Bitcoin Forum
4041  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 11, 2015, 10:50:15 AM
My design doesn't (and afaics shouldn't need to) prove to a syncing node anything about propagation that occurred while that node wasn't listening live. Remember that the 49 - 99% attack must be sustained otherwise it can't maintain the blacklist on the minority PoW. The minority PoW will have identified the dishonest chain and be humming along (at a reduced level of PoW difficulty, yet still including the attacker's nominations so as to prove to syncing nodes which chain is refusing to include the other's nominations). So the syncing node will have ample opportunities while live to objectively determine which chain is dishonest.

Why isn't it the case that the majority POW also has a monopoly on the set of nodes which can be nominated, thereby dominating the choices for the honest nodes?

In the honest scenario, the 49 - 99% attacker can nominate 49 - 99% of the confirmation nodes, but the crucial distinction from the security of Satoshi's design is the attacker can't dominate ALL the confirmation nodes and thus can't destroy the permissionless quality of decentralized cryptocurrency. Nor afaics can this preponderance of confirmation nodes gain the attacker any advantage in terms of double-spending or abusing the protocol.

In the dishonest attack scenario where attacker wants to own ALL the confirmation nodes, I already explained that:

---8<---

Thus the only way for the 50+% adversary to blacklist minority PoW that nominates its nodes is for that adversary to win all the blocks and always announce the blocks as soon as they are found (otherwise the adversary is required to include the nominations from minority announcements if the adversary pursues the selfish strategy mentioned above which defeats the blacklisting). But if the adversary announces block solutions as soon as they are found, then the adversary can't statistically win all the block announcements unless it has 100% of the PoW.

Okay the adversary must shift his strategy to fooling the payers (non-full nodes) into believing that the minority did not propagate first (or within for example 6 seconds if we choose 6 seconds as the rule), thus convincing the payers that the minority announcements were not required to be included in the longest chain. If the payers are not listening to the network, they have to trust some full nodes to tell them what happened. If the adversary violates the protocol and doesn't include the minority nominations (because the adversary can fool the payers), then the adversary can own all the nominations and thus report whatever it wants to report to the payers. The typical Bitcoin security argument is the community will call out such an adversary and take action. But I was never satisfied with that reasoning, because the masses are easy to manipulate because they are preoccupied.

So to make my design really robust, the payers need to be listening so they can enforce the protocol. Remember I am making a micro-transaction coin, so the payers will be online often. And often is good enough. Because if the payers' clients blacklist the 50+% adversary's chain for violating the protocol, then the adversary could have 99% of the PoW resources, but if they constantly lose a larger and larger share of the payers, then the honest network has forked away from the adversary and filtered it out. This is what I mean by inertia. And also this inertia will become entangled (DAG-like) such that it is impossible to undo this filtering and the 50+% attacker racks up huge losses (in transaction fee revenue and uncompensated PoW). In my design the block announcements don't include any transaction nor PoW share data, so they are very lightweight to propagate.

---8<---

You'll need to prove that the type A miner (with say 1M x the hashing power), cannot have 1M x the influence over the chain selection rule (by, say, impersonating 1M type B miners), otherwise this will collapse to being equivalent to regular longest chain selection rule.

I explained above that yes the entity that controls 50+% of the PoW could monopolize the nominated confirmation nodes by lying to non-full nodes (using that monopoly on nodes) about the propagation events that occur when the non-full node wasn't listening. But by having non-full nodes listen (only when they are online doing micro-transactions and remember most people these days are online most of the day and if micro-transactions become integrated into everything we do on the internet!), then I explained the 50% adversary can't violate the rule and monopolize.

---8<---

Also include the following snippet in the above context:

But anyone today could create a fork of Bitcoin and use it for paying from themselves to themselves, but no one does that because it is pointless.

