Topic: [ANN][XEL] Elastic Project - The Decentralized Supercomputer - page 344. (Read 450549 times)

I think I responded to the most up-to-date version, though I missed your explanation for why you omitted those values.  You are quite correct that the entire merkle tree can be treated as one giant nonce. This is a problem that I have been thinking about from the very earliest versions of the Lionel whitepaper.  But if we don't include these values into the PoS hash, what is to stop someone promulgating a completely different merkel tree and claiming that these are the true data?

Can we also make sure that any wallet or other software we release that uses the toy blockchain has big flashing lights to remind the user that the money isn't real.


I'll have a look to see if the points raised in my previous post have been addressed.

My understanding is that each account will have a public key.  Any given user will generally have several accounts.


I think signatures are mandatory for just this reason.


If it does not include the transactions or their Merkle hash, how are these to be validated?

If it does include one of these things, what is to stop an PoS miner from manipulating transaction or other data in the Merkle tree to turn this into PoW?

My feeling is that there is no way to avoid this scheme turning into PoW, albeit giving stakeholders an advantage proportionate to their stake.  Effectively this will be hybrid PoW/PoS.

I will post a followup explaining my own idea for a pure PoS scheme.


All hail the computron.

You are absolutely right. Let's call them "TELC" (Toy ELC) or something to avoid confusion. Also, the version will only run with the testnet flag set.
I have by the way fixed a few things in my explanation one post above yours. I have originally missed the difference between PoS hashes and regular hashes of a block.

The "ELC" we will be able to send around, won't be the real ELC, it will be Monopoly money. won't it?  Otherwise people who haven't taken part in the crowdsource won't have any ELC to send around.

If so, can we make it really clear that this is toy money, that we'll give some to anyone who asks, to let they play with it, and that the real blockchain won't be launched until later.

Just a small update from me:

Those are the parameters (inspired by the NXT PoS scheme) that I have been using when implementing the PoS mini-blockchain.

The target block generation time is 60 seconds.
Let Bavg be the average block generation time over the last 3 blocks, and Tlast the last block's base target.
Then, the current Block's base target value is

Tcurr = Tlast * min(Bavg, 67)/60

if Bavg was longer than 60 seconds, and

Tcurr = Tlast - Tlast * (3/5) * max(Bavg, 53)/60

else.

Now, each PoS miner determines his personal target value which depends on his effective balance he has at the time the block is forged.
Assume user u has the effective balance Bu and Boverdue denotes the time that has passed since the very last block has been found, then his personal target value is Tu = Tcurr * Boverdue * Bu.

The user signs the block with his private key. The signature must be normalized and deterministic to avoid turning the PoS into a PoW by resigning the transaction with different r-values (i.e., the degree of freedom in form of a random number in regular signature schemes) over and over again until the PoS hash of the block meets the target value requirement. The PoS hash, to mention it, is different from the real hash of the block. The real hash takes the entire block into account, while the timestamp as well as the transactions themselves are also not accounted when creating the so-called PoS hash. In fact, for practical reasons, the hash of the previous block + the PoS signature is enough here I think. This is again to avoid turning the PoS to a pure PoW by varying the timestamp, rearranging, creating additional or leaving out present transactions, etc. to try out many different blocks until one eventually meets the target requirement.

I have been thinking if we really need the PoS signature at all, or whether it might be enough to just include the public key of the user that stakes the current block. This, however, might allow one entity to solve PoS blocks for all other accounts that have a positive balance. This again opens up the system for certain attacks, where the network's staking power can be drastically increased and decreased quickly by only one attacker allowing him for messing around with the base target values. I suggest sticking with the PoS signatures as described above.

The PoS hash must be below the user's personal target value Tu. If so, he found a block. A higher target value basically means a higher probability of finding a block.

This scheme is adjusting the target value per block. I have performed some first tests and have been staking for a day: the average block time converges towards 60 seconds. I am posting it for public review, in case I have missed something.


While I will reply in more detail soon, let me say this for now:


I love the computron .

