Topic: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) - page 36. (Read 91144 times)

Right, if assumes reward are directly tied to blocks (the atomic unit in Bitcoin). All that one observes of others nodes is very short term behaviour, and there is no way to sanction bad behaviour - all attacks have to be prevented in an ex-ante fashion. There are however potentially other ways to reward/punish behaviours, which are not tied to a single block.

'The Transaction Managers' represent a centralised solution to double spending, and even then it appears a tenuous solution because there might be disagreement between transaction managers, which would then require consensus to resolve, opening the system up to all the problems of a blockchain.

Maybe you can find useful answers and working mechanisms here:
http://blog.maidsafe.net/2015/01/29/consensus-without-a-blockchain/

This is the same as in any PoW chain, nothing different there.


Hilarious. Ok, so the attackers only motivation is to double spend. Simple as that. Why do I need to explain this to you?


They have the incentive to do GOOD as well as evil in bitcoin. By removing this angle, you have thrown away a totally critical part of the game theory.



I'll accept that you can compute a probability of a double spend succeeding in the absence of a block reward in the face of an attacker who is arbitrarily attacking. However, you must have missed this from the 2nd paper you linked about the motivation of the attacker, which adds critical detail to the analysis:

https://bitcoil.co.il/Doublespend.pdf#page=12

v=value of double spend
r=probability of double spend success
k=number of merchants attacked per block
alpha=liquidity of purchase
B=block reward

"This means that discouraging an attack requires that:"

v <= (20*(1-r)*B) / (k*(alpha + r - 1))

Set B = 0, then

v <= 0

So to discourage an attack in the absence of a block reward, the value of the double spend must be 0.

I.e. it's impossible to discourage without a block reward.


Prepare to be surprised.

In addition, I just want to say that I am not attempting to attack you, or your idea here, I am just trying to help you succeed; it is better for a idea to receive the harshest critical analysis *before* you go to all the pains of implementing it, wherein it would be too late to fix the problems. I would like to offer suggestions in how to fix these flaws, if I can.

Yes, that's a good point. PoW and PoS rely on an algorithm, not explicit actions of individual nodes. But to solve that problem you need some mechanism to securely count and distinguish nodes. And the Internet doesn't allow that. That's the whole reason for the extremely complicated construction via CPU. The Bitcoin whitepaper discussed an alternative to 1 CPU = 1 vote.

"The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. "

In a system with one-IP-one-vote, it would be possible to sanction individual actions - which is impossible in PoW/PoS.


Almost everything in Bitcoin is designed for it to work at the beginning. Its better to accept its not a perfect system and think what it was designed to do  - a quorum system via CPU, with incentives and currency. New designs can learn from many things and discard most aspects. Verification and storage of data needs to be profitable in the longterm. That's basic the most basic principle of Bitcoin. Users solve the tragedy of the commons together with the P2P ledger. The problem is not profitability, but economies of scale.

An attacker is up against the entire world's CPUs (and remember I designed a very efficient CPU hash in 2014). And who is going to finance that mining farm, when mining is unprofitable?

Remember your point (seems you forget your own points, haha) was that in PoW an attacker must sustain his attack at ongoing cost. But how does the attacker finance this cost when none of his costs are being recouped. I think you fail to consider many factors including for example that mining farms near hydropower generation plants have Bitcoin costs in the range of $50 per BTC. Thus mining centralizes and hashrate centralizes because of the economic profitability of mining.

What evil can the attacker do to recover his costs of mounting the attack? What is the incentive to do evil and how does the attacker finance the attack? And what can he accomplish with an attack? Of course a miner can short the coin, but can he recover enough profit from a short to pay for a 51% attack sustained long enough to do a double-spend that any large sector of the ecosystem cares about? If payees are following the correct probabilities (per Bitcoin 101 below), then the 51% attacker needs win at least 6 blocks to execute a double-spend of any significant value (unless he can spread out his spends in many smaller transactions). But this is the same for Bitcoin's design as well. There is no difference due to the mining being profitable or unprofitable. Bitcoin miners who are renting aren't incentivized to short the coin, otherwise the owners of mining equipment with their sunk capital costs wouldn't rent out mining hardware.

You are completely out-of-touch with the reality of the economics of mining. The reason Bitcoin is so vulnerable is because mining is profitable and thus finances the creation of ASICs and mining farms.

