Topic: rpietila Altcoin Observer - page 138. (Read 387493 times)

off topic:  I'm trying to figure out the most efficient way of converting a standard PoW chain that's still being mined to a DPOS system.  Bitshares did just a "snapshot of the chain" method of PTS>BitsharesX.  I was thinking proof of burn would be useful, but it seems like it would have the exact same centralization or central point of failure as the snapshot method, and I was hoping this is something people would be able to do over a long period of time without entirely trusting a central authority.  It seems like the snapshot method is something I'll have to use.

And here is an example of what I predicted w.r.t. to innovation originating from smaller teams.

Boolberry looks better thanhas some innovations on Monero (at least until Monero adds I2P and copies these features, then Monero has the better name).

1. It prevents the cascade of linkability when other users in your mix don't mix as much as you do (although this could lead to gridlock if not managed somehow).

2. It claims to prune the blockchain by an estimated 30 - 70% (note this is still not enough to deal with the 100s of Petabytes scaling criticism I made upthread, because it is only a constant factor). Edit: when I formerly thought deeply about pruning Cryptonote, it seemed you'd have no way to prevent someone in your mix from not spending forever, thus making pruning impossible in that case. So I have some doubt about his claim.

3. It cleverly uses block chain random data to determine the random lookup indices for memory hardness, thus in theory computation can not be traded for space. Thus it is faster with roughly the same ASIC resistance as Monero. Note this does not make it ASIC proof nor does it remove my concern that the strategy could cause a complex ASIC to appear later which would be proprietary for some longer duration thus causing centralization of mining as compared to an ASIC that was ubiquitous sooner due to not being complex (off the shelf designs being already available). I admire this idea as a short-time way to help insure CPU-only. I need to study it more to see if I can find any flaw.

4. It has a novel block chain debasement (emission) schedule based on an algorithm that relates to difficulty change. I need to study this before commenting. Edit: this is Infinium-8, not Boolberry.

My suggestion to the Monero core. Go make a deal with Boolberry immediately. Given him a lot of coins and make him your #1 developer and give him a lot of control.

For the record, I think it was my posts some months ago that caused them to realize they needed IP obfuscation.

So my posts are also in some ways constructive for Monero.

I did however make criticisms about I2P and Tor not being entirely trustable (perhaps against determined hacker or especially probable against a global adversary). I've also conceded that is adds a layer of anonymity with some probability.

I agree with you on refinement with a clear concrete specification— the author of MMM was working for IBM. Whereas I was answering to the innovation stage where there is no specification and everything in the entire holistic iterative design-by-inquiry is open to change. In that case it is difficult to create orthogonal roles and communication overload or miscommunication or disagreement gets in the way.

P.S. I edited my prior post in a few areas to make it more fair and balanced, e.g. the #1 answer and the link on the word "theoretical" to emphasize it is not a widely accepted fact.

Have you actually read MMM? My recollection (it has been a while since I read it) was that it suggests a core team size of a half dozen to a dozen, though with carefully delineated roles. The Monero core team is actually quite close to this ideal, though perhaps that is not so apparent from the outside. We have also done well to identify important projects that can be done largely independently of the core team (i.e. they have their own core team of manageable size). This is not an accident.

People are going to decide what degree of mixing is necessary for their threat model, and we don't know yet what will be typical.

To avoid massive (big data scale) linking and analysis of the entire blockchain, it may be that small mixes of 2 or 3 are sufficient. Even these offer an exponential explosion of paths once the tracing goes through multiple transactions (as opposed to mixes of 1, which offers no such explosion i.e. bitcoin).

As for mixes-of-mixes, those are more efficient than flat mixing (though perhaps vulnerable to some forms of analysis especially if not done carefully). If we assume everyone mixes with mix=2 five times there is an ambiguity factor of 32 to the original source of funds, yet the increase in total signature size on each transaction is only 9. This still does not get to orders of magnitude. Note that you don't need to create all the mix paths, only one path to the true source, because there is no way to identify which path leads back to it.

1. yes but "devil is in the (so many and always multiplying complexity of...) details" so this is conjecture at this point. Often (as any programmer will attest to) estimates of design are proved grossly incorrect during actual implementation and refinement of a design that existed only in overview in someone's head.


I did write or imply that.


I wanted to agree, but to really be anonymous you need to obscure your IP address connection too, so in that case you could just use Bitcoin.

You can start to make that argument once the I2P or  Tor support is running by default, but still one has to decide if they trust low-latency Chaum mix-nets or if they'd prefer to obtain an unregistered connection to the internet.

Note however that Cyptonote's untraceability and unlinkability adds a form of anonymity that can't be obtained with obscured IP address alone, and that is the correlation of people who have spent to you and you have spend to, so if any one of them leaks your identity then cascade to potentially all your transactions can be identified.

So I would say your point is reasonable, but not absolute.


Won't Zerocash have the same problem with a unprunable blockchain?


