Appeal to authority over a cryptographic reasoning in a trustless system  

Do you have any technically and cryptographically sound arguments that may contribute anything to the discussion too ?  Up to now, you sound somewhat like the cardinals telling Galileo that he could get lost (or could get burned) because the authority, Aristotle, said that the earth didn't turn and the Pope too said that he was wrong.  That's not how science, or any rational reasoning, is done.

Do you have an argument against my essentially mathematical demonstration that the SPV system can only be fooled in those circumstances where:
1) a full node would be fooled too
or
2) the currently ongoing block chain with the highest PoW contains blocks that are false, ie. contain double spendings, but a large majority of miners nevertheless continues to build upon it ?

I indicated where achow101's answer went wrong, namely that the SPV has the block header chain, just as well as a full node has it.  He somehow thought that the SPV protocol consisted in just giving one correctly mined block independent of the block header list.  But that's not correct.  Even an SPV client gets all block HEADERS.  If one would only mine one stand alone block, yes that wouldn't be cryptographically secure, and that's essentially what achow101 tells me.  But that's not SPV.

The only thing that an SPV node doesn't do, and a full node does, is to see whether the block bodies are correct.  Miners are supposed to do that. But an SPV node cannot be tricked in believing a correctly mined block is part of the chain while it isn't, because it wouldn't fit with the header list.  
So only two possibilities remain:
1) the header list I obtained is wrong to trick me
or
2) the block is wrong (contains a double spend)

Well, if it is 1), a full  node is just as vulnerable ; and this attack is hugely expensive in PoW.
If it is 2) it means that the chain with most PoW has been mining on top of a false block since quite a while.

Hence my statement is proven.  

There are two levels of "belief" in a speculative token.  One is the "speculative" belief: is someone going to be willing to pay me value later for the thing I am considering acquiring against value ?  That's of course the essential thing: the belief in its value.  If that value is derived from economic utility, I would say that its value has a fundamental.  If not, it is purely speculative.

The other level is of course, that one believes that the system used, is going to work IN PRACTICE.  Exactly how it is working, doesn't really matter.  There may be security and privacy considerations that may induce you to consider these.  You have to have confidence in the thing working, and in the thing allowing you to do what you want to do.  If you don't have confidence, you won't use it.  

I think people have this thing of decentralization totally upside down.  

What we actually want is to be able to use the system and be relatively confident that it works correctly, right ?   So, practical immutability and censorship resistance should be, *in practice* be guaranteed.   We know that these aspects are theoretically, even in bitcoin, actually, not guaranteed at all, but that, for all practical purposes, they will be respected simply because the entities able to overthrow these aspects, are also the entities that get most profit from this business, so them colluding (even if they could, easily) is most probably not going to happen.   This "most probably not going to happen" is now realized by the market.  In the beginning, when bitcoin was VERY small, it was realized by the passion and integrity of the people starting this.  Somewhat later it was most probably realized by effective decentralization.  By now, the financial investments are such, that it is the market that makes that this is not going to happen.  And, who knows, maybe later, it may be law enforcement that will make that it is not going to happen, if bitcoin is a legal tender and the world reserve currency, totally centralized by the united nations mining consortium who has requisitioned 55% of all electrical power on the planet as bitcoin mining tax  (joking).

In other words, the *game-theoretical technology* used to make the thing work correctly doesn't really matter, from the moment that it works.  Right now, bitcoin is not decentralized if by decentralized, one understands that a MASSIVE collusion of so many different entities is necessary to make the system go out of its "good working" conditions, that this is very, very hard to do.  If 4 guys in a room come to an agreement, they can decide things in bitcoin.  But they won't, because their business depends on bitcoin being loved in the market.

However, I agree that this is just a practical engineering mindset. As such, I don't like fake religion-like dogmatic constraints on design that do not stand the test of scrutiny.   I get insulted a lot because I'm interrogating the dogma's of that religion, but I can't help it, I don't like bogus stories.  I like to inquire in the profound reasons for things.  Religious attitudes that force design are a bad idea.  If they work out, they are dangerous ; and if not, they are the origin of downfall.  Nature doesn't lie, in the end.  What I witness with bitcoin is that some "principle" has been leveraged to a level where it is killing the very system: a false notion of decentralization.  

My opinion is that bitcoin, as it was originally designed by Satoshi, only needed a high level of decentralization at a certain point (say, 2011-2013) to have it function correctly.  In 2010, it was just a "game between geeks, under Satoshi's central control" ; from 2013 onward, it is an industrial endeavour with so much investment at stake by the oligarchy that commands, that the market is now the guarantee for its correct functioning, together with the bit of decentralisation that remains.  I'm absolutely profoundly convinced that the story about "many full nodes" is technical, cryptographic and economic BS, and this is where religion inducing bad design was evident: this is responsible for bitcoin's loss of the crypto currency market monopoly.  This is exactly the kind of example where some "holy principle that isn't there, or isn't needed in practice, induces a lot of practical problems".   And remember, people want this to work in practice in the first place, before talking about great principles.

