Topic: Satoshi didn't solve the Byzantine generals problem - page 6. (Read 13700 times)

legendary
Activity: 2968
Merit: 1198
Thus per the definition, Satoshi's PoW design is not Byzantine fault tolerant, because the metric of when it is fault tolerant is ill defined (can't be measured). An unknowable state is as reliable (fault tolerant) as a random result, thus no reliability exists.

This is exactly the same as the Byzantine Generals Problem, which is solved up to 1/3 faulty generals (and only then, unless you add externally-assigned identities and unforgeable messages). If there are >1/3 faulty generals, then the honest generals can not determine that they are being tricked, so they will commence a doomed attack and they will all die. This is fault tolerant up to 1/3 traitor generals but not beyond. There is no way for the honest Generals to measure the number of traitor generals. If they could, they would not be tricked into attacking and die.

Likewise, in Bitcoin if there is <50%* faulty hash rate, then there is no effective censorship and functional consensus (including on there being no effective censorship). If there is too much faulty hash rate, then the rest of the system can not measure the faulty hash rate and it can not determine that it is being tricked.

In both cases, an outside observer who is able to see all the interactions can tell the system has failed. Within the system you can not.
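
The one-third bound cited in this post can be checked mechanically. The following is an added example, not code from any poster in this thread: a small Python model of the oral-messages algorithm OM(1) from Lamport, Shostak and Pease that tries every message pattern a single traitor can send. The function names and the choice of RETREAT as the tie-break default are assumptions of this sketch.

```python
from itertools import product

ATTACK, RETREAT = "attack", "retreat"


def majority(votes):
    """Strict majority of the votes; a tie falls back to RETREAT (assumed default)."""
    attack = sum(1 for v in votes if v == ATTACK)
    return ATTACK if attack > len(votes) - attack else RETREAT


def om(commander, lieutenants, value, m, traitor, lies):
    """Oral-messages algorithm OM(m) with at most one traitor.

    `lies` is an iterator; the traitor takes its next item for every message
    it sends, so one sequence of lies is one complete traitor strategy.
    Returns {lieutenant: value that lieutenant settles on}.
    """
    # Step 1: the commander sends a value to every lieutenant.
    received = {}
    for lt in lieutenants:
        received[lt] = next(lies) if commander == traitor else value
    if m == 0:
        return received
    # Step 2: each lieutenant relays what it received using OM(m-1).
    relayed = {}
    for j in lieutenants:
        others = [lt for lt in lieutenants if lt != j]
        relayed[j] = om(j, others, received[j], m - 1, traitor, lies)
    # Step 3: each lieutenant takes the majority of the direct and relayed values.
    decisions = {}
    for i in lieutenants:
        votes = [received[i]] + [relayed[j][i] for j in lieutenants if j != i]
        decisions[i] = majority(votes)
    return decisions


def breaks_agreement(n, traitor, order=ATTACK):
    """True if some strategy of `traitor` defeats OM(1) among n generals.

    General 0 is the commander. Two conditions are checked:
    IC1: all loyal lieutenants decide the same value.
    IC2: if the commander is loyal, they decide the commander's order.
    """
    for lies in product((ATTACK, RETREAT), repeat=n - 1):
        decisions = om(0, list(range(1, n)), order, 1, traitor, iter(lies))
        loyal = {d for general, d in decisions.items() if general != traitor}
        if len(loyal) > 1:
            return True  # IC1 violated
        if traitor != 0 and loyal != {order}:
            return True  # IC2 violated
    return False


def tolerates_one_traitor(n):
    """True if no single traitor, in any position, can break OM(1)."""
    return not any(breaks_agreement(n, t) for t in range(n))


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(n, "generals, 1 traitor tolerated:", tolerates_one_traitor(n))
```

With three generals a loyal lieutenant holds one "attack" and one "retreat" and has no way to tell which sender lied, which is the failure mode the post describes; with four, the extra relay gives the loyal majority.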
sr. member
Activity: 420
Merit: 262
Don't lie. I stated it will converge because you are enforcing centralization.

Oh, thx, forgot centralization part. So your position is that it can't converge without centralization but it's hard to get your logic without reading that long thread. Fixed.

Agreed. Thx.

And note I am claiming every coin design is centralized (or heading there).

I contemplate a design that has decentralized control over centralized verification, but I have nothing to show but words at this point.
legendary
Activity: 2142
Merit: 1010
Newbie
Don't lie. I stated it will converge because you are enforcing centralization.

Oh, thx, forgot centralization part. So your position is that it can't converge without centralization but it's hard to get your logic without reading that long thread. Fixed.

EDIT: Maybe you should find time and provide a brief explanation, so no one will think that you try to evade something by making excuses. The reference to those 33 pages looks like an excuse to me, a solid idea doesn't need walls of text to explain.
sr. member
Activity: 420
Merit: 262
I have presented my logic to back my claim in the Decentralization thread. You are free to disagree. Everyone on these forums is free to express their logic.

Got it. I'll back this reply up via WebArchive site and present it every time I see someone saying something like "AnonyMint states that Iota consensus doesn't converge" so people won't think that you provided a proof of that claim.

Don't lie. I stated it will converge because you are enforcing centralization.
legendary
Activity: 2142
Merit: 1010
Newbie
I have presented my logic to back my claim in the Decentralization thread. You are free to disagree. Everyone on these forums is free to express their logic.

Got it. I'll back this reply up via WebArchive site and present it every time I see someone saying something like "AnonyMint states that Iota consensus doesn't converge" so people won't think that you provided a proof of that claim.
sr. member
Activity: 420
Merit: 262
I have not claimed the word 'proof' and I specifically stated in that linked Decentralization thread that I have not endeavored to produce a formal proof. If you would like me to add a link to your best post in that thread where you presented your stance, then please suggest a link.

So you claim that Iota consensus can't converge but there is no formal proof? What about a non-formal one?

I have presented my logic to back my claim in the Decentralization thread. You are free to disagree. Everyone on these forums is free to express their logic.
legendary
Activity: 2142
Merit: 1010
Newbie
I have not claimed the word 'proof' and I specifically stated in that linked Decentralization thread that I have not endeavored to produce a formal proof. If you would like me to add a link to your best post in that thread where you presented your stance, then please suggest a link.

So you claim that Iota consensus can't converge but there is no formal proof? What about a non-formal one?
sr. member
Activity: 420
Merit: 262
Suggest a link and I will add it to the linked post. Then I will delete this post.

Is it a joke? My point was that that thread didn't contain the proof. How do you think I'll find the proof if there is none from my point of view? What about you linking to the actual proof instead of giving looping references?

I have not claimed the word 'proof' and I specifically stated in that linked Decentralization thread that I have not endeavored to produce a formal proof. If you would like me to add a link to your best post in that Decentralization thread where you presented your stance, then please suggest a link.
legendary
Activity: 2142
Merit: 1010
Newbie
Suggest a link and I will add it to the linked post. Then I will delete this post.

Is it a joke? My point was that that thread didn't contain the proof. How do you think I'll find the proof if there is none from my point of view? What about you linking to the actual proof instead of giving looping references?
sr. member
Activity: 420
Merit: 262
Please respect canonical definitions. Byzantine 'agreement' is not what we are talking about in this thread. We are talking about Byzantine fault tolerance. The definitions are on Wikipedia:

I'm tired of repeating myself. Here is an entire paper which proves that bitcoin did solve the BGP: http://nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf

That paper is flawed. For example,

Quote from: nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf#page=3
What really matters is that ownership of the currency is undisputable - everyone can agree on who owns what.

Yet the paper never addresses the issue that no one can know when all observers agree or not on who has lost access due to censored transaction or victim of a double spend (a double spend has a loser and winner but who can prove the loser the victim). The majority hashrate is forced on all observers, regardless. That is not the definition of fault tolerance. Consistency of observer experience is violated. The CAP theorem requires that if Partition tolerance is not allowed (due to the single longest chain partition rule) then either Access or Consistency must be lost.

Monsterer I grow very weary of your proclamations which are nearly always short-sighted. You demand I go do the work that you didn't do. And that isn't fair to me. Just because a white paper claims to prove something, doesn't mean it did.
legendary
Activity: 1008
Merit: 1007
Please respect canonical definitions. Byzantine 'agreement' is not what we are talking about in this thread. We are talking about Byzantine fault tolerance. The definitions are on Wikipedia:

I'm tired of repeating myself. Here is an entire paper which proves that bitcoin did solve the BGP: http://nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf
sr. member
Activity: 420
Merit: 262
Rather my upthread argument is that Byzantine fault tolerance requires the ability to distinguish between a fault and a non-fault, because otherwise the system does not present the same symptoms to all observers (which is a requirement of Byzantine fault tolerance). Satoshi's PoW can't distinguish a fault (attack) from a non-fault (non-attack).

Byzantine agreement is the process of forming a consensus decision on truth in the face of faulty network participants; bitcoin achieves this. Your definition of fault is incorrect in this context; a fault is information which the majority doesn't accept as truth, which manifest themselves as orphaned branches in bitcoin. Obviously all observers of the network can see orphaned branches.

Please respect canonical definitions. Byzantine 'agreement' is not what we are talking about in this thread. We are talking about Byzantine fault tolerance. The definitions are on Wikipedia:

A system which doesn't objectively (from the perspective of all observers) know when it is failing is not Byzantine fault tolerant.

Refer again to the Wikipedia definitions:

The following practical, concise definitions are helpful in understanding Byzantine fault tolerance:[3][4]

Byzantine fault
    Any fault presenting different symptoms to different observers
Byzantine failure
    The loss of a system service due to a Byzantine fault in systems that require consensus

This circular logic of yours is getting redundant.

A fault is clearly defined above as any inability for all observers to be mutually objective about all symptoms. I already explained that censoring transactions or double-spends can occur where some observer is harmed but other observers can't be objective about who has been harmed or whether the harm is really taking place or which hashrate to blame the fault on.

smooth's retort is such a fault doesn't occur until a % of the network is faulty (and he swears "I didn't inhale" but he did swallow and "that woman was never under my desk" but she was on top[1]), but again we can't measure nor prove when the network is faulty. If one says "yeah it is fault tolerant but I can't ever know when it is fault tolerant" that is not telling us any state where we know that observers are observing the same symptoms. The state can never be known. It is akin to arguing that yeah if the sealed box contains X then Y, but the box can never be opened.

Thus per the definition, Satoshi's PoW design is not Byzantine fault tolerant, because the metric of when it is fault tolerant is ill defined (can't be measured). An unknowable state is as reliable (fault tolerant) as a random result, thus no reliability exists.

smooth and r0ach said that Satoshi's PoW may still have value even without being strictly Byzantine fault tolerant. I pointed out it economically must become an oligarchy and asked what advantages are those? (note I have argued the advantage of Bitcoin is it drives R&D in crypto)

[1]
Quote from: Bill Clinton
It depends on what the meaning of the word 'is' is. If the—if he—if 'is' means is and never has been, that is not—that is one thing. If it means there is none, that was a completely true statement. … Now, if someone had asked me on that day, are you having any kind of sexual relations with Ms. Lewinsky, that is, asked me a question in the present tense, I would have said no. And it would have been completely true.
legendary
Activity: 1008
Merit: 1007
Rather my upthread argument is that Byzantine fault tolerance requires the ability to distinguish between a fault and a non-fault, because otherwise the system does not present the same symptoms to all observers (which is a requirement of Byzantine fault tolerance). Satoshi's PoW can't distinguish a fault (attack) from a non-fault (non-attack).

Byzantine agreement is the process of forming a consensus decision on truth in the face of faulty network participants; bitcoin achieves this. Your definition of fault is incorrect in this context; a fault is information which the majority doesn't accept as truth, which manifest themselves as orphaned branches in bitcoin. Obviously all observers of the network can see orphaned branches.
legendary
Activity: 2142
Merit: 1010
Newbie
Iota's (any DAG's) consensus diverges unless centralization can force the mathematical model that payers and recipients encode in their interaction with the system.

I followed the link and saw "I was very clear upthread." Could you show more respect to the readers and replace https://bitcointalksearch.org/topic/m.13777769 with the direct link to a post that contains more information? For example, a post that contains the proof (or its beginning if it's scattered among several posts) would be a better option.
sr. member
Activity: 420
Merit: 262
...it's security through obscurity, where the only way anyone actually knows the security of the system at any given time is for you to know the total hash rate and acquire 51% of it yourself.  I think there's a distinction to be made between provably secure, provably bad or invalid security, or in the case of Bitcoin, an unknown level of security to most or all parties at all times.

I will elaborate/reinforce on your point below...

As Smooth said, such a system can still have value.  You don't have to be a perfect system, just better or competitive with the others.

What is the value of a system that must become an oligarchy? I have better things to do with life than waste it building a copy of the Federal Reserve that is global and puts all our transactions in the clear text on the block chain.


smooth and monsterer continue to repeat over and over the claim that Satoshi's PoW design is Byzantine fault tolerant in the case that some % of the hashrate is not "faulty" (and they've proposed 33% to 51%, or even 25% in a special case of official selfish mining).

I have explained in the prior post that there is no % at which Satoshi's PoW design is not economically driven to centralize due to "selfish mining" (official and the Tragedy of the Commons case I explained).

ArticMine also pointed out in my Decentralization thread another Tragedy of the Commons  in Satoshi's PoW that is economically driven to centralization because block size can't be controlled algorithmically thus it will either be driven to a fixed size set by 51% control over mining (with infinite transaction fees a possibility due to centralized control) or to infinite block size with zero transaction fees but the latter of course will bankrupt mining so only the former can be the outcome. I then argued/showed that Monero's proposed algorithmic block size scaling feature has a mathematical flaw, thus I argued/showed it doesn't solve the issue.

I believe my contemplated decentralized UNprofitable PoW design (with intra-block partitioning and centralized verification) fixes the above problems with Satoshi's PoW design, but I need to work on it more to become more confident/certain there isn't an unacceptable flaw/tradeoff.


I am explaining to smooth and monsterer that Satoshi's PoW design has no asymptotic security because it must economically centralize. David Mazières a PhD Computer Science professor at Stanford who is the Chief Scientist at Stellar, co-authored Kademlia DHT (Distributed Hash Transform), and is an expert in this field of Byzantine fault tolerant decentralized/distributed systems has explained that Bitcoin doesn't have asymptotic security (and he argues that is because the hashrate is in control and thus there is no conclusive objectivity in the system and the entire block chain can be erased and replaced by a longer chain that comes along any time in the future).

I don't really buy into the argument that the entire block chain can be replaced; because I believe the community will create social checkpoints.

Rather my upthread argument is that Byzantine fault tolerance requires the ability to distinguish between a fault and a non-fault, because otherwise the system does not present the same symptoms to all observers (which is a requirement of Byzantine fault tolerance). Satoshi's PoW can't distinguish a fault (attack) from a non-fault (non-attack).

smooth and monsterer retort that it doesn't matter and the system is non-faulty up to some % of the hashrate being non-faulty. But again we can't detect faulty from non-faulty, so we don't know if the system is faulty or non-faulty. And I have further shown there is no % at which the system is stable and will maintain non-faulty (because trend is to centralization) indefinitely.

Whereas, all other solutions to the Byzantine fault tolerance must have an element of centralization in order to be able to distinguish faults from non-faults.

This is why I said I focused my design on including some centralization but controlling it via UNprofitable decentralization of PoW from payers. Whereas, Satoshi's PoW design lies and claims decentralization and fault tolerance, but instead has asymptotic centralization and Sybil attacked truth (because no one can prove the faults distinct from the non-faults).

Thus Satoshi's PoW is a winner take all design, not a stable Byzantine fault tolerant design which can tell us when its limits have become faulty.

The undetectable Sybil attack on pools combined with the economic incentive to pool more hashrate to amortize verification costs and lose less hashrate on mining fewer orphans, is another example of how Satoshi's PoW design is not Byzantine fault tolerant because observers can't all observe the same symptoms w.r.t. faulty or non-faulty progression of the system.

One of the attack vectors in solving the Byzantine Generals is the Sybil attack. The Byzantine Generals problem is all about the need to trust that 2/3 of the generals are loyal without centralization where all generals are the same person, i.e. that there is no Sybil attack.

Anyone who has studied all the variants of consensus algorithms (as I have) will know clearly that Sybil attacks are always resolved via centralization of the protocol.

This is why as I looked for an improvement over all of what has already been tried, I was cognizant of that I would need to accept centralization in some aspect and so I began to look for the possibility of controlling centralization with decentralization, i.e. a separation of orthogonal concerns which is often how paradigm shifts arise to  solve intractable design challenges.

Every consensus design creates centralization. This will always be unavoidable due to the CAP theorem. The key in my mind is to select carefully where that centralization should be.

  • Satoshi's PoW consensus design centralizes because a) SHA256 has orders-of-magnitude lower electrical cost on ASICs, b) full nodes must centralize (maximize pooled hashrate) to win the battle over who will have the most profitable verification costs (which can be accomplished with a Sybil attack), and c) variance of block rewards require maximizing pooled hashrate (at least up to double-digit percentages and Sybil attack incentives kick in from there).
  • Stellar's SCP consensus design centralizes because although it can't diverge, it requires that slices are not Sybil attacked to avoid eternal preemption (being jammed stuck forever).
  • Ripple's consensus algorithm diverges unless it is centralized trust, as confirmed by Stellar's divergence before it switched to the SCP algorithm.
  • Iota's (any DAG's) consensus diverges unless centralization can force the mathematical model that payers and recipients encode in their interaction with the system.
  • Ethereum never solved the issue that verification of long running scripts can't be decentralized. They are now off another deadend tangent (consensus-by-betting, Casper, shards) trying to deny the CAP theorem.
  • PoS is centralization.
sr. member
Activity: 420
Merit: 262
Bitcoin didn't solve BGP either. Nothing does because...

What you keep denying is that there are solutions (all solutions, and provably so in the case of BGP) that solve the problem within a specified range. Generally up to 33%-of-generals in the case of BGP and maybe 50%-of-hash rate for Bitcoin.

... amortization of block chain verification over great income...

Profitable PoW will always centralize, because there is a "selfish mining" attack always ongoing and there is no such thing as a minimum requirement for 25 or 33% of the hashrate, because (a conceptual variant of) "selfish mining" is built into the economics of Bitcoin (e.g. the amortization of verification costs, etc).

I explained upthread the Tragedy of the Commons (not just in the quote above) that the miner with more hashrate wins more of the blocks thus has a greater income yet all miners have to do the same verification (of all transactions). Thus, (and most certainly egregious as the transaction rate scales to Visa scale and block rewards decline to 0 with transaction fees declining to costs in a non-oligarchy free market), the miners possessing greater hashrate will have a much higher profit (regardless whether their mining hardware is more efficient or their electricity is less expensive) because their transaction verification costs are amortized across all their income. Thus Bitcoin is always reducing miners with lower hashrate's relative capital (to purchase more hashrate) relative to those with higher hashrate (all other factors held constant, which is the same stipulation that must be made in the case of the selfish mining attack).

The official selfish mining attack applies when the attacker has 33% of the hashrate (or 25% with better propagation) is one where block solutions are withheld while the attack remains 1 block ahead of the rest of the network and then propagated immediately if the network catches up, thus mathematically/statistically forcing the rest of the network to waste some of their mining hashrate relative to the selfish miner (and do note all miners waste some hashrate due to the natural orphan rate caused by the ratio of propagation to block period but selfish mining is to the advantage of the selfish miner).

So when I wrote that the inequality between block mining income and verification costs (a.k.a. amortization of verification costs Tragedy of the Commons) is another form of "selfish mining", I mean in the sense that miners with more hashrate cause those with less hashrate to be less profitable, which thus drives centralization of mining because less profitable miners can buy less hashrate relative to more profitable miners. And note there is no minimum requirement for 25% or 33% of the hashrate, as this economic attack is implicit in PoW mining. And thus just like selfish mining it will cause mining to trend towards centralized until an oligarchy can form which agrees to share (centralize) verification costs and not selfish mine each other (because the official selfish mining can be a stalemate loss for both if they both have > 25% of the mining hashrate, thus they are forced to form an oligarchy or fight to the end in a "winner take all").

For the curious, I showed the math from the selfish mining white paper with a tweak to pay all orphaned chains block rewards and it fixed the official selfish mining attack (but not the amortization of verification costs centralizing economics problem). But I think later I found a flaw with convergence of consensus but I forget and that detail is somewhere in my vaporcoin thread (in a discussion between monsterer and myself).

Edit: one might claim that the ratio of disparity in profit is equivalent to the ratio of the hashrate and ratio of amortized verification costs (since income is proportional to hashrate if variance is not considered), thus proportional hashrate would remain unchanged and thus my claim of trending to centralization would be invalid in this case of amortized verification costs. However that would only be true if the profitability was proportional to the relative hashrate without any verification costs, which is not true due to ASIC, electrical, and other efficiencies. These other efficiencies are the fundamental issue. Then add the variance and propagation cost (wasted hashrate mining an orphan for those with lower hashrate) issues and thus pools with greater hashrate have a disproportionate profitability relative to proportional verification costs.

Also note that verification costs are constant for any hashrate, thus is a larger proportion of income given lower hashrate.
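
The amortization argument in this post can be put into a toy model. This is an added example, not the poster's own math: every miner pays the same fixed verification cost per round, earns revenue in proportion to hashrate, and reinvests all profit in more hashrate. The parameter names and numbers are constructed, and ASIC, electricity, variance and orphan effects are deliberately left out.

```python
def simulate_shares(hashrates, reward, verify_cost, hash_price, rounds):
    """Return each miner's share of total hashrate after `rounds` rounds.

    Assumptions of this sketch (not taken from any real network):
      - `reward` is split each round in proportion to hashrate,
      - every active miner pays the same `verify_cost` per round,
      - profit (or loss) is converted to hashrate at `hash_price` per unit.
    """
    h = [float(x) for x in hashrates]
    for _ in range(rounds):
        total = sum(h)
        if total == 0:
            break
        updated = []
        for x in h:
            if x == 0:
                updated.append(0.0)  # a miner that dropped out stays out
                continue
            profit = reward * x / total - verify_cost
            updated.append(max(0.0, x + profit / hash_price))
        h = updated
    total = sum(h)
    return [x / total for x in h]


def margin_per_hash(hashrates, reward, verify_cost):
    """Profit per unit of hashrate in the first round, per miner."""
    total = sum(hashrates)
    return [(reward * x / total - verify_cost) / x for x in hashrates]


if __name__ == "__main__":
    start = [10, 30, 60]  # constructed starting hashrates
    print("no verification cost:   ", simulate_shares(start, 100, 0, 10, 50))
    print("fixed verification cost:", simulate_shares(start, 100, 5, 10, 50))
    print("margin per hash:        ", margin_per_hash(start, 100, 5))
```

With a zero verification cost the shares stay at 10/30/60; with any fixed cost the margin per unit of hashrate rises with size, so the largest miner's share grows every round.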
hero member
Activity: 709
Merit: 503
That is why I designed an UNprofitable PoW system. There is no other hope.
Hmm, I can be dense.  Unprofitable PoW; seems like it will be pretty hard to get folks to participate.  That said, I do run an unprofitable full node without mining.  So, maybe we would get some altruistic folks to do it *but* aren't they at risk of being over-taken by bad guys willing to run unprofitably?
The details, incentives, and potential pitfalls are deeper than that and are partially covered in the Decentralization thread (perhaps start reading from page 20 forward). No offense intended, but I am too weary to repeat again.
I sincerely appreciate your efforts; I sincerely wish you the best.  I don't think you can do it (but that's almost certainly due to my shortcomings) but please do try; nothing would make me happier than to see you succeed.  If there's anything I can do to help then please do not hesitate to ask me and I will try my best.  For example, I would be delighted to review your white paper when it is ready.
sr. member
Activity: 420
Merit: 262
That is why I designed an UNprofitable PoW system. There is no other hope.
Hmm, I can be dense.  Unprofitable PoW; seems like it will be pretty hard to get folks to participate.  That said, I do run an unprofitable full node without mining.  So, maybe we would get some altruistic folks to do it *but* aren't they at risk of being over-taken by bad guys willing to run unprofitably?

The details, incentives, and potential pitfalls are deeper than that and are partially covered in the Decentralization thread (perhaps start reading from page 20 forward). No offense intended, but I am too weary to repeat again.
hero member
Activity: 709
Merit: 503
That is why I designed an UNprofitable PoW system. There is no other hope.
Hmm, I can be dense.  Unprofitable PoW; seems like it will be pretty hard to get folks to participate.  That said, I do run an unprofitable full node without mining.  So, maybe we would get some altruistic folks to do it *but* aren't they at risk of being over-taken by bad guys willing to run unprofitably?
sr. member
Activity: 420
Merit: 262
Bitcoin didn't solve BGP either. Nothing does because...

What you keep denying is that there are solutions (all solutions, and provably so in the case of BGP) that solve the problem within a specified range. Generally up to 33%-of-generals in the case of BGP and maybe 50%-of-hash rate for Bitcoin.

ASIC-resistant PoW seems like a delightful idea to me.  Is memory latency the barrier to stand upon for the ages?  Hmm, that sounds familiar.

Of course no PoW proving algorithm (of any design) can be as efficient on less optimized consumer hardware and retail electricity (10 - 20 cents per KWH) as compared to highly optimized ASIC mining farms on 0 - 4 cents per KWH electricity (hydropower colocated or China's collectivized corruption). Even distributing ASICs to consumers won't level the playing field and not only because of differences in electricity costs, yet also due to economies-of-scale, access to lower interest loans, better connectivity to the major pools of the P2P announcement network, amortization of block chain verification over great income, etc.

Profitable PoW will always centralize, because there is a "selfish mining" attack always ongoing and there is no such thing as a minimum requirement for 25 or 33% of the hashrate, because (a conceptual variant of) "selfish mining" is built into the economics of Bitcoin (e.g. the amortization of verification costs, etc).

That is why I designed an UNprofitable PoW system. There is no other hope.

Edit: the reason I am interested in narrowing the margin between PoW prover computation on consumer hardware and mining farms, is because in an UNprofitable mining design then the aforementioned ratio dictates from the ratio of UNprofitable hashrate to profitable hashrate determines how high that block reward can be and not be profitable to any miner. Obviously a coinbase reward of 0 is always UNprofitable (unless transaction fees are considered which is another detail I covered in the Decentralization thread).