Cryptonote could of course copy any new innovation if the community agrees, but they can't copy the developer of those innovations. And that is why the momentum will always stay with the innovator (assuming it continues to innovate and refine) and not the copycat. That developer has more insight into his innovations than the copycats do. And he doesn't have time to explain every damn detail to everyone. He would never get any real work done (the Mythical Man-Month communication overload point again).


I agree. Hypothetical is silly if taken too far, because no one can predict all of that, not even the person who might be working on the dreamcoin.

One point of my posts was to ascertain where Monero is exactly (to test my assumptions) and also to explain the weaknesses clearly so both that community and any competitors can see clearly where the issues lie.

I am not trying to play some political game wherein I want to spend all my time trying to prevent people from adopting Monero. I think the discussion has reached its fulfillment already.


Agreed, but we can't project very well in detail speculative unknowns. What we can say is that Monero is likely to proceed on its current trajectory.


There is no level of transaction fees that is stable. I don't enough time right now to collate all my posts about tx fees to summarize the reasons.


Agreed the value of the existing network inertia is one of the factors the person with the private innovation has to consider carefully for making the choice whether to contribute it to the existing community or launch a new coin.

Launching a new coin successfully is much more difficult than it seems. Go find one example in an altcoin? Dogecoin got the ramp up from making debasement decline extremely fast and now they are paying the price for it (which I think is the other theoretical egregious flaw that may destroy XMR).


As I wrote upthread, I don't think that 5 or 6x calculation is accurate. Because someone told me that Monero currently has a limitation wherein you can't mix too many inputs (incorrect?), so you need to mix multiple times to achieve the same level of mixing you would with one transaction without the limit. Thus many of the transactions are multiple mixes for the same transaction, thus the real bloat is orders-of-magnitude higher than Bitcoin.

But remember from upthread discussion between smooth and myself, that the level of that multiplier is less relevant. I explained (argued) that the real problem is one-time ring signatures make the blockchain unprunable.


For the record: I don't (nor do anyone I want appease) own any DRK.

I do not agree it is inherently negative. In fact a coin where developers are unable make important changes (including hard forks) for whatever competence, organizational, or political reasons could see its value decline for that reason.

So I agree what what you said about it being coin/situation dependent.

Hard forks done for bad reasons or which are poorly executed will hurt a coin value.

It is easy to throw out these crazy numbers in hindsight, knowing the coin was going to explode in value.

The coin traded for about 0.0002 or below for the first two weeks (total daily mining output <$3K). For the next week it traded at about 0.001 (total daily mining output about $14K).

At that point public optimized miners started getting released and having an obvious effect on the hash rate (so we know they were being used, and the 100% monopolization assumption becomes increasingly implausible), where it remained for the next few weeks while increasingly optimized public miners were released.

Profits from mining and holding are speculation profits, not mining profits. People could make just as much by buying, and tens of thousands of coins were bought at those prices on OTC and cryptonote.exchange.to, so people were doing just that. Likewise, one could mine with an optimized miner at some huge advantage only to see the coin sink in value, but those too are speculation losses.

Nevertheless, I agree that a $1K bounty is uninteresting, and even $5K isn't that interesting unless you know for sure in advance that your approach is going to succeed (and that you will be the first one to get there). If you have to take risk, $5K is not nearly enough.

(a)  It's not a good wage for the time it would take for the kind of people who could do it.  It's probably > 20 hours of work, which would suggest that a $5k bounty might start to get in the right range.

(b)  I believe from the rumormill that a fast CryptoNight implementation from day 1 of XMR was worth something north of $400k in net profit.  Just as a comparison against the value of keeping an optimized implementation private.

I don't think it's reasonable to ask you to put up more of your personal cash - but I think it's reasonable for anyone seriously considering adopting CC to help boost that bounty into the range it would be attractive for someone to actually demonstrate.

I thought this same thing.  Hard forks probably do carry an inherent negative impact on a coin's value.  But depending on the reason for the fork that impact could easily be overshadowed by a positive response.  I think this factor is coin/situation dependent. 

A hard fork is serious business, but not the end of a coin in every case IMHO.  I am sure there is precedent for this.

Vericoin did an EXTREMELY controversial hard fork recently, and although the price has reflected a clear negative response the coin is by no means dead or dying because of the fork. (even though much of me thinks it should be)

What my Cuckoo Cycle benchmarking has shown so far is that 40 Xeon threads is not quite enough to saturate memory. But I imagine a few hundred will. An FPGA or ASIC will be able to generate the memory requests at a much faster rate using hardwired siphash24 computation, and so will hit the parallelization limit much earlier.

Because GPU memory is ill-suited for Cuckoo Cycle's random access to bitpairs in global memory,
which resist coalescing (1M consecutive accesses are on average 512 bytes apart on a large instance),
I expect the GPU to struggle to put hundreds of threads to use. That's why
I posted a $1000 bounty on the speed parity of GPUs and server CPUs for Cuckoo Cycle in
  https://bitcointalksearch.org/topic/cuckoo-cycle-speed-challenge-2500-in-bounties-707879
which is duplicated in the README at
  https://github.com/tromp/cuckoo

So you don't think my bounty is safe... care to have a go at it yourself?!