However, at the same time, there's now the development of the LN technology (or was it the other way around ?).  I think that this can have interesting applications, but most probably not what it is sold for (in the same way as bitcoin).  I see the LN as a solution that was looking for a problem that was then created for it, but the LN is good technology that may do other things than bring a solution to a non-existing problem that became a problem when one needed it to become a problem in order to be able to propose the solution, if you see what I mean.  But in the mean time, a problem has been created where there wasn't one, so now we have to hope that the LN will solve it, after all !

The real problem of bitcoin, however, isn't in this.  The real problem of bitcoin is its huge waste of economic value.  One tends to think that bitcoin is a zero-sum game, but it isn't: it is very very lossy.  The value economically wasted by PoW is extracted from the system to go nowhere.  In the long run, that's not sustainable.

In a certain way, the whole block size drama was a *simulation* of what this actually means, to have to waste a lot of economic value.  The high fees that put off people, here for block size reasons, is an example of how value will need to flow out of the system.  Now, you can say: "but with the LN, we will have many more transactions for the same fee !"  Or: "with big blocks we wouldn't have such high fees !"  But that's missing the point.  If bitcoin needs to be secure with PoW, it needs to spend a sizeable fraction of its value in proof of work.  That value needs to come from somewhere: from its users.   No matter how, technically, the value is taken from the users, it needs to flow out of the system, and literally in hot air.

At a certain point, this cost will become prohibitive, if there are other, just as practical, just as secure for all practical purposes, systems in competition.  One can try to sell that other religious dogma, that "you need to waste because that brings value" but that's such an economic idiocy that sooner or later, one will find out that it doesn't hold.

As to the problem of censor resistance, I think that not decentralization, but anonymity is the answer.  In monero for instance, even if mining were done by one single entity, it couldn't censor any transaction, because there's no way to know which one to censor.   In monero, only the payer and the payee know the transaction.  You can't sensor "an address".

I agree with you, my PoS proposal doesn't reward the stakers.  The stakers are only useful to limit the amount of consensus proposals and to make sure that it is not always the same one that proposes the consensus (unless there's only one staker on the network).  PoW is a very good coin ISSUANCE method, because it burns seigniorage.   
 
I think that one should separate the consensus mechanism, and the coin creation mechanism.

This is right, and there's nothing anyone can do about that in any speculative token system.    The only thing my proposition would have going for it, is that at least, there is no risk that it becomes a greater-fool token, and as such, that when it has value, this is mostly a currency-usage value, which is a genuine economic utility value.  Something that has genuine economic utility (hence, has fundamentals) usually has less volatility than a greater-fool token, and its steadiness of price may induce a stickiness that makes people believe more firmly in exactly that value ; as such, whenever it lowers, there's more speculative potential to see this as an opportunity, because one knows that behind it, there's economic utility, than when the token is essentially ONLY used to speculate on.

That would be a good thing to do.  You do not contribute anything useful in this technical discussion, which is about the security of the SPV protocol,  which in itself is a crucial element in the scalability of block chain systems, and which is related to the subject of this thread.

Your few interactions were not of any utility in the advancement of the subject, and essentially ad hominem.

As it stands, the SPV protocol is a cryptographically secure way to know whether a transaction is part of the actual consensus block chain with a very light network overhead.  The counter arguments given by achow101 and by a few others necessitates that the current bitcoin block chain contains deep down, double spends, or necessitates an attack that would also trick a full node, and that in any case, would require a huge PoW effort on the part of the attacker.

OK, great.


No, it is not a 51% attack.  It is "isolating a full node network-wise, and have him swallow a (correctly mined) side prong of the actual chain".  Then you can make believe that full node that this is the correct chain - and it is A correct chain - but it is not the current consensus "out there".

However, in order to pull that feat, you have:
1) to isolate your victim network-wise
2) still to make that side prong with all the PoW that goes into it

which makes this attack highly improbable.


The same way a full node does.  In order to provide me, SPV user, with a "false prong of block chain headers" you have to do exactly as I previously indicated:
1) isolate me network-wise so that I cannot talk to the majority miners
2) still you'd have to MAKE that false chain of headers with all the PoW that goes into it.

The ONLY difference between me, SPV client, and a full node, is that I'm not going to download the block bodies, and check the block body validity.  I take it that if miners are willing to spend a lot of PoW building on top of such blocks, that they've verified them, or that bitcoin is, as I said, broken, because the actual consensus block chain out there contains, deep down, false blocks, and miners still continue to put MAJORITY HASH RATE on top of it.

If there's a block, 6 or more blocks deep, and with majority hash rate (in fact, with no other prong around) still mining on top of it, I take it that that block is correct, or that bitcoin is broken.  In order for me to know that, I simply have to find 6 block headers on top of the block I'm considering, and I know that that hash rate has been spent on it.  If ever that block were false, it would be utmost amazing that miners are putting full hash rate on it, and are NOT mining on the "correct" side prong.

