Bitcoin Forum

Delegated proof of work, which Bitcoin is, doesn't.  If 70% of the hash rate is in china owned by three pools, you have no way of knowing these pools aren't owned by the same person (sybil).  The only way is to audit them yourself, which is the purpose of the voting mechanism in DPoS, to audit the block validators for sybil.  The only difference is, the audit mechanism is built into the protocol of DPoS and excluded entirely from Bitcoin (delegated proof of work).

I feel this topic deserves it's own thread and would get stonewalled with popular opinion somewhere in the Bitcoin section.  My argument here is:

<r0ach> you can't solve byzantine generals problem with a probabilistic model unless you've first solved sybil with a probabilistic model and Bitcoin doesn't do that
<r0ach> because there's no way of telling if all pools are owned by the same person, then it's not collusion or 51% attack, it's a sybil attack
<r0ach> since the essence of the byzantine generals problem is sybil attack, dealing with sybil comes first in the hierarchy before byzantine generals is discussed at all

The Byzantine problem deals with a minority of actors or signal throwing off the consensus of the system or majority.  If you can't determine how many actors even exist in the first place, you're probably always going to lose this test.  This fact also probably gives credence to the deterministic # of block validators model.

The problem of blockchain synchronization is the following:

Imagine you are sitting in a bunker. You have no idea what people are out there and what are their intentions. You only receive some incoming messages from strangers that may contain anything. They can be just random garbage or deliberately crafted messages to confuse you or lie to you. You never know. You cannot trust anyone.e

The problem of "money" or any other "social contract" is that everyone should be able to know what the majority agrees to without trusting some intermediaries (otherwise they can easily obuse their special position). If everyone votes for "X", then you sitting in a bunker must somehow independently figure out that all those other people indeed voted for "X" and not for "Y" or "Z". But remember: you cannot trust anyone's message and messages are the only thing you get from the outside world.

When two propositions arrive into your bunker, "X" and "Y", we have no trusted reference point to figure out which one is supported by the majority of other people. We only have "data in itself" to judge which one we should choose as the main one. To make things simpler we are not trying to apply subjective judgement to either proposition, but only trying to make everyone agree to a single option. In case of Bitcoin it is a reasonable assumption: everyone is owner of their money, so no one really cares which version of the history is chosen as long as their own balance is respected.

So how X should be distinct from Y that we know for sure that no one can accidentally choose Y, Z or W? First property: this data should be "recent". So we know that we are not sitting on some old agreement while everyone else has moved onto something else. Second property: any "recent" alternative should be impossible to produce. Because if it was possible to produce, then there is always a chance that some number of people could see it and accept that alternative. And you have no way to estimate how many such alternatives exist and how many people accepted it (because you are sitting in a bunker and you cannot trust incoming messages or know how many message did you miss).

How do we define "impossible"? It means either of two things: either it is logically impossible, or it is practically (economically) impossible. If it is logically impossible, than we can know all future agreements in advance (like a deterministic chain of numbers), just by using induction. But this does not work because we'd have to have some agreement about starting point in the first place. So we end up with requiring practical impossibility. In other words we need the following:

"Message X should be provably recent and alternatives should be practically impossible to produce."

Practical impossibility can be reframed in terms of "opportunity cost": there are limited physical resources and those should have been largely allocated to X than to Y so we can see that X sucked in all resources from any alternatives. Because if it didn't, then there is a huge uncertainty about whether remaining resources are used for alternative Y or they do not interfere with the voting process. Is it possible that X did not suck in a lot of resources while alternatives are still not possible? Then it would mean that X logically follows from whatever previous state of the system and there is no voting process needed.

Therefore: message X should be provably recent and should have employed provably big amount of resources, big enough that there are not enough resources left for any alternative Y to produce in a reasonably short time frame. Also, the message X should be always "recent" and always outcompete any alternative. Because we cannot reliably compare "old" messages: is Y an "old" one that was just delivered now, or was it produced just now after resources spent on X were released?

This logically leads us to the following: we should accept only the messages with the biggest Proof-of-Work attached, and that proof-of-work should be the greatest possible ever, so there would not be any possibility for any alternative to be produce in the short window of time. And that proof-of-work must be constantly reinforced or the value of previous consensus begins to fade quickly as the opportunity for alternatives grows.

Expensive, highly specialized computer farms is the most reliable way to achieve consensus. If we were to use non-specialized resources, it would be harder to gauge whether the majority of them are indeed used for proof-of-work computations. By observing that enormous amount of work happens in a very specific, easy-to-observe part of the economy, we can estimate how expensive it is to produce an alternative, equally difficult message. In case of Bitcoin mining farms, such an alternative would require a very expensive and complex production chain, requring either outcompeting other firms that use chip foundries or building single use datacenters in the most cost-effective locations on the planet (with the cheapest electricity, coldest weather, low latency connectivity etc.)

Conclusion.

If achieving consensus in a non-trust manner is ever possible in practice, then it is only possible with a Proof-of-Work scheme and highly specialized expensive production chains. Also, consensus is only valuable for a short period of time so it must be constantly reinforced.

Bitcoin is Byzantine resilient because of PoW and Game theory. Bitcoin follows Nakamoto consensus, but all Byzantine consensus algos are only resistant up to 51% or less.

Before satoshi, byzantine agreement models could only deal with 33% bad actors.

https://gist.github.com/oleganza/8cc921e48f396515c6d6

<r0ach> yes, i can pull my hash rate AFTEr the attack has occurred
<r0ach> that's fault recovery, not fault tolerance
<r0ach> this is known as the long con, I'm sure you've heard of it

I suspect you are attempting to justify other consensus mechanisms by trying to find loopholes in definitions to prove a point. Satoshi did solve the byzantine problem in the face of sybil attack, it's been proven.

I suspect you are attempting to justify other consensus mechanisms

by trying to find loopholes in definitions to prove a point.

If it was trustless, it would be a democracy.  This is why PoW is a less efficient, worse scaling, resource wasting form of DPoS.  They're both republics.  One is designed to be that way, the other reaches the same conclusion by creating a Rube Goldberg machine that eats megatons of coal and spits out a less decentralized, lower performing system afterwards.  Both systems are republics, both systems are delegation, denying it is intellectually dishonest.

If it was trustless, it would be a democracy.  

What an odd statement to make. How is trust in anyway related to democracies? Pure Democracies are far from trustless and consist of two wolves and a sheep deciding whats for dinner. No crypto is trustless... people really need to stop using that term inappropriately.

Not odd at all.  I guess I should refine my statement with the words "direct democracy" or something.

This is over simplified.  The smaller fork has every right to call their currency bitcoin regardless of the majorities objections.

Gavin would be the confederacy in that case.

Satoshi did not technically solve the byzantine problem, merely solved it in a probabilistic or pragmatic manner with game theory where someone is incentivized to secure the network instead of attack it.

There is an enormous amount of concentration now that does't come from pools. This has the same effect of weakening the security model that pools do, or possibly worse (since you can't pull hash rate from KnC if they decide to misbehave).

Before satoshi, byzantine agreement models could only deal with 33% bad actors.

No, I'm proving that Bitcoin doesn't function at all like the PDF states.  Words used like "trustless" are obviously not correct because a second layer of abstraction was added (pools) that invalidates much of what he says about voting.  You're not participating in democracy, you're participating in a republic.  If it was trustless, it would be a democracy.  This is why PoW is a less efficient, worse scaling, resource wasting form of DPoS.

Producing a block costs nothing, therefore neither does attacking the chain.

Bitcoin is Byzantine resilient because of PoW and Game theory. Bitcoin follows Nakamoto consensus, but all Byzantine consensus algos are only resistant up to 51% or less.

The bigger question is how likely a 51% attack or sybil attack is within bitcoin and under what conditions can we make it less likely.

With PoW there is at least physical limitations and better signals that limit sybil attacks vs PoS. Nothing is trustless or completely immutable but we can get closer to these ideals with decentralization and the right security mechanisms.

Yes, for PoS the security is exponential to amount of users

The gap is pretty large and "therefore" is not enough here. The fact that we don't observe such attacks hints that you are plain wrong.

I'm not sure what gap you are referring to?

A double spend in POS has a constant cost proportional to the amount of stake you own.

Yes, for PoS the security is exponential to amount of users

With PoS/PoI/DPoS a sybil attack can come without any notice and with potentially much cheaper costs. (No, an attacker need not have to "buy" coins to attack, They can create an exchange/bank that pays interest/dividends to corner a good chunk of coins 5-30% needed depending upon the algo, Or they can create a popular wallet with a backdoor, Or they can compromise several large bagholders computers, Or a few large holders could short and attack their own coin, ect..)

With PoS/PoI/DPoS a sybil attack can come without any notice and with potentially much cheaper costs. (No, an attacker need not have to "buy" coins to attack, They can create an exchange/bank that pays interest/dividends to corner a good chunk of coins 5-30% needed depending upon the algo, Or they can create a popular wallet with a backdoor, Or they can compromise several large bagholders computers, Or a few large holders could short and attack their own coin, ect..)

These are social engineering attacks, of course.  I guess the equivalent in POW would be to 'borrow' someone's server farm.

