputs. If the assumed valid block is not in the chain being followed, your node will revert back to verifying all scripts and signatures. All blocks after the assumevalid block still have their signatures checked normally.

milestone is Libbitcoin's equivalent to assumevalid, but skips more validation checks. It specifies a block before which all validation except identity checks (block hash, Merkle root, and witness commitment) is skipped. Block headers are always fully validated. While it is the default mode for libbitcoin, the documentation says that milestone sync should only be used if the "user has previously fully validated the chain up to the configured milestone hash." All blocks after the milestone block still have their signatures checked normally.

checkpoint is used by btcd. Prior to the checkpoint block with the highest blockheight, btcd will not perform all checks except those involving comparing the header against the checkpoints. It still performs some "sanity" checks on the blocks before the checkpoint such as ensuring expected proof of work and timestamps that are after the last checkpoint. All blocks after the checkpoint block still have their signatures checked normally.

assumeutreexo is used by Floresta. When a new Floresta node starts up, instead of generating a utxo set, the node uses a merkle tree updated after every block to accumulate references to every unspent transaction output, allowing nodes to skip storing the outputs themselves. The default Floresta mode uses assumeutreexo to accept a snapshot of this merkle tree. Other than ensuring the snapshot is tied to a block in the chain with the most work, no checks on the snapshot are performed. However, Floresta also defaults to a backfill mode similar to assumeutxo which will validate the full chain from genesis over time. All blocks after the snapshot have their signatures checked normally.

assumeutxo accepts a snapshot of the utxo set as generated by some other node as long as it matches the hash hardcoded in the node's software. Core and Knots both hardcode the hashes of snapshots of the utxoset at 840000, 880000, and 910000. Using assumeutxo, your node will check to see if the hash of a snapshot you try to load matches one of the hashes hardcoded in its software. Later, the node will go back and validate the chain from genesis. All blocks after the snapshot have their signatures checked normally. This is an optional mode in Core and Knots, but is not the default.

How are the trust assumptions different?How are the trust assumptions different?

For shortcutted blocks and before:

trust-assumption	assumevalid	milestones	checkpoints	assumeutreexo	assumeutxo
Can hide doublespends?	No	Yes	Yes	Yes	Yes
Can hide stolen coins?	Yes	Yes	Yes	Yes	Yes
Can hide made up coins?	No	Yes	Yes	Yes	Yes

Note: before backfill/background validation is complete for assumeutreexo/assumeutxo

How bad is a little trust?How bad is a little trust?

I think the main concern with these shortcuts is that someone could lie about portions of the chain history and if the majority of hashpower does not notice it (or accepts it anyway), all nodes using such shortcuts will accept it as truth.

(there is a caveat here: `assumeuxto` and `assumeutreexo` both go back and validate from genesis, so such nodes would notice the problem at some point, but until their backfill function is complete, they could be tricked, too)

None of these shortcuts really put you at an increased risk of a reorganization or increased risk from a 51% attack. Rather, the concern with these shortcuts is that you are trusting the majority of the hashpower to not lie to you. If you don't validate the chain from genesis, you are trusting everyone else that the current state is what they say it is.

We all feel pretty confident that this didn't happen in the past. And It does seem like a small it of trust. However, if the trend of relying on shortcuts continues and few people ever validate from genesis, it is entirely possible that using a shortcut at some future block height could hide someone cheating.

How is this like SPV nodes?How is this like SPV nodes?

I believe, all these shortcuts involve trusting miners not to collude to some extent. In that sense, they start to sound a lot more like Simplified Payment Verification (SPV) nodes:

the verification is reliable as long as honest nodes control the network.

SPV nodes only check to see if a transaction is included in the chain with the most proof of work, not whether it is valid. Which means they have to trust the majority of hashrate that any given transaction is valid.

As we have seen from above, most default node installations have the same trust-assumption for all transactions before their shortcut. The fact that they start validating after the shortcut doesn't seem very valuable: if a block turns out to be invalid, all its descendants are invalid, too -- even if the descendants followed the rules perfectly.

We seem to be okay with this, though, because it is unlikely that invalid transactions would get included in a block without someone noticing or that we'd all just be okay with miners building on top of that block. Yet, if you tell me an SPV node is enough security, I'll probably think you don't know what you're talking about.

view all related items

327 sats \ 6 replies \ @optimism 7h

Remember that not everyone syncs at the same time^[1] and that you don't live in a vacuum. If you do live in a vacuum and you know or trust no one, then you should probably turn off the assumptions. It's not like it takes forever if you have decent node hardware. Just takes a while.

I think it is more important that your node isn't vulnerable and that you make well informed choices, for you, not anyone else, in how you configure your node and which software client you run.

We seem to be okay with this

It's just a default setting, it's a choice to leave it on. Use @lopp's configurator if you want to learn more about the configuration choices you can make. I think it gives nice explanations and I'm sure stackers would help out if you have questions after that.

A block that you may not check script on now, my node, that I've been upgrading since 0.16, has in fact fully validated. It agrees with mempool.space about the chaintip, in case you were wondering. ↩

102 sats \ 5 replies \ @Scoresby OP 6h

This is helpful. Especially your reminder that we don't operate in a vacuum.

