BIP draft: BIPs for Utreexo

[kcalvinalvin]

These are the 3 BIPs that describe Utreexo, a consensus-compatible (non-soft fork) way to send and verify transactions without storing the full UTXO set.

The 3 BIPs are for:

1. The specification of the Utreexo accumulator.
2. The specification of Bitcoin block and tx validation using the Utreexo accumulator.
3. The peer to peer networking changes required to enable Utreexo nodes.

Mailing list post: https://groups.google.com/g/bitcoindev/c/W1lxBraKG_E

[jmoik]

some typos

[jonatack]

Thank you for proposing these drafts. They already look quite complete with respect to the editorial requirements (BIPs 2 and 3). I've done a cursory first pass. No immediate conceptual feedback. A few editorial comments follow; feel free to ignore them during conceptual review until they are applicable.

[petertodd]

You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol. Right now you just link to a paper from 2011. But that paper is out of date now that hardware support for SHA-256 has become common.

[1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw]

I strongly recommend replacing SHA-256 with SHAKE256 (from the SHA-3 standard) for the following reasons:

1. Security Advantages

• 🔒 Provides built-in protection against length-extension attacks
• 📏 Offers flexible output lengths (supports 128-bit and 256-bit security levels)
• ⚙️ Based on Keccak sponge construction (NIST FIPS 202 standard)
• 🌐 Aligns with post-quantum cryptography standards

2. Comparative Analysis: SHA-256 vs SHAKE256

Characteristic	SHA-256	SHAKE256
Algorithm Family	SHA-2	SHA-3 (Keccak)
Output Flexibility	Fixed 256-bit	Arbitrary length
Security Properties	Vulnerable to length-extension	Resistant to length-extension
Internal Structure	Merkle-Damgård	Sponge function
Standardization	NIST FIPS 180-4	NIST FIPS 202

3. Functional Example

Input: Bitcoin

SHAKE256 (512-bit output):
6beb0661ba1fa7289bf359fbb81550bd9641cf5abc62a14d466c421c8a86e528e027632ec0e7ceb994650566f3c8258af2240333b6d0e9186766fd2c1ebb763a

SHAKE256 (256-bit output):
6beb0661ba1fa7289bf359fbb81550bd9641cf5abc62a14d466c421c8a86e528

4. Implementation Benefits

• ✅ Maintains 256-bit output compatibility where needed
• ✅ Future-proofs against emerging cryptographic vulnerabilities
• ✅ Reduces potential attack vectors through improved design
• ✅ Supports Bitcoin's security evolution while maintaining performance

5. Technical Reference

For detailed cryptographic differences:
Cryptographic Comparison: SHA-2 vs SHA-3

[kcalvinalvin]

You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol. Right now you just link to a paper from 2011. But that paper is out of date now that hardware support for SHA-256 has become common.

Sure we can update the accumulator BIP with benchmarks for SHA512/256 vs SHA256.

But could you link to the aforementioned justifications for the other parts of the Bitcoin protocol that use SHA512?

[kcalvinalvin]

I strongly recommend replacing SHA-256 with SHAKE256 (from the SHA-3 standard) for the following reasons:

SHAKE256 is not used in Bitcoin and introduces a new hash which increases the trust-assumption. We do not want to do this.

[jonatack]

Some friendly moderation to keep the discussion focused on technical review -- thanks.

[kcalvinalvin]

The reliance of Bitcoin on SHA-2—a legacy hash function designed by the National Security Agency (NSA)—introduces non-trivial security risks, particularly when considering the often-dismissed threat posed by quantum adversaries.

SHA256 and SHA512 are quantum resistent.

Migrating to SHAKE256 (a variant of SHA-3) would represent a meaningful improvement, though such a change merely delays the inevitable: Bitcoin must eventually transition to a quantum-resistant cryptographic framework. When this occurs—and it will, regardless of opposition—SHA-2, along with ECDSA private keys, public keys, and signatures, will become obsolete.
See: Lenght extension attack (Bitcoin is vulnerable because it's using SHA-256)

Ok but this has nothing to do with this BIP.