Sybil attacks can still occur by a persistent and motivated attacker but they are extremely expensive (in PoW)

In my original post I give an example of why that's not true.  The same guy can own all the big PoW hashing pools in secrecy, which is a sybil attack, not collusion.  He can operate profitably the entire time and initiate the long con or other strategy whenever he wants.

The only thing he needs to do is to buy all that mining hardware.... Oh, and to produce some blocks... the cost of which is superlinear in the number of blocks...  Mmmm....

Except that major exchanges tend to hold vastly more coins than individuals, so they replace mining pools in being the 51% risk, and (much) worse, their mining security can be anonymously and easily moved if it's accessed by a hacker. See for example MintPal (Viacoin) and Bter (NXT)

By making pools appear smaller they encourage independent miners to (continue to) send hash rate there. Thus the evil pool operator doesn't need buy the hash rate himself, he's tricking miners into letting him use it.

You can't use Bitcoin itself as an example of Byzantine consensus in an effort to justify it's own existence.  That page is moving the goal posts all around and adding a bunch of new variables that aren't even in the original problem.  All that page is doing is saying, Bitcoin works, therefore, the solution Bitcoin used is the answer.  Circular reasoning.


Battle of the century of r0ach vs smooth regarding this issue.  They call him "smooth" because it's like talking to Bill Clinton.  You tell me who won:

<@smooth> The BGP as usually stated has a concept of identity ("Generals") which is specificaly not part of the problem definition in Bitcoin (which is what makes it sybil resistant). Bitcoin doesn't care
<r0ach> I made the arguement that byzantine generals is a ridiculous ivory tower example with too many open ended variables and the only real problem is sibil prevention
<@smooth> yes and for the millionth time bitcoin is totally sybil resistant
<@smooth> because identity doesn't matter
<r0ach> it's not sybil resistant, all pools can be owned by the same guy
<@smooth> pools are not actors in bitcoin. hash rate is
<@smooth> hash rate can't be sybil attacked, it is a physcal property
<r0ach> hash rate doesn't decide vote, it's delegated proof of work (bitcoin), only the pool owner does
<r0ach> what hash does is irrelevant
<r0ach> you're letting satoshi decide what you can criticize or not
<r0ach> instead of using your own logic
<r0ach> to figure it out
<r0ach> because the model that exists is nothing like the PDF
<@smooth> well if you are critizing bitcoin, you are criticizing somethign he defined
<@smooth> if you want to redefine it, and then criticize that, that's perfect valid science, just make a specific definition first
<r0ach> bitcoin does not function in the way his PDF describes at all, so when you cite satoshi, it's pretty much meaningless in that context
<@smooth> I disagree
<@smooth> the only portion that does not apply is the convergence proof
<@smooth> but that is because of hash rate concentration, not because of pools
<@smooth> even with pools (and I'll admit this is not a precise argument), if 50% of hash rate is honest, pools can't do anything because the hash rate will quickly flee a dishonest pool
<@smooth> Note this is not true if KnC Bitfury etc. is not honest, because their hash rate can't flee
<@smooth> even 1 cpu 1 vote is actually true still
<@smooth> again, cpus are a physical entity, can't be sybiled
<r0ach> it doesn't matter what the hell the cpus are doing since you're going through a 2nd layer of abstraction known as delegation (pool)
<r0ach> and the 2nd layer takes precedent over the 1st
<@smooth> i would argue the opposite
<@smooth> the 1st takes precendence over the 2nd, because is I said, you pull your hash rate
<r0ach> yes, i can pull my hash rate AFTEr the attack has occurred
<r0ach> that's fault recovery, not fault tolerance
<r0ach> this is known as the long con, I'm sure you've heard of it

Even if KnC/Bitfury/etc. were >50% and dishonest, the socioeconomic majority can flee their corrupted PoW by forking to something besides SHA256.

True. I suppose creating a fake pool for a long con is equivalent to creating a fake exchange to gather POS coins with which to vote... With the exception that the fake pool will be at capacity for the attack, whereas the exchange voting with stake is much harder to detect, and is passive.

Anonymous Byzantine Consensus from
Moderately-Hard Puzzles: A Model for Bitcoin

Some of it does involve Social engineering, yes. The distinction between PoW and PoS/PoI/DPoS is that several of these attack vectors cannot be accomplished with PoW. With PoW all you can do is steal the account holders coins with a mtgox, ponzi scheme, or when a large bagholder is compromised. With PoS you can also attack the network and steal other peoples coins as well. Additionally, a compromised wallet cannot attack the network with a 51% attack with PoW as in PoS.

I suppose one could social engineer their way into Ant-pools mine and covertly reflash the firmware on all the miners. This attack would be much more difficult to do because large farms have multiple engineers who look over things and they have to constantly check their equipment and have large incentives to keep ontop of everything because of razor thin profit margins.  

It is no surprise that many PoS coins use checkpoints to add another security layer which is essentially centralization by a few developers approval. Checkpoints don't prevent these attacks just narrow the window of attack which is absolutely no problem. Developers Like Vitalik have studied these security weaknesses long and hard and despite desperately wanting to use some form of TaPoS for security still have not found an acceptable solution to mitigate these threats.

[...]

<r0ach> you can't solve byzantine generals problem with a probabilistic model unless you've first solved sybil with a probabilistic model and Bitcoin doesn't do that
<r0ach> because there's no way of telling if all pools are owned by the same person, then it's not collusion or 51% attack, it's a sybil attack
<r0ach> since the essence of the byzantine generals problem is sybil attack, dealing with sybil comes first in the hierarchy before byzantine generals is discussed at all

...and another incentive structure must be developed to encourage decentralized p2p mining.

Switching to an ASIC resistant PoW coin doesn't solve this problem but merely delays the inevitable. As interest and hash power grows ASICS will be developed within time regardless.

I made this same point in either 2013 or 2014.

Afaics, the only solution is unprofitable PoW which is the design I am now pursuing (https://bitcointalk.org/index.php?topic=1319681.msg13781951#msg13781951).

Bitcoin solves the byzantine generals problem within the bounds of the assumptions in the model. If one entity controls a majority of hashing power, that is outside of the bounds.

Circular logic. Bitcoin didn't solve the Sybil attack problem when pools control 51% and no one can know whether they do and reroute their PoW shares.

http://research.microsoft.com/en-us/um/people/lamport/pubs/reaching.pdf
http://research.microsoft.com/en-us/um/people/lamport/pubs/lamport-paxos.pdf

Still another approach to consensus is Byzantine agreement [Pease et al. 1980; Lam-
port et al. 1982], the best known variant of which is PBFT [Castro and Liskov 1999].
Byzantine agreement ensures consensus despite arbitrary (including non-rational) be-
havior on the part of some fraction of participants. This approach has two appealing
properties. First, consensus can be fast and efficient. Second, trust is entirely decou-
pled from resource ownership, which makes it possible for a small non-profit to help
keep more powerful organizations, such as banks or CAs, honest. Complicating mat-
ters, however, all parties must agree on the the exact list of participants. Moreover,
attackers must be prevented from joining multiple times and exceeding the system’s
failure  tolerance,  a  so-called  Sybil  attack  [Douceur  2002].  BFT-CUP  [Alchieri  et  al.
2008] accommodates unknown participants, but still presupposes a Sybil-proof cen-
tralized admission-control mechanism.

Generally, membership in Byzantine agreement systems is set by a central authority
or closed negotiation. Prior attempts to decentralize admission have given up some of
the benefits.

The stated problem bounds do not include being able to tell whether someone controls >50% of the hash rate. That isn't in the paper at all. The wording of the paper is "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network". It doesn't matter whether they cooperate via pools or otherwise, either way it is outside the bounds.

Without considering the Sybil attack, then one isn't solving the Byzantine fault issue, i.e. isn't solving the Byzantine Generals problem (which is the correct title of this thread). Just because Satoshi failed to mention that he hadn't solved what he was implying to have solved, doesn't make that just having a majority of the hashrate is the only consideration in a PoW solution to the Byzantine Generals problem.

There is no Sybil attack possible on the problem as stated. "A majority of CPU power" is a physical quantity which can't be Sybil attacked. Period.

Circular logic. Bitcoin didn't solve the Sybil attack problem when pools control 51% and no one can know whether they do and reroute their PoW shares.

The Byzantine Generals problem does not state "A majority of CPU power" as the problem. I already stated that is Satoshi's requirement but as the correct title of this thread points out, Satoshi's stated requirement is not a solution to the Byzantine Generals problem. Period.

And unless I'm mistaken, Satoshi did not say that it did solve the Byzantine Generals problem, especially in the specific manner that problem is formulated (with discrete General-actors, something that doesn't even exist in Bitcoin at all). At best there is a rough similarity. Correction: Satoshi did say it was a solution in this email (https://www.mail-archive.com/cryptography@metzdowd.com/msg09997.html). But again, he formulated in a very careful manner, stating that each general has a laptop, which ends up making "majority of CPU power" equivalent to a majority of discrete General-actors.

He may not have said it in the bitcoin paper, but others have proved it:
http://nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf

There is no Sybil attack possible on the problem as stated. "A majority of CPU power" is a physical quantity which can't be Sybil attacked. Period.