First, I'd like to apologise to the community for not contributing nearly as much to the discussion this weekend as I intended to.  Unfortunately I have had a migraine headache brought on by the intensity of my thinking about this project.  (Guys, I am physically suffering on your behalf.)  I spent much of Saturday lying in a darkened room.  Today, Sunday, I decided to take the afternoon off to go for a good long walk to help clear my head.  I also accepted an invitation to dinner this evening.  There is still only so long that I can stare at a monitor at a time before I have to retire.


That is correct


First that is not the only purpose of the coin, at least in so far as I conceive of it.  I want this coin to be the best, most useful coin for general purpose trading that it can be.  To that end, I have consistently advocated low to zero transaction costs, and built-in escrow.  The latter, of course, is also necessary for the mining function - the workers will need some assurance that they will get paid for their work, while buyers will need some assurance that they won't end up paying miners who don't do the work, or produce incorrect results.

Why not an established coin?  The reasons for that are partly historical.  The project was founded by someone calling himself "Lionel Keys".  A brief googling on that name turned up nothing beyond this project, so I assume it was a pseudonym.  Lionel expressed great confidence in his original plan, which included the use of arbitrary work to secure the blockchain, and started the crowdfunding on that basis.  My judgement was that his entire plan was a shambles.  Despite Lionel's claims to have security proofs, which he never showed us, I found several vulnerabilities in his scheme, the most serious of which (the infamous Faster Algorithm Attack) rendered it unworkable  Lionel ended up transferring the project to Evil Knieval and ceased his involvement in it at that time or shortly afterwards.  It is unclear to me whether Lionel was an out-and-out scammer who never had any intention of delivering his coin, or if he intended to, and believed that he could.  If he did believe that, then he was wrong.

When EK took over, he made the decision, against my advice, to continue the crowdfunding under the same terms  before he had had time to sort out website and whitepaper, while allowing only a very short period for people to withdraw their contribution.  Thus, under his tenure, crowdfunding continued on a website which was still largely promoting Lionel's plan, which we knew at the time was unworkable.  We were openly discussing what we could and couldn't do in the threads here, so an attentive reader would know what he could and couldn't expect, but many people aren't that attentive.

Consequently it is in my view, our moral responsibility to adhere as closely to Lionel's original plan as is feasible, while recognizing (and being open about the fact) that many aspects of it are not feasable, and some things not even possible.  That plan called for the creation of a new coin.

There are also good non-historical reasons why we need a new coin.  First, we are going to be attaching an awful lot of data to our blockchain.  I think, if we went up to some other coin and said "Hey guys, we've got this great new project we want to build around your coin, which is going to increase the size of your blockchain by a factor of a thousand or more.  By the way, we don't even know for certain whether this project will work, though we are very hopeful", we might meet with some resistance from their current users and devs.

Second, a new coin allows us more freedom to choose the core features of the coin.  Currently consensus appears to be coalescing around Proof-of-Stake and Mini-Blockchain.  I know of no established coin with this particular combination.  Do you?

Third, when considering what features we need to add to our coin, in order to allow the market infrastructure to work, there will be no other devs or users with competing interests who might object.


The project is open source.  It will be open to the devs of other projects to incorporate our ideas, and even our code into their coins.  Whether they do or not will be a matter for them.


Section 2.4 of the whitepaper purports to explain how we will do this.  I say "purports to" because it is still vulnerable to a devastating attack which I have yet to explain in detail to the community.  I had intended to do so this weekend.  I will try to do so this week, headaches, and real-world commitments permitting.

I have yet to persuade my fellow devs that the Section 2.4 scheme is not just broken, but irreparably so.  I'm not happy about that, as it was substantially my idea in the first place.  I have some ideas amounting to a completely different approach as to how we will be able to provide buyers with some assurance that their results are correct, which I will articulate in due course.  They are quite low tech, and not without their own security risks, but those risks are well-understood.  I don't believe less-than-bulletproof verifiability will be a project-killer, after all, centralised commercial cloud-computing provides no verifiability at all, yet it flourishes.


We will need at the very least to produce a software development toolkit, a miner's package, and a wallet.  If my ideas are accepted, then they will work together to provide several mechanisms to allow buyers to give themselves some assurance that they won't be paying for incorrect results, while simultaneously allowing workers to give themselves a similar assurance that they will get paid for producing correct results.


