Topic: Shadowcash vs. Monero, an unbiased debate. (Read 7793 times)

legendary
Activity: 1133
Merit: 1050
October 12, 2015, 08:59:52 AM
I don't know about the SDC launch, I wasn't there.

The SDC distribution process of 100% of the supply going out in two weeks is terrible.

The Monero launch was fair, and the distribution process of 85% of the base supply going out in 4 years, with a 0.3 XMR (0.9%) disinflationary perpetual reward after about 8 years is a bit fast, but defensible.

Technology-wise they are somewhat comparable as the SDC anonymity scheme is based heavily on cryptonote. The SDC code base is largely based on Bitcoin, via Blackcoin or some other path of forking (I'm not sure of the details), so part of it is more mature than Monero, although the anon part is newly implemented and probably less mature.

The cryptonote alleged improvements on Bitcoin that aren't anon-related such as dynamic blocks sizes are not present in SDC, so that would be a point for Monero if you think those are good.

That SDC has an integrated non-anon portion of the chain could be viewed as a privacy negative since it will pull some of the transactions out of the anonymity set. Monero is going in the other direction pushing all transactions into the anonymity set, although that isn't implemented yet, so Monero also has a non-anon portion of its chain currently.

EDIT: I agree with fluffypony's later point that proof of stake is cryptographically unproven and likely unsound and unfixable.




Is SDC anon feature decentralized?

Yes.
MR1
legendary
Activity: 927
Merit: 1000
I don't know about the SDC launch, I wasn't there.

The SDC distribution process of 100% of the supply going out in two weeks is terrible.

The Monero launch was fair, and the distribution process of 85% of the base supply going out in 4 years, with a 0.3 XMR (0.9%) disinflationary perpetual reward after about 8 years is a bit fast, but defensible.

Technology-wise they are somewhat comparable as the SDC anonymity scheme is based heavily on cryptonote. The SDC code base is largely based on Bitcoin, via Blackcoin or some other path of forking (I'm not sure of the details), so part of it is more mature than Monero, although the anon part is newly implemented and probably less mature.

The cryptonote alleged improvements on Bitcoin that aren't anon-related such as dynamic blocks sizes are not present in SDC, so that would be a point for Monero if you think those are good.

That SDC has an integrated non-anon portion of the chain could be viewed as a privacy negative since it will pull some of the transactions out of the anonymity set. Monero is going in the other direction pushing all transactions into the anonymity set, although that isn't implemented yet, so Monero also has a non-anon portion of its chain currently.

EDIT: I agree with fluffypony's later point that proof of stake is cryptographically unproven and likely unsound and unfixable.




Is SDC anon feature decentralized?
hero member
Activity: 608
Merit: 509
Well... been a while... just bumpin' this thread to see if there's anything else to say here?  LOL

Seems like ALL of my (few) "alts" not doin' too well lately but still gonna hodl 'em just as hedge against any bitcoin catastrophe or whatever "natural evolution" may happen here in crypto-world.  

Fun times



P.S. {Edit} Sig tag says, "formerly AnonyMint, UnunoctiumTesticles, iamback, contagion, TheFascistMind, etc…" and FWIW and IMHO your best coolest screen name by far has always been "AnonyMint" but really, why change accounts so much?  WTF, dude?  LOL
sr. member
Activity: 420
Merit: 262
Also I do not think instant transactions are feasible. How would you divvy out blockchain authority and ensure that a one-to-one transaction is secure without a vote (can't rely on closest/quickest response time)? But that is a whole nother topic and this thread should stick to the main theme of POS vs. POW and the perceived benefits/flaws of SDT.

Okay I won't go off on that tangent here.
hero member
Activity: 896
Merit: 1000
Avatars are overrated.
Appears to me ShadowCash are trying to do too much at one time thus preoccupied away from being thorough in their white papers. See upthread for supporting facts.
Thats for damn sure. Shadow is tackling the crypto end game while most people are just dicking around digging for shit to fling.

Also I do not think instant transactions are feasible. How would you divvy out blockchain authority and ensure that a one-to-one transaction is secure without a vote (can't rely on closest/quickest response time)? But that is a whole nother topic and this thread should stick to the main theme of POS vs. POW and the perceived benefits/flaws of SDT.


sr. member
Activity: 420
Merit: 262
Also there is no discussion of the spam resistance.

Without spam resistance, an adversary can flood a channel and lower the anonymity set. Adversary could also drive users away from using the chat due to the spam overhead, thus further reducing the anonymity set.

Appears to me ShadowCash are trying to do too much at one time thus preoccupied away from being thorough in their white papers. See upthread for supporting facts.
sr. member
Activity: 420
Merit: 262
Nothing else besides anonymity is ever gonna be enough to ever match (or unseat) bitcoin.

Disagree. I think instant transactions and scaling to microtransaction volume (million transactions per second) will unseat Bitcoin.

Anonymity will become more important, but most people in the world don't care about anonymity. They care about social media and stuff like that. Monetizing that with microtransactions is the huge market.

Anonymity could end up being very important as the bankrupt States of the world start to tax everything that moves. Chicago is going to tax video streaming on the internet.

But these anonymity markets may be much slower to develop than microtransaction markets. I'd pursue both if I did a coin.

What marketing plans do you suggest for Monero? I also believe that Monero has the best tech but could benefit from more effective promotion

I would suggest making it super easy for people to mix BTC. Then try to hook them into using XMR from there.

I would suggest creating new uses for anonymous coins and especially combined with microtransactions.
sr. member
Activity: 420
Merit: 262
This is a serious advantage for Shadow.

Why having two types of tx instead of one ?
Look at monero blockchain size. The private tx are way bigger than the public one

By keeping the two types of tx, you can avoid surcharging the blockchain with private ones when they are not needed.
You can also imagine a lot of applications using that possibility of having both private and public tx.

Monero blockchain size might become a huge problem if it becomes really successful

Block chain scaling is a problem even for Bitcoin with no private transactions.

All cryptocoins have scalability problems.

I intend to attempt to solve this.

Public and private coin spaces are a problem, because they can weaken the anonymity for the private coin space. Think about it. If you allow people to spend off to non-anonymous space, then spend back into the anonymous space then anonymity sets break down.

The CN viewkey is superior in that you can give to a trusted party without giving it to the public. Public coin spaces of SDC give the anonymity breakage to everyone.

Logic on this stuff isn't always as obvious as n00bs think it is.
sr. member
Activity: 420
Merit: 262
I would take TPTB_need_war/Anonymint's words over the ones of most people on this thread, he posted clues about who he is in other threads, Monero Research Labs delivered several worthy academic papers but he is an independent expert.

I would caution I make mistakes sometimes. I do try to correct and admit when I find an error in my work.
sr. member
Activity: 420
Merit: 262
PoS is nowhere close to PoW in terms of research. At this point the economic incentives to attack most PoS coins have not been high enough to prove worthwhile.
I am not saying that PoS has no chance to succeed or that PoW is perfect. I am saying that at this point the chances of an existential threat to PoS are far greater than to PoW.
Well of course it is not .. ~90% of the crypto market cap is held by a PoW coin ...
The chaps over at NeuCoin have done extensive research on it .. you should read it : http://www.neucoin.org/en/whitepaper/

I read the summary. Will probably read the white paper in detail in the future.

They claim to prove sufficient security for some cases where the entropy of PoS has been attacked, but afaics they haven't proved every genre of attack, because afaics the entropy of PoS can't be characterized so we can't know what all the attacks might be. For example, let's say we took entropy for the modifier from a hash of the transactions for each block. But this hash can be gamed by the participants in the mining.

Their points against PoW I think can be eliminated, but again I will have to say await a white paper.

The basic problem with PoW now is we burden it with too much responsibility. Satoshi forgot to follow the Principle of Least Power and separation-of-concerns. I believe it possible to unburden PoW so that it is no longer an expensive appendage, but rather just a voting mechanism as it was originally intended to be, essentially one vote one computer because PoW won't have the power that it does now. Specifically I think it is possible to entirely filter the 51% attack. But I need to work through all the details formally before I can be sure of this.
sr. member
Activity: 350
Merit: 250
I would take TPTB_need_war/Anonymint's words over the ones of most people on this thread, he posted clues about who he is in other threads, Monero Research Labs delivered several worthy academic papers but he is an independent expert.
sr. member
Activity: 420
Merit: 262
Both are good. Each has its strengths and weaknesses. It is more a religious question in my opinion, which of both is better.

No there are distinct advantages for PoW:

  • You can prove PoW's security. We know the failure points are 51% attack, 25-33% for selfish mining attack. Each PoS is ad hoc, and can't prove generally/reliably the security nor characterize the entropy of the system. With PoS, generally you have no idea if you are secure or not. Which is the antithesis of security.
  • PoW can distribute coins, even widely to home users if you realize they will not count the cost of their electricity, but PoS can not distribute.

Whether someone can prove security math for a specific flavor of PoS, is something I am unaware of. Has anyone done it?
sr. member
Activity: 420
Merit: 262
What happens to PoW-based coins that one day reach a point where it is no longer profitable for miners to continue to mine due to the required resources? Could very well be the case with LTC at some point for example (unless I am mistaken).

Monero counters this by having a minimum block reward (ie. it is permanently disinflationary), so there will be no reliance on fees. I would imagine that, in the face of global adoption, the hashrate will tend towards some technological ceiling (let's call that supply) with the equilibrium being curbed by "mining profit" incentives (let's call that demand). General mining decline is staved off by Monero's Smart Mining system, whereby users (including those using lightweight wallets) mine in the background to a threshold when not on battery power and when the system is idle (enabled-by-default-but-optional).

How does a declining block reward to some trickle constitute protection against a 51% attack?

Also, you have some groups like 21e6 who are pushing the limits of computing for mining purposes (the ASIC manufacturer deal), just a handful of these types and you would have 3-4 individual "groups" that control 90% of the mining power of the market -- How is that good for a system that is intended for and relies on decentralization?

Just curious.

Monero's PoW closes the performance gap between CPUs, GPUs, and ASICs, so whilst this is entirely possible it still means that (in the far future) CPU miners could be a measurable part of the hashrate. Couple this with Smart Mining, and for-profit mining farms, and it seems unlikely that a small number will be able to exercise control over a significant portion of the hashrate.

Mining centralization is also due to the rising transaction rate per second (see the current GavinCoin chaos for Bitcoin now) causing the increasing block size to not propagate without some centralization amongst a fewer number of high bandwidth nodes. Solutions such as IBLT are really just obfuscation of mining centralization.

This is a complex discussion from another thread that I am not going to repeat here.

Also afaik, ASICs haven't yet been designed for the CryptoNight hash so I don't think you can reliably make that claim.
tyz
legendary
Activity: 3360
Merit: 1533
Both are good. Each has its strengths and weaknesses. It is more a religious question in my opinion, which of both is better.
sr. member
Activity: 420
Merit: 262
There is no proof that POW is superior to POS. If there was then people wouldn't use adjectives like "I think" and "probably". Hybrid POW launch and POS to sustain the network for the fucking win.

There is one thing that PoW can do which PoS can't. Distribute coins to new users who own no coins. PoW fails at this in practice because Bitcoin is dominated by ASICs. I think I may have an economic solution that destroys ASICs.

What happens to PoW-based coins that one day reach a point where it is no longer profitable for miners to continue to mine due to the required resources? Could very well be the case with LTC at some point for example (unless I am mistaken).

Also, you have some groups like 21e6 who are pushing the limits of computing for mining purposes (the ASIC manufacturer deal), just a handful of these types and you would have 3-4 individual "groups" that control 90% of the mining power of the market -- How is that good for a system that is intended for and relies on decentralization?

Just curious.

You raise real questions and indeed PoW may fail. That doesn't make PoS a success, it just makes it the other fail.

I think I may have a solution to this and solved the 51% attack also. Await white paper.
sr. member
Activity: 420
Merit: 262
So POS is a sham? it's as clear cut as that?

...

... and do, make subtle changes to their systems when presented with flaws, or order to "fix" the flaws. In formal and security analysis, any change, however subtle, means the analysis needs to be completely redone. Obviously you can see how this might make it infeasible to keep up with every new variation and show how each and every one of them are broken in specific detail.

Nevertheless it is possible to analyze these systems in broad terms and reach conclusions in terms of general principles, such as needing to consume some external resource (i.e. proof of "work", broadly) in order to reach a decentralized consensus ... maintain unbounded entropy...

But anyway, what of Paul Stzorc's response to Vitalik? Riskless counter-contracts. In general with PoS it seems to me that Vitalik and the other PoS people are falling into the "make the security model confusing enough that even really smart people can't understand it = good security" error. Sure, PoS doesn't seem confusing, but with things like stake-grinding plus an endless parade of more unfamiliar-to-security-researchers workarounds it optimizes for a security model that's difficult to poke holes in during debate, but that a motivated attacker could eventually figure out how to attack precisely because it's too opaque to know that what the attack vectors are so that they can be defended against.

I maintained since 2013 that PoS can't pull from a large enough pool of entropy. The randomization of order can be gamed. Note a natural source of external entropy can't be employed (as this would require centralization).

The excessive use of resources in PoW can be easily solved by lowering the debasement rate (and transaction fees), but before you do this you have to remove the 50+% attack...


Proof-of-Work vs. Proof-of-Stake

Extending from my prior post, the bolded portion is an unnecessary assumption (i.e. a weaker assumption is also valid):

https://download.wpsoftware.net/bitcoin/pos.pdf#page=7

[6] In that same blog post, Buterin says “if you are tired of opponents of proof of stake pointing you to this article[Poe14b]
by Andrew Poelstra, feel free to link them here in response”. It is not clear what he means by this; he did not, there or
anywhere, refute that paper’s claim that you cannot produce consensus except by consuming an external resource.

What part of "subjective condition" did Andrew (and Maxwell) not understand? Vitalik demonstrated an example whereby PoW suffers an analogous requirement for assumptions of mutual incentive for optimization of the public good as PoS does. Andrew is trying to argue that PoS is self-referential thus can never be absolute proof. But Vitalik shows by example that PoW is conditioned on subjectivity also.

The subjectivity claim against PoW may be weaker than against some variants of PoS (e.g. one-time spend addresses with check points), but the devil is in the details. PoW requires checkpoints to guard against 50+% attacks too. Checkpoints are a form of social trust (aka "assumptions of mutual incentive for optimization of the public good"), subjective (SPV-like) trust model which Maxwell alluded to.

Quote from: Vitalik Buterin
Objective: a new node coming onto the network with no knowledge except (i) the protocol definition and (ii) the set of all blocks and other “important” messages that have been published can independently come to the exact same conclusion as the rest of the network on the current state.

Weakly subjective: a new node coming onto the network with no knowledge except (i) the protocol definition, (ii) the set of all blocks and other “important” messages that have been published and (iii) a state from less than N blocks ago that is known to be valid can independently come to the exact same conclusion as the rest of the network on the current state, unless there is an attacker that permanently has more than X percent control over the consensus set.

The main argument I had against Proof-of-Stake since my 2013 debates with Etlase2 was the entropy of the randomization function. I still have to look at how that is done in variants and see if my former criticism still applies.

P.S. Andrew's paper and Vitalik's blog are both excellent for raising clarity on the issue and much appreciated.


Edit: Ah I see my long-standing reservation against PoS has remained true thus far:

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/#comment-1730404390

Quote from: Stephan Tual
Random contract execution and random hash functions every x nonces both proved flawed after some research. The plan is to use a variant of Hashimoto for v1.
hero member
Activity: 606
Merit: 500
I started discussing I2P on page 21 and the discussion continued until at least page 24 of the thread:

https://bitcointalksearch.org/topic/m.11842826



Also I don't know where to find a technical description of ShadowCash's private messaging anonymity algorithm?? You can see my analysis of similar attempts on the prior linked and following linked post, and I very much doubt that ShadowCash is doing it correctly:

https://bitcointalksearch.org/topic/m.11844778

I am nearly certain that ShadowCash will have a flaw in it and that is probably why they are not detailing it in a white paper. They are hiding details.

Edit: Okay I found the ShadowChat white paper. I didn't know what to google for until just recently.

http://www.shadow.cash/downloads/shadowcoin-p2p-em.pdf

Section 3.3 Message Propagation makes it clear that it is a Bitmessage-like clone. They are sending every encrypted message to every peer on the network, except grouped by 1 hour channels. So that means they send out a list of all messages to all peers, then peers only request an hourly channel which contains a message intended for them.

That is indeed Information Theoretic Security anonymity.

So thus I will give ShadowChat a thumbs up. This is the first proposal I've seen which is a potential alternative to Bitmessage.

From that description it may be feature incomplete from my perspective of what is really needed by the market. And I will not detail now the other features I would like to see. They probably have many plans for the ShadowChat which I am not aware of.

However, I don't know if it can scale. That is one of the problems with Bitmessage. Imagine you have 1 million peers and you have to send a message digest to all of them. You can of course shrink the anonymity sets to the desired sizes by decreasing the channel width in time, but the digests still need to be sent to every peer. There are alternative ways to design the channels so digests are not sent to all peers. Appears they haven't done that yet.

Also there is no discussion of the spam resistance.

Again I am giving ShadowMarket a thumbs down.

Thanks, I'll be taking a look at all of this when I can. Gives me some direction for my personal research
sr. member
Activity: 420
Merit: 262
Section 3.3 Message Propagation makes it clear that it is a Bitmessage clone.

Curious that the white paper makes no mention of how their system is similar to and/or different from bitmessage.

But then, they did include bitmessage in the list of references.

It is not scholarly to not discuss prior art and explain the differences. Which is typical of altcoins, isn't it?

Also note I edited my post, to point out no discussions of spam resistance and scaling.
legendary
Activity: 2968
Merit: 1198
Section 3.3 Message Propagation makes it clear that it is a Bitmessage clone.

Curious that the white paper makes no mention of how their system is similar to and/or different from bitmessage.

But then, they did include bitmessage in the list of references.
sr. member
Activity: 420
Merit: 262
I started discussing I2P on page 21 and the discussion continued until at least page 24 of the thread:

https://bitcointalksearch.org/topic/m.11842826



Also I don't know where to find a technical description of ShadowCash's private messaging anonymity algorithm?? You can see my analysis of similar attempts on the prior linked and following linked post, and I very much doubt that ShadowCash is doing it correctly:

https://bitcointalksearch.org/topic/m.11844778

I am nearly certain that ShadowCash will have a flaw in it and that is probably why they are not detailing it in a white paper. They are hiding details.

Edit: Okay I found the ShadowChat white paper. I didn't know what to google for until just recently.

http://www.shadow.cash/downloads/shadowcoin-p2p-em.pdf

Section 3.3 Message Propagation makes it clear that it is a Bitmessage-like clone. They are sending every encrypted message to every peer on the network, except grouped by 1 hour channels. So that means they send out a list of all messages to all peers, then peers only request an hourly channel which contains a message intended for them.

That is indeed Information Theoretic Security anonymity.

So thus I will give ShadowChat a thumbs up. This is the first proposal I've seen which is a potential alternative to Bitmessage.

From that description it may be feature incomplete from my perspective of what is really needed by the market. And I will not detail now the other features I would like to see. They probably have many plans for the ShadowChat which I am not aware of.

However, I don't know if it can scale. That is one of the problems with Bitmessage. Imagine you have 1 million peers and you have to send a message digest to all of them. You can of course shrink the anonymity sets to the desired sizes by decreasing the channel width in time, but the digests still need to be sent to every peer. There are alternative ways to design the channels so digests are not sent to all peers. Appears they haven't done that yet.

Also there is no discussion of the spam resistance.

Again I am giving ShadowMarket a thumbs down.
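As an added illustration (not code from the thread, from ShadowCash or from Bitmessage), here is a small Python model of the propagation scheme the post above describes: a digest of every message goes to every peer, messages are grouped into time channels, and a peer downloads only the channel holding its message. It measures the two quantities the post argues about: digest bytes per peer (which do not shrink when channels are narrowed) and the anonymity set a recipient hides in (which does). The function names, DIGEST_ENTRY_BYTES and the sample traffic are constructed assumptions.

```python
"""Toy model of digest-broadcast message propagation with time channels.

Added illustration only; not ShadowChat's or Bitmessage's code. Function
names, DIGEST_ENTRY_BYTES and the sample traffic are assumptions.
"""
import hashlib
import random
from collections import defaultdict

DIGEST_ENTRY_BYTES = 32   # assumed: one digest entry is a 32-byte message hash


def channel_of(timestamp, width_seconds):
    """Channel index for a message timestamp (width 3600 = hourly channels)."""
    return timestamp // width_seconds


def build_channels(messages, width_seconds):
    """Group (timestamp, recipient, ciphertext) tuples into time channels.

    Each entry keeps the message hash that would be listed in the digest."""
    channels = defaultdict(list)
    for ts, recipient, ciphertext in messages:
        msg_id = hashlib.sha256(ciphertext).hexdigest()
        channels[channel_of(ts, width_seconds)].append((msg_id, recipient, ts))
    return channels


def digest_bytes_per_peer(channels):
    """Digest volume every peer must receive: one entry per message on the
    network, regardless of how finely the channels are sliced."""
    return sum(len(entries) for entries in channels.values()) * DIGEST_ENTRY_BYTES


def anonymity_set(channels, width_seconds, ts):
    """Messages in the channel a recipient fetches for a message sent at ts.

    An observer who sees the fetch learns only that one of these messages is
    for that peer, so this count is the recipient's anonymity set."""
    return len(channels[channel_of(ts, width_seconds)])


def sample_traffic(n_messages, n_peers, seed=1):
    """Constructed sample traffic: random timestamps within one day."""
    rng = random.Random(seed)
    msgs = []
    for i in range(n_messages):
        ts = rng.randrange(0, 24 * 3600)
        recipient = rng.randrange(n_peers)
        ciphertext = f"ciphertext-{i}-{rng.getrandbits(64)}".encode()
        msgs.append((ts, recipient, ciphertext))
    return msgs


def simulate(n_messages, n_peers, width_seconds, seed=1):
    """Run the model for one channel width and report cost and anonymity."""
    msgs = sample_traffic(n_messages, n_peers, seed)
    channels = build_channels(msgs, width_seconds)
    sets = [anonymity_set(channels, width_seconds, ts) for ts, _, _ in msgs]
    per_peer = digest_bytes_per_peer(channels)
    return {
        "channels": len(channels),
        "digest_bytes_per_peer": per_peer,
        "digest_bytes_network": per_peer * n_peers,   # all-to-all digest cost
        "min_anonymity_set": min(sets),
        "mean_anonymity_set": sum(sets) / len(sets),
    }


if __name__ == "__main__":
    # Same traffic, hourly channels vs. 10-minute channels.
    for width in (3600, 600):
        print(width, simulate(n_messages=2000, n_peers=1000, width_seconds=width))
```

Running it with the same 2,000 messages and 1,000 peers for both widths shows digest_bytes_per_peer unchanged while the mean anonymity set drops by roughly the ratio of the widths, which is the trade-off the post points out: narrowing channels buys smaller anonymity sets but no reduction in the all-to-all digest traffic. The model deliberately ignores spam, which would inflate both numbers without adding genuine cover traffic for honest recipients.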