Topic: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? - page 43. (Read 95256 times)

Astute question.

(also glad you found my last post, I was intending to message you but I haven't opened my PMs box yet and have 16 msgs to deal with there...)

The nominations don't take effect immediately. The nominated verification nodes can't begin verifying until a certain number of blocks announcements. Thus rendering irrelevant any recent PoW chain ambiguity over nominations (said ambiguity due to the last block included in any count of announcements may have disagreement due to propagation). There is still the issue of conflict (even though the conflict is displaced in time, it is still there) if there is disagreement over the nominations in set of blocks in the count. This is fixed by choosing the greater set of any alternatives where the displacement in time allows propagation to be unambiguous and for the set of alternatives to be well defined and stable. See why I have sometimes alluded to my design being an anti-aliasing method for PoW. Again we see that my conceptual insight from 2014 on how to defeat selfish mining is always the way to resolve ambiguity by being inclusive of all block announcement state (and my key paradigm shift that nominations are additive and can't conflict, i.e. I used the concept of separation-of-concerns in order to move the double-spend threat to an orthogonal concern so it gets out of the way of consensus).

Also I had mentioned that to defeat the 49-99% game theory attacks on the predetermined entropy (coming from chain history) of the quorums (very similar to Dash Evolution's quorums except as I previously noted I believe Evolution has design flaws), the nominations are not changed until every verification node has been the designated node for at least one block. This makes it sure that even if a payer's transactiont is rejected by all quorums (the quorum for a UTXO will change every block or after every N blocks) due to the attacker controlling 49 - 99% of the verification nodes, then the payer can alternatively (the designed node for each block is an optional choice for the payee) still get his friendly verification node to be designated (by waiting for the round-robin) so he can push his transaction onto the block chain in a permissionless paradigm even against a 99% PoW attacker! Amazing! I proud of that aspect of the design. And without incurring the flaws and downsides of PoS.

Also because the side-effects of nominations of verification nodes is accumulative and can't conflict, unlike the double-spends that can conflict with different relative perspectives on which PoW chain is valid. Verification nodes can't create double-spends (other than due to conflicts in the PoW chain which I resolved as I already explained as per the above). Explaining in more explicit detail beyond this would require revealing virtually all the finer details of my design and implementation, so I will withhold for now. But I think I have already spilled the beans for any astute implementator can now duplicate my design.


Keeping the difficulty in alignment (as required by my design's way of eliminating conflicts by merging all chains) is perhaps one of the areas to look for a potential flaw in my design. I haven't expended as much effort yet thinking about that aspect.

One of the attacks a 49 - 99% attacker can do is to mine sporadically which in Satoshi's design can wreck havoc on the block period variance. That is why I said the block difficulty adjustment will be calculated over a very long window. And remember this amazing insight... that is that since transaction confirmations don't slow down when block period does, my design doesn't have any problem with block period variance!

Remember the cost of production affects the attacker, not the payers who will be mining without care for cost. The debasement rate will be a very small annual % maybe even less than 0.5%. So the economics of the debasement are irrelevant. The only reason to have any debasement (other than the macroeconomic arguments of Gresham's Law), is to countervail the incidence of lost private keys. Bitcoin after 2032 will eventually shrink to a 0 money supply due to lost coins. In a microtransaction world, users will lose coins quite frequently due to abandoning small balance accounts.

Edit:



Health update is I am cruising along great. After 14+ hours of working my legs and head start getting inflammation, but sleep renews me each time. Very consistent now that I am taking the Turmeric root extract (curcuma longa) in coconut milk with black pepper. Also all my other anti-oxidant supplements. I will make a new updated list of the supplements I've been taking daily. Overall I am very cautiously hopeful and thankful for my progress. I was at the basketball court again a couple of days ago. I haven't exercised the past 3 days. Been really working nonstop other than sleeping. My recent production should be evidence enough that my health has stabilized considerably. In hindsight what destroyed my health from July through September was when my new gf arrived to live with me May 25, she cooked for me all the Omega 6 meats such as pork, chicken, and beef. At the time I was thinking that carbos were my enemy so I was eating massive amount of meat and no rice. Omega 6 is highly inflammatory and this about killed me. Now eating only tuna (which is Omega 3) which is less inflammatory, raw veggies (no night shades!), rice, and coconut milk/oil (which is non-inflammatory medium chain fatty acides that feed the brain energy directly through the liver via ketones instead of circulating into the glucose mechanism for energy. Coconut is a miracle food. Also I think rangedriver was correct when he pointed out that fasting is really bad in my case because I also read that to get inflammation under control requires stabilizing the glutathione/glutamate/glutamine balance where glutathione is produced in the liver and a deficiency is catastrophic and fasting depletes glutathione. So the 10 day water only fasting might have been good for putting a halt to that omega 6 overload that nearly destroyed me, but it was probably counterproductive from the standpoint of glutathione. I am now taking NAC, ALA, and EGCG to restore my glutathione related anti-oxidant imbalance.

