Topic: Decrits: The 99%+ attack-proof coin - page 12. (Read 45353 times)

I admit that my design is universally better than bitcoin's. Not selecting a fork is completely by design choice, because it is the only way to be 99%+ attack proof. There are two ways a fork can occur: if there is a legitimate split such as a country hitting the "off switch" on the internet, in which case everyone is aware; the other is an intentionally dishonest split by creating a fork in secret or not-secretly dropping the TBs of the honest side.

In the latter case, everyone is still aware of the fork because consensus either is or it isn't. They know that one of the two halves is being intentionally dishonest. Therefore they cannot be fooled. What does it matter if they cannot initially determine which fork is dishonest if they can't be fooled into doing anything?

Even still, as long as the individual is aware of both networks, both networks must operate identically in regards to tx activity or the dishonest network will be easily ousted. The dishonest half can *not* do anything nefarious while the people are deciding which is honest. So if both are available and both are operating, there really is no network interruption.


No, it isn't like bitcoin branches. Some pseudo-anonymous group of peers has elected to bring on a massive fork of the network, and everyone knows it. If the network has any kind of use, this will be massive, massive news. If it is some nefarious evilcorp, that means every honest merchant is not partaking in the split and will say so. If it is some evil government, they either say nothing or give some ultimatum to attempt to force its citizens to use its fork or whatnot.

This attack can't just happen without some kind of agenda, or the money is as good as burned. The decision to which network is honest will be simple unless somehow a large group of various entities and people decide the network isn't doing what they want. In this case, section 4 comes into play and they can create their own network with the rules they want. They will not be able to force the users of the network to use those rules without the consent of the people using the network.


This is not clear because the PoW is anonymous. Bitcoin cannot aggregate PoW blocks that are attacking the network into separate piles. It has no clue and dumbly accepts whatever chain is longer. Since there is no penalty for attacking the network, nothing can be done about it anyway other than developers patching out each attack that anonymous PoW throws at the network.

This is irrelevant, if the following penalty can never be decided.


We know of no decentralized way to determine that evil fork is evil. We have shown why in the prior several posts where we discussed the 51% attack.


And exactly how will you get the rest of the world to agree that this minority is honest? What metric will the non-friends all over the world look at objectively?

Can there be such a decentralized metric other than the 51% power within the system?


Incorrect. We showed in the prior posts (on page 16 of this thread) that the evil consensus could contain all the TBs, yet still gain control such that only the evil peers will be able to sign the CB (that has the most signatures given 51% of peers).


We already showed the specific 51% attack. You need to show how you stop it algorithmically. I don't believe you will be able to, unless it is some sort of minority consensus reference point algorithm?


Ditto the points made above. By what decentralized metric does any peer choose to ignore the majority fork?

Indeed.


Exactly. That is what I was hoping he would realize if he tried to write down an algorithm for how his incentives were going to stop the 51% attack.


Bingo! And yet we have to spell it out for him like this (given his claimed two years of design thought).


Such an "honesty" algorithm can not exist because it would need a reference point from outside the system, in order to avoid the alternative of a 51% peer power security from within the system. In a decentralized system there is no outside point of reference.

Perhaps the only possible exception is if there was some reference point from the minority within the decentralized system that did not eliminate minority opinions.

And worse yet, the hard proof that we need a consensus is that we can't even autonomously prove that an event occurred before a moment in time (to prove which is earlier in a double-spend) using an external point of reference without consensus voting. We can prove that an event occurred after a point in time, by signing with a newspaper clipping as Satoshi did to show that he wasn't premining. However, to prove an event occurred before a point in time, requires many observers agreeing that it did, because the future will have occurred by the time we are looking back in history. History is always a memory of the observers and can not be proven autonomously. Thus there is no one history, but multiple histories depending of which observers are telling.

The threat of a 51% attack is not the end of the world for us. It is no worse than Bitcoin, and we may be able to improve on reducing the likelihood of a cartel obtaining 51%.

To me it's ok if he doesn't want to discuss the algorithms. There may be many legitimate reasons to do not disclose everything yet (he may try to patent it and so on).
Having no algorithm is another matter, however.

@sor.rge
We are preparing something to address this
"degradation".Don't talk to AM, he is full
 of mistakes
Stay tuned.

Your incentive is that if you can't write the algorithm down, then you can't implement it.

And open source means that anyone can steal as much as they want.

And your paranoia is feigned given I have been mentioning that either proof-of-share or proof-of-hard disk might be suitable. I really don't care if any of my ideas are incorporated. I obviously only care if we design something that works.