So the 49 - 99% attacker could nominate ALL the confirmation nodes in his private chain, but the attacker can't convince the rest of the network that his chain is valid, due to my rule that the attacker must include all the nominations from propagated block announcements (which the attacker didn't refute within the 6 second window...because as I explained, the attacker can't refute because the rule requires him to restart his computation of the next block after each block announcement).

I told you (and all readers) for many months to expect a "Bitcoin killer" algorithmic twist that no one else had apparently thought of.

It is time for everyone to start realizing that I am not a bullshitter and I am legit.
4042  Alternate cryptocurrencies / Altcoin Discussion / Re: Layman's Journey to Understanding Zerocash on: December 11, 2015, 10:26:18 AM
Computational Complexity Classes: Overview

An algorithm (or program) is a set of logical steps that transform some state (i.e. variables). If the algorithm is a function (i.e. not a procedure), then it will read the input state and write the output state, thus being a transformation from the input state to the output state. (I'm referring to a pure function which does not read nor write any global variables).

A computational complexity class defines boundaries on the computation allowed in an algorithm. Some examples of boundaries are:

1. Result type: e.g. a boolean, a count, an optimum, etc.
2. Machine model: e.g. boolean circuit, deterministic Turing, non-deterministic Turing, parallel processing, quantum, etc.
3. Resources: e.g. polynomial time, logarithmic space, constant depth, exponential time, etc.

In other words, a computational complexity class is a statement about the constraints on our program (algorithm). Interesting limitations include the 1) type of result computed, 2) type of machine the program runs on, and the 3) resources the program employs.

Computational complexity informs us on the bounds of the requirements on computation, but not on whether the computation is intractable or significantly removed from any implication of the bounds. Meaning any implications we make from computational complexity can be overturned by future algorithmic discoveries— i.e. the implications can't be proven, which is the fundamental weakness[1] of (most!) cryptography that relies on conditional (i.e. not information-theoretic) security. Meaning that most cryptography relies on the intractability of the computation required to break the security; but intractability can only be demonstrated for some example cases and not be proven to apply for all the cases not enumerated (i.e. ubiquitous lower bounds can't be generally proven for all real world scenarios, not even for the asymptotic Big Omega Ω, because for example any stated complexity class depends on a machine model that might have an improved variant in the future with a possible reduction/conversion to that model).

For example, the elliptic curve discrete logarithm problem (ECDLP)[2] has been shown to be computationally intractable for the types of computation we know can be applied to cracking it, but it completely breaks on a future hypothetical quantum computing machine model (but conjectured to require a qubit for every bit of ECC security) or recently mathematically broken for small characteristic fields.

Often the stated computational complexity is for the asymptotic case, e.g. Big O, Big Theta Θ, Big Omega Ω; meaning the complexity class for values of the variables of the computation that stress the boundaries to the maximum (e.g. which often means as the variables go to infinity). However, the asymptotic case might not be indicative of the real world case, e.g. in the following plot f(x) ≤ cg(x) [red line under blue line] asymptotically but not always for x < 5.



https://www.cs.cornell.edu/Courses/cs3110/2012sp/lectures/lec19-asymp/review.html

Quote
One important advantage of big-O notation is that it makes algorithms much easier to analyze, since we can conveniently ignore low-order terms.

---8<---

Of course, since we are ignoring constant factors, any two linear algorithms will be considered equally good by this measure. There may even be some situations in which the constant is so huge in a linear algorithm that even an exponential algorithm with a small constant may be preferable in practice. This is a valid criticism of asymptotic analysis and big-O notation. However, as a rule of thumb it has served us well. Just be aware that it is only a rule of thumb--the asymptotically optimal algorithm is not necessarily the best one.

Thus although computational complexity class analysis is interesting, aids intuitive insight, and is useful for comparing bounds, it can't prove certain practical questions such as “can an efficient implementation of this algorithm be found” or “will all implementations of algorithms of this class always be intractable”.

