Topic: Satoshi didn't solve the Byzantine generals problem - page 9. (Read 13683 times)

Correction follows.

It will be impossible to design a memory hard PoW that is not electrically more efficient on an ASIC, unless the hash function employed (for randomizing the read/writes over the memory space) is insignificant w.r.t. the RAM power consumption, which is probably not going to be the case in any design where that hash function has sufficient diffusion to be secure.

The only way to make an ASIC resistant PoW is for the proving computation to be memory latency bound, because DRAM latency can't be improved much in general (whereas hardwired arithmetic computation and memory bandwidth can be accelerated with custom hardware):

http://community.cadence.com/cadence_blogs_8/b/ii/archive/2011/11/17/arm-techcon-paper-why-dram-latency-is-getting-worse
http://www.chipestimate.com/techtalk.php?d=2011-11-22

However, what a GPU (which starts with 4 - 10X worse main memory latency than CPUs) and especially an ASIC will do to get better DRAM amortization (if not also lower electricity consumption due to less latency) is run dozens or hundreds of instances of the proving algorithm with the memory spaces interleaved such that the latencies are combined and amortized over all instances, so that the effective latency drops (because reading from the same memory bank of DRAM is latency free if multiple accesses within the same bank are combined into the same transaction). This can even be done in software as interleaved memory spaces without needing a custom memory controller. More exotic optimizations might have custom memory controllers and larger memory banks (note I am not expert on this hardware issue). This is probably why Cryptonote includes also AES-NI instructions because GPUs have only at best at parity in performance per watt on AES, but that won't be enough to stop ASICs.

However that optimization for ASICs will bump into memory bandwidth limit so the amortization will have a limit. Theoretically memory bandwidth can be increased with duplicated memory banks for reads but not for writes!

Using larger memory spaces in a properly designed memory hard PoW hash function (not Scrypt) can decrease the probability of that instances will hit the same memory bank within a sufficiently small window of time necessary to reduce the latency. Also using wider hash functions (e.g. my Shazam at 2048 to 4096-bits) reduces the number of instances that can be interleaved in the same memory bank (and standard DRAM I think has bank/page size of 4KB?). The ASIC can respond by designing custom DRAM with larger memory banks and run more instances, but that not only raises the investment required but the memory bandwidth limit for writes seems to be an insurmountable upper bound.

So although I think a memory hard PoW hash can be made which is more ASIC resistant than current ones, I think it will be impossible to sustain parity in hashes/Watt and hashes/$hardware. Perhaps the best will be within 1 to 2 orders-of-magnitude on those.

So all profitably mined PoW coins (with sufficient market caps) are destined to be centralized into ASIC mining farms running on cheap or free electricity, but the scale and rate at which this happens can be drastically improved over SHA256 (Bitcoin, etc).

My design of unprofitably mined PoW will only require that the difficulty from the PoW shares sent with transactions is sufficient to making ASIC mining unprofitable for the level of block reward offered. Keeping the CPU implementation of the PoW prover within 1 to 2 orders-of-magnitude of an ASIC implementation reduces the level of such aforementioned difficulty needed.

I hope I didn't make another error in this corrected statement. It is late and I am rushing.

Yes, Bitcoin solves BGP (in some way). It solves also a bunch of other completely unknown problems:

* how to prove some information existed at a certain time
* how to create a public ledger of ownership
* how to issue a currency without requiring a nation state army to enforce scarcity
* how to reach agreement over a communications channel on value

BGP is a term Lamport came up with, to describe a certain theoretical model.


Okay paper, but I wish they would have referenced Lamport and more relevant work on quorum systems. Bitcoin implements Lamport's partial order of events for the first time, yet its not described here.


True, but there are other "attacks". Such as calling up Chinese miners and convince them to do a certain thing. The smaller that number and the more closer related, the worse the situation. I believe the best thing to do is to recognize the genius of this invention, but then think about how to do something better on that basis. One of the biggest problems is the complexity of the system, i.e. the large technical debt. E.g. last year there has been 1B$ investment in this area, and there been almost no progress at all in terms of advanced applications (just an increase in noise levels). I think the possibilities are largely not explored. Mostly because the Bitcoin system is extremely complex and actually not that versatile compared to what might be possible. Most discussions take many design aspects for granted, when they might be a hinderance. The PoS systems have been very helpful thinking about these things in different ways. Many also don't know the pre Bitcoin designs, Bitgold and b-money, which are also helpful to consider, see http://www.weidai.com/bmoney.txt and https://en.bitcoin.it/wiki/Bit_Gold_proposal . Actually quite surprising since satoshi said Bitcoin is an implementation of those ideas:

Quote from satoshi:

https://bitcointalksearch.org/topic/m.4508

See also:
https://bitcointalksearch.org/topic/m.11405

He may not have said it in the bitcoin paper, but others have proved it:
http://nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf

Okay, but so what?

