|
The crypto in Zerocash is really neat (quadratic span programs, et al). But both Zerocash and Zerocoin are not immune if ever the NSA (or any one) has a quantum computer because they use bilinear pairings and double discrete logarithm trapdoors respectively which are factorable with Shor's algorithm. We would need instead Zero Knowledge employing a McEliece or Niederreiter binary Goppa codes style trapdoor instead, which so far remain theoretically immune to complexity reduction with a quantum algorithm.
Remember this. It is impossible to do Zero Knowledge Proof without a trap door. Thus a one-way hash (like SHA256) can't be used to do ZKP. Zerocash uses hashes but these are not the trapdoor.
I could explain this and Fiat-Shamir's transform to the average reader here, but I don't have time. And I think they don't really need to know.
|
|
|
|
The summary thus far of my analysis of Darksend is that Evan has put into place adequate mechanisms to disincentivize theft of the collateral payments and to disincentivize Sybil attacking the inputs to a Darksend with legitimate Darksends.
The weaknesses (w.r.t. to anonymity) are that Masternodes can be purchased and if the adversary has too many of them, they can reduce your probability of anonymity unless you send your funds through dozens of Darksends between each receipt or spend transaction. If the adversary controlled 90% of the Masternodes, it would nearly impossible to be anonymous more than say 99% of the time, i.e. 1 in 100 of your spends would lose anonymity. Evan argues that attaining a lot of Masternodes is too expensive. Well probably so for the common criminal, but I am not convinced that is so for the NSA.
1 in 100 may not sound bad, but remember that loss of anonymity tends to domino cascade (for the holistic reasons I pointed out in my reply to LimLims on this page). And that is for the person who is extremely diligent to do dozens of Darksends between each spend. Most users are not so perfectionist. So for them anonymity could drop significantly.
The other weakness is that it is not yet mandatory to use an IP mixer such as Tor with Darksend, and if not all of the participants to the Darksend are obfuscating their IP, then the anonymity probability declines. Note that even if Darksend makes Tor mandatory, Tor is not the best we can do for an IP mixer. It is unknown how effective Tor is. Some might estimate 80 - 95%. Others might pull 50% out of their arse. I really don't know, but I don't trust Tor entirely. This combined with say 20% of the Masternodes compromised (and a little bit of normal human error on your part such as forgetting to send dozens of Darksends for each coin your receive) can also make it unrealistic to repeatedly sustain very military grade strength of anonymity. (But who said you wanted military grade assurance? Some do, some may not require it)
Darksend has anonymity. Darkcoin is an anonymity coin. The strength of the anonymity depends on the resources and resolve of the adversary versus the Darkcoin user.
I am still trying to think of suggestions to improve it.
I think the current state of things will be great for a V1 release, however what about the following strategy for V2: Step 1: Users submit their inputs to master node, with collateral Step 2: Users submit outputs and blind signature Step 3: If missing an output, the master node will ask for users to send inputs/outputs. The missing user in step 2 will be charged collateral, then step 1 begins again without the bad actor. To attack this, you must be in control of the master node and would have to pay the collateral to de-anonymize. edit: nm, the master node could just lie and deanonymize everything it sees Also don't forget the Masternode can't correlate a blinded output if the collateral doesn't accompany the blinded output. That one keeps getting me too, which is why I wrote it down in a post as follows so I wouldn't forget: In case readers don't understand why the collateral payments can't be associated only with the inputs and not the outputs, it is because the outputs are blind signed. So if output signing fails, then there is no way for inputs to prove they signed the outputs in order to isolate the adversary(ies) who didn't.
So this is why output signing has to be correlated to inputs. This is what breaks the anonymity in terms of allowing Sybil attacks on master nodes (see my calculation example upthread).
Then apparently we also have the problem that collateral payments can be stolen by Sybil attacking master nodes (and miners/pools if the payments go to them), but still waiting to finish that discussion.
|
|
|
|
|
I edited my summary of the anonymity situation in Darkcoin. Please re-read.
|
|
|
|
I hope readers find my posts helpful? ZeroCash is going public in a few months time ~20 May. Regardless of whether they have anything tangible or just a published paper,
I don't think they will have beta-test level code then. This is about not being drowned out and then being considered a clone.
No way Darkcoin can be considered a clone, as Zerocash completely hides the payer, payee, and the amount of transactions. The block chain is a complete fog. Zerocoin doesn't do this. Zerocash will have some positive spin. They will talk about e-cash and anonymity.
They will make the point I just wrote above. What they won't talk about are the problems with the project.
