Please could someone help with some questions I have. I'm just getting started with XMR.
When a wallet is described at
https://moneroeconomy.com/news/choose-your-wallet as doing "remote node", what is this more analogous to: a bitcoin wallet which uses the RPC interface and believes the results, or an SPV bitcoin client? I don't know if the SPV concept maps over into Monero. But is it possible to have a wallet mode of operation with Monero where just block headers and our own transactions are verified?
Yes it is. The tradeoffs are slightly worse than BTC but still not too bad.
First of all you need to retrieve the header chain from multiple sources and verify against each other to avoid trusting any one of them. It is possible to skip some blocks on each source and spot check at a coinfigurable confidence level, but that's probably not necessary since the headers are small. This has a higher verification cost than Bitcoin because of the PoW but a single core can verify about 50 blocks/sec, so even at the current overly-high block rate this is about 30 seconds per day single threaded to sync up. Cheap smartphones will do worse (no AES hardware) but the latest ones do have AES hardware and should be similar.
Second you need to do one of three things:
1) pass your view key to a server, which scans for new outputs for you. This imposes a large CPU load on the server and compromises your privacy. This probably makes sense only for the most bandwidth-constrained use cases, and might also need some kind of fee-for-service model given the server load.
2) Retrieve all of the output keys and scan them for new outputs yourself. These are quite small, only 32 bytes each, so that's going to be a few percent of the entire chain size.
3) Run your own server at home or on a VPS that does this in the background (could be a very cheap raspberry pi type device) and connect to it somehow to quickly identify your transactions without compromising your privacy.
Third you need to retrieve either the full blocks that contain your transactions (identified above) or a merkle proof of inclusion for the truncations that have outputs for you. You can spread these across servers and/or add as many dummy transactions/blocks as you want to protect your privacy.
At this point you have a cryptographic proof that you have received the funds, subject to the usual assumption that you have in fact found the longest chain, although as long as you can somehow find even a single server with the longest chain, the others can't fool you. Plus of course you are not verifying the entire chain and relying on the standard SPV assumption that only valid payments are mined (same as Bitcoin). Unfortunately, if your entire connection is controlled by an attacker, they can fool you with a fake chain (also the same as Bitcoin).
None of the current wallets do this, although I've been considering creating a version of simplewallet (command line) that would do it for demonstration purposes at least. Could also be used by the wallets that currently work as wrappers I suppose.