Bitcoin also didn't solve P ?= NP or any number of other problems.

And unless I'm mistaken, Satoshi did not say that it did solve the Byzantine Generals problem, especially in the specific manner that problem is formulated (with discrete General-actors, something that doesn't even exist in Bitcoin at all). At best there is a rough similarity. Correction: Satoshi did say it was a solution in this email. But again, he formulated in a very careful manner, stating that each general has a laptop, which ends up making "majority of CPU power" equivalent to a majority of discrete General-actors.

He said exactly what it does solve. If a majority of the CPU power is not conspiring to attack the network, then it reaches consensus that is final and secure (though slowly in the case close to 50%).

It is up you as a prospective user or investor to decide whether "a majority of the CPU power" is an acceptable requirement. It seems at this point there isn't anything better, and some number of people think it is useful (most of the world does not).

I've been guilty of making this same mistake myself in the past, but byzantine faulty nodes can be colluding (or sybil), so the failure tolerance of 51% includes sybil nodes.

The Byzantine Generals problem does not state "A majority of CPU power" as the problem. I already stated that is Satoshi's requirement but as the correct title of this thread points out, Satoshi's stated requirement is not a solution to the Byzantine Generals problem. Period.

One of the attack vectors in solving the Byzantine Generals is the Sybil attack. The Byzantine Generals problem is all about the need to trust that 2/3 of the generals are loyal without centralization where all generals are the same person, i.e. that there is no Sybil attack.

Anyone who has studied all the variants of consensus algorithms (as I have) will know clearly that Sybil attacks are always resolved via centralization of the protocol.

This is why as I looked for an improvement over all of what has already been tried, I was cognizant of that I would need to accept centralization in some aspect and so I began to look for the possibility of controlling centralization with decentralization, i.e. a separation of orthogonal concerns which is often how paradigm shifts arise to  solve intractable design challenges.

Every consensus design creates centralization. This will always be unavoidable due to the CAP theorem. The key in my mind is to select carefully where that centralization should be.

• Satoshi's PoW consensus design centralizes because a) SHA256 has orders-of-magnitude lower electrical cost on ASICs, b) full nodes must centralize (maximize pooled hashrate) to win the battle over who will have the most profitable verification costs (which can be accomplished with a Sybil attack), and c) variance of block rewards require maximizing pooled hashrate (at least up to double-digit percentages and Sybil attack incentives kick in from there).
• Stellar's SCP consensus design centralizes because although it can't diverge, it requires that slices are not Sybil attacked to avoid eternal preemption (being jammed stuck forever).
• Ripple's consensus algorithm diverges unless it is centralized trust, as confirmed by Stellar's divergence before it switched to the SCP algorithm.
• Iota's (any DAG's) consensus diverges unless centralization can force the mathematical model that payers and recipients encode in their interaction with the system.
• Ethereum never solved the issue that verification of long running scripts can't be decentralized. They are now off another deadend tangent (consensus-by-betting, Casper, shards) trying to deny the CAP theorem.
• PoS is centralization.

Extracting the generative essence of an issue is what I do. That is where I have made my career in the past and will do so again.

There is no Sybil attack possible on the problem as stated. "A majority of CPU power" is a physical quantity which can't be Sybil attacked. Period.

This does not mean that Bitcoin will be a great success and moon to $10 million/BTC, or even that it will survive at all more than another year or two, or anything in between. It is possible to conclude that the consensus algorithm does exactly what Satoshi said it does (putting aside possible selfish mining attacks), and still conclude that such a security margin is too weak to be useful, because of all of the ways the precondition itself can fail (pooling, of course, can contribute to some of them).

First let us realize that the weaknesses of those approaches is they must use some centralization to prevent Sybil attacks:


Without considering the Sybil attack, then one isn't solving the Byzantine fault issue, i.e. isn't solving the Byzantine Generals problem (which is the correct title of this thread). Just because Satoshi failed to mention that he hadn't solved what he was implying to have solved, doesn't make that just having a majority of the hashrate is the only consideration in a PoW solution to the Byzantine Generals problem.