The main weakness of Zerocash is it adds an additional 3 minutes between check out and completion of payment. (Add that on top of Bitcoin's 10 - 60 minutes, or Litecoins 2.5 - 15 minutes). Zerocoin doesn't have this problem. The main weakness of Zerocash and Zerocoin are they depend on new crypto which hasn't been subjected to years of cryptanalysis, and if you put it on the block chain, then it is later cracked, the entire coin is potentially F.U.B.A.R.. Whereas Darksends are offchain! Even if you crack the crypto of Darksend (which uses very old well vetted crypto), the block chain remains uncracked! The other weakness of Zerocash and Zerocoin is they depend on a trusted party to create the master parameters. If anyone retains that information (even if they snooped it using the NSA's air gap detection mechanisms), they in the case of Zerocash they can create unlimited coins and nobody will even know it! In other words, the coin supply becomes unknowable!! I am not exaggerating!! Another counter point may be that each Zerocash transaction takes 9ms to verify (500ms for Zerocoin). Thus they can only put 111 transactions in a block per second per core of the CPU on the miner. Visa does 2,000 - 4,000 transactions per second, so for Zerocash to scale to global transactions needs 40 CPU cores per miner (e.g. 10 iCore i7 CPUs), not including denial-of-service transaction spam. Transaction spam could be really bad if they don't have a transaction fee or other means to control it. Any way, 40 CPU cores is not really a big problem if mining will be done only in pools. But crypto-currencies are hoping to enable microtransactions, thus the transactions per second would explode by orders-of-magnitude. Thus appears to me Zerocash is incompatible with microtransactions unless mining becomes very centralized among a few powerful pools. Centralization of mining is a severe problem with Bitcoin having onetwo or three pool with 51% of the hash power now. |
|
|
|
|
The summary thus far of my analysis of Darksend is that Evan has put into place adequate mechanisms to disincentivize theft of the collateral payments and to disincentivize Sybil attacking the inputs to a Darksend with legitimate Darksends.
The weaknesses (w.r.t. to anonymity) are that Masternodes can be purchased and if the adversary has too many of them, they can reduce your probability of anonymity unless you send your funds through dozens of Darksends between each receipt or spend transaction. If the adversary controlled 90% of the Masternodes, it would nearly impossible to be anonymous more than say 99% of the time, i.e. 1 in 100 of your spends would lose anonymity. Evan argues that attaining a lot of Masternodes is too expensive. Well probably so for the common criminal, but I am not convinced that is so for the NSA.
1 in 100 may not sound bad, but remember that loss of anonymity tends to domino cascade (for the holistic reasons I pointed out in my reply to LimLims on this page). And that is for the person who is extremely diligent to do dozens of Darksends between each spend. Most users are not so perfectionist. So for them anonymity could drop significantly if the adversary has such huge resources.
The other weakness is that it is not yet mandatory to use an IP mixer such as Tor with Darksend, and if not all of the participants to the Darksend are obfuscating their IP, then the anonymity probability declines. Note that even if Darksend makes Tor mandatory, Tor is not the best we can do for an IP mixer. It is unknown how effective Tor is. Some might estimate 80 - 95%. Others might pull 50% out of their arse. I really don't know, but I don't trust Tor entirely. This combined with say 20% of the Masternodes compromised (and a little bit of normal human error on your part such as forgetting to send dozens of Darksends for each coin your receive) can also make it unrealistic to repeatedly sustain very military grade strength of anonymity. (But who said you wanted military grade assurance? Some do, some may not require it)
Darksend has anonymity. Darkcoin is an anonymity coin. The strength of the anonymity depends on the resources and resolve of the adversary versus the Darkcoin user.
I am still trying to think of suggestions to improve it.
|
|
|
|
Based on these numbers (despite not factoring in sybil inputs), it seems clear that a high level of anonymity can be achieved by increasing the number of pooling stages to 10+, even if the attacker controls > 50% of nodes.
Depends. Because 50% means that your anonymity set is reduced by 50% on each round as I explained in my other post above. Example. If you are mixed with 10 others on each round, then only 5 will be anonymous (and one of the five might be you), so that means have 50% + 20% (1 in 5) chance to be non-anonymous. So 70% per round. You will need more rounds or you need larger mix sizes. This is actually not correct. A distinction needs to be made between the risk of being unmasked completely, and the reduction in the size of the set of anonymous entities in a pool. As an illustration: say we have a ballot with only two voters. We would know with 50% certainty the identity behind each vote. It's a small anonymous set of identities, but the vote is still anonymous. The lack of certainty represents a break in the causal chain. This is important for various reasons, but doesn't diminish the importance of having a large pool of anonymous identities (likewise for various reasons). So for strong anonymity we need some level of certainty of not being unmasked completely AND a sufficiently large pool of anonymous users. I posit that the distinction is meaningless as the outcomes are pushed out to the edges of the causality graph at economies-of-scale. Because at economies-of-scale, the adversary doesn't have perfect identities data, rather the NSA has statistically overlapping data sets (e.g. Tor breaks, browser fingerprints, etc), that when correlated generate identities. The NSA is not just targeting a few millionaires to know where all the wealth is being stored (so the G20 can confiscate it after 2016 as the world descends into a nightmare debt collapse), rather they are saving everything in Utah and targeting all the millionaires. Anonymity is never an all-or-nothing proposition, rather is a degree of anonymity. That is why the distinction I made between privacy and anonymity upthread has blended and disappeared as we have discussed Darksend more. (that was your point too  ) Also you have to factor in the non-anonymous rate of Tor and those inputs who didn't use Tor at all are not anonymous. This reduces your anonymity set, even if you use Tor. This is important and I don't think the ramifications of IP addresses unmasking anonymity have been adequately discussed here yet. What would be required to unmask an otherwise anonymous darksend transaction if the IP addresses were available at each of the compromised nodes? I surmise that you mean to say is if a Darksend does not pass through a compromised Masternode, then how can interception of IP address by a Tor node impact anonymity of a Darksend. Correct? If so, then my analysis is that if you see the same IP address sending the input and signing the outputs, you still don't know which output that was, because the output signing is blinded cryptographically. But it depends on how the outputs are collected. If the outputs are first sent by each IP, then separate the collection signed, then output can be correlated to IP. But if the outputs are blinded signed as they are collected using ring signatures, then knowing the IP doesn't help the adversary. So we need to ask Evan if he is using ring signatures? However even if he is using ring signatures, there is another way that interception of IP can break anonymity. When you spend the output of a Darksend, then your IP can correlate your identity to the same one as the input, and thus anonymity is broken. So yes not obfuscating IP, breaks anonymity of the Darksend. Also there is another way to break anonymity of the Darksend. If I merge two or more outputs of Darksends to form the inputs spent on a transaction, then I have correlated that those outputs share one identity (since they will look different than a Darksend mix transaction which has a constant amount and matching # of inputs and outputs). |
|
|
|
Evan how are you going to stop the adversary from flooding the Darksend will unlimited inputs? You charge a small fee?