[murchandamus]

@1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw, please cut out the LLM generated comments. If any of us were interested in seeing an LLM’s prediction of what might be said about a topic, we could prompt one ourselves.

[petertodd]

On Mon, Aug 18, 2025 at 04:06:51AM -0700, Calvin Kim wrote: kcalvinalvin left a comment (bitcoin/bips#1923) > You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol. Right now you just link to a paper from 2011. But that paper is out of date now that hardware support for SHA-256 has become common. Sure we can update the accumulator BIP with benchmarks for SHA512/256 vs SHA256. But could you link to the aforementioned justifications for the other parts of the Bitcoin protocol that use SHA512?

No part of the Bitcoin consensus protocol uses SHA512.

[kcalvinalvin]

On Mon, Aug 18, 2025 at 04:06:51AM -0700, Calvin Kim wrote: kcalvinalvin left a comment (bitcoin/bips#1923) > You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol. Right now you just link to a paper from 2011. But that paper is out of date now that hardware support for SHA-256 has become common. Sure we can update the accumulator BIP with benchmarks for SHA512/256 vs SHA256. But could you link to the aforementioned justifications for the other parts of the Bitcoin protocol that use SHA512?
No part of the Bitcoin consensus protocol uses SHA512.

Ok but you've stated in your previous comment "You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol". Would be very helpful to see what type of justifications the other protocols have made.

Second, I don't think it matters if SHA512 wasn't used in the Bitcoin consensus protocol. SHA512 is used in BIP32 and the argument that SHA512 is safe for generating private keys but not safe for Bitcoin consensus isn't sound.

I think our original justification (better performance with SHA512/256) mentioned in the BIP is sound. Happy to provide the benchmarks, they're being worked on at the moment.

[lucad70]

For clarification, is the Utreexo_Tag_V1 really used twice in preimage to the hash?

[murchandamus]

My guess would be that this duplication is unintended.

Suggested change

	| Name | Type | Description |
	| ----------------- | ------------------------ | ----------------------------------------- |
	| Utreexo_Tag_V1 | 64 byte array | The version tag to be prepended to the leafhash. |
	| Utreexo_Tag_V1 | 64 byte array | The version tag to be prepended to the leafhash. |
	| Name | Type | Description |
	| ----------------- | ------------------------ | ----------------------------------------- |
	| Utreexo_Tag_V1 | 64 byte array | The version tag to be prepended to the leafhash. |

[petertodd]

On Mon, Aug 18, 2025 at 04:06:51AM -0700, Calvin Kim wrote: kcalvinalvin left a comment (bitcoin/bips#1923) > You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol. Right now you just link to a paper from 2011. But that paper is out of date now that hardware support for SHA-256 has become common. Sure we can update the accumulator BIP with benchmarks for SHA512/256 vs SHA256. But could you link to the aforementioned justifications for the other parts of the Bitcoin protocol that use SHA512?
No part of the Bitcoin consensus protocol uses SHA512.

Ok but you've stated in your previous comment "You need to justify why you're using SHA-512/256 rather than SHA-256, like the rest of the Bitcoin protocol". Would be very helpful to see what type of justifications the other protocols have made.

Second, I don't think it matters if SHA512 wasn't used in the Bitcoin consensus protocol. SHA512 is used in BIP32 and the argument that SHA512 is safe for generating private keys but not safe for Bitcoin consensus isn't sound.

I think our original justification (better performance with SHA512/256) mentioned in the BIP is sound. Happy to provide the benchmarks, they're being worked on at the moment.

The question is 1) why are we added one new dependency to consensus implementations, and 2) is this actually a performance increase, given that dedicated SHA256 hardware is becoming common?

Length-extension attacks are not relevant for this use-case as we are only committing to public data.

[murchandamus]

I had a look at most of the Accumulator Specification for the first helping. Looks very good already. I only reviewed the function definitions up to root_position, then skimmed the rest, before reading on from Rationale.

[murchandamus]

Nit: BIP 2 is still active, so this should be "Standard Track" for the time being.

[murchandamus]

Suggested change

	This BIP describes the Utreexo accumulator and it's operations. It lays down how to update the
	This BIP describes the Utreexo accumulator and its operations. It lays down how to update the

[murchandamus]

In case this doesn’t get discussed later, it might be interesting to compare how O(log₂(N)) for all transaction outputs ever created compare to the current UTXO set size.