Bitcoin is an implementation of Wei Dai's b-money proposal http://weidai.com/bmoney.txt on Cypherpunks http://en.wikipedia.org/wiki/Cypherpunks in 1998 and Nick Szabo's Bitgold proposal http://unenumerated.blogspot.com/2005/12/bit-gold.html

I believe it is possible to design a memory hard PoW that is not electrically more efficient on an ASIC, but it will be very slow. I originally didn't think so, but have since realized I had a mistake in my 2013/4 research on memory hard hashes. It is possible that Cuckoo Hash already achieves this, but it is more difficult to be (https://bitcointalk.org/index.php?topic=1219023.msg13735241#msg13735241) certain and it is very slow when DRAM economics are maximized (https://bitcointalk.org/index.php?topic=1219023.msg13729741#msg13729741) (although it adds asymmetric validation which is important for DDoS rejection if the transaction signatures are ECC and not Winternitz and for verification when PoW share difficulty can't be high because each PoW trial is so slow).

Cryptonote's memory hard hash can't possibly be ASIC resistant, because by my computation it could not possibly have 100 hashes/second on Intel CPUs and be ASIC resistant.

See also Zcash's analysis thus far (https://github.com/Electric-Coin-Company/zcash/issues/27).

Yes, Bitcoin solves BGP (in some way). It solves also a bunch of other completely unknown problems:

* how to prove some information existed at a certain time

* how to create a public ledger of ownership

* how to issue a currency without requiring a nation state army to enforce scarcity

* how to reach agreement over a communications channel on value

E.g. last year there has been 1B$ investment in this area, and there been almost no progress at all in terms of advanced applications (just an increase in noise levels).

I think the possibilities are largely not explored.

Many also don't know the pre Bitcoin designs, Bitgold and b-money, which are also helpful to consider, see http://www.weidai.com/bmoney.txt and https://en.bitcoin.it/wiki/Bit_Gold_proposal . Actually quite surprising since satoshi said Bitcoin is an implementation of those ideas:

Quote from satoshi:

https://bitcointalk.org/index.php?topic=342.msg4508#msg4508

See also:
https://bitcointalk.org/index.php?topic=583.msg11405#msg11405

The simple protocol of the bell tower, which broadcast to every resident of a medieval town the same time, can now be implemented on a network -- either through logical broadcast on the Internet or physical broadcast with radio. For the first time we can implement on the Internet the integrity properties on which civilization depends -- including synchronized clocks, unforgeable transactions, and censorship-proof publishing. Where today's Internet, lacking this technology, fails to provide many of these properties, we now know how to provide them with a greater degree of integrity and availability than either the Internet or any previous media was capable of.

    // Check timestamp
    if (nTime > GetAdjustedTime() + 2 * 60 * 60)
        return error("CheckBlock() : block timestamp too far in the future");

//
// "Never go to sea with two chronometers; take one or three."
// Our three chronometers are:
//  - System clock
//  - Median of other server's clocks
//  - NTP servers
//
// note: NTP isn't implemented yet, so until then we just use the median
//  of other nodes clocks to correct ours.
//

"Incorrect. It only proves some information existed at a certain block. There is no way to put a clock time in the block chain."

It seems you really haven't understood the most basic things. Blocks are of course timestamped with actual UTC timestamp from the node that generates it.

Yes, Bitcoin solves BGP (in some way)...


True, but there are other "attacks". Such as calling up Chinese miners and convince them to do a certain thing.

BGP is not solved if there is Sybil attack vulnerability.

In bitcoin, BGP is solved to within the stated tolerance of 51% byzantine faulty nodes.

The following is not "other attack" but rather it is a Byzantine fault (because the loyal participants can't be certain of Consistency by keeping the control of the hashrate below 51%).

Okay, but so what?

Bitcoin also didn't solve P ?= NP or any number of other problems.

And unless I'm mistaken, Satoshi did not say that it did solve the Byzantine Generals problem, especially in the specific manner that problem is formulated (with discrete General-actors, something that doesn't even exist in Bitcoin at all). At best there is a rough similarity. Correction: Satoshi did say it was a solution in this email (https://www.mail-archive.com/cryptography@metzdowd.com/msg09997.html). But again, he formulated in a very careful manner, stating that each general has a laptop, which ends up making "majority of CPU power" equivalent to a majority of discrete General-actors.

He said exactly what it does solve. If a majority of the CPU power is not conspiring to attack the network, then it reaches consensus that is final and secure (though slowly in the case close to 50%).

It is up you as a prospective user or investor to decide whether "a majority of the CPU power" is an acceptable requirement. It seems at this point there isn't anything better, and some number of people think it is useful (most of the world does not).

Satoshi's PoW does not distinguish between faulty and non-faulty nodes.

So we can conclude Bitcoin didn't solve BGP because there is no block chain objectivity about faults. And then we can say that Sybil attacks on pools destroy one of our subjective metrics for community appraisal of Consistency.

In bitcoin, faulty nodes = sybil nodes.

A byzantine fault in bitcoin is a fork.


A poor conclusion. LCR provides the objectivity; branches which get orphaned were objectively selected against as being byzantine faulty.

The following practical, concise definitions are helpful in understanding Byzantine fault tolerance:[3][4]

Byzantine fault
    Any fault presenting different symptoms to different observers
Byzantine failure
    The loss of a system service due to a Byzantine fault in systems that require consensus

So if the LCR is creating censored transactions is that not a fault/failure? What the hell use of Byzantine fault tolerance if it doesn't guarantee a system that can be used by the participants?

So if the LCR is creating censored transactions is that not a fault/failure? What the hell use of Byzantine fault tolerance if it doesn't guarantee a system that can be used by the participants?

True, but there are other "attacks". Such as calling up Chinese miners and convince them to do a certain thing.

monsterer and smooth, I repeat again, how do you prove if a 51% attack is censoring transactions? In other words, how do you even detect it in an objective and provable manner?

A system which doesn't objectively (from the perspective of all observers) know when it is failing is not Byzantine fault tolerant.

Refer again to the Wikipedia definitions:


This circular logic of yours is getting redundant. I have made my point and you have not refuted it.

Nodes vote with their hash-power on the branch of the chain which they consider to be truth.

Evidence of byzantine failures is the existence of multiple branches; we call these orphans. Each branch presents a different version of truth to observers of the system.

"Correctly functioning components of a Byzantine fault tolerant system will be able to provide the system's service, assuming there are not too many faulty components."

In Bitcoin "too many faulty components" = majority of the CPU power.

Not really, those are just evidence of latency. If a majority of the CPU power is conspiring to attack the system and all non-cospirator blocks are orphaned then no one will mine outside the conspiracy and there will be no such orphans (there may still be forks within the conspiracy if they still have latency).

The system will have failed, but it will have failed because it exceeded stated limits.

We can't count the components because identities can be Sybil attacked.

The system will have failed, but it will have failed because it exceeded stated limits.

I'm not really sure why you are having such a problem with this; it is obvious that hashing power is the only substitute for the abstract concept of a node, or a component.

Because hash rate doesn't prove faultiness. Bitcoin has no frame of reference.

When you see a corrected design, you will understand why not being able to Sybil attack a frame of reference is what enables establishing blame and making the system Byzantine tolerant.

The system didn't fail. Who can prove it failed?

It won't work - you cannot combine the majority-is-truth rule with something which gives power to the minority, because if you do, any faulty minority will be able to overthrow the majority, which leads to divergent chaos.

Majority is truth. That is the ethos of bitcoin.

It may work, up to its specified limits, but then it will fail a different way.

Since Bitcoin can not detect faultiness (consistently provable to all observers), then that means you are claiming it is Byzantine fault tolerant with up to 100% of the hashrate faulty. Which obviously violates the fundamental research about what is theoretically plausible. Which thus proves to you that your claim is incorrect.

Bitcoin is the Power Law of Economics, not Byzantine fault tolerance.

Apply that logic to any of the attempts to solve the BGP, you will find that none of them solve it, which suggests that your definition is incorrect. Each and every attempt at solving the BGP defines bounds on the failure tolerance; beyond these bounds, all bets are off.

As smooth said, since the system has failed once it passes the tolerance, how can it possibly detect anything? That defies logic.

I will repeat, Bitcoin provides a Power Law distribution (winner takes all) consensus. That is all it does.

Again I think this another evidence that Bitcoin was created by the DEEP STATE with evil intentions. It is a fools gold.

Bitcoin didn't solve BGP either. Nothing does because the problem is open to Sybil attacks.

Again I think this another evidence that Bitcoin was created by the DEEP STATE with evil intentions

As Smooth said, such a system can still have value.  You don't have to be a perfect system, just better or competitive with the others.  Not hard to do when your competition is a Federal Reserve enslavement scheme.  It's like asking a prisoner would you rather be tortured with a chainsaw or be given a cell phone with bad reception.

Another? As far as I know such an argument is the only evidence.

Bitcoin didn't solve BGP either. Nothing does because the problem is open to Sybil attacks.

On the topic of the thread, I consider Bitcoin and BGP as distinct, but related, problems. The setup is quite different, and I haven't seen anything close to a method (including Satoshi's email) to reduce one to the other.

What you keep denying is that there are solutions (all solutions, and provably so in the case of BGP) that solve the problem within a specified range. Generally up to 33%-of-generals in the case of BGP and maybe 50%-of-hash rate for Bitcoin.

ASIC-resistant PoW seems like a delightful idea to me.  Is memory latency the barrier to stand upon for the ages?  Hmm, that sounds familiar.