One of the applications of microtransactions will be to get my ethical revenge (i.e. fixing what is a broken concept suppressing open source) on Stackoverflow/Stackexchange and destroy their sites with a superior economic model:



For context:

http://stackoverflow.com/questions/26769706/fix-so-cursor-moves-and-displays-correctly-in-eclipse-for-android-development

https://bitcointalksearch.org/topic/m.13220287

I have a myriad of reasons for making a cryptocurrency project. And all the motivations are ethically noble and driving me to work double-digit hours per day at the age of 50+.

P.S. instead of downvoting, fork. Then list all the forks. Downvoting is destructive and counter-productive. The effort to criticize should be consumerate with the effort to create. Duh!

Why don't disagreements in the set of all nominations cause the same forking problem that would occur with a fixed time window?

Also, isn't adjusting difficulty by factors of 2 is in danger of increasing the volatility of the currency? The cost of production will double or halve rather than smoothly increasing/decreasing as it does in bitcoin.

monsterer, I was observing whether you would find the weakness in my design, but I don't fault you for not seeing it so early in your exposure to this new conceptual design and lacking all the details. I have been afforded months to think about it with full access to all the details.

I was feigning an incorrect (more accurately "an incomplete") design because I was thinking about keeping the following secret for while longer (and also to see if anyone would find the flaw), but I am also thinking some very astute readers (e.g. Bitcoin core devs if they happen to read this) might silently think I am foolish if I don't complete the description of the design.

So now I will elaborate on the fundamental Achilles heel and trade-off compared to Satoshi's design.

That is if users disagree on the objectivity, then the block chain is forked. The users could disagree if they could be fooled about which blocks propagated within the allotted (e.g. 6 seconds) window. Once they disagreed, they might never agree again (but read on for a solution to that). Since users rely on other nodes to relay to them, the objectivity is under the influence of those relay nodes. Well I already stated most of that in my prior post, but I didn't emphasize that the bad outcome is a fork:


Whereas, Satoshi's design forces acceptance of the longest chain of PoW thus eliminating the risk of a fork due to disagreeing perspectives on propagation, but at the cost of incurring double-spend risk, 49+% attacks, selfish mining attacks (and for faster 1-confirmations of Bitcoin-NG incurring DDoS attacks).

Besides the problem of objective relaying, any window of time results in disagreement due to minute differences in propagation near to the end of the window! Ouch!

Both problems can be fixed by changing my protocol rule from “honest chain's next block must include the nominations from any that occurred in the 6 second window” to “honest chain must include the nominations from all block solutions that occurred (with the same difficulty)”. Thus the difficulty has to be calculated counting all block solutions.

Thus chains can't diverge, except if they disagree about the difficulty. The objectivity about difficulty is a combination of using very long periods for the calculation so that difficulty is the same in calculations that differ only in small changes in the blocks included can't result in half or double the difficulty (since difficulty increments are a factor of 2 since they are the leading bits of the PoW with a 0 value), and the rule that the correct difficulty is the one that counts the most difficulty in the numerator.

That entirely fixes the fork risk. It also virtually eliminates the trust issues around the relay nodes. The community only needs to verify they relay, not that they relay within very dubious small windows of time, e.g. 6 seconds.

And the inspiration for that conceptually comes from the same way I fixed the selfish mining problem mathematically in 2014 by rewarding all PoW in the orphaned chains. That ends up being one of the most important discoveries I've made, yet it was unceremoniously ignored:



Note that rule could not be grafted onto Satoshi's design for an additional reason to those I enumerated in a prior post on this page. That is it essentially removes the requirement to mine at the end of the chain, because there is no objectivity about when a block's computation had to begin. But this isn't a problem in my design, because my design doesn't depend on blocks to confirm the 1 second transactions and thus it doesn't matter if some percentage of the PoW resources are not applied to updating the checkpoints of the confirmation nodes. In short, everything is additive except for double-spends. However this does raise an issue for double-spends documented below.