You are ducking the requirement to make your algorithms clear, because you fear failure and peer review.

So the users will have to make this decision themselves? By this you admit that you don't have an algorithm to resolve the fork, and rely on human judgement to defend against the attack. In other words, you admit that your system is insecure.

It could be nice if you put the main mechanic in the OP.

What if the user doesn't have any honest friends? I don't have any honest friends in bitcoin. I have no idea how to even approach the problem of finding them.
What if the honest friends are on different branches? What if they are offline? What if they, like me, have no idea what to do and they just look back at me in hope I will somehow point them to the right branch?
No, that doesn't answer any security question. It's like saying that you have to check bitcoin branches manually to spot someone reversing transaction.

It is until the algorithm to choose the best chain is written down and analyzed. So far we have a "largest consensus" rule, which I've shown to be insecure.

Consider the dropping SHs 51% attack above. Why is it going to be rejected? No oracle merchants are allowed in the algorithm, sorry

Well, in bitcoin forks are clear as day: when a node receives two block broadcasts with different blocks pointing to the same parent. The algorithm chooses the chain which will eventually get longer. Merely detecting the fork and then offering the user to choose is not a good solution, since the users will not have enough information to make the right decision.

Except bitcoin's design is not decrits' design. And the failure of proof of hard disk is the same failure as proof of work--the forking chain cannot be destroyed because they can just create new anonymous proofs with no penalty. On the other hand, with an enforced fork and forcing users to make this decision, the evil fork, unless they can convince the entire world that they are honest, will lose all of its money and will not simply be able to reattack the network as with physical media. Yeah, the "simpler" design is the far more powerful design.

At various points in this thread I have described several mechanics as to how users can identify an honest from a dishonest fork. The simplest is of course the fork where their honest friends and merchants are currently creating TBs.


I believe you are presuming that a 51% attack is still viable. It is not. Even if a peer is only seeing the dishonest fork, he knows that a large portion of consensus is missing and that the network is not to be trusted until he figures out what is going on. You can't even dupe a newbie node because of the shareholder ledger design, again as previously described.


You need to be more specific. You are not referring to any actual attack, just a big generalization. EvilCorp can't make bad spends or do anything particularly nefarious, because everyone watching the network will reject it.


It is in the thread. Regardless, the algorithm does not choose for anyone. There is no need to automatically choose, because with consensus there is a clearly defined fork. This isn't possible with proof of work. It isn't even possible with proof of stake.

But do you want to discuss your proposal? In particular, the security proofs.

In response to what I've said, you mentioned
This is not a good answer to the proposed attack. You say that effectively this creates a fork and everyone is free to accept either branch. This is similar to saying that in bitcoin there is no 51% attack, users are free to choose a shorter chain if they prefer. It's simply not true. It's not the users, but the software in their wallets who will decide which chain to accept, and since it's the same program for every wallet they will all choose the same thing, given that they perceive the same situation. So one of the branches will die immediately, and per your rules it will be the honest branch.

Now for the propagation. I think the rewards for propagation, no matter how large, will not improve the defense against the attacks. The incentives are specified within the system, assuming that it still works; however if there is a possibility to break the system and gain complete control of it, the successful attacker will claim all the rewards and more. Even if the incentives will be designed in such a way that it would be impossible to claim them after a successful attack, the future gains from the complete domination of the system would still likely outweigh any lost rewards.
In short, the incentives cannot be used as a security measure. They may serve a role to keep the system efficient, but when it comes to security, they will not guard anything.

I'm afraid this could be right. However, there is no hard proof so far. Perhaps there is an algorithm that decides which viewpoint is the most "honest", according to some reasonable definition of "honest", even if only a minority share it. Unfortunately, we didn't find it yet.

What incentive do I have to further help someone who has made his intentions clear to take all of my ideas and use them for his own purposes as soon as he understands them? It may very well have been your intention from the start. It certainly did not take long for you to try to insert as much as possible of your idea to "simplify" things. It did take longer for you to realize the failure in this.

Sorry, you will have to work these things out on your own. You will not be getting help from me on how to design my protocol for your purposes.


Because you want something from me. Again, I have nothing but disincentive to help you.

Focus in on the key point. I will try to help you do so as follows.


Tell us the algorithm that will prevent the aforementioned 51% attack. In as few words as possible please.


Show the readers the algorithm that obtains these claims.


20 concepts is not an algorithm. I am a computer scientist. I don't like talk.