That is why I designed an UNprofitable PoW system. There is no other hope.

Hmm, I can be dense.  Unprofitable PoW; seems like it will be pretty hard to get folks to participate.  That said, I do run an unprofitable full node without mining.  So, maybe we would get some altruistic folks to do it *but* aren't they at risk of being over-taken by bad guys willing to run unprofitably?

The details, incentives, and potential pitfalls are deeper than that and are partially covered in the Decentralization thread (https://bitcointalk.org/index.php?topic=1319681.0) (perhaps start reading from page 20 forward). No offense intended, but I am too weary to repeat again.

... amortization of block chain verification over great income...

Profitable PoW will always centralize, because there is a "selfish mining" attack always ongoing and there is no such thing as a minimum requirement for 25 or 33% of the hashrate, because (a conceptual variant of) "selfish mining" is built into the economics of Bitcoin (e.g. the amortization of verification costs, etc).

...it's security through obscurity, where the only way anyone actually knows the security of the system at any given time is for you to know the total hash rate and acquire 51% of it yourself.  I think there's a distinction to be made between provably secure, provably bad or invalid security, or in the case of Bitcoin, an unknown level of security to most or all parties at all times.

As Smooth said, such a system can still have value.  You don't have to be a perfect system, just better or competitive with the others.

One of the attack vectors in solving the Byzantine Generals is the Sybil attack. The Byzantine Generals problem is all about the need to trust that 2/3 of the generals are loyal without centralization where all generals are the same person, i.e. that there is no Sybil attack.

Anyone who has studied all the variants of consensus algorithms (as I have) will know clearly that Sybil attacks are always resolved via centralization of the protocol.

This is why as I looked for an improvement over all of what has already been tried, I was cognizant of that I would need to accept centralization in some aspect and so I began to look for the possibility of controlling centralization with decentralization, i.e. a separation of orthogonal concerns which is often how paradigm shifts arise to  solve intractable design challenges.

Every consensus design creates centralization. This will always be unavoidable due to the CAP theorem. The key in my mind is to select carefully where that centralization should be.

• Satoshi's PoW consensus design centralizes because a) SHA256 has orders-of-magnitude lower electrical cost on ASICs, b) full nodes must centralize (maximize pooled hashrate) to win the battle over who will have the most profitable verification costs (which can be accomplished with a Sybil attack), and c) variance of block rewards require maximizing pooled hashrate (at least up to double-digit percentages and Sybil attack incentives kick in from there).
• Stellar's SCP consensus design centralizes because although it can't diverge, it requires that slices are not Sybil attacked to avoid eternal preemption (being jammed stuck forever).
• Ripple's consensus algorithm diverges unless it is centralized trust (https://bitcointalk.org/index.php?topic=1319681.msg13777571#msg13777571), as confirmed by Stellar's divergence (https://bitcointalk.org/index.php?topic=1319681.msg13777193#msg13777193) before it switched to the SCP algorithm.
• Iota's (any DAG's) consensus diverges unless centralization can force the mathematical model (https://bitcointalk.org/index.php?topic=1319681.msg13777769#msg13777769) that payers and recipients encode in their interaction with the system.
• Ethereum never solved the issue that verification of long running scripts can't be decentralized. They are now off another deadend tangent (consensus-by-betting, Casper, shards) trying to deny the CAP theorem.
• PoS is centralization (https://bitcointalk.org/index.php?topic=1319681.msg13488432#msg13488432).

Iota's (any DAG's) consensus diverges unless centralization can force the mathematical model (https://bitcointalk.org/index.php?topic=1319681.msg13777769#msg13777769) that payers and recipients encode in their interaction with the system.

Rather my upthread argument is that Byzantine fault tolerance requires the ability to distinguish between a fault and a non-fault, because otherwise the system does not present the same symptoms to all observers (which is a requirement of Byzantine fault tolerance). Satoshi's PoW can't distinguish a fault (attack) from a non-fault (non-attack).

Byzantine agreement is the process of forming a consensus decision on truth in the face of faulty network participants; bitcoin achieves this. Your definition of fault is incorrect in this context; a fault is information which the majority doesn't accept as truth, which manifest themselves as orphaned branches in bitcoin. Obviously all observers of the network can see orphaned branches.

A system which doesn't objectively (from the perspective of all observers) know when it is failing is not Byzantine fault tolerant.

Refer again to the Wikipedia definitions:


This circular logic of yours is getting redundant.

Please respect canonical definitions. Byzantine 'agreement' is not what we are talking about in this thread. We are talking about Byzantine fault tolerance. The definitions are on Wikipedia:

I'm tired of repeating myself. Here is an entire paper which proves that bitcoin did solve the BGP: http://nakamotoinstitute.org/static/docs/anonymous-byzantine-consensus.pdf

What really matters is that ownership of the currency is undisputable - everyone can agree on who owns what.

Suggest a link and I will add it to the linked post. Then I will delete this post.

Is it a joke? My point was that that thread didn't contain the proof. How do you think I'll find the proof if there is none from my point of view? What about you linking to the actual proof instead of giving looping references?

I have not claimed the word 'proof' and I specifically stated in that linked Decentralization thread that I have not endeavored to produce a formal proof. If you would like me to add a link to your best post in that thread where you presented your stance, then please suggest a link.

So you claim that Iota consensus can't converge but there is no a formal proof? What about a non-formal one?

I have presented my logic to back my claim in the Decentralization thread. You are free to disagree. Everyone on these forums is free to express their logic.

Got it. I'll back this reply up via WebArchive site and present it every time I see someone saying something like "AnonyMint states that Iota consensus doesn't converge" so people won't think that you provided a proof of that claim.

Don't lie. I stated it will converge because you are enforcing centralization.

Oh, thx, forgot centralization part. So you position is that it can't converge without centralization but it's hard to get your logic without reading that long thread. Fixed.

Thus per the definition, Satoshi's PoW design is not Byzantine fault tolerant, because the metric of when it is fault tolerant is ill defined (can't be measured). An unknowable state is as reliable (fault tolerant) and a random result, thus no reliability exists.

This is exactly the same as the Byzantine Generals Problem, which is solved up to 1/3 faulty generals (and only then, unless you add externally-assigned identities and unforgeable messages). If there are >1/3 faulty generals, then the honest generals can not determine that they are being tricked, so they will commence a doomed attack and they will all die. This is fault tolerant up to 1/3 traitor generals but not beyond. There is no way for the honest Generals to measure the number of traitor generals. If they could, they would not be tricked into attacking and die.

Likewise, in Bitcoin if there is <50%* faulty hash rate, then there is no effective censorship and functional consensus (including on there being no effective censorship). If there is too much faulty hash rate, then the rest of the system can not measure the faulty hash rate and it can not determine that it is being tricked.

In both cases, an outside observer who is able to see all the interactions can tell the system has failed. Within the system you can not.

Thus I wrote upthread there is no solution to BGP. The problem will never be solved as stated.

Who claimed it is solved with 1/3 of the generals are honest!

That is the statement of the problem. The problem is not fault tolerant!

The only fault tolerant design for a solution is with centralization which obviously doesn't address the requirements of the problem, .e.g as you say "unless you add externally-assigned identities and unforgeable messages".

Thus I wrote upthread there is no solution to BGP. The problem will never be solved as stated.

Thus if you claim it is not solvable, then you have either found an error in their proof, or you have redefined the problem in your own way. I suspect the latter.

As with all such systems, fault tolerance is achieved up to a specified number of faults, and no farther.

With unforgeable written messages, the problem is solvable for any number of generals and possible traitors.

If messages of the generals can't be faked then even 99 of 100 traitors is not a problem. I think he didn't redefine the problem, more likely he just forgot to provide some details.

EDIT:

From that paper:

.e.g as you say "unless you add externally-assigned identities and unforgeable messages".

No, he mentioned that in his reply, as I did earlier.

Afaics the paper has an important omission which is that when the disloyal generals (traitors) are not colluding (i.e. can't trust each other) then they have no reliable means to disrupt the loyal consensus.

Thus although the paper is correct to state that BGP is solvable if the 2/3 + 1 of the generals are loyal (i.e. 3m + 1 total generals for m traitors), the only way to know that precondition is for the system to be centralized so that the count of the traitors is known. Thus the white paper is poorly written (w.r.t. this issue) because it does not explain that there is no decentralized, trustless solution to the BGP and insinuates the opposite in the mind of the naive reader.

No loyal general ever knows if the system is loyal or not.

There is no decentralized solution to the BGP problem. Period.

the only way to know that precondition is for the system to be centralized so that the count of the traitors is known

This is a good observation, the results should differ depending on capabilities of the traitors and some traitors may compete with each other unintentionally helping the good guys.

PS: By the way, classical BGP mentions somewhere that traitors collude AFAIK.

Another poor conclusion. If the set of all traitors was known a priori, the system would be tollerant to any bound! That is the entire point of the problem; the set of traitor generals is unknown.

The reason why bitcoin's 51% tolerance is controversial in the face of classical BGP is that the ability for the generals to lie is proportional to the hash rate of each general. Their messages are computationally signed against being forged.

They can't be forged, but the sender isn't known either, so the problem specification is different, which is what I've been saying all along. I don't know whether a proper reduction is possible. Maybe that paper from Andrew Miller does something along those lines; I haven't read it yet.