You mean for honest transactions like a Sybil? There is a small fee that would add up of 0.001DRK Yes that is what I meant. And that seems like the correct mechanism to throttle it. |
|
|
|
It is roughly saying we won't significantly surpass $1000 in 2014. I don't know where the correctly fitted curve would be right now, so I can't project where the price should be now and where it will be nominally. I think the slope projection is more close to accurate, so we can say that if the theory is correct (that distribution of money holders is a power law distribution as the cited research and common knowledge says it always is), then price appreciation will slow down specifically to 0.05 units on the log 10 chart per month where 1 unit is 10X appreciation. So if we bottom at $400, then price after 20 months should be $4000. Again this is a very rough eyeballed fit and would expect the refined fit to have a slightly higher slope maybe 0.06, so make that 16 months instead.  The red line below is a power law distribution for B=0.5 which you can see above is the value of B I fitted.  What that distribution says is that the rich hold most of the percentage of wealth, which we know is in fact always true. And the fitting of the cumulative distribution function to BTC price is the theoretical claim that earlier adopters will be more wealthy (by now) than later ones. The research I cited points out is that the masses use money as a unit-of-exchange, not as a store-of-value. However does the Metcalf's law value of money (which Peter R has shown BTC mcap and thus price is tracking) where the value is proportional to the square of the number of nodes in the network nullify my use of a power law distribution? I.e. do the wealthy not create (proportional to their wealth) more network nodes (e.g. unique active BTC addresses) than the masses? I see the really diehard power users (e.g. SlipperySlope and Peter R) are both talking about creating a new node every day. Thus this anecdotally supports that the power law distribution applies correctly here. Thus I think we need to take this theory seriously. It might be the correct growth curve. The linear one with a least squares fit seems really out-of-touch with historical data. It totally ignores the shape of the earliest adoption curve up to July 2011. Risto's explanation was the early adopters were bad speculators and bid the price up too much, but my interpretation is they are the most wealthy now and they were the most powerful because they are early adopters. The least squares fitting of a line to a curved adoption could possibly be (confirmation bias in play as) an (emotional "to the moon") attempt to force a linear projection on a growth curve which obviously was not always linear. Has it become linear since January 2012? I very much doubt it!Convince me? Risto how do you analytically defend your linear least squares fit that makes you so sure of everything and gives you the audacity to browbeat all the bears? Add: why don't stocks follow this log-logistic curve? Maybe they do (?), if we don't compress the early adopters into a single event IPO. Also can a stock issue have network effects, i.e. does Metcalf's law apply to company shares? Seems to me yes if the shareholders network amongst themselves, but much less so than a network of money holders. Add: Fact is the slope during the runup to July 2011 was 0.33 per month. Since Jan 2012, it has been 1/4 of that 0.08 roughly. Why should we expect the slope to not decline again? Why should the pace of adoption remain constant? Seems intuitively unlikely to me. Pace of adoption should slow as we slog into the less astute demographics. Larger mass with more inertia grows more slowly than smaller mass with nimble inertia.
That is irrelevant as I have explained. What it does is reduce the network effects (merchants accepting and holding Bitcoin thus being nodes in the Metcalf law valuation) within the Bitcoin ecosystem that those holding fiat must buy BTC to attain. If everything they can buy with BTC they can also buy with fiat, then there is no great need to buy BTC with their fiat.
That was precisely my point about why lose 3-5% on double exchange, when one can just buy with their credit card for 0%.
