On Sat, Jul 4, 2015 at 4:18 PM, Justus Ranvier <justus@openbitcoinprivacyproject.org> wrote:
In general, the situation can be improved if there existed proofs which
validating full nodes could broadcast which would tell SPV nodes why the
branch it sees with the most proof of work is actually invalid.

Yeah, fraud proofs have been suggested lots of times in the past.

In this case, they weren't even needed.  Fully updated SPV clients should also have rejected the invalid fork.  All the information required to reject it was in the header chain.

The problem wasn't SPV miners, it was SPV-miners where the SPV part wasn't upgraded to handle v3 blocks.
 
As far as I can tell, producing such proofs is reasonably
straightforward for all cases except the case where a block is invalid
because it contains a transaction which references a non-existent output.

Even that can be handled with UTXO set commitments.  If the UTXO tree is sorted you can prove that an entry doesn't exist.

What cannot be handled is proving that a block is invalid if the transaction data for the block is withheld.
 
If each transaction input identified the block containing the referenced
outpoint, then the proof of non-existence is either the block in
question, or the list of block headers (to show that the block doesn't
exist). That's a significant improvement in proof size over the entire
blockchain.

That is reasonable.  Unconfirmed transactions can't include that info though.

It could be committed in as an extra commitment.

One issue is that you need to prove of of these commitments too.

A transaction which points to the wrong block would also be provable in the same way.
 
Proving the non-existence of a particular transaction in a specific
block could be made easier for future blocks by requiring transactions
to be ordered in the merkle tree by their hashes.  Then it would just
require a few nodes in the tree to show that the transaction isn't in
the place where it should be.

You could just have an extra merkle tree.

You would only need to include the block hashes for all transactions to show that the two trees don't match.  That is 32 bytes per transaction rather than the full 200-500 bytes per transaction.