Another poor conclusion. If the set of all traitors was known a priori, the system would be tollerant to any bound! That is the entire point of the problem; the set of traitor generals is unknown.

I wrote about the 'number/count of' not the 'set of' (where the latter requires knowing which of the generals are the traitors, not just the count of traitors).

There is no fault in my logic. Sorry dude.

There is no decentralized solution to the BGP problem. Period.

Both the set of, and the count of traitor generals are unknown in BGP; that is the specification of the problem.

For a moment, just consider this; you are saying that there is no solution to BGP in trustless anonymous systems, but: If you take a snapshot of the current bitcoin hash rate and equally divide it out between N generals of fixed and equal hash rate, this is now classical BGP. You must be forced to concede that you are in fact saying that there is no solution to BGP at all, which is clearly false.

I call it a condition rather than a precondition because in some setups it is clear that the former is more useful. For example, a safety control system may specify that it continue to function properly as long as <1/3 of its components fail.

For a moment, just consider this; you are saying that there is no solution to BGP in trustless anonymous systems, but: If you take a snapshot of the current bitcoin hash rate and equally divide it out between N generals of fixed and equal hash rate, this is now classical BGP. You must be forced to concede that you are in fact saying that there is no solution to BGP at all, which is clearly false.

And that it is conditional, is why I rebutted smooth upthread (https://bitcointalk.org/index.php?topic=1183043.msg13819494#msg13819494) that he was stating the problem—not the solution—in the decentralized context because the count can only be conjectured (e.g. probabilistic estimates of hardware failure which was the focus of the paper) in a centralized (non-Sybil attacked application).

Look he is saying there is no "unconditional" solution, which is absolutely correct. There is a solution, which may work, or may not work, depending on the state of the world when it is applied.

That is trivially obvious though. Of course there is no solution which works at all times, in all circumstances, that is why any proposed solution has specified bounds. To take 5 pages of back and forth to arrive here with that result would be very disappointing indeed.

You are conflating the decentralized, trustless, Sybil attackable scenario with the scenarios where the precondition can be conjectured probabilistically and thus where Lamport's "solution" has quantitative merit/utility as I stated:

Look he is saying there is no "unconditional" solution, which is absolutely correct. There is a solution, which may work, or may not work, depending on the state of the world when it is applied.

That is very much the same as Bitcoin, and stated as such by Satoshi in the white paper. Bitcoin is not unconditionally anything. If a majority of CPU power is conspiring to attack it, then it is failing.

Though Bitcoin does have a somewhat nice recovery property in that the failure only persists as long as 50% of the CPU power is conspiring to attack it. Unlike, an airplane for example. If too many components "temporarily" fail, then it may be catastrophically disassembled before they recover.

I am saying that in a decentralized, trustless, Sybil-attackable scenario, there is also no conditional solution to BGP, because the participants have no way to conjecture the probabilities of 51% attack

(nor does any solution to BGP provide all participants a consistent, provable observation when the system state is attacked).

The condition of count of traitors has only utility in applications where the probabilistic rate of traitors can be conjectured.

I have also I think argued convincingly that Satoshi's PoW design (and every decentralized consensus design) must trend towards and rely on centralization. Thus the asymptotic probability of 51% attack is ~1.

I can think of scenarios where that isn't necessarily true. For example, such an attack convinces speculators that the attack can be repeated at-will and so they flee the coin. Crash and burn.

Just because you cannot quantify the number of traitors does not mean the system will produce invalid results within the bounds. This is true of any BGP consensus and has absolutely nothing to do with trustless, decentralised solutions.

For Christ's sake, you cause me to repeat all the points I made upthread over and over again.

I already explained to you invalid results where the observers can't know whether the state was attacked or not, which is a Byzantine fault (https://en.wikipedia.org/wiki/Byzantine_fault_tolerance)! There is no way to compute this risk and in fact the asymptotic risk is 100% (probability = ~1) because all decentralized consensus systems must centralize (which I explained in detail upthread).

Whereas, with a quantified probability of traitors (e.g. hardware MTBF), the risk of Byzantine fault is computed. Which was the intent of Lamport et al's paper.

For Christ's sake, you cause me to repeat all the points I made upthread over and over again.

I already explained to you invalid results where the observers can't know whether the state was attacked or not, which is a Byzantine fault (https://en.wikipedia.org/wiki/Byzantine_fault_tolerance)! There is no way to compute this risk and in fact the asymptotic risk is 100% (probability = ~1) because all decentralized consensus systems must centralize (which I explained in detail upthread).

Whereas, with a quantified probability of traitors (e.g. hardware MTBF), the risk of Byzantine fault is computed. Which was the intent of Lamport et al's paper.

We'll have to agree to disagree. As long as I can write down a solution, and write down the condition under which it applies, then I consider that a conditional solution. I do not need to state a probability that such a condition will be satisfied.

I agree with this part.

Utility is necessarily subjective. Also, ability to conjecture a probability is subjective.

See there, you just conjectured one!

Others likely conjecture a different one.

The system can still recover. There is no catastrophic disassembly.

You will never convince all the speculators to leave either. It is a bit like infinite divisibility. You have infinite reducibility of speculative value. Altcoin at #1000 in market cap still has a (tiny) value, there is still a (tiny) incentive to mine, and its blockchain still functions.

Your points are irrelevant, you don't understand the problem as stated. You are desperately clinging to wikipedia definitions in an attempt to save face, when the honest thing would be to admit your mistake; no one will judge you for it.

What use is a condition if it can't be measured?

You keep linking that page, and you keep ignoring the statement on that page that says "assuming there are not too many faulty components"

I am not ignoring it. You are ignoring the point that the condition on count of traitors is unknowable from any sane engineering estimation and thus no state of the decentralized, trustless consensus system (Satoshi's variant when conjectured to be decentralized, trustless) can ever be distinguished from a Byzantine fault, regardless whether the condition threshold has been reached or not.

when an inestimable condition for Byzantine fault tolerance is COMBINED with inability to observe faults consistently among all observers, then no state is trustworthy

That's not really the case. Read the paper more carefully. Simple probabilistic hardware failure is easy to cope with using redundancy and majority voting. The hard problem is failures that are more subtle and complex, which can mimic deception and collusion.

The algorithm becomes a tool in a toolbox which is used to improve robustness against certain types of failures, but the robustness is still never absolute, and in real systems the actual probability of failure is still not known.

I suggest you also read the paper more carefully. Specifically Section "6. Reliable Systems" (http://research.microsoft.com/en-us/um/people/lamport/pubs/the-byz-generals.pdf#page=10) which we are referring to.

What it says is that as the hardware fails the outputs can become like traitor inputs to other hardware components causing the cascade to lie, which is precisely the BGP problem and what the solution is modeling by a count of traitors (passing along a traitor's lie doesn't create a new traitor (http://research.microsoft.com/en-us/um/people/lamport/pubs/the-byz-generals.pdf#page=3)). Even in the case where the derivative computation is corrupted due to the corrupted input, this is still a quantified probability of cascade of traitors obtainable from engineering and math/models applied from hardware MTBF rates. It is more exact science or estimation than not knowing. There is no decentralization, Sybil attacked introduced which otherwise makes the estimation highly unknowable and unmeasurable (science requires measurement to validate that models are predictive).

Your first point is irrelevant because that is the natural state for any byzantine system that we are concerned with. The second point is just plain incorrect, because a byzantine fault is a fork in bitcoin, and all observers can see the fork.

We covered this earlier monsterer, but I don't agree that observers can necessarily see the fault. If mining is centralized and no one outside of the collusion mines (because it is not economically viable to do so), then there will be no forks.

However, it is accurate to say that if we know there are miners who aren't part of a collusion and we don't see forks that exceed those accounted for by natural propagation, then there is no attack.

I believe the bolded condition is a near certainty today, and the italic condition is very likely true.

Therefore Bitcoin is solving (something like) BGP for the moment.

Analyzing the present based on available evidence is the only objective statement anyone can make on the matter.

Anyway, it turns out that monsterer is actually correct, and failures are observable in Bitcoin after all. You can't censor transactions without controlling either all the miners or creating forks. As long as neither condition is observed we know it hasn't failed.

Besides collusion is unknowable due to Sybil attacks.

Attacker only needs 51% of hashrate to censor transactions perpetually (and less % to delay transactions).

You can collude to attack, but that would be visible.

Nope.

Please re-read my prior post.

Attacker only needs 51% of hashrate to censor transactions perpetually (and less % to delay transactions).

You can collude to attack, but that would be visible.

To censor, he has to orphan other miners' blocks that do include the transactions. That is visible. Delaying is possible without creating forks. Censorship is not.

Also I already explained upthread that an emphemeral fork (which orphans another chain) can't be blamed for a double-spend or censored transaction, because there is no provable correlation. Seems you've forgotten where I had to teach you in my Decentralized thread why it is impossible for a minority chain to prove (https://bitcointalk.org/index.php?topic=1319681.msg13509665;topicseen#msg13509665) anything (because the state of the chain is never absolute w.r.t. to any external chain/clock and is always moving forward). Which is the same analogous mistake enet made upthread (https://bitcointalk.org/index.php?topic=1183043.msg13805802#msg13805802).