I was using round numbers everywhere, it isn't exactly 3% nor exactly 6MB. These numbers can't be measured exactly because they vary constantly (especially transaction volume). Nor is your 34 MB number exactly right because that varies too.


Exactly. It is a design trade off to achieve blockchain analysis resistance, unlinkability, etc.

If you don't think those things are important then you wouldn't accept that the trade off is worth it. Others clearly disagree.

6x is roughly equivalent to Moore's Law over a 5 year time period, which means the cost of Monero in inflation-adjusted computing resources is right about the same as Bitcoin was when it first launched. This is 100% normal in the computer industry. The equipment builders figure out how build  faster, bigger, and cheaper and the software builders figure out how build improved functionality. A form of "tick-tock" if you will.

Wait a minute, 6MB/day with 3% of Bitcoin transactions, and Bitcoins blockchain grows at 34 MB/day, that's not 5x the growth of blockchain compared to bitcoin, it's 5.82x, closer to 6x for the same number of transactions. You want to tell me that 6x bigger blockchain is not a design flaw, and it can be settled with well orchestrated hard fork? It's not only the question of disk space for a full node to use, it's the question of node's ability to successfully verify every block with such a large amount of data. Relying on Moor's law to solve the problem is not a rational approach. But then again, who am I to advise Monero developers what's best for their coin. If you think it's just fine - great, it's your child.

Just so everyone knows, bitcoin has went through a hard fork, hell, darkcoin went through about 3 hard forks....it's nothing complicated, the only reason I should suspect some people here rather want a new coin, than a simple hard fork, is because they want to mine and accumulate coins from early with low difficulty. Crypto really has the greediest people...sad.

This premise is false. You are ignorant of the fact that Monero transactions are not "negligible." You likely assume they are because: 1. Most of the shitcoins, by contrast, have negligible transctions; and 2) Monero is relatively new. In fact Monero has gained nearly unprecedented adoption and usage for an altcoin (e.g. see post #1 on this thread), although at present most of that usage is speculation. That's still usage though.

The blockchain is growing at 6 MB per day with about 3% as many transactions as Bitcoin. There is a small constant factor difference in size between the two, roughly 5x.

Upcoming changes will likely alter this factor but in offsetting directions, so I expect this to remain fairly close.


This is also false. Moore's law will likely make running a full node (even at close to Bitcoin volumes which no one expects) less expensive in the future, not more expensive.


Hard forks are not themselves dreaded. Some development processes have become so politicized and dysfunctional as to make changing anything nearly impossible, and likewise some incompetent developers have done hard forks poorly. Both of those are what should be dreaded, and both of those will be avoided by Monero.

If hard forks are needed to make significant improvements to Monero they will be done (correctly).

I'm not talking some far-in-the-future hypothesis. I'm talking about the fact that Monero's blockchain is exploding in size with negligible amount of transactions it now process. There's no PHD needed to see that with anything close to BTC amount of transactions it would making running the full Monero node unsustainable for most users. There's many things I like in Monero, but if something looks unrepairable without dreaded hard fork, why not take the best from Monero and move it to a new currency which doesn't have the super-fat blockchain problem?

Are you guys serious? You really think if a better technology comes along, that it is easier to build that network out with a new coin (not to mention testing, getting a developer network behind it, promoting it, etc.) instead of just adding that to Monero, BTC, etc? And then rinse and repeat with each new technological advancement. That makes absolutely no sense.

There are two problems. The first is that new technology (and I'm not talking about altcoin gimmicks, I mean ZeroCoin specifically) may introduce brand new, untested cryptography. What happens when you have millions of users and huge merchant adoption uptick? You can't play with people's money by opening them up to risk, so you stick with what is tried and tested.

The other problem is that it's not us who makes that decision. We may have some degree of swing now, but even right now - if we suddenly decided to introduce something stupid like doubling the block time without doubling the block reward, what would happen? Miners would ignore our changes, someone would fork the repo, and they'd continue development without us.

None of this means that Monero will eventually reach a point where change is impossible, it's just that some changes will be ill-advised until another cryptocurrency has demonstrated its value and cryptographic soundness over many years, and other changes may never live to see the light of day because miners will refuse to accept it. The upshot of this is that even if something like ZeroCoin is the holy grail and they've solved the obvious trust issue and they are absolutely certain no other exploits in the software exist (which will take years) it will still be a struggle for them to have any sort of adoption based on technology alone. There are WAY too many other variables at play.

Good analysis.

I did not say that high fees increase the value of money. I mean that it is possible to live with them, because everything considered, the fees are typically a minor percentage of the transaction costs.

- In corporate context, the policies and red tape are so high that every transaction costs up to $60 (accounting etc dept costs divided by # of transactions per year).
- In retail, we are still talking about several dollars.
- Even in grocery stores, each customer costs about $1 at least to check out.
- Only in automated internet transactions (not even really possible until crypto*), it matters whether the price is $0.01 or $0.1 per transaction.

ADD:
*or even then without subsidized transaction fees, given current implementations