If a rogue SPV server cannot succeed in  isolating me from the network, then in order to trick me, he has to pull a full 51% attack to convince me to take his, majority POW prong, over the "real" one.  But in as much as he can pull that, he could actually attack the real block chain just as well.  And in as much as he's pulling that on top of a false block, why wouldn't he attack the real chain ?

Sigh.  Go back and read everything.  

I just realized you missed a crucial point of SPV here: the SPV user has the full list of block headers, but not of the block bodies.  As such, for this user to believe the Electrum server, the root of the given Merkle tree needs to be in one of the elements of the full list of block headers, which means it is part of the block chain "up to now".  I explained that earlier:


Here, H is the full list of block headers.

Edit:
see for instance: http://docs.electrum.org/en/latest/spv.html#spv

No, that is cryptographically impossible.  You cannot give a "fraudulent copy of the block chain headers" to an SPV user, if that user knows the currently actual block chain headers, in exactly the same way full nodes do.  In as much as full nodes can know the latest few block headers, an SPV user can know them too, and in as much as you can trick an SPV user into believing the last few block headers are different from what is actually mined on right now, you can just as well trick a full node into that.

Moreover, "tricking someone into a false block chain header list" requires you in any case to spend PoW on that block chain header list of the same order of magnitude than the prong you want your SPV victim to believe.  If you do that, you can just as well trick a full node into your prong.


No, as I outlined, that is not possible.  In order to trick me into believing that, you have to provide me with of course the fake transaction, but you also have to provide me with the leg of the Merkle tree that connects its root to the transaction.  That Merkle root is included in the block chain header list I have.

If that header list is ending on the block chain headers that mining pools are currently mining on, then I know that that transaction is a part of the very block chain miners are mining on right now.  That is exactly the same block chain that full nodes have right now also.

Again: if, of two block chains, the leading heads of the header blocks are the same, both the ENTIRE BLOCK CHAINS are identical.

So there's no such thing as a rogue SPV server, IF I can have access to the latest block headers being mined right now.  And even if I cannot have access to the latest blocks being mined (and then, my full node wouldn't get access either), that "rogue SPV server" still has to spend a lot of PoW to make the false prong.  He will have to spend as much PoW grossly as attacking the real chain, and for this attack to succeed, he must also ensure himself to avoid me of learning about the real chain (that may have somewhat more PoW).   A full node is just as "vulnerable" to such an attack.

There is no more a rogue SPV server, than there can be another rogue document server of a document of which I know the hash.  If I know the hash of a given piece of software, then no server can trick me in installing another piece of software.  As the last block header mined is equivalent to a kind of hash of the entire block chain, no-one is going to be able to serve me anything else and make me believe it.  
However, the structure of the block chain makes it possible to "chop up" the document in small pieces: the transactions.  That's exactly why Satoshi did so.

If I can know the latest headers, I cannot be tricked into accepting anything in the block chain that a full node that is accepting these latest headers, wouldn't have accepted either.

The argument that achow101 put forward, was another situation, namely where in the actual chain, there were double spends included.  Indeed, as an SPV node, I can be made aware of an existing transaction in the actual chain, but I cannot know that that actual chain also includes a double spend, while a full node can.  But then, as I said, bitcoin is broken already.


Just to be absolutely clear: in the SPV system, the SPV user has the full block header chain of course, from the genesis block up to the current blocks.
He simply doesn't have the block bodies.  But he has all the headers.

The problem is that you didn't even understand the logic of the arguments here.

Achow101 argued that a risk of using SPV is that one could be tricked in accepting a transaction that was present in the correct block chain that was at the same time a double spend.  In order for that to be a risk, you have to accept already that there HAS BEEN a double spend somewhere in a past block that is included in the current block chain on which everyone is building.  It means hence, that there was a past block (say, block number 506072) that contains a double spend, and that miners are still happily building on top of that.  Otherwise, the SPV user cannot be tricked in believing such a double spend, because it is not present in the block chain.  So one needs to reason as if that were the case.

Achow101's argument is that if such were the block chain, that my SPV client could be tricked in accepting that double spend as true.  That is correct.  My SPV client could indeed simply be convinced that, as it stands, a given transaction was indeed, in the actual block chain and I wouldn't know that it was a double spend that miners had simply accepted.  

MY argument, like yours BTW, if you could think somewhat logically, is that if ever that were the case, then bitcoin is broken.  It means that already for a week or so, there is an invalid block in the chain, and miners don't mind, exchanges don't mind, nobody minds.

Now, if ever that were true, that is, if miners did include a double spend in block 506072 and continued to mine on top of that, then every full node would come to a full stop at block 506071, because they would reject block 506072 as invalid (containing a double spend).  However, as miners have been mining on top of that invalid block 506072 by hypothesis, and are now at block 507762 or so, there is, nowhere in this world, a successor prong to block 506071 that full nodes would accept.  The only blocks that have been made are 506072,506073.... 507762 and are ALL INVALID according to the full node, and no other blocks have ever been made.  So it comes to a full stop, for good.  Because no "good blocks" 506072, 506073,... have ever been mined.