Note there are other issues that revolve around how checkpoints of the confirmation nodes are recorded in the PoW block chain. Normally these are accumulative (same as for nominations) and can't mathematically be a conflicting double-spend (according to a quorum mechanism that is similar to the one employed in Dash's Evolution except the quorums don't change on every block as that introduces a double-spend risk on time windows on the order of the block period which would otherwise defeat the point of 1 second confirmations, which btw is a critical flaw in Dash's Evolution especially because it is based on Satoshi's design which allows chains to be orphaned). My design also requires a fallback mechanism where the payer is having difficulty finding a cooperative quorum due to the 49 - 99% attacker having a majority of the confirmation nodes. In that case the transactions have to be confirmed by the block chain. For this case, the payees need to wait until all confirmation nodes confirm all confirmation nodes in some number of block confirmations (just like in Satoshi's design) before it is more probable that the merging of all block chains can't have a conflicting double-spend. Double-spends within that interval are invalid upon merge. The objectivity is counting block confirmations (of the same difficulty) regardless which chain they are on. Again my conceptual fix to the selfish mining attack continues to be the solution to objectivity in every place where objectivity would fail otherwise. The potential subjectivity is due to a block solution built off a historic block that attempts to introduce a double-spend. The objectivity is that the block chain will reject this block because it attempts to mine too far into the past (again by counting the number of blocks). So the attack this enables is that the 49 - 99% attacker could build a longer chain has double-spends compared to the honest chain and which starts from far back in history, so then it is not objective as to which chain is honest, because neither chain can merge with the other. Here the objectivity is longer-term propagation (not 6 second windows but counted blocks) trumps and so any chain that was hidden and suddenly revealed from many blocks back in history is the dishonest chain. So what we end up with, is that there is no incentive to mine at the end of the chain if you aren't producing double-spends. However, the problem of subjectivity around the end of the window still applies to counting blocks. When receive more than one block within the propagation window, then if differing arrangements of the order of those block produce different answers as to whether a spend was double-spent or was already confirmed before the double-spend arrived, there is no objectivity. So to fix this we must abandon the feature of having a fallback mechanism to have a transaction confirmation by the block chain. Instead we can have a designated node that can supplant the quorum and this node also changes (but not every block) in the same mechanism as for the quorum (basing on the entropy of the historical block chain). Thus eventually the payer will be able to get confirmation on a node that is not the adversary, except that the adversary can precompute the entropy and try to game theory his nominations changes to prevent that eventuality (but the success of which may be foiled by making the period of confirmation node nomination longer than the number of confirmation nodes, so that all nodes are cycled through before a change can be made to the confirmation nodes). Anonymous transactions (Zerocash style where the IP address can't be correlated across transactions) would be another solution so the adversary can't easily determine which transactions to censor. Realize a vote wouldn't work (adversary controls most of the confirmation nodes) to provide permissionless guarantee, which is one of the critical flaws in the Railblocks design.

And that seems to cover all the scenarios. Whew.

True, but that (bolded statement) isn't an attack.

Attack means can blacklist minority PoW and confirmation nodes, double-spend, or DDoS attack (or other form of real harm). I think I already explained why having even 99% of the PoW and confirmation nodes does not enable those attacks. But probably it is only clear to me because there are design details in my head that I haven't written here in public. So when I get it all organized in a white paper, it will be more clear to me what I need to explain in more detail.

Paradigmatic shifts are often non-obvious to others (an analogy to banging into a glass door which is obviously there to the person who banged into before), even though to the person who invented them they seem as obvious as sunshine already.

I think this will indeed be key to understanding this design. This probably doesn't help you at all, but the root of my line of reasoning is that the attacker can be both confirmation node(s) and regular node(s) and have a majority of both at any time.

What attack? Up thread I already refuted for my design, all the known attacks on Satoshi's PoW (at least those presented by you and I thus far).

Fully compliant confirmation nodes can't do any attack. If they attack, they are no longer compliant and will be ignored by the honest network (not only ignored but all their transaction fees will be confiscated due to "fraud proofs" recorded by other confirmation nodes and you can see my recent posts relating my design to Segregated Witnesses).

Afaics, having nodes "sleep" (which I guess you mean they do only compliant activity while "sleeping", since you can't mean sleep in terms of being unknown because all nominations are public on the PoW block chain) doesn't aid the attacker in any way in terms of executing any attack at any future time.

I think I can deduce why you are misunderstanding (and it is an expected reason that can probably only be conquered with a very thorough elucidation). It seems you are conflating the concepts of attacks on PoW chains with attacks on, by, or leveraging confirmation nodes. These are orthogonal concepts in my design. For example, confirmation nodes do not gain any power to issue double-spends (all confirmations have an objectivity that can't be violated and that is another design secret and I won't discuss that now but you can look at Dash's Evolution design for a hint).

Again I will reiterate that afaics separating the concerns into PoW and confirmation nodes as orthogonal, provides paradigmatic elimination of the attack vulnerabilities in Satoshi's design.


As you anticipated, afaics you've entirely misunderstood the design. I think it is improbable to give readers the holistic view (any more than I have already elucidated) without detailing the entire design in a well organized and quite lengthy white paper. And I am not ready to do that yet. Wait a few more weeks please. This discussion has been a "sneak preview".

I think you will be able to offer more constructive and deeper insights once you can understand well every detail of my block chain design. As of now, you will be handicapped by lacking full and deep elucidation from me.

P.S. thank you for injecting your peer review. Look forward to more of it once the design has been released in a well organized paper.