Many people prefer to use BTC rather than credit cards, even though they can use either, because BTC is faster and more convenient for online payments. They buy, wait for the price to increase, then spend when needed. It's that simple. I do not think this 3-5% double exchange loss you are talking is a significant factor in whether or not people choose to use or accept Bitcoin. The 3 - 5% is an ancillary argument and not the core one. If they wish to be irrational and waste 3-5%, it doesn't mean they are part of a trend of new adopters who love to waste money. Whether Bitcoin holders continue to be interested in Bitcoin is irrelevant to the point I was making. I was making the point that if we don't create more merchants that accept only BTC, i.e. hold BTC and not just a useless facade for fiat, then there is no compelling need for non-Bitcoin owners to decide to acquire Bitcoin (if we are speaking about its demand as a currency and not as an investment). On the investment demand side, the adoption is slowing and thus due to Metcalf's Law's correlation P = 1.5 x n^2, the rate of price growth (increase) has and will continue to slow. There is no linear growth on the log 10 chart "to the moon". Price growth will moderate and we won't exceed $10,000 before 2016. (note that is still a very nice gain, just not as "to the moon"). Bitcoin's price increase after 2015 will further slow, will not exceed gold. (assuming gold bottoms around $1000 in 2015 as I expect) Remember Risto was the guy calling for $300,000 by now (I've seen others write this, I wasn't around when he purportedly made that projection). How did that work out for him? Buffet is correct, Bitcoin is just a facade for fiat. Bitpay and Peter Thiel have just put that future in concrete. Now I sit back and watch my observations wreck havok on Risto's net worth expectations and confidence. Add: slowing rate adoption can still be very large nominally, e.g. if going from 1 million to 100 million takes 3X longer it still happens. You see as Peter Thiel helps to convert Bitcoin to the government coin, the masses will come in as it will become essentially be a form of fiat with offchain services that Peter Thiel creates. Everything is running exactly to plan as how I expected it to go when I wrote Bitcoin : The Digital Kill Switch in March 2013 and first joined this community. P.S. Mining is now concentrated in one pool with greater then 51% attack hash power. And there are individual miners with 7 - 10% of the entire hash power. Everything is going exactly how I predicted. Yet people still think I am wrong. |
|
|
|
That is irrelevant as I have explained. What it does is reduce the network effects (merchants accepting and holding Bitcoin thus being nodes in the Metcalf law valuation) within the Bitcoin ecosystem that those holding fiat must buy BTC to attain. If everything they can buy with BTC they can also buy with fiat, then there is no great need to buy BTC with their fiat.
That was precisely my point about why lose 3-5% on double exchange, when one can just buy with their credit card for 0%.
Many people prefer to use BTC rather than credit cards, even though they can use either, because BTC is faster and more convenient for online payments. They buy, wait for the price to increase, then spend when needed. It's that simple. I do not think this 3-5% double exchange loss you are talking is a significant factor in whether or not people choose to use or accept Bitcoin. The 3 - 5% is an ancillary argument and not the core one. If they wish to be irrational and waste 3-5%, it doesn't mean they are part of a trend of new adopters who love to waste money. Whether Bitcoin holders continue to be interested in Bitcoin is irrelevant to the point I was making. I was making the point that if we don't create more merchants that accept only BTC, i.e. hold BTC and not just a useless facade for fiat, then there is no compelling need for non-Bitcoin owners to decide to acquire Bitcoin (if we are speaking about its demand as a currency and not as an investment). On the investment demand side, the adoption is slowing and thus due to Metcalf's Law's correlation P = 1.5 x n^2, the rate of price growth (increase) has and will continue to slow. There is no linear growth on the log 10 chart "to the moon". Price growth will moderate and we won't exceed $10,000 before 2016. (note that is still a very nice gain, just not as "to the moon"). Bitcoin's price increase after 2015 will further slow, will not exceed gold. (assuming gold bottoms around $1000 in 2015 as I expect) Remember Risto was the guy calling for $300,000 by now (I've seen others write this, I wasn't around when he purportedly made that projection). How did that work out for him? Buffet is correct, Bitcoin is just a facade for fiat. Bitpay and Peter Thiel have just put that future in concrete. Now I sit back and watch my observations wreck havok on Risto's net worth expectations and confidence. Add: slowing rate adoption can still be very large nominally, e.g. if going from 1 million to 100 million takes 3X longer it still happens. You see as Peter Thiel helps to convert Bitcoin to the government coin, the masses will come in as it will become essentially be a form of fiat with offchain services that Peter Thiel creates. Everything is running exactly to plan as how I expected it to go when I wrote Bitcoin : The Digital Kill Switch in March 2013 and first joined this community. P.S. Mining is now concentrated in one pool with greater then 51% attack hash power. And there are individual miners with 7 - 10% of the entire hash power. Everything is going exactly how I predicted. Yet people still think I am wrong. |
|
|
|
I think it's a pretty smart fit actually. very interesting.
Which one? Trolololo's fractal or my log-logistic? How can Trolololo's fit be sane where the 3rd is larger than the 2nd which was smaller than the 1st? That would imply the adoption decelerated in 2012 to 2014 and now will accelerate.  Add: I am becoming more confident adoption is slowing. It simply makes the most sense and the data supports it. Needing to use fiat to add merchants is the death to adoption of BTC. Bitcoin is losing its raison d'etre. |
|
|
|
Take a look at this fractal:  It compares the bubbles of Oct2011 + Jan2012 + April-May2012 vs the bubbles of Jan-Mar2013 + Nov2013 + May-Sept2014? The top of the next bubble would peak around 100,000 USD/XBT at around end of September 2014 (6 months from now). You see the size of the second staircase step is smaller than the first, then you make an arbitrary curve fit which makes the 3rd staircase step larger than both. That defies objective reason and rationality. |
|
|
|
I want a Klein bottle. There is a stock of 1000 waiwai on the wampum market. It is not moving. It is bidless. But they travel well by air, so I take one waiwai from the stock, by buying it on the market. The market moves against me. I.e. the value of one waiwai increases. I sent one waiwai to Alice by European swallow to pay for a Klein bottle. Alice wants wampum, so she sells the waiwai on the wampum/waiwai market. The market moves against her. I.e. the value of one waiwai decreases. Net impact on waiwai/wampum: Zen.