The difficulty with  this kind of argument for a limited mind is that it contains too difficult a form of argument which is called "reductio ad absurdum".  So it is quite normal for some not to be able to follow.    https://en.wikipedia.org/wiki/Reductio_ad_absurdum

I claim that SPV is secure.
Achow101 argues that there is a case where it is insecure.

My argument is: if ever your argument were true, then.... (absurdities) ; which you confirm (!).

Hence, Achow101's argument cannot be valid, and hence my claim that SPV is secure, stands.

I'm defining it.  I have the right to define a notion in an argument, right ?  The notion of same fool is like the notion of greater fool, except that the coefficient of foolishness in same-fool systems has an expectation value of near 1, while the expectation value of the coefficient of foolishness is a large number in greater-fool systems.  (and I suppose that you won't be able to find "coefficient of foolishness" either).

The point is that you can have a finite set of fools, and they can maintain indefinitely a system of same-fool belief ; however a finite set of fools can never sustain a greater-fool system: they run out of greater fools at a given moment.

Here, the definition of coefficient of foolishness A in such kind of games is the following:

 "an entity is willing to buy the asset at price X, on the condition of expecting to find buyers at A.X."

I have the right to define notions.  I thought it was obvious, and it didn't need explanation.

If we have a finite set of entities, the above game can be played only successfully for a long time if the expectation value of A over that set is near 1.  That's what I call a "same fool" system.  For instance, I know that a $100 bill is intrinsically worth nothing.  I can at best light my stove with it, physically, I cannot eat it, it is not beautiful.  So this quite useless piece of paper isn't worth anything intrinsically.   Wanting to work a few hours to obtain such a piece of paper is foolishness.  Except that I'm willing to do so, because I believe that I will find another fool, accepting it against similar value.  And the very next day, that fool (who also accepted a piece of paper he can do nothing with) will find a third fool that ALSO is EQUALLY foolish.  And in the end, that third fool will propose that bill to me for a few hours of work, and lo and behold, I am again as foolish as he is to accept to do work for a silly piece of paper. That game can  continue indefinitely, because each time each of us is satisfied in our expectations.

However, if there's an asset X within a finite set of people, of which the people only want to acquire it for price X, if on average, they expect to sell it for 100 X to another player (bitcoin and co must be of that kind), then you end up ALWAYS having a large portion of the players totally frustrated in their expectations.

In as much an asset can continue to go around with people expecting more or less the SAME value when they sell it, than when they buy it, an asset cannot continue to go around with people expecting more or less a much higher value when they sell it, than when they buy it.  This always ends up frustrating a large majority of the players, unless the set of players is infinite.

You can classify speculative assets (that is, assets which are intrinsically worthless, such as a piece of paper that is a $100 dollar bill) in two sets: the set of assets where most of its users are in the "same fool" game ; and the set of assets where most of its users are in the "greater fool" game.  Crypto users are in the last kind.

By far most crypto buyers are ONLY buying crypto, because they want to sell their crypto for MUCH more than they acquired it. There is only a very, very small fraction of crypto buyers that are NOT buying crypto with the idea of selling it higher.  So the average A in this game is much higher than 1.  I don't know how much it is, but ask yourself: if someone buys bitcoin at $10 000, do you really think that his motivation is to sell that coin at about $10 000, 5 years from now and that was the real motivation ?

No, that block header would not be included in the block header list that ends in the last currently published block.  There's no way a malicious electrum server can tell me that a given transaction is in the block chain that ends in the known recent block on which miners are working now.

As I said before, there's no way to make me another block header list than the correct one, that ends in the recent block headers.  I only need to know ONE SINGLE number from the miners: the recent block header hash.  That single hash proves to me that any block header list that ends in that hash, is the actual, right one.  And nobody can lie to me as to any included transaction.  Not even with 90% of all hash rate.  Because there's only ONE SINGLE BLOCK CHAIN that can end in this hash, if the hash function is not broken.

This doesn't even have anything to do with proof of work.  You give me the last header hash, and nobody can lie to me as to anything included in the block chain. Because you cannot lie in a linked list of hashes, you cannot lie in a Merkle tree, and you cannot lie about the hash of a transaction.

Mathematically: even without PoW: if you have two block chains, B and B', build of a chain of headers which contain each the top of a Merkle tree of "data segments", and the top hash of the header list of B is equal to the top hash of the header list of B', then B is identical to B'.

If two tops of header lists are identical, the two lists are identical (up to same length, you could append BEFORE the genesis block, true...).  If the header lists are identical, the roots of the Merkle trees are identical.  And if two Merkle trees are identical, the data segments they hash are identical..

Nobody cares whether the transaction is valid, if it is included in the block chain of course !  The hypothesis of having to check whether transactions that are part of the SOLE current collective consensus might be "wrong" somehow, is making the hypothesis that bitcoin is entirely broken and that nobody gives a shit.