Also you make the assumption that the professional mining farms in profitable PoW of Bitcoin (i.e. Satoshi's design) don't have an incentive to do evil. I explained upthread that they will roll over when the government regulates them, because it is entirely in their interest to do so. Please don't ask me to repeat those points I made upthread since you didn't disagree with them at the time.


Did you not learn Bitcoin 101?

https://bitcoin.org/bitcoin.pdf#page=6
http://arxiv.org/abs/1402.2009


I mean that without a total ordering you can't decide which double-spend to discard when those double-spends appear in separate branches of the tree.

The fact that you can't seem to comprehend what is being written is indicative of that you are not qualified as you seem to think you are on the analysis of consensus systems.

Again you miss the point entirely. An individual payer CAN have a majority of PoW in exactly the same way as it can happen in bitcoin, except you've totally removed the incentive to use this power for good instead of evil.


Define 'acceptable' - you will find it impossible because there is nothing to value the PoW being expended.


What does it mean to have a conflicting double spend? (a double spend is itself obviously a conflict, so you mean a conflict of conflicts?)

The attackers can be both users and providers (you must have considered this?). A user with a majority PoW can also set up a majority of provider nodes, such that he can use his majority control to censor transactions with a greater than 50% chance of success, assuming the minority moves away from the attackers provider node randomly. If you require users to query ALL provider nodes for transactions, this becomes a DOS attack.

Correct my design eliminates the selfish-mining attack, because there are no pools controlling 25 - 33% of the hashrate, which is the minimum required to execute that attack. Each payer only controls a minute amount of PoW, and besides the payer isn't doing the propagation. And moreover, the propagation of the transactions is occurring constantly, not just at the time a block solution is found!

Edit: most saliently, selfish-mining only applies when mining is profitable. The selfish-mining attack is one that is more profitable than not selfish-mining.

So this - http://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf
- is not applicable? Ok.

I have thought extensively about other strategies that the various participants in my design could employ and my analysis is the Nash equilibrium is that that payers all have an incentive to approve each other's transactions, for a similar reasons that in Bitcoin miners don't have any incentive to create multiple chains and ignore the LCR. If payers deviate from this equilibrium then they get chaos and none of their coins and transactions are worth anything.

One of the key points of analysis is that it must not be possible for insoluble double-spend conflicts to accumulate and metastasise into downstream transactions in which many otherwise honest payers would have some financial incentive to fight each other instead of honoring the LCR. But double-spends never make it into a block, same as for Bitcoin, so they can't accumulate (except by the withheld 51% attack same as for Bitcoin and in this case the attacker wins any way so Nash equilibrium doesn't apply).

As for the providers, they are at the mercy of the payers;  that is unless they can somehow manipulate apathetic payers and get 51% of the payers to stick with a provider that is doing malfeasance or hide their malfeasance but I haven't found any such mechanism in my design yet.

You refer to game theory implicitly in almost every post but haven't analyzed Nash equilibria yet, have you?

I mentioned earlier today upthread that I would elaborate on the weaknesses in my design.

First let me explain the meaning of the above quote. So each provider is also (potentially) a verification node in my design. I say potentially because it is also plausible that providers would pool their verification and do it only once instead each duplicating the cost of verification.

So the first point is that system wide verification costs increase as the number of providers increase (assuming they aren't all pooling their verification). And remember upthread I pointed out that the Tragedy of the Commons of mining (where those providers processing more transaction volume and thus earning more fees, but all providers required to verify all transactions from all providers, would cause a centralization of or oligarchy of providers to control transaction fees as is the case for full nodes in Bitcoin and Ethereum per my upthread explanations) would be avoided only if transaction verification costs (and thus fees) were insignificant compared to typical transaction values. So since we can't limit minimum transaction values (because for one reason is that it would need an ongoing centralized monitor of exchange prices), the next best proxy is to make sure the cost of the PoW submitted with each transaction is much greater than the transaction fees (or more accurately stated in the red text quoted above). So we should set the PoW share difficulty as high as can be tolerated by the computers of payers (users) which will signing transactions (and the delay they can tolerate to compute the PoW share). This also has the benefit of making the total PoW hashrate from payers larger, thus making it more difficult to 51% attack the coin.

If users elect too many providers (in the scenario wherein all do their own independent verification) then if the distribution of users on providers becomes too concentrated into a few of those too many providers, then it is possible for the transaction fees on the seldom used providers to become significant, which would further incentivize users to concentrate into a few providers. Nevertheless this seems to be self-regulating in that since users (payers) have no financial incentive to concentrate in a few providers to begin with (since mining is unprofitable so the variance on block rewards is mostly irrelevant), then the community can (even the default wallet client) can work to distribute transactions across the available providers that have been elected by other payers when the concentration in any one provider exceeds some threshold (say 5% of the network hashrate and other than that leave the number of providers elected a free market function).