[murchandamus]

Does this ambiguity regarding the depth of the leaf in the tree not introduce similar weaknesses as the original Merkle tree construction? Why would we float up leaf-hashes rather than create a tagged hash at each level?

Is this fully mitigated due to the number of leaves being known?

[murchandamus]

The numleaves - 1 throws me off here. It’s not obvious to me, why the function would be defined that way rather than the "minimum number of bits required to represent numleaves"? Perhaps a bit more context would help?

[murchandamus]

I could have used a little more explanation why this returns the parent, but staring at it for a bit, it seems to me that a fully filled tree with 2n leaves would have 2n-1 inner nodes, meaning that all leaves start with a zero in the first position and all inner nodes starting with a one.

E.g. for four leaves, the leaves are 000, 001, 010, and 011, and the inner nodes would be 100, 101, 110.

For 000 and 001, shifting to the right gives 00 and setting the top bit makes the parent 100. For 010 and 011, it works out to be 101. For 100 and 101, it works out to 110.

Gotcha, cool.

[murchandamus]

New jargon is usually italicized on introduction, perhaps consider:

Suggested change

	Utreexo's design is driven by the need for Bridge Nodes: nodes that maintain backward compatibility with existing
	Utreexo's design is driven by the need for *bridge nodes*: nodes that maintain backward compatibility with existing

[murchandamus]

This time I took a look at the "Validation Layer" BIP. Also looks very good already. I noticed that there is no Rationale section, and the title seemed a little less informative than it could be.

[murchandamus]

The title feels a bit odd to me. It could be a bit more descriptive, I was thinking "Utreexo - Transaction and block validation" or smth?

[murchandamus]

Nit: Until BIP 3 activates, this should be Standards Track.

[murchandamus]

Maybe for the time being:

Suggested change

	Utreexo accumulator itself, for that see BIP-????. This document is only concerned with
	Utreexo accumulator itself, for that see [‎BIP Utreexo Accumulator](‎utreexo-accumulator-bip.md). This document is only concerned with

[murchandamus]

Suggested change

	being added or removed from the accumulator. The leaf hash is a 32 byte hash that
	being added or removed from the accumulator. The leaf hash is a 32-byte hash that

[murchandamus]

Suggested change

	Individual UTXOs are represented as 32 byte hashes in the Utreexo accumulator. To obtain this
	Individual UTXOs are represented as 32-byte hashes in the Utreexo accumulator. To obtain this

[murchandamus]

As far as I can tell, the rest of BIP 34 explains the activation mechanism of BIP 34, so I would claim that this is the main reason.

Suggested change

	of the coinbase transaction. One of the reason for the change was to make
	of the coinbase transaction. The main reason for the change was to make

[murchandamus]

Suggested change

	random bytes that could be interpreted as block heights. The lowest block
	heights are: 209,921, 490,897, and 1,983,702.
	random bytes that could be interpreted as block heights. The lowest implicated block
	heights are: 209,921, 490,897, and 1,983,702.

[murchandamus]

Suggested change

	consensus failure due to the inability to perform the BIP-0030 checks. However,
	consensus failure due to the inability to perform the BIP-0030 checks, if someone were to reuse coinbase transaction from block 164,384 . However,

[murchandamus]

Not due to this rule, but rather before it was introduced:

Suggested change

	There were two UTXOs that were overwritten due to this consensus rule are:
	There were two UTXOs that were overwritten by repeated transactions:

[murchandamus]

If I’m understanding this right:

Suggested change

	accumulator. To be consensus compatible with clients that do have the historical
	violations, the leaves representing these two UTXOs in the Utreexo accumulator
	are hardcoded as unspendable.
	accumulator. To be consensus compatible with clients that retain only the second
	occurrences of these outputs, the leaves representing the corresponding first UTXOs in the Utreexo accumulator
	are hardcoded as unspendable.

[murchandamus]

I read the whole P2P BIP, although I went over the new messages section a bit more quickly. There are some sections that felt a bit confusing to me, perhaps you could try to take a look at whether you can clarify those for the less initiated. Overall, this seems close to complete, although I noticed that it is missing a Rationale section.

