Note that this is a mostly theoretical weakness: the cost to attack is orders of magnitude higher than cost of simply creating fake blocks, which are almost just as good at defauding SPV clients (particularly when you have a pile of money left over by using the cheaper attack!).
Anyway, not many SPV clients actually exist these days - instead it's much more common for "lite" wallets to actually use trusted servers.
I wish they were frankly. Unfortunately there's endless dishonesty and fraud in the blockchain world in projects denying that their solutions involve huge amounts of trust; that's just a mild example out of many.
> Mining several blocks in private to confirm the fake transaction may be needed to prevent the other miners from reorganizing the blockchain in order to steal the fees and output of transaction T. If the attacker is not in collusion with 51% of the miners, then this may cost the attacker millions in rented hashing power ...
Does this mean that this exploit only has value to an attacker who is already capable of sustaining a 51% attack?
No, AFAIU it only implies that such an attacker would have to face the multi million dollar cost of renting enough hashing power to guarantee that no-one could steal the 'loot' before the attack has settled. I didn't study the article a lot, but it seems the attack transaction(s) previously crafted can essentially be stolen by any node working with it, and that the costs sunk by the attacker to craft the could then be avoided by THAT attacker.
The very popular Gnutella/DC TTH algorithm was distinguishing between Merkle tree and leaf nodes for security/correctness in circa 2000, so it's not clear why Bitcoin (2009) left it out.
Interesting to see how much intellectual rigor is in the theory of Bitcoin, and how little in the long term market. It’s the exact opposite of most startup sectors.
Anyway, not many SPV clients actually exist these days - instead it's much more common for "lite" wallets to actually use trusted servers.