I am tired of reading your characterizations of what you think your 20 concepts will do. Show us the algorithm. So we can analyze for ourselves what we think it will do.


If you were as good as writing down an algorithm, as your incessant "we will save the world" sales pitches, we would be done already here.

I am not being hostile. I tell you, "Talk is cheap, show the code"-- Linus Torvalds.

An algorithm suffices where code is not yet available.

I won "mental chess" match !
Thank you , sir AnonyMint

And ,please, place Etlase "on ignore" too !
Then leave Decrits thread ...

Yet the solution is in the OP. I pointed out the propagation weakness in bitcoin and even gave you some specific details to search for on your own.


So now you must consider, as I have, a way to incentivize propagation. I am sure you are rereading many posts that you did not originally understand, and are making further connections. You have again conceded many of my points. Each time I tried to make these points, you often stubbornly refused to acknowledge them. And then go off on small details as some critical vulnerability that needs to be flamed on about for several pages until you get it.

I think the same can even go for the monetary system. Your quip about destroying money to redistribute wealth is completely baseless. That mechanic is purely for network defense. What I believe you are doing is conflating the ability to start a new currency from within the protocol. It always comes back to being able to fork away from malicious people so that there is no such thing as a 51% attack. And there is not in my design. The money is not destroyed in this scenario unless people universally choose the new currency (and the currency is not actually destroyed; only its value if no one uses that fork). I explained this very early on to you.

I may not be the best at explaining these things to someone with a hostile attitude, but impatience is not a virtue. And it is very difficult to explain 20 concepts in one post.

There is no redistribution of wealth in decrits; please stop misrepresenting my ideas for your benefit. I have mentioned that it is economically unwise to buy too many decrits when the price is high, so any purchasing power lost is completely voluntary. Instead, businesses and people would be encouraged to build up the use of decrits over time. This will reduce volatility and actually allow most businesses to profit as the currency appreciates. But it does not particularly encourage buying and holding. Again, this is due to wanting to design something that is useful as a currency, not a speculative vehicle. This is key to getting and retaining adoption, and eventually ending ties with fiat.

You are free to use my concepts to create another roller coaster currency like bitcoin, but I do believe it will have the same long-term adoption problems as bitcoin. I think these problems will cause the currency to lose ground vs something that is more stable.

And I believe any cryptocurrency design that is willing to be adopted by everyone *will* be the key to allowing the true innovators of society to shine through. Our goals, while stated remarkably differently, are the same.

Here is a link on the orthogonal point about where the power vacuum derives that gives rise to the power elite and socialism:

https://bitcointalksearch.org/topic/m.2355498

Here is the extra link:

https://bitcointalksearch.org/topic/m.2350083

The point is:

1. People disagree and want everything they want (including controlling others).

2. They elect leaders to give them everything they want.

3. Leaders can do this to the extent individual freedom is not able to route around top-down control via some technology.

4. Leaders can fund this by obfuscating mutual self-destruction in debt and misallocation of capital.

5. As this fails economically, the people demand the leaders to fulfill their promises, thus megadeath.

6. Thus the only sustained prosperity is due to technologies that enable individual freedom from top-down control. Gave an example upthread that when WAN wireless is something any individual can do, the telcoms will be disrupted.

That theoretical "socialism" of your sweet
 dreams does not exist in the REAL world.
You don't understand what real, practical
 socialism is (cuz you are constrained by
 your IQ).
Again, both of them are NOT the parts of DCR
 proposal.
We can discuss this with you, when you'll
 grow a bit (that is never , cuz you don't wish to become responsible adult... )

Very nice words.
After you claimed Etlase is 2 years old.He'll w/o any
 doubts give you his hand of cooperation.
Maybe both hands...

Or maybe you only admited this interesting
 fact for yourself ? Then i am stunned...

And who are "adults" then ? Your masters ?
---------
------------
Broken logic, broken game;
May i find someone to blame ?

Broken rhymes'n'broken chess,
time to end bullshit contest...

AnonyMint is so funny with all his propaganda of elitism ...
Please don't leave this thread alone. :pPpP

51% Rule of Decentralized Agreement


In any decentralized P2P system any consensus fork of agreement is controllable by controlling 51% of the peers.

It must be this way, else there is no way to eliminate minority opinions (minority forks of agreement).

So what is money? Money is what 51+% of the people agree that it is. Gold is an exception.

The challenge in designing a decentralized money is that the masses can be fooled by cartels into supporting detrimental activities (which may even be obscured from and/or only indirectly harm the 51%).

