Gold collapsing. Bitcoin UP.

[AdrianX]

@Norway in Norway your fellow citizens are planing on storing and protecting the world's data.
http://www.wired.co.uk/article/norway-data-storage-vault

I estimate the blockchain if scaled for the world will be less than 0.1% of that data.

The cost of running a PoW node is not storing the data, it's in the bandwidth needed to relay transactions and blocks. Pruning helps solve the problem that the storing the blockchain for those who think it will be too cumbersome or large, it's a non issue, there are data hungry applications driving data storage, 4K home video being the first that comes to mind - bitcoin can't compete with that data demand.

If you want to join the network in a trust-less way you will want to validate from scratch or proof that the coins you are accepting are accounted for according to the rules.

If I understand correctly the limiting factor is managing the UTXO all available spend addresses. - and second to that is the bandwidth needed to propagate transactions.

The problem to a massive UTXO set is, it takes time to find and validate a transaction - that in turn slows down the network, in turn that puts an orphan risk on miners as miners who validate all transactions in a block. - the solution to a UTXO set that is too big to manage with available technology is a layer 2 transaction networks.

BS/Core are jumping the gun here with segwit and LN.

 

[Mengerian]

@Norway I agree that conceptually, Bitcoin as a system could work if not all the data ends up being stored. We could imagine a future system where the block chain can be pruned, and the UTXO set can be pruned.

This means that the people who care about certain data would have to ensure that that data is stored somehow. So you can imagine that if you have coins (ie, private keys that can be used to spend unspent outputs), miners may want to be provided with proof that that the unspent outputs exist when you go to spend the coins. So the holder of the coins would have an incentive to save the subset of UTXO data necessary for this.

That's interesting, because it means that the meta data in a transaction, like a hash serving as a timestamp of something, would not be carved in stone for all eternity.

Similar to the example above, although the data itself is not necessarily stored by third parties, as long as one person saves the necessary data, it will be "carved in stone for all eternity". The person who wants to use the data as a timestamp just needs to save the Merkle path from the block header to the hash in question. With this data they can prove, in a non-forgeable way, that the data existed at the time the block was mined.

 

[Norway]

The idea of downloading the whole blockchain just to verify the current UTXO when initializing a new node seems like a waste of time and resources.

Why not just add a field with a hash of the current UTXO in each block? Then you can download the UTXO from wherever, and verify that the UTXO is correct when you initialize a new node.

 

[Mengerian]

@Norway, Yeah, I agree. In the long run this is what I would expect to happen.

Even more generally, you can just download whatever subset of the data you are interested in. It doesn't even need to be the whole UTXO set. Maybe you just want some unspent outputs to prove that coins are spendable, or maybe you want some historical transaction to prove that certain coins have been spent.

We can imagine markets for this type of data in the future. Maybe light clients will have a way to pay for data they need, such as UTXO data, which would provide an incentive for nodes to store this data.

This is also why I find the concept of Fraud Proofs so interesting. Because depending on the data structures that enable the fraud proofs, they give you the ability to prove certain things about subsets of data in the block chain without needing the all the historical data. This makes it possible to imagine ways you could have confidence in the validity of a certain subset of data in the block chain without needing to download the entire block chain.

 

[Justus Ranvier]

Why not just add a field with a hash of the current UTXO in each block? Then you can download the UTXO from wherever, and verify that the UTXO is correct when you initialize a new node.

Remember that one of the problems Bitcoin is intended to solve is that you don't need to trust anyone to maintain the integrity of the currency supply. That was actually the very first thing Satoshi addressed in his announcement of Bitcoin.

The root problem with conventional currency is all the trust that's required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust.

If all nodes suddenly start completely trusting the miners to commit a valid UTXO set hash, then suddenly the trust model of Bitcoin has changed to one in which the miners are allowed to debase the currency as long as they can get a majority coalition to go along with the scheme.
If we want to maintain the Bitcoin security model then we really do need a working fraud proof system before doing something like committing a UTXO set hash into the blockchain.

 

[Norway]

@Justus Ranvier
Pruned nodes should always download and keep some of the last blocks. Let's say that the requirement is 100 blocks, the coinbase maturity period.

Each of these 100 blocks have a hash of their current UTXO. And each block represent the unique transformation of one UTXO to the next.

Yes, you have to trust that all nodes, 100 blocks deep, are correct.

I don't see the big difference in the trust model going from all historical blocks to just the last 100 blocks.

Maybe I'm missing something? I probably am, he he.

 

[Justus Ranvier]

@Norway It's really just a subset of the same problem underlying we need fraud proofs in the first place:

How does a node which has detected miner cheating communicate a warning to other network users in a way that does not require the other users to all possess a full copy of the blockchain in order to validate the warning?

Most of the ways that miners can cheat could already be proven with a compact message, and could be verified easily by light clients.

There are two tricky cases though, and enabling compact fraud proofs for those cases would require block format changes.

 

[Norway]

@Justus Ranvier
I would assume that all nodes would detect the miner cheating at the same time, and reject the block as invalid. No communication to warn others are needed.

 

[Justus Ranvier]

If we had a complete set of fraud proofs for blocks, then it would be straightforward and safe to extend them to cover committed UTXO sets.

Then we'd never really need to worry about how many full node existed in the world, as long as there was more than one.
[doublepost=1491270270][/doublepost]@Norway You've missed the point.

There's never been a problem of nodes lacking the ability to reject an invalid block. That's practically the definition of a node.

Fraud proof are for the benefit of all the other users of the network who lack this capability.