[murchandamus]

little caching ↦ almost no caching
a little caching ↦ some caching

I think you mean the latter:

Suggested change

	It's still reasonable for a single node to download this extra data but little caching goes a long way in reducing the amount of data that one has to download.
	It's still reasonable for a single node to download this extra data but a little caching goes a long way in reducing the amount of data that one has to download.

[murchandamus]

It’s not clear to me how "bridge nodes should in fact be indistinguishable from CSNs on the network". By whom are they indistinguishable. In what regard are they indistinguishable? Shouldn’t they, e.g., be frequently the first peer to notify about new transactions appearing in the mempool and blocks having been found as they act as the translation layer and therefore the initial source of data for the Utreexo-portion of the node network?

[murchandamus]

Does "Bridge node" refer to the aspect of whether the node has the UTXO set, and does "archive node" refer to having the full set of data? I.e., are these different dimensions? Would you run an "archive bridge node" if you want to offer all services?

Edit: Oh, never mind, you answer that right below.

[murchandamus]

Suggested change

	When introducing Utreexo into an existing network, there are 2 thing needed before CSNs can operate.
	When introducing Utreexo into an existing network, there are two things needed before CSNs can operate.

[murchandamus]

Suggested change

	First, archive nodes need to build proofs for old blocks to serve during the initial-block download (IBD).
	First, archive nodes need to build proofs for old blocks to serve during the initial block download (IBD).

[murchandamus]

Scrolling up and down through this document, it’s sometimes difficult to tell whether a paragraph belongs to the image before or after the paragraph. Since Markdown does not allow captions on images, it could for example help if either the images included the caption, or if the text were structured in some way that makes it clearer.

[murchandamus]

Consistency: Previously you were referring to non-Utreexo nodes as "current nodes", now it’s "legacy". Please use one term to refer to the same concept across the entire document.

[murchandamus]

Suggested change

	Therefore, we can safely just omit the locking script hash from the UTXO data and reconstruct it from the witness or scriptSig.
	Therefore, we can safely omit the locking script hash from the UTXO data and reconstruct it from the witness or scriptSig.

[murchandamus]

Suggested change

	| TTLs | vector of TTL infos | The TTL Info for the UTXOs that are added to the Utreexo merkle forest in blockchain ordering. See [Utreexo - Validation Layer](./utreexo-validation-bip.md#Excluded UTXOs from the accumulator) for the UTXOs that are not added to the Utreexo merkle forest |
	| TTLs | vector of TTL infos | The TTL Info for the UTXOs that are added to the Utreexo merkle forest in blockchain ordering. See [Utreexo - Validation Layer](./utreexo-validation-bip.md#excluded-utxos-from-the-accumulator) for the UTXOs that are not added to the Utreexo merkle forest |

[murchandamus]

Suggested change

	Using the [proof_positions](./utreexo-accumulator-bip.md#Utility Functions) function, it's possible to generate the positions of the needed proof hashes for a given set of targets.
	Using the [proof_positions](./utreexo-accumulator-bip.md#utility-functions) function, it's possible to generate the positions of the needed proof hashes for a given set of targets.

[jonatack]

After discussion amongst the editors, we've assigned 181-183 for these 3 BIP drafts.

@murchandamus suggested 181 Accumulator / 182 Validation / 183 P2P (I agree) while leaving it up to you.

[murchandamus]

Whenever you get around to it, please add the numbers to the Preambles, set the "Created" header to 2025-08-29 (it holds the date a BIP got numbered), and add the table entries to the README.mediawiki.

[kcalvinalvin]

After discussion amongst the editors, we've assigned 181-183 for these 3 BIP drafts.

@murchandamus suggested 181 Accumulator / 182 Validation / 183 P2P (I agree) while leaving it up to you.

Whenever you get around to it, please add the numbers to the Preambles, set the "Created" header to 2025-08-29 (it holds the date a BIP got numbered), and add the table entries to the README.mediawiki.

Currently going through all the reviews and writing up the rationale for validation and p2p. Will address these as well.