For example, RSA's asymptotic security which since 1978 has been reduced only from requiring b^(2+o(1))-bit to b^(3+o(1))-bit keys for b-bit security on non-quantum (a.k.a. “classical”) computing, has in the real world made RSA insecure against an adversary as powerful as the NSA when they only need to crack one key in order to break the HTTPS (SSL/TLS) privacy of 20% of the top million websites (or much easier just steal or use a national security letter confiscation of the keys of the popular certificate authorities). Caveat or lesson is be very careful with intuition and claimed implications from computational complexity.

[1] Rolf Oppliger, Contemporary Cryptography, Second Edition, Introduction, §1.2.2.2 Notions of Security, p.11
[2] https://www.certicom.com/index.php/52-the-elliptic-curve-discrete-logarithm-problem
I. Chatzigiannakis, A. Pyrgelis, P. Spirakis, Y. Stamatiou, Elliptic Curve Based Zero Knowledge Proofs and Their Applicability on Resource Constrained Devices, §3. Zero Knowledge Protocols Based on the ECDLP, http://arxiv.org/abs/1107.1626, 8 July 2011.
4043  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 11, 2015, 09:44:17 AM
However I have stated that if we change Satoshi's protocol so that every announced block solution which is not challenged by another block solution within the reasonable propagation window (e.g. 6 seconds), must be based off the previously propagated block solution.

* How do you prove to a syncing node that a given historical block arrived within the 6 second propagation window without having a different protocol for syncing/live nodes?

My design doesn't (and afaics shouldn't need to) prove to a syncing node anything about propagation that occurred while that node wasn't listening live. Remember that the 49 - 99% attack must be sustained otherwise it can't maintain the blacklist on the minority PoW. The minority PoW will have identified the dishonest chain and be humming along (at a reduced level of PoW difficulty, yet still including the attacker's nominations so as to prove to syncing nodes which chain is refusing to include the other's nominations). So the syncing node will have ample opportunities while live to objectively determine which chain is dishonest.

(Assuming the node is syncing to a honest relay and remember my point about community responsibility for this,) the syncing node will see there are two competing chains and thus syncing node will be wary to accept any transaction as final until it has determined which chain is the honest one. Note that if the dishonest chain is an extension of the chain the syncing node had earlier identified as dishonest (a hash for that node's choice is saved on the block chain so the node can't forget), that node already knows it blacklisted that chain (which can be determined from the chain history).

* Is it possible to differentiate between a syncing/live node in a p2p blockchain without being subject to attack edge cases? (e.g. all proof of stake chains)

What about this attack:

1. Miner A controls a large amount of POW resources and wishes to double spend by creating a bunch of Finney blocks
2. They start with the genuine last propagated block
3. Generate a new block on top
4. Nominate the crap out of it with their superior POW resources
5. Fake the time stamps
6. Loop to 3

When they're done, they dump this huge Finney chain onto the network which also contains their double spend?

Finney attacks are not possible in my design, because transactions are not confirmed by PoW blocks. So the payee will not accept the transaction until it has been confirmed, which can be on the order of 1 second from the time the transaction is sent to the confirmation network.

In my (monumental?) prior two posts, I was starting to lay out some of the paradigmatic gains that arose from separation-of-concerns for transaction confirmation and PoW chains. Bitcoin-NG (from the researchers who published the selfish mining attack) separates timing of transaction confirmation from PoW chains (thus removing the latency spikes for propagation of block announcements, i.e. a form of anti-aliasing), but it doesn't eliminate double-spending by orphaned chains (which my design does eliminate). Also Bitcoin-NG nominates only one node per block period to confirm transactions thus Bitcoin-NG (and Bitshares' DPOS) is highly vulnerable to DDoS (even more vulnerable than current Bitcoin which employs Satoshi's design!).

Based on your use of the word 'nominate', you may be misunderstanding what is nominated in my design. C.f. how Bitcoin-NG nominates a node to confirm all the transactions until the next block. In my design, there are a plurality of confirmation nodes nominated, they persist for a plurality of PoW blocks.

