Topic: Satoshi didn't solve the Byzantine generals problem - page 2. (Read 13680 times)

"Insufficient" is unclear because there is no unambiguous definition of how much is sufficient.

In large part it depends on the decentralization of mining. If mining is decentralized then you only need a small (but still nonzero) incentive because any miner can't really do anything other than follow the longest chain rule. While raw hash rate attacks are possible (i.e. temporarily centralizing mining by incurring a cost), in a larger system they will have significant cost and will only succeed as long as the ongoing cost is paid.

If mining is highly concentrated by nature then you are really only relying on the weak linear security of the block reward itself, and maybe not even that, because miners (e.g., hypothesized Chinese cartels) have all sorts of perverse incentives.

Your statement would be correct if you added ", assuming mining becomes centralized as I have claimed it will."

Correct, meaning the amount of hashrate miners spend will be equal to the block subsidy[1] (where block subsidy will ultimately be Monero's perpetual tail reward which is necessarily a fixed # of coins), because (as I pointed out in our prior discussion) transaction fees will trend to costs, due to that the median block size M_N will trend upwards to match market demand and thus there is no pricing power on transaction fees.

[1] Note this means the tail reward security of Monero will be very weak and insufficient.


You wrote that before in our prior discussion:


And it still doesn't make any sense to me. The block size will trend upwards to match transaction demand, because the penalty is driven to 0 as the median block size increases as  miners can justify burning some of the transaction fees to the penalty. That drives the median block size upwards, which drives the penalty to 0 again. The median block size doesn't have any incentive to decrease again, thus transaction fees then fall to costs.

Sorry as I told you before, Monero does not solve the Tragedy of the Commons in Satoshi's design. It does adaptively increase the block size while preventing spam surges.

I doubt John Conner's design has achieved any better, because as I explained at our prior discussion, there is no decentralized solution to that Tragedy of the Commons in the current proof-of-work designs. I have a solution, but it is a very radical change to the proof-of-work design that relies on unprofitable mining by payers.

Let me take a stab at explaining for laymen, my debate with ArticMine.

Monero has a feature that charges a penalty deducted from the coinbase block reward (e.g. analogous to the 25 BTC per block reward in Bitcoin). The Monero penalty is calculated based on how much larger the block is relative to the median of the preceding N blocks. The intended effect of this feature is that block size will scale to market demand without any Tragedy of the Commons collapse into dysfunctional/degenerate outcomes. Note miners also earn income from transaction fees, so we have to analyze the complex interplay (i.e. game theory and any Nash equilibrium) between Monero's penalty algorithm, block size, block reward, and transaction fees, as well as any costs (see next paragraph).

Bitcoin has “scalepocalypse” Tragedy of the Commons collapse into dysfunctional/degenerate outcomes as transaction volumes scale up, because either:

• There is a block size limit and thus transaction fees will rise to the level of transaction values as transaction volumes far exceed that limit, in order to prioritize which transactions don't fit in the limited sized blocks.
  
  
• Or block size would be allowed to have no limit, in which case transaction fees will decline to the cost of verification (the cost for the miner with the most hashrate!) since in the absence of a block size limit the miners have no incentive to not include transactions which provide some more income per block (regardless how small that income per transaction is for as long as it exceeds costs). Note the bandwidth/propagation delay cost argument is moot because again the miners with most hashrate have the lowest bandwidth/propagation delay cost and they set the lowest transaction fees since they have the lowest costs[1] (readers thus note these issues are very complex and requires to have many variables in one's head at the same time to give a correct holistic analysis). The unbounded block size case leads to an oligarchy of the monopoly on hashrate so those in the mining cartel can have pricing power and also because (as I explained in the prior sentences) those who have more hashrate also have lower costs, thus they over time aggregate more hash rate than other miners (because they are more profitable).