To censor, he has to orphan other miners' blocks that do include the transactions. That is visible.

It depends on number of colluding entities. (http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0147905)

I didn't read that but the point is that you can't engage in an attack without creating forks, as monsterer said. The forks are visible. They would exceed those explainable by propagation delays, and would be selective against miners who include the banned transactions.

Orphaned chains (not sustained forks!) are a natural and can't be proven to be an attack. Even those longer-con chains which orphan another chain which do not fall within the expected variance due to natural orphan rate can't be distinguished from natural (non-attack) network connectivity issues. Also I already explained upthread that an emphemeral fork (which orphans another chain) can't be blamed for a double-spend or censored transaction, because there is no provable correlation. Seems you've forgotten where I had to teach you in my Decentralized thread why it is impossible for a minority chain to prove (https://bitcointalk.org/index.php?topic=1319681.msg13509665;topicseen#msg13509665) anything (because the state of the chain is never absolute w.r.t. to any external chain/clock and is always moving forward). Which is the same analogous mistake enet made upthread (https://bitcointalk.org/index.php?topic=1183043.msg13805802#msg13805802).

This requires to assume that we all see and believe this. Right now chinese speculators can bribe a small pool to generate 10 consecutive orphaned blocks and start spreading FUD that someone tried to attack Bitcoin. With intention to buy cheap coins.

Wow, such horrible logic.

You can not know an attack did take place, because the forks could be a ruse, yes.

But you can know that an attack did not take place because there is no such fork anywhere in existence.

Wow, such horrible logic.

You can not know an attack did take place, because the forks could be a ruse, yes.

But you can know that an attack did not take place because there is no such fork anywhere in existence.

Unless you believe that all miners are colluding. I don't believe that. Even then, censorship would leave the censored transactions in the mempool.

@TPTB you are falling into the same logic trap as CfB. Proving an attack is not the same as proving the lack of an attack.

But...we certainly can't know there won't be an attack tomorrow, or the day after, or any other time. That is not only true, but clearly implied by the wording of the white paper.

People need to decide whether they can live with that risk or not.

As I explained to monsterer upthread (https://bitcointalk.org/index.php?topic=1319681.msg13509665;topicseen#msg13509665), it is not possible to objectively prove (with cryptography and math) which chain is the honest one and which one is the dishonest one when there are censored transactions.

[...]

Note however that this minority chain is unprovable to a full node that wasn't online as it was occurring (which was my point to monsterer (https://bitcointalk.org/index.php?topic=1319681.msg13509665;topicseen#msg13509665))...

Sorry smooth. You are going to be embarrassed this time. Get ready.

Hint: mempools prove nothing.

You should have read my Decentralization thread. Obviously you did not.

Mempools only prove nothing if nodes are also conspiring

Here is  (https://bitcointalk.org/index.php?topic=1319681.msg13509665;topicseen#msg13509665)what I taught monsterer before.

Here was some other discussion that linked back to that:

Are you blind?

Are you still blind?

Are you still blind?



How many times do I have to say that ephemeral forks are not an indication of an attack. And proving correctness of block chain state between ephemeral forks is impossible. The longest chain rule wins. Period! Damn it!

Well they are indication, just not conclusive evidence, since they can be natural or faked (at a cost)

But lack of ephemeral forks is conclusive evidence of lack of an attack, subject to the (reasonable) conditions I stated above.

smooth in Bill Clinton mode.

They can also be an indication of deception to confuse when there are actually attacks ongoing, which was CfB's correct point.

Wrong again. Example, Finney attack. Example, a double-spend that falls within the expected number of confirmations of normal orphan rate.

Orphaned chains (not sustained forks!) are a natural and can't be proven to be an attack.

Also I already explained upthread that an emphemeral fork (which orphans another chain) can't be blamed for a double-spend or censored transaction, because there is no provable correlation.

Seems you've forgotten where I had to teach you in my Decentralized thread why it is impossible for a minority chain to prove (https://bitcointalk.org/index.php?topic=1319681.msg13509665;topicseen#msg13509665) anything (because the state of the chain is never absolute w.r.t. to any external chain/clock and is always moving forward). Which is the same analogous mistake enet made upthread (https://bitcointalk.org/index.php?topic=1183043.msg13805802#msg13805802).

Fuck man, you can't even keep all the concepts in your head from the past discussions!

The examples in the paper are toy examples. Now consider a real system with many interconnected computers each running million or billions of lines of code. Passing along a lie does not create a new traitor, but responding incorrectly to an unexpected input does create new traitors. So it is very difficult to ever know how many Manchurian Candidate traitors exist, ready to be triggered.

Byzantine fault tolerance is used because it allows robustness against complex failures to a greater degree than simple majority voting, even when the components are not simple bits of hardware with an easily-quantifiable MTBF (which are often bullshit, BTW).

monsterer is on Ignore for repeating his same failed argument redundantly after it has already been refuted. Sorry I don't have time to argue with an idiot.

Of course you are not omniscient to know this can't be modeled in any applications of the solution. I am quite confident models apply in real world use cases.

Good thing we do not have any such confusion then!

It seems no one is interested in spending money to create confusion about attacks they aren't performing.

A Finley "attack" does not exist in the system as defined by the white paper, where PoW defines ordering (as opposed to mint timestamps as described in section 2). If people want to be dumb and rely on zero conf in Bitcoin, they are attacking themselves.

...
Several rebuttal points:

a) In fact most of the Bitcoin use relies on 0-confirmations. I've been selling BTC to rebit.ph lately, and the transactions confirm within seconds of the transaction being sent.

b) As I wrote before and you ignored, even relying on multiple confirmations may be within the normal variance window for orphaned chains.

c) An attacker can drive the normal variance window upwards as high as he wants to. This is the analogous mistake/myopia you Monero guys made on your math (https://bitcointalk.org/index.php?topic=1319681.msg13599150;topicseen#msg13599150) for what you erroneously claimed fixed the block chain size Tragedy of the Commons.

d) You ignored my point about ongoing 51% attack which is not an ephemeral fork but rather is the longest chain.

Sorry! There is no such objectivity in Satoshi's PoW other than the longest chain rule (LCR). Period!

Eventually you will learn to respect the research I've done on this matter.

Afaics, the above does nothing to remove/ameliorate the Tragedy of the Commons in Satoshi's mining algorithm[1], except if viewed as short-term solution while no miners have a significant percentage of the network hash rate.

The problem is that as I explained for Ethereum (https://bitcointalk.org/index.php?topic=1319681.msg13577100#msg13577100), as transaction rate scales up and thus the block reward is dominated by fees, then unless there is a uniform distribution of hashrate amongst all full node miners (which is of course impossible since not everyone can locate their mining equipment next to a hydropower plant with 2 - 4 cents electricity or for that matter perhaps free subsidized electricity in corrupt environs such as China (https://bitcointalk.org/index.php?topic=1219023.msg13578324#msg13578324)), then those miners with more hashrate will have lower costs of verification. Thus they will be more profitable and can buy more hashrate faster than the other miners. Thus mining will entirely centralize over time, because the economics are designed to centralize mining. So since mining will centralize, then attaining 51% of the mining power will be guaranteed and thus the above algorithm can do nothing to stop miners from spamming the block chain size by paying transaction fees to themselves. But of course with 51% of the hashrate, they can do anything they want, except up to the limits of what public perception will tolerate. I am assuming of course that transaction fees in a free market will reflect actual (marginal) costs and that verification cost will be significant relative to other costs such as bandwidth.

There is also afaics a math flaw in ArticMine's analysis. Unless N is very small, then a miner with a significant but less than 51% hashrate is going to win a block in most every N set, and thus they can hit the 2 * M_N hard limit every time (or what ever rate of increase they deem most cost effective according to the Penalty cost being a function of a square), gradually ramping the median block size up over time. Thus the spam attack is not avoided, rather it just takes longer. And again I had pointed out that by shorting the coin, they can potentially recover their lost block rewards and profit. And if N is very small, then the likelihood that a miner can win all N blocks with less than 51% hashrate increases. Also it is not clear to me from ArticMine's specification if N is overlapping meaning a FIFO queue? But I doubt that makes any difference to my conceptual math point (note I have not written down the equations to precisely quantify this alleged flaw).

Also the 2 * M_N hard limit means that block chain can't handle transient spikes in transaction load, e.g. such as would be required by Lightning Networks (which has sort of a garbage collection overhead which manifests has large spikes in transaction load).

Conceptually at the highest-level semantic model of the generalized essence, an anti-aliasing filter on transaction rate can't ameliorate the fact that a spam transaction is indistinguishable from a non-spam transaction.

To solve this problem we need to make the cost of what is burned when submitting a transaction greater than the cost of cumulative network verification costs. That both solves the economics of the first paragraph above and it also removes the need to limit the block size in any artificial way other than the burn cost. But in my design, I don't waste the burn cost and instead apply it to security in the form of unprofitable mining. Note that the only way to limit culmulative network verification costs is to centralize mining. And this is why I wanted to give up, because I didn't see any solution that didn't centralize mining. But then I realized the design I had for intra-block partitions can centralize while remaining controlled by decentralized PoW, thus effectively still decentralized. And this is why I say you will have to completely rewrite Monero (at least the consensus design portion of the block chain code).