He doesn't need to convince the rest of the network. The problem is insidious; the attacker presents a majority of fully compliant, well behaved nodes with which the rest of the network becomes acquainted and then sits and waits until he needs to pull of his attack, at which point the minority of the network will go along with his presented truth because they will already be nominating his 'sleeper' nodes.

Unless I have misunderstood the entire design, which is very possible

In the honest scenario, the 49 - 99% attacker can nominate 49 - 99% of the confirmation nodes, but the crucial distinction from the security of Satoshi's design is the attacker can't dominate ALL the confirmation nodes and thus can't destroy the permissionless quality of decentralized cryptocurrency. Nor afaics can this preponderance of confirmation nodes gain the attacker any advantage in terms of double-spending or abusing the protocol.

In the dishonest attack scenario where attacker wants to own ALL the confirmation nodes, I already explained that:


Also include the following snippet in the above context:


So the 49 - 99% attacker could nominate ALL the confirmation nodes in his private chain, but attacker can't convince the rest of the network that his chain is valid, due to my rule that attacker must include all the nominations from propagated block announcements (which attacker didn't refute within the 6 second window...because as I explained, the attacker can't refute because the rule requires him to restart his computation of next block after each block announcement).

I told you (and all readers) for many months to expect a "Bitcoin killer" algorithmic twist that no one else had apparently thought of.

It is time for everyone to start realizing that I am not a bullshitter and I am legit.

Why isn't it the case that the majority POW also has a monopoly on the set of nodes which can be nominated, thereby dominating the choices for the honest nodes?

My design doesn't (and afaics shouldn't need to) prove to a syncing node anything about propagation that occurred while that node wasn't listening live. Remember that the 49 - 99% attack must be sustained otherwise it can't maintain the blacklist on the minority PoW. The minority PoW will have identified the dishonest chain and be humming along (at a reduced level of PoW difficulty, yet still including the attacker's nominations so as to prove to syncing nodes which chain is refusing to include the other's nominations). So the syncing node will have ample opportunities while live to objectively determine which chain is dishonest.

(Assuming the node is syncing to a honest relay and remember my point about community responsibility for this,) the syncing node will see there are two competing chains and thus syncing node will be wary to accept any transaction as final until it has determined which chain is the honest one. Note that if the dishonest chain is an extension of the chain the syncing node had earlier identified as dishonest (a hash for that node's choice is saved on the block chain so the node can't forget), that node already knows it blacklisted that chain (which can be determined from the chain history).


Finney attacks are not possible in my design, because transactions are not confirmed by PoW blocks. So the payee will not accept the transaction until it has been confirmed, which can be on the order of 1 second from the time the transaction is sent to the confirmation network.

In my (monumental?) prior two posts, I was starting to lay out some of the paradigmatic gains that arose from separation-of-concerns for transaction confirmation and PoW chains. Bitcoin-NG (from the researchers who published the selfish mining attack) separates timing of transaction confirmation from PoW chains (thus removing the latency spikes for propagation of block announcements, i.e. a form of anti-aliasing), but it doesn't eliminate double-spending by orphaned chains (which my design does eliminate). Also Bitcoin-NG nominates only one node per block period to confirm transactions thus Bitcoin-NG (and Bitshares' DPOS) is highly vulnerable to DDoS (even more vulnerable than current Bitcoin which employs Satoshi's design!).

Based on your use of the word 'nominate', you may be misunderstanding what is nominated in my design. C.f. how Bitcoin-NG nominates a node to confirm all the transactions until the next block. In my design, there are a plurality of confirmation nodes nominated, they persist for a plurality of PoW blocks.

Afaics, in my design there simply isn't a way to create an orphaned chain which would be required to create a double-spend other than a Finney attack. In my design, orphaned chains can only occur due to network partitioning and in that case Satoshi's design also allows double-spends on both forks. Dealing with network partitioning is another issue. We can discuss that later.

P.S. as a tribute to the prodigious generosity and amiable unassuming attitude of Hal Finney, I like to share his description of how Chaum's Ecash worked which helped me a lot when I was first learning what the Fiat-Shamir transform is and how it converts an interactive ZKP to a NIZKP (non-interactive zero knowledge proof).

* How do you prove to a syncing node that a given historical block arrived within the 6 second propagation window without having a different protocol for syncing/live nodes?

* Is it possible to differentiate between a syncing/live node in a p2p blockchain without being subject to attack edge cases? (e.g. all proof of stake chains)

What about this attack:

1. Miner A controls a large amount of POW resources and wishes to double spend by creating a bunch of finney blocks
2. They start with the genuine last propagated block
3. Generate a new block on top
4. Nominate the crap out of it with their superior POW resources
5. Fake the time stamps
6. Loop to 3

When they're done, they dump this huge finney chain onto the network which also contains their double spend?

The attacker can do that (even with a minority of the PoW). It is good to see that my prior explanation was coherent enough that you pondered that possibility, so I know I have made progress in my elucidation of my block chain design.