It would mean that miners have made a false block, that all other miners agreed to mine on top of that false block and then on top of that other block and so on.  If a false transaction is deeply burried within the block chain, and miners are still mining on it, and no "clean prong" exists that doesn't include that block, then bitcoin is entirely broken.  Because if that can happen, miners can just include ANYTHING.  They can include erroneously signed transactions, they can include transactions of which the sum of the outputs is 500 times the sum of the inputs, they can include a coin base transaction that gives them 2000 BTC, they can include headers that don't correspond to the Merkle tree, they could include a porn movie, anything.

Moreover, there's not even another block chain in this world that is made correctly, because the massive amount of PoW that goes in this butched-up block chain cannot be re-done elsewhere.  If the massive PoW voting power of the bitcoin miners collectively decide to make a butched-up block chain with false transactions in it, that's all there is to bitcoin, there is no clean version any more.

But even then, SPV is still working, in the following way: it is up to the payer to give you (by e-mail/ftp or other form of communication) the full history of his payment: that is, he has to give you the backward tree of all coinbase transactions and all successive transactions up to his payment to you.  That's quite some data, but unless all coins are mixed up with all other coins, still much, much less than the block chain.  For each transaction in this "pedigree", he needs to specify the block and Merkle tree leg.

With simply the block header list, you can verify the exactitude of his e-mail.  You don't even need an SPV server for that.  You can check the mini-block chain of the pedigree, from the coinbase of each origin at the leaves, all the way up to his last transaction to you.  You don't depend on any form of bitcoin network for that, except that you need to know the head of the current header list.  One single hash you need to know from bitcoin's system, and you can verify all the rest by yourself.

Of course, the payer needs to have all his previous transactions that way.  In other words, if you pay someone, you make a new transaction, you have to watch the bitcoin network in one way or another, and catch your transaction once it is included in a block.  From that, you can extract its SPV data (block header, Merkle leg, transaction).  And you don't care any more about the system.  No need for an extended P2P network.  Only the miner pool servers, or some derived servers from that.

It is true that this way, you cannot be sure that there are no double spends included in the block chain.  But this hassle is only necessary if we take it for granted that bitcoin is already entirely broken, and that miners collectively decide to continue to build a totally broken chain... Indeed, imagine that in the same block, the same coin is spent 500 times to different addresses.  Normally, this cannot happen, but our working hypothesis is that miners make false blocks.  So which one of the 500 transactions is the real one ?  Or is this coin dead now ?

Moreover, in what way would a full node be helpful here ?  A full node would have stopped for good when the first false block was mined.  All full nodes would have come to a grinding halt since a long time, because no miner made a correct block.  They wouldn't be able to tell you anything about recent "valid" transactions on a broken block chain.

Well, if we don't agree that the lock-out time is 1 week, we cannot even start to set up the channel of course, so nothing is locked in.  It is during the same process of fixing the lock-out time, that the initial commitment transaction is made and broadcast.  If there's no agreement on the lock-out time, there's no possibility to even make a commitment transaction, and certainly not to broadcast it.

But I like your expression "partner to partner".  In peer-to-peer, your connection to a peer is "without engagement" and can be broken as fast as it can be set up, with no costs.  If I fire up Openbazaar, I look for peers, but these peers are individually trustless, and if some behave badly (don't respond, flood, do crazy things), I can just cut the connection and look for another peer in a matter of seconds.  Once my funds are locked in with 'a guy on the internet', it is my partner and I cannot whimsically decide to cut that and go elsewhere in a matter of seconds.  it is a matter of days or weeks, and I have to pay money.  This is why I said that one cannot compare IP routing to the LN. 

So indeed, partner to partner.

I never understood that SPV was a check on the correctness of miners.  After all, without having all transactions explicitly you can never know whether or not these transactions were valid.  You cannot know whether there was a double spend or not.  You cannot know whether the signatures were valid or not.  You need to download the entire block to be able to verify that.
You cannot even begin to consider an SPV system that verifies the correctness of miners' verification work of a block.  So that could never be part of it.

The SPV system is not something that "keeps miners in check". The SPV system is a cryptographically secure way to know that a given transaction is part of a given block chain.  In that respect, it is working, and it is working correctly.  Wallets like electrum work that way as far as I understand.

In an SPV system, if one is given a transaction T, a leg in a Merkle tree M(T) leading to T, and the entire header chain, of which the top of the leg M(T) is included in the header chain, you know for sure that:

- this transaction T is part of the block B with the Merkle Tree M of which you have the leg M(T).
- this block B is part of the block chain of which you have the header list H.

From the header list, you can check the amount of proof of work.  In fact, one cannot give you a fake SPV result without at least having spent the proof of work leading up to the block block B ; but if you have the header list H, one cannot give you a fake SPV result with less than the proof of work in the entire list H.

It is sufficient to check that the list H is part of the actual block chain that is being produced by the mining pools, to know that you are having a genuine transaction in the currently accepted consensus block chain.   So the only things you need for SPV to be absolutely foolproof is:
- that the header list H is sufficiently recent
- that the current mining pools are working on top of this header list.