[1]	I introduced this concept in 2013 in my thread Spiraling Transaction Fees (https://bitcointalk.org/index.php?topic=340686.0) and I nailed the block size as the fundamental issue in my last post (https://bitcointalk.org/index.php?topic=340686.msg3681159#msg3681159) in that 2013 thread.

---

I am suggesting the State (or those corrupt who control it) can charge the cost of mining to the collective (think the Three Gorges Dam that wrecked environmental devastation downstream, upstream and derivative effects all over China). I have made this point numerous times. And apparently (after everyone said I was crazy), it came true in China and if true was a factor that enabled China to capture an estimated 67% of the mining and 51% attack Bitcoin. Documentation of these statements is in my vaporcoin thread.

If the profit from shorting is greater than the reward, then it doesn't cost you anything. The free mining cost just makes it more likely you can sustain it long enough to reap your reward. How do we know the Chinese won't milk the investors while the block reward is high (mining at near $0 cost charging it the cost to the collective) and then also profit by shorting it all the way down from $1000.

We are bunch of naive geeks who are being reamed (mined) by savvy traders and strategists. These are no different conceptually than Rothschild's and Rockefeller's methods of yore. The players and technological field change, the game remains the same. (Yeah I am crazy conspiracy theorist whose analysis is always wrong)

Edit: haven't you been slightly suspicious of why the MSM publicized Bitcoin so much. That doesn't happen without the approval the global elite.

---

First I refer to both of your 2013 posts in which both the case of a fixed blocksize (with fees theoretically going to infinity, in practice they are bound by transferring the value of the coin to the miners) and an infinite blocksize (fees go to zero) both fail. I do not dispute either of those scenarios, in fact I have no problem giving you credit for them since you came up with them before I did.  

You propose a tragedy of the commons on the premise that the block reward is dominated by fees. When I first read this response I stopped right at that point since a block reward dominated by fees is actually not possible in a Cryptonote Coin short of actually setting the fees in the consensus code. This I thought would be clear from my previous comments, but it appears this needs some clarification.

The reason the above two scenarios do not apply to a Cryptonote coin with a tail emission such a Monero becomes apparent when one considers the economics of the total block reward components of fees and base reward (new coin emission). If the total in fees per block significantly exceed the base reward then it becomes economically attractive for miners to burn coins to the penalty by mining larger blocks. The block size rises until the total fees per block fall below a level where it is uneconomic for the miners to pay the penalty by increasing the blocksize.

This level is comparable to the base reward. It is at this point where the need for a tail emission becomes clear, since without the tail emission the total block reward (fee plus base reward) would go to zero.

The second claim is that a spam attack by a less that 50% subset of the miners is possible.

As I explained I in the original post this is not possible since one has to either to purchase coins on the open market and pay them to other miners to burn them against the penalty or use hashpower to generate the coins and then burn them to the penalty.

So, I'll bow out of this thread for now, especially if you are ignoring monsterer who is largely correct (though also may have a slightly different perspective)

..

If I understand correctly that by "burn coins to the penalty", you mean that miners will create fake transactions to themselves? Thus the cost of the penalty is being charged to the miner who can't generate fees from himself.

But that is incorrect rationale, because your and my entire point has been that the Tragedy of the Commons is due to market demand for scaling, then the block size is unbounded. Your (and my) entire point was that without any bound, then transaction fees would trend towards 0 and thus an oligarchy MUST form because verification is not only not free, but more saliently verification is less profitable any miner that has less hashrate than the other miner who has the most hashrate (since all miners have to verify the entire block chain and thus verification costs are the same for all full nodes and have to amortized over income from blocks).

Thus you've accomplished nothing in terms of the fact that verification will centralize.

I explained in this thread starting from first principles (https://bitcointalk.org/index.php?topic=1183043.msg13823607#msg13823607) as to why the abstract Byzantine Generals Problem can't be solved decentralized. Period!

Thus that guarantees that it doesn't matter how you try to obfuscate this reality in numerous technobabble. smooth is incorrect to question whether Bitcoin is directly correlated to the BGP. I could explain that too, but I grow weary of foruming.

...

I will respond to this because it is the crux of the entire argument. In Cryptonote the blocksize is bounded by the total of what market will pay in total fees for a block vs the base reward because a rational miner will not add transactions to a block that causes a net loss of fees received vs penalty paid. Also if demand falls then the blocksize falls with no recovery of the penalty. So total fees per block cannot fall to zero in the presence of a block reward. If the base reward is zero then yes the blocksize is unbounded.

Edit: Total fees per block can fall to zero only if the blocks are very small, below the minimum threshold, currently 20 KB  (60 KB after the fork to 2 min blocks) for Monero

...

Your error is of course as I already stated, that transactions can grow unbounded due to market demand for more transactions, and since the Monero block size limit is bounded by the market demand as you have admitted, then it is unbounded.

Thus fees (not block reward) will trend towards 0 because no miner can enforce a bound on the block size so the miners will compete with each other to provide the lowest fees since there is no limit on the number of transactions a miner can put in a block (i.e. the payer can send a transaction with lower fees and wait some extra confirmations until the miner with lower fees wins the block).

But as I already stated, this means those miners with more hash rate will have higher income than those miners will less hashrate, yet all miners have the same verification costs. Thus mining will centralize to an oligarchy. Satoshi put a 1MB block size limit to keep verification costs much lower than the block reward, so that Bitcoin would not centralize too quickly.

I rest my case. Monero has not prevented the Tragedy of the Commons. Please don't make me explain it again.

Actually the error is on your side since you expect a rational miner to pay a penalty in order to add a transaction to a block with a minimal or zero fees which are far less than the penalty. Please do not make me explain the basics of how Cryptonote works again.

I rest my case. Monero has prevented the Tragedy of the Commons.

But as I already stated, this means those miners with more hash rate will have higher income than those miners will less hashrate, yet all miners have the same verification costs. Thus mining will centralize to an oligarchy. Satoshi put a 1MB block size limit to keep verification costs much lower than the block reward, so that Bitcoin would not centralize too quickly.

... the entire point of my rebuttal to your math is what your penalty algorithm does not reach equilibrium...

My logic has nothing to do with the miner paying a penalty.

Per the math I replied to, the Monero penalty is based on exceeding the median of recent N blocks. Since (as you claim, but see Edit below) that median will scale over time to match the market demand for transactions thus no penalty will be incurred for adding all the transactions, then verification costs will eventually cost more than or a significant portion of the tail emission block reward as transaction volume scales. The point is there is no bound on transaction volume.

Thus the logic I stated takes over (where lower hashrate miners are unprofitable and centralization is forced economically):


Please check your logic more thoroughly before responding. Because you are incorrect. So find your error before posting please.

Edit: my point about transaction fees trending towards 0 is correct but not necessary for my argument as explained above. The reason txn fees trend to 0 despite Monero's penalty for creating blocks which exceed the median of recent N blocks is that payers can send the txns with the lowest fee that any miner will accept.  Thus Monero's block size will trend to 0 if the penalty feature works as designed. :o

So either txn fees trend to 0 or block size trends to 0.  ::)

Sorry you can not defeat the fundamental fact that decentralization can't have a solution to the Byzantine Generals Problem. That is fundamental and inviolable. Waste years of your life, but you will still never defeat Physics and the fact that the speed-of-light isn't infinite.

Edit#2: you will probably think that payers will increase their txn fees so that their txn gets added to a block because miners aren't motivated to add too many transactions to incur the penalty (for miners that accept lower txn fees than the other miners which drive the median block size). But some of the txns will get added which have this lower txn fee, but payers can only be sure their txn is added timely if they pay the maximum txn fee that any miner requires (or some amount higher than the lowest fee), thus the miner may be able to afford to pay the penalty by including these extra transactions thus driving the median block size upwards over time and thus eventually driving the txn fees to 0 (the point is miners have no incentive to exclude txns with any level of txn fee when it doesn't cost them anything to add a transaction to block thus the trend will be ever lower and lower txn fees ... the entire point of my rebuttal to your math is what your penalty algorithm does not reach equilibrium). Which was my point that the penalty feature of Monero will not work as intended. But if it does work, it will drive the block size to 0. There are many other scenarios but they all have failure modes (analysis by case enumeration is very piss poor methodology to do academic work, rather I have started from first principles to show abstractly that no decentralized solution to the BGP can possibly exist). So choose your poison because there is no way to escape the problem that verification MUST be centralized in order to solve the Byzantine Generals Problem.

This response starts with the correct assumption that decentralization alone can't have a solution to the Byzantine Generals Problem (the failure of proof of stake), and then proceeds to make little sense on the unrelated problem of scaling the blocksize in POW coins. The latter problem Monero solves. Keep in mind that an equilibrium between fees per block, base reward and blocksize without a collapse to zero or "infinite" fees, the problem Monero solves, does not by itself speak to the miner centralization issue.

Whether proof of work introduces enough external entropy into the system to solve Byzantine Generals Problem is far from clear because there are a host of centralizing and de-centralizing factors interacting with each other the majority of which have not been taken into consideration in the previous discussion.

This response starts with the correct assumption that decentralization alone can't have a solution to the Byzantine Generals Problem (the failure of proof of stake), and then proceeds to make little sense on the unrelated problem of scaling the blocksize in POW coins. The latter problem Monero solves. Keep in mind that an equilibrium between fees per block, base reward and blocksize without a collapse to zero or "infinite" fees, the problem Monero solves, does not by itself speak to the miner centralization issue.