Afaics, in my design there simply isn't a way to create an orphaned chain which would be required to create a double-spend other than a Finney attack. In my design, orphaned chains can only occur due to network partitioning and in that case Satoshi's design also allows double-spends on both forks. Dealing with network partitioning is another issue. We can discuss that later.

P.S. as a tribute to the prodigious generosity and amiable unassuming attitude of Hal Finney, I'd like to share his description of how Chaum's Ecash worked which helped me a lot when I was first learning what the Fiat-Shamir transform is and how it converts an interactive ZKP to a NIZKP (non-interactive zero knowledge proof).
4044  Alternate cryptocurrencies / Altcoin Discussion / Layman's Journey to Understanding Zerocash on: December 11, 2015, 05:20:52 AM
Join me on a technical journey to try to understand Zerocash (not Zerocoin which is a separate project although Zerocash does name their anonymous units zerocoins), starting from first principles.

I am curious and want to broaden and deepen my understanding of the technologies in Zerocash. I want to share my learning experience and perhaps also obtain collaboration with the community in learning and elucidating in layman's terms.

Here is a high-level enumeration of technologies we need to understand in reverse order of what we need to understand first, i.e. where the former requires understanding of the latter:

  • Zerocash
  • zk-SNARKs
  • quadratic arithmetic programs (QAPs)[1]
  • quadratic span programs (QSPs)[1]
  • probabilistically checked proofs (PCPs), as an alternative to QAPs or QSPs
  • span programs
  • computational complexity classes, e.g. P, NC, NP, E, #P, ⊕P

I recently realized that Zerocash is the only way to achieve anonymity without the (virtually impossible to guarantee) requirement to obscure our IP address.

This is a technical education and discussion of technology thread, so moderation is present to be able to keep it focused on such (because I understand there are political vested interests regarding anonymity technologies in the Altcoin arena).

P.S. sometimes I need a distraction from pure coding, and learning about theories and ideas is an outlet/diversion for me to relieve the stress or mental monotony of the coding process as compared to the "grand ideas" mental process.

[1] http://www.iacr.org/archive/eurocrypt2013/78810623/78810623.pdf
https://eprint.iacr.org/2012/215.pdf
4045  Economy / Economics / Re: Economic Totalitarianism on: December 11, 2015, 02:59:21 AM
http://newsinfo.inquirer.net/746668/us-launches-trial-of-facial-eye-scans-on-mexican-border

http://newsinfo.inquirer.net/743717/ph-navy-to-get-strategic-sealift-vessel-in-2016

http://globalnation.inquirer.net/133673/afp-to-receive-100-excess-armored-vehicles-from-us

http://globalnation.inquirer.net/127678/afp-accepts-over-40k-m4-remington-rifles-after-us-firm-corrects-over-20000-units

http://globalnation.inquirer.net/133447/great-to-be-president

https://www.youtube.com/watch?v=qgTEAelc5oU <--- must listen

http://globalnation.inquirer.net/133670/ph-to-battle-it-out-for-climate-goals

Bureaucrats destroying civilization (while hailing that they are for "human rights"):



Are these people ignorant of science, don't care, vested interest or...?
4046  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 11, 2015, 12:30:35 AM
So to make my design really robust, the payers need to be listening so they can enforce the protocol. Remember I am making a micro-transaction coin, so the payers will be online often. And often is good enough. Because if the payers' clients blacklist the 50+% adversary's chain for violating the protocol, then the adversary could have 99% of the PoW resources, but if they constantly lose a larger and larger share of the payers, then the honest network has forked away from the adversary and filtered it out.

Why can't an attacker simply pretend to be 1M payers, and use that control to vote in his fraudulent chain?

The attacker can do that (even with a minority of the PoW). It is good to see that my prior explanation was coherent enough that you pondered that possibility, so I know I have made progress in my elucidation of my block chain design.

But anyone today could create a fork of Bitcoin and use it for paying from themselves to themselves, but no one does that because it is pointless.

