
Topic: Decentralized Timestamp (Read 5333 times)

newbie
Activity: 25
Merit: 0
October 20, 2017, 05:23:40 AM
#92
how would you go about creating a decentralized system that agrees on the current time?

Preferably not Proof of Work.

Quote
Preferably not Proof of Work.
Your question stops being interesting when you start removing the only known solution for strong decentralized consensus— even in the proof of work model an effort to do consensus time probably fails for incentive reasons, but no one knows how to do decentralized consensus absent the expenditure of work.

I have a solution gmaxwell hasn't thought of. By looking at the stars with a camera to periodically calibrate, time can be an objective fact computers can determine for themselves without consensus.  Honest nodes would reject dishonest transactions and blocks that do not have the correct time, within some error.  With this solution, mining and blocks are not needed.  It would be a simpler "transaction chain".  Nodes would share transactions and reject spends of the same coin if they occur within say 1 minute of each other, or reject any second spend that occurred more than 1 minute after the 1st one.
sr. member
Activity: 280
Merit: 257
bluemeanie
May 21, 2014, 01:18:17 PM
#91
So I was discussing this with a friend and was wondering if you guys had any input, how would you go about creating a decentralized system that agrees on the current time?

Preferably not Proof of Work.

Thanks.

https://research.microsoft.com/en-us/um/people/lamport/pubs/time-clocks.pdf

Re-invent the wheel for your special protocol?


Hate to quote myself, but Lamport is able to establish a meaningful logical clock by the participants of the system interacting, I suppose this might be considered PoW, but does it have to be someone mining?  Would the time network fall apart if only one or two systems were a part of the network at some point in the future?

It only works if everyone in the system is honest. If you use the assumption that everyone is honest, you might as well just randomly pick a single node to tell everyone else what the time is.

it's fully considered in my concept.

-bm
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 21, 2014, 10:47:44 AM
#90
In any case, we would like to increase the uncertainty to 100% after n blocks where n << 1440.

We have approaches ranging from forking the network deliberately to using reverse hashchains to include random numbers into blocks. These random numbers get included into the generation signature and make the forger prediction impossible at a particular block height.

This is essentially copying peercoin's StakeModifier

If I sign a block at height n either the person who gets to sign the block (with first preference) at height n+m is known to me or unknown. If the person is known then there is nothing I can do to affect this. If the person is unknown but at height n+1 the person who gets to sign the block at n+m is known, that implies that something in block n decided who got to sign the block n+m. Since I have complete control over what is included in block n, I get to decide.

This applies to NXT and to peercoin. With NXT, the previous signer gets to choose who gets to sign the next one. However they only have 1 bit of control. They can either choose someone (signing the block) or choose not to sign the block and delegate the choice to the second preference signer who gets to choose someone (signing the block) or choose not to sign the block and delegate the choice to the third preference signer...

I told you, we use reverse hashchains. So, you as a forger are forced to publish a previously publicly unknown number. However, everybody can check if you published the correct number. So, there is no choosing in what you include in your block.

And, btw. who says that everybody should include random numbers into their blocks? ;)
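The reverse-hashchain check described in the post above, as an added example that is not part of the original thread or of NXT's code: a forger publishes the end of a hash chain up front, and each later reveal is accepted only if it hashes to the previously accepted value. The function names, the sample values and the way the revealed number is appended to the generation-signature hash are assumptions made for illustration.

```python
import hashlib


def h(data):
    """SHA-256, the hash the thread names for the generation signature."""
    return hashlib.sha256(data).digest()


def build_chain(seed, length):
    """Hash `seed` `length` times; return the values in reveal order.

    Index 0 is the anchor the forger publishes up front; each later index
    is the preimage of the one before it, so values are revealed in reverse.
    """
    chain = [seed]
    for _ in range(length):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


class ForgerCommitment:
    """Network-side state for one forger: the last chain value accepted."""

    def __init__(self, anchor):
        self.last = anchor

    def accept_reveal(self, value):
        """Accept `value` only if it hashes to the previously accepted one."""
        if h(value) != self.last:
            return False
        self.last = value
        return True


def next_generation_signature(prev_gensig, pubkey, revealed):
    """Assumed mixing rule: SHA256(prev gensig || pubkey || revealed value).

    The first two inputs are the ones the thread states; appending the
    revealed number is this example's assumption, not NXT's actual layout.
    """
    return h(prev_gensig + pubkey + revealed)


if __name__ == "__main__":
    # Constructed sample values, not real keys or chain data.
    chain = build_chain(b"constructed-secret-seed", 3)
    state = ForgerCommitment(chain[0])
    gensig = h(b"constructed-genesis")
    pubkey = b"constructed-forger-pubkey"

    # Out-of-order reveal first (rejected), then the two valid reveals.
    for candidate in (chain[2], chain[1], chain[2]):
        ok = state.accept_reveal(candidate)
        if ok:
            gensig = next_generation_signature(gensig, pubkey, candidate)
        print("accepted" if ok else "rejected", candidate.hex()[:16])
    print("generation signature:", gensig.hex())
```

The check fixes which number a forger may publish; it does not force the forger to publish a block at all, which is the one bit of control the quoted objection refers to.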
jr. member
Activity: 56
Merit: 1
May 21, 2014, 10:23:52 AM
#89
In any case, we would like to increase the uncertainty to 100% after n blocks where n << 1440.

We have approaches ranging from forking the network deliberately to using reverse hashchains to include random numbers into blocks. These random numbers get included into the generation signature and make the forger prediction impossible at a particular block height.

This is essentially copying peercoin's StakeModifier

If I sign a block at height n either the person who gets to sign the block (with first preference) at height n+m is known to me or unknown. If the person is known then there is nothing I can do to affect this. If the person is unknown but at height n+1 the person who gets to sign the block at n+m is known, that implies that something in block n decided who got to sign the block n+m. Since I have complete control over what is included in block n, I get to decide.

This applies to NXT and to peercoin. With NXT, the previous signer gets to choose who gets to sign the next one. However they only have 1 bit of control. They can either choose someone (signing the block) or choose not to sign the block and delegate the choice to the second preference signer who gets to choose someone (signing the block) or choose not to sign the block and delegate the choice to the third preference signer...
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 21, 2014, 09:11:45 AM
#88
Well, it is not that easy, though. You need to wait at least 1441 blocks for a new account to be able to forge.

During this period, real-world randomness could easily destroy the ability to forge of your carefully crafted account.

Furthermore, we are going to introduce more entropy in order to predict the next say 20 forgers (which is required to have a high transaction rate) but after that it is completely random.

I wondered about that. 1440 is too many blocks to correctly guess unless everyone does forge when they are allowed to.

Exactly. Even balances could change dramatically to change the forging queue of future blocks.

In any case, we would like to increase the uncertainty to 100% after n blocks where n << 1440.

We have approaches ranging from forking the network deliberately to using reverse hashchains to include random numbers into blocks. These random numbers get included into the generation signature and make the forger prediction impossible after n blocks.
jr. member
Activity: 56
Merit: 1
May 21, 2014, 07:51:23 AM
#87
Well, it is not that easy, though. You need to wait at least 1441 blocks for a new account to be able to forge.

During this period, real-world randomness could easily destroy the ability to forge of your carefully crafted account.

Furthermore, we are going to introduce more entropy in order to predict the next say 20 forgers (which is required to have a high transaction rate) but after that it is completely random.

I wondered about that. 1440 is too many blocks to correctly guess unless everyone does forge when they are allowed to.
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 21, 2014, 06:57:03 AM
#86

Why are you still referring to the block signature? It has nothing to do with forging.

You cannot iterate through many different possibilities for the generation signature because there is only one possibility for each account.

I've looked through the code again and I am wrong. The generator signature is completely deterministic and not a signature, just a hash. This allows a forger to look ahead and see likely next values of the generator signature/hash and so simply transfer coins to a public key calculated such that it has a high probability of being a future forger.


Well, it is not that easy, though. You need to wait at least 1441 blocks for a new account to be able to forge.

During this period, real-world randomness could easily destroy the ability to forge of your carefully crafted account.

Furthermore, we are going to introduce more entropy in order to predict the next say 20 forgers (which is required to have a high transaction rate) but after that it is completely random.
legendary
Activity: 1372
Merit: 1002
May 21, 2014, 05:42:05 AM
#85
not to mention that there is a (unknown and likely linear) relationship between intrinsic value of BTC and cost and presence of hashing power. 

First of all, there's no such thing as "intrinsic value". It is outrageous that you hold this medieval dogma and at the same time pretend to lecture others on the social science of economics.

Let's cite Carl Menger first:

"[v]alue is… nothing inherent in goods, no property of them, but merely the importance that we first attribute to the satisfaction of our needs... and in consequence carry over to economic goods as the… causes of the satisfaction of our needs." (Principles of Economics)

I really prefer Silvio Gesell's critique, and I find this part especially comical:

https://www.community-exchange.org/docs/Gesell/en/neo/part3/3.htm
"The presence of value can be demonstrated on the weighing-machine: "fully-valued". Whether there are any other processes for detecting value has not yet been established. Litmus paper seems to be insensitive to value, the magnetic needle is not deflected by it; it withstands the highest known temperatures. Indeed our whole knowledge of value is still somewhat meagre, we only know that it exists. This is unfortunate, considering the "fundamental importance" of value in science and in life. New possibilities are, however, opened up by Dr. Helfferich's discovery that with some "substances containing value" (Wertstoffe) the value is not always proportionate to the Substance. The substance containing the value is greater or smaller than the value of the substance. He has discovered that the value of silver money is twice the value of the silver used in its manufacture. Silver money thus contains value in double concentration, and we have therefore an extract of value. This important discovery gives a quite new insight into the nature of value. It shows that value can be extracted, concentrated and, as it were, separated from its substance. We may therefore hope that science will at some future date be able to produce chemically pure value. But here again we have a contradiction. In a roundabout way we have reached the theory of a paper-money standard. But this theory is based solely on price and leaves the theory of value severely alone."

Hehe, it seems to me that some people in the cryptocurrency space are precisely trying to produce "cryptographically pure value"...

Anyway, as Peter R explains the relationship between the price of BTC and mining investment is very simple: while the costs of mining are lower than the mining reward (which is a function of the price of BTC), more investment in mining equipment is to be expected.
This is not "pulp fiction economics" but simple supply and demand.

From Wikipedia:

"If demand increases (demand curve shifts to the right) and supply remains unchanged, a shortage occurs, leading to a higher equilibrium price."

So when miners' costs are lower than the reward price, they get a profit. Profits encourage competition, we know that (also from Wikipedia): "Economic profit does not occur in perfect competition in long run equilibrium". So the explanation of the relationship between BTC price and hashing power is really simple: when prices rise the market produces more hashing power trying to reach an equilibrium.
It has nothing to do with "a law of bitcoin value", with the "intrinsic value" myth or with the phantom that is value.

Just another funny joke from Gesell criticizing Marx, hehehe:

"Marx, whose economic system is founded upon a theory of value, uses almost the same words: "Value is a phantom" - which does not, however, prevent him from attempting to conjure up this phantom in three bulky volumes."
member
Activity: 71
Merit: 10
May 21, 2014, 04:30:22 AM
#84
It is virtually impossible due to Sybil attacks. Bitcoin is as close to a decentralised timestamp system as you will get.

nope, can be done.  I have a working model.  see:  http://www.stanford.edu/class/cs240/readings/lamport.pdf

if you review that paper maybe we can discuss how to do this, otherwise I'll save it for later.

later friends!  -bm


Oh someone beat me to it.
Oh well, it's a popular paper I suppose.
jr. member
Activity: 56
Merit: 1
May 21, 2014, 04:25:15 AM
#83
So I was discussing this with a friend and was wondering if you guys had any input, how would you go about creating a decentralized system that agrees on the current time?

Preferably not Proof of Work.

Thanks.

https://research.microsoft.com/en-us/um/people/lamport/pubs/time-clocks.pdf

Re-invent the wheel for your special protocol?


Hate to quote myself, but Lamport is able to establish a meaningful logical clock by the participants of the system interacting, I suppose this might be considered PoW, but does it have to be someone mining?  Would the time network fall apart if only one or two systems were a part of the network at some point in the future?

It only works if everyone in the system is honest. If you use the assumption that everyone is honest, you might as well just randomly pick a single node to tell everyone else what the time is.
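The logical clock from the Lamport paper linked in this thread, together with the honesty assumption the post above raises, as an added example that is not part of the original posts: three nodes pass one message around a ring, once with every node following the rules and once with node B putting an arbitrary number on the wire. The class, the function names and the ring scenario are constructed for illustration.

```python
class LamportNode:
    """One process following Lamport's logical-clock rules."""

    def __init__(self, name):
        self.name = name
        self.clock = 0

    def send(self):
        """Tick for the send event and return the timestamp put on the wire."""
        self.clock += 1
        return self.clock

    def receive(self, msg_ts):
        """Advance past both the local clock and the message timestamp."""
        self.clock = max(self.clock, msg_ts) + 1
        return self.clock


def run_ring(reported_by_b=None):
    """Pass one message A -> B -> C -> A; return (final clocks, event log).

    If `reported_by_b` is given, B puts that number on the wire instead of
    its real clock, modelling a participant that does not follow the rules.
    """
    a, b, c = LamportNode("A"), LamportNode("B"), LamportNode("C")
    log = []

    def hop(sender, receiver, forged=None):
        ts = sender.send()
        log.append((ts, sender.name, "send"))
        wire_ts = ts if forged is None else forged
        log.append((receiver.receive(wire_ts), receiver.name, "recv"))

    hop(a, b)
    hop(b, c, forged=reported_by_b)
    hop(c, a)
    clocks = {n.name: n.clock for n in (a, b, c)}
    # Total order from the paper: sort by (timestamp, process name).
    return clocks, sorted(log, key=lambda e: (e[0], e[1]))


if __name__ == "__main__":
    honest_clocks, honest_log = run_ring()
    print("all honest:", honest_clocks)
    for event in honest_log:
        print("  ", event)

    skewed_clocks, _ = run_ring(reported_by_b=1_000_000)
    print("B reports 1000000:", skewed_clocks)
```

The receive rule only takes a maximum, so A and C adopt whatever B reports; the clock orders events consistently but gives receivers nothing to check a timestamp against.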
member
Activity: 71
Merit: 10
May 21, 2014, 04:21:24 AM
#82
So I was discussing this with a friend and was wondering if you guys had any input, how would you go about creating a decentralized system that agrees on the current time?

Preferably not Proof of Work.

Thanks.

https://research.microsoft.com/en-us/um/people/lamport/pubs/time-clocks.pdf

Re-invent the wheel for your special protocol?


Hate to quote myself, but Lamport is able to establish a meaningful logical clock by the participants of the system interacting, I suppose this might be considered PoW, but does it have to be someone mining?  Would the time network fall apart if only one or two systems were a part of the network at some point in the future?
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 21, 2014, 04:15:49 AM
#81
The generator signature is completely deterministic and not a signature, just a hash.
It was a signature in their original code. What is it a hash over now?

That was a trap for clones.
full member
Activity: 148
Merit: 100
May 21, 2014, 04:12:53 AM
#80
This leads to fun outcomes like old stake holders can exit the system (sell their coins) and then sell their old keys to people who go fork off the chain at a point in the past, at no cost to themselves. Someone who is later handed two histories— the real one and the simulated one— cannot distinguish them, they can tell— perhaps— that someone was naughty, but that doesn't help them decide which chain is the good one.
That's not true, as in that's not a characteristic of PoS. It's a characteristic of flawed PoS.  

A transaction in block x has to be equivalent to signing it by stake held in inputs (or accounts, whatever the design of the system is).  
Transactions have to be valid in only one blockchain, as to not be replayed.  
If A has 30% of stake, the fake empty block created by A has the same validity as a block generated by A with A's selling transaction to someone. Now the buyer and A can both create their equivalent blockchains. However, all it takes to make one blockchain the valid one is another stake signing one block in one of the blockchains in the future.

Fake block stake validity, all by A:
30%, 30%, 30%

True blockchain stake signed:
30% (A's stake, selling), 30% (buyer), 30% (buyer) + 1% (someone else, B)

By signing the third block, B effectively validates all blocks before him. So now the first fake block has 30% of stake behind it, and the true block (with the selling transaction) 31%.

Quote
There are a number of other related implications.  A number of different modifications have been proposed, but so far all of them seem to be obfuscation and not actually fix the underlying issue, which seems a bit fundamental.

You can read more about this in Section 5 of https://download.wpsoftware.net/bitcoin/asic-faq.pdf

It's trivial to create a rule which makes one block with identical stake better than another, like a comparison of hashes. This would lead the honest nodes to completely ignore the worse block. To break that would be equivalent to acting directly against self financial interest, for no reason, and as long as all people in control of a currency don't act against their interests, everything works.  
It's no different to PoW. If I own serious money in a specific cryptocurrency, I'm not going to endanger that, because that would be very costly, although indirectly, just as mining forks in PoW is costly.

Most people living in skyscrapers don't steal and destroy bricks from foundation.  

Note that it takes just one person with one coin to behave correctly, even if literally everyone else is signing all forks, and everything works.  

Why for no reason? Because this shouldn't be profitable, if it is, it's a design error. I don't think it's that important though.  
member
Activity: 71
Merit: 10
May 21, 2014, 04:07:01 AM
#79
So I was discussing this with a friend and was wondering if you guys had any input, how would you go about creating a decentralized system that agrees on the current time?

Preferably not Proof of Work.

Thanks.

https://research.microsoft.com/en-us/um/people/lamport/pubs/time-clocks.pdf

Re-invent the wheel for your special protocol?
jr. member
Activity: 56
Merit: 1
May 21, 2014, 03:31:28 AM
#78
It was a signature in their original code. What is it a hash over now?

It is the SHA256 hash of the previous generation signature concatenated with the block signer's public key.
staff
Activity: 4326
Merit: 8951
May 21, 2014, 03:09:04 AM
#77
The generator signature is completely deterministic and not a signature, just a hash.
It was a signature in their original code. What is it a hash over now?
jr. member
Activity: 56
Merit: 1
May 21, 2014, 03:04:47 AM
#76

Why are you still referring to the block signature? It has nothing to do with forging.

You cannot iterate through many different possibilities for the generation signature because there is only one possibility for each account.

I've looked through the code again and I am wrong. The generator signature is completely deterministic and not a signature, just a hash. This allows a forger to look ahead and see likely next values of the generator signature/hash and so simply transfer coins to a public key calculated such that it has a high probability of being a future forger.
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 21, 2014, 01:47:26 AM
#75
You still aren't understanding me. You have to get lucky and be allocated a block randomly as per normal. Now you get the chance to create a block signature. Once you get this opportunity you can iterate through many different possibilities for the block signature such that the next block is guaranteed to be signed by you.

The crucial bit of the code is hash(generation signature of previous block concatenated with the forger's public key). If you are able to manipulate the signature of the previous block because you were randomly allocated the ability to sign the previous block then you can make sure this hash is very small.

Why are you still referring to the block signature? It has nothing to do with forging.

You cannot iterate through many different possibilities for the generation signature because there is only one possibility for each account.
sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 05:31:52 PM
#74
2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.    

Some people don't use these special transactions and instead exchange coloured coins/ mastercoins directly for fiat or products or services, this enables successful double spends.

Correct.  Double spends are possible when trading blockchain assets for something external to the blockchain, whether the blockchain assets are bitcoins or colored coins.  The advantage of colored coins on the bitcoin network is they can be traded risk-free for bitcoins (since they are registered on the same blockchain and can be exchanged with a single coinjoin TX). 

In other words, there is an advantage to trading assets registered on a particular blockchain with the native currency of that blockchain because these trades can be made risk free (the trade either happens or it doesn't--one party can't get stiffed).   


even if you want to believe this scenario still somehow preserves the value of Color Coins technology you ignore the fact that you can reverse price collapses and market rallies.

-bm
sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 05:30:30 PM
#73
2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.    

Some people don't use these special transactions and instead exchange coloured coins/ mastercoins directly for fiat or products or services, this enables successful double spends.


these assets are presumably exchangeable for something else outside the system.  Let's say I can exchange the cryptonote for gold at any time.  So I exchange it for gold, then release my counterfeit chain where I still own the gold note.  Then cash it in for gold again?

if such an event were to occur the entire system would collapse because confidence would be destroyed.

it's not difficult to execute such an attack.

-bm