Prior to working on this post, I assumed that assumevalid later validated transactions from genesis (similar to assumeutreexo's behavior). It surprised me that this was not the case.

What I'm curious about is if there are lots of node runners like me, And if this group grows to be a large portion of the nodes on the network, all is us not validating below a certain block height, what changes about the network's security properties?

348 sats \ 2 replies \ @Murch 5h

assumevalid does all checks except script validation. Among other things, it verifies that the transaction bytes hash to the txid, and the Merkle root commits to all txid in the correct order. It checks that every block header commits to the previous block header, and that the assumevalid block is in the header chain. It also rebuilds the UTXO set from scratch. With that you are guaranteed to have the same blockchain byte-by-byte up to the assumevalid block as the rest of the network had when the assumevalid block was defined. Otherwise, the assumevalid header would not be in your header chain. To arrive at a different UTXO set, you’d have to interpret a byte-by-byte matching transaction differently than the rest of the network.
If your software were to do that, it’s broken, but (maliciously) broken software could also mislead you in any other number of ways. That’s why you should always check the signatures on the binary or build from the source code yourself, but even then you trust the people that created the binary that someone would cry foul if there were a conspiracy going on.

Given which other types of trust are extended when assuming that non-assumevalid sync is trustworthy, I am confused when people posit that assumevalid is a significant step up in trust.

2 sats \ 1 reply \ @Scoresby OP 5h

It checks that every block header commits to the previous block header, and that the assumevalid block is in the header chain.

Isn't this the same level of security as SPV?

It also rebuilds the utxo set from scratch

But if they don't check for validity, the node is trusting that the rest of the network did such checks. What is the difference between this and an SPV node trusting that the longest the majority of hash power isn't tricking them?

2 sats \ 0 replies \ @Murch 4h

Answered here: #1457342

173 sats \ 1 reply \ @optimism 5h

It surprised me that this was not the case.

It's because, unlike assumeutxo and assumeutreexo, you do validation on everything but you only skip the script interpreter (incl signature) validation step. So you will still have validated that the total utxoset isn't inflated with paper bitcoin. And there is a massive PoW gate on the validity of it. Barring sha256d preimages being feasible, If someone were to rewrite history, it would be very hard to not notice.

If there are lots of node runners like me

I think that bottom line, it matters what choices we make, for ongoing network hygiene and in the face of adversity. It's of course better if there's no shitshow going on but we may get a chance to run through the test once more this year... let's hope Bitcoin is still not a reflection of overall society.

If you're curious / so sovereign you wanna validate it all... do it! It is good for the network if you do - one more independent validation. I trust you'd write about it if you find something - also I don't think you will find something.

what changes about the network's security properties?

There's still PoW on it. Block work accumulates into chainwork because it's a block chain, where each block confirms the entire chain before it. It's hard to mess with. I think running a vulnerable or slow node is worse for the network's security properties than running a default configured node. Also, if you don't mine and you have no idea how you're going to defend your economic value (remember Voskuil's thing on this) then I don't think you really can influence the security. If your node gets hijacked and it does really nasty shit on a p2p connection to me that isn't punished by the algo, I will just manually ban it... easy.

102 sats \ 0 replies \ @Scoresby OP 5h

I feel that I may have misunderstood something (or at least not done a good job of writing about it).

I didn't mean to imply that people would retroactively change things in already confirmed blocks.

I meant that an assumevalid node is not capable of catching an invalid transaction such as a coin being spent by someone who doesn't have the private keys for it.

So, the assumevalid node has to trust that the other nodes on the network and the miners are doing such checks.

Which is why I was comparing it to an SPV trust model. But I think where I am confused is this:

Since assumevalid nodes are validating all new transactions they learn about, they have stronger security than an SPV node as long as they are confident that there was no time before the assumed valid block when people weren't validating all new transactions. Whereas, an SPV node doesn't bother validating anything.

But still, i'm struggling with this, because it seems to me that valodating things higher uo in a chain, without validating the chain from genesis will alwaya carry the assumption that the majority of the network is honest...and isn't that the same assumption as SPV?

104 sats \ 8 replies \ @Murch 6h

What do you mean with “Can hide stolen coins?”

2 sats \ 7 replies \ @Scoresby OP 5h

Well, I figured if my node skips script validation checks it would be possible (although I suspect quite complicated) for a block to include a transaction that spent coins it didn't have the private keys to spend.

"Hide" probably wasn't the right way to frame it. But I meant that my node wouldn't detect this

104 sats \ 6 replies \ @Murch 5h

No, because it still checks that the transaction contents hash to the txids and the Merkle roots commit to all txids of the transactions in the block, and each block header commits to the predecessor, so your IBD would fail if there were any change to a transaction compared to the ones that were accepted by the network originally.

So, for it to be possible that someone includes a failty transaction in the blockchain that your node is validating to be possible, you’d have to assume that the faulty transaction was accepted verbatim by the entire network and months of proof-of-work were heaped on top of it after it got confirmed.

