RPC/txoutproof: Support including (and verifying) proofs of wtxid

[luke-jr]

Feature requested by @SomberNight for Electrum's Lightning stuff. (Please confirm this does what you need)

Unfortunately WIP because the wtxid merkle root calculation doesn't match and I don't have time to figure out why not yet (maybe after concept ACK? or if anyone else wants to take a look...)

Mostly backward compatible, but a segwit-enabled proof will verify the generation tx in old versions.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32844.

Reviews

See the guideline for information on the review process.

Type	Reviewers
Concept ACK	Sjors, ajtowns, fjahr

If your review is incorrectly listed, please copy-paste <!--meta-tag:bot-skip--> into the comment that the bot should ignore.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #33116 (refactor: Convert uint256 to Txid by marcofleon)
• #33094 (refactor: unify container presence checks by l0rinc)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

LLM Linter (✨ experimental)

Possible typos and grammar issues:

• In RPCResult description: "If verify_witness is true and the proof invalid" -> "If verify_witness is true and the proof is invalid" [missing “is” makes the sentence ungrammatical]

No other typos were found.

^{drahtbot_id_4_m}

[SomberNight]

Feature requested by @SomberNight for Electrum's Lightning stuff. (Please confirm this does what you need)

Wow, thank you for working on this! I was meaning to open an issue to ask for this, but did not even get to that yet.

The request I would like an electrum server, assuming txindex=1, to be able to serve is:

bc.tx.get_merkle_witness(txid), (so given just a txid,)

return a dict containing:

• wtxid
• block_height
• block_hash
• pos (index of tx in block)
• merkle or wmerkle
  • exactly one of the two
  • merkle is the Satoshi-SPV proof, in case there is no witness commitment in the block
  • wmerkle is the witness-SPV proof otherwise
• cb_tx, the generation/coinbase tx
• cb_proof, the Satoshi-SPV proof for the generation tx

Obviously the electrum server can act as middleware and transform the response, assuming the necessary fields are available or obtainable.

As far as I can tell, but I haven't tried yet, the RPC response from this PR can be transformed to what I describe above. So the RPC looks to be doing what I need. :)

---

I think it is non-trivial, so let me detail how an electrum/light client would then use bc.tx.get_merkle_witness(txid):

• it is assumed client already has a full raw tx, and wants to verify whether it has been mined
• client also has full header chain, proof-of-work verified
• client calls bc.tx.get_merkle_witness(txid)
• client calculates wtxid of full tx it has, compares it with received wtxid
• using cb_tx, cb_proof, block_height, block_hash
  • client Satoshi-SPVs the received coinbase tx, against block header merkle_root
• client extracts witness_commitment from cb_tx
  1. if there is no witness_commitment,
     • client Satoshi-SPVs the txid, using merkle, block_height, block_hash, pos, against block header merkle_root
     • now client has an SPV guarantee that block only contains non-segwit txs, and tx in particular is also non-segwit (wtxid==txid) and it was mined in this block
  2. if there is a witness_commitment,
     • client must do witness-SPV, even if tx seems non-segwit (as e.g. malicious electrum server could have stripped away the witness)
     • client does witness-SPV using wmerkle and pos, against witness_commitment
     • client must check that length of wmerkle matches length of cb_proof. This ensures there are the same number of levels in the wtxid merkle tree and in the txid merkle tree. (the two trees should have the same number of leaves, but this seems hard to check as a light client) This is intended as some protection against merkle-tree-construction weaknesses (cf. banning of 64 byte transactions and similar).
• now client has an SPV guarantee that wtxid was mined in this block
  • or if some check failed, then the client can connect to another server

[Sjors]

Concept ACK. @SomberNight it's still useful if you open an issue to track the reason you need this, just in case this implementation PR doesn't make.

[Sjors]

Took an initial look at the code, but got a bit confused. Will check again later.

[luke-jr]

Reworked this to cover @SomberNight 's requirements and address feedback. Test is now passing.

[DrahtBot]

🐙 This pull request conflicts with the target branch and needs rebase.

[ajtowns]

Transaction proofs are an interoperability feature, I don't think it makes much sense to implement this without also documenting it and providing test vectors via a BIP.

Concept ACK

[ajtowns]

There is no such subclass?

I think all this logic should entirely be in a separate class though. For efficiency probably two paths:

• if the generation tx has no witness commitment; provde all (w)txids and the generation tx via the block partial merkle tree.
• if the generation tx does have a witness commitment; provide just the generation tx's merkle path back to the block header, and prove all wtxids via a partial merkle tree back to the witness commitment

[ajtowns]

I think this should probably be automatic, with the current "array of txids" result being stuck behind a -deprecatedrpc option.

[fjahr]

I think that makes sense and we could even do the same for gettxoutproof I think (if that wasn't already intended with the comment as well).

[ajtowns]

This information (height, confirmations, assumeutxo info) seems better obtained via getblockheader on the blockhash to me.

[ajtowns]

I would have expected this logic to be in merkleblock.cpp as a standard part of verifying a proof (eg so that it could be included in kernel), not in the RPC code.

[ajtowns]

Being able to easily prove/verify that a tx was included in a reorged block seems fine?

[fjahr]

Concept ACK

Is there something special about the naming "generation tx" here? It seems to be just an older alias for the coinbase transaction without any other special meaning. I can not recall seeing it used anywhere in the code base or online discourse. If I am not overlooking something it would probably be better to just call it coinbase tx instead which should be less confusing to newer contributors that haven't heard this term before.

[fjahr]

Should also cover an invalid proof here

[fjahr]

I think that makes sense and we could even do the same for gettxoutproof I think (if that wasn't already intended with the comment as well).

[DrahtBot]

⌛ There hasn't been much activity lately and the patch still needs rebase. What is the status here?

• Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
• Is it no longer relevant? ➡️ Please close.
• Did the author lose interest or time to work on this? ➡️ Please close it and mark it with one of the labels 'Up for grabs' or 'Insufficient Review', so that it can be picked up in the future.

[sedited]

There's been unaddressed review comments here for some time already. @luke-jr do you plan to respond to these? If not, maybe one of the reviewers could take charge of this change?

[Sjors]

I plan to take this over and address earlier feedback, unless someone else beats me to it.

[Sjors]

Here's an initial sketch: Sjors#116. I plan to open a PR on this repo after some polishing.

For the test vectors I used small and early blocks, so we can include them as fixtures for a roundtrip test. These could be turned into a BIP, but I prefer if someone else does that, @SomberNight? There might be a better set of test vectors, I can switch to those.

I limited my PR to proving a single transaction at a time. Is there a need to provide multiple at once? In that case we might need a BIP to define an encoding for that, as it's less trivial than just an array of hashes. The RPC command takes an array of wtxid's, so it's easy to add support for this later.

[Sjors]

@SomberNight wrote:

The request I would like an electrum server, assuming txindex=1, to be able to serve is:

bc.tx.get_merkle_witness(txid), (so given just a txid,)

I assume you can also make the request by wtxid? If not, why not?