The simplest rebuttal to ArticMine is that if the penalty feature of Monero works as intended so as to allow the block size to expand to the market demand for transaction volume, then the “scalepocalypse” Tragedy of the Commons collapse economics that I explained in the prior paragraph for the case of unbounded block size also applies to Monero. Monero's penalty feature only prevents a miner from bloating the blocks with fake transactions paying to themself (because the miner would have to pay the penalty for exceeding the median block size, but is receiving no transaction fees to pay for the cost of the penalty from fake transactions); and Monero's penalty feature is intended to scale block size to actual market demand.

Thus I have explained there is no Nash equilibrium in Monero's penalty feature (unlike for Satoshi's longest chain rule where there is indeed a Nash equilibrium because if miners don't converge on the longest chain then all their chains are invalid/orphans and worthless without consensus). ArticMine is probably thinking that since miners have different costs, the equilibrium point for transaction fees will be the weighted average but I have explained the holistic economics by which this weighted average is driven by the costs of the largest hashrate miners until they control all the hashrate[1].

If one instead assumed that ALL (or nearly all) payers will choose to wait for the lowest cost miner to win a block (and include their transactions, i.e. queueing up in a line that grows longer and longer) and thus set their transaction fees accordingly, then Monero's penalty feature would force the block size to trend to 0. I of course don't think payers will do this, thus I stated that either the block size trends to 0, or the block size scales to market demand. But per the prior paragraph, when the block size scales to market demand, then the transaction fees decline to the lowest cost miners over time (which is essentially trending to ~0), and thus the largest hash rate miners will be incentivized to form an alliance so they can have some pricing power over transaction fees.

Monero has solved nothing and has the same insoluble “scalepocalypse” Tragedy of the Commons collapse economics as Bitcoin.

Btw, I know how to solve this problem and the solution will be in my coin. Iota appears to have solved this problem as well, but my analysis concludes Iota will fail to converge without centralization of the system as well. The only distinction of what I am proposing to do in my coin is that the verification cost centralization is under the control of decentralized payers. Iota can't do this because  if the payers don't stay with the same centralization, the convergence is lost. Whereas, in my coin design the payers can move their PoW shares at any time, because my design has a longest chain rule.

[1]

This is mathematically unarguable for payers willing to wait for their transaction to be confirmed until the largest hashrate miner wins a block. It is also true in that the transaction fees are set by a weighted average of frequency of block wins by miners according to hashrate. And since I explained that miners with more hashrate aggregate more hashrate over time due to having lower costs, then the long game centralization/domination of transaction fee weighted average trend is unarguable as well.

---

The underlined portion was refuted above.

Now I will address your abstract theoretical errors in the non-underlined portions quoted above...

The Nash equilibrium failures of PoS are caused by the fact that the centralization is in the stake. What I showed abstractly in this thread is that every BGP solution will have some element of centralization, because BGP can't be solved without a reference point because otherwise there is no objective reality.

The longest chain rule employing external entropy from PoW provides no reference point other than the longest chain. As I explained to smooth and monsterer, so any attributes that can't be detected from the LCR, e.g. whether the coin is under 51% attack doing double-spends or censoring transactions, thus can't be objectively known/proved so that all observers agree (i.e. these attributes are undecidable).

Thus Satoshi's LCR employing PoW does not solve BGP and can't solve it without some centralization. Period!

The key insight is to control how and where the centralization will be in the system. The error Bitcoin and Monero have made is the centralization is out-of-control of the payers. I have fixed that.

Thus the abstract BGP analysis does apply to the conclusion that Monero (and Ethereum) have deluded themselves into thinking they can avoid centralization and instead gets centralization in a way they did not want.

Sorry you were wrong on every single point you wrote.


Edit: PoW LCR is necessary to enforce the following conditions assumed by BGP that don't exist in a decentralized network otherwise (but again there is no objectivity other than the Nash equilibrium of the longest chain):

I am writing a layman's post now. I will try to explain the debate between ArticMine and myself in a way that hopefully more people can understand.