Whether proof of work introduces enough external entropy into the system to solve Byzantine Generals Problem is far from clear because there are a host of centralizing and de-centralizing factors interacting with each other the majority of which have not been taken into consideration in the previous discussion.

Afaics the paper has an important omission which is that when the disloyal generals (traitors) are not colluding (i.e. can't trust each other) then they have no reliable means to disrupt the loyal consensus. So my analysis will focus on the case where the disloyal generals are colluding.

[...]

(note also that the definition of oral messages assumes conditions A1, A2, and A3 which can't exist in a decentralized network where Sybil attacks are possible)

PS: By the way, classical BGP mentions somewhere that traitors collude AFAIK.

This brings us back to the Cryptonote adaptive blocksize limit combined with a tail emission found in Monero where:
1) The cost of mining a block is set by the block subsidy

2) The total amount in fees per block has to rise to a number comparable to, but most of the time smaller, than the block subsidy.

The reason the above two scenarios do not apply to a Cryptonote coin with a tail emission such a Monero becomes apparent when one considers the economics of the total block reward components of fees and base reward (new coin emission). If the total in fees per block significantly exceed the base reward then it becomes economically attractive for miners to burn coins to the penalty by mining larger blocks. The block size rises until the total fees per block fall below a level where it is uneconomic for the miners to pay the penalty by increasing the blocksize. This level is comparable to the base reward. It is at this point where the need for a tail emission becomes clear, since without the tail emission the total block reward (fee plus base reward) would go to zero.

[1] Note this means the tail reward security of Monero will be very weak and insufficient.

"Insufficient" is unclear because there is no unambiguous definition of how much is sufficient.

In large part it depends on the decentralization of mining. If mining is decentralized then you only need a small (but still nonzero) incentive because any miner can't really do anything other than follow the longest chain rule. While raw hash rate attacks are possible (i.e. temporarily centralizing mining by incurring a cost), in a larger system they will have significant cost and will only succeed as long as the ongoing cost is paid.

If mining is highly concentrated by nature then you are really only relying on the weak linear security of the block reward itself, and maybe not even that, because miners (e.g., hypothesized Chinese cartels) have all sorts of perverse incentives.

Your statement would be correct if you added ", assuming mining becomes centralized as I have claimed it will."

I have a solution, but it is a very radical change to the proof-of-work design that relies on unprofitable mining by payers.

Which I do not see as a solution due to my criticism of IOTA where abstracting block reward from the external entropy process defeats the purpose of the external entropy process from existing in the first place, giving you something that's functionally equivalent to a closed loop proof of stake system.  Or to put it more simply for people who didn't read the IOTA thread, without permanent coin turnover via either transaction fee as block reward or permanent inflation, you technically have a permissioned ledger and not a decentralized system.  Transaction fee as block reward being the far lesser of evils to the point where it can only be considered a work of art.  I believe unprofitable mining is therefore pointless mining.

My, to borrow a slightly overused Anonymint term, "holistic" grasp of all cryptocurrency elements was not where it is now when I originally made this thread, and Satoshi indeed did not implement any Sybil prevention due to pools acting as an unforeseen abstraction layer, but Bitcoin is otherwise a work of art that no alternative systems have been able to improve upon yet.

There is a permanent tail reward turnover in my design. And it is still unprofitable.

Transaction fee as block reward with zero inflation being the far lesser of evils to the point where it can only be considered a work of art.

I'm honestly not ready to throw in the towel on inflation due to being a completely arbitrary number that opens an enormous slippery slope for alteration by succesors.  Inflation also just being a form of social engineering that people will always attempt to bypass by utilizing other systems.  Also due to the fact stated below:

[...]Monero's perpetual tail reward which is necessarily a fixed # of coins (https://bitcointalk.org/index.php?topic=753252.msg14578382#msg14578382)[...]

I will argue my statement was correct as stated, because there are other parties with significant resources and incentives who may not be mining normally but once the hashrate declines to the tail reward cost, they can then decide it is easier to attack the coin.

The better retort would be to argue that the as the adoption increases, the price will rise so the fixed size (in coins) tail reward has an adaptive valuation.

But I will retort that the value of shorting also scales up accordingly.

It (0 inflation) has further benefit due to the fact that Bitcoin mining profit trends towards zero, but with a deflationary system with no inflation involved, there is still incentive to mine it anyway due mining acting as futures market with a time opportunity cost that allows for forward profits

Shorting can't erase the cost due to PoW (burning energy). It can only erase a cost from loss of value of a holdings (PoS and other methods that claim to turn holding coins into "virtual miners").

BTW, I would suggest that Tragedy of the Commons is an ineffective analogy for explaining whatever it is you are trying to explain because obviously-intelligent people such as ArticMine don't understand it. It may be that you are entirely correct, but if you want to communicate effectively you need a differently-worded explanation.

The amount of inflation you can slop onto a system before it compromises my above statement is far too arbitrary and unknown

If attacking a coin causes its price to decline, shorting can return a profit. If that profit exceeds the cost due to PoW, then it erased it. Cover the short, stop the attack. Repeat if the price rises again.

Yes but if the attack doesn't succeed, the energy burn cost is still there (i.e. risk of failure)

If, by contrast, you try to attack a coin almost costlessly via PoS exploits and if your attack doesn't succeed then your your coins nor your short loses value. Then you can just try again, until you succeed...

I agree that "coins will go down in value" does not enhance the security of PoW; that would attempting to impute a some sort of stake-based incentive to mining, as some do, and that is flat out wrong, or at best, very weak security.

The usual way to short a currency is to use a currency pair—something like EUR/USD, the value of a euro denominated in dollars—which trades as a single unit. For example, if the euro was trading at $1.3000, you would “borrow” a currency pair from your broker, which you have to return within a certain period of time, and sell it on the open market, pocketing $1.30. If after an hour EUR/USD is trading at $1.2950, you can buy the currency pair at that price and return it to your broker, making a profit of $0.0050. (If you’re wrong, you lose out.)

But if you have a short position, there’s no limit to how much money you can lose if the shares rise. If the share price increases soon after you place a short position, you could quickly “cover” by buying back the shares and returning them to the investor you borrowed them from. If you’re lucky, you might not lose very much.

But an investor named Joe Campbell was not so lucky when he placed a $37,000 short position on KaloBios Pharmaceuticals Inc. US:KBIO  earlier this month, only to find out a day later that the shares had shot up about 800% after Turing Pharmaceuticals CEO Martin Shkreli gained control of a majority of KaloBios’ shares.

What Is a Forced Liquidation?

A forced liquidation is when all or part of your positions are closed automatically to prevent further loss and ensure you do not default on your loans. Forced liquidations are executed using one or more market orders; as such, order book liquidity at the time of these orders will affect the extent of the losses you incur from the liquidation. Forced liquidations occur when your Current Margin dips below your Maintenance Margin. It is strongly advised that you check the markets and your open positions regularly, mitigating your risk as necessary by reducing the size of your positions or transferring additional collateral into your margin account. Markets can change very quickly, and no guarantee can be made that you will receive a Margin Call warning in time for you to prevent a forced liquidation.

Hey guys,
Just have an interesting case study of my trading experience on Poloniex last week.  I traded on Poloniex's margin trading platform and was margin called on June 15th 17:15 when the prices went from .000029 BTC per BTS to .000014 BTC per BTS back to .000028 BTC per BTS in a ten minute span. (Down 50% in less than 10 minutes!) I didn't realize the liquidity was so low on Poloniex, but it's interesting to know what can happen.  I lost a chunk of money.
I think someone or some bot just ran down the book on all the buy orders and got the price really low to trigger all the margin calls and bought back at low prices, but not sure of the exact mechanics.

Which I do not see as a solution due to my criticism of IOTA...

"Criticism"? After you ruined your reputation by producing tons of bullshit (which you admitted by refusing to put your money where your mouth was) it's not longer a criticism, you behave like a kid who knows that thing he did were wrong but he can't stop doing them because others will see that he regrets of doing them in the past. "Criticism" haha, keep playing the role of joker blabbing words you don't understand.

Please, spare me the garbage.  If anyone has a bad reputation it's all you IPO scammers.

Yes but if the attack doesn't succeed, the energy burn cost is still there (i.e. risk of failure)

Regarding the future of Bitcoin and its Tragedy of the Commons economic design:


Cartels form in power vacuums. They must align with the greater power vacuums in order to sustain their market inefficiency (top-down control can't anneal maximum fitness). So the only way such a cartel would not fail, would be to become a fiat of the world government and be sustained by the Iron Law on Political Economics (http://esr.ibiblio.org/?p=984) which is the perennial, inimitable power vacuum.

If, by contrast, you try to attack a coin almost costlessly via PoS exploits and if your attack doesn't succeed then your your coins nor your short loses value. Then you can just try again, until you succeed...

I agree that "coins will go down in value" does not enhance the security of PoW; that would attempting to impute a some sort of stake-based incentive to mining, as some do, and that is flat out wrong, or at best, very weak security.

Agreed one of the major reasons PoS(hit) is insecure— there is no ongoing expenditure.