As I explained, in my block chain design all the users who are (or their client is automatically) concerned about following the protocol which enforces honesty, will not be on the attacker's chain which has violated the protocol, because the objectivity of the protocol is not subjective.

To recap, a majority PoW attacker with approximately 49 - 99% (49% because the network wastes some of its PoW mining the orphaned chain per the white paper I linked in my prior post) of the systemic PoW resources normally in Satoshi's design has the ability to win every block announcement (thus blacklisting the minority PoW from the longest chain of PoW), because the attacker can ultimately build a longer chain which orphans all the block solutions produced by the minority. However I have stated that if we change Satoshi's protocol so that every announced block solution which is not challenged by another block solution within the reasonable propagation window (e.g. 6 seconds), must be based off the previously propagated block solution. Thus the attacker can no longer blacklist the minority PoW from the longest chain of PoW. (With 99 - 100% majority of the PoW resources, an attacker can defeat the security in my design as well).

For n00b readers (not you monsterer), please understand the Bitcoin 101 concept that due to the randomness in the Poisson distribution, an attacker with < 100% of the PoW resources can't produce the first block solution every block period if the attacker is required to start his computation of each block at the same time as everyone else in the network. An attacker can produce a longer chain with a majority of the PoW resources, but only if the attacker is allowed by the protocol to ignore the minority's PoW solutions that occasionally (not a majority incidence) arrive faster than the attacker can produce the next block. Satoshi's design does not require the attacker to build his next block off the propagated block. Satoshi's design allows the attacker to build his chain hidden. This is the major design error of Satoshi's design, that enables selfish mining and the 51% attack. I correct Satoshi's design error. I believe this is the first explanation anywhere of my aforementioned rule as a solution. If anyone can cite prior art on this point, please do. Probably there is a post (or posts) from the 2010 - 2011 timeframe on this forum (or in 2013/14 discussions about the selfish mining white paper) that has some similarity to my point. I would be very interested in reading such posts if anyone can find such.

There are reasons that Satoshi's design can't incorporate my aforementioned rule which defeats selfish mining and the 51% attack:

  • The attacker could put a double-spend in his chain, thus he can not follow a rule which forces him to base his chain on the announced chain which contains a double-spend. In Satoshi's design, there is no objectivity about which double-spend in which chain came first (i.e. there is intra-chain objectivity but no inter-chain objectivity). Whereas, my design is different because PoW has a dual role, one of which is to confirm nominations for "confirmation nodes" (the nodes which do the transaction confirmations distributed thus enabling the 1 second confirmed transactions, not 0-confirmation insecurity of Satoshi's design). Thus my rule is that nominations from the propagated block have to be included in the next propagated block, thus defeating the selfish mining and 51% attacks, but Satoshi's design can't do this rule because it doesn't have the concept of nominations. Note that unlike transactions, nominations of "confirmation nodes" can't conflict because they are accumulative. My design can't just be grafted onto Bitcoin, because it requires a radical hard fork which necessitates changes throughout the ecosystem of clients (thus virtually impossible to accomplish).
  • Satoshi's design has no mechanism to constrain the variance of the propagation. Afair, Satoshi's white paper doesn't even talk about P2P network design (other than the SPV client suggestion) in the propagation context and the propagation design issues. All that design work has been done ad hoc over the past years, where I showed with my recent paper that Maxwell et al. still haven't even addressed DDoS (which is synergistic with propagation due to amplification, as I explained in my recent paper) in the scaling up scenario. I will not explain my entire design now.
  • Satoshi's suggestion of SPV lite nodes are too lite to guard the network. Recent comments from the Hong Kong Bitcoin scaling conference (which I really wanted to attend but I am just too overloaded with my illness and trying to get a coin launched) show that Bitcoin lead core dev Wuille et al. are thinking more about Segregated Witness and user clients that are in between the power of a full node and an SPV node, as is the case in my proposed design. But afaics, they are probably a long way from realizing all the issues and then realizing they can't realistically graft this onto Bitcoin and it will instead need to be a side-chain (since those guys work for Blockstream).
4047  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 10, 2015, 12:45:11 PM
For example, assume a design scenario where the block period T is 10 minutes (600 seconds) and within 6 seconds of a block announcement (note one white paper showed the weighted average in Bitcoin is 11.37 seconds), it will have propagated to at least 80% of all nodes. Thus the probability of having 2 or more competing chains is approximately 1/100. Before getting into the implications of that fact w.r.t. my design, first let us note that an entity controlling 50+% of the PoW resources could choose to withhold his block solutions until another one is announced (thus making sure it propagates within the 6 seconds), while continuing to mine on his hidden solution (thus the adversary's chain will ultimately always be longer after sufficient blocks) and thus that 50+% entity will always be able to blacklist (overrule) any minority block announcements. That is the selfish mining attack and it causes the rest of the network to do wasted PoW. However, by rewarding all block solutions that are announced within the propagation window, the attacker's strategy is foiled. In 2014, I had revealed the math proving that is a solution to the selfish mining attack. However, if we are not interested in just foiling the economic incentive of selfish mining, but we also want to foil the blacklisting incentive, I will hereby reveal another epiphany. We can require that any block which follows a contest between chains must include the nominations (in my design) from both blocks (note we might not, depending on the design, be able to incorporate the txns from both chains because there may be double-spend conflicts, but suffice that nominations can't conflict).