Note also that block chain storage costs (given the only regulation of spam are the PoW shares and any free market transaction fees but these should be insignificant relative to PoW per the above) could also be centralizing, i.e. providers might be economically incentivized to pool the storage and verification function. Nevertheless the decentralized, permissionless defense remains that users control the PoW and they can move their PoW at-will away from providers that are censoring or any other malfeasance.

So that is why I wrote upthread that my epiphany was that some centralization of mining is unavoidable but that the decentralized control can remain with the users, so in effect the system remains decentralized. The number of providers and the extent of pooling their verification and storage functions can anneal to the resilency requirements of the network (because for example if providers are DDoSed and unresponsive then users will switch to another provider).

How many times have I told you that you can not analyze consensus designs piecemeal. It leads to nonsense posts.


I already had explained this and I don't understand why it is so difficult for you to comprehend that the payers must send a PoW with their transactions. The majority of the PoW comes from payers, and the payers have every incentive to approve the longest chain, so their transactions are included on the block chain. If an individual payer wants to attempt a double-spend, he doesn't have enough PoW by himself to accomplish it.

Profitability of mining has nothing to do with the incentives in my design. I hope I don't have to explain this again.


Same as in Satoshi's design. When the acceptable number of blocks have been confirmed since the block that included the transaction.

Note that there is another mechanism for instant confirmations as well, but it is optional.


You can't have branches which don't conflict on double-spends without a total ordering. You can't get total ordering without LCR unless you use a clock to timestamp each node of the tree. Period.

Sorry no. The users would have to be the attackers (assuming the users' cumulative hashrate far exceeds any attacker and remember I am targeting instant microtransactions so users' cumulative hashrate will be very astronomical with say 100,000 tx/sec). They decide the set of providers simply by choosing where they send their transactions.

Please also see my reply to enet, wherein I explained what happens if 51% of the users are apathetic and willing to support abusive providers.

This objectivity is fine, except for the fact that the attacker is free to create an overwhelming majority of providers, such that moving away from one to another has no effect at all. There is a sybil problem here. You can attempt to mitigate this by making it expensive to become a provider, but then we regress back to the PoS security model, which no one wants in a new coin.

I would need to explain the last remaining secret about my design in order for the following to make complete sense, which then I might as well just quit implementing it because I would potentially lose the lead on being first to implement it.

I attempted to explain in my prior post on this topic in reply to enet, that users can't be objective about censorship of other user's transactions (per the discussion you and I had upthread), but each user (payer) can be objective about the provider which is censoring their own transaction. And since they all move away from that provider to avoid the censorship, then it has the net effect of taking PoW hashrate away from that provider. Sounds almost like a pool but as I said there are some important differences which I will hold secret for the time being. Also if that provider is refusing to interopt with other providers, this can be objectively observe and users might en mass move away from that provider based on a community alert (e.g. in a forum).

You are correct that the users with their PoW elect the providers, which in that respect is similar to a pool. But there are very significant differences and one of which is that users aren't being paid for their PoW shares and the providers aren't being paid by the PoW. That statement doesn't reveal the other secrets.

I'm building a clearer picture of your design now. Providers aggregate transactions because users are not suited to the task of building blocks due to their ephemeral online presence. All PoW comes from users in this design, not providers. Users pick transactions from providers to place in their block when they send a transaction. In order to try and prevent a majority PoW from censoring transactions, users can look to these providers in order to tell if a particular fork is censoring transactions.

However, I see a problem: why can't the majority PoW simply create a majority of providers as well, and therefore gain a greater than 50% chance that users will miss information about censorship?

I can play the same game:
The upthread explanation was a vague set of words that didn't contain other proof than that the author can't think outside the box. 

PS: Those who don't see why ordering is not required at all should read https://en.wikipedia.org/wiki/Superposition_principle.

Partial ordering is a weaker requirement than total ordering, making the statement true. It doesn't matter if it is impossible to achieve in practice; I was making a gross simplification to prove a point, but that appears lost on you.


Nothing in that post addresses the problem. I'll say it again: If you remove the block reward, you remove the honest miners incentive, along with part of the game theory which makes bitcoin work. What incentive is there in your system to play by the rules for an attacker?


No you have not! Damn it, you make me repeat the same explanations over and over and over and over again.