Topic: This message was too old and has been purged - page 10. (Read 12685 times)

Thank you for your honesty and consistency, my investment will not be withdrawn.

since you've taken action, this project has gained value, not the reverse.

i'm not a coder,so my help in this initial step is ZERO, but i hope in the near future to be able to help in marketing.

This message was too old and has been purged

This message was too old and has been purged

I don't necessarily want to.  At this point I think we may have to, unless you by chance have any ideas as to how we slay the FAA dragon?

At this point I think my vision of the project is that our goal is to build a distributed market for computer resources, which uses secure protocols to guarantee that sellers get paid, buyers get correct results, and nobody gets his computer hacked.  I am, in principle, agnostic about the technology used to achieve this, though I believe that a new cryptocurrency will be a centrepiece.

This is probably flogging a dead horse, but it just occurred to me that if the program state is stored in a Merkel tree, we could use StateMerkelRoot as an encryption key, which would not only change every instruction, but would force the attacker to reencrypt the entire buffer every time he tweaks the state.

This message was too old and has been purged

The entire point in this coin is user supplied PoW. You're saying that at this point you want to randomly make up a new coin to create?

I don't.  Its only purpose is the make the subsequent SHA-256 operation a more constant proportion of the total running time.  It also makes it more expensive.  This whole idea of adding overhead to make the system more secure might have some merit if it worked, and if our goal was only to build a slightly better bitcoin by harvesting as useful work a few percent of its PoW effort.  But it doesn't work, and I'd prefer to have the overhead rather than the useful work at the few percent level.


Yes, and average it over very different hardware.  What if an attacker were to run his FAA on an ASIC crafted for the purpose?  A faster-algorithm-in-the-hardware attack. In fact, this is exactly what has happened to bitcoin over the past few years.  For us, it is a nightmare.


It's a convincing argument.  It's not sound, though.  It took me a while to realise that.

What I have informally proven here, is that in a random oracle model in which the oracle is time-linear in the size of the input, the best an attacker can achieve is a linear speed-up.

Unfortunately it turns out that supra-linear speed-ups of SHA-256 and indeed all sequential hash algorithms are possible in some circumstances.  Let s be a security parameter.  Let S be a fixed string of length s.  Let c be a constant.  Let C_i be an arbitrary sequence of strings of length c.  Let S.C_i denote the concatentation of S and C_i and let C_i.S be construed accordingly. Then in the time-linear random-oracle model, the time to compute both sequences Oracle(S.C_i) and Oracle(C_i.S) are, trivially, both O(s).  However SHA-256(S.C_i) is trivially O(1).  All you do reuse the saved state of the SHA-256 algorithm for the constant part of the string.  I think SHA-256(C_i.S) is likely to be O(s), but I can't prove it.  Can you?

And this is serious, because our PoW protocol is precisely to compute sequences of SHA-256 where the input string has parts which can be manipulated by an adversary, and other parts which are constant.

This should be an object lesson in why people should be very, very, skeptical about claims of security proofs.  


This is encryption, and if we're talking about 10ms segments, it helps not one iota, though it does add some overhead he can't avoid.  He doesn't have a limited time to handcraft his function.  He doesn't have to handcraft anything; he can use any innocent program such as might have been written by some other honest buyer.  All he has to do is find a reasonably tight loop which the program stays in for longer than 10ms, and runs the program "honestly" to reach that point.

Next he runs a 10ms segment "honestly" to fill the buffer.  Then he can screw around all he likes with any part of the state not read during the loop, and compute hash after hash after hash using the same buffer until he finds one that works.  The state of the crypto at the start of the segment is just another part of the program state read during the loop.  As long as he doesn't touch it, then the buffer will be valid.

The attacker has his oracle.  The buffer is filled up instantly because it is the same buffer he used before.

