Bitcoin Forum
Author Topic: Why the fuck did Satoshi implement the 1 MB blocksize limit?  (Read 2140 times)
BitcoinCasinoFinder.com
January 29, 2018, 09:02:30 AM
#101

@OP, I agree with your argument. As per game theory and the assumptions you have made, I don't see a reason why the block size limit has to stay at 1 MB.

Newbie question here, is there any way to change the block size limit? How feasible is it to do? Would it require a hard fork?

Well, that's why there is a current "civil war" within the Bitcoin community because of this. There are groups that want to scale Bitcoin and others just want to stay in place. Again, that's why the forks of Bitcoin Cash and Bitcoin Gold happened and I believe there are more to come or happened already.

BCH has an 8MB block size limit if you're looking for one with a bigger block size.
Anonymous Kid (OP)
January 31, 2018, 12:17:25 AM
#102

Wow. I didn't expect this thread to get so many replies. Glad I could spark up a discussion.

Some great points raised.
cryptodoe
February 03, 2018, 02:49:52 PM
#103

Great question !

Okay okay, before you rush and say "To prevent spam attacks!!", please wait and read this whole thread.

^The above argument is what I hear all the time. However, there is something not quite right about that reasoning. It doesn't make sense.

Let's start with a little background info...

Satoshi implemented the 1 MB blocksize limit without telling anyone; he just did it randomly. There was no discussion beforehand and after he did it, he did not mention it anywhere. People had to look at the code/use it to see the change. The manner in which the 1 MB blocksize limit was added is already strange in itself and as soon as it was done, debates/arguments among the community started happening.

Satoshi never told people that the 1 MB limit was to prevent spam - it's just what everyone inferred.


Okay... history lesson over.

Now here is why it doesn't make sense:

The process of a transaction getting confirmed and added to the blockchain goes like this:

1) Tx. is broadcast with a custom fee
2) Tx. is added to the mempool
3) Miner collects tx. from the mempool (usually they will pick tx. based on which has the highest fee and work their way down from there)
4) Miner adds tx. to their block
5) Miner calculates the proof of work
6) Miner publishes block to the blockchain


Okay now we have the process outlined we can analyse the miners incentives/behaviour. I'll be using game theory to explain this and here is where it gets interesting.

The miners main goal is to make profit. This is why he adds tx. to his block in the first place (it allows for more fees and thus, more profits). So we can assume that without the blocksize limit, the miners would add infinite tx. to their block right? WRONG!

Allow me to explain:

Look at step 3. Collecting the tx. from the mempool and adding it to their block takes a set amount of time, and the longer the miner spends collecting the tx. and adding it to their block, the less time they can spend calculating the proof of work, thereby giving their competition (other miners) the edge. The miners would naturally (based on game theory) find a Nash equilibrium between collecting as many tx. as possible and finding enough time to calculate the proof of work in order to give them the maximum profitability. Thus, we can assume that without a blocksize limit (infinite), the block size would stay relatively the same.

This is why an infinite block size limit is not an issue. I honestly cannot understand why he added the 1 MB limit.
Can someone please, please explain? I have been pondering this for over a month now. Thanks.

There are three possible answers:

1) Satoshi didn't completely understand the implications of his random choice, which seemed reasonable at the time to him.  

2) Satoshi knew very well what he was doing, was an evil mind, and he was lying through his teeth all the time, to trick us into his nonsense.

3) Satoshi was a true god and genius, and even though we think he might have made a mistake, he was absolutely right in everything he ever did and we are simply too dumb to see it.

There have been a lot of discussions over that issue, and people warned Satoshi that his random decision was a recipe for disaster.

The truth is maybe in the 3 things at once.  It is obvious that the spam limit is a joke.  In fact, it makes spam worse.  The excuse was that if a fool mined a single block of 10 GB full of nonsense, the blockchain would be spammed to an incredible size in no time.  That was clearly wrong, because in order for that block to be incorporated into the chain, other miners would have to agree with it.  There's no reason why honest miners would mine on top of a crazy block.  In other words, implicitly, there would be a gross maximum size set by miners and that would grow dynamically.

By putting a hard limit on block size, you actually increase drastically the effect of spam, as we saw.  Once the block is full of spam, transactions are hindered.  This is an efficient DDOS of bitcoin.  If the blocks are elastic, you can spam a lot, that will increase the size to some point, but transactions can go through unhampered, and you'd have to spam like crazy in order to have an efficient DDOS.  Hard limits make DDOSsing of bitcoin in fact much easier.

Satoshi was clearly in favour of very large blocks if useful, and he explains that in the beginning, where he tells us that most normal users shouldn't run a full node, "left to specialists with farms of specialized hardware".  That was in November 2008.

People explained to him that putting a hard limit in the protocol would require a hard fork at some point, which might be problematic.  He waved that away: just changing a constant in the code.

Maybe Satoshi did put a "time bomb" in his bitcoin system because he considered it an experiment from which we have to learn, and it should self-destroy at a certain point in order for us to make a new system with better properties.  Maybe Satoshi wanted to put in a trap, so that only if his heirs were smart enough to have good governance, and if they cannot even change a simple parameter, then it is better that this system dies.  Maybe Satoshi wanted to develop a whole crypto market, and needed to put something nasty in bitcoin, in order to make it lose its first mover advantage and open up the market.

Maybe Satoshi was designing a reserve currency for big, dark, deep state players, and only needed Joe Sixpack to ramp it up, but needed him to be pushed out of bitcoin once the system was up and running, to leave it to the big boys.  Claiming it to be a currency of the people, but at the same time, making its use too expensive for the people, and only allow the big boys on it, was maybe his hidden plan.

But I think that Satoshi simply made a mistake.  He made many.  Bitcoin is quite ill designed.  That doesn't take away the fact that he was a bright mind.  We have hindsight he didn't have.  But he was wrong on this one, as he was wrong on many choices.


Makes Satoshi sound like John Kramer!
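The six-step confirmation process quoted in this post, and the claim in the reply that a hard cap lets fee-paying spam crowd out ordinary transactions, can be made concrete by coding the miner's step 3: rank the mempool by fee rate and fill the block until the cap is reached. The following is an added example written for this page, not code from Bitcoin Core or from any poster. The transaction sizes, fees, the 1,000,000-byte cap and the "spam"/"user" labels are constructed illustrative values, and the size accounting is in plain bytes (Bitcoin Core's real template builder works in weight units and ranks by ancestor fee rate, which this toy ignores).

```python
from dataclasses import dataclass

# The 1 MB limit the thread is about, expressed as a byte budget per block.
# Assumed round figure for illustration; Bitcoin Core actually counts weight units.
MAX_BLOCK_BYTES = 1_000_000


@dataclass(frozen=True)
class Tx:
    txid: str   # constructed label, not a real transaction hash
    size: int   # serialized size in bytes
    fee: int    # fee offered, in satoshis

    @property
    def fee_rate(self) -> float:
        """Satoshis per byte: the quantity a profit-maximizing miner ranks by."""
        return self.fee / self.size


def select_for_block(mempool, max_bytes=MAX_BLOCK_BYTES):
    """Step 3 of the process in the post, done greedily: take the highest
    fee-rate transactions first and skip any that no longer fit under the cap.
    Returns (included, skipped, total_fee_collected)."""
    included, skipped, used, total_fee = [], [], 0, 0
    for tx in sorted(mempool, key=lambda t: t.fee_rate, reverse=True):
        if used + tx.size <= max_bytes:
            included.append(tx)
            used += tx.size
            total_fee += tx.fee
        else:
            skipped.append(tx)
    return included, skipped, total_fee


def make_mempool(n_spam, spam_sat_per_byte, n_users, user_sat_per_byte, tx_size=250):
    """Constructed mempool: n_spam attacker transactions and n_users ordinary ones,
    all tx_size bytes, each group paying a flat fee rate."""
    spam = [Tx(f"spam{i}", tx_size, tx_size * spam_sat_per_byte) for i in range(n_spam)]
    users = [Tx(f"user{i}", tx_size, tx_size * user_sat_per_byte) for i in range(n_users)]
    return spam + users


def users_left_waiting(mempool, max_bytes=MAX_BLOCK_BYTES):
    """How many ordinary transactions did not make it into the next block."""
    _, skipped, _ = select_for_block(mempool, max_bytes)
    return sum(1 for t in skipped if t.txid.startswith("user"))


def attacker_cost_btc(mempool, max_bytes=MAX_BLOCK_BYTES):
    """Fees the attacker actually pays for the spam that got mined in this block."""
    included, _, _ = select_for_block(mempool, max_bytes)
    return sum(t.fee for t in included if t.txid.startswith("spam")) / 1e8


if __name__ == "__main__":
    # Scenario from the thread: fee-paying spam fills the capped block and users wait.
    pool = make_mempool(n_spam=5000, spam_sat_per_byte=50, n_users=1000, user_sat_per_byte=10)
    print("1 MB cap: users left waiting =", users_left_waiting(pool))             # 1000
    print("1 MB cap: attacker paid BTC  =", attacker_cost_btc(pool))              # 0.5
    print("8 MB cap: users left waiting =", users_left_waiting(pool, 8_000_000))  # 0
```

With 250-byte transactions a 1 MB block holds exactly 4,000 of them, so 5,000 spam transactions outbidding 1,000 ordinary ones leave every ordinary one waiting while the attacker pays only for the 4,000 that were mined; raising the cap to 8 MB admits everything. The toy also shows the cost side the thread argues about: the attacker's outlay per block is the fee rate times the bytes actually mined, so a fixed cap fixes the price of one block of denial.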
dinofelis
February 03, 2018, 03:17:36 PM
Last edit: February 03, 2018, 03:56:11 PM by dinofelis
#104

Makes Satoshi sound like John Kramer!

Mmm.  Makes me think.  How about a future vision of a "cryptofatwa" ?  Remember Salman Rushdie, who had to hide because he had written a book that was to the disliking of some Islamic leaders in Iran, who pronounced a fatwa over him ?  There was a call to kill Salman, and the "reward" must have been something akin to virgins in paradise or some other thing.  Now, inasmuch as virgins in paradise sound like an attractive reward, you still have to be convinced of it before you think that going to kill a guy because someone said so is a reasonable thing to do.  Nevertheless, it scared the hell out of Salman Rushdie and the British government that tried to protect him.  But one could still go and ask, with "convincing arguments", that the pronouncement of the fatwa be undone.

Let us fast-forward to our crypto paradise in a few decades, when crypto rules finance.  Of course, an obvious application will be life insurance.  If someone dies, automatically, smart contracts are put into work to pay the beneficiaries.  There's no reason why this big part of finance should not be crypto-ized, right ?  Now, consider the following: if, by sufficient atomic swaps, I can put together a fatwa contract on one or other crypto smart contract chain, so that a large amount of another crypto currency (say, bitcoin) will be given to the guy or girl that goes and kills a specified person ?  The contract will be triggered by a minor life insurance contract on his real-world identity, to indicate that the target was killed.  The potential murderer has to stake some amount of coins, together with a payment address to him, somewhere else on another smart contract, before he kills the victim, within a given time slot.  If the victim's death is not acted through the oracle of the life insurance contract, the potential murderer has lost his funds, and these are added to the reward of the next candidate-murderer.   So, there's a smart contract that runs a cryptofatwa on Joe Schmoe, and offers, say, 1000 BTC to his killer.  If Jack proposes himself to the contract as the candidate murderer, he has to put, say, 100 BTC stake.  This locks the contract (no other murderer can apply) for, say, 3 weeks.  Jack submits in his payment also an address for his reward (his mother's address).  If the contract observes that Joe Schmoe is dead before 3 weeks, it pays 1100 BTC to the address Jack provided ; if not, Jack lost his 100 BTC, and now the contract is open again, and the reward is now 1100 BTC. Maybe Jack simply needed more time: he can stake again.  Or, Joe Schmoe may stake himself, to win 3 weeks of his life.  And stake again, and again, and again.  But for each 3 weeks he buys himself for 100 BTC, he augments the attractiveness of his killing !
Of course, it is maybe wiser to use ZCASH or monero or the like.  The LN technology makes this possible once atomic swaps are implemented.  Note that the contract remains valid, even if the police trace me, torture me, hang me, and burn me publicly at the stake in the middle of town.  I launched it, but I cannot stop it.  Even if I'm dead, it will keep running.

Once we have such crypto fatwa, the door is open to unlimited bribery.   What if I ask a politician to vote against a crypto-limiting law, or a crypto fatwa will be launched against his daughter ?  Ok, I can go to jail.  Would the judge dare to convict me BTW ?  Ok, I may even regret what I did.  There's no stopping this thing.

Let us up the stakes a bit more: let us now have a self-propagating contract over all descendants of the victim.  The crypto equivalent of what the Knights Templar did when he cursed the French king until the 13th generation.   But with earthly rewards for the killer, or his family, not promises of virgins, paradise or whatever religious smoke and mirrors....

Is that good enough as a John Kramer story before bed time ?
Anti-Cen
February 03, 2018, 06:00:22 PM
#105

Remember Salman Rushdie, who had to hide because he had written a book that was to the disliking of some Islamic leaders in Iran, who pronounced a fatwa over him

Yes it's getting a bit like that around here too: if you offend members of the bitcoin faith, they attack you and spew out all kinds of bullshit.

My understanding of contracts on ETH is you can write one to move money from A-B and take a commission fee but have code within the deployed contract that says on the 1st June 2020 send all payments to my account.

Bitcoin is only pretending to use smart contracts because no one has told me how to upload "Smart contracts" or even what the scripting language will be, so maybe it's some values on the Lightning Network where the banking hubs can set the transaction fee or something.

EVO seems to have the best "Smart Contracts" and windows developers can write them in C# or even use JavaScript
 

dinofelis
February 04, 2018, 04:05:01 PM
#106

I just fell on this gem by Satoshi.  It makes me think that Satoshi didn't fully understand his own system.

http://satoshi.nakamotoinstitute.org/posts/bitcointalk/188/

"I anticipate there will never be more than 100K nodes, probably less."

Unless Satoshi has a sense of humour and of understatement, and given that he previously wrote:

http://satoshi.nakamotoinstitute.org/emails/cryptography/2/#selection-67.0-75.14

"Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes."

he's anticipating there would be less than 100K mining nodes.

Let us think through what that would mean if there were 100K nodes, each having, in the best of cases, exactly the same hash rate.  Given that 52000 blocks will be generated per year, it means that each node will on average win one block every two years.

Now let us see what that would mean.  Given that finding a block is a Poisson process, the probability of not finding a single block in time T will be:

P(T) = exp(-T/(2 years)).

It means that the probability that you have been mining for 4 years is 13% ; it means that the probability that you have been mining for 6 years and not one single block, is 5%.

Who could support the costs of mining without revenue over such periods ?  Most probably your hardware is obsolete before you had anything!
Can you imagine having started mining in 2013, and still not have a single block ?  Not one cent of revenue ?

In reality of course, not all miners will be equal, which makes it even much, much worse for the smaller ones.  In reality, one could at most expect a few hundred solo miners.  We observed that the market decided upon 10 or something.
cellard
February 04, 2018, 04:49:15 PM
#107



One can say: maybe he realized that his 2008 scaling solution was going to "centralize" is system, so he simply put in something that would push people to invent an off-chain way of using it.  In other words, he put in this limit because he understood that block chain tech doesn't scale, contrary to his 2008 explanation, and considered that people should invent something that solves it in another way.  In other words, he did this to push people to invent the LN.

But that doesn't hold water either.  Given that he didn't know whether something like the LN could even be invented, and given that he didn't know when it would be invented, and what would have been its needs, crippling the only solution you have, of which you've explained how it would scale, would have been extremely dangerous.  If the LN would only have been invented in 2025, bitcoin would have been dead already by the time it could have been invented.  That's akin to jumping out of an air plane, and hoping you'll invent a parachute while falling.


Hal Finney predicted "more or less" LN back in the day:



Actually there is a very good reason for Bitcoin-backed banks to exist, issuing their own digital cash currency, redeemable for bitcoins. Bitcoin itself cannot scale to have every single financial transaction in the world be broadcast to everyone and included in the block chain. There needs to be a secondary level of payment systems which is lighter weight and more efficient. Likewise, the time needed for Bitcoin transactions to finalize will be impractical for medium to large value purchases.

Bitcoin backed banks will solve these problems. They can work like banks did before nationalization of currency. Different banks can have different policies, some more aggressive, some more conservative. Some would be fractional reserve while others may be 100% Bitcoin backed. Interest rates may vary. Cash from some banks may trade at a discount to that from others.

George Selgin has worked out the theory of competitive free banking in detail, and he argues that such a system would be stable, inflation resistant and self-regulating.

I believe this will be the ultimate fate of Bitcoin, to be the "high-powered money" that serves as a reserve currency for banks that issue their own digital cash. Most Bitcoin transactions will occur between banks, to settle net transfers. Bitcoin transactions by private individuals will be as rare as... well, as Bitcoin based purchases are today.

But LN is much better than what he envisioned.

And this post is very old, but they already knew it wouldn't scale on-chain. People buying coffees on-chain all over the world fast and cheap was always delusional, but LN can save the day.

Satoshi also predicted people going against blocksize increases:

Piling every proof-of-work quorum system in the world into one dataset doesn't scale.

Bitcoin and BitDNS can be used separately.  Users shouldn't have to download all of both to use one or the other.  BitDNS users may not want to download everything the next several unrelated networks decide to pile in either.

The networks need to have separate fates.  BitDNS users might be completely liberal about adding any large data features since relatively few domain registrars are needed, while Bitcoin users might get increasingly tyrannical about limiting the size of the chain so it's easy for lots of users and small devices.


I don't believe in conspiracy theories, everyone was trying to do what was seen as best at the time. Satoshi didn't predict big centralization in mining, so we can't have huge blocksizes, it will need to scale off-chain. LN is the best technology out there to scale a coin worldwide. If it fails, we can always go back to layer 0 and still have a decentralized enough network and use it as a store of value only (yes, Bitcoin IS decentralized, when was the last time you saw a miner selecting a transaction he didn't like and blocking it? because that is what decentralization is, being able to donate to Wikileaks freely, and the same goes for the protocol, no one can change it in a centralized fashion; sure the mining could be better, but the power distribution is spread across different parties enough to be called decentralized). As for the initial specs of Bitcoin (that is, the 21 million coin limit, the blocksize, and so on).. well, it had to start somewhere, I don't know what you suggest there.


dinofelis
February 04, 2018, 05:48:01 PM
#108



One can say: maybe he realized that his 2008 scaling solution was going to "centralize" is system, so he simply put in something that would push people to invent an off-chain way of using it.  In other words, he put in this limit because he understood that block chain tech doesn't scale, contrary to his 2008 explanation, and considered that people should invent something that solves it in another way.  In other words, he did this to push people to invent the LN.

But that doesn't hold water either.  Given that he didn't know whether something like the LN could even be invented, and given that he didn't know when it would be invented, and what would have been its needs, crippling the only solution you have, of which you've explained how it would scale, would have been extremely dangerous.  If the LN would only have been invented in 2025, bitcoin would have been dead already by the time it could have been invented.  That's akin to jumping out of an air plane, and hoping you'll invent a parachute while falling.


Hal Finney predicted "more or less" LN back in the day:



Actually there is a very good reason for Bitcoin-backed banks to exist, issuing their own digital cash currency, redeemable for bitcoins. Bitcoin itself cannot scale to have every single financial transaction in the world be broadcast to everyone and included in the block chain. There needs to be a secondary level of payment systems which is lighter weight and more efficient. Likewise, the time needed for Bitcoin transactions to finalize will be impractical for medium to large value purchases.

Bitcoin backed banks will solve these problems. They can work like banks did before nationalization of currency. Different banks can have different policies, some more aggressive, some more conservative. Some would be fractional reserve while others may be 100% Bitcoin backed. Interest rates may vary. Cash from some banks may trade at a discount to that from others.

George Selgin has worked out the theory of competitive free banking in detail, and he argues that such a system would be stable, inflation resistant and self-regulating.

I believe this will be the ultimate fate of Bitcoin, to be the "high-powered money" that serves as a reserve currency for banks that issue their own digital cash. Most Bitcoin transactions will occur between banks, to settle net transfers. Bitcoin transactions by private individuals will be as rare as... well, as Bitcoin based purchases are today.

But LN is much better than what he envisioned.


Ah, that's interesting.  When you contrast that with Satoshi's November 2008 e-mail, where he clearly explained how 100 MB blocks were no problem, and how users would use SPV clients ; and when you see that Hal Finney was the one pushing for the 1 MB limit according to some, we now see that Hal Finney finally took power over Satoshi.  Hal Finney is writing here exactly the same objection that Satoshi already replied to in November 2008: "of course we don't send all transactions to all users".

Satoshi never had any doubts about the scaling non-problem from the beginning. Most users simply didn't need the block chain, and that's exactly why he introduced the SPV possibility with the Merkle tree - otherwise there's no need for a Merkle tree structure in Bitcoin ! The single reason Satoshi invented the ordering of the blocks in a Merkle tree is that this allows SPV.  If blocks are to be used as a whole, you can simply calculate a single hash of the entire block.  Nowhere else do you need any Merkle tree.  The Merkle tree is a way to have a minimal number of steps of verification of presence of a piece of data in a block, and really becomes useful only when blocks are very large.
Otherwise you could even resort to a sub-list, that is, a block is a linear list of transactions, and to each transaction corresponds a hash, that can itself be included in a hashed linked list of "hash blocks" all the way to the block header, containing the hash of the last "hash header".  The problem is that this list goes as N, when N is the number of transactions in a block.  A Merkle tree does the same, but the depth goes as log2(N).  This becomes a significant thing when N becomes very large, that is, when blocks become very big.  For 1MB blocks, with some 2000 transactions in it, this is not yet very significant.  If, in order to check that a given transaction T is in a given block, you need to get that famous "linked list" with 2000 entries, to see that your transaction T was indeed, in the K-th entry of those 2000 entries, that's still very feasible.  However, for a block of 100 MB, looking in the list of 200 000 entries, or looking in a path of the Merkle tree, only 18 steps deep, is a hell of a difference.

So from the very start, Satoshi designed bitcoin as a very big block system, of which only mining nodes need to have the full data burden, and of which all other users use SPV and connect to one of these nodes.

Quote
And this post is very old, but they already knew it wouldn't scale on-chain. People buying coffees on-chain all over the world fast and cheap was always delusional, but LN can save the day.

Nope, it wasn't in Satoshi's vision.  But clearly Hal Finney didn't understand Satoshi's vision, or didn't agree with it.

Quote
Satoshi also predicted people going against blocksize increases:

Piling every proof-of-work quorum system in the world into one dataset doesn't scale.

Bitcoin and BitDNS can be used separately.  Users shouldn't have to download all of both to use one or the other.  BitDNS users may not want to download everything the next several unrelated networks decide to pile in either.

The networks need to have separate fates.  BitDNS users might be completely liberal about adding any large data features since relatively few domain registrars are needed, while Bitcoin users might get increasingly tyrannical about limiting the size of the chain so it's easy for lots of users and small devices.

That's very funny, because Satoshi here takes the entirely opposite stance from the one he took when he laconically waved away Jeff Garzik's opposition to his introducing this limit in the first place, for exactly the same reasons.

Quote
I don't believe in conspiracy theories, everyone was trying to do what was seen as best at the time. Satoshi didn't predict big centralization in mining, so we can't have huge blocksizes, it will need to scale off-chain.

If mining is centralized, bitcoin is of course centralized, and everything you build on it just as well.  The problem is that people see decentralization as a goal, while it was a tool.  Decentralization was a tool to make bitcoin work correctly.  After all, the ONLY thing you want from bitcoin, is that you can do transactions, and verify transactions.  Exactly how that comes about, doesn't really matter (unless it becomes a kind of sales argument in itself of course).  Whether it is the impossibility to leave a Nash equilibrium because of "massive collusion needed too difficult and too impractical to be plausible", which is the decentralization method, or by market forces ("if I do stupid things as a miner, my entire investment in hardware will become an expensive doorstop"), it doesn't matter.  What one simply wants, is that one can do transactions, that's all bitcoin is good at.  Even if bitcoin were entirely centralized in one big data centre, but because of its investment and market forces, it kept on running bitcoin as it should, that's just as good.

Quote
LN is the best technology out there to scale a coin worldwide. If it fails, we can always go back to layer 0 and still have decentralized enough network and use it as a store of value only (yes, Bitcoin IS decentralized, when was the last time you saw a miner selecting a transaction he didn't like and blocking it? because that is what decentralization is, being able to donate to Wikileaks freely, and same goes for the protocol, no one can change it in a centralized fashion;

Well, as I just said, decentralization is a tool to obtain a result ; but other tools can work just as well.  So it is not because you see that the system works well, that you can conclude that decentralization is at work.  In fact, if you think about it, you see that it isn't the case, because it is very easy, TECHNICALLY, for this to fail.

You know very well that there are 3 or at best 4 mining pools that make a good majority of the blocks. If these 3 or 4 entities sit together and decide NOT to include a given transaction, and NOT to mine on a block that includes this transaction, then, I hope you agree with me, that technically this transaction will not be included.  Simply because with the hash rate they command, the longest chain rule will never include this transaction.  Other mining pools including this transaction will make orphaned blocks ; or they can be informed that they shouldn't even try.  You know just as well as I do, that *purely technically*, according to bitcoin's rules, that is perfectly possible, and nobody violated any rule in doing so.

A decentralized system would not permit such thing to happen, because 2000 people would have to agree to do so, and the hypothesis of decentralization is exactly that such a collusion is not going to happen because too massive, too difficult, and internally too inconsistent.  That's the core idea of decentralization: a super-Nash equilibrium that can only be broken by such massive collusion, that that collusion in itself, is not realistic.

Well, in bitcoin's mining landscape today, this kind of collusion is theoretically extremely possible.  I used to joke that bitcoin is more centralized than the Euro.  In order to decide something for the Euro, 15 finance ministers have to agree ; in bitcoin, 3 or 4 mining pool owners have to agree.

But, I agree with you, this is not happening (yet).  Why is this not happening ?  Because of the market. Because these mining pools and their miner subcontractors have a lot of investment in bitcoin mining, and if ever this would get known, their mining equipment might become an expensive doorstop.  But if that argument holds, then a totally centralized miner will be just as sensitive to this, and will just as well let through all transactions.

So, bitcoin can work, even though its functioning is not any more guaranteed by a decentralized game theoretical argument ; now it is a market sensitivity argument.  Miners are in the business for money, they don't want to risk their investment.  Whether they are 1, 2, 3 or 200.

But let us now think of something else.  Let us now think of bitcoin being legally accepted everywhere, and being legally framed, and recognized as a form of legal tender.  Let us also suppose that you get legal permits to be a bitcoin miner.  Given the huge amounts of energy that go into bitcoin mining, it is not a "do it in your basement" kind of activity, and you cannot do that underground.  We're talking about industrial installations, and these can very well be legally framed.  You might even get preferential electricity prices on the condition that you are registered.  Nothing tells you that this legal frame may not include a clause that puts you in a legal difficulty if ever your mining contributes to forbidden transactions.  As such, as a miner, you better connect to a mining pool that respects those engagements.  You can set up a contract, and the mining pool engages in only using your hash rate if it doesn't approve transactions given by an international committee (say, linked to Interpol or the likes). Your mining pool is now legally bound to not include such transactions, and not mine on top of blocks that do include such a transaction. But if you respect that, you're not only legally OK, you even have advantages like cheap power.  You pay taxes on your benefits, and you can enjoy your rich life of a miner in all legality.
If there is enough international collaboration over this, a majority of hash rate can fall in the hands of such legalized mining pools.  If they reject a transaction, they have a good legal reason to do so.   If the 4 or 5 most important mining pools are legalized that way, they will also be very attractive for industrial miners (they have contractually to do so).

Where's your decentralization now ?  You know that technically, the 4 or 5 majority mining pools can do so.  Now, they have a legal incentive.  Do you think your LN will save you from this ?  What idiot is going to lock in his coins with an entity that might get all further transactions blocked ?

This Gedanken Experiment shows you that if the bitcoin layer is centralized and potentially censored, the LN on top cannot be less censored. You cannot "win in decentralization" on top of a centralized system.   That's the equivalent of thinking you can run safely some code on a compromised computer.
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3374
Merit: 6531


Just writing some code


View Profile WWW
February 04, 2018, 06:14:18 PM
 #109

Ah, that's interesting.  When you contrast that with Satoshi's November 2008 e-mail, where he clearly explained how 100 MB blocks were no problem, and how users would use SPV clients ; and when you see that Hal Finney was the one pushing for the 1 MB limit according to some, we now see that Hal Finney finally took power over Satoshi.  Hal Finney is writing here exactly the same objection that Satoshi already replied to in November 2008: "of course we don't send all transactions to all users".

Satoshi never had any doubts about the scaling non-problem from the beginning. Most users simply didn't need the block chain, and that's exactly why he introduced the SPV possibility with the Merkle tree - otherwise there's no need for a Merkle tree structure in Bitcoin ! The very single only reason Satoshi invented the ordering of the blocks in a Merkle tree, is that this allows SPV.  If blocks are to be used as a whole, you can simply calculate a single hash of the entire block.  Nowhere else do you need any Merkle tree.  The Merkle tree is a way to have a minimal number of steps of verification of presence of a piece of data in a block, and really becomes useful only when blocks are very large.
Otherwise you could even resort to a sub-list, that is, a block is a linear list of transactions, and to each transaction corresponds a hash, that can itself be included in a hashed linked list of "hash blocks" all the way to the block header, containing the hash of the last "hash header".  The problem is that this list goes as N, when N is the number of transactions in a block.  A Merkle tree does the same, but the depth goes as log2(N).  This becomes a significant thing when N becomes very large, that is, when blocks become very big.  For 1MB blocks, with some 2000 transactions in it, this is not yet very significant.  If, in order to check that a given transaction T is in a given block, you need to get that famous "linked list" with 2000 entries, to see that your transaction T was indeed, in the K-th entry of those 2000 entries, that's still very feasible.  However, for a block of 100 MB, looking in the list of 200 000 entries, or looking in a path of the Merkle tree, only 18 steps deep, is a hell of a difference.

So from the very start, Satoshi designed bitcoin as a very big block system, of which only mining nodes need to have the full data burden, and of which all other users use SPV and connect to one of these nodes.

The SPV system that satoshi described involves fraud proofs, which are proofs that miners did not commit fraud. However we have no such thing today. From the paper (emphasis mine):

Quote
While network nodes can verify
transactions for themselves, the simplified method can be fooled by an attacker's fabricated
transactions
for as long as the attacker can continue to overpower the network. One strategy to
protect against this would be to accept alerts from network nodes when they detect an invalid
block, prompting the user's software to download the full block and alerted transactions to
confirm the inconsistency

Satoshi realizes that SPV is not secure, and that some method must be implemented in order for SPV nodes to know that they are not being defrauded, e.g. by full nodes giving them some alert. But the Bitcoin network does not support such a thing, so Satoshi's "SPV vision" does not work until such proofs can be made and be provably sound (i.e. you can't fake a proof).
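The quoted passage above contrasts a Merkle leg (log2(N) hashes) with a flat list of N transaction hashes. The following is an added example written for this page, not code from the thread or from any Bitcoin implementation: it builds a Bitcoin-style Merkle tree (double SHA-256, last hash duplicated on odd levels), produces and verifies the leg for one transaction, and compares the bytes an SPV client would fetch for the 2 000- and 200 000-transaction blocks the post mentions. The txids are constructed, not real.

```python
# Added example: Bitcoin-style Merkle tree, inclusion proof ("leg"), and proof-size
# comparison. Not code from the thread; txids below are constructed for the demo.
import hashlib
import math


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash for txids and Merkle nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(txids: list) -> list:
    """All levels of the tree, leaves first, root last. As in Bitcoin, a level with an
    odd number of hashes gets its last hash duplicated before pairing."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    levels = [list(txids)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level = level + [level[-1]]
        levels.append([dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def merkle_root(txids: list) -> bytes:
    return merkle_levels(txids)[-1][0]


def merkle_proof(txids: list, index: int) -> list:
    """The leg from one leaf to the root: one (sibling_hash, sibling_is_left) pair per
    level. Together with the block header, that is all an SPV client needs."""
    levels = merkle_levels(txids)
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_merkle_proof(txid: bytes, proof: list, root: bytes) -> bool:
    """Recompute the path from the leaf up; the client never sees the other transactions."""
    node = txid
    for sibling, sibling_is_left in proof:
        node = dsha256(sibling + node) if sibling_is_left else dsha256(node + sibling)
    return node == root


def proof_depth(n_tx: int) -> int:
    """Number of sibling hashes in a proof for a block of n_tx transactions."""
    return math.ceil(math.log2(n_tx)) if n_tx > 1 else 0


def inclusion_cost(n_tx: int) -> tuple:
    """Bytes fetched to check one transaction: Merkle leg versus a flat list of every
    txid in the block (32 bytes each)."""
    return 32 * proof_depth(n_tx), 32 * n_tx


def demo() -> dict:
    """Constructed data: seven fake txids; prove the fifth one is in the block."""
    txids = [dsha256(b"constructed tx %d" % i) for i in range(7)]
    root = merkle_root(txids)
    proof = merkle_proof(txids, 4)
    return {
        "depth": len(proof),
        "valid": verify_merkle_proof(txids[4], proof, root),
        "wrong_tx": verify_merkle_proof(txids[3], proof, root),
        "cost_1mb_block": inclusion_cost(2000),        # roughly the post's 1 MB block
        "cost_100mb_block": inclusion_cost(200_000),   # roughly the post's 100 MB block
    }


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner should know: the duplicate-last-hash rule means the transaction lists [a, b, c] and [a, b, c, c] produce the same root, which is why Bitcoin Core rejects blocks whose tree contains a duplicated pair (CVE-2012-2459). An SPV client that only checks the root cannot see that difference.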

dinofelis
Hero Member
*****
Offline Offline

Activity: 770
Merit: 629


View Profile
February 04, 2018, 07:27:13 PM
Last edit: February 04, 2018, 07:39:24 PM by dinofelis
 #110

The SPV system that satoshi described involves fraud proofs, which are proofs that miners did not commit fraud. However we have no such thing today. From the paper (emphasis mine):

I never understood that SPV was a check on the correctness of miners.  After all, without having all transactions explicitly you can never know whether or not these transactions were valid.  You cannot know whether there was a double spend or not.  You cannot know whether the signatures were valid or not.  You need to download the entire block to be able to verify that.
You cannot even begin to consider an SPV system that verifies the correctness of miners' verification work of a block.  So that could never be part of it.

The SPV system is not something that "keeps miners in check". The SPV system is a cryptographically secure way to know that a given transaction is part of a given block chain.  In that respect, it is working, and it is working correctly.  Wallets like electrum work that way as far as I understand.

In an SPV system, if one is given a transaction T, a leg in a Merkle tree M(T) leading to T, and the entire header chain, of which the top of the leg M(T) is included in the header chain, you know for sure that:

- this transaction T is part of the block B with the Merkle Tree M of which you have the leg M(T).
- this block B is part of the block chain of which you have the header list H.

From the header list, you can check the amount of proof of work.  In fact, one cannot give you a fake SPV result without at least having spent the proof of work leading up to the block B ; but if you have the header list H, one cannot give you a fake SPV result with less than the proof of work in the entire list H.

It is sufficient to check that the list H is part of the actual block chain that is being produced by the mining pools, to know that you are having a genuine transaction in the currently accepted consensus block chain.   So the only things you need for SPV to be absolutely foolproof is:
- that the header list H is sufficiently recent
- that the current mining pools are working on top of this header list.

As such, you simply need to request the last part of the header list H' from a few of the principal mining pools (or from a few full nodes of which you think they are up to date) and you know cryptographically that the transaction T that has been shown to you, is included in the currently accepted consensus block chain.   Note that it is essentially impossible that the currently active mining pools would be lying to you, because in order to lie to you, they would have to spend a lot of proof of work to give you a fake block header list ; moreover, it would be very difficult for them to do this in a simultaneous way.  They would need to spend as many hashes on the top list of, say, 10 blocks, as to mine 10 new blocks.

So, if you can obtain from the top mining pools:
- the last few block headers mined H'
- the SPV data (T, M(T), H)

in such a way that the end of H overlaps with H', you know 100% cryptographically for sure that T is part of the actual block chain.

Quote
Satoshi realizes that SPV is not secure, and that some method must be implemented in order for SPV nodes to know that they are not being defrauded, e.g. by full nodes giving them some alert. But the Bitcoin network does not support such a thing, so Satoshi's "SPV vision" does not work until such proofs can be made and be provably sound (i.e. you can't fake a proof).

No, what Satoshi refers here to, is that it could in principle be possible that your SPV provider is providing you with a fork of lesser PoW, that is not the main chain.  This is possible in a situation (as Satoshi saw things) where you have a very broad network of mining nodes, and one mining node decided to continue mining on his orphaned fork, and gives you the SPV results of that orphaned fork.  If you are not part of the full network, you might believe that this fork is the actual consensus, because you are not up to date to the actual chain. He might, while he's working on his false prong, include transactions that do not exist and that were never broadcast.

Note, however, that in order to do so, one has nevertheless to waste mining resources to make this false prong, in order to mislead you.

In order for this cheating to work, apart from having to mine the useless prong, he must also be sure that you are not contacting another node that might have the true current consensus block chain. In the current bitcoin structure, with much less different mining sources, even the price to make a fork is so large, that this is not a problem.  Miners don't waste time continuing on their fork.

Imagine that your "SPV provider" were a mining node that has somewhat less than 10% of the total hash rate, and is hence making a block every two hours or so.  He might, if he wanted to, put this hash rate in a fork, instead of putting it in the consensus chain (I don't see why but OK).  That fork grows slower, but it is a correct chain, and he can give you the SPV elements of that chain.  You may be tricked in believing a recent transaction on his prong, that is not part of the general consensus.

But from the moment that you know the real chain head, this won't work.  And the real chain head is given to you by the major mining pools.  Note that the danger Satoshi pointed out, is also a danger for a full node.  If a full node is kept apart from the rest of the network, and is only fed with a false prong, that full node will be just as gullible as your SPV client.
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 3374
Merit: 6531


Just writing some code


View Profile WWW
February 04, 2018, 11:06:16 PM
Last edit: February 05, 2018, 06:30:42 AM by achow101
Merited by ABCbits (1)
 #111

The SPV system is not something that "keeps miners in check". The SPV system is a cryptographically secure way to know that a given transaction is part of a given block chain.
I never said that SPV was to "keep miners in check". You are completely misunderstanding me.

Fraud proofs are necessary to have a cryptographically secure way to know that a transaction is part of a given blockchain AND that the transaction is valid. Yes, merkle trees ensure that a transaction is part of the blockchain. But nothing currently exists to prove that a transaction is valid without having to have the full transaction history. The only way that a transaction can be fully validated is to know the transactions that it spends from, and then the transactions those spend from, etc.

In that respect, it is working, and it is working correctly.  Wallets like electrum work that way as far as I understand.
No, it does not currently work, and it is not how Electrum works at all.

All that Electrum can do is know for certain that a transaction is included in a block. It must trust that the Electrum servers that it has connected to have actually verified the transaction. However if your Electrum wallet were to be connected to malicious Electrum servers, they could serve you invalid transactions which you would not know are invalid. Said transaction can be included as part of a block; the merkle root would be correct and the PoW of the block would be valid. BUT the block would contain an invalid transaction. For full nodes, this block would be entirely invalid and discarded. But we are talking about malicious Electrum servers here. So those malicious servers TELL YOU that the invalid transaction is actually valid, and so you accept it. There is no way for you to prove that the transaction is valid or invalid, Electrum simply does not have the data to fully verify the transaction. But we still have met all of the criteria that you wanted: the transaction is included in the merkle root and the block's PoW is valid. The big thing that you are missing is that the block includes an invalid transaction, and SPV wallets have no way of knowing whether the transaction is valid or not. Fraud proofs are required to prove that all of the transactions in a block are valid, and currently they do not exist nor is there a known way to make such proofs.

Just because a block has a valid PoW does not mean that all transactions in the block are valid. Just because they are included in the merkle root does not mean that all transactions in the block are valid. There is more to a valid block than just the merkle root and the PoW.



Edit: It's not worth my time to argue this with you. You clearly don't understand how Bitcoin or SPV wallets work. To my ignore list you go.

dinofelis
Hero Member
*****
Offline Offline

Activity: 770
Merit: 629


View Profile
February 05, 2018, 06:02:14 AM
Last edit: February 05, 2018, 06:27:05 AM by dinofelis
 #112

The SPV system is not something that "keeps miners in check". The SPV system is a cryptographically secure way to know that a given transaction is part of a given block chain.
I never said that SPV was to "keep miners in check". You are completely misunderstanding me.

Fraud proofs are necessary to have a cryptographically secure way to know that a transaction is part of a given blockchain AND that the transaction is valid. Yes, merkle trees ensure that a transaction is part of the blockchain. But nothing currently exists to prove that a transaction is valid without having to have the full transaction history. The only way that a transaction can be fully validated is to know the transactions that it spends from, and then the transactions those spend from, etc.

Nobody cares whether the transaction is valid, if it is included in the block chain of course !  The hypothesis of having to check whether transactions that are part of the SOLE current collective consensus might be "wrong" somehow, is making the hypothesis that bitcoin is entirely broken and that nobody gives a shit.

It would mean that miners have made a false block, that all other miners agreed to mine on top of that false block and then on top of that other block and so on.  If a false transaction is deeply buried within the block chain, and miners are still mining on it, and no "clean prong" exists that doesn't include that block, then bitcoin is entirely broken.  Because if that can happen, miners can just include ANYTHING.  They can include erroneously signed transactions, they can include transactions of which the sum of the outputs is 500 times the sum of the inputs, they can include a coin base transaction that gives them 2000 BTC, they can include headers that don't correspond to the Merkle tree, they could include a porn movie, anything.

Moreover, there's not even another block chain in this world that is made correctly, because the massive amount of PoW that goes in this botched-up block chain cannot be re-done elsewhere.  If the massive PoW voting power of the bitcoin miners collectively decide to make a botched-up block chain with false transactions in it, that's all there is to bitcoin, there is no clean version any more.

But even then, SPV is still working, in the following way: it is up to the payer to give you (by e-mail/ftp or other form of communication) the full history of his payment: that is, he has to give you the backward tree of all coinbase transactions and all successive transactions up to his payment to you.  That's quite some data, but unless all coins are mixed up with all other coins, still much, much less than the block chain.  For each transaction in this "pedigree", he needs to specify the block and Merkle tree leg.

With simply the block header list, you can verify the exactitude of his e-mail.  You don't even need an SPV server for that.  You can check the mini-block chain of the pedigree, from the coinbase of each origin at the leaves, all the way up to his last transaction to you.  You don't depend on any form of bitcoin network for that, except that you need to know the head of the current header list.  One single hash you need to know from bitcoin's system, and you can verify all the rest by yourself.

Of course, the payer needs to have all his previous transactions that way.  In other words, if you pay someone, you make a new transaction, you have to watch the bitcoin network in one way or another, and catch your transaction once it is included in a block.  From that, you can extract its SPV data (block header, Merkle leg, transaction).  And you don't care any more about the system.  No need for an extended P2P network.  Only the miner pool servers, or some derived servers from that.

It is true that this way, you cannot be sure that there are no double spends included in the block chain.  But this hassle is only necessary if we take it for granted that bitcoin is already entirely broken, and that miners collectively decide to continue to build a totally broken chain... Indeed, imagine that in the same block, the same coin is spent 500 times to different addresses.  Normally, this cannot happen, but our working hypothesis is that miners make false blocks.  So which one of the 500 transactions is the real one ?  Or is this coin dead now ?

Moreover, in what way would a full node be helpful here ?  A full node would have stopped for good when the first false block was mined.  All full nodes would have come to a grinding halt since a long time, because no miner made a correct block.  They wouldn't be able to tell you anything about recent "valid" transactions on a broken block chain.



dinofelis
Hero Member
*****
Offline Offline

Activity: 770
Merit: 629


View Profile
February 05, 2018, 06:19:27 AM
 #113

However if your Electrum wallet were to be connected to malicious Electrum servers, they could serve you invalid transactions which you would not know are invalid. Said transaction can be included as part of a block; the merkle root would be correct and the PoW of the block would be valid. BUT the block would contain an invalid transaction.

No, that block header would not be included in the block header list that ends in the last currently published block.  There's no way a malicious electrum server can tell me that a given transaction is in the block chain that ends in the known recent block on which miners are working now.

As I said before, there's no way to make me another block header list than the correct one, that ends in the recent block headers.  I only need to know ONE SINGLE number from the miners: the recent block header hash.  That single hash proves to me that any block header list that ends in that hash, is the actual, right one.  And nobody can lie to me as to any included transaction.  Not even with 90% of all hash rate.  Because there's only ONE SINGLE BLOCK CHAIN that can end in this hash, if the hash function is not broken.

This doesn't even have anything to do with proof of work.  You give me the last header hash, and nobody can lie to me as to anything included in the block chain. Because you cannot lie in a linked list of hashes, you cannot lie in a Merkle tree, and you cannot lie about the hash of a transaction.

Mathematically: even without PoW: if you have two block chains, B and B', build of a chain of headers which contain each the top of a Merkle tree of "data segments", and the top hash of the header list of B is equal to the top hash of the header list of B', then B is identical to B'.

If two tops of header lists are identical, the two lists are identical (up to same length, you could append BEFORE the genesis block, true...).  If the header lists are identical, the roots of the Merkle trees are identical.  And if two Merkle trees are identical, the data segments they hash are identical.
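The three posts above argue over what an SPV client's checks establish: dinofelis (#110, #113) lists header linkage, proof of work, a Merkle leg and agreement with the latest tip hash; achow101 (#111) describes a server that feeds the client a block containing an invalid transaction. The following is an added example written for this page, not code from the thread or from any Bitcoin software, that runs both sides on a toy chain. The 80-byte header layout, the little-endian hash-to-target comparison and the compact target encoding follow Bitcoin; the transaction format, the 50-coin subsidy, the very low difficulty and the restriction to one- and two-transaction blocks are assumptions made for the demo.

```python
# Added example, not from the thread: toy chain with Bitcoin-style headers. Shows that
# an SPV client's checks pin the transaction to the announced tip, but say nothing
# about whether the transaction is valid. Transaction format and subsidy are invented.
import hashlib
import struct

SUBSIDY = 50                 # toy block reward; fees are ignored in this model
EASY_BITS = 0x1F7FFFFF       # toy target (~2^247): about 512 hashes per block

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits: int) -> int:
    """Bitcoin's compact 'nBits' encoding, for exponents above 3 (all we use here)."""
    return (bits & 0x007FFFFF) << (8 * ((bits >> 24) - 3))

# Toy transactions: inputs are (txid, vout) pairs, outputs are plain amounts.
def txid(tx: dict) -> bytes:
    return dsha256(repr(sorted(tx.items())).encode())

def coinbase(tag: bytes) -> dict:
    return {"inputs": [], "outputs": [SUBSIDY], "tag": tag}

def merkle_root(txids: list) -> bytes:
    """Root for the one- and two-transaction blocks used in this demo."""
    return txids[0] if len(txids) == 1 else dsha256(txids[0] + txids[1])

# Headers use Bitcoin's real 80-byte layout: version, prev, merkle root, time, bits, nonce.
def header(prev: bytes, root: bytes, nonce: int, bits: int = EASY_BITS) -> bytes:
    return struct.pack("<I", 1) + prev + root + struct.pack("<III", 1516000000, bits, nonce)

def header_fields(raw: bytes) -> tuple:
    return raw[4:36], raw[36:68], struct.unpack("<I", raw[72:76])[0]   # prev, root, bits

def pow_ok(raw: bytes) -> bool:
    return int.from_bytes(dsha256(raw), "little") <= bits_to_target(header_fields(raw)[2])

def mine(prev: bytes, txs: list) -> bytes:
    """Nonce search from zero, so the result is deterministic for given inputs."""
    root = merkle_root([txid(t) for t in txs])
    for nonce in range(1 << 32):
        raw = header(prev, root, nonce)
        if pow_ok(raw):
            return raw
    raise RuntimeError("nonce space exhausted")

def spv_accepts(trusted_tip: bytes, headers: list, tx: dict, height: int, sibling: bytes) -> bool:
    """Everything an SPV client can check: headers link, each meets its own target, the
    last one is the tip the miners announced, and the Merkle leg (here one sibling on
    the left, the coinbase txid) reaches the root committed in the header."""
    for i, raw in enumerate(headers):
        if not pow_ok(raw) or (i > 0 and header_fields(raw)[0] != dsha256(headers[i - 1])):
            return False
    if dsha256(headers[-1]) != trusted_tip:
        return False
    return dsha256(sibling + txid(tx)) == header_fields(headers[height])[1]

def full_node_accepts(blocks: list) -> bool:
    """What only a full node can check: every input exists and is unspent, no transaction
    creates value, the coinbase stays within the subsidy. `blocks` is [(header, txs)]."""
    utxo, prev_hash = {}, b"\x00" * 32
    for raw, txs in blocks:
        prev, root, _ = header_fields(raw)
        if prev != prev_hash or not pow_ok(raw) or root != merkle_root([txid(t) for t in txs]):
            return False
        for tx in txs:
            if tx["inputs"]:
                total_in = 0
                for outpoint in tx["inputs"]:
                    if outpoint not in utxo:
                        return False        # nonexistent, already spent, or double spend
                    total_in += utxo.pop(outpoint)
                if total_in < sum(tx["outputs"]):
                    return False            # outputs exceed inputs
            elif sum(tx["outputs"]) > SUBSIDY:
                return False
            for n, amount in enumerate(tx["outputs"]):
                utxo[(txid(tx), n)] = amount
        prev_hash = dsha256(raw)
    return True

def scenario() -> dict:
    """A malicious SPV server mines its own second block paying Bob from an output that
    was never created. Every SPV check passes; the full-node check does not."""
    cb0, cb1 = coinbase(b"genesis"), coinbase(b"block 1")
    genesis = mine(b"\x00" * 32, [cb0])
    honest = {"inputs": [(txid(cb0), 0)], "outputs": [SUBSIDY], "tag": b"alice pays bob"}
    bogus = {"inputs": [(dsha256(b"never mined"), 0)], "outputs": [SUBSIDY], "tag": b"pays bob"}
    block1_honest = mine(dsha256(genesis), [cb1, honest])
    block1_bogus = mine(dsha256(genesis), [cb1, bogus])
    served = [genesis, block1_bogus]
    tip = dsha256(block1_bogus)   # the "one number" the client took from the server
    return {
        "spv_accepts_bogus": spv_accepts(tip, served, bogus, 1, txid(cb1)),
        "spv_accepts_tx_not_in_block": spv_accepts(tip, served, honest, 1, txid(cb1)),
        "full_node_accepts_bogus": full_node_accepts([(genesis, [cb0]), (block1_bogus, [cb1, bogus])]),
        "full_node_accepts_honest": full_node_accepts([(genesis, [cb0]), (block1_honest, [cb1, honest])]),
    }
```

Both posters are right about different things: a transaction that is not in the block whose header hashes to the trusted tip cannot be proved in (the second result is False), but a transaction that spends nothing real can still sit under a valid header with valid proof of work (the first result is True). The attacker pays the proof of work for that block; at real difficulty that is expensive, at this toy difficulty it is a few hundred hashes. What the SPV client cannot do is tell the two cases apart without the UTXO set, which is exactly what full validation brings.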
nullius
Copper Member
Hero Member
*****
Offline Offline

Activity: 630
Merit: 2610


If you don’t do PGP, you don’t do crypto!


View Profile WWW
February 05, 2018, 10:03:41 AM
Merited by ABCbits (1)
 #114

Anonymous Kid wrote:  “Why the fuck did Satoshi implement the 1 MB blocksize limit?”

To mess with your head, you vulgar retard, because he hates you personally.  To let us know who the quality posters aren’t, by inciting the creation of trashy megathreads such as this one; he trolled you!  Most of all, to divide the wheat from the tares in the realm of Bitcoin engineering:  People’s blocksize opinions rapidly expose their true (mis)understanding of scaling issues.  Scaling is always a hard engineering problem; and he wanted for it to be easy to spot those who are innately incapable of ever grasping it.

But mostly just to mess with your head, personally, and laugh at you.

(Giving the answer which the question is worth.  I did not need to read more than the subject line to know that this was a stupid thread, which I studiously ignored until it refused to die.  @#$@)


What is amazing in this, however, is how elementary and fundamentally wrong it is.  It denies the very design of bitcoin !

The design of Bitcoin is a subject about which you demonstrate worse than zero understanding, insofar as misconceptions must be unlearned.  You really ought to go study up on how Bitcoin actually works before you spout off.  You don’t even grasp the basics.  You talk as if you learned all you know by reading /r/btc.



Edit: It's not worth my time to argue this with you. You clearly don't understand how Bitcoin or SPV wallets work. To my ignore list you go.

Nobody cares whether the transaction is valid, if it is included in the block chain of course !

WRONG.  Invalid transactions do not exist in the blockchain, because they cause the containing block to be rejected as invalid.

Thus highlighting the flaw in premise underlying this ramble of a disorganized thinker:

Nobody cares whether the transaction is valid, if it is included in the block chain of course !  The hypothesis of having to check whether transactions that are part of the SOLE current collective consensus might be "wrong" somehow, is making the hypothesis that bitcoin is entirely broken and that nobody gives a shit.

It would mean that miners have made a false block, that all other miners agreed to mine on top of that false block and then on top of that other block and so on.  If a false transaction is deeply buried within the block chain, and miners are still mining on it, and no "clean prong" exists that doesn't include that block, then bitcoin is entirely broken.  Because if that can happen, miners can just include ANYTHING.  They can include erroneously signed transactions, they can include transactions of which the sum of the outputs is 500 times the sum of the inputs, they can include a coin base transaction that gives them 2000 BTC, they can include headers that don't correspond to the Merkle tree, they could include a porn movie, anything.

Moreover, there's not even another block chain in this world that is made correctly, because the massive amount of PoW that goes in this botched-up block chain cannot be re-done elsewhere.  If the massive PoW voting power of the bitcoin miners collectively decide to make a botched-up block chain with false transactions in it, that's all there is to bitcoin, there is no clean version any more.

Yes, a miner could fill a block with the output of /dev/random, if he wanted.  However, he would only waste electricity on his own bill; for “Joes [] running nodes in their basement” (as you like to deride nodes) would treat the block as if it were /dev/null.

There is no voting on the Bitcoin network, not “PoW voting” and not otherwise.  Nodes do not blindly follow the chain with highest POW; rather, they follow the chain which is fully valid and independently validated by each of them and has the highest total POW.

Moreover, in what way would a full node be helpful here ?  A full node would have stopped for good when the first false block was mined.

Wrong.  The node will ignore the “false block” as if it had never existed.

Such is the power of nodes.

(Now, how’s that for conciseness?)

dinofelis
Hero Member
*****
Offline Offline

Activity: 770
Merit: 629


View Profile
February 05, 2018, 10:32:36 AM
Last edit: February 05, 2018, 10:49:50 AM by dinofelis
 #115

Moreover, in what way would a full node be helpful here ?  A full node would have stopped for good when the first false block was mined.

Wrong.  The node will ignore the “false block” as if it had never existed.

Such is the power of nodes.

The problem is that you didn't even understand the logic of the arguments here.

Achow101 argued that a risk of using SPV is that one could be tricked in accepting a transaction that was present in the correct block chain that was at the same time a double spend.  In order for that to be a risk, you have to accept already that there HAS BEEN a double spend somewhere in a past block that is included in the current block chain on which everyone is building.  It means hence, that there was a past block (say, block number 506072) that contains a double spend, and that miners are still happily building on top of that.  Otherwise, the SPV user cannot be tricked in believing such a double spend, because it is not present in the block chain.  So one needs to reason as if that were the case.

Achow101's argument is that if such were the block chain, that my SPV client could be tricked in accepting that double spend as true.  That is correct.  My SPV client could indeed simply be convinced that, as it stands, a given transaction was indeed, in the actual block chain and I wouldn't know that it was a double spend that miners had simply accepted.  

MY argument, like yours BTW, if you could think somewhat logically, is that if ever that were the case, then bitcoin is broken.  It means that already for a week or so, there is an invalid block in the chain, and miners don't mind, exchanges don't mind, nobody minds.

Now, if ever that were true, that is, if miners did include a double spend in block 506072 and continued to mine on top of that, then every full node would come to a full stop at block 506071, because they would reject block 506072 as invalid (containing a double spend).  However, as miners have been mining on top of that invalid block 506072 by hypothesis, and are now at block 507762 or so, there is, nowhere in this world, a successor prong to block 506071 that full nodes would accept.  The only blocks that have been made are 506072,506073.... 507762 and are ALL INVALID according to the full node, and no other blocks have ever been made.  So it comes to a full stop, for good.  Because no "good blocks" 506072, 506073,... have ever been mined.

The difficulty with this kind of argument for a limited mind is that it contains too difficult a form of argument which is called "reductio ad absurdum".  So it is quite normal for some not to be able to follow.   Grin  https://en.wikipedia.org/wiki/Reductio_ad_absurdum

I claim that SPV is secure.
Achow101 argues that there is a case where it is insecure.

My argument is: if ever your argument were true, then.... (absurdities) ; which you confirm (!).

Hence, Achow101's argument cannot be valid, and hence my claim that SPV is secure, stands.
DooMAD
Legendary
*
Online Online

Activity: 3766
Merit: 3099


Leave no FUD unchallenged


View Profile
February 05, 2018, 10:52:00 AM
 #116

The problem is that you didn't even understand the logic of the arguments here.

Nope, you've misconstrued what they've said.  They're saying that SPV users rely on someone to give them a correct copy of the blockchain because SPV clients are not checking the history to validate if what they've received is correct.  The theoretical double spend wouldn't be in the actual blockchain that everyone else can see, it would be in the fraudulent copy being given to the SPV user.  Read what achow101 said again:

In that respect, it is working, and it is working correctly.  Wallets like electrum work that way as far as I understand.
No, it does not currently work, and it is not how Electrum works at all.

All that Electrum can do is know for certain that a transaction is included in a block. It must trust that the Electrum servers that it has connected to have actually verified the transaction. However if your Electrum wallet were to be connected to malicious Electrum servers, they could serve you invalid transactions which you would not know are invalid. Said transaction can be included as part of a block; the merkle root would be correct and the PoW of the block would be valid. BUT the block would contain an invalid transaction. For full nodes, this block would be entirely invalid and discarded. But we are talking about malicious Electrum servers here. So those malicious servers TELL YOU that the invalid transaction is actually valid, and so you accept it. There is no way for you to prove that the transaction is valid or invalid, Electrum simply does not have the data to fully verify the transaction. But we still have met all of the criteria that you wanted: the transaction is included in the merkle root and the block's PoW is valid. The big thing that you are missing is that the block includes an invalid transaction, and SPV wallets have no way of knowing whether the transaction is valid or not. Fraud proofs are required to prove that all of the transactions in a block are valid, and currently they do not exist nor is there a known way to make such proofs.

Just because a block has a valid PoW does not mean that all transactions in the block are valid. Just because they are included in the merkle root does not mean that all transactions in the block are valid. There is more to a valid block than just the merkle root and the PoW.

You could think you had received some BTC from a transaction, but when you tried to spend it, the rest of the network wouldn't validate it because you didn't actually have the funds, despite the copy of the blockchain you received saying you do have the funds.  SPV users have to rely on honest nodes.

dinofelis
Hero Member
*****
Offline Offline

Activity: 770
Merit: 629


View Profile
February 05, 2018, 11:46:41 AM
Last edit: February 05, 2018, 12:01:31 PM by dinofelis
 #117

The problem is that you didn't even understand the logic of the arguments here.

Nope, you've misconstrued what they've said.  They're saying that SPV users rely on someone to give them a correct copy of the blockchain because SPV clients are not checking the history to validate if what they've received is correct.  The theoretical double spend wouldn't be in the actual blockchain that everyone else can see, it would be in the fraudulent copy being given to the SPV user.  Read what achow101 said again:

No, that is cryptographically impossible.  You cannot give a "fraudulent copy of the block chain headers" to an SPV user, if that user knows the currently actual block chain headers, in exactly the same way full nodes do.  In as much as full nodes can know the latest few block headers, an SPV user can know them too, and in as much as you can trick an SPV user into believing the last few block headers are different from what is actually mined on right now, you can just as well trick a full node into that.

Moreover, "tricking someone into a false block chain header list" requires you in any case to spend PoW on that block chain header list of the same order of magnitude as the prong you want your SPV victim to believe.  If you do that, you can just as well trick a full node into your prong.

Quote
You could think you had received some BTC from a transaction, but when you tried to spend it, the rest of the network wouldn't validate it because you didn't actually have the funds, despite the copy of the blockchain you received saying you do have the funds.  SPV users have to rely on honest nodes.

No, as I outlined, that is not possible.  In order to trick me into believing that, you have to provide me with of course the fake transaction, but you also have to provide me with the leg of the Merkle tree that connects its root to the transaction.  That Merkle root is included in the block chain header list I have.

If that header list is ending on the block chain headers that mining pools are currently mining on, then I know that that transaction is a part of the very block chain miners are mining on right now.  That is exactly the same block chain that full nodes have right now also.

Again: if, of two block chains, the leading heads of the header blocks are the same, both the ENTIRE BLOCK CHAINS are identical.

So there's no such thing as a rogue SPV server, IF I can have access to the latest block headers being mined right now.  And even if I cannot have access to the latest blocks being mined (and then, my full node wouldn't get access either), that "rogue SPV server" still has to spend a lot of PoW to make the false prong.  He will have to spend grossly as much PoW as attacking the real chain, and for this attack to succeed, he must also ensure he prevents me from learning about the real chain (that may have somewhat more PoW).   A full node is just as "vulnerable" to such an attack.

There is no more a rogue SPV server than there can be another rogue document server for a document of which I know the hash.  If I know the hash of a given piece of software, then no server can trick me into installing another piece of software.  As the last block header mined is equivalent to a kind of hash of the entire block chain, no-one is going to be able to serve me anything else and make me believe it.
However, the structure of the block chain makes it possible to "chop up" the document in small pieces: the transactions.  That's exactly why Satoshi did so.

If I can know the latest headers, I cannot be tricked into accepting anything in the block chain that a full node that is accepting these latest headers, wouldn't have accepted either.

The argument that achow101 put forward, was another situation, namely where in the actual chain, there were double spends included.  Indeed, as an SPV node, I can be made aware of an existing transaction in the actual chain, but I cannot know that that actual chain also includes a double spend, while a full node can.  But then, as I said, bitcoin is broken already.


Just to be absolutely clear: in the SPV system, the SPV user has the full block header chain of course, from the genesis block up to the current blocks.
He simply doesn't have the block bodies.  But he has all the headers.
Carlton Banks
Legendary

Activity: 3430
Merit: 3071
February 05, 2018, 12:04:54 PM
 #118

The problem is that you didn't even understand the logic of the arguments here.

Nope, you've misconstrued what they've said.  They're saying that SPV users rely on someone to give them a correct copy of the blockchain because SPV clients are not checking the history to validate if what they've received is correct.  The theoretical double spend wouldn't be in the actual blockchain that everyone else can see, it would be in the fraudulent copy being given to the SPV user.  Read what achow101 said again:

No, that is cryptographically impossible.  You cannot give a "fraudulent copy of the block chain headers" to an SPV user, if that user knows the currently actual block chain headers, in exactly the same way full nodes do.  


That isn't what he said, and you know it.


dinofelis, your only discernible input on this forum is misrepresenting facts in a (kind of) subtle way. Well, you're also good at avoiding direct debunking of the things you say which aren't true.

You ought really to be banned, as it's too obvious that you're not interested in any kind of constructive debate, and never have been (unfortunately, dinofelis is likely the owner of many accounts that have been created with a suspiciously similar style of debate, only adding to the perception that the owner is very intent on wasting everyone's time on Bitcointalk.org)

Vires in numeris
dinofelis
Hero Member

Activity: 770
Merit: 629
February 05, 2018, 12:06:43 PM
Last edit: February 05, 2018, 04:09:19 PM by dinofelis
 #119

All that Electrum can do is know for certain that a transaction is included in a block. It must trust that the Electrum servers that it has connected to have actually verified the transaction. However if your Electrum wallet were to be connected to malicious Electrum servers, they could serve you invalid transactions which you would not know are invalid. Said transaction can be included as part of a block; the merkle root would be correct and the PoW of the block would be valid. BUT the block would contain an invalid transaction. For full nodes, this block would be entirely invalid and discarded. But we are talking about malicious Electrum servers here. So those malicious servers TELL YOU that the invalid transaction is actually valid, and so you accept it.

I just realized you missed a crucial point of SPV here: the SPV user has the full list of block headers, but not of the block bodies.  As such, for this user to believe the Electrum server, the root of the given Merkle tree needs to be in one of the elements of the full list of block headers, which means it is part of the block chain "up to now".  I explained that earlier:

Quote from: me
So, if you can obtain from the top mining pools:
- the last few block headers mined H'
- the SPV data (T, M(T), H)

in such a way that the end of H overlaps with H', you know 100% cryptographically for sure that T is part of the actual block chain.

Here, H is the full list of block headers.

Edit:
see for instance: http://docs.electrum.org/en/latest/spv.html#spv

Quote
Simple Payment Verification (SPV) is a technique described in Satoshi Nakamoto's paper. SPV allows a lightweight client to verify that a transaction is included in the Bitcoin blockchain, without downloading the entire blockchain. The SPV client only needs to download the block headers, which are much smaller than the full blocks. To verify that a transaction is in a block, an SPV client requests a proof of inclusion, in the form of a Merkle branch.


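The check described in posts #117 and #119 (the SPV data (T, M(T), H) plus the independently obtained tip headers H'), as an added example that is not from the thread, Electrum or Bitcoin Core. Headers are simplified here to a previous-hash field and a Merkle root, and all transaction ids and blocks are constructed; the hashing follows Bitcoin's double-SHA256 and odd-leaf duplication rules.

```python
import hashlib

def dsha256(b: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def merkle_branch(txids, index):
    """Return (root, branch) for the leaf at `index`. The branch is the list of
    (sibling_hash, sibling_is_right) pairs a server hands to an SPV client.
    A level with an odd number of hashes duplicates its last hash, as Bitcoin does."""
    level, branch = list(txids), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sib = index ^ 1
        branch.append((level[sib], sib > index))
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch

def branch_root(txid, branch):
    """Recompute M(T) from T and its Merkle branch; this is all the client computes."""
    h = txid
    for sibling, is_right in branch:
        h = dsha256(h + sibling) if is_right else dsha256(sibling + h)
    return h

def header_hash(prev_hash, root):
    # Constructed simplified header: real headers also carry version, time, bits, nonce.
    return dsha256(prev_hash + root)

def spv_accepts(headers, tip_hashes_from_miners, txid, branch, height):
    """headers: H, the client's full list of (prev_hash, merkle_root) from genesis to tip.
    tip_hashes_from_miners: H', the last few header hashes obtained from another source.
    T is accepted only if H is one linked chain, H ends on H', and the branch for T
    lands exactly on the Merkle root stored in headers[height]."""
    hashes, prev = [], b"\x00" * 32
    for prev_field, root in headers:
        if prev_field != prev:
            return False            # headers do not link into a single chain
        prev = header_hash(prev_field, root)
        hashes.append(prev)
    k = len(tip_hashes_from_miners)
    if k == 0 or hashes[-k:] != tip_hashes_from_miners:
        return False                # H does not end on what miners are mining on
    return branch_root(txid, branch) == headers[height][1]
```

A server that substitutes a different transaction, a different branch, or a different header list fails one of the three checks; a double spend that sits inside the real chain is the case the check cannot see, as post #117 notes.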
dinofelis
Hero Member

Activity: 770
Merit: 629
February 05, 2018, 12:07:58 PM
 #120

The problem is that you didn't even understand the logic of the arguments here.

Nope, you've misconstrued what they've said.  They're saying that SPV users rely on someone to give them a correct copy of the blockchain because SPV clients are not checking the history to validate if what they've received is correct.  The theoretical double spend wouldn't be in the actual blockchain that everyone else can see, it would be in the fraudulent copy being given to the SPV user.  Read what achow101 said again:

No, that is cryptographically impossible.  You cannot give a "fraudulent copy of the block chain headers" to an SPV user, if that user knows the currently actual block chain headers, in exactly the same way full nodes do.  


That isn't what he said, and you know it.


Sigh.  Go back and read everything.  