 

[Norway]

@Justus Ranvier
I wasn't really talking about SPV clients or fraud proofs.

I was trying to envision a future blockchain that is just 100 blocks long and not growing in size, just changing. More nimble to initialize and run.

And if anybody want to keep a museum of all historical transactions, they are free to do so. But it's not required for bitcoin to work.

I also envision a constant size of UTXO, proportional to the number of people in the world.

 

[Justus Ranvier]

If the ability to prove currency supply integrity isn't a big deal for you then what you really want is a proof of stake system.

 

[Norway]

Thanks for trying to answer my stupid questions, @Justus Ranvier

The ability to prove the currency supply integrity is important to me.

And I think that it's possible to do this with just pruned nodes with 100 blocks history.

You have to assume that the 100 last blocks build on previous blocks that have followed the correct block rewards and is a valid chain in every aspect.

And I think that would be a safe assumption.

 

[molecular]

The idea of downloading the whole blockchain just to verify the current UTXO when initializing a new node seems like a waste of time and resources.

Why not just add a field with a hash of the current UTXO in each block? Then you can download the UTXO from wherever, and verify that the UTXO is correct when you initialize a new node.

That's called "UTXO commitments" and it's been discussed for a long time. It's a good idea but it's technically a weakening of the security guarantees you get: the miners could theoretically screw you over in such a case and sneak in some "illegitimate" transactions (for example they could take some of satoshis old coins using invalid transactions (without valid sig)) without you being able to detect it. (They could also fiddle with the coin issuance schedule, but that would be detectable in the utxo set itself: just sum up all outputs and compare to what total supply *should* be)

Of course such attacks by the miners (they would have to collude, too) are far-fetched and to be honest: as long as I can somehow afford it I will run a fully validating node and because many will, it's very unlikely for miners to even try to pull this off. It would become public in no time. I personally don't see a future in which the tx history of bitcoin gets somehow lost (even just in small parts), so I don't think we have to debate this.

And I think that it's possible to do this with just pruned nodes with 100 blocks history.

You have to assume that the 100 last blocks build on previous blocks that have followed the correct block rewards and is a valid chain in every aspect.

Even better: you can still follow and verify the block headers back to the genesis block. So you can actually verify the cumulative work of the chain. SPV wallets like andreas' schildbachs android wallet do this afaik. So this comes back to the old Zankapfel: is it sufficient to simply trust the longest chain or does every "user" have to verify all the transactions in it. I personally think it's sufficient to simply trust the longest chain PLUS trust in the fact that there are enough people (not being silenced) who verify its accordance to certain rules.

 

[Justus Ranvier]

I personally think it's sufficient

A complete fraud proof system in Bitcoin would increase the degree to which everybody can get the level of security they think is sufficient.

 

[molecular]

If the ability to prove currency supply integrity isn't a big deal for you then what you really want is a proof of stake system.

hm? I fail to see the connection here, to be honest. Can you explain how PoS weakens the ability to be sure about the supply? I see how trusting UTXO commitments weakens this ability and how this can be even more problematic with PoS, but when verifying all transactions / blocks, I can be sure about the supply even with PoS, no?

 

[Norway]

@molecular
I don't see how miners could sneak in some "illegitimate" transactions.

My basic assumption is that a mining node could be pruned, with just a 100 block history.

I also assume that the system as a whole has the same security wheather 1% or 100% of nodes are pruned.



Soo... what about new nodes? Do they really need to download the whole blockchain to verify and build the UTXO?

I suggested that we could add a new field in the blocks to solve this. A field that contain the hash of the UTXO-set before the block was assembled.

When a node verify a block, it would also verify that the hash of the previous UTXO is correct. (Since the UTXO-hash is from the previous block, you have on average ten minutes to hash the UTXO before you need it.)


Imagine this initial sync process:

1. You download the last 100 blocks under the assumption that they build on the valid chain.

2. You download the UTXO-set of, say the oldest block, 100 blocks deep, from somewhere on the internet.

3. You hash that UTXO-set and check if it matches the hash in the 100 old block.

4. Then you go through the next 100 blocks and verify that everything is correct while building an increasingly more updated UTXO that will also match the UTXO-hashes in each block on the way.

5. Presto! You have a updated, pruned node, in a world where nobody stores the whole chain!

 

[xhiggy]

3. You hash that UTXO-set and check if it matches the hash in the 100 old block.

What if it doesn't match?

 

[Norway]

@xhiggy then the UTXO was fake. Try to find one that give the right hash. The UTXO could be downloaded from other nodes, bittorrent or wherever. I havent thought of the best way to download it. Only a way to verify that it's correct.

 

[xhiggy]

"then the UTXO was fake"

Couldn't it also mean that the UTXO is correct but the network is under attack? Then one would need the whole chain to verify.

Maybe I'm misunderstanding things...

 

[Richy_T]

If all nodes suddenly start completely trusting the miners to commit a valid UTXO set hash, then suddenly the trust model of Bitcoin has changed to one in which the miners are allowed to debase the currency as long as they can get a majority coalition to go along with the scheme.
If we want to maintain the Bitcoin security model then we really do need a working fraud proof system before doing something like committing a UTXO set hash into the blockchain.

Yes, this is the issue. There are many things that *can* be done with Bitcoin but, ultimately, that moves away from the model Bitcoin provides.

I currently see a push to classify LN as just another part of Bitcoin but, in fact, other than the opening and closing transactions, it is entirely separate and uses a different model. I am not against LN but when I see obfucations like that, I have to wonder what kind of machinations are going on (Mostly I suspect Segwit supporting propaganda at this stage)