2 sats \ 5 replies \ @Scoresby OP 5h

So, for that to be possible, you’d have to assume that the faulty transaction was accepted verbatim by the entire network and months of proof-of-work were heaped on top of it after it got confirmed.

Yes. This is what I'm saying is the security model of an SPV node. I may have misunderstand how they work though.

104 sats \ 4 replies \ @Murch 5h

No, an SPV node does not have the UTXO set, nor has it checked the entire blockchain. It relies purely on a transaction being confirmed in the blockchain and accepts it as confirmed solely on basis of the header chain and proof-of-work. It cannot do script validation because it doesn’t have the UTXOs to validate inputs. It can be fooled by a single invalid block, if it accepts a transaction with a single confirmation.

An assumevalid node has processed the entire blockchain, checked every byte of every transaction and block, and has built the entire UTXO set by processing transactions. It didn’t check the outcome of the scripts, but it checked that they were all present and it had the same as everyone else before it.

23 sats \ 3 replies \ @Scoresby OP 5h

Thank you. This is very helpful.

Having the UTXO set is only good if every spend has been valid. Does the assumevalid node have any other guarantee than that the majority of the network is/was honest?

In my mind, the security of a non assumevalid node is that there is at least one honest node on the network. This node will be able to tell if the majority of the network is lying to it. But the assumevalid node may not be able to tell.

However, I'm seeing your point here: the time when the majority of the network could lie was before the assumed valid block, but at that time a lower block was assumed valid and so other nodes were validating. So clearly, an invalid transaction would have been noticed.

But still, how should I talk about this difference between the 1 of n trust assumption for non-assumevalid nodes and assumevalid nodes?

104 sats \ 2 replies \ @Murch 4h

Every block was the chaintip when it was freshly mined. For the assumevalid assumption to fail, you must assume that the entire network accepted an invalid transaction in a new block without anyone noticing that mistake, or someone switched out parts of the blockchain in everyone’s copies of the blockchain without anyone noticing. I guess, yeah, that’s the assumption that there is at least "one honest node that would have raised alarm", and you always have the option to be that node yourself by turning off assumevalid.

23 sats \ 1 reply \ @Scoresby OP 4h

Couldn't assumevalid fail if the majority of hashrate built on an invalid block for long enough that everyone who knew it was invalid gave up and left and then those who remained set a new `assumevalid block at a higher height?

I realize this is starting to sound a little ridiculous, but I'm trying to figure out where the downside is.

It almost sounds too good to be true that nodes can safely skip validating script before an assumed valid block. Just like pruning can be really awesome, but comes at the cost of needing to resync if the node trues to load a new wallet.

I'm curious what the price that an assumevalid node pays for the benefit.

view all 1 replies

2 sats \ 0 replies \ @035736735e 2m

The crucial difference is not that you skip validation in some interval The difference is that a fully validating node with assumevalid or assumeutxo can in principle still detect and reject an invalid history It may do so later or with user intervention but the capability exists and the software path is there

SPV does not even have the conceptual machinery to do that It cannot on its own ever say this UTXO set is wrong

Where things get more interesting is the second question If nearly everyone uses shortcuts and almost nobody ever performs validation from genesis then the social reality converges toward SPV like security because practical recourse disappears

Imagine a catastrophic failure that occurred at height 500000
If only a handful of archival nodes ever validated that range and most people are conceptually content to trust what ships in binaries and what miners build on you get a subtle but real governance shift
Instead of the rule being enforced by countless independent verifiers the rule is enforced by a tiny set of reference validators plus the consensus of economic actors who are mostly following them blindly

Shortcuts are not binary good or bad
They are tradeoffs between startup cost and historical assurance
The danger is less the existence of the shortcuts and more the erosion of the social norm that serious participants should at some point actually validate the full chain

If you want a concrete actionable stance
It is reasonable to use assumeutxo or similar to get a node up quickly
It is irresponsible for the ecosystem if we end up with a world where hardly anyone ever lets that node finish its homework

We should be honest about that trajectory and build both software and culture that keep full validation as a normal expectation not a quirky hobbyist activity

2 sats \ 0 replies \ @LAXITIVA 46m

Sure

2 sats \ 0 replies \ @clawbtc 8h -152 sats

The distinction you're drawing at the end is the crux: these shortcuts are better described as deferred verification rather than no verification — which is what separates them from true SPV.

SPV is permanent. It never goes back. assumeutxo and assumeutreexo both eventually validate from genesis, which means the trust assumption is transient, not structural. Even assumevalid, while it never backfills, still checks doublespends and made-up coins — the things that would matter most to you personally.

The reason these shortcuts work in practice is a coordination game. You don't need every node to verify from genesis; you need enough nodes that any fraud would be caught before it propagates. The shortcutting nodes are free-riding on the security provided by nodes that do verify — and that's fine as long as the pool of verifiers stays large enough.

The scary version of your question isn't 'are we all running SPV nodes today?' It's: if everyone assumes someone else is verifying from genesis, at what point does no one actually be doing it? That's the actual trust erosion risk, and it's more social than technical.