But anyone today could create a fork of Bitcoin and use it for paying from themselves to themselves, but no one does that because it is pointless.

As I explained, in my block chain design all the users who are (or their client is automatically) concerned about following the protocol which enforces honesty, will not be on the attacker's chain which has violated the protocol, because the objectivity of the protocol is not subjective.

To recap, a majority PoW attacker with approximately 49 - 99% (49% because the network wastes some of its PoW mining the orphaned chain per the white paper I linked in my prior post) of the systemic PoW resources normally in Satoshi's design has the ability to win every block announcement (thus blacklisting the minority PoW from the longest chain of PoW), because the attacker can ultimately build a longer chain which orphans all the block solutions produced by the minority. However I have stated that if we change Satoshi's protocol so that every announced block solution which is not challenged by another block solution within the reasonable propagation window (e.g. 6 seconds), must be based off the previously propagated block solution. Thus the attacker can no longer blacklist the minority PoW from the longest chain of PoW.  (With 99 - 100% majority of the PoW resources, an attacker can defeat the security in my design as well).

For n00b readers (not you monsterer), please understand the Bitcoin 101 concept that due to the randomness in the Poisson distribution, an attacker with < 100% of the PoW resources can't produce the first block solution every block period if the attacker is required to start his computation of each block at the same time as everyone else in the network. An attacker can produce a longer chain with a majority of the PoW resources, but only if the attacker is allowed by the protocol to ignore the minority's PoW solutions that occasionally (not a majority incidence) arrive faster than the attacker can produce the next block. Satoshi's design does not require the attacker to build his next block off the propagated block. Satoshi's design allows the attacker to build his chain hidden. This is the major design error of Satoshi's design, that enables selfish mining and the 51% attack. I correct Satoshi's design error. I believe this is the first explanation of any where of my aforementioned rule as a solution. If anyone can cite a prior art on this point, please do. Probably there is a post (or posts) from the 2010 - 2011 timeframe on this forum (or in 2013/14 discussions about the selfish mining white paper) that has some similarity to my point. I would be very interested in reading such posts if anyone can find such.

There are reasons that Satoshi's design can't incorporate my aforementioned rule which defeats selfish mining and the 51% attack:

• The attacker could put a double-spend in his chain, thus he can not follow a rule which forces him to base his chain on the announced chain which contains a double-spend. In Satoshi's design, there is no objectivity about which double-spend in which chain came first (i.e. there is intra-chain objectivity but no inter-chain objectivity). Whereas, my design is different because PoW has a dual role, one of which is to confirm nominations for "confirmation nodes" (the nodes which do the transaction confirmations distributed thus enabling the 1 second confirmed transactions, not 0-confirmation insecurity of Satoshi's design). Thus my rule is that nominations from the propagated block have to be included in the next propagated block, thus defeating the selfish mining and 51% attacks, but Satoshi's design can't do this rule because it doesn't have the concept of nominations. Note that unlike transactions, nominations of "confirmation nodes" can't conflict because they are accumulative. My design can't just be grafted onto Bitcoin, because it requires a radical hard fork which necessities changes throughout the ecosystem of clients (thus virtually impossible to accomplish).
• Satoshi's design has no mechanism to constrain the variance of the propagation. Afair, Satoshi's white paper doesn't even talk about P2P network design (other than the SPV client suggestion) in the propagation context and the propagation design issues. All that design work has been done ad hoc over the past years, where I showed with my recent paper that Maxwell et all still haven't even addressed DDoS (which it is synergistic with propagation due to amplication as I explained my recent paper) in the scaling up scenario. I will not explain my entire design now.
• Satoshi's suggestion of SPV lite nodes are too lite to guard the network. Recent comments from the Hong Kong Bitcoin scaling conference (which I really wanted to attend but I am just too overloaded with my illness and trying to get a coin launched) show that Bitcoin lead core dev Wuille at al are thinking more about Segregated Witness and user clients that are in between the power of a full node and an SPV node, as is the case in my proposed design. But afaics, they are a probably a long way from realizing all the issues and then realizing they can't realistically graft this onto Bitcoin and it will instead need to be a side-chain (since those guys work for Blockstream).

Why can't an attacker simply pretend to be 1M payees, and use that control to vote in his fraudulent chain?