Youtube videos of my Klein bottle go viral. 1100 teenage girls in Uruguay want Klein bottles, at various times, 100 each day. As more and more school girls trade wampum for waiwai, the stock of waiwai declines, the cost in wampum increases. 100 waiwai are held by pidgeons. Alice takes the waiwai from the pidgeons and sells them for wampum the next day, but by that time 100 more Uruguayan school girls have pidgeons in the air. For 11 days, the stock of waiwai on the wampum market is reduced by 10%. Uruguayans 101 to 1100 pay 20% more for the waiwai, and Alice gets 118% as much wampum for her Klein bottles as she would have were the waiwai rates constant. If Alice's ten cousins start marketing their Klein bottles to Moldovan gigolos, whose pidgeons are twice as slow, those transactions will remove twenty times as much waiwai from the supply/demand balance on the wampum markets, and the price will rise confoundedly. The result will be a waiwai bubble.
Please cite a reference which says as demand (bids) increases, the float decreases? I have never seen such a claim. Rather as demand increases supply of float (asks) also increases to match it, but at a higher price. The supply increases faster than the demand because investors have larger and larger gains, this is why marginal price doesn't grow to the edge of the universe. The same is true in production, where the price won't go to infinity because new producers will come online to serve higher demand at higher marginal prices. I scored in the high 90s (out of 100) in my Economics 101 university class, but I didn't major in Economics and that was 30 years ago. I renewed my interest in Economics starting around 2005. For interim decades I was doing only computer science and programming (and wasteful mischief which I am suffering from now). PQ=MV, the value of the money stock is M, denominated in PQ/V. Increasing V decreases M.
Or it increases P x Q. V has been falling since 2008 and M was increased by the Fed in order to keep P x Q propped up, but that was not a free market event and after 2016 P x Q is going to come crashing down because M is mostly debt and thus we have massive P x Q oversupply in the global economy. Increasing the number of times a waiwai can flip during a fortnight, say by using African swallows instead of pidgeons, will increase laden air speed, thus decreasing the wampum per waiwai.
You got that backwards. Increasing the V that doesn't need to convert to/from fiat doesn't necessarily decrease the fiat price of BTC. It may decrease the supply of BTC that wants to sell for fiat, while increasing the demand for BTC of those who hold fiat, because there are more network effects within the Bitcoin ecosystem that they want to avail of. Using bitpay keeps BTC in the air.
That is irrelevant as I have explained. What it does is reduce the network effects (merchants accepting and holding Bitcoin thus being nodes in the Metcalf law valuation) within the Bitcoin ecosystem that those holding fiat must buy BTC to attain. If everything they can buy with BTC they can also buy with fiat, then there is no great need to buy BTC with their fiat. That was precisely my point about why lose 3-5% on double exchange, when one can just buy with their credit card for 0%. Sorry you really dropped the logic on this one. That creates a churning marginal demand which decreases the supply on the fiat market. If you buy immediately before spending, and the merchant takes fiat, then the time in the air is small. If you buy in anticipation, V decreases, and the effective air time, from the point of view of the exchange market, is quite long. Using bitpay also adds to the bid and to the ask on the market, thus increasing liquidity, which in turn makes bitcoin marginally more efficient (less slippage) and less risky (as liquidity is available when it is needed).
If everyone makes a different color of Klein bottle, and everyone wants to collect the whole set, then there are N^2 pidgeon flights which need to occur. The first pidgeon reduced the stock of waiwai by a factor of 0.999. The second person, by a factor of 0.998, the n^2 person by a factor of 1-0.001*n^2. As a result the cost of a waiwai rises by a factor of k*e^(n^2).
Your model continues to boggle my mind.
I try to perform at least one Bitcoin transaction daily. Either by spending some, buying some, transferring some, or most often by receipt of mining earnings.
Suppose that I am responsible for permanently increasing the daily quantity of transactions by one. Today's adjusted number of transactions reported by Blockchain.info is 58,006, and your model projects a market cap of $1.50 * 58,006 * 58,006 = $5,047,044,054.00. My contribution makes the adjusted number of transactions 58,007, and the corresponding market cap is 5,047,218,073.50. The difference between the two market caps is $174,019.50. As the total number of Bitcoins at the time of writing is 12,591,775, my one incremental daily transaction lifts the corresponding price per bitcoin by 0.013 USD.
