Let me take a stab at explaining for laymen, my debate with ArticMine.
Monero has a feature that charges a penalty deducted from the coinbase block reward (e.g. analogous to the 25 BTC per block reward in Bitcoin). The Monero penalty is calculated based on how much larger the block is relative to the median of the preceding N blocks. The intended effect of this feature is that block size will scale to market demand without any Tragedy of the Commons collapse into dysfunctional/degenerate outcomes. Note miners also earn income from transaction fees, so we have to analyze the complex interplay (i.e. game theory and any Nash equilibrium) between Monero's penalty algorithm, block size, block reward, and transaction fees, as well as any costs (see next paragraph).
Bitcoin has “scalepocalypse” Tragedy of the Commons collapse into dysfunctional/degenerate outcomes as transaction volumes scale up, because either:
- There is a block size limit and thus transaction fees will rise to the level of transaction values as transaction volumes far exceed that limit, in order to prioritize which transactions don't fit in the limited sized blocks.
- Or block size would be allowed to have no limit, in which case transaction fees will decline to the cost of verification (the cost for the miner with the most hashrate!) since in the absence of a block size limit the miners have no incentive to not include transactions which provide some more income per block (regardless of how small that income per transaction is for as long as it exceeds costs). Note the bandwidth/propagation delay cost argument is moot because again the miners with most hashrate have the lowest bandwidth/propagation delay cost and they set the lowest transaction fees since they have the lowest costs[1] (readers thus note these issues are very complex and require having many variables in one's head at the same time to give a correct holistic analysis). The unbounded block size case leads to an oligarchy of the monopoly on hashrate so those in the mining cartel can have pricing power and also because (as I explained in the prior sentences) those who have more hashrate also have lower costs, thus they over time aggregate more hash rate than other miners (because they are more profitable).
The simplest rebuttal to ArticMine is that if the penalty feature of Monero works as intended so as to allow the block size to expand to the market demand for transaction volume, then the “scalepocalypse” Tragedy of the Commons collapse economics that I explained in the prior paragraph for the case of unbounded block size also applies to Monero. Monero's penalty feature only prevents a miner from bloating the blocks with fake transactions paying to themself (because the miner would have to pay the penalty for exceeding the median block size, but is receiving no transaction fees to pay for the cost of the penalty from fake transactions); and Monero's penalty feature is intended to scale block size to actual market demand.
Thus I have explained there is no Nash equilibrium in Monero's penalty feature (unlike for Satoshi's longest chain rule where there is indeed a Nash equilibrium because if miners don't converge on the longest chain then all their chains are invalid/orphans and worthless without consensus). ArticMine is probably thinking that since miners have different costs, the equilibrium point for transaction fees will be the weighted average but I have explained the holistic economics by which this weighted average is driven by the costs of the largest hashrate miners until they control all the hashrate[1].
If one instead assumed that ALL (or nearly all) payers will choose to wait for the lowest cost miner to win a block (and include their transactions, i.e. queueing up in a line that grows longer and longer) and thus set their transaction fees accordingly, then Monero's penalty feature would force the block size to trend to 0. I of course don't think payers will do this, thus I stated that either the block size trends to 0, or the block size scales to market demand. But per the prior paragraph, when the block size scales to market demand, then the transaction fees decline to the lowest cost miners over time (which is essentially trending to ~0), and thus the largest hash rate miners will be incentivized to form an alliance so they can have some pricing power over transaction fees.
Monero has solved nothing and has the same insoluble “scalepocalypse” Tragedy of the Commons collapse economics as Bitcoin.
Btw, I know how to solve this problem and the solution will be in my coin. Iota appears to have solved this problem as well, but my analysis concludes Iota will fail to converge without centralization of the system as well. The only distinction of what I am proposing to do in my coin is that the verification cost centralization is under the control of decentralized payers. Iota can't do this because if the payers don't stay with the same centralization, the convergence is lost. Whereas, in my coin design the payers can move their PoW shares at any time, because my design has a longest chain rule.
[1] This is mathematically unarguable for payers willing to wait for their transaction to be confirmed until the largest hashrate miner wins a block. It is also true in that the transaction fees are set by a weighted average of frequency of block wins by miners according to hashrate. And since I explained that miners with more hashrate aggregate more hashrate over time due to having lower costs, then the long game centralization/domination of transaction fee weighted average trend is unarguable as well.
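The penalty mechanism discussed in the post above, as an added example that is not part of the original post and not Monero's own code. It assumes the CryptoNote-style quadratic rule (penalty = base reward × (size/median − 1)², blocks above twice the median rejected); the function names and all numbers are constructed for illustration.

```python
# Added illustration, not Monero source code.
# Assumed rule (CryptoNote-style quadratic penalty):
#   penalty = base_reward * (block_size / median - 1)^2  for median < size <= 2*median
# Blocks larger than 2*median are treated as invalid. All values are constructed.

def penalty(base_reward: int, block_size: int, median: int) -> int:
    """Atomic units deducted from the coinbase reward for this block size."""
    if block_size > 2 * median:
        raise ValueError("block exceeds 2x median and would be rejected")
    if block_size <= median:
        return 0
    excess = block_size - median
    return base_reward * excess * excess // (median * median)


def marginal_gain(base_reward: int, block_size: int, median: int,
                  fee_per_byte: int) -> int:
    """Fees earned on the bytes above the median, minus the penalty paid."""
    extra_bytes = max(block_size - median, 0)
    return fee_per_byte * extra_bytes - penalty(base_reward, block_size, median)


def break_even_fee(base_reward: int, block_size: int, median: int) -> float:
    """Fee per extra byte at which growing the block neither gains nor loses."""
    extra_bytes = block_size - median
    if extra_bytes <= 0:
        return 0.0
    return penalty(base_reward, block_size, median) / extra_bytes


if __name__ == "__main__":
    BASE, MEDIAN = 10_000_000, 100_000  # constructed: atomic units, bytes
    for size in (100_000, 125_000, 150_000, 200_000):
        print(
            f"size={size:>7}  penalty={penalty(BASE, size, MEDIAN):>10}  "
            f"break-even fee/byte={break_even_fee(BASE, size, MEDIAN):6.1f}  "
            f"gain with zero-fee padding={marginal_gain(BASE, size, MEDIAN, 0):>11}  "
            f"gain at 60/byte={marginal_gain(BASE, size, MEDIAN, 60):>10}"
        )
```

Under this assumed rule the break-even fee per extra byte grows linearly with the excess over the median, so zero-fee padding always costs the miner reward, while fee-paying transactions are worth including only up to the size where their fee rate meets that threshold.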
This response starts with the correct assumption that decentralization alone can't have a solution to the Byzantine Generals Problem (the failure of proof of stake), and then proceeds to make little sense on the unrelated problem of scaling the blocksize in POW coins. The latter problem Monero solves. Keep in mind that an equilibrium between fees per block, base reward and blocksize without a collapse to zero or "infinite" fees, the problem Monero solves, does not by itself speak to the miner centralization issue.
Whether proof of work introduces enough external entropy into the system to solve Byzantine Generals Problem is far from clear because there are a host of centralizing and de-centralizing factors interacting with each other the majority of which have not been taken into consideration in the previous discussion.
The underlined portion was refuted above.
Now I will address your abstract theoretical errors in the non-underlined portions quoted above...
The Nash equilibrium failures of PoS are caused by the fact that the centralization is in the stake. What I showed abstractly in this thread is that every BGP solution will have some element of centralization, because BGP can't be solved without a reference point because otherwise there is no objective reality.
The longest chain rule employing external entropy from PoW provides no reference point other than the longest chain. As I explained to smooth and monsterer, so any attributes that can't be detected from the LCR, e.g. whether the coin is under 51% attack doing double-spends or censoring transactions, thus can't be objectively known/proved so that all observers agree (i.e. these attributes are undecidable).
Thus Satoshi's LCR employing PoW does not solve BGP and can't solve it without some centralization. Period!
The key insight is to control how and where the centralization will be in the system. The error Bitcoin and Monero have made is the centralization is out-of-control of the payers. I have fixed that.
Thus the abstract BGP analysis does apply to the conclusion that Monero (and Ethereum) have deluded themselves into thinking they can avoid centralization and instead get centralization in a way they did not want.
Sorry you were wrong on every single point you wrote.
Edit: PoW LCR is necessary to enforce the following conditions assumed by BGP that don't exist in a decentralized network otherwise (but again there is no objectivity other than the Nash equilibrium of the longest chain):
Afaics the paper has an important omission which is that when the disloyal generals (traitors) are not colluding (i.e. can't trust each other) then they have no reliable means to disrupt the loyal consensus. So my analysis will focus on the case where the disloyal generals are colluding.
[...]
(note also that the definition of oral messages assumes conditions A1, A2, and A3 which can't exist in a decentralized network where Sybil attacks are possible)
PS: By the way, classical BGP mentions somewhere that traitors collude AFAIK.