Could "good enough" vs. "ideal" be part of the problem?  Clearly Bitcoin is up and running good enough for now; denying undermines credibility.  If there are theoretical issues underneath it then it is good to be aware and think about how to address them; denying this is unwise.  What are the real risks of one of these underlying issues flaring up enough to wreck Bitcoin?  How urgent is the topic?  Is someone exploiting us right now?  Can we detect it?  Perhaps the bad guys aren't being as evasive as they could be?  It might be really hard to be totally evasive.  Should we encourage pools to stay under some threshold or risk the wrath of the community at large?  Should we ask the US military to drop bombs on mining sites in China?  Oh, sorry, I went too far. 

Your conceptualization is so egregiously incorrect on so many levels, I am mentally challenged as to how I can respond to both illuminate and untangle all your errors. When someone as you have done here twists their thinking into such a convoluted state of wrong conceptualization on top of wrong conceptualization, it becomes arduous to even continue the discussion. Sorry if that sounds like an ad hominem response, but I am really flabberghast+exasperated that you are apparently incapable of comprehending what I have tried to explain (again presuming you are supposed to be an expert on this issue given you display that you are intimately involved with Monero's penalty algorithm). I guess I just assume that extremely intelligent people are capable of comprehending, but apparently this is not true and I need to work harder to elucidate my point. But I am also trying to discipline myself to stop posting in this forum, so I can't continue to untangle the twisted thoughts of others. This has to stop at some point very soon.

Let me reflect for a while on how I can elucidate this issue to you.

This response starts with the correct assumption that decentralization alone can't have a solution to the Byzantine Generals Problem (the failure of proof of stake), and then proceeds to make little sense on the unrelated problem of scaling the blocksize in POW coins. The latter problem Monero solves. Keep in mind that an equilibrium between fees per block, base reward and blocksize without a collapse to zero or "infinite" fees, the problem Monero solves, does not by itself speak to the miner centralization issue.

Whether proof of work introduces enough external entropy into the system to solve Byzantine Generals Problem is far from clear because there are a host of centralizing and de-centralizing factors interacting with each other the majority of which have not been taken into consideration in the previous discussion.

And this is because there is no reference point (i.e. the lack of objective reality other than the LCR which I was referring to in this thread in general). And this is known already abstractly from the fact that the BGP can't be solved in a decentralized context.

My logic has nothing to do with the miner paying a penalty.

Per the math I replied to, the Monero penalty is based on exceeding the median of recent N blocks. Since (as you claim, but see Edit below) that median will scale over time to match the market demand for transactions thus no penalty will be incurred for adding all the transactions, then verification costs will eventually cost more than or a significant portion of the tail emission block reward as transaction volume scales. The point is there is no bound on transaction volume.

Thus the logic I stated takes over (where lower hashrate miners are unprofitable and centralization is forced economically):


Please check your logic more thoroughly before responding. Because you are incorrect. So find your error before posting please.

Edit: my point about transaction fees trending towards 0 is correct but not necessary for my argument as explained above. The reason txn fees trend to 0 despite Monero's penalty for creating blocks which exceed the median of recent N blocks is that payers can send the txns with the lowest fee that any miner will accept.  Thus Monero's block size will trend to 0 if the penalty feature works as designed.

So either txn fees trend to 0 or block size trends to 0.  

Sorry you can not defeat the fundamental fact that decentralization can't have a solution to the Byzantine Generals Problem. That is fundamental and inviolable. Waste years of your life, but you will still never defeat Physics and the fact that the speed-of-light isn't infinite.

