Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: Peter R on April 04, 2015, 05:37:03 PM



Title: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 04, 2015, 05:37:03 PM
Reading Andrew Poelstra's recent paper "On Stake and Consensus" (https://download.wpsoftware.net/bitcoin/new-pos.pdf) got me interested in better understanding how various proof-of-stake schemes (cPOS, dPOS, etc.) work.

In particular, for each PoS scheme I want to know:

1.  After leaving the network for some length of time, how does a node determine the current state of the blockchain?

2.  How are new blocks added to the blockchain?

I'm finding it difficult, however, to extract the signal from the noise in the literature I find. Does anyone know of a concise but complete technical description of the various PoS schemes in use?


==================
SOME RESOURCES:

Original thread by QuantumMechanic:
https://bitcointalk.org/index.php?topic=27787.0

Nxt white paper:
http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt

Neucoin white paper:
http://www.neucoin.org/en/whitepaper/download

Bitshares PoS:
http://wiki.bitshares.org/index.php/DPOS

Wikipedia article:
http://en.wikipedia.org/wiki/Proof-of-stake

Bitcoin PoS wiki:
https://en.bitcoin.it/wiki/Proof_of_Stake

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

https://raw.githubusercontent.com/vbuterin/scalability_paper/master/scalability.pdf




Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 04, 2015, 08:05:31 PM
Reserved.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 04, 2015, 08:44:47 PM
Concise and complete. I think the title is asking too much  :D

Have you posted this exact OP wording before? Seems very familiar



Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 04, 2015, 10:00:50 PM
Concise and complete. I think the title is asking too much  :D

By "concise but complete" I mean just enough details to understand how consensus is established and maintained [and not so much that the important points are obscured]. An example of what I'm looking for, applied to bitcoin, would be:

Quote
How are new blocks added to the blockchain?

Nodes assemble recent transactions into a block and attempt to find a nonce that, when hashed with the new blockheader (which is cryptographically linked to the previous blockheader), produces a number less than some target:

    hash(blockheader, nonce) < target.

If a node finds such a nonce, it publishes the solution to the network.  Other nodes signal their acceptance of this new block by attempting to build new blocks on top of it.  

Quote
After leaving the network for some length of time, how does a node determine the current state of the blockchain?

Upon rejoining the network, a node considers valid chains where:

(1) the blockheaders form a cryptographic chain linking back to Bitcoin's genesis block,
(2) all transactions are permitted according to the protocol rules,

and selects the valid chain with the greatest cumulative work.  

Cumulative work is  
 
    cumulative work = work in block 0 + work in block 1 + … + work in block n-1 + work in block n,
    
where n is the number of blocks in the chain, and the work in the i-th block is

    work_i = fcn(hash(blockheader_i, nonce_i)).


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 04, 2015, 10:34:13 PM
Ok. Concise: This is for Nxt.

http://chepurnoy.org/blog/2014/09/inside-a-cryptocurrency-slash-inside-nxt-announce/

Kushti can discuss if you think there are any holes


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 04, 2015, 11:31:52 PM
Thanks. Here's what I've got so far for Nxt:

Quote
How are new blocks added to the blockchain?

Registered nodes (nodes with a private key whose pubkey has been registered as a Nxt account) assemble recent transactions into a block and attempt to find a nonce that when used to sign the generation signature from the previous block, results in a signature that hashes to a number less than some time- and balance-weighted target:

    hash(sign_with_node_privkey(previous_block_signature, nonce)) < target  x  balance of account  x  time in seconds since last block.

If a node finds such a nonce, it publishes the solution to the network.  Other nodes signal their acceptance of this new block by attempting to build new blocks on top of it.  

Quote
After leaving the network for some length of time, how does a node determine the current state of the blockchain?

Upon rejoining the network, a node considers valid chains where:

(1) the generation signatures form a cryptographic chain linking back to Nxt's genesis block,
(2) all transactions are permitted according to the protocol rules.

If more than one valid chain exists, the operator of the node would consult with people he trusts to determine the best chain.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 04, 2015, 11:56:06 PM
Thanks. Here's what I've got so far for Nxt:

Quote
How are new blocks added to the blockchain?

Registered nodes (nodes with a private key whose pubkey has been registered as a Nxt account) assemble recent transactions into a block and attempt to find a nonce that when used to sign the generation signature from the previous block, results in a signature that hashes to a number less than some time- and balance-weighted target:

    hash(sign_with_node_privkey(previous_block_signature, nonce)) < target  x  balance of account  x  time in seconds since last block.

If a node finds such a nonce, it publishes the solution to the network.  Other nodes signal their acceptance of this new block by attempting to build new blocks on top of it.  

Quote
After leaving the network for some length of time, how does a node determine the current state of the blockchain?

Upon rejoining the network, a node considers valid chains where:

(1) the generation signatures form a cryptographic chain linking back to Nxt's genesis block,
(2) all transactions are permitted according to the protocol rules.

If more than one valid chain exists, the operator of the node would consult with people he trusts to determine the best chain.


Both parts are understood incorrectly. Sorry, can't tell how it should be, too late in my timezone.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 05, 2015, 12:21:36 AM
Both parts are understood incorrectly. Sorry, can't tell how it should be, too late in my timezone.

From this (http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#The_Forging_Algorithm):

Quote from: Nxt white paper
Each block on the chain has a generation signature parameter. To participate in the block forging process, an active account cryptographically signs the generation signature of the previous block with its own public key. This creates a 64-byte signature, which is then hashed using SHA256. The first 8 bytes of the resulting hash gives a number, referred to as the account's hit.

The hit is compared to the current target value. If the computed hit is lower than the target, then the next block can be generated.

and from this (http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Target_Value):

Quote from: Nxt white paper
In order to win the right to forge (generate) a block, all active Nxt accounts compete by attempting to generate a hash value that is lower than a given base target value. This base target value varies from block to block, and is derived from the previous block's base target value multiplied by the amount of time that was required to generate that block…

...Each account calculates its own target value, based on its current effective stake. This value is:

   T = T_b x S x B_e

where:

   T is the new target value
   T_b is the base target value
   S is the time since the last block, in seconds
   B_e is the effective balance of the account

and from this (http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Accounts):

Quote from: Nxt white paper
...all accounts are stored on the network, with private keys for each possible account address directly derived from each account's passphrase using a combination of SHA256 and Curve25519 operations...When an account is accessed by a secret passphrase for the very first time, it is not secured by a public key. When the first outgoing transaction from an account is made, the 256-bit public key derived from the passphrase is stored on the blockchain, and this secures the account.


I inferred that:

Quote from: Peter R
Registered nodes (nodes with a private key whose pubkey has been registered as a Nxt account) assemble recent transactions into a block and attempt to find a nonce that when used to sign the generation signature from the previous block, results in a signature that hashes to a number less than some time- and balance-weighted target:

    hash(sign_with_node_privkey(previous_block_signature, nonce)) < target  x  balance of account  x  time in seconds since last block.

If a node finds such a nonce, it publishes the solution to the network.  Other nodes signal their acceptance of this new block by attempting to build new blocks on top of it.

I know I've neglected details such as the 1440 blocks that coins must be stationary before they count towards the account's forging balance, as well as the rolling checkpoints 720 blocks back, but at a high-level, what is incorrect about my summary?


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 05, 2015, 02:01:19 AM
I'm wondering if I misinterpreted this statement:

Quote from: Nxt white paper
To participate in the block forging process, an active account cryptographically signs the generation signature of the previous block with its own public key. This creates a 64-byte signature, which is then hashed using SHA256.

I interpreted this to mean that the account produces an ECDSA signature of the previous block's generation signature with its private key (and that the word "public key" was a typo) and the resulting 64-byte signature got hashed.  

Does this instead mean that the generation signature is more like a fingerprint, and that the previous block's fingerprint gets mixed with the account's pubkey somehow in a deterministic way (hashing, XORing, etc.)?  This would make more sense because each account would then be restricted to one attempt to solve the block per second.  



Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: iGotSpots on April 05, 2015, 02:09:06 AM
I don't really feel like going into detail, but I've recently warmed up to NXT, as well. I have issues with that particular network, but the tech itself is solid and worth looking into


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 05, 2015, 06:19:35 AM
Here's what I've got so far for Peercoin (thanks in part to http://www.neucoin.org/en/whitepaper/download)

Quote
How are new blocks added to the blockchain?

Nodes wait for their turn to append a block containing recent transactions to the blockchain.  For each coin (UTXO) controlled by the node, the node checks to see if a specific data structure related to that coin hashes to a number less than some age- and balance-weighted target:

    hash(coin details, stake modifier, current time) < target  x  coin size  x  age.

If any coin controlled by the node meets this requirement, then the node signs the block it assembled and publishes it to the network.  Other nodes signal their acceptance of this new block by attempting to build new blocks on top of it.  

The data structure that gets hashed contains "coin details," something called the "stake modifier" and the "current time" in seconds.  The "coin details" for a particular coin are known the moment the coin is created and never change (but of course become useless if the coin is later spent).  The "stake modifier" is a sequence of bits that depend on details about the coin AND depend on details about the blockchain that correspond to times after the coin was created (and AFAICT the "stake modifier" remains constant once the coin reaches sufficient coinage to qualify for staking).  The "current time" increments each second and is the dynamic variable that causes the hash value to continually change, giving each coin a new opportunity once per second to create a block.    


One thing I appear to be missing: where do the details about the previous block go (in order to form a cryptographically-linked chain of blocks)?


Quote
After leaving the network for some length of time, how does a node determine the current state of the blockchain?

I'm not really sure yet, but I imagine the node would look for the chain that contained blocks regularly signed by Sunny King (the developer).  I'm also not sure what would happen if Sunny King signed multiple competing chains or stopped signing anything at all.  


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 05, 2015, 09:19:25 AM
...what is incorrect about my summary?

"Nonce". There is no "nonce" in Nxt.


I'm wondering if I misinterpreted this statement:

Quote from: Nxt white paper
To participate in the block forging process, an active account cryptographically signs the generation signature of the previous block with its own public key. This creates a 64-byte signature, which is then hashed using SHA256.

I interpreted this to mean that the account produces an ECDSA signature of the previous block's generation signature with its private key (and that the word "public key" was a typo) and the resulting 64-byte signature got hashed.  

Does this instead mean that the generation signature is more like a fingerprint, and that the previous block's fingerprint gets mixed with the account's pubkey somehow in a deterministic way (hashing, XORing, etc.)?  This would make more sense because each account would then be restricted to one attempt to solve the block per second.  

In the very beginning (first 30'000 blocks) Nxt indeed used signing. It was an intentionally injected flaw that transformed PoS into PoW (one could generate different signatures for the same block). But then signing was replaced with hashing, restricting to one attempt to solve the block per block, not per second.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 05, 2015, 09:30:49 AM
If more than one valid chain exists, the operator of the node would consult with people he trusts to determine the best chain.

This should be replaced with:

The software determines the best chain by analyzing the ratio of transactions belonging to well-known participants (e.g. Walmart, Alibaba, Coinbase) of the economical cluster using Nxt. Non-legit chains can't include such transactions because every transaction refers to a block mined several minutes before the transaction timestamp, which prevents inclusion of the majority of the transactions into chains with lower cumulative difficulty or into chains generated by an adversary.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Tobo on April 05, 2015, 11:21:22 AM
For people interested in knowing more about the Nxt code review - the intentionally injected flaws hunting with rewards - you can see the whole story of the peer to peer and line by line review here - https://bitcointalk.org/index.php?topic=397183.0


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 05, 2015, 04:23:55 PM
In the very beginning (first 30'000 blocks) Nxt indeed used signing. It was an intentionally injected flaw that transformed PoS into PoW (one could generate different signatures for the same block). But then signing was replaced with hashing…

...There is no "nonce" in Nxt.

Haha. I found one of the intentionally-injected flaws without even looking at the source code. :)  BTW, I used the term "nonce" because the k-value used to produce an ECDSA signature could be used as a nonce to search the signature space for a {R,S} pair that hashes to a value that meets the target difficulty (thus creating a sort of PoW system as you pointed out).  

In any case, it sounds like the white paper is worded awkwardly.  Perhaps you could clarify:

Quote from: Nxt white paper
To participate in the block forging process, an active account cryptographically signs the generation signature of the previous block with its own public key…

Should this instead say that the account hashes together the "generation signature" of the previous block with its own public key?

And does the "generation signature" of the previous block involve an ECDSA signature in some way?  Or is it more like a fingerprint that results from a hashing operation?


Quote from: Nxt white paper
...This creates a 64-byte signature, which is then hashed using SHA256

Again, I'm confused because the ECDSA signatures used in Bitcoin are 64-bytes long.  But it sounds like the 64-byte signature is actually the output of a hash function.  Which hash function is used?  Do these 64-bytes get hashed again using SHA256, like the white paper says?  


But then signing was replaced with hashing, restricting to one attempt to solve the block per block, not per second.

OK, I think we're saying the same thing.  What I mean is that each second the quantity on the right-hand side (RHS) of this inequality grows:

    hash(previous block's generation signature, account's public key)  <  target  x  balance of account  x  time in seconds since last block.

Although the hash value on the LHS is static,  the RHS grows larger once per second, thereby giving the account one chance per second to produce the next block.  Is this not correct?


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 05, 2015, 04:43:59 PM
Should this instead say that the account hashes together the "generation signature" of the previous block with its own public key?

Yes.


And does the "generation signature" of the previous block involve an ECDSA signature in some way?  Or is it more like a fingerprint that results from a hashing operation?

No. Yes.


Quote from: Nxt white paper
...This creates a 64-byte signature, which is then hashed using SHA256

Again, I'm confused because the ECDSA signatures used in Bitcoin are 64-bytes long.  But it sounds like the 64-byte signature is actually the output of a hash function.  Which hash function is used?  Do these 64-bytes get hashed again using SHA256, like the white paper says?  

This is outdated info. ECDSA is not used, only SHA256.


But then signing was replaced with hashing, restricting to one attempt to solve the block per block, not per second.

OK, I think we're saying the same thing.  What I mean is that each second the quantity on the right-hand side (RHS) of this inequality grows:

    hash(previous block's generation signature, account's public key)  <  target  x  balance of account  x  time in seconds since last block.

Although the hash value on the LHS is static,  the RHS grows larger once per second, thereby giving the account one chance per second to produce the next block.  Is this not correct?

This is incorrect. Chance is already predefined and it's not changed until the next block. One account can generate the next block in 47 seconds, another - in 112 seconds. If the account at mark 47 is mining then 112th doesn't have any chance (until the next block). This is how it looks - http://nxtportal.org/forgers/, - new block leads to a new picture.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 05, 2015, 05:02:54 PM
But then signing was replaced with hashing, restricting to one attempt to solve the block per block, not per second.

OK, I think we're saying the same thing.  What I mean is that each second the quantity on the right-hand side (RHS) of this inequality grows:

    hash(previous block's generation signature, account's public key)  <  target  x  balance of account  x  time in seconds since last block.

Although the hash value on the LHS is static,  the RHS grows larger once per second, thereby giving the account one chance per second to produce the next block.  Is this not correct?

This is incorrect. Chance is already predefined and it's not changed until the next block. One account can generate the next block in 47 seconds, another - in 112 seconds. If the account at mark 47 is mining then 112th doesn't have any chance (until the next block). This is how it looks - http://nxtportal.org/forgers/, - new block leads to a new picture.

Right, each participant in the network could calculate

    Q = hash(previous block's generation signature, account's public key) / account's balance

for every account in the network, and then sort these from smallest to largest Q.  The participant who controlled the first account in that sorted list would forge the next block (once sufficient time has elapsed to meet the difficulty target), unless perhaps he goes offline (in which case the second account in that sorted list would forge).
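
The forging order discussed in the posts above, as an added sketch that is not part of the thread and not Nxt's own code: the hit is the first 8 bytes of SHA256(previous generation signature, public key), and the per-account target is T_b x S x B_e, so every account's forging second is fixed as soon as the previous block is known. The account names, public keys, balances, base target, genesis value and the big-endian reading of the 8 bytes are all constructed assumptions.

```python
import hashlib

HIT_SPACE = 2 ** 64  # a hit is the first 8 bytes of a SHA256 digest


def constructed_pubkey(label: str) -> bytes:
    """Stand-in 32-byte 'public key' (constructed, not a real Curve25519 key)."""
    return hashlib.sha256(label.encode()).digest()


# Constructed sample state: account name -> (public key, effective balance B_e).
ACCOUNTS = {
    name: (constructed_pubkey(name), balance)
    for name, balance in [("alice", 500_000), ("bob", 300_000),
                          ("carol", 150_000), ("dave", 50_000)]
}
TOTAL_STAKE = sum(balance for _, balance in ACCOUNTS.values())
# Constructed base target T_b, sized so the whole network averages about 60 s per block.
BASE_TARGET = HIT_SPACE // (60 * TOTAL_STAKE)
GENESIS_GS = hashlib.sha256(b"constructed genesis generation signature").digest()


def generation_signature(prev_gs: bytes, public_key: bytes) -> bytes:
    """Fingerprint chain: hash the previous generation signature with the forger's key."""
    return hashlib.sha256(prev_gs + public_key).digest()


def hit(prev_gs: bytes, public_key: bytes) -> int:
    """First 8 bytes of the hash as a number (byte order is an assumption here)."""
    return int.from_bytes(generation_signature(prev_gs, public_key)[:8], "big")


def can_forge(hit_value: int, base_target: int, seconds: int, balance: int) -> bool:
    """The check from the white paper: hit < T, with T = T_b x S x B_e."""
    return hit_value < base_target * seconds * balance


def forging_delay(hit_value: int, base_target: int, balance: int):
    """Smallest whole number of seconds S for which hit < T_b x S x B_e."""
    if balance <= 0:
        return None  # no effective stake: the target never grows
    return hit_value // (base_target * balance) + 1


def forging_schedule(prev_gs: bytes, accounts: dict, base_target: int):
    """Every account's (delay, name, hit), earliest first. Nothing here can be
    re-rolled: the only inputs are the previous block and the account's key."""
    rows = []
    for name, (pubkey, balance) in accounts.items():
        h = hit(prev_gs, pubkey)
        delay = forging_delay(h, base_target, balance)
        if delay is not None:
            rows.append((delay, name, h))
    return sorted(rows)


def forge_chain(gs: bytes, accounts: dict, base_target: int, n_blocks: int,
                offline=frozenset()):
    """Extend the chain n_blocks times; the earliest online account forges and
    its key feeds the next generation signature ("a new picture" per block)."""
    blocks = []
    for _ in range(n_blocks):
        schedule = forging_schedule(gs, accounts, base_target)
        delay, name, _ = next(row for row in schedule if row[1] not in offline)
        blocks.append((name, delay))
        gs = generation_signature(gs, accounts[name][0])
    return blocks


if __name__ == "__main__":
    for delay, name, _ in forging_schedule(GENESIS_GS, ACCOUNTS, BASE_TARGET):
        print(f"{name:>6} may forge {delay:>5} s after the previous block")
    print("all online:   ", forge_chain(GENESIS_GS, ACCOUNTS, BASE_TARGET, 5))
    first = forging_schedule(GENESIS_GS, ACCOUNTS, BASE_TARGET)[0][1]
    print(f"{first} offline:", forge_chain(GENESIS_GS, ACCOUNTS, BASE_TARGET, 1, {first}))
```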



Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 05, 2015, 07:04:38 PM
If more than one valid chain exists, the operator of the node would consult with people he trusts to determine the best chain.

This should be replaced with:

The software determines the best chain by analyzing the ratio of transactions belonging to well-known participants (e.g. Walmart, Alibaba, Coinbase) of the economical cluster using Nxt. Non-legit chains can't include such transactions because every transaction refers to a block mined several minutes before the transaction timestamp, which prevents inclusion of the majority of the transactions into chains with lower cumulative difficulty or into chains generated by an adversary.

Thanks for the response.  

I'd like to re-word this in a way that doesn't use the term "software"; the software is an implementation of a protocol.  A node is free to use different software provided it's compatible with the protocol.

I'd also like to re-word your description in a way that doesn't make statements about what is or isn't possible (e.g., the last sentence in your description), unless we can prove this mathematically.  In other words, I only want to describe how a node picks the best chain from multiple candidate chains.  

How's this:

============
Upon rejoining the network, a node considers valid chains where:

(1) the generation signatures form a cryptographic chain linking back to Nxt's genesis block,
(2) all transactions are permitted according to the protocol rules.

If more than one valid chain exists, the operator of the node would analyze each chain, calculating the ratio of transactions that belong to participants that were well-known to the node prior to him leaving, to transactions from other participants.  For each chain, the node applies a deterministic formula to get a score based on these ratios:

   score 1 = fcn(candidate chain 1)
   score 2 = fcn(candidate chain 2)
   …
   score n = fcn(candidate chain n)

The node would select the chain that had the highest score.  
============


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 05, 2015, 07:13:10 PM
Thanks for response.  

I'd like to re-word this in a way that doesn't use the term "software"; the software is an implementation of a protocol.  A node is free to use different software provided it's compatible with the protocol.

I'd also like to re-word your description in a way that doesn't make statements about what is or isn't possible (e.g., the last sentence in your description), unless we can prove this mathematically.  In other words, I only want to describe how a node picks the best chain from multiple candidate chains.  

How's this:

============
Upon rejoining the network, a node considers valid chains where:

(1) the generation signatures form a cryptographic chain linking back to Nxt's genesis block,
(2) all transactions are permitted according to the protocol rules.

If more than one valid chain exists, the operator of the node would analyze each chain, calculating the ratio of transactions that belong to participants that were well-known to the node prior to him leaving, to transactions from other participants.  For each chain, the node applies a deterministic formula to get a score based on these ratios:

   score 1 = fcn(candidate chain 1)
   score 2 = fcn(candidate chain 2)
   …
   score n = fcn(candidate chain n)

The node would select the chain that had the highest score.  
============

There are 2 rules for consensus in Nxt. Good old "longest chain wins" for short range (used by up-to-date nodes) and "stick to the economic cluster" for long range (used by catching up nodes). There is no hard line between the rules, but if you suddenly join a wrong branch and make a payment then the counterparty won't see your transaction (you both must be on the same branch). The incentive to stay on the same branch is forced by economical laws, not by mathematical ones. I doubt you can formalize this with pure mathematical notation.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: presstab on April 05, 2015, 08:16:41 PM
Don't know much about NXT, but for Peercoin and most of its derivatives:
Quote
Contrary to popular belief, Proof of Stake is not all that different from Proof of Work. When you are mining a PoW coin, your goal is typically to create a hash that has a value below a certain threshold. Your miner continuously hashes inputs until it produces a hash under the target threshold, and then announces the hash to all its peers, which scan the information and ensure it meets the rules. When it is confirmed that it met the rules, everyone moves on to the next block in the chain.

Proof of Stake also tries to produce a hash that is below a certain target. The target is different for each peer (but governed by the same rules), instead of the same target network-wide as is the case for PoW. The target is equal to coin weight multiplied by the bits in the block (bits is difficulty inversed). Coin weight is calculated a little bit differently for each PoS coin, but for a simple example we can say that coin weight is equal to the coin group (technically called UTXO, but also known as “pile”, “coin block”, etc.) multiplied by how many days old it is.

So if I have a group of 1,000 coins that is two days old, I would have a weight of 2,000. In order for this to “stake”, or to mine a new block, I would need to create a hash that is less than 2,000 multiplied by nBits. If nBits is equal to something like 100, then I would need to produce a hash that is less than 2,000 * 100 = 200,000. As you can see, the more weight I have, the easier the target is. If that group of coins was five days old, I would have to produce a hash less than 5,000 * 100 = 500,000.

The primary goal of Proof of Stake is to prevent a Proof of Work style system where the more hashing equipment you have, the more likely you will hit the target first. So in order to avoid someone from hooking up miners and hashing to create a PoS block first, the protocol only allows one hash to be created per UTXO per second. So if I were to be hashing on my desktop here and also have a server hashing the same wallet, they would create identical hashes and I would not have any extra advantage by hashing with more power at once.

If I have one UTXO held by my wallet, I am limited to 1 new hash per second. However, if I have 10 UTXOs in my wallet, I will have ten unique hashes I can create per second. Hashing is entirely random, so often you may have a large coin weight, but since you are only creating one hash per second, it does not have good odds of staking right away. This is why many people that understand the staking protocol will prefer 10 UTXOs of 1,000 coins instead of 1 UTXO of 10,000 coins.
http://bitcoinist.net/interview-presstab-pos-vulnerabilities/
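
The per-UTXO, per-second kernel check described in the quoted interview, as an added sketch that is not part of the thread and not Peercoin's code. It assumes target = coins x whole days of age x nBits as in the quoted worked numbers, a 32-bit hash space so that those small targets are reachable, and a fixed stake modifier; the UTXOs, timestamps and modifier are constructed.

```python
import hashlib
from dataclasses import dataclass

DAY = 86_400
HASH_BYTES = 4  # toy scale (assumption): compare 32-bit numbers, not 256-bit ones


@dataclass(frozen=True)
class Utxo:
    txid: bytes
    vout: int
    coins: int
    created: int  # unix time the coin group was created

    def details(self) -> bytes:
        """'Coin details': fixed at creation, never change afterwards."""
        return (self.txid + self.vout.to_bytes(4, "big")
                + self.created.to_bytes(8, "big"))


def stake_target(coins: int, age_days: int, nbits: int) -> int:
    """Coin weight (coins x days old) multiplied by nBits."""
    return coins * age_days * nbits


def kernel_hash(utxo: Utxo, stake_modifier: bytes, now: int) -> int:
    """One hash per UTXO per second. There is no free nonce: the inputs are
    the coin, the stake modifier and the clock, so a second machine hashing
    the same wallet computes exactly the same numbers."""
    data = stake_modifier + utxo.details() + now.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:HASH_BYTES], "big")


def kernel_ok(utxo: Utxo, stake_modifier: bytes, now: int, nbits: int) -> bool:
    """The staking condition; a validating node re-runs this same check using
    the timestamp claimed by the block."""
    age_days = max(0, (now - utxo.created) // DAY)
    target = stake_target(utxo.coins, age_days, nbits)
    return kernel_hash(utxo, stake_modifier, now) < target


def first_stake_time(wallet, stake_modifier: bytes, start: int, window: int,
                     nbits: int):
    """Walk the clock one second at a time; return (time, utxo) for the first
    kernel that meets its target, or None if nothing stakes in the window."""
    for now in range(start, start + window):
        for utxo in wallet:
            if kernel_ok(utxo, stake_modifier, now, nbits):
                return now, utxo
    return None


# Constructed sample data (not real transactions).
CREATED = 1_428_000_000
NBITS = 100
MODIFIER = hashlib.sha256(b"constructed stake modifier").digest()[:8]
ONE_PILE = [Utxo(hashlib.sha256(b"tx-0").digest(), 0, 10_000, CREATED)]
TEN_PILES = [Utxo(hashlib.sha256(b"tx-1").digest(), i, 1_000, CREATED)
             for i in range(10)]

if __name__ == "__main__":
    start = CREATED + 2 * DAY  # both wallets are two days old when the scan begins
    for label, wallet in [("1 x 10,000", ONE_PILE), ("10 x 1,000", TEN_PILES)]:
        found = first_stake_time(wallet, MODIFIER, start, 3 * DAY, NBITS)
        if found is None:
            print(f"{label}: no kernel met its target in 3 days")
        else:
            now, utxo = found
            print(f"{label}: output {utxo.vout} stakes {now - start} s into the scan")
```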


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 06, 2015, 10:42:00 PM
Vitalik may have just done the proof you were looking for for Nxt.. and found it to be "cryptoeconomically secure"

Lemma 3.0.3. The NXT algorithm described above satisfies the conditions for being a cryptoeconomically secure entropy source.

Proof. To prove unpredictability, we note that the NXT blockchain produces a block every minute, and so the update $v \leftarrow \mathrm{sha256}(v, V(\beta))$ takes place once a minute. During each round of updating, there is a probability $1 - p_o(60)$ that the primary signer will be online, and $p_o(60)$ that the signer will be offline and thus a secondary signer will need to produce the block. Hence, after $\frac{1}{-\log(p_o(60))}$ blocks, there is a probability $p \approx \frac{1}{2}$ that the resulting value will be the “default value” obtained from updating $v$ with the primary signers’ public keys at each block, and a $p \approx \frac{1}{2}$ probability that the resulting value will be different. We model 512 iterations of this process as a tree, with all leaves being probability distributions over sequences of 512 public keys of signers, where all probability distributions are disjoint (ie. no sequence appears with probability greater than zero in multiple leaves). By random-oracle assumption of sha256, we thus know that we have a set of $2^{512}$ independently randomly sampled probability distributions from $\{0, 1\}^{256}$, and so each value will be selected an expected $\{0, 1\}^{256}$ times, with standard deviation $2^{128}$. Hence, the probability distribution is statistically indistinguishable from a random distribution.

To show that the first uninfluenceability criterion holds true, note that the only way to manipulate the result is for the block proposer to disappear, leading to another proposer taking over. However, this action is costly for the proposer as the proposer loses a block reward. The optimal strategy is to disappear with probability $0 < q \le 1$ only when the predicate will be unsatisfied with the proposer participating but will be satisfied with the next proposer participating; if a predicate has probability $p$ this entails disappearing $p * (1 - p) * q$ of the time, meaning that the predicate will be satisfied $p + p * (1 - p) * q$ of the time instead of $p$ of the time, a probability increment of $p * (1 - p) * q$ will have a cost of $p * (1 - p) * q * R$ if $R$ is the signing reward (whose real value is proportional to the quantity of transaction fees, a reasonable metric of economic activity). Hence, the desired condition holds true with $b = 1$.

To show that the second uninfluenceability criterion holds true, note that when one is not the signer, one has no influence on the entropy, and when one is the signer one has the ability to not sign and instead defer to the next signer. Hence, an attacker controlling $\frac{1}{k}$ of all signing slots will be able to defer to the second signer $\frac{1}{k}$ of the time, to the third signer $\frac{1}{k^2}$ of the time (by being in the first two slots simultaneously), etc, so in total such an attacker will on average be able to choose between $1 + \frac{1}{k-1}$ values and thus multiply the probability of a desired predicate by a factor of $1 + \frac{1}{k-1}$. If the attacker controls $\frac{1}{3}$ of all signing slots, the result will thus be increasing the probability by a factor of $\frac{3}{2}$.

***********
it seems vitalik made a proof about NXT algo
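
The second uninfluenceability bound from the excerpt above, worked through as an added example (not code from the paper or from any post in this thread). It assumes the excerpt's model, in which each slot belongs to the attacker independently with probability 1/k and each candidate value satisfies the predicate independently with probability p; all function names are made up for the illustration.

```python
"""Deferral bound for a signer holding 1/k of all signing slots."""
import random
from fractions import Fraction


def max_factor(k):
    """Expected number of values the attacker can choose between.

    1 + 1/k + 1/k^2 + ... = 1 + 1/(k-1), the factor quoted in the excerpt.
    """
    return 1 + Fraction(1, k - 1)


def boosted_probability(p, k):
    """Exact probability that the predicate ends up satisfied.

    With J leading attacker slots the attacker picks among J + 1 values:
        P(J = j) = a^j * (1 - a)        with a = 1/k
        P(all J + 1 values miss) = (1 - p)^(j + 1)
    Summing the geometric series over j gives p / (1 - a * (1 - p)).
    """
    a = Fraction(1, k)
    p = Fraction(p)
    return p / (1 - a * (1 - p))


def boost_factor(p, k):
    """How much the attacker multiplies p; tends to max_factor(k) as p -> 0."""
    return boosted_probability(p, k) / Fraction(p)


def simulate(p, k, trials=100_000, seed=1):
    """Monte Carlo cross-check of the model (seeded, so it is repeatable).

    Returns (fraction of rounds with predicate satisfied, mean number of
    values the attacker could choose between).
    """
    rng = random.Random(seed)
    hits = 0
    total_choices = 0
    for _ in range(trials):
        choices = 1                      # the value produced by the first slot
        while rng.random() < 1 / k:      # attacker owns this slot too: can defer
            choices += 1
        total_choices += choices
        if any(rng.random() < p for _ in range(choices)):
            hits += 1
    return hits / trials, total_choices / trials


if __name__ == "__main__":
    for p in (Fraction(1, 1000), Fraction(1, 10), Fraction(1, 2)):
        print(f"k=3 p={float(p):<6} factor={float(boost_factor(p, 3)):.4f} "
              f"(bound {float(max_factor(3))})")
    print("simulated (p=0.5, k=3):", simulate(0.5, 3))
```

Under this model the 3/2 figure is an upper bound that is approached for rare predicates; for p = 1/2 and k = 3 the exact multiplier is 6/5.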


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 07, 2015, 04:39:33 PM
Vitalik may have just done the proof you were looking for for Nxt...

Thanks for the info and I applaud efforts like this to formalize the consensus problem.  My take on what Vitalik has done is that he's defined a term "crypto-economically secure entropy source" and then provided what he claims is a proof that the Nxt algorithm[1] satisfies this.  But note that even if the proof is correct, and even if the definition of "crypto-economically secure entropy source" is useful, it is still a far cry from convincingly showing that "Nxt is as secure as Bitcoin."

Let's take a closer look: Vitalik specifies that a "crypto-economically secure entropy source" should possess (a) unpredictability and (b) uninfluenceability.  In plain words, his definition of "unpredictability" just means that, given enough time, the "state" of the currency system at some finite time in the future cannot be determined with information available in the present moment.  Regardless of whether the system became fully unpredictable 10 minutes or 100 years in the future, his condition would be satisfied.  Also note that his proof is only valid in the case where p0(60) is nonzero, which is not true at least in the trivial case where an attacker is in control of 100% of the active accounts.  

His definition for uninfluenceability (I) just says that there's a minimum cost for an attacker to influence the probability of some blockchain event.  Even if the cost is very small, and even if the event he's influencing is very significant, his definition would still be satisfied.  

His definition for uninfluenceability (II) is confusing to me.  He says that an attacker controlling k of the stake should be unable to change the probability of some event to more than p' = p*(1+b) for some constant b.  But there's always a constant value of b that would make p' = 100%.  Perhaps I'm misinterpreting something, but if an attacker controlled 0.1% of the stake and could influence the outcome 100% of the time, his definition of uninfluenceability would still be satisfied [although such a system would be very influenceable].

Anyways, I'm not trying to be critical of Vitalik's efforts, I'm just pointing out that the results applied to Nxt may not be very significant in terms of Nxt's actual security properties.

[1] Neglecting the algorithm for how nodes that were previously offline determine the best blockchain out of many valid candidate blockchains upon rejoining the network.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 07, 2015, 04:57:35 PM
Thanks for response.  

I'd like to re-word this in a way that doesn't use the term "software"; the software is an implementation of a protocol.  A node is free to use different software provided it's compatible with the protocol.

I'd also like to re-word your description in a way that doesn't make statements about what is or isn't possible (e.g., the last sentence in your description), unless we can prove this mathematically.  In other words, I only want to describe how a node picks the best chain from multiple candidate chains.  

How's this:

============
Upon rejoining the network, a node considers valid chains where:

(1) the generation signatures form a cryptographic chain linking back to Nxt's genesis block,
(2) all transactions are permitted according to the protocol rules.

If more than one valid chain exists, the operator of the node would analyze each chain, calculating the ratio of transactions that belong to participants that were well-known to the node prior to him leaving, to transactions from other participants.  For each chain, the node applies a deterministic formula to get a score based on these ratios:

   score 1 = fcn(candidate chain 1)
   score 2 = fcn(candidate chain 2)
   …
   score n = fcn(candidate chain n)

The node would select the chain that had the highest score.  
============

There are 2 rules for consensus in Nxt. Good old "longest chain wins" for short range (used by up-to-date nodes) and "stick to the economic cluster" for long range (used by catching up nodes). There is no hard line between the rules, but if you suddenly join a wrong branch and make a payment then the counterparty won't see your transaction (you both must be on the same branch). The incentive to stay on the same branch is forced by economical laws, not by mathematical ones. I doubt you can formalize this with pure mathematical notation.

Thanks for the info, CFB.

I believe I fully understand the "longest chain wins" consensus rule for up-to-date nodes, but I'm still confused by the "stick to the economic cluster" rule for nodes that are catching up.  

You mentioned that the incentives to stay on the same branch are economic.  I take this to mean that upon rejoining the network, a node cannot determine the correct chain with perfect reliability from several candidate chains using only information contained in the chains.  The node needs to acquire new information (e.g., the last version of Nxt or other information from peers) in order to figure which chain is best.  But I think what you're saying is that this should be "obvious" and sort of like "how do you know if you're connected to the REAL Internet when you rejoin and not a fake one?  Haha...eventually you realize that none of your friends are getting your messages!!"


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 07, 2015, 05:20:08 PM
You mentioned that the incentives to stay on the same branch are economic.  I take this to mean that upon rejoining the network, a node cannot determine the correct chain with perfect reliability from several candidate chains using only information contained in the chains.  The node needs to acquire new information (e.g., the last version of Nxt or other information from peers) in order to figure which chain is best.  But I think what you're saying is that this should be "obvious" and sort of like "how do you know if you're connected to the REAL Internet when you rejoin and not a fake one?  Haha...eventually you realize that none of your friends are getting your messages!!"

Scenario 1

Alice has never used Nxt. Bob (her friend) tells her how cool it is. Alice downloads the client software. Bob sends her the hash of one of the recent blocks that his software sees. She copy-pastes the hash into the client and lets the software pick the same chain.

Scenario 2

Charlie is a guy who has no friends. He orders "50 shades of grey" DVD. He runs the client and downloads blocks for the last 6 months. Then he makes the payment to the DVD store. If the store is on the same branch then they will see his payment, otherwise they will inform Charlie that he should pick the branch that contains the block with <insert recent block hash here> hash.

Scenario 3

Dave buys 1000 NXT on Coinbase with USD and withdraws them to his wallet. In the interface of the website he sees that the transaction is done. If his wallet doesn't show the transaction then he copy-pastes the hash of a recent block from Coinbase site (or the wallet can pull this automatically) and jumps to the same branch.

Scenario 4

Eve always buys food in Walmart. She adjusts settings of her wallet to connect to Walmart website to ask for recent block hash, just to make sure that they are on the same branch.


This is how Economic Clustering works. It's perfectly legit to have Nxt blockchain forked several times. At some point you have to decide what branch to stick to.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 07, 2015, 07:19:57 PM
You mentioned that the incentives to stay on the same branch are economic.  I take this to mean that upon rejoining the network, a node cannot determine the correct chain with perfect reliability from several candidate chains using only information contained in the chains.  The node needs to acquire new information (e.g., the last version of Nxt or other information from peers) in order to figure which chain is best.  But I think what you're saying is that this should be "obvious" and sort of like "how do you know if you're connected to the REAL Internet when you rejoin and not a fake one?  Haha...eventually you realize that none of your friends are getting your messages!!"

Scenario 1

Alice has never used Nxt. Bob (her friend) tells her how cool it is. Alice downloads the client software. Bob sends her the hash of one of the recent blocks that his software sees. She copy-pastes the hash into the client and lets the software pick the same chain.

Scenario 2

Charlie is a guy who has no friends. He orders "50 shades of grey" DVD. He runs the client and downloads blocks for the last 6 months. Then he makes the payment to the DVD store. If the store is on the same branch then they will see his payment, otherwise they will inform Charlie that he should pick the branch that contains the block with <insert recent block hash here> hash.

Scenario 3

Dave buys 1000 NXT on Coinbase with USD and withdraws them to his wallet. In the interface of the website he sees that the transaction is done. If his wallet doesn't show the transaction then he copy-pastes the hash of a recent block from Coinbase site (or the wallet can pull this automatically) and jumps to the same branch.

Scenario 4

Eve always buys food in Walmart. She adjusts settings of her wallet to connect to Walmart website to ask for recent block hash, just to make sure that they are on the same branch.


This is how Economic Clustering works. It's perfectly legit to have Nxt blockchain forked several times. At some point you have to decide what branch to stick to.

OK, I think I can see clearly how Nxt solves the problem of "after leaving the network for some length of time, how does a node determine the current state of the blockchain?", and how Nxt's solution is different than Bitcoin's.  

A Bitcoin node does not need any new information beyond what is encoded in the candidate blockchains themselves.  It applies a systematic and predefined function/procedure to each candidate blockchain:  

   cumulative work 1 = fcn(candidate chain 1)
   cumulative work 2 = fcn(candidate chain 2)
   …
   cumulative work n = fcn(candidate chain n)

and, for example, if Candidate Chain #2 has the highest value for cumulative work, it picks this chain as the best chain.  

Nxt is different, because the node relies on new information in addition to what's encoded in the candidate blockchains:

   best chain = fcn(candidate chain 1, candidate chain 2, … , candidate chain n, NEW INFORMATION FROM PEERS)

in order to select the best chain.  


I don't want to argue the validity of either of these methods; what I'm trying to do is formalize how the methods are different, and I think I've done that.  

BITCOIN: a node rejoining the network can determine the best chain without any new information besides what is encoded in the candidate blockchains.

NXT: a node rejoining the network needs new information in addition to what's encoded in the candidate blockchains.  


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Come-from-Beyond on April 07, 2015, 07:56:33 PM
I don't want to argue the validity of either of these methods; what I'm trying to do is formalize how the methods are different, and I think I've done that.  

Ok. For others I'd like to add that Nxt's approach solves problems like the famous Bitcoin Fork 2013 (https://bitcoin.org/en/alert/2013-03-11-chain-fork) in a decentralized manner (without the necessity of having a developer say what branch to follow).


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 07, 2015, 08:15:18 PM
This is good thread  :)


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: YarkoL on April 08, 2015, 07:57:58 AM
This is good thread  :)

Certainly sheds illumination on many things. :)


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 10, 2015, 09:39:32 AM
@Peter R, you might be interested in an expansion of CfB's last comment here:

https://nxtforum.org/general-discussion/on-economic-clusters-and-the-longest-chain/

It is an "essay about Economic Clustering and The Longest Chain written by BCNext".


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: allwelder on April 13, 2015, 09:19:31 AM
Thanks for response.  

I'd like to re-word this in a way that doesn't use the term "software"; the software is an implementation of a protocol.  A node is free to use different software provided it's compatible with the protocol.

I'd also like to re-word your description in a way that doesn't make statements about what is or isn't possible (e.g., the last sentence in your description), unless we can prove this mathematically.  In other words, I only want to describe how a node picks the best chain from multiple candidate chains.  

How's this:

============
Upon rejoining the network, a node considers valid chains where:

(1) the generation signatures form a cryptographic chain linking back to Nxt's genesis block,
(2) all transactions are permitted according to the protocol rules.

If more than one valid chain exists, the operator of the node would analyze each chain, calculating the ratio of transactions that belong to participants that were well-known to the node prior to him leaving, to transactions from other participants.  For each chain, the node applies a deterministic formula to get a score based on these ratios:

   score 1 = fcn(candidate chain 1)
   score 2 = fcn(candidate chain 2)
   …
   score n = fcn(candidate chain n)

The node would select the chain that had the highest score.  
============

There are 2 rules for consensus in Nxt. Good old "longest chain wins" for short range (used by up-to-date nodes) and "stick to the economic cluster" for long range (used by catching up nodes). There is no hard line between the rules, but if you suddenly join a wrong branch and make a payment then the counterparty won't see your transaction (you both must be on the same branch). The incentive to stay on the same branch is forced by economical laws, not by mathematical ones. I doubt you can formalize this with pure mathematical notation.
Communism needs cooperation from all of us. :)


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Peter R on April 14, 2015, 10:40:20 PM
OK, I think it's fairly clear that a formal difference between the consensus algorithms for PoW and PoS comes down to whether or not a node "catching-up" may need new information beyond what is encoded in the blockchain.  

A PoS node rejoining the network may need supplementary information beyond what's encoded in the blockchain to determine the best chain (e.g., the economic clustering method), while a PoW node can determine the best chain strictly from what's encoded in the blockchain.  

This brings up my next question: I hear people talk about "weak subjectivity" in relation to PoS.  Is the fact that a new node may need additional information why the term "weak subjectivity" exists?  ...A PoW node can determine the best chain in a strictly objective manner, whereas a PoS node needs to rely on weakly-subjective new information?

Once again, I'm not trying to argue in favour of PoS over PoW or vice versa.  I'm just trying to wrap my head around the specific differences.  


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: smooth on April 15, 2015, 12:53:18 AM
Let's conduct a thought experiment. Imagine that the network split for 24 hours and there are 2 competing branches. Thousands of transactions are processed, thousands of goods are delivered to the buyers. Now the network is merged and we see that the longest chain contains only 30% of the transactions but the shortest the remaining 70%. Which network will win? BCNext thinks that the shortest one, coz economic majority will decide to lose less than more (we assume that loss is proportional to number of rolled back transactions), and I tend to agree with him. The reader is free to have another opinion of coz.

Another experiment. 20% of Bitcoin economy that owns 65% of hashing power decided to fork Bitcoin and add unlimited supply of the coins. Let's assume that they would mine 25 BTC per block forever. There are no other differences. What blockchain will a new user download? Of coz the one with unlimited supply because "the longest chain wins". Will the user agree on that? I doubt he will choose 20% of economy instead of 80%. And again we see that economic laws are more important than "mathematical" ones.

These two cases are quite different.

In the first case, both chains are valid according to the protocol definition. In the second case they are not.

It is possible that "economic majority" would win over protocol in the first case, but I'm not sure about that. Although people conducting trade on the shorter branch stand to lose money, and that interest is stronger in the short term, it may still be the case that respecting the integrity of the protocol is viewed as more valuable because that is something that protects everyone, including those losing money in this particular instance, in the long term.

In the second case there is no issue here. A chain that does not conform to the protocol is not a valid chain at all, therefore it can't be the longest chain. It's just garbage.

There is a variation of the second case where the economic majority decides to change the protocol. That is more interesting.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: LiQio on April 15, 2015, 04:23:25 AM
 ...
This brings up my next question: I hear people talk about "weak subjectivity" in relation to PoS.  Is the fact that a new node may need additional information why the term "weak subjectivity" exists?  ...A PoW node can determine the best chain in a strictly objective manner, whereas a PoS node needs to rely on weakly-subjective new information?
...

I don't know if this is a generally accepted "definition" or the true origin of the term, but V. Buterin put it that way:

Quote
Weakly subjective:
a new node coming onto the network with no knowledge except (i) the protocol definition, (ii) the set of all blocks and other “important” messages that have been published and (iii) a state from less than N blocks ago that is known to be valid can independently come to the exact same conclusion as the rest of the network on the current state, unless there is an attacker that permanently has more than X percent control over the consensus set.

Under this model, we can clearly see how proof of stake works perfectly fine: we simply forbid nodes from reverting more than N blocks, and set N to be the security deposit length. That is to say, if state S has been valid and has become an ancestor of at least N valid states, then from that point on no state S’ which is not a descendant of S can be valid.

Source: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
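
Peter R's formal distinction earlier in the thread (best chain from chain data alone versus best chain plus new information from peers) and the weak-subjectivity rule quoted just above, side by side as an added example. This is not code from Bitcoin, Nxt or any post here: the block model, function names and sample branches are constructed for illustration, and the "trusted hash" stands for the recent block hash passed out-of-band in CfB's scenarios.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    parent: str    # digest of the previous block ("" for genesis)
    payload: str   # stand-in for the block's transactions
    work: int = 1  # stand-in for the weight this block adds to its chain

    @property
    def digest(self):
        data = f"{self.parent}|{self.payload}|{self.work}".encode()
        return hashlib.sha256(data).hexdigest()


def extend(chain, payloads):
    """Return a new chain with one block appended per payload."""
    chain = list(chain)
    for payload in payloads:
        chain.append(Block(chain[-1].digest if chain else "", payload))
    return chain


def is_valid(chain, genesis_digest):
    """Every block links to its predecessor, back to the agreed genesis."""
    linked = all(b.parent == a.digest for a, b in zip(chain, chain[1:]))
    return bool(chain) and chain[0].digest == genesis_digest and linked


def objective_choice(candidates, genesis_digest):
    """Score depends only on what is encoded in each candidate chain."""
    valid = [c for c in candidates if is_valid(c, genesis_digest)]
    return max(valid, key=lambda c: sum(b.work for b in c))


def checkpoint_choice(candidates, genesis_digest, trusted_digest):
    """New information from a peer (a recent block hash) selects the branch."""
    valid = [c for c in candidates if is_valid(c, genesis_digest)
             and any(b.digest == trusted_digest for b in c)]
    if not valid:
        raise LookupError("no candidate chain contains the trusted block")
    return max(valid, key=len)


def reverted_blocks(known, candidate):
    """How many blocks of the node's last known chain the candidate discards."""
    shared = 0
    for mine, theirs in zip(known, candidate):
        if mine != theirs:
            break
        shared += 1
    return len(known) - shared


def weakly_subjective_choice(candidates, genesis_digest, known, n):
    """Refuse any candidate that reverts more than n blocks of `known`."""
    valid = [c for c in candidates if is_valid(c, genesis_digest)
             and reverted_blocks(known, c) <= n]
    if not valid:
        raise LookupError("every candidate reverts more than n known blocks")
    return max(valid, key=len)


# Constructed sample data: the node went offline knowing TRUNK (5 blocks).
TRUNK = extend([], ["genesis", "t1", "t2", "t3", "t4"])
BRANCH_A = extend(TRUNK, ["a1", "a2", "a3", "a4"])                # 9 blocks
BRANCH_B = extend(TRUNK[:2], [f"b{i}" for i in range(10)])        # 12 blocks
GENESIS = TRUNK[0].digest

if __name__ == "__main__":
    cands = [BRANCH_A, BRANCH_B]
    print("objective        ->", len(objective_choice(cands, GENESIS)), "blocks")
    print("peer checkpoint  ->", len(checkpoint_choice(
        cands, GENESIS, BRANCH_A[6].digest)), "blocks")
    print("revert limit N=2 ->", len(weakly_subjective_choice(
        cands, GENESIS, TRUNK, 2)), "blocks")
```

BRANCH_B discards three of the five blocks the node already knew, so it wins under the objective rule but is rejected once N = 2; with N = 3 it would be accepted again.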


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: YarkoL on April 15, 2015, 07:28:08 AM
OK, I think it's fairly clear that a formal difference between the consensus algorithms for PoW and PoS comes down to whether or not a node "catching-up" may need new information beyond what is encoded in the blockchain.  

A PoS node rejoining the network may need supplementary information beyond what's encoded in the blockchain to determine the best chain (e.g., the economic clustering method), while a PoW node can determine the best chain strictly from what's encoded in the blockchain.  

This brings up my next question: I hear people talk about "weak subjectivity" in relation to PoS.  Is the fact that a new node may need additional information why the term "weak subjectivity" exists?  ...A PoW node can determine the best chain in a strictly objective manner, whereas a PoS node needs to rely on weakly-subjective new information?

Once again, I'm not trying to argue in favour of PoS over PoW or vice versa.  I'm just trying to wrap my head around the specific differences.  


Based on what I've read here, it appears that term "best chain" is
no longer meaningful in NXT. If I understand correctly, it is perfectly
fine for multiple exclusive fork-branches to exist.

On the other hand, even with "economic clustering" there will be, I suppose,
the "best" chain - that's where McDonalds etc are. But that would not be "best"
in any formal sense at all, even if in practice it would be the most
favored one.

If that is so, the consensus algorithms of Bitcoin and NXT aren't
all that comparable.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 15, 2015, 10:12:53 AM
Short term consensus in Nxt is still "best chain" or "chain with most work".

Economic Clustering is for long term consensus after a break and you haven't kept up with the blockchain.


So, a new user starts their node and goes to McDonald's or whoever they want to send transactions to (they both have to be on the same chain for them to be valid). A large enough cluster will reinforce itself for the same reason and forks tend towards 1. Once the new user is up to date with the blockchain, economic clustering is no longer required. The user is then competing with McDonald's or whoever to create the "chain with the most work wins" to determine short term consensus.


That is my understanding. CfB has said in the past that BTC and NXT are very similar, if you consider each Nxt a small mining rig.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: YarkoL on April 15, 2015, 10:34:42 AM
So, a new user starts their node and goes to McDonald's or whoever they want to send transactions to (they both have to be on the same chain for them to be valid). A large enough cluster will reinforce itself for the same reason and forks tend towards 1

So far it is unclear to me how the size of a cluster
eliminates forks.

What about this scenario: Alice wants to buy an ounce
of weed from SilkRoadNXT. So Bob passes her a blockhash
and she can sync with the branch where SilkRoadNXT is.

Afterwards she gets the munchies, so she wants
to buy a burger from McDonalds. She again calls Bob, who
gives her a hash from the chain with McDonalds.

And from now on, she has two NXT wallets or accounts on
her desktop: one for the weed, one for the burgers.  (Until
eating meat gets criminalized of course)


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 15, 2015, 10:38:46 AM
So, a new user starts their node and goes to McDonald's or whoever they want to send transactions to (they both have to be on the same chain for them to be valid). A large enough cluster will reinforce itself for the same reason and forks tend towards 1

So far it is unclear to me how the size of a cluster
eliminates forks.

What about this scenario: Alice wants to buy an ounce
of weed from SilkRoadNXT. So Bob passes her a blockhash
and she can sync with the branch where SilkRoadNXT is.

Afterwards she gets the munchies, so she wants
to buy a burger from McDonalds. She again calls Bob, who
passes her a hash from the chain with McDonalds.

And from now on, she has two NXT wallets or accounts on
her desktop: one for the weed, one for the burgers.  (Until
eating meat gets criminalized of course)

Why would Silkroad and McDonald's choose to be on different chains? There is an incentive for everyone to be on the same chain. If you deliberately fork with 1% of the stake, you are giving people a disincentive to use your chain as you will only be able to transact with 1% of the economy (and the 1% transactions wouldn't be accepted by the 99%).


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: YarkoL on April 15, 2015, 10:47:23 AM

Why would Silkroad and McDonald's choose to be on different chains? There is an incentive for everyone to be on the same chain. If you deliberately fork with 1% of the stake, you are giving people a disincentive to use your chain as you will only be able to transact with 1% of the economy.

Well maybe McD would announce they'll
have nothing to do with Silkroad and want
a clean, family-friendly fork.

And if that happened, users who wanted
both services would then have to use two wallets,
right?


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 15, 2015, 10:56:37 AM

Why would Silkroad and McDonald's choose to be on different chains? There is an incentive for everyone to be on the same chain. If you deliberately fork with 1% of the stake, you are giving people a disincentive to use your chain as you will only be able to transact with 1% of the economy.

Well maybe McD would announce they'll
have nothing to do with Silkroad and want
a clean, family-friendly fork.

And if that happened, users who wanted
both services would then have to use two wallets,
right?

By the same token, maybe they would start their own interwebs as they want a clean, family friendly net? I don't think this is a likely scenario.

If they did do it deliberately, they would be effectively leaving the network and starting on their own. It would be like "Physical Silkroad" moving its one department store from America to Tahiti. Their user base and economy are drastically reduced.

Maybe CfB can answer definitively (he wrote Economic Clustering).


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: YarkoL on April 15, 2015, 10:58:18 AM
Their user base and economy are drastically reduced.

Why, if you can run multiple wallets on
different branches?


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 15, 2015, 11:14:07 AM
Their user base and economy are drastically reduced.

Why, if you can run multiple wallets on
different branches?


In Wallet A you have 100.

McDonalds forks the network with their 5% stake. So now you have Wallet A with 100 and Wallet B with 100.

You sell a DVD for 100 on the original A network (95% of economy) and buy a burger for 100 on network B.

Your new balances are A = 200, B = 0.

McDonald's then tries to buy supplies for 100 they got from B. There is no one who wants to accept their transactions as the economy is so small, there are no fries suppliers running nodes on network B. They are all still doing business on network A.

McDonald's can't spend that 100 Nxt on chain A as that 100 is still in wallet A (+100 they got for the DVD). The transaction that moved those coins to McDonald's was on network B. McDonald's tries to convert the 100 to fiat to pay their suppliers. All the exchanges still run network A so they aren't interested in converting their forked coins from network B.

McDonald's decides to rejoin chain A rather than go out of business, so all network B's transactions never happened (no nodes running B = no network or history). McDonald's has an economic incentive to stay with the main chain if it wants to stay in business. Users have an economic incentive to stay on the main chain if they want their coins to be useful for transacting with businesses.


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: YarkoL on April 15, 2015, 11:33:55 AM
I applaud you for attempting to spell
it out in so concrete terms. I think I understand
the argument, but


McDonald's then tries to buy supplies for 100 they got from B. There is no one who wants to accept their transactions as the economy is so small, there are no fries suppliers running nodes on network B. They are all still doing business on network A.

Is this a realistic assumption? Wouldn't the fries suppliers have an
incentive to follow and open up an account on the branch with McDonald's, so as
not to lose their large customer? And all the people with a liking
for hamburgers? Especially since they all - including McDonald's -
can still run wallets on the other forks.

I'm just not convinced that economic incentives are enough to
keep everyone on the same boat. To me they could under certain
circumstances encourage splitting. Please note that I don't think
this is necessarily a bad thing at all.



Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: LiQio on April 15, 2015, 12:06:48 PM
I applaud you for attempting to spell
it out in so concrete terms. I think I understand
the argument, but


McDonald's then tries to buy supplies for 100 they got from B. There is no one who wants to accept their transactions as the economy is so small, there are no fries suppliers running nodes on network B. They are all still doing business on network A.

Is this a realistic assumption? Wouldn't the fries suppliers have an
incentive to follow and open up an account on the branch with McDonald's, so as
not to lose their large customer? And all the people with a liking
for hamburgers?
Especially since they all - including McDonald's -
can still run wallets on the other forks.

I'm just not convinced that economic incentives are enough to
keep everyone on the same boat. To me they could under certain
circumstances encourage splitting. Please note that I don't think
this is necessarily a bad thing at all.



They could eat for free in economy B -> this alone should incentivize McDonalds not to stay in economy B and switch back to A asap

(btw. those examples make me hungry)


Title: Re: Concise but complete technical description of various proof-of-stake (PoS) schemes?
Post by: Daedelus on April 15, 2015, 12:06:56 PM
The problem is, if McDonald's goes alone then network B basically becomes Disney dollars or a loyalty scheme. Network B transactions are only accepted or have value in one place: McDonald's. And they can decide to suspend that at any time without notice or recourse by shutting down network B (granted, they could take them to court in this case but why take the risk when McDonald's could just continue on network A?) Anyone can choose to accept them if they want, but why would they?

It would be like accepting payments from McD's in airmiles or the like, one of your suppliers will need to accept airmiles as payment or you are digging yourself into a hole. Lots of expenses and nothing of value to others that you can use to pay them. Sooner or later, you will have to stop accepting airmiles and go back to the original (e.g. dollars) just to stay in business.


The economic majority holds the balance of power. There is nothing stopping McDonald's forking. But they can't force anyone to use their chain. And, as shown above, there can't be any interaction between the two chains so the fork would need the economic majority for it to stand a chance of surviving long term. i.e. McDonalds forks and takes a fries supplier, a logistics company, a cow farmer, a butcher and 1 billion customers etc. with them and tries to make a sustainable economy.


Another way of thinking of the forking. It would be the same as McDonald's being on the Nxt network but then announcing they are only going to pay suppliers only in a 3 node, $5000 POS coin that is at #970 on CMC (a small economy of limited number of users). Or going from USD to [Island Nation form of currency].  It doesn't make economic sense for them or for their suppliers to follow. Any payments their suppliers receive in the mean time are likely to be worth nothing in the long term as the economy is too small and is most likely to fail.

I would say it is more of an assumption, it follows logic given the economic rules (self interest in preserving the value you have).