
Topic: [white paper] Purely P2P Crypto-Currency With Finite Mini-Blockchain (Read 24202 times)

sr. member
Activity: 359
Merit: 250
Transaction history is retained for some reasonable window of time, e.g. a month.

To present to the network a blockchain which differs from the one others have, the only possible way is the differences must originate from before the retained transaction history (or the differences must include only transactions the attacker can sign which is same vulnerability in Bitcoin), because the attacker can't sign transactions for which he doesn't hold the private key.

Your only valid point is that if someone has significantly more than the network hashrate, they can compute a fake Proof Chain going back to before the retention window of transaction data, then they could claim any Account Tree they wish to.

Then you claim that nodes who have not always been online since the time of the deviation of the Proof Chain would not know which blockchain to trust (they would naturally trust the one with more hashrate).

But Bitcoin has a similar vulnerability, in that nodes would not know which transaction history to trust, i.e. the coinbase coins rewards that were for the miner could be awarded to the attacker. Fact is that there are records on the internet kept and so no one would dare try this, because it would be front page news.

Thus your argument is silly. Copies of the valid Proof Chain will be stored all over the internet. Anyone trying to go back months and change the Proof Chain is going to be thwarted by the power of human communication.

Orphaned chains resolve on the order of hours, i.e. one chain doesn't hide from the world for months, then suddenly appear and expect to not be outed by human communication. Impossible.

For both mini-block chain coins and Bitcoin, the attacker would create a fork which no one would follow except for followers that were deviously (or fooled by some very powerful entity that could paint the media story) intent on following the attacker's theft.
Well, I can only fully agree with you, because that's exactly what I was saying. It is possible, but we don't have to worry about it for reasons you stated.

Side note: bitcoin is slightly more resilient because you can't rewrite history from before the chain split, but it doesn't matter anyway.
hero member
Activity: 518
Merit: 521
Transaction history is retained for some reasonable window of time, e.g. a month.

To present to the network a blockchain which differs from the one others have, the only possible way is the differences must originate from before the retained transaction history (or the differences must include only transactions the attacker can sign which is same vulnerability in Bitcoin), because the attacker can't sign transactions for which he doesn't hold the private key.

Your only valid point is that if someone has significantly more than the network hashrate, they can compute a fake Proof Chain going back to before the retention window of transaction data, then they could claim any Account Tree they wish to.

Then you claim that nodes who have not always been online since the time of the deviation of the Proof Chain would not know which blockchain to trust (they would naturally trust the one with more hashrate).

But Bitcoin has a similar vulnerability, in that nodes would not know which transaction history to trust, i.e. the coinbase coins rewards that were for the miner could be awarded to the attacker. Fact is that there are records on the internet kept and so no one would dare try this, because it would be front page news.

Thus your argument is silly. Copies of the valid Proof Chain will be stored all over the internet. Anyone trying to go back months and change the Proof Chain is going to be thwarted by the power of human communication.

Orphaned chains resolve on the order of hours, i.e. one chain doesn't hide from the world for months, then suddenly appear and expect to not be outed by human communication. Impossible.

For both mini-block chain coins and Bitcoin, the attacker would create a fork which no one would follow except for followers that were deviously (or fooled by some very powerful entity that could paint the media story) intent on following the attacker's theft.
sr. member
Activity: 359
Merit: 250
Question is: what information do we need to verify if set of transactions which caused transition from state X to state Y obeyed network rules? Hashes in Proof Chain are not enough, they are just random strings for outside observer. Full Account Trees in both states are potentially not enough too (maybe txns in block N really sent all existing coins to single address ?). We need transactions. (BTW: header of transactions tree also need to be in proofchain).

You are still not grasping the mathematical point I made. There is no mathematical way to create an Account Tree in each block that is different from the only one that will hash to the hash value in the Proof Chain.

The Proof Chain guarantees that the Account Tree chain is not an imposter, even if the history of the Account Tree is discarded.
And you are not grasping the point that you don't need to create a different account tree with the same hash as the real one to cheat the system. The hash tree changes from one block to the other and that's when you cheat. In the next block (of your alternate proofchain) you just provide a hash of a tree which was not the result of applying valid transactions to the previous state but just made out of thin air. Without transactions you can't prove it's invalid.
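The point made in this post, as an added example that is not code from the white paper or from anyone in the thread: a toy Account Tree (address to balance, summarised by a Merkle root the Proof Chain would store) and two verifiers. One sees only the two roots from the Proof Chain, the other also has the retained transactions and replays them. Signature checking is left out of the model; "legal" here only means the sender had the balance. The addresses, balances and transactions are constructed.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed toy model: Account Tree = dict address -> balance; the Proof
# Chain is assumed to store only account_tree_root() per block.
Tx = Tuple[str, str, int]  # (sender, receiver, amount)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def account_tree_root(tree: Dict[str, int]) -> str:
    """Merkle root over the sorted (address, balance) leaves."""
    nodes = [_h(f"{addr}:{bal}".encode()) for addr, bal in sorted(tree.items())]
    if not nodes:
        return _h(b"empty").hex()
    while len(nodes) > 1:
        if len(nodes) % 2:  # duplicate the last node on odd-sized levels
            nodes.append(nodes[-1])
        nodes = [_h(nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]
    return nodes[0].hex()


def apply_transactions(tree: Dict[str, int], txs: List[Tx]) -> Dict[str, int]:
    """Replay txs on a copy of the tree; raise if any tx breaks the rules."""
    new = dict(tree)
    for sender, receiver, amount in txs:
        if amount <= 0 or new.get(sender, 0) < amount:
            raise ValueError(f"illegal transaction {sender}->{receiver}:{amount}")
        new[sender] -= amount
        new[receiver] = new.get(receiver, 0) + amount
    return new


def hashes_only_check(root_x: str, root_y: str) -> bool:
    """All a node can check from the Proof Chain alone: both roots are
    well-formed SHA-256 digests. Nothing ties root_y to root_x."""
    return all(re.fullmatch(r"[0-9a-f]{64}", r) is not None for r in (root_x, root_y))


def verify_transition(tree_x: Dict[str, int], root_x: str,
                      txs: List[Tx], root_y: str) -> bool:
    """With retained transactions: root_y must equal the root obtained by
    replaying txs on the tree that hashes to root_x."""
    if account_tree_root(tree_x) != root_x:
        return False
    try:
        return account_tree_root(apply_transactions(tree_x, txs)) == root_y
    except ValueError:
        return False


# Constructed sample state of the Account Tree at block N.
TREE_X = {"alice": 50, "bob": 30, "carol": 20}
ROOT_X = account_tree_root(TREE_X)


def honest_case() -> Tuple[bool, bool]:
    """Honest block N+1: returns (hashes-only verdict, replay verdict)."""
    txs = [("alice", "bob", 10)]
    root_y = account_tree_root(apply_transactions(TREE_X, txs))
    return hashes_only_check(ROOT_X, root_y), verify_transition(TREE_X, ROOT_X, txs, root_y)


def attacker_case() -> Tuple[bool, bool]:
    """Attacker's block N+1: a tree made out of thin air that holds every coin,
    claimed to follow from 'legal transactions' he never produces."""
    fake_root = account_tree_root({"mallory": 100})
    claimed_txs: List[Tx] = []
    return hashes_only_check(ROOT_X, fake_root), verify_transition(TREE_X, ROOT_X, claimed_txs, fake_root)


if __name__ == "__main__":
    print("honest  :", honest_case())    # (True, True)
    print("attacker:", attacker_case())  # (True, False)
```

The hashes-only verifier accepts the fabricated root exactly as readily as the honest one; only replaying the retained transactions rejects it.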
hero member
Activity: 518
Merit: 521
Question is: what information do we need to verify if set of transactions which caused transition from state X to state Y obeyed network rules? Hashes in Proof Chain are not enough, they are just random strings for outside observer. Full Account Trees in both states are potentially not enough too (maybe txns in block N really sent all existing coins to single address ?). We need transactions. (BTW: header of transactions tree also need to be in proofchain).

You are still not grasping the mathematical point I made. There is no mathematical way to create an Account Tree in each block that is different from the only one that will hash to the hash value in the Proof Chain.

The Proof Chain guarantees that the Account Tree chain is not an imposter, even if the history of the Account Tree is discarded.
sr. member
Activity: 359
Merit: 250
I believe you are mistaken.

The Account Tree is a hierarchy of hashes and the single hash at the top of the tree is stored in the Proof chain. Thus in order to create an alternative history for the Account Tree, the adversary would need to construct an Account Tree history (at each block interval) which matches the Proof chain hashes (for each block) because the history of the Proof chain is never discarded. This can not be mathematically accomplished in log O(log N) time (i.e. not in exponential time) if the hashing algorithm approximates a Random Oracle or actually less restrictively for as long as it can't be preimaged, i.e. if a cryptographically secure hash is employed.
Transactions included in block describe operations which you have to do on current account tree to get updated version of this tree.
In block N Account Tree was in state X. We apply transactions and get state Y. Hashes of account tree in both states are included in adjacent blocks. Question is: what information do we need to verify if set of transactions which caused transition from state X to state Y obeyed network rules? Hashes in Proof Chain are not enough, they are just random strings for outside observer. Full Account Trees in both states are potentially not enough too (maybe txns in block N really sent all existing coins to single address ?). We need transactions. (BTW: header of transactions tree also need to be in proofchain).

I still don't think it is a problem because we only have problem reaching consensus in short term. No one will have any problem with determining if blockchain which tries to overwrite few months of history is legitimate or not.

All that consensus discussion upthread has been rendered irrelevant by my assertion above. TADA! Wink
In the real world, yes. Just imagine what would happen if suddenly someone would emerge with a longer bitcoin blockchain invalidating months of the current blockchain. We would get a patch in no time with a hardcoded checkpoint just after the branching. The same thing will happen with any future sufficiently important cryptocurrency, so why keep pretending we need a system to resolve such conflicts in software?
hero member
Activity: 518
Merit: 521
Now the attack scenario. Suppose there is an attacker with more than 50% of the hashing power. He takes the hash of the current best block N and tries generating the next one, but instead of using the real account database he just creates a new one in which he holds all the coins. If he is able to keep this chain in front of the original one for as long as it takes the original network to lose block N's contents, he can reveal his chain and it would look perfectly valid to all nodes, because they lost track of how the account database looked at block N.
It looks like algorithm presented in this paper is only as secure as mini blockchain is secure and if attacker could sustain 51% hashing power for as long as mini blockchain cycle completes it could cause much more severe problems than in bitcoin, because attacker could rewrite entire account balances database and not just make some double spends.

Essentially Bitcoin has the same risk for clients that don't download the entire transaction history, and the solution is the same which is to ask the peers that have the relevant transaction history to prove which chain is not valid.

On further thought, aaaxn's proposed attack is impossible if the cryptographic hash used to construct the Account Tree and Proof Chain can't be preimaged.

Because there is no way the attacker can find a suitable set of replacement addresses and balances to match the hash in the Proof Chain.

Thus all the discussion that followed aaaxn's post above regarding centralization and the need to remember transaction data history is irrelevant.
Wow, I didn't think anyone is still discussing this idea but still no one actually tried to implement it Smiley

As for the problem, I think you are mistaken. The attacker does not need to match the hash in the original proof chain. The proof chain contains only hashes, and without the accompanying transaction data there is no way to tell if the transformation of the account tree from the state which hashes to A to the state with hash B is valid.
When the attacker starts his own branch he can create a new tree and just tell that this hash resulted from a set of legal transactions. After a full cycle these transactions are lost and no one can prove he lied.

I believe you are mistaken.

The Account Tree is a hierarchy of hashes and the single hash at the top of the tree is stored in the Proof chain. Thus in order to create an alternative history for the Account Tree, the adversary would need to construct an Account Tree history (at each block interval) which matches the Proof chain hashes (for each block) because the history of the Proof chain is never discarded. This can not be mathematically accomplished in log O(log N) time (i.e. not in exponential time) if the hashing algorithm approximates a Random Oracle or actually less restrictively for as long as it can't be preimaged, i.e. if a cryptographically secure hash is employed.

I still don't think it is a problem because we only have problem reaching consensus in short term. No one will have any problem with determining if blockchain which tries to overwrite few months of history is legitimate or not.

All that consensus discussion upthread has been rendered irrelevant by my assertion above. TADA! Wink
sr. member
Activity: 350
Merit: 250
Read first few pages - it sounds awesome! If you will need any help from web developer in future you can count on me Wink
sr. member
Activity: 359
Merit: 250
Now the attack scenario. Suppose there is an attacker with more than 50% of the hashing power. He takes the hash of the current best block N and tries generating the next one, but instead of using the real account database he just creates a new one in which he holds all the coins. If he is able to keep this chain in front of the original one for as long as it takes the original network to lose block N's contents, he can reveal his chain and it would look perfectly valid to all nodes, because they lost track of how the account database looked at block N.
It looks like algorithm presented in this paper is only as secure as mini blockchain is secure and if attacker could sustain 51% hashing power for as long as mini blockchain cycle completes it could cause much more severe problems than in bitcoin, because attacker could rewrite entire account balances database and not just make some double spends.

Essentially Bitcoin has the same risk for clients that don't download the entire transaction history, and the solution is the same which is to ask the peers that have the relevant transaction history to prove which chain is not valid.

On further thought, aaaxn's proposed attack is impossible if the cryptographic hash used to construct the Account Tree and Proof Chain can't be preimaged.

Because there is no way the attacker can find a suitable set of replacement addresses and balances to match the hash in the Proof Chain.

Thus all the discussion that followed aaaxn's post above regarding centralization and the need to remember transaction data history is irrelevant.
Wow, I didn't think anyone is still discussing this idea but still no one actually tried to implement it Smiley

As for the problem, I think you are mistaken. The attacker does not need to match the hash in the original proof chain. The proof chain contains only hashes, and without the accompanying transaction data there is no way to tell if the transformation of the account tree from the state which hashes to A to the state with hash B is valid.
When the attacker starts his own branch he can create a new tree and just tell that this hash resulted from a set of legal transactions. After a full cycle these transactions are lost and no one can prove he lied.

I still don't think it is a problem because we only have problem reaching consensus in short term. No one will have any problem with determining if blockchain which tries to overwrite few months of history is legitimate or not.
hero member
Activity: 518
Merit: 521
Now the attack scenario. Suppose there is an attacker with more than 50% of the hashing power. He takes the hash of the current best block N and tries generating the next one, but instead of using the real account database he just creates a new one in which he holds all the coins. If he is able to keep this chain in front of the original one for as long as it takes the original network to lose block N's contents, he can reveal his chain and it would look perfectly valid to all nodes, because they lost track of how the account database looked at block N.
It looks like algorithm presented in this paper is only as secure as mini blockchain is secure and if attacker could sustain 51% hashing power for as long as mini blockchain cycle completes it could cause much more severe problems than in bitcoin, because attacker could rewrite entire account balances database and not just make some double spends.

Essentially Bitcoin has the same risk for clients that don't download the entire transaction history, and the solution is the same which is to ask the peers that have the relevant transaction history to prove which chain is not valid.

On further thought, aaaxn's proposed attack is impossible if the cryptographic hash used to construct the Account Tree and Proof Chain can't be preimaged.

Because there is no way the attacker can find a suitable set of replacement addresses and balances to match the hash in the Proof Chain.

Thus all the discussion that followed aaaxn's post above regarding centralization and the need to remember transaction data history is irrelevant.
full member
Activity: 199
Merit: 101
I will play with a coloredcoin based on this interesting mini-blockchain project.
newbie
Activity: 3
Merit: 0
I really like this Mini-Blockchain concept. The potential is limitless. I was thinking about the concept and want to share some of the ideas I came up with.

If instead of defining the accounts by single public key, we allow multiple public keys and a number that represents the number of signatures required we can create a whole set of account types without any scripts.
Let's say first we store a byte, first 4 bits of which represent the number of keys in the account and the next 4 bits represent the number of signatures required, then the following table will show what kinds of accounts that could potentially define:
Keys | Signatures | Account Type
1    | 1          | Regular
2+   | 1          | Joined
2+   | Keys       | Mutual Agreement
3    | 2          | Escrow
There are more values that I can define which could just be used as constants to represent additional account types like trust fund and the like.

So for escrow, you could just send the money to the 2of3 address and when the other party fulfills or does not fulfill the terms, which you can specify in the memo, they or you can create a transaction, sign it and send it to the other party or the escrow for the other required signature. In most cases, the escrow wouldn't even have to get involved.

Now, how nice would it be to have a trust account without relying on a trustee.

I also thought to share the addresses not as set of public keys, but as hash of the set. It would save a lot of space and simplify the database structure, but that might potentially compromise the security in case of hash collision because optional public keys could make a lot of room for nonce data. Unless the address itself is signed by each of the keys used which would validate each key. And considering that key generation is slow, especially combined with hashing the security will be intact.

The other idea is:
Instead of using a separate data structure to save all the balances of all the accounts and synchronize every version of it with the network.
Miners could just list all the affected account/balance pairs from the current block and all the account/balance pairs that weren't mentioned since the discarded block in the current block.

I came up with it as I still can't wrap my head around how miners would be able to get all the historical versions of the account tree to validate its accuracy at every point in time.
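The account-type byte proposed above, as an added example that is not code from the project or from the poster: encoding and decoding of the byte, classification into the table's account types, and the threshold check a node would run on a spend. The layout assumed here (high nibble = number of keys, low nibble = signatures required), the rule that 1 <= signatures <= keys, and the sample key identifiers are assumptions.

```python
from typing import Iterable, Sequence, Tuple

# Assumed layout: bits 7..4 hold the number of keys, bits 3..0 the number of
# signatures required. Four bits each, so at most 15 keys per account.
MAX_KEYS = 15


def encode_account_byte(keys: int, sigs: int) -> int:
    """Pack (keys, sigs) into one byte, rejecting impossible combinations."""
    if not 1 <= keys <= MAX_KEYS:
        raise ValueError(f"keys must be 1..{MAX_KEYS}, got {keys}")
    if not 1 <= sigs <= keys:
        raise ValueError(f"signatures must be 1..keys ({keys}), got {sigs}")
    return (keys << 4) | sigs


def decode_account_byte(b: int) -> Tuple[int, int]:
    """Unpack a byte into (keys, sigs); a stored byte is untrusted input, so
    the same constraints are re-checked on the way out."""
    if not 0 <= b <= 0xFF:
        raise ValueError("account byte out of range")
    keys, sigs = b >> 4, b & 0x0F
    if keys == 0 or sigs == 0 or sigs > keys:
        raise ValueError(f"malformed account byte 0x{b:02x}")
    return keys, sigs


def account_type(keys: int, sigs: int) -> str:
    """Name from the poster's table; anything else is a generic m-of-n."""
    if keys == 1 and sigs == 1:
        return "Regular"
    if keys >= 2 and sigs == 1:
        return "Joined"
    if keys >= 2 and sigs == keys:
        return "Mutual Agreement"
    if keys == 3 and sigs == 2:
        return "Escrow"
    return f"{sigs}-of-{keys}"


def authorized(account_byte: int, account_keys: Sequence[str],
               signers: Iterable[str]) -> bool:
    """Does the set of keys that signed a spend meet the account's threshold?
    Only distinct keys that belong to the account count, so one key signing
    twice, or a stranger's key, adds nothing."""
    keys, sigs = decode_account_byte(account_byte)
    if len(account_keys) != keys or len(set(account_keys)) != keys:
        raise ValueError("key list does not match the account byte")
    valid_signers = set(signers) & set(account_keys)
    return len(valid_signers) >= sigs


if __name__ == "__main__":
    # Constructed escrow account: three key identifiers, two signatures needed.
    escrow = encode_account_byte(3, 2)
    print(hex(escrow), account_type(*decode_account_byte(escrow)))  # 0x32 Escrow
    print(authorized(escrow, ["A", "B", "C"], ["A", "B"]))          # True
    print(authorized(escrow, ["A", "B", "C"], ["A", "A"]))          # False
```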
full member
Activity: 158
Merit: 100
AnonyMint
I recently discovered your posts.
I find them very interesting and informative.
Thank you.

You once wrote that if government pays for everything, family doesn't matter much.
The collapse of the former Soviet Union seems to prove the contrary.
Are you familiar with Dmitry Orlov's book?
Orlov holds that the Soviet Union hit a “soft crash” because centralized planning, housing, agriculture, and transportation left an infrastructure private citizens could co-opt so that no one had to pay rent or go homeless and people showed up for work, even when they were not paid. He writes that Orlov believes the U.S. will have a hard crash, more like Germany’s Weimar Republic of the 1920s.
http://fora.tv/2009/02/13/Dmitry_Orlov_Social_Collapse_Best_Practices
(at 33 min)
Regards
hero member
Activity: 518
Merit: 521
hero member
Activity: 798
Merit: 1000
‘Try to be nice’
Hope bitfreak! is still here lol
hero member
Activity: 518
Merit: 521
Monetary Darwinism. Listen to Daniel Krawisz at around the 34 min point:

http://letstalkbitcoin.com/e53-monetary-darwinism/#.UnmHJ3CBmfY
hero member
Activity: 798
Merit: 1000
‘Try to be nice’
I need to read the pdf a couple of times...
Read the project wiki, the white-paper is quite out-dated now.

I'm reading it now, why has it not been put forward to a test?

Seems the only things left to do relate to testing weaknesses.

Devs should be lining up?
hero member
Activity: 518
Merit: 521
Read in context at following link:

http://blog.mpettis.com/2013/10/hidden-debt-must-still-be-repayed/#comment-3551

============================

Quote
Quote
very common to hear that government debt doesn’t matter if its denominated in by a currency issuer because the central bank can print as much as it wants to pay the bills

It is more or less garbage...

Prof. Pettis, are you refuting Paul Krugman's recent article where he wrote as quoted below?

Quote
terror of a debt crisis that keeps not happening, and, in fact, can’t happen to a country like the United States, which has its own currency and borrows in that currency. Yet the scaremongers can’t bring themselves to let go...

...He and his friends have been wrong about everything so far, and they literally have no idea what they’re talking about.

Krugman displays a debt-to-GDP chart which is extremely misleading because total debt ratio for the UK is over 500%! Additionally we know most of the western government unfunded liabilities are hiding off balance sheet.

Or here where Krugman misleadingly argues that Spain's 25% unemployment is due to not enough debt spending, when others of us believe the unemployment is structural for as long as socialism (and the requisite shared Euro currency) has stymied Spanish competitiveness.

The socialist Krugman appears to argue every problem can be smoothed (on the way to resolution) with Keynesian debt spending.

Krugman even thinks the drop in world trade growth has something to do with container ships and tariffs, and I guess he failed to realize there is trade in services and that lower international trade means lower economic growth (except short-term where the debt is rushing into unsaturated debt markets of the newly emerging countries, such as the Philippines which is growing faster than any other country in the world, if discounting China's GDP growth as a fabrication).

P.S. Hope you saw Krugman's blog post on the Chinese and Middle Easterners parking their (crony ill-gotten) cash in London flats. The G20 socialism cooperation will be going after all this wealth, some of it justifiably so, but unfortunately I postulate the honest upper middle-class small businessmen will get razed too, which will worsen the postulated future implosion.
hero member
Activity: 518
Merit: 521
Read in context at following link:

http://blog.mpettis.com/2013/10/hidden-debt-must-still-be-repayed/#comment-3549

============================

Guys thank you for both pointing out quite eloquently that the world has turned socialist, thus the "far-left" is now the "center-right". For me as a minanarchist (subset of Libertarian), any redistribution plan is "left" relative to a historical baseline. If the entire population is left, then I have to wait for them to kill themselves as leftists always do, so then the true "center-right" is restored after that.

They always kill themselves because they don't understand the basic premise of economics, which is that small things grow faster, thus any form of central planning is waste and bankruptcy, but not until after the socialists do everything they can do to disallow bankruptcy including gestapos, rationing, etc. I want to refer you to some specific comments I already made on this page, which go into more detailed explanation:

1800s vs. 1900s vs. 2000s coming

failure of centralized investment

why smaller things grow faster

illogic of collective central planning

The reason insurance is always failure is because it pools investments and the investments are thus centrally planned.

Sorry to you socialists but I remain a minanarchist because history has always repeated. The socialists get blinded by a recent 50 - 80 years, so then they drive over the cliff as they always do. How many genocides, dark ages, and massive economic implosions from history do you need me to cite and relate to the socialism that caused them. Of course the socialists will invent other causation theories. C'est la vie!

Since I am the only minanarchist here and since I think Dr. Pettis wants to hear from all sides, I hope you all understand why I have so many comments on this page, because I am the only person speaking from the other side on this page. Yes we are far outnumbered by the socialists, and that is why we need an anonymous weapon to survive the outcome of socialism, such as Bitcoin as I have suggested as a possibility (not certain).
hero member
Activity: 518
Merit: 521
http://blog.mpettis.com/2013/10/hidden-debt-must-still-be-repayed/#comment-3544

Quote from: AnonyMint aka Shelby
Mancur Olsen's generative algorithm says that democracy ALWAYS individualizes the benefits (incentives for voters) and socialize the costs (debt). And debt is always future taxation.

Democracy is a power vacuum, which sucks in vested interests. The only possible way I can see to change this is to eliminate the ability of government to tax and spend. This is why I am a minanarchist (not anarchy). I think possibly (not certain) Bitcoin (or a replacement) might have the potential to restore some balance between private ownership of wealth and government's power to use force to tax.


==============================

http://blog.mpettis.com/2013/10/hidden-debt-must-still-be-repayed/#comment-3546

Quote from: AnonyMint aka Shelby
Panics in the 1800s were due to the private banks writing fractional receipts for gold on deposit, thus expanding debt and monetary velocity, until individual bank runs would reveal the insolvency of fractional receipts thus causing frequent corrections to the overexpansion of debt.

In the 1900s, we replaced this with centrally controlled fractional reserves, which has enabled the global system to run to extremely insane levels of debt without frequent correction. And this is going to end in a scorched earth.

There is no solution as documented in my upthread comment with link to Mancur Olsen's analysis. Decentralized currencies such as Bitcoin have the potential to bring us back to the 1800s with more frequent corrections, by restoring the balance-of-power between socialists and private enterprise. As a minanarchist, I would prefer that, but today the world is dominated by socialists and they will not like it. So there is fight coming. Sorry to say. I wish it wasn't so.
hero member
Activity: 798
Merit: 1000
‘Try to be nice’


Agreed, I'll agree to disagree at this point.

I agree the blockchain issue needs focus..