For example, assume a design scenario where the block period T is 10 minutes (600 seconds) and within 6 seconds of a block announcement (note one white paper showed the weighted average in Bitcoin is 11.37 seconds), it will have propagated to at least 80% of all nodes. Thus the probability of having 2 or more competing chains is approximately 1/100. Before getting into the implications of that fact w.r.t. to my design, first let us note that an entity controlling 50+% of the PoW resources could choose to withhold his block solutions until another one is announced (thus making sure it propagates within the 6 seconds), while continuing to mine on his hidden solution (thus the adversary's chain will ultimately always be longer after sufficient blocks) and thus that 50+% entity will always be able to blacklist (overrule) any minority block announcements. That is the selfish mining attack and it causes the rest of the network to do wasted PoW. However, by rewarding all block solutions that are announced within the propagation window, the attacker's strategy is foiled. In 2014, I had revealed the math proving that is a solution to the selfish mining attack. However, if we are not interested in just foiling the economic incentive of selfish mining, but we also want to foil the blacklisting incentive, I will hereby reveal another epiphany. We can require that any blocks will follow a contest between chains, must include the nominations (in my design) from both blocks (note we might not be able to, depending on the design be able to incorporate the txns from both chains because there may be double-spend conflicts, but suffice that nominations can't conflict).

Thus the only way for the 50+% adversary to blacklist minority PoW that nominates its nodes is for that adversary to win all the blocks and always announce the blocks as soon as they are found (otherwise the adversary is required to include the nominations from minority announcements if the adversary pursues the selfish strategy mentioned above which defeats the blacklisting). But if the adversary announces block solutions as soon they are found, then the adversary can't statistically win all the block announcements unless it has 100% of the PoW.

Okay the adversary must shift his strategy to fooling the payers (non-full nodes) into believing that the minority did not propagate first (or within for example 6 seconds if we choose 6 seconds as the rule), thus convincing the payers that the minority announcements were not required to be included in the longest chain. If the payers are not listening to the network, they have to trust some full nodes to tell them what happened. If the adversary violates the protocol and doesn't include the minority nominations (because the adversary can fool the payers), then the adversary can own all the nominations and thus report what ever it wants to report to the payers. The typical Bitcoin security argument is the community will call out such an adversary and take action. But I was never satisfied with that reasoning, because the masses are easy to manipulate because they are preoccupied.

So to make my design really robust, the payers need to be listening so they can enforce the protocol. Remember I am making a micro-transaction coin, so the payers will be online often. And often is good enough. Because if the payers clients blacklist the 50+% adversary's chain for violating the protocol, then the adversary could have 99% of the PoW resources, but if they constantly lose a larger and larger share of the payers, then they honest network has forked away from the adversary and filtered it out. This is what I mean by inertia. And also this inertia will become entangled (DAG-like) such that it is impossible to undo this filtering and the 50+% attacker racks up huge losses (in transaction fee revenue and uncompensated PoW). In my design the block announcements don't include any transaction nor PoW share data, so they are very lightweight to propagate.

Note I am still searching for holes in this design. So I am not assuming it is perfect yet. (There are likely issues revolving around conflicts in UTXO between competing chains, i.e. one users is wants the transaction to go on the adversary's chain which another user has observed as the fraudulent chain and is not accepting. The payer would then need to spend on both chains until the conflicting user has observed for itself that the adversary's chain is dishonest, then it would shift over the honest inertia) At the moment, I am preoccupied with getting something launched, so the peer review of the theory will need to wait.

I did take the time to write this part down, because I do have to incorporate some aspects of this design in the coding work I am doing now. So I wanted to make sure that my logic on the necessity of the payer monitoring is correct, because I am incorporating the necessary block chain records so the users of the network have the necessary state persisted for them in the block chain.

Point being that this is going to be easy as pie for a dummy to use. And personal password security should be much easier to deal with.


As I explained above, latency is a parameter for the holistic security design when incorporated into a holistic paradigm as I have explained. The higher the latency of propagation (the interval of indeterminism about which block announcement was first and what was the interval between announcements), the larger the block period needed to reduce the incidence of competing chains (if the selfish mining scenario has been defeated given my solutions for defeating selfish mining). The higher the expected (computed probability of) incidence of competing chains, the more often that multiple sets of nominations have to be included (per the epiphany rule I mentioned). This may be acceptable by appropriately dialing down the duration of nomination consummately, assuming that doesn't adversely impact some other important factor.


The PoW from all is unified. Sending PoW with transactions is one way to incentivize users to contribute their CPU resources so the professional miners won't control near to 100% of the PoW. Another way to incentivize them is they will need to pay some PoW to nodes that propagate block announcements to them. Thus while they are online doing microtransactions, their computer will be doing some background mining (but very lightly so, preferably scaled down when CPU load is high, i.e never significant enough for the user to complain about or increase their electricity bill noticeably and on mobile phones not plugged into the charger this really has to be subdued). The user can pay instead using micro-transactions which is more economical except they can perhaps notice this (or maybe not since the entire point of micro-transactions is your don't fuss over small incremental spend decisions). We'll work out this balance over time. These are the short of maturity issues that really require a lot of contributors and people working on the source code. I can't do all of these microscopic optimizations by myself. I am just trying to first get the basic coin launched.