And this is why Quantity Theory of Money says M x V = value, not M alone. This is why selling out to fiat via Bitpay robs us of the square of the count of transactions and puts that value in fiat instead. The value of a network is the velocity times the position, not just the position, i.e. if all the actors (hodlers of money or nodes) don't interact then the network is a beautiful pile of do-nothing. Using bitpay keeps BTC in the air. That creates a churning marginal demand which decreases the supply on the fiat market. If you buy immediately before spending, and the merchant takes fiat, then the time in the air is small. If you buy in anticipation, V decreases, and the effective air time, from the point of view of the exchange market, is quite long. Using bitpay also adds to the bid and to the ask on the market, thus increasing liquidity, which in turn makes bitcoin marginally more efficient (less slippage) and less risky (as liquidity is available when it is needed). One of the ways I spend bitcoin is to buy gift cards from Gyft or Giftcard Zen. Unfortunately the coins get converted into fiat right away and my subsequent use of the gift card at, for example, Amazon does not add to the Bitcoin economy. Bingo!
I want a Klein bottle...
I want some of that stuff that makes you think clearly  What clearly was that? - Trendline comparison: we are now at -0.291 log units. The trendline is at $932 and rising $7 per day, conclusion: rock bottom
- Prognosis: intact from yesterday
Arbitrary curve fitting again presented as uber confident analysis. |
|
|
|
Apologies I was intending to make following correction and then we had a brown out and I fell asleep. It is roughly saying we won't significantly surpass $1000 in 2014. I don't know where the correctly fitted curve would be right now, so I can't project where the price should be now and where it will be nominally. I think the slope projection is more close to accurate, so we can say that if the theory is correct (that distribution of money holders is a power law distribution as the cited research and common knowledge says it always is), then price appreciation will slow down specifically to 0.05 units on the log 10 chart per month where 1 unit is 10X appreciation. So if we bottom at $400, then price after 20 months should be $4000. Again this is a very rough eyeballed fit and would expect the refined fit to have a slightly higher slope maybe 0.06, so make that 16 months instead. The red line below is a power law distribution for B=0.5 which you can see above is the value of B I fitted. What that distribution says is that the rich hold most of the percentage of wealth, which we know is in fact always true. And the fitting of the cumulative distribution function to BTC price is the theoretical claim that earlier adopters will be more wealthy (by now) than later ones. The research I cited points out is that the masses use money as a unit-of-exchange, not as a store-of-value. However does the Metcalf's law value of money (which Peter R has shown BTC mcap and thus price is tracking) where the value is proportional to the square of the number of nodes in the network nullify my use of a power law distribution? I.e. do the wealthy not create (proportional to their wealth) more network nodes (e.g. unique active BTC addresses) than the masses? I see the really diehard power users (e.g. SlipperySlope and Peter R) are both talking about creating a new node every day. Thus this anecdotally supports that the power law distribution applies correctly here. Thus I think we need to take this theory seriously. It might be the correct growth curve. The linear one with a least squares fit seems really out-of-touch with historical data. It totally ignores the shape of the earliest adoption curve up to July 2011. Risto's explanation was the early adopters were bad speculators and bid the price up too much, but my interpretation is they are the most wealthy now and they were the most powerful because they are early adopters. The least squares fitting of a line to a curved adoption could possibly be (confirmation bias in play as) an (emotional "to the moon") attempt to force a linear projection on a growth curve which obviously was not always linear. Has it become linear since January 2012? I very much doubt it!Convince me? Risto how do you analytically defend your linear least squares fit that makes you so sure of everything and gives you the audacity to browbeat all the bears? Add: why don't stocks follow this log-logistic curve? Maybe they do (?), if we don't compress the early adopters into a single event IPO. Also can a stock issue have network effects, i.e. does Metcalf's law apply to company shares? Seems to me yes if the shareholders network amongst themselves, but much less so than a network of money holders. Add: Fact is the slope during the runup to July 2011 was 0.33 per month. Since Jan 2012, it has been 1/4 of that 0.08 roughly. Why should we expect the slope to not decline again? Why should the pace of adoption remain constant? Seems intuitively unlikely to me. Pace of adoption should slow as we slog into the less astute demographics. Larger mass with more inertia grows more slowly than smaller mass with nimble inertia. |
|
|
|
Most of you can't picture in your head as I (and some others here probably) can, so I need to show you chart for you to get that "Ah ha" epiphany. I lack the math software to do a proper log-logistic curve fit. Here follows my eyeballing and rough fit to the change in slope. The run from Oct to Jul 2011 had a slope of 2/7mos and from Jan 2012 to Jan 2014 had a slope of 2/24 mos. The cumulative distribution function shown superimposed in blue below is 1/1+(1/x)^0.5. Thus from x=0 to x=0.25 for the Oct to Jul 2011 run has a slope of 1/1+sqrt(1/0.25) = 1/3 = 0.33 and from Jan 2012 to Jan 2014 is from x=0.25 to x=0.50, thus 1/1+sqrt(1/0.5) = 0.41. So 0.33-0 = 0.33 and 0.41 - 0.33 = 0.08. And 0.33/0.08 = 4 and 24/7 = 3.5. So we can see ratios of the slopes match closely. So this is a reasonable curve fit as the proportional vertical heights also match. A quantitative fit would be more accurate. The accurate fit is probably a bit less steep in the early portion and less flat in the latter. So this would be more favorable than the one I overlaid. Any way, if this theory is correct, then you can clearly see that Bitcoin will stop rising as fast and that it is due to fall down in price significantly before it rises again and more slowly than the past. From here on the slope from x = 1 to x = 1.5 is only 0.05, thus 5/8 of the rate of increase we've on the log 10 chart since Jan 2012. Note that is 5/8 of a rate of increase that is exponential in the power of 10. It is roughly saying we won't significantly surpass $1000 in 2014. I don't know where the correctly fitted curve would be right now, so I can't project where the price should be now and where it will be nominally. I think the slope projection is more close to accurate, so we can say that if the theory is correct (that distribution of money holders is a power law distribution as the cited research and common knowledge says it always is), then price appreciation will slow down specifically to 0.05 units on the log 10 chart per month where 1 unit is 10X appreciation. So if we bottom at $400, then price after 20 months should be $4000. Again this is a very rough eyeballed fit and would expect the refined fit to have a slightly higher slope maybe 0.06, so make that 16 months instead. It seems too simple, but on the other hand I cannot believe that the goodness of fit is just coincidence; is there something truly at play here that we haven't fully come to understand?
