Q: In this video, John Newbery talks about verification vs computation, and he brings it up as a big reason why he thinks Bitcoin can scale but is skeptical about Ethereum. I think I get the general idea of what he's saying but I might be missing something.
Is there a qualitative difference between verification and computation? And is it the fact that Ethereum is capable of performing arbitrary computation that makes the whole thing difficult to scale, or is it specifically that smart contracts that require arbitrary computation won't be able to scale (as in, those contracts would be very expensive to run)?
A: There is a big difference between verification and computation.
1. Given the prime number 11,121,415,581,673,924,441, compute its prime factorisation.
2. Given the prime number 11,121,415,581,673,924,441, verify that 3,226,079,203 and 3,447,347,347 are its factors.
(1) is difficult for any classical computer to do if the numbers are large enough.
(2) is trivial, even for enormous numbers.
The difference between the two is what gives RSA its security (h/t John Newbery for the example).
Another way to think about this is by borrowing from an adjacent concept - the DoS attack. One way to DoS is to craft a request that requires little effort from the attacker, but lots of computational effort on the part of the defender. This asymmetric load means that an attacker can create tons of requests and paralyze a target under a pile of computational tasks that can't be filtered beforehand into honest requests or malicious ones.
Verification is the opposite. It should be easy to verify, which is why POW works. It requires a lot of computational work to create a hash with all those leading zeros, but easy to verify that it is correct. Do we care how the miner got there? Do we care if a miner started with a low nonce or high nonce or used some fancy mid-state hashing algo? Or do we just care to check that a block is valid, which approximates all the work that’s been done by the network to arrive at that result? Verification of this nature allows for the computational load to be done elsewhere, and all that ends up on-chain is the verifiable proof. SCRIPT is the same way. If you can satisfy the script you can spend the coins. Do we as non-participants care how this was arrived at, or do we just care that there is a succinct representation of this somewhere that we can verify?
Bitcoin’s SCRIPT remains very basic. Read over Satoshi’s reasoning for its inclusion. Things like miniscript, simplicity, and scriptless scripts are being developed to create more elaborate contracts. No matter how complex they get though, verification should remain easy. I know very little about ETH, but I keep hearing about their on-chain bloat. That may be all well and good for accommodating a world computer where consistent computational steps are integral to the system, but it doesn’t make much sense for money where verification of its authenticity and security is what really matters.
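The two asymmetries from the answer above, the factorisation check and proof-of-work, written out as runnable code so the cost difference can be timed. This is an added example, not code from the original post: the numbers are the ones in the answer's factorisation example, while the header bytes and the 20-bit toy difficulty are constructed assumptions (Bitcoin's real target is vastly harder).

```python
import hashlib
import time
from math import isqrt

# The 20-digit number and its two factors from the answer above.
N = 11_121_415_581_673_924_441
P, Q = 3_226_079_203, 3_447_347_347


def is_prime(n: int) -> bool:
    """Trial division to sqrt(n): roughly 29k odd divisors for the 10-digit factors here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def verify_factorisation(n: int, p: int, q: int) -> bool:
    """Checking a claimed factorisation: one multiply plus two cheap primality tests.
    The multiply is checked first, so is_prime() only ever runs on genuine factors."""
    return 1 < p < n and 1 < q < n and p * q == n and is_prime(p) and is_prime(q)


def _hash(header: bytes, nonce: int) -> int:
    return int.from_bytes(hashlib.sha256(header + nonce.to_bytes(8, "little")).digest(), "big")


def mine(header: bytes, difficulty_bits: int) -> int:
    """Computation side of PoW: try nonces until the hash has difficulty_bits leading zero bits."""
    target = 1 << (256 - difficulty_bits)
    nonce = 0
    while _hash(header, nonce) >= target:
        nonce += 1
    return nonce


def verify_pow(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification side: a single hash, however many the miner had to try."""
    return _hash(header, nonce) < (1 << (256 - difficulty_bits))


if __name__ == "__main__":
    header = b"constructed block header"  # placeholder bytes, not a real header
    t0 = time.perf_counter(); nonce = mine(header, 20); t1 = time.perf_counter()
    ok = verify_pow(header, nonce, 20); t2 = time.perf_counter()
    print(f"mined nonce {nonce} in {t1 - t0:.2f}s; verified={ok} in {(t2 - t1) * 1e6:.0f}us")
    t0 = time.perf_counter(); ok = verify_factorisation(N, P, Q); t1 = time.perf_counter()
    print(f"factorisation verified={ok} in {(t1 - t0) * 1e3:.1f}ms")
```

Mining at 20 bits takes on the order of a million hashes, while both verifications are a handful of operations; that gap is the asymmetry the answer describes.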