Toms Blog

Where I talk about Bitcoin and Technology

Are SPV payments safe?

2018-01-27 bitcoin

There are still a lot of misconceptions out about SPV wallets, people make it seem like they are less useful than they are, and this is a shame.

SPV wallets are wallets with “Simplified Payment Verification”. A term that actually shows up in the original Bitcoin whitepaper from Satoshi Nakamoto.

The trick is that SPV wallets (which in practice is almost all wallets) check all the Bitcoin blocks, validate if the miners did their work but they do not download and check all the transactions. This limits the download and check of the entire 8 year blockchain to about 39 MB. Pretty neat eh?

So, what are people worried about?

Worry: The worry goes that since SPV doesn’t check 100% of the chain, it ends up trusting the miners.

Truth: It is incorrect to say that there is trust in the miners. Instead the trust is in the open market and human behaviour. Both of which have been proven many times.

The truth goes like this; Bitcoin is an entire ecosystem, from merchants to traders and users and miners. Take any of these away, and the value drops. The little validation that an SPV wallet does, actually includes the check that the miner did his “Proof of work” and various other checks. This means that the SPV wallet validated that the data we are seeing is in actual fact part of the Bitcoin ecosystem. An ecosystem that is based on the premise that cheating is more expensive than being honest.

For normal payments (say, below €10,000) you need to “trust” that the Bitcoin ecosystem is healthy. In the case of Bitcoin Cash, it certainly is.

Worry: SPV wallets have privacy worries, people can track your transactions to you.

Truth: This misunderstands lots of technology and misunderstands how SPV actually works. In actual fact, there is no privacy worry.

First the simple truth, practically all people that run their SPV wallet on their phone, or even at home, do NOT have a real internet-accessible IP address. We’ve had a shortage of addresses for decades now and your phone or internet provider use a trick called NAT where hundreds or even thousands of people share the same public IP address. This by itself already disqualifies the worry as you drown out in the crowd.

Second is that the app on your phone connects to 4 or more nodes. Different ones every time you use it. Any sort of tracking has to be done by those nodes. They didn’t pick you to connect to, you picked them randomly out of a pool of 10000 nodes. You have to be pretty unlucky to connect to various nodes especially set up to track you. Which they can’t due to the fact that they don’t get anything even remotely personal about you.

Last, the only thing that makes you possible to differentiate from others is when you shared a bitcoincash address with someone and you are waiting for a payment from that someone, and for that payment to actually be mined.

This basically means that the SPV wallet only needs to “expose” your traceable data for maybe 20-45 minutes or so, for each payment. So if you are not using the wallet a lot, you are good. On top of the doubtful statistics about connecting to a tracking node, which doesn’t have access to anything identifying anyway.