What is hard to understand? Reed's Law is another way of stating Metcalf's Law. It is quite clear that in a network with N nodes, there arre N^2 possible interconnections. Thus the value of the network interaction is N^2. How hard is it to understand that without communication and interaction, there is no leverage of each other. How can I use your knowledge if I can't interact with you? Why do we become smarter by posting in this forum. Etc.. |
|
|
|
Your model continues to boggle my mind.
I try to perform at least one Bitcoin transaction daily. Either by spending some, buying some, transferring some, or most often by receipt of mining earnings.
Suppose that I am responsible for permanently increasing the daily quantity of transactions by one. Today's adjusted number of transactions reported by Blockchain.info is 58,006, and your model projects a market cap of $1.50 * 58,006 * 58,006 = $5,047,044,054.00. My contribution makes the adjusted number of transactions 58,007, and the corresponding market cap is 5,047,218,073.50. The difference between the two market caps is $174,019.50. As the total number of Bitcoins at the time of writing is 12,591,775, my one incremental daily transaction lifts the corresponding price per bitcoin by 0.013 USD.
And this is why Quantity Theory of Money says M x V = value, not M alone. This is why selling out to fiat via Bitpay robs us of the square of the count of transactions and puts that value in fiat instead. The value of a network is the velocity times the position, not just the position, i.e. if all the actors (hodlers of money or nodes) don't interact then the network is a beautiful pile of do-nothing. |
|
|
|
Bitpay and coinbase are on the edges of the bitcoin economy. What's important to note is that they continually push the edges outward.
Just as merchants were motivated to accept bitcoin through bitpay (because it's virtually no risk), the same will happen with those merchants' suppliers. And once that happens, the merchants don't need to completely convert to fiat anymore. Eventually the merchant can keep their income in bitcoin, and it's the suppliers who use bitpay.
What's going to stop the edges from moving outward?
Talk about fantastical dreaming. I thought I was really far out there with wanting an anonymous coin. So in order to stop rape, first we need to rape until everyone is raped, then we can suddenly stop raping because everyone has a rape kit. You won't get to even 1% coverage before the entire ecosystem has been co-opted by centralization and fiat regulation. Dance with the vampires only if you want to be bitten and converted. I guess the love of greed can make one think up any kind of irrational excuse to continue in that greed. I have absolutely no idea what you're talking about here. How does stopping rape relate to the adoption of bitcoin? You really can't wrap your mind around the analogy? "So in order to stop rapefiat-takeover-of-Bitcoin, first we need to rapefiat-takeover-of-Bitcoin until everyone is rapedhas-fiat-takeover-of-Bitcoin, then we can suddenly stop rapingfiat-takeover-of-Bitcoin because everyone has a rape kitpretends-to-accept-BTC-but-really-accepts-fiat." The only possible government attack I see on bitcoin that can succeed is the 51% mining attack. All your other concerns I think are overblown, you give governments too much credit.
How can I say in a nice way that I think you are incredibly naive. What fool would lose 3-5% spread (at least) on two times exchanges instead of paying 0% to spend the fiat with a credit card?
And cause a premature capital gains event.
If you lose money on the two exchanges, how do you have capital gains? Do most people in Bitcoin have only 3 - 5% gains. Nope, they gain much more. So your criticism about losing a few percent on fees is ridiculous. How did wasting money become ridiculous? And for what benefit did it serve? To promote the fiat use of Bitcoin which will enslave all of us. |
|
|
|
|
Evan how are you going to stop the adversary from flooding the Darksend will unlimited inputs? You charge a small fee?
|
|
|
|
ive been following this discussion , and i most say, the level of control you need to have over the network to use it for a practical sybil attack is unfeasable, my worst case scenario tells me max 10% could be controlled, now if you do run it through say 10 times, the chance of being unmasked is 10% and we are talking about several factors that have to happen..
