How can a lightweight client make sure output has not been spent yet?

It's simple to prove the creation of a UTXO: You just need to provide the transaction data, the Merkle branch, and block of the creating transaction.

Then, as a full-node, it is simple to check whether the output hasn't been spent yet: You're keeping track of the UTXO yourself, and if it hasn't been removed from your UTXO set, it's still unspent.

As a lightweight client doesn't have the full UTXO set at hand, how could it make sure that an output is still unspent? I see that BIP0064 introduced a getutxo message, but can't seem to find more about it. Is such an interface still in effect? Is there an option beyond polling a number of different nodes for a particular UTXO, or running a full-node?

Clarification of what I'm interested in: I've recently read the paper Sybil-Resistant Pseudonymization and Pseudonym Change without Trusted Third Parties. The proposed system BitNym manages pseudonyms by storing them in transaction outputs. A pseudonym stays valid until the anchoring output is spent. It is therefore of interest to check whether an output is still in the UTXO set.

Murch

Posted 2016-04-26T07:33:40.163

Reputation: 41 609

Answers

There are currently 115 or so nodes which will answer the getutxos message. This is as good a source of this information as calling a 3rd party API. The problem with both of these sources is that they do not provide cryptographic proof.

It's not actually possible to prove an output unspent, for the simple reason that it may have been spent in a block found an instant after the proof was produced.

The idea of UTXO commitments would have miners publish a digest of the entire UTXO set in every block, which could be referenced to prove that a specific UTXO was unspent as of the lastest one, but you're probably also interested in any unconfirmed spends that are floating around out there.

It may be a better idea to ask your peers to try to prove that an output is already spent. Only confirmation should build your confidence in an incoming payment, but a spend proof in the form of a conflicting transaction (+ merkle branch, if found in the chain) can instantly lower your confidence to zero.

Tom Harding

Posted 2016-04-26T07:33:40.163

Reputation: 336

UTXO commitments seems to be exactly what I was looking for, thank you. The nodes are the XT nodes, right? I've edited the question to clarify what I am exactly interested in knowing. – Murch – 2016-04-27T08:32:27.637

As a lightweight client doesn't have the full UTXO set at hand

I assume you're right and in addition to your second message, I suppose the only way to check UTXO without BIP64 is to call a full node.
Here is a simple exemple to do that :

curl "https://bitcoin.toshi.io/api/v0/addresses/12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX/unspent_outputs"

from https://toshi.io/docs/#get-address-unspent-outputs

onepix

Posted 2016-04-26T07:33:40.163

Reputation: 240

It appears that BIP64 was reverted soon after it was merged, and only lived on in BitcoinXT as Mike Hearn originally introduced it for his Lighthouse application. The getutxo message is also not part of Bitcoin Classic, as Classic was forked from Core, and not from XT.

Therefore, it seems to me that being sure an output is still unspent is only practical by running your own full-node to query with gettxout.

Please feel free to correct me, if the above is not accurate.

Murch

Posted 2016-04-26T07:33:40.163

Reputation: 41 609

I don't think an SPV node can know for sure for 0-conf transactions.

However, once the transaction is in a block, the full node will provide you with a Merkle path proving that this transaction is part of that block. So then you're sure and if you also keep track of the PoW and subsequent blocks you can count how many confirmations the transactions has.

Jannes

Posted 2016-04-26T07:33:40.163

Reputation: 5 823

Yeah, the proof of the contrary is trivial, no question. I am however actually wondering about the stated problem: How can a lightweight node be reasonable sure about an output not being spent yet? – Murch – 2016-04-26T13:22:39.227

Ah you mean the question as "without waiting for a confirmation". Another way would be to trace back the input of the transaction all the way back to the coinbase transaction(s). Downloading only the (parts of the) blocks that are relevant along that graph. That could add up to serious amounts of data (worst case the whole blockchain I guess). However, if UTXO commitments ever become a thing, a light client might do the above tracing only until it has a UTXO commitment. Or depending on how the UTXO commitments will work, no tracing at all: every block contains a delta to update the UTXO set. – Jannes – 2016-04-26T21:00:04.070

No, I mean, that it is still in the UTXO set. – Murch – 2016-04-27T00:20:59.823

I've edited my question to clarify my interest. – Murch – 2016-04-27T08:42:24.843