
Hidden surprises in the Bitcoin blockchain and how they are stored - ca98am79
http://www.righto.com/2014/02/ascii-bernanke-wikileaks-photographs.html
======
mike_hearn
There's a hidden surprise in store for people who think this is a neat trick
to ensure their message lasts forever: there's no guarantee it will work.

In future some nodes, probably many, will become "pruning" nodes. That means
they'll throw old blocks away and won't be able to serve them anymore. It's a
popular misconception that it is technically necessary to store all blocks to
run a fully functioning Bitcoin node. So long term storage and serving of the
full chain will slowly start to migrate to more specialised archival nodes
that have cheap bandwidth and storage to spare. At that point stuffing data
into the block chain is not much different to just uploading it to a bunch of
servers.

But even those nodes don't have to store your data forever, for two reasons.

Firstly, although being able to reconstruct today's ledger by replaying from
day zero is a rather nice feature from an academic perspective, it's not
actually necessary for Bitcoin to function. Even if every archival node
deleted some old blocks, all that'd mean is you had to start your node from a
snapshot of the database taken at the earliest block time and work from there.
This means trusting the snapshot in some sense, but if many people have
calculated that snapshot and attested to it (especially if they've done so in
future blocks!), the practical security difference is quite small. Certainly
it wouldn't mean Bitcoin stopped working or anything.

And secondly, as Satoshi described in his original white paper, the way blocks
are structured means transactions can be deleted _forever_ and yet the chain
can still be replayed, if none of the outputs of those transactions were ever
spent. Given that outputs which store only files cannot be spent, it's safe to
both delete them from the UTXO set, and delete them from the archived blocks
too (such a block would have to be sent using the partial merkle tree format
already supported in the protocol). As long as identification of the outputs
is reliable/conservative so there's no chance of misidentifying a spendable
output as unspendable, you don't even need consensus to do this: just delete
the guff from your local database and only serve blocks to nodes that
understand partial block downloads, and you're done. Of course it's better if
there is consensus, so perhaps some future version of Bitcoin will schedule
certain transaction outputs for destruction as part of some other upgrade.
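
An added illustration of the pruning described in the comment above (not code from the thread or from any Bitcoin client): a subtree whose transactions are all discardable is replaced by its 32-byte hash, and the block's Merkle root still verifies. The transactions are constructed byte strings rather than real serialized transactions, and the `DATA:` prefix is a hypothetical stand-in for conservatively identifying unspendable, data-only outputs.

```python
import hashlib

def dsha(b: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for Merkle tree nodes."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

# Tree nodes: ("tx", raw_bytes), ("hash", digest) for a discarded subtree,
# or ("node", left, right).
def build(txs):
    level = [("tx", t) for t in txs]
    while len(level) > 1:
        if len(level) % 2:              # odd count: duplicate the last entry
            level.append(level[-1])
        level = [("node", level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

def node_hash(n):
    if n[0] == "tx":
        return dsha(n[1])
    if n[0] == "hash":
        return n[1]
    return dsha(node_hash(n[1]) + node_hash(n[2]))

def prune(n, is_prunable):
    """Replace every subtree made up only of prunable txs with its hash."""
    if n[0] == "tx":
        return ("hash", dsha(n[1])) if is_prunable(n[1]) else n
    if n[0] == "hash":
        return n
    left, right = prune(n[1], is_prunable), prune(n[2], is_prunable)
    if left[0] == "hash" and right[0] == "hash":
        return ("hash", dsha(left[1] + right[1]))   # collapse whole branch
    return ("node", left, right)

def retained(n):
    """Raw transactions still stored in the (possibly pruned) tree."""
    if n[0] == "tx":
        return [n[1]]
    if n[0] == "hash":
        return []
    return retained(n[1]) + retained(n[2])

# Constructed sample block: two ordinary payments, two data-only transactions.
TXS = [b"pay:alice->bob:1", b"pay:bob->carol:2",
       b"DATA:" + b"A" * 2000, b"DATA:" + b"B" * 2000]
FULL = build(TXS)
PRUNED = prune(FULL, lambda tx: tx.startswith(b"DATA:"))  # hypothetical marker

if __name__ == "__main__":
    print("root unchanged:", node_hash(FULL) == node_hash(PRUNED))
    print("bytes kept:", sum(len(t) for t in retained(PRUNED)))
```
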

~~~
AnthonyMouse
> Even if every archival node deleted some old blocks, all that'd mean is you
> had to start your node from a snapshot of the database taken at the earliest
> block time and work from there.

Why would _every_ archival node delete the old blocks? Wouldn't it be prudent
for at least a significant minority of nodes to keep copies of the entire
blockchain in case there is ever any dispute about the provenance of the
snapshot?

> Given that outputs which store only files cannot be spent

Is that a hard requirement? There is no feasible way to encode both a file and
a legitimate transaction into the same block?

------
SippinLean
> It is well known that the Genesis block...contains the message: 'The Times
> 03/Jan/2009 Chancellor on brink of second bailout for banks'. Presumably this
> is a political commentary

Actually, it was the way Satoshi showed that he hadn't pre-mined any bitcoins,
by using the title of a headline on the same day that he started mining (as
there was no way to fake that).

~~~
mikeash
Surely it's both? Embedding a headline is a great way to prove it wasn't
generated in advance, but there are thousands of headlines he could have used,
and he picked that particular one.

------
t05ter
How long until someone goes and puts something stupid in the blockchain such
as child porn, plans to make bombs, etc.?

Would this information then be used against a bitcoin user in the event that
his computer was confiscated by authorities?

~~~
mike_hearn
Already been done and no.

Bear in mind encoding data into the block chain is a pretty stupid thing to
do, practically speaking. No mainstream Bitcoin software/wallets have a file
extraction feature, so you end up needing to download a special app designed
to download that specific file. At which point, you may as well have just
downloaded the file as well. Absence of the special file-downloader-file is
proof that you are not willingly engaged in illegal conduct of any kind.

------
JohnTHaller
Couldn't a bunch of folks severely interfere with the already-slow processing
time for bitcoin transactions by sending large encoded bits in transactions
back and forth between a few addresses, making the already-unwieldy bitcoin
blockchain (24.1GB and counting in the Windows client) grow even more
unwieldy?

~~~
michaelt
According to [1] in the default client there's a fee of 0.0001 BTC per
thousand bytes. That's US$0.05 so for a million dollars you could add 20
gigabytes to the blockchain.

Of course, the default client will also only generate 750,000 bytes per
block, and the block rate is about 6 per hour, so the blockchain shouldn't
grow by more than 0.1 gigabytes a day. And if it takes 200 days to execute a
denial of service attack, people might notice the attack and adjust fees or
limits to make the attack more expensive.

With that said, presumably if bitcoin becomes widely used (and appreciates in
value) there will be many more transactions (requiring larger block sizes) and
the transactions will be much smaller (requiring smaller transaction fees). So
if you think you might want to perform a denial of service attack in the
future, invest now!

[1] https://en.bitcoin.it/wiki/Transaction_fees

------
indutny
Check out
[http://btc.blockr.io/tx/info/4434aa18b36eacfa897c909f9f36c28...](http://btc.blockr.io/tx/info/4434aa18b36eacfa897c909f9f36c28fb2809de6e5527b67b743e0137a82403b).
The non-first multisig's public keys form a deflated blog post ;)

------
maaku
Please please PLEASE do not do this. You would be burdening every other node
from now until the heat death of the universe.

~~~
ggreer
I don't think it's a huge problem. You have to spend BTC to get your message
saved.

As Dan Kaminsky once said (after using this technique to create a blockchain
memorial for Len Sassaman[1]), "This is the cyber-equivalent of pouring one
out for your homies."

[1] https://en.wikipedia.org/wiki/Len_Sassaman

~~~
maaku
The coin you may or may not spend does not go to the people who incur the
cost.

~~~
ryan-c
> The coin you may or may not spend does not go to the people who incur the
> cost.

The spent coin goes to nobody - it is burned into the blockchain as a
transaction output that can never be spent, and cannot be pruned.

~~~
maaku
I assumed he was talking about fees. You could make the output zero-valued.

~~~
ryan-c
Wouldn't a zero-value output trip the anti-dust rules?

~~~
maaku
Those aren't consensus rules. They are recommended policy.