I explained above that yes the entity that controls 50+% of the PoW could monopolize the nominated confirmation nodes by lying to non-full nodes (using that monopoly on nodes) about the propagation events that occurs when the non-full node wasn't listening. But by having non-full nodes listen (only when they are online doing micro-transactions and remember most people these days are online most of the day and if micro-transactions become integrated into everything we do on the internet!), then I explained the 50% adversary can't violate the rule and monopolize.

Realize also that once a listening peer has saved (on the block chain!) that he requires the hash of a given block to be included in any chain he accepts, this is a form of distributed checking pointing too. And also that node doesn't have to be online in the intervening period in to detect that a future chain has or has not incorporated that hash earlier in the chain. Thus the honest inertia aggregates over time, and is not diluted by being off line. It is a form of automated community policing by algorithm.

Note also this is not the same as nodes just checkpointing which ever chain they want to. That would cause chaos and divergence. Instead there is a clear rule about consensus which is defined by PoW in such a way that the only way to monopolize it to control what propagation the users observe (which means global control and thus I shift the security from 50% control to nearly 100% control required). Afaics, the only way to have divergence is for nodes to be lied to about propagation. Here is where the community needs to play a role and maintain a list of honest relay servers and easy-as-pie ways for users to access these automatically configured into clients. I am leading the way on this ease-of-use lesson with my initial coin launch example web-based client. It will be easier than Coinbase and Paypal, yet the user controls his own coins (and private key).

It's certainly the case that, during nominal operation, latency is a driving factor in orphan rate, especially as the block period decreases. It's easy to see why because the easier it is so solve a POW, the more miners will build on the same block, causing orphans to be more common as the same data structure gets updated simultaneously by different miners.

However, this is nominal operation, not an attack scenario. It does not follow that statistically less orphans means better security, simply because an attack is not nominal operation.


Taking a guess here, I suspect you have two classes of miner? Type A is the professional miner expending a lot of energy to produce chains of work and type B is the every day user sending transactions already mined by including a POW with the transaction. So the key becomes how to make sure that you cannot impersonate type B miners to throw your new chain selection rule out of whack, since their POW difficulty must be trivially easy to solve.

You'll need to prove that the type A miner (with say 1M x the hashing power), cannot have 1M x the influence over the chain selection rule (by, say, impersonating 1M type B miners), otherwise this will collapse to being equivalent to regular longest chain selection rule.

Apologies my brain was toast in my prior post after 20 hours non-stop coding (other than a few minutes to eat and urinate).


Here is some overview of the conceptual math to make this more concrete.

In Satoshi's design, the probability of your chain not being the longest chain and thus being orphaned is calculated (employing a Poisson distribution approximation) solely based on the number of blocks, z, that have followed (and including) the block containing your transaction. No where in the calculation of the longest chain or probabilities for a double-spend do you see any variable related to anything other than z and the relative PoW power (p/q) of the entity computing a longer chain:

https://bitcoin.org/bitcoin.pdf#page=6
https://bitcoil.co.il/Doublespend.pdf#page=5  (http://arxiv.org/pdf/1402.2009.pdf#page=5)

Here follows references on the computing the orphan rate and the statistics about "informed nodes":

http://diyhpl.us/~bryan/papers2/bitcoin/Information%20propagation%20in%20the%20Bitcoin%20network.pdf#page=8
https://bitcointalksearch.org/topic/m.2666847
https://blog.ethereum.org/2014/07/11/toward-a-12-second-block-time/#comment-1521884349
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-August/009916.html
https://dl.dropboxusercontent.com/u/43331625/feemarket.pdf#page=4

As an approximation, as the "average" verification+propagation delay decreases linearly relative to the block period (block period is enforced with PoW difficulty), then the orphan rate and probability of being an uninformed node or on an orphaned chain (at some z) decreases exponentially.

Thus statistically it should be possible to ignore longer chains that become widely informed much later than the probabilities would indicate are reasonable, i.e. one could select a threshold for filtering at say 1/1000 chance without causing appreciable pain to honest miners.

But Bitcoin's nodes can't measure how relatively informed all nodes are for the competing chains (i.e. there is no reference point, everything is totally relative solely to longest chain measured in blocks and/or cumulative difficulty of the blocks), thus it can't incorporate such a statistical anti-aliasing against dishonest mining. What I have initially named "inertia" are the confirmations that occur orthogonal to the PoW chain, which Bitcoin doesn't even have (and the Bitcoin-NG proposal/paper doesn't change this, because confirmations don't occur out-of-order and orthogonal w.r.t. to the nomination from the longest chain). Thus in my design there is an objective measurement that is valid from the perspective of each node as to whether one chain (although longer) was withheld from the network or is blacklisting some portion of the network. Again this depends on some very specific changes to the design and propagation of the P2P network. Which also depends on an overall change to the way confirmations are achieved and recorded in the block chain. It has some conceptual similarities to a DAG, but I assert (not yet shown publicly) my design rectifies the issues with a DAG that I outlined in my discussions last month with CfB@Iota. Details to be forthcoming in white paper.