Physical gold (and silver) is a unique form of money because it can't be cartelized, and even if the masses agree to outlaw gold as anonymous money, some people will still accept anonymously. This is due to the unique properties of the precious metals:

* high value per mass & volume due to natural rarity
* fungible
* durable and divisible
* stable supply
* anonymous (can't be permanently marked)

Is there any other form of money that is similar to gold, yet can be transmitted digitally?

No. I have thought about modules of open source software in trade, yet these are not fungible, and at least probably not divisible. The knowledge is unique and in the main module coder's mind.

The only truly decentralized money is gold. There will never be an alternative. Every decentralized currency design will be controlled by the 51% eventually.

PERIOD. Don't waste my time with oxymoronic nonsense about redistributing money to avoid socializing money. Hahaha.

If we don't adopt Etlase2's redistributions schemes for preventing concentration of capital within the system (and I agree to not argue that philosophical issue further for now nor commit the thread to a decision on that), then perhaps yours is a reasonable point?

Etlase2 presented the advantage that share can be destroyed, so we could penalize rogue activity. Our system can't destroy a physical asset with a penalty.

Also share is simpler to implement probably. Proof-of-hard disk has some corner issues with "he said, she said".

Share can not mint new coins for those who have none (thus a way to avoid anti money laundering id checks), only Bitcoin's proof-of-work or my proof-of-hard disk can do this. But this is orthogonal to transaction processing which we are discussing now.


Astute. Then the other peers can't sign the CB and thus can't be eligible for signing TBs in the next block.

The evil attack doesn't even need to withhold the propagation of its TBs, it can simply sign a CB that (is not propagated until after deadline so it) only has its peers (per my prior post which you hadn't seen when you wrote the above).

I was correct in the flame war to say that propagation is the weakness. Now I hope Etlase2 and the others here will stop questioning my motives and my IQ!

I was correct to criticize Etlase2 for burying his logic in two many undocumented details and wanting to waste more years not getting to the point. In design, we should always reduce first to simplest concepts to analyze clearly and early, so we don't waste time on a design that can't possibly work.

Note that Proof-of-Consensus is subject to 51% attack same as Bitcoin is. This does not eliminate it as an alternative design. At least we see that 51% attack is always possible in any decentralized currency. It is a fundamental.


Yeah as you implied, the economics for propagation has to work, because there is no centralized reference point in a decentralized system!

All socialism-related stuff is off-topic
 in this thread.
In the proposed Decrits design there is no
 government of the few wealthy by robbery
 socialist "leaders".
So all "AnonyMint"'s illogical constructions don't make sense.
-------------------
Please stay on YOUR topic : to deface this topic

We have an economic problem, but I think there is a solution.



I was correct upthread (in the flame war) to intuitively sense that propagation is the potential weakness.

If we don't make having the most CB signatures determine the consensus CB, then there is no (Bitcoin-like) selfish incentive to propagate CB signatures. And sor.rge has pointed out that this would make CB signing eligible for 51% attack. Differentiate this from TB signatures. The algorithm (for random selection of the specific ordering) requires the peer to sign the CB in order to be eligible (via random selection of the specific ordering) to sign a TB in the next period.

The solution appears to be the consensus CB must be the one that has most TB signatures *AND* the most CB signatures of those that have the most TB signatures.

Ok, I'll have to study it really. I think, from the security standpoint, proof of ownership of a real-world thing is better than proof of something withing the system, as latter may be compromised.

Aha, I see. Now it makes sense. Indeed, if everyone propagates everything, then a honest node cannot be kicked out because its CB will always include all the TBs which have been broadcasted. So it's only possible to kick nodes out by hiding signed TBs. Interesting!

Ok. Now I propose the following 51% attack. Malicious peers, who are the majority, withhold their signed TBs just until next CB. At the time of CB, they will be considered late and their TBs will not be included in the honest nodes' CB, which will therefore have 49% consensus. Right after the time of this decision, the attacking cartel releases their CB, which records all the honest nodes as dropouts, and therefore has 51% consensus. The other nodes, faced with the choice of two competing CBs both following the rules, will have to accept the malicious one. From now on, the cartel will have 100% power and will do what it wants.

Yes, I was considering the case when the cartel suddenly presents their version of history, which would then seem to be more legitimate than the accepted one, according to the rules. It may be possible to make a rule that a node would never revert its history too much to the past (kind of auto-checkpoint), but the new nodes, who don't have any history observed, could be easily fooled.