As such, you simply need to request the last part of the header list H' from a few of the principal mining pools (or from a few full nodes of which you think they are up to date) and you know cryptographically that the transaction T that has been shown to you, is included in the currently accepted consensus block chain.   Note that it is essentially impossible that the currently active mining pools would be lying to you, because in order to lie to you, they would have to spend a lot of proof of work to give you a fake block header list ; moreover, it would be very difficult for them to do this in a simultaneous way.  They would need to spend as much hashes on the top list of, say, 10 blocks, than to mine 10 new blocks.  

So, if you can obtain from the top mining pools:
- the last few block headers mined H'
- the SPV data (T, M(T), H)

in such a way that the end of H overlaps with H', you know 100% cryptographically for sure that T is part of the actual block chain.


No, what Satoshi refers here to, is that it could in principle be possible that your SPV provider is providing you with a fork of lesser PoW, that is not the main chain.  This is possible in a situation (as Satoshi saw things) where you have a very broad network of mining nodes, and one mining node decided to continue mining on his orphaned fork, and gives you the SPV results of that orphaned fork.  If you are not part of the full network, you might believe that this fork is the actual consensus, because you are not up to date to the actual chain. He might, while he's working on his false prong, include transactions that do not exist and that were never broadcast.

Note, however, that in order to do so, one has nevertheless to waste mining resources to make this false prong, in order to mislead you.

In order for this cheating to work, apart from having to mine the useless prong, he must also be sure that you are not contacting another node that might have the true currenc consensus block chain. In the current bitcoin structure, with much less different mining sources, even the price to make a fork is so large, that this is not a problem.  Miners don't waste time continuing on their fork.

Imagine that your "SPV provider" were a mining node that has somewhat less than 10% of the total hash rate, and is making hence a block two hours or so.  He might, if he wanted to, put this hash rate in a fork, instead of putting it in the consensus chain (I don't see why but OK).  That fork grows slower, but it is a correct chain, and he can give you the SPV elements of that chain.  You may be tricked in believing a recent transaction on his prong, that is not part of the general consensus.

But from the moment that you know the real chain head, this won't work.  And the real chain head is given to you by the major mining pools.  Note that the danger Satoshi pointed out, is also a danger for a full node.  If a full node is kept apart from the rest of the network, and is only fed with a false prong, that full node will be just as gullible as your SPV client.

Ah, that's interesting.  When you contrast that with Satoshi's November 2008 e-mail, where he clearly explained how 100 MB blocks were no problem, and how users would use SPV clients ; and when you see that Hal Finey was the one pushing for the 1 MB limit according to some, we now see that Hal Finey finally took power over Satoshi.  Hal Finey is writing here exactly the same objection that Satoshi already replied to in November 2008: "of course we don't send all transactions to all users".

Satoshi never had any doubts about the scaling non-problem from the beginning. Most users simply didn't need the block chain, and that's exactly why he introduced the SPV possibility with the Merkle tree - otherwise there's no need for a Merkle tree structure in Bitcoin ! The very single only reason Satoshi invented the ordering of the blocks in a Merkle tree, is that this allows SPV.  If blocks are to be used as a whole, you can simply calculate a single hash of the entire block.  Nowhere else do you need any Merkle tree.  The Merkle tree is a way to have a minimal number of steps of verification of presence of a piece of data in a block, and really becomes useful only when blocks are very large.
Otherwise you could even resort to a sub-list, that is, a block is a linear list of transactions, and to each transaction corresponds a hash, that can itself be included in a hashed linked list of "hash blocks" all the way to the block header, containing the hash of the last "hash header".  The problem is that this list goes as N, when N is the number of transactions in a block.  A Merkle tree does the same, but the depth goes as log2(N).  This becomes a significant thing when N becomes very large, that is, when blocks become very big.  For 1MB blocks, with some 2000 transactions in it, this is not yet very significant.  If, in order to check that a given transaction T is in a given block, you need to get that famous "linked list" with 2000 entries, to see that your transaction T was indeed, in the K-th entry of those 2000 entries, that's still very feasible.  However, for a block of 100 MB, looking in the list of 200 000 entries, or looking in a path of the Merkle tree, only 18 steps deep, is a hell of a difference.

So from the very start, Satoshi designed bitcoin as a very big block system, of which only mining nodes need to have the full data burden, and of which all other users use SPV and connect to one of these nodes.


Nope, it wasn't in Satoshi's vision.  But clearly Hal Finey didn't understand Satoshi's vision, or didn't agree with it.


That's very funny, because Satoshi takes here the entirely opposite stance than when he laconically wavered Jeff Garzik's opposition to him introducing this limit in the first place, away, for exactly the same reasons.


If mining is centralized, bitcoin is of course centralized, and everything you build on it just as well.  The problem is that people see decentralization as a goal, while it was a tool.  Decentralization was a tool to make bitcoin work correctly.  After all, the ONLY thing you want from bitcoin, is that you can do transactions, and verify transactions.  Exactly how that comes about, doesn't really matter (unless it becomes a kind of sales argument in itself of course).  Whether it is the impossibility to leave a Nash equilibrium because of "massive collusion needed too difficult and too impractical to be plausible", which is the decentralization method, or by market forces ("if I do stupid things as a miner, my entire investment in hardware will become an expensive doorstep"), it doesn't matter.  What one simply wants, is that one can do transactions, that's all bitcoin is good at.  Even if bitcoin were entirely centralized in one big data centre, but because of its investment and market forces, it kept on running bitcoin as it should, that's just as good.