In fact the attacker can do even better than this.  He doesn't need to run the program "honestly" to reach his start point.  He can just initialise the read variables, including the crypto state, with plausible values.  If he keeps a copy of the unencrypted buffer, he could even screw around with the crypto state, reencrypting the buffer as necessary.  Think of the unread state, excluding the crypto state as analogous to bitcoin's "Nonce" then the crypto state could be "ExtraNonce", there to be used if the "Nonce" is too small, with just a little extra overhead.

So we see that the FAA is like a virus that exploits the very immune system which is intended to fight it.

Of course if it's the entire program, not just a 10ms segment, that is the PoW function, then yes, I agree that it would be difficult for an attacker to craft his program, especially if the crypto is seeded by the previous block, but then we're back to limiting the program time, which I don't want to do.  Additionally "difficult"/="impossible".

At this point it is my opinion that user supplied PoW is dead in the water and we need to find another way to secure the blockchain.

This message was too old and has been purged

Yes you are right.

The baseline of performing PoW for other coins should be enough to give work with reasonable rewards for miners anyway.

I was just trying to look at Tau chain and I can't even find any explanation of how they secure consensus or whether their 'proof of code execution' is involved, and I'm not capable of finding out from reading the code. I wonder if perhaps they have been so busy discussing logical ontologies that they have allowed the security of the Agoras coin to take a back seat

thanks for the answer and good luck

understood. 

This message was too old and has been purged

This message was too old and has been purged

Have you guys looked into Tau chain https://bitcointalksearch.org/topic/tau-chain-and-agoras-official-thread-generalized-p2p-network-950309 ?

There are some similarities to ELC such as 'proof of code execution' although I'm not sure if that is used to secure the chain or just get payment. I tried to follow Tau chain / Agoras a while back but a lot of the AI-type stuff just seemed overly optimistic to me.

This message was too old and has been purged

As long as the coin launches with the 5 million supply then I don't see what could be wrong with a majority vote changing absolutely anything.

But I very much disagree that this should be changed to attract more miners. Unless there is a lot more overhead for a miner performing the work compared to getting it done elsewhere the big advantage here is that the miner is already being paid twice - once with the fee for the work and once with the transactions fees in the blocks they mine. This will surely make mining more attractive than other coins?

Of course that depends both on how much efficiency needs to be sacrificed for security and therefore how much of the cost of mining is met by the market rate for the work done, and what the balance between the number of transactions and amount of submitted work being performed looks like, so I may well change my mind later, but as things stand I would argue against making a change to this.

Edit: In actual fact I think was being stupid there, because it will obviously be likely to have very little submitted work and very few transactions in the early days, so perhaps some coin generation may be necessary. But I think it should reduce to zero relatively quickly compared to other coins.

The announcement is incoherent.  This is not entirely EK's fault.  I don't know how long EK has had control of the project, but it cannot have been more than about a day before he posted this.  It was a shambles when he inherited it; it is not surprising that it still is.

In my opinion EK should make one, and only one rock-solid unbreakable commitment at this point.  And that is that anybody who has cotributed BTC so far can have their money back right now, no questions asked, and that this offer will remain in place until we can come up with a clear, coherent statement of what it is we are proposing to do.

Other than that, everything should be up for discussion, including the terms of the crowdfunding.  For example, I would like to suggest changing this:


I would suggest that we allow for changes in the money supply, upon a 51% vote of the coin-holders.  For example, they might vote to pay workers more than 100% of the buyers' fees.  Why might they vote to dilute their own holdings?  Because they might hope to attract more miners and thereby expand the economy.  Of course there would have to be limits to ensure that minority coin-holders are not unduly disadvantaged.  Whether or not you like this idea, I think it should be open for discussion.

If I have anything at all to bring to this project, it is out-of-the-box thinking.  But what good am I to you, if the box has been locked and the keys thrown away before I ever arrived on the scene?

sorry. you said you have hundreds of btc. now you are in debt.

This message was too old and has been purged