Thus the only way for the 50+% adversary to blacklist minority PoW that nominates its nodes is for that adversary to win all the blocks and always announce the blocks as soon as they are found (otherwise the adversary is required to include the nominations from minority announcements if the adversary pursues the selfish strategy mentioned above which defeats the blacklisting). But if the adversary announces block solutions as soon as they are found, then the adversary can't statistically win all the block announcements unless it has 100% of the PoW.

Okay the adversary must shift his strategy to fooling the payers (non-full nodes) into believing that the minority did not propagate first (or within for example 6 seconds if we choose 6 seconds as the rule), thus convincing the payers that the minority announcements were not required to be included in the longest chain. If the payers are not listening to the network, they have to trust some full nodes to tell them what happened. If the adversary violates the protocol and doesn't include the minority nominations (because the adversary can fool the payers), then the adversary can own all the nominations and thus report whatever it wants to report to the payers. The typical Bitcoin security argument is the community will call out such an adversary and take action. But I was never satisfied with that reasoning, because the masses are easy to manipulate because they are preoccupied.

So to make my design really robust, the payers need to be listening so they can enforce the protocol. Remember I am making a micro-transaction coin, so the payers will be online often. And often is good enough. Because if the payers' clients blacklist the 50+% adversary's chain for violating the protocol, then the adversary could have 99% of the PoW resources, but if they constantly lose a larger and larger share of the payers, then the honest network has forked away from the adversary and filtered it out. This is what I mean by inertia. And also this inertia will become entangled (DAG-like) such that it is impossible to undo this filtering and the 50+% attacker racks up huge losses (in transaction fee revenue and uncompensated PoW). In my design the block announcements don't include any transaction nor PoW share data, so they are very lightweight to propagate.

Note I am still searching for holes in this design. So I am not assuming it is perfect yet. (There are likely issues revolving around conflicts in UTXO between competing chains, i.e. one user wants the transaction to go on the adversary's chain which another user has observed as the fraudulent chain and is not accepting. The payer would then need to spend on both chains until the conflicting user has observed for itself that the adversary's chain is dishonest, then it would shift over to the honest inertia.) At the moment, I am preoccupied with getting something launched, so the peer review of the theory will need to wait.

I did take the time to write this part down, because I do have to incorporate some aspects of this design in the coding work I am doing now. So I wanted to make sure that my logic on the necessity of the payer monitoring is correct, because I am incorporating the necessary block chain records so the users of the network have the necessary state persisted for them in the block chain.