Well, as I just said, decentralization is a tool to obtain a result ; but other tools can work just as well.  So it is not because you see that the system works well, that you can conclude that decentralization is at work.  In fact, if you think about it, you see that it isn't the case, because it is very easy, TECHNICALLY, for this to fail.

You know very well that there are 3 or at best 4 mining pools that make a good majority of the blocks. If these 3 or 4 entities sit together and decide NOT to include a given transaction, and NOT to mine on a block that includes this transaction, then, I hope you agree with me, that technically this transaction will not be included.  Simply because with the hash rate they command, the longest chain rule will never include this transaction.  Other mining pools including this transaction will make orphaned blocks ; or they can be informed that they shouldn't even try.  You know just as well as I do, that *purely technically*, according to bitcoin's rules, that is perfectly possible, and nobody violated any rule in doing so.

A decentralized system would not permit such thing to happen, because 2000 people would have to agree to do so, and the hypothesis of decentralization is exactly that such a collusion is not going to happen because too massive, too difficult, and internally too inconsistent.  That's the core idea of decentralization: a super-Nash equilibrium that can only be broken by such massive collusion, that that collusion in itself, is not realistic.

Well, in bitcoin's mining landscape today, this kind of collusion is theoretically extremely possible.  I use to joke that bitcoin is more centralized than the Euro.  In order to decide something for the Euro, 15 finance ministers have to agree ; in bitcoin, 3 or 4 mining pool owners have to agree.

But, I agree with you, this is not happening (yet).  Why is this not happening ?  Because of the market. Because these mining pools and their miner subcontractors have a lot of investment in bitcoin mining, and if ever this would get known, their mining equipment might become an expensive doorstep.  But if that argument holds, then a totally centralized miner will be just as sensitive to this, and will just as well let through all transactions.

So, bitcoin can work, even though its functioning is not any more guaranteed by a decentralized game theoretical argument ; now it is a market sensitivity argument.  Miners are in the business for money, they don't want to risk their investment.  Whether they are 1, 2, 3 or 200.

But let us now think of something else.  Let us now think of bitcoin being legally accepted everywhere, and is legally framed, and recognized as a form of legal tender.  Let us also suppose that you get legal permits to be a bitcoin miner.  Given the huge amounts of energy that go into bitcoin mining, it is not a "do it in your basement" kind of activity, and you cannot do that underground.  We're talking about industrial installations, and these can very well be legally framed.  You might even get preferential electricity prices on the condition that you are registered.  Nothing tells you that this legal frame may include a clause that puts you in a legal difficulty if ever your mining contributes to forbidden transactions.  As such, as a miner, you better connect to a mining pool that respects those engagements.  You can set up a contract, and the mining pool engages in only using your hash rate if it doesn't approve transactions given by an international committee (say, linked to Interpol or the likes). Your mining pool is now legally bond to not include such transactions, and not mine on top of blocks that do include such a transaction. But if you respect that, you're not only legally OK, you even have advantages like cheap power.  You pay taxes on your benefits, and you can enjoy your rich life of a miner in all legality.
If there is enough international collaboration over this, a majority of hash rate can fall in the hands of such legalized mining pools.  If they reject a transaction, they have a good legal reason to do so.   If the 4 or 5 most important mining pools are legalized that way, they will also be very attractive for industrial miners (they have contractually to do so).

Where's your decentralization now ?  You know that technically, the 4 or 5 majority mining pools can do so.  Now, they have a legal incentive.  Do you think your LN will save you from this ?  What idiot is going to lock in his coins with an entity that might get all further transactions blocked ?

This Gedanken Experiment shows you that if the bitcoin layer is centralized and potentially censored, the LN on top cannot be less censored. You cannot "win in decentralization" on top of a centralized system.   That's the equivalent of thinking you can run safely some code on a compromised computer.

I just fell on this gem by Satoshi.  It makes me think that Satoshi didn't fully understand his own system.

http://satoshi.nakamotoinstitute.org/posts/bitcointalk/188/

"I anticipate there will never be more than 100K nodes, probably less."

Unless Satoshi has a sense of humour and of understatement, and given that he previously wrote:

http://satoshi.nakamotoinstitute.org/emails/cryptography/2/#selection-67.0-75.14

"Long before the network gets anywhere near as large as that, it would be safe
for users to use Simplified Payment Verification (section to check for
double spending, which only requires having the chain of block headers, or
about 12KB per day. Only people trying to create new coins would need to run
network nodes."

he's anticipating there would be less than 100K mining nodes.

Let us think through what that would mean if there were 100K nodes, each having, in the best of cases, exactly the same hash rate.  Given that there will be generated 52000 blocks per year, it means that each node will on average win one block every two years.

