You guys know that I have a fetish for analogies, so bear w/ me about this one. Thesis: if Bitcoin is digital Gold, then the (pseudo)"SPV" model for light nodes is digital Coinage, w/ basically the same trade-offs & risks. Argument development following in this tweetstorm:
1) Physical gold was a GREAT form of money for ancient civilizations: great durability in time, good divisibility/density tradeoff, fundamental scarcity (before asteroid/ocean-floor mining), not-too-much-elastic supply due to estraction costs, fair access, recognizability.
2) Last feature, recognizability, was not super-easy to leverage in everyday commerce, though. Sure: you can use hydrostatic weighing to check the gold pieces you receive, but that's often not practical. The verification cost for merchants was kinda high, w/ bare gold pieces.
3) For this reason, many civilizations through history eventually gave up some of their gold's "indipendence", in exchange for outsourced verification, to reduce verification costs in everyday exchange. A trusted third party (often a smith, a jeweler, a military protector)...
4) ...could provide particular pieces of gold w/ their "signature" (some sign which was easy to recognize but difficult to reproduce). Checking this sign was less expensive than performing hydrostatic weighing. But, sadly, there ain't no such thing as a free lunch, as we know.
5) Trusted third parties involved in coinage, has been known to often abuse this position, almost systematically. Whenever they had some kind of extent monopoly, they would debase coins. Always. Now, the situation wasn't as bad as w/ modern fiat money: they still had to save...
6) ...face about the gold content. Debasement was slow, stealthy, gradual, w/ some level of plausible deniability. There still was an easy way to detect it, by any "hydrostatic full node" out there. Competition among coinage-providers contributed to keep it (often) under control.
7) Of course, the more competition you had, the less this kind of attack represented a concern. It's worth noting that the most disastrous episodes of debasement occurred under very wide coinage monopolies (often politically/militarily enstablished, ie late Roman Empire, ecc.).
8) But it's not so hard, at the end, to enforce monopolies when we talk about trusted third parties: they tend to be, by design, very easy to censor, corrupt, hijack, blackmail, etc. So, even before the modern tragedy of the rise of the absolutist, democrstic nation-states...
9) ...(w/ their baggage of legal tender laws, gold expropriation, ban of monetary alternatives, central banking & abolition of gold pegging, which made hyperinflation & manipulations trivial to perform) they already represented a pretty huge security hole in the monetary system.
10) Now: introducing Bitcoin. Like physical gold, it's peer-to-peer & independent, it's not scriptural money based on some trusted third party. You can check every tx against the rules & verify on your own. Sure, you are "trusting" the fact that hashrate is typically not...
11) ...typically colluding for more that 50% w/ the payer, in order to reorg after many confirmations, doublespending you. Assuming that's a reasonable expectation (is it???), you can verify the digital gold you receive independently, w/o any trusted third party involved.
12) But like hydrostatic weighing tools, full nodes are often too expensive/impractical for everyday transactions. Many Bitcoin users want to receive money w/o maintaining their own validating full node. It's perceived as something nerdy & specialistic: many Bitcoin merchants...
13) ...just want to receive money using their mobile phone or their tablet. The Bitcoin blockchain is too heavy (blocks are too big & too frequent, to satisfy a difficult transferability/verifiability trade-off) to run on those device. Sure, you can easily connect the light...
14) ...device w/ your full node over Tor, but many merchants nowadays, illiterate in cybersec & used to the "cloud" paradigm, don't even know how to deploy/maintain a trusted computer where they could run their own. So, the Bitcoin civilization started to rely on coinage as well.
15) That happened w/ a little help by Satoshi himself: he proposed a (theoretical) trustless verification scheme for light nodes, "SPV", based on the presence of inclusion proofs & the absence of fraud proofs. While a system to check inclusion proofs was relatively easy to...
16) ...implement (Merkle roots in headers, Bloom filters & all that jazz), a system to check the absence of fraud proofs proved to be very tricky (it may be even impossible, for all we know today) & nobady ever implemented it. So, what people calls "SPV" today, is actually...
17) ...the practice of trusting the hashrate majority not JUST to prevent doublespending, but to properly verify enforce Bitcoin rules. Merchant are outsourcing verification, because, while entirely possible, it is too expensive/impractical. Welcome (not so much) back, coinage!
18) Of course, coinage becomes a major problem only when coinage-providers are colluding in cartels. Hashers are not exactly trusted third parties, & that's good: we are operating under the assumption they are way harder to censor/corrupt/hijack/blackmail/etc. It may even work!
19) But, while we could have a relaistic (is it???) expectation that, overall, hashers themselves will not systematically collude, we know for a fact that ASICs production is (still, hopefully not for long) a de facto monopoly, able to easily influence majority hashrate at will.
20) We aren't even talking about theoretical attacks here: they just tried last year! A business cartel named NYA, who wanted to fool (pseudo)"SPV" nodes w/ false/counterfeit bitcoins, sent against the consensus rules, coopted the monopolist (for now) of ASIC production, which...
21) ....in turn coopted/blackmailed most of the major mining pools, pushing them to signal the intention to collude to perform this attack (if they would have followed signaling w/ actions remains unclear). The main developer working for the cartel, Garzik, publicly stated...
22) ...that the intention was precisely that of forcing the (pseudo)"SPV" nodes to follow the new rules. The specific goal of the NYA attack wasn't debasement (it was further mining/nodes centralization, along w/ replacement of the FLOSS development process w/ corporate devs)...
23) ...but it's not hard to imagine similar attacks aimed to debasement inflation. In fact such attacks were attempted by some hashrate minority during halvings. They are, anyway, the natural game-theory outcome when coinage-providers are free to change/manipulate rules at will.
24) The NYA attack failed (to be more precise: it was called off just few moments before an obvious, inevitable & disastrous failure) because too many validating full nodes would have rejected it. But in a (pseudo)"SPV" world, it would have certainly been successful. Conclusions?
25) Well:
- we shouldn't make full nodes harder to run, EVER;
- we should try to make full nodes easier to run;
- we should understand/explain the reasons to make extra-efforts to run full nodes.
We know what coinage does in the long run...USE THAT FUCKING HYDROSTATIC SCALE!!!
- we shouldn't make full nodes harder to run, EVER;
- we should try to make full nodes easier to run;
- we should understand/explain the reasons to make extra-efforts to run full nodes.
We know what coinage does in the long run...USE THAT FUCKING HYDROSTATIC SCALE!!!