Even if we remove the economics which drives hashrate to concentrate into mining farms such as my suggestion to make mining unprofitable (and an ASIC resistant PoW protocol such as a memory hard hash would help improve the ratio of PoW shares from the marginal mines which are the payers required to make mining unprofitable for the lowest-cost miners which are the mining farms), we still have the problem that if payers are not full nodes and thus have to choose another server to do verification and select transactions for each block, the Sybil attack problem remains in that one can't know if many servers are owned/controlled by the same entity. And in fact, I have shown that verification MUST due to economics be centralized because those full nodes which have higher hashrate (even if hidden behind a Sybil attack from the public's perspective) thus earn more block reward and/or transaction fees per verification than those who control less hashrate, thus pools/full nodes are forced to be centralized (and hide it from the public with a Sybil attack because we all are delusional and expect Satoshi's design to remain decentralized when it can't).

But let's consider what damage the Sybil attack on full nodes can do, and how it can be detected and mitigated. In Satoshi's design, the Sybil attacking full node has lower costs for verification (and maybe can also potentially do a selfish mining attack but that isn't required to make my point) and thus will eventually drive the other full nodes bankrupt as a result. Thus Satoshi's design centralizes because of the inviolable and insoluble economic reality.

The other bad things centralization can do is censor some transactions and execute long-con double-spend attacks.

The solution is to centralize only the verification, but keep the control of the PoW computation decentralized, and make it such that the blame for censoring transactions and long-con double-spending is not ambiguous as it is in Satoshi's design.

That is exactly what my design accomplishes, while also enabling instant transactions that are sound. White paper and implementation forthcoming.

http://research.microsoft.com/en-us/um/people/lamport/pubs/reaching.pdf
http://research.microsoft.com/en-us/um/people/lamport/pubs/lamport-paxos.pdf

The stated problem bounds do not include being able to tell whether someone controls >50% of the hash rate. That isn't in the paper at all. The wording of the paper is "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network". It doesn't matter whether they cooperate via pools or otherwise, either way it is outside the bounds.

Circular logic. Bitcoin didn't solve the Sybil attack problem when pools control 51% and no one can know whether they do and reroute their PoW shares.

Bitcoin solves the byzantine generals problem within the bounds of the assumptions in the model. If one entity controls a majority of hashing power, that is outside of the bounds.

I believe it is possible to design a memory hard PoW that is not electrically more efficient on an ASIC, but it will be very slow. I originally didn't think so, but have since realized I had a mistake in my 2013/4 research on memory hard hashes. It is possible that Cuckoo Hash already achieves this, but it is more difficult to be certain and it is very slow when DRAM economics are maximized (although it adds asymmetric validation which is important for DDoS rejection if the transaction signatures are ECC and not Winternitz and for verification when PoW share difficulty can't be high because each PoW trial is so slow).

Cryptonote's memory hard hash can't possibly be ASIC resistant, because by my computation it could not possibly have 100 hashes/second on Intel CPUs and be ASIC resistant.

See also Zcash's analysis thus far.

I made this same point in either 2013 or 2014.

Afaics, the only solution is unprofitable PoW which is the design I am now pursuing.

I have added the above quote to my epic post about all the flaws in PoS.

I'm just going to leave this here for reference purposes:


http://nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf

Agree, and not just a single fake exchange either. There could be all manner of corrupt platforms and investment schemes that exist, at least in part, to collect stake. In fact the market forces kind of dictate this, since such platforms and vehicles can likely pay a higher yields than honest ones. Furthermore they are paying those yields in units where they, alone, with privileged knowledge of their future plans, have good visibility as to underlying value. Not really so different from the fiat banking system in a lot of ways.

Not clear that isn't just a treadmill though. If SHA256 became corrupted than given the same structure something else might very well become corrupted too.

Various arguments could be made about difference in absolute time, relative ASIC-resistance of the function, etc. but I'm not sure how compelling they are.

Even if KnC/Bitfury/etc. were >50% and dishonest, the socioeconomic majority can flee their corrupted PoW by forking to something besides SHA256.

So smooth won, but for a reason not explained.   

True. I suppose creating a fake pool for a long con is equivalent to creating a fake exchange to gather POS coins with which to vote... With the exception that the fake pool will be at capacity for the attack, whereas the exchange voting with stake is much harder to detect, and is passive.