Now let us see what that would mean.  Given that finding a block is a Poisson process, the probability of not finding a single block in time T will be:

P(T) = exp(-T/(2 years).

It means that the probability that you have been mining for 4 years is 13% ; it means that the probability that you have been mining for 6 years and not one single block, is 5%.

Who could support the costs of mining without revenue over such periods ?  Most probably your hardware is obsolete before you had anything!
Can you imagine having started mining in 2013, and still not have a single block ?  Not one cent of revenue ?

In reality of course, not all miners will be equal, which makes it even much, much worse for the smaller ones.  In reality, one could at most expect a few hundred solo miners.  We observed that the market decided upon 10 or something.

Have you ever read, say, an exposition of general relativity ?  How many pages do you have to acquire, follow explanations, fill in gaps the author left, think through what the author is saying, not being quite sure that you're with him, before you actually start understanding the argument ?  Compared to that level of difficulty, "working through my walls of text" is leisure in a blink of an eye.  People not capable of doing this, can probably not reason on a sophisticated enough level to even start being useful.  Usually, in texts like that, the problem is rather that the text is too concise, and that one has to fill in too many gaps.  I err probably on the other side, I'm too verbose, too explicit, too much in simple details that could be filled in, in what I say.

I'll ask you: how many lines of explanation would you need to understand, from scratch, say, Pollard's rho attack on a Diffie-Hellman key exchange ?  Suppose that this was an unknown thing, and that someone posted this here for the first time, somewhat hesitant maybe in the fluidity of his wordings.  Would you also complain that there are "walls of text" if someone would try to give an argument explaining how it could be done in a page or two ?  Do you think that your comments would be of any use ?

If you tell me that the few people capable of seeing that, are elsewhere, then one must conclude that the amount of brain power here is too low to be of any sensible use in the development of any form of advanced argument.  That's also a possibility of course.

Of course, because no alt coin ever had a demand driven by a currency need (same fool).  Every crypto currency that launches, bitcoin included, is launched as a greater-fool token, which booms and busts.  Do you know many people buying an alt coin because they expect it to be stable in value ?

In fact the ONLY alt coin that has NO expectations of rise, and is working more or less as I describe, is Tether.   You cannot really redeem Tether for dollars.   So whether it is backed or not doesn't mean shit.  People buy tether as a currency.  Nobody speculates on tether.  So the market cap of tether represents a demand of currency, that is "transporter of value".  Slowly, the price sticks: one tether is $1.  Now, it is visibly true that tether can shrink somewhat its offer, and as far as I understand, this has been done very lightly, only twice.  When you look at the momentous rise of tether's market cap, and the stability of its price, essentially through emission, you get an idea.

Your argument actually supports what I'm saying: almost all altcoins that don't have price control, are speculative greater fool assets, MAINLY acquired with the hope of a rise (and we know what that means: bubble - burst - bubble - burst ....).  Almost none of them are acquired to keep a steady value.  So they, indeed, bubble.  And bitcoin bubbles too, it is not different.

A coin where there is no hope for a large rise, and with a predictable price maximum, is only bought when it is useful.  And when it is useful, there's no bubble-burst.  There is no bread bubble.   There is no butter bubble.  

It most probably wouldn't.  Well, as long as the total market cap remained between $0.000001 and $100, it would simply be a dead project, wouldn't it ?

To have the market cap grow to, say, $10 000, it would mean that people made coins that cost them $10.  They were NOT expecting any significant price rise, so the only way they did it, was that they expected it to remain close to that value.  Most probably, because they needed it as a currency - there's no other reason to spend $10 of work on something that won't be worth much more, right ?

So if the market cap rose to $10 000, it means that people had USE of it as a currency.  They wouldn't have any serious expectations of gain.  Only of use.  Say on dark markets.  On web sites.  On VPN.  On this and on that.  After a while, the price would "stick".  People wouldn't put fortunes in it, they would only acquire what they need to use as a currency.  They wouldn't be watching coinmarketcap to see what goes up and what goes down.  It would just be a real currency.

Of course, there could be moments where there's less demand for currency, that is, when its market shrinks and its adoption falls.  Yes.  I would think that if adoption seriously fell down, and hence, the price with it, there are two possibilities: people have faith in it, and hence, would like to see it as an opportunity to "buy $10 bills for $8", pushing the price back to $10.  Or the thing crumbles down.  Indeed, if during a ramp-up phase, people had only acquired it to buy stuff, got used to its price, and then see a slight dip, it would be "shopping time".  If adoption would, after a slow-down, take off again, price would again rise up to $10, and people would be confirmed in their belief in its price.  Those that "bought the dip" would have been rewarded.  The "stickiness of price" would latch on.  
It wouldn't be a speculative thing.  It would be driven by utility.  As long as the demand for that utility would be steadily increasing, even if sometimes it would drop, the price would be pushed against the $10 limit, even if it dropped sometimes.  That would induce people to hoard it when it drops, because they know there's all the chances in the world it would go up to $10 again if utility demand rises again.