So in my design the math—for choosing the longest chain to mine on—include the calculations about what is statistically fraudulent.

Thus double-spending, blacklisting the minority PoW, and forking the protocol with a 51% attack becomes statistically implausible (intractable).

In other words, I unconflate confirmation of transactions (which is inertial evidence of who is lying about propagation) with PoW longest chain consensus (and use that consensus only to nominate who can do confirmations). Thus being nominated is permissionless, unless the adversary has 100% of the PoW. The adversary could have 99% of the PoW and the nominated resources, but it would still be objectively clear to the remaining 1% that the 99% is fraudulenting blacklisting the minority or forking the protocol and thus the minority's inertia would fork away from the fraudulent inertia. The payer's (non-full node) clients would recognize this also (by monitoring block announcements on both chains and computing relative statistics about delay, noting that block announcements are very light to verify and "fraud proofs" are employed as security mechanism ... see my recent posts about "segregated witness") and send their transactions through the 1% fork. This of course requires a much longer block period because the propagation delay to any client could be much longer. So in essence the dishonest fork could have 99% of the PoW yet none of transaction activity. If the 99% PoW fork is not measurably dishonest, then it will of course not be filtered out.

A future white paper will lay out the precise math for peer review.

It is 3:30am and I been awake since 7am, so please excuse if this reads like I am drunk.


Because A is not required to increase the PoW difficulty (number of leading 0 bits) for the PoW required to be submitted with a transaction. It is not used to rate limit spam. The only purpose is to get every payer to contribute something to the security. Again as I explained in the prior message, for as long as no entity has control over (near to) 100% of the PoW, their asymmetric leverage is fairly impotent.

Even most mobile phones has SIMD Neon now, so their performance on BLAKE2 would only about be about 1/4 - 1/10. However the PoW hash I designed is optimized for desktop processors due to the highly optimized carryless multiply instruction in the AES_NI. So mobile phones might end up with a noticeable delay. There is a sweet spot to balance this, because devices will get faster over time, and there are a lot more mobile devices than desktop PCs these days. Will choose some reasonably balanced level, and the goal is to maintain at least a few percent (if not better) of the network PoW hash rate coming from distributed users instead of 100% from professional farms.

Edit: it is possible to have two PoW hash function alternatives if it can be determined that the relative advantage for ASICs for the SIMD BLAKE2 hash is compensated relative to the PoW function that I designed which uses the carryless multiply instruction. Thus it might be possible to leverage the SIMD NEON in mobile phones.


As I wrote in my prior post, all that matters is what percentage of your market cap you are paying to debasement over any period of time, and that determines how much electricity can be spent each such period on PoW. But more debasement doesn't lower the ratio of professional miners to distributed non-professional miners, thus it really doesn't increase security. It is isn't a defense against a 51% attack, because more debasement doesn't correlate with better distribution of PoW resources. It is basically nonsense and we've been hoodwinked into throwing our money away to professional miners who are siphoning all the value out of Bitcoin by mining at < $50 per BTC cost. (Edit: and then by roughly 2032 or sooner, Bitcoin completely dies because mining funding has to come nearly all from transactions and the coin becomes highly deflationary, but long before then we will have replaced Bitcoin)

This is why I have tried to move entirely away from viewing PoW as security, because it isn't by itself security. I view PoW only a Sybil prevention mechanism for obtaining a consensus on nominated resources, which an aspect of driving the security of the inertia that results from those resources. Without PoW, anyone could nominate themselves and there'd be no convergence of the inertia (which is the precisely what I expect for Iota once someone writes a client other than the one they release to game theory their protocol)— other than meta-protocol convention and community coordination.


The key is that when propagation is orders-of-magnitude faster than the block period, and there is no way to Sybil attack the network due to PoW consensus, then lying about having not propagated is statistically and objectively filterable as fraud. Thus the 51% attack falls away. There are more details that need to be explained.

In Satoshi's design the nodes want to be on the longest chain of PoW. In my design, they want to be on the longest chain of PoW which is not incongruent with the propagated inertia. There are two aspects (PoW and inertia) interlocking and supporting each other synergistically. The reason Bitcoin (Satoshi's design) can't do this distinction is because there is no inertia orthogonal to PoW. If you are thinking the PoW nominates the inertia, so the inertia is not orthogonal, then don't forget another key detail which is duration of nomination is much greater than any statistically objective honest orphan chain length (duration). Essentially my design is a form of anti-aliasing. More PoW resources can gain a larger share of the inertia, but the thing about inertia is that each participant views their own inertia as a priority and so any entity trying to blacklist another's inertia is going to be viewed statistically and objectively as fraudulent and thus that fraudulent PoW can be filtered out and its inertia spirals down. In other words, greater share of resources doesn't allow you to violate the laws of physics about propagation.