Edit#2: you will probably think that payers will increase their txn fees so that their txn gets added to a block because miners aren't motivated to add too many transactions to incur the penalty (for miners that accept lower txn fees than the other miners which drive the median block size). But some of the txns will get added which have this lower txn fee, but payers can only be sure their txn is added timely if they pay the maximum txn fee that any miner requires (or some amount higher than the lowest fee), thus the miner may be able to afford to pay the penalty by including these extra transactions thus driving the median block size upwards over time and thus eventually driving the txn fees to 0 (the point is miners have no incentive to exclude txns with any level of txn fee when it doesn't cost them anything to add a transaction to block thus the trend will be ever lower and lower txn fees ... the entire point of my rebuttal to your math is what your penalty algorithm does not reach equilibrium). Which was my point that the penalty feature of Monero will not work as intended. But if it does work, it will drive the block size to 0. There are many other scenarios but they all have failure modes (analysis by case enumeration is very piss poor methodology to do academic work, rather I have started from first principles to show abstractly that no decentralized solution to the BGP can possibly exist). So choose your poison because there is no way to escape the problem that verification MUST be centralized in order to solve the Byzantine Generals Problem.

Actually the error is on your side since you expect a rational miner to pay a penalty in order to add a transaction to a block with a minimal or zero fees which are far less than the penalty. Please do not make me explain the basics of how Cryptonote works again.

I rest my case. Monero has prevented the Tragedy of the Commons.

Your error is of course as I already stated, that transactions can grow unbounded due to market demand for more transactions, and since the Monero block size limit is bounded by the market demand as you have admitted, then it is unbounded.

Thus fees (not block reward) will trend towards 0 because no miner can enforce a bound on the block size so the miners will compete with each other to provide the lowest fees since there is no limit on the number of transactions a miner can put in a block (i.e. the payer can send a transaction with lower fees and wait some extra confirmations until the miner with lower fees wins the block).

But as I already stated, this means those miners with more hash rate will have higher income than those miners will less hashrate, yet all miners have the same verification costs. Thus mining will centralize to an oligarchy. Satoshi put a 1MB block size limit to keep verification costs much lower than the block reward, so that Bitcoin would not centralize too quickly.

I rest my case. Monero has not prevented the Tragedy of the Commons. Please don't make me explain it again.

I will respond to this because it is the crux of the entire argument. In Cryptonote the blocksize is bounded by the total of what market will pay in total fees for a block vs the base reward because a rational miner will not add transactions to a block that causes a net loss of fees received vs penalty paid. Also if demand falls then the blocksize falls with no recovery of the penalty. So total fees per block cannot fall to zero in the presence of a block reward. If the base reward is zero then yes the blocksize is unbounded.

Edit: Total fees per block can fall to zero only if the blocks are very small, below the minimum threshold, currently 20 KB  (60 KB after the fork to 2 min blocks) for Monero

No he has stated not even an iota of correctness.

monsterer is spreading his dumb shit.

You clarified and refined the explanation and conceptualization, or at least brought it to my attention again, which is why I credited (and thanked) you for focusing me on that again in my Decentralization thread.


If I understand correctly that by "burn coins to the penalty", you mean that miners will create fake transactions to themselves? Thus the cost of the penalty is being charged to the miner who can't generate fees from himself.

But that is incorrect rationale, because your and my entire point has been that the Tragedy of the Commons is due to market demand for scaling, then the block size is unbounded. Your (and my) entire point was that without any bound, then transaction fees would trend towards 0 and thus an oligarchy MUST form because verification is not only not free, but more saliently verification is less profitable any miner that has less hashrate than the other miner who has the most hashrate (since all miners have to verify the entire block chain and thus verification costs are the same for all full nodes and have to amortized over income from blocks).

Thus you've accomplished nothing in terms of the fact that verification will centralize.

I explained in this thread starting from first principles as to why the abstract Byzantine Generals Problem can't be solved decentralized. Period!

Thus that guarantees that it doesn't matter how you try to obfuscate this reality in numerous technobabble. smooth is incorrect to question whether Bitcoin is directly correlated to the BGP. I could explain that too, but I grow weary of foruming.


The base reward not going to zero does nothing to solve the Tragedy of the Commons, as explained innumerable times by me and reexplained again above.