It's more likely that it will be "Y flops for each coin".  But it won't be flops as such.  We hope eventually to implement this on a wide range of hardware, so we will need a custom metric which will approximate to the average effort expended by the various processors, or at least the processors capable of running that particular program. Obviously if a program contains CUDA commands then it can't be run by a CPU-only miner.  And the system should ensure that no miner receives a job his hardware is incapable of or unsuited to.

Section 2.4 of the whitepaper does in fact describe a custom metric, namely the buffer B which is filled at a constant rate.  I think this idea is still workable, indeed improvable, so long as we do not rely on it in the form given in the paper to provide verifiability.

I hereby propose that the unit for the custorm metric be called "the computron".


Well, boinc is an infrastructure, as is our project, which allows for a range of programs to be run.  I don't know much about it, what its limitations are, etc., nor do I know much about folding@home.  I am very familiar with GIMPS.  Some of their jobs take weeks, months, or even years to complete, though the latter are not handed out routinely.

The idea that we can prove program execution correct or provide any kind of security by running it in 10ms segments at a time is dead-in-the-water, and I see no point in not just running it from beginning to end, or until funds run out.  Nor do I see any reason to impose arbitrary limits upon the duration of a run.  If both buyer and worker are willing, and if the buyer has sufficient ELC, then I don't see why programs lasting days, weeks, or even years, shouldn't be run.  On the other hand, it should also be possible for a worker to generate a save file, and return that to the buyer.


Much of the above has been said before, but it's scattered across multiple posts in several different threads.  It's good to get it all down in one place.  Perhaps Lannister would consider adapting this post into a technical Q&A on the website.

Any wallet where you can extract the private key for the address which you send the BTC from is fine.
If you are unsure what to do, the safest thing you can do is download Electrum, transfer your BTC to one of your new Electrum addresses and then, from there, send it to the Elastic project.
Using the right-mouse menu in the addresses list you can then extract the private key for the address you have used. Keep it somewhere safe and never lose it.

How do I take part and what BTC wallets are accepted ??

It would be better if it required 3 or more signs (although, again, I don't want to be the person with the 3rd key).

As it is, the 3rd key is just useful in case EK vanished for some odd reason (not that I think he'd vanish). Or if I was a maniac, and tried to get Lannister to release the funds somewhere where they shouldn't go.

It is a nice way of handling it in my opinion, although wouldn't it better to make it require more than just 2 signs?

That method could work, but when I asked Lannister about posting details or providing a ledger on expenses, he replied with:


It doesn't have to be a super specific ledger, but the way he worded his response seemed like no information at all would be provided.

What I have done this weekend: I have started implementing NXT's proof-of-stake scheme in conjunction with Cryptonite's mini-blockchain approach.
Seems to be working fine on the first sight. I will perform some test regarding how robust this scheme is during block reorganizations and especially during a "secret chain attack" (as Cryptonite calls it in their whitepaper).

I will try to summarize all my discoveries by tomorrow, and post them for public discussion.

I think the process is something like this:

Lannister creates a transaction spending a certain amount of funds from the multisig wallet. He creates a transaction, signs it with 1 of 2 required keys and gives the partially signed transaction to the community (or a subset of it). He explains what these funds are needed for. When someone who has the key agrees with it, then this someone signs the raw transaction with the second missing key and pushes it to the Bitcoin network. While there is no public ledger available, it is still known (to the community or again a subset of it) what these funds were needed for.

I am not the one to judge whether this scheme is the ideal solution or not and I am not the one to decide.
But I think that some sort of ticket system (or communication system) for the developers would be a first step towards more organization.

Yeah, saw that. Although I'm probably not the guy to get that key, as I'm not even currently invested in the project. When I asked who that 3rd party was, it didn't mean I wanted to be that 3rd party. Since lannister doesn't plan to publicly list what the funds are for, I'd never provide the key to him in the first place.

Thanks! great to know, will wait for that reply

There's no free distribution, although you can participate to the crownfunding http://www.elastic.pro/crowdsale

These people are really honest.

I have asked for a refound (when there was the procedure) and they refound my BTC after few hours.

I'm not yet involved here but i hope this ambicious project will have a great future.

You guys deserve my respect.

I won't say why, but now I do respect your honesty.

Thanks.

You have asked some excellent questions and I am partway through draughting a reply.  Please bear with me.