you need the 10% to be on EVERY mixing stage - Very unlikely im not even going to try and calculate the chance
Just trying to keep up with the concepts here... If a tx is compromised on stage 1, for example, is it compromised through all of the following stages as well (assuming it doesn't pass through any more sybil nodes)? You may be confusing 2 different things. Each Darksend has 3 stages: Collect inputs Collect blind signed outputs Collect signed inputs The denial-of-service issue that would cause Darksend to repeat over and over and be blocked would be if an adversary refused to complete their part of the stages. Evan solved this by attaching a collateral penalty payment to stage 1 and this is charged only to those to don't complete all stages. In doing that, Evan had to expose each Darksender's IP, input, and output to the randomly chosen MasterNode. So the MasterNode knows your identity, the anonymity is broken. But if the MasterNode is not an adversary, it will not use that information against you (it won't retain nor share it with others). If the MasterNode is an adversary, then that Darksend is not anonymous for you. There are other ways that a Darksend can end up not anonymous for you, see my calculation example upthread, e.g. Tor is also not 100% anonymous every time you use it. So let's say that 20% of MasterNodes are adversaries (e.g. China's NSA buys up 20% of MasterNodes), then every time you do a Darksend, you have at least 20% chance of losing anonymity for that Darksend. (and more than 20% because Tor isn't 100%, etc) So you do multiple Darksends and each one has a 20% (or more) chance of being not anonymous. But if any one of them is anonymous, then you are anonymous. So take that percentage (including Tor factor, etc) and raise it to the exponent of the number of Darksends you will do on the same funds. So let's say 0.30^10 = 0.0000059049. That is 6 in a million. So very strong anonymity. But please see my upthread calculation, because there are many factors and your anonymity will not be that strong in reality. The adversary can also Sybil attack the inputs, meaning they flood the Darksend with inputs and thus assuming that Evan needs to set some limit on the number of inputs in a Darksend, then this attack can lower the anonymity set as I explained in my calculation. Can the final input, output and IP be compromised at each mixing stage? If so, how do multiple stages help at all?
Once a sender is compromised, how are they tracked in the future? IP? Wallet address? Some other way?
Your IP, input and output are compromised at the probability (frequency) of the calculation. |
|
|
|
@ AnonyMint - will u invest in DRK?
AnonyMint promised slyA not to announce nor endorse any altcoin. Thus no comment. |
|
|
|
No I meant the collateral payments can be stolen, not the tx fees. Are you meaning to write that collateral payments always go to the miners, thus master nodes have no incentive to lie?
No that's what you said earlier "Edit: but the master node can steal the tx fees. And then not include the input in the output signing. So scratch this idea." We need to use specific terminology here. Tx fees are from the transaction and they go to the miners. Collateral payments are made out to the master nodes. In either case, master nodes can lie and steal, they just make sure they also control miner(s) (or pools).
No one can prove the master node isn't being malicious to hurt the reputation of an innocent pool or miner.
Thus you can't stop theft.
You completely missed what I was saying. Collateral is multi-sig, requiring more than 1 party to lie. 99.999999999% they won't be the same party. I'm getting tired, lets continue this another day. As far as I can fathom, multisig doesn't protect you because master node can just lie and say none signed. How will the other signatories know if the master node is telling truth or not? However, I have a partial solution for this. Send the collateral payment to the ether. Then master node loses some incentive. But still the master node might lie just to harm the coin and the owners of those collateral. I guess the inputs can forward their communications to other signatories too? In that case, your anonymity is more broken because more nodes would see the triplet of IP, input, and output on each Darksend. Thus the percent of master nodes needed to lower anonymity would be proportionally less (e.g. if 5 signatories, then need only 1/5 as many master nodes to be adversaries). There's an even simpler solution. User A: You MasterNode A: The previous master node MasterNode B: This rounds master node User A makes the collater payment out to the Master A but sends it to Master B along with the input/out1/out2. Master B can cash it, but it doesn't benefit him at all. That solution doesn't decrease the anonymity, but complete destroys the incentives to cheat. Adversary will wait until he is MasterNode A and MasterNode B. The more Sybil nodes he has, the more often that will be. Actually adversary doesn't have to wait for that, if he has MasterNode B, he can spend it and cause trouble for DarkCoin. And who can prove he was lying? With 5000 master nodes the chances that you're both Master A & B are (1/5000)^2 or .000000004. I think we're fine. Adversary can't even node-Sybil attack the anonymity (can still Sybil attack the Darksend inputs regardless) if he doesn't control a significant percentage of the MasterNodes. So if he controls 20% of them, then (1/5)^2 = 1 in 25. So every 25th Darksend could be stolen. But the government probably isn't interested in destroying the Darksends. Rather they would want to silently collect the identity data. So if someone wants to buy 1000DRK off of the open market to be a master node and charge random people fees, I think they'll help darkcoin more than they'll hurt it. They'll raise the price and 1 in 5000 transactions will get charged .1DRK, it's still cheap.
Buying DRK is not a zero sum game. They can sell their DRK later. I think there people with a lot of money in the world, especially the government because they can print money. And they gain all the identity data and they can use that to confiscate and tax funds, then it is very lucrative for the government. But they can do that and really don't have an incentive to steal the payments. In fact, don't want to draw attention to themselves, so they wouldn't steal. Perhaps you've solved the stealing issue. Congrats. But the anonymity issue remains weaker. Government does have the incentive to buy up the MasterNodes. Plus, charging fees could reset the age of that 1000DRK and we could require an age of 24 hours or something. So that really limits their ability to mess with Darkcoin.
Why? If they plan to be a MasterNode for years why is 24 hours delay a problem? My point is there's a million solutions.
Hehehe, but you haven't explained a million of them yet. |
|
|
|
|
Show Posts