No I wrote what a 51% attacker could do to game theory Monero's penalty algorithm and I said otherwise if you make N too small in Monero's penalty algorithm, then a < 50% attacker can win more than N blocks with some probability.


Again you are not addressing that the Tragedy of the Commons is due to market demand for scaling, not from the miner creating transactions to himself. Thus the rest of your logic is inapplicable.

Obviously if block chain observers are using the presence of ephemeral forks (i.e. orphaned chains) which are outside the normal variance threshold window of orphaned chains, then attackers may be financially motivated to created ephemeral forks which are not attacks. How did you measure that an attack is an attack again (you objectively can't!)

And don't tell me that they waste resources, because 1) the profitability or justification for hiding the attack may be sufficient to do so, 2) by doing so gradually they can raise the normal variance threshold (see #c below) thus forcing the system to require more confirmations or rely on less than confirmed probabilities, and even if not then 3) remember they may be able to charge those resources to collective, e.g. how you and I proved recently that the Chinese mining cartel (which control 67% of Bitcoin's hashrate) is lying (and thus we can assume there is some massive high-level corruption going on, possibly stealing Three Gorge's Dam electricity at no cost).


Several rebuttal points:

a) In fact most of the Bitcoin use relies on 0-confirmations. I've been selling BTC to rebit.ph lately, and the transactions confirm within seconds of the transaction being sent.

b) As I wrote before and you ignored, even relying on multiple confirmations may be within the normal variance window for orphaned chains.

c) An attacker can drive the normal variance window upwards as high as he wants to. This is the analogous mistake/myopia you Monero guys made on your math for what you erroneously claimed fixed the block chain size Tragedy of the Commons.

d) You ignored my point about ongoing 51% attack which is not an ephemeral fork but rather is the longest chain.

Sorry! There is no such objectivity in Satoshi's PoW other than the longest chain rule (LCR). Period!

Eventually you will learn to respect the research I've done on this matter.

I'm of course not claiming there are no devices that are simple enough to analyze in that manner, but it is a small subset of consensus systems today.

And what we are seeing in the real world more and more is that even safety-critical systems are relying on increasingly-intractable mountains of code, with testing, process certification, redundancy and fault tolerance used to reduce failures to an "acceptable" level.

Anyway, I think we agree for the most part, largely disagreeing on matters of terminology and (in the case of Bitcoin) probability of future failure.

And the discussion has become repetitive.

So, I'll bow out of this thread for now, especially if you are ignoring monsterer who is largely correct (though also may have a slightly different perspective)

When you have to put your fingers in your ears to stop the truth from getting in, it's time to reconsider your motives.

monsterer is on Ignore for repeating his same failed argument redundantly after it has already been refuted. Sorry I don't have time to argue with an idiot.

I've been patient enough and I can't allow those who are incapable to steal all my time. Sorry.

I was planning to write some code this afternoon and instead I had to expend the afternoon explaining an issue that should have been clear when I posted the first reply to smooth. Instead those incapable people that take me on a whirlwind of their misunderstandings. I am patient for those who can finally get it. But monsterer has proven that he is so hard-headed that he can't learn new concepts.

In smooth's case, please understand that he hasn't been spending all his time researching the specific area I have been, so this should be no reflection on his abilities. I've just spent more time in this area than he has. I am just joking him about Bill Clinton.

Of course you are not omniscient to know this can't be modeled in any applications of the solution. I am quite confident models apply in real world use cases.

Obviously Turing complete (unbounded recursion) outcomes can't be decidable, but dependently typed systems do exist.

Perhaps mission critical hardware controllers, routers, etc..


The Byzantine use case applies when ever there is redundancy of components that form a circuit, but the MTBF of those nodes of the circuit still applies to models of cascaded failure. Byzantine analysis tells us limits on this cascaded failure w.r.t. to the redundancy.

Manufacturer MTBF may be marketing BS but ConsumerLabs (i.e. independent verification) can compile third party stats.