Why I don’t celebrate Neutrino
or why it is celebrated for the wrong reason
Introduction
Neutrino’s goal is to have a simple way for light bitcoin clients to synchronize the state of their wallet, without leaking your wallet information. The downside is that Bitcoin rules are not validated. It is a similar goal to BIP 37 but in a way more pragmatic, efficient, and privacy preserving way. And it is also way more easy to build a wallet on it.
Neutrino makes BIP 37 obsolete. And we should rejoice about it, BIP37 was fundamentally broken, and need to become just an archaeological curiosity.
I look forward the PR which remove BIP37 from Bitcoin Core code.
Neutrino is well specified in BIP 157 and BIP 158 and has been already integrated in NBitcoin by Lucas Ontivero and nopara73 because they needed it for Wasabi Wallet.
In general, I have been pretty silent about Neutrino, one of the reason is that I am not deep enough (nor interested) into computer science to judge the design decisions. Bitcoin developers have enough world class computer science experts to make me completely useless to the discussion.
What I am sure: Neutrino is way better than BIP37 by improving privacy, and is making it way easier to build light wallets.
However, the problem is: It can be used in a way which fundamentally weaken bitcoin in the long run, while giving short term advantages for its user… In short, like LaurentMT says “The path of least resistance” in UX term, which ultimately give miners more leverage.
Did everybody forgot what happened 1 years and a half ago with B2X?
Hooray! I am not alone.
Neutrino: the good, the bad and the ugly
So if you are using a Neutrino based light wallet on your phone, then it means that you phone is not validating the consensus rules of Bitcoin.
So if your wallet receive a filter for block X, how do you determine if this filter is not malicious?
- Trust a random third party node to not lie
- Ask to several third party nodes, accept if a threshold is passed (ie, if 3 nodes agrees that the filter is the same, accept it)
- Trust the miner (not possible now)
- Trust your own node
I think that 2 and 4 are both legitimate. I would advise 4, but I think the odds of Sybil attack by 2 are low enough. (This assertion is completely subjective)
I think there is no problem in there.
For choice 3: There has been proposal to commit to the filter in the block as part of a consensus rules. This will require a soft fork to which I will oppose, for the reason I will detail next.
But before evaluating if the filter is correct, how do you know if block X is correct?
- Trust a random third party node to not lie
- Ask to several third party nodes, accept if a threshold is passed (ie, if 3 nodes agrees that the block exists, accept it)
- Trust the most Proof of Work block
- Trust your own node
My point is that by far, the most systemic risk to bitcoin is 3!
Electrum wallet for example is using 1 and allows 4, which is to my mind, is the best for a light wallet.
Bad: Trust a random third party node to not lie
Pros:
- Very easy to implement
- Unpredictability on how users will behave if miners fork.
Cons:
- You can receive fake confirmation of payment
- Neutrino is almost useless for this (more details below)
Bad: Ask to several third party nodes, accept the block if a threshold is passed
Pros:
- Make the choice 1 attack harder to carry out
- Unpredictability of what happen if miners fork
Cons:
- Harder to implement
- You can still receive fake confirmation of payment, the attack is harder to carry out than connecting to a single node
- Neutrino is almost useless for this (more details below)
Ugly: Trust the most Proof of Work block
Pros:
- Easy to implement
- Protect against fake payments (in the case of targeted attack)
Cons:
- If all users use this, miners can change the consensus with little resistance
As a thought experiment, if 100% of the users are running this scheme, it is obvious that miner get lot’s of leverage and can change consensus rules at whim.
Of course, it is not realistic to think that 100% of users will trust proof of work. But then, it is just a matter of degree. While I can’t use cardinal numbers to properly quantify this, and nobody can, you can still assert, other things being equal, 11 users following most proof of work gives more leverage to miners than 10 using it.
You can’t assert the same thing with solutions connecting to random third party nodes.
There has been discussions about commit to the filter as part of the consensus rule. I will oppose to this because it encourages users to trust miners… Which seems safe on the surface in the short term, but bury the risks in the long run.
Don’t depends on the next generation to save the day with Samson’s hats the next time shit hit the fan.
Good: Trust your own node
Pros:
- Easy to implement
- Fully verify consensus rules
- No fake payment possible
- Does not give any leverage to miners
Cons:
- Hard to deploy (Shameless plug: Except if you use BTCPay Server)
- Neutrino is almost useless for this (more details below)
Neutrino is almost useless for this
Now, out of those 4 different ways to decide whether a block is valid or not, the only way it is useful is in the ugly case of trusting miners, which is dangerous in the long run for Bitcoin. Let me explain:
While it is technically possible to validate consensus rules on a phone, this is not practical. It costs lots of bandwidth and battery, phone are not adapted for this kind of usage. This mean that you need to a full node on some separate server and connect your light wallet to it.
Then you can connect to your own node, and use Neutrino to sync up the state of your wallet on the phone.
But why would you do this? If you trust a server, you can just ask for the state of your wallet to it directly like Electrum is already doing.
Downloading the filters Neutrino style and updating the wallet is still consuming bandwidth and has a bad UX: You need to wait that your wallet synchronize every time you start it. You don’t have such problem if you just have a trusted server handling the wallet’s state for you.
The reason why I consider Neutrino to be almost (and not completely) useless in this case is that it removes the need for any middleware other than a Bitcoin full node to operate, and that you don’t need full transaction index, which is resource consuming for servers. (The server side does not need a special, vendor specific API like exposed by LND, C-Lightning or Lightning Charge)
By making a wallet understand neutrino, and if BIP 157 and BIP 158 become part of Bitcoin Core, it behaves like a standard: Your wallet does not depends on anything else than a bitcoin full node. (Which I think is actually cool)
There is also, I admit, a privacy component to it: A client does not leak its UTXO to a random server as done in the Electrum case. But if you are using a lightning network wallet, your transactions still stay private.
Conclusion
I don’t hate Neutrino, despite having said “Neutrino makes me crazy”.
But the reason why I like Neutrino is very different from the reason more of Bitcoiners think.
Neutrino is useless if all you want is a lightning node working on a mobile. We already have this. What we don’t have, is a wallet which just connect to some random server the way Electrum is doing. But this is very easy to do, does not require Bitcoin P2P changes, and is way more user friendly and bandwidth saving than neutrino. (no need of downloading the filters)
Neutrino is ONLY cool to wallet developers who do not want to deal with different APIs for querying the state of their lightning node.
But please, if you decide to use it in your wallet and allow users to connect to random nodes on the network, don’t use the highest proof of work to validate whether a block is valid or not.
Better use a threshold mechanism (3 of your 4 peers agree that a block is valid, so it is valid). Yes it makes you weak to sybil attacks, and if you are scared of it, please use a full node. Such sybil attacks, in order to be profitable, need to be targeted, which will never happen to the majority of people. (And you should probably not store so much money in your mobile wallet if you are scared about losing it. Use a proper hardware wallet.)
If a fork happen where miners disagree with the Bitcoin chain, the wallet of the user will switch back and forth between the two chains and get into some kind of undefined and broken state. This force them, at this point, to take a conscious decision about what to do, instead of enrolling them by default to what the miners want.
By doing so, you remove incentive for miners to behave against the interest of users, because even users who do not even know or care that the miners go against their interests, or who does not give a shit about self-sovereignty, they will need to take conscious step to fix the undefined state of their wallet.
20 years down the road, Samson’s hats won’t be here to save the day against B3X, so take the right decision early.
