SPV proofs in Flexible Transactions
I've seen more people ask some important questions about worries they have with regard to SegWit and specifically how those worries apply to Flexible Transactions.
At The Future Of Bitcoin event Peter Rizun presented a talk about an economic attack (video). The idea is that miners can skip downloading and validating the Witness part of a SegWit block, and at a certain boundary this is actually profitable in a Bitcoin-like network.
The trick works because the witness is added in such a way that it doesn't interfere with or break any part of Bitcoin. That was the goal because SegWit wanted to be backwards compatible.
In Flexible Transactions we don't have that goal and what we decided is to adjust the merkle-root instead (spec). Essentially every single FlexTrans transaction has not one, but two entries in the merkle-tree. One is for the transaction without signatures and another is for the entire transaction, including signatures.
This has one main implication: a node cannot build the merkle-root without having all full transactions, including signatures. This breaks the attack, right there.
But there are a couple of other effects that may be even more exciting. (You know you are a geek if payment proofs and crypto are "exciting".)
SPV wallets currently request a transaction from a full node and they are able to get proof that this transaction really came from the chain by matching it to the block-header they have validated independently.
The way this works is that a merkle-tree (a tree of hashes where the parent is the result of hashing the children) is created by the full node and the direct path from the transaction all the way up to the root is provided to the SPV wallet. The SPV wallet can then hash its way up that path and validate with certainty that the transaction was in the block, which means it was mined and validated. That in itself can be used to avoid lots of fraudulent situations.
This is all possible today.
What FlexTrans adds is based on the fact that a FlexTrans transaction has not one but two hashes in the merkle tree. Getting either one is enough proof. But the useful part is that an SPV wallet can now request a transaction without signatures and still be able to do the validation that this is a transaction that has been mined. An SPV wallet can now choose between asking for a transaction with or without signatures. And since signatures take up to 75% of a transaction, this is a relevant difference.
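The two-hash proof described above, sketched in Python as an added example; it is not code from the FlexTrans spec or its implementation. The leaf layout (stripped hash and full hash side by side), the double SHA-256 and the duplicate-last-node rule are assumptions borrowed from Bitcoin's existing merkle tree, and the sample transactions are constructed.

```python
import hashlib

def dsha(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def leaves_for(txs):
    """Two leaves per transaction. ASSUMED layout, not taken from the spec:
    leaf 2i = hash(tx without signatures), leaf 2i+1 = hash(entire tx)."""
    out = []
    for stripped, sigs in txs:
        out += [dsha(stripped), dsha(stripped + sigs)]
    return out

def next_level(level):
    """Hash adjacent pairs; an odd level repeats its last node (assumed rule)."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [dsha(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = next_level(level)
    return level[0]

def merkle_branch(leaves, index):
    """Full-node side: sibling hashes on the path from leaf `index` to the root."""
    branch, level = [], list(leaves)
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level
        branch.append(padded[index ^ 1])
        level, index = next_level(level), index // 2
    return branch

def spv_verify(tx_bytes, index, branch, root):
    """SPV side: hash the received bytes up the branch and compare with the
    merkle root from an independently validated block header."""
    h = dsha(tx_bytes)
    for sibling in branch:
        h = dsha(sibling + h) if index & 1 else dsha(h + sibling)
        index >>= 1
    return h == root

# Constructed sample block: (bytes without signatures, signature bytes).
TXS = [(b"tx%d:inputs+outputs" % i, (b"sig%d" % i) * 8) for i in range(3)]

if __name__ == "__main__":
    leaves, (stripped, sigs) = leaves_for(TXS), TXS[1]
    root = merkle_root(leaves)
    print("stripped proof:", spv_verify(stripped, 2, merkle_branch(leaves, 2), root))
    print("full proof:    ", spv_verify(stripped + sigs, 3, merkle_branch(leaves, 3), root))
    print("root without signatures matches:", merkle_root(leaves[0::2]) == root)
```

Under this assumed layout the first sibling in a stripped-transaction proof is the hash of the full transaction, so the wallet still receives a commitment to the signatures it chose not to download.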