Point being that this is going to be easy as pie for a dummy to use. And personal password security should be much easier to deal with.

However, this is nominal operation, not an attack scenario. It does not follow that statistically less orphans means better security, simply because an attack is not nominal operation.

As I explained above, latency is a parameter for the holistic security design when incorporated into a holistic paradigm as I have explained. The higher the latency of propagation (the interval of indeterminism about which block announcement was first and what was the interval between announcements), the larger the block period needed to reduce the incidence of competing chains (if the selfish mining scenario has been defeated given my solutions for defeating selfish mining). The higher the expected (computed probability of) incidence of competing chains, the more often that multiple sets of nominations have to be included (per the epiphany rule I mentioned). This may be acceptable by appropriately dialing down the duration of nomination commensurately, assuming that doesn't adversely impact some other important factor.

Quote
So in my design the math—for choosing the longest chain to mine on—include the calculations about what is statistically fraudulent.

Taking a guess here, I suspect you have two classes of miner? Type A is the professional miner expending a lot of energy to produce chains of work and type B is the every day user sending transactions already mined by including a POW with the transaction. So the key becomes how to make sure that you cannot impersonate type B miners to throw your new chain selection rule out of whack, since their POW difficulty must be trivially easy to solve.

The PoW from all is unified. Sending PoW with transactions is one way to incentivize users to contribute their CPU resources so the professional miners won't control near to 100% of the PoW. Another way to incentivize them is they will need to pay some PoW to nodes that propagate block announcements to them. Thus while they are online doing microtransactions, their computer will be doing some background mining (but very lightly so, preferably scaled down when CPU load is high, i.e. never significant enough for the user to complain about or increase their electricity bill noticeably and on mobile phones not plugged into the charger this really has to be subdued). The user can pay instead using micro-transactions which is more economical except they can perhaps notice this (or maybe not since the entire point of micro-transactions is you don't fuss over small incremental spend decisions). We'll work out this balance over time. These are the sort of maturity issues that really require a lot of contributors and people working on the source code. I can't do all of these microscopic optimizations by myself. I am just trying to first get the basic coin launched.

You'll need to prove that the type A miner (with say 1M x the hashing power), cannot have 1M x the influence over the chain selection rule (by, say, impersonating 1M type B miners), otherwise this will collapse to being equivalent to regular longest chain selection rule.

I explained above that yes the entity that controls 50+% of the PoW could monopolize the nominated confirmation nodes by lying to non-full nodes (using that monopoly on nodes) about the propagation events that occur when the non-full node wasn't listening. But by having non-full nodes listen (only when they are online doing micro-transactions, and remember most people these days are online most of the day, and if micro-transactions become integrated into everything we do on the internet!), then I explained the 50% adversary can't violate the rule and monopolize.

Realize also that once a listening peer has saved (on the block chain!) that he requires the hash of a given block to be included in any chain he accepts, this is a form of distributed checkpointing too. And also that node doesn't have to be online in the intervening period to detect that a future chain has or has not incorporated that hash earlier in the chain. Thus the honest inertia aggregates over time, and is not diluted by being offline. It is a form of automated community policing by algorithm.

Note also this is not the same as nodes just checkpointing whichever chain they want to. That would cause chaos and divergence. Instead there is a clear rule about consensus which is defined by PoW in such a way that the only way to monopolize it is to control what propagation the users observe (which means global control and thus I shift the security from 50% control to nearly 100% control required). Afaics, the only way to have divergence is for nodes to be lied to about propagation. Here is where the community needs to play a role and maintain a list of honest relay servers and easy-as-pie ways for users to access these automatically configured into clients. I am leading the way on this ease-of-use lesson with my initial coin launch example web-based client. It will be easier than Coinbase and Paypal, yet the user controls his own coins (and private key).
4048  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 10, 2015, 03:06:22 AM
Apologies my brain was toast in my prior post after 20 hours non-stop coding (other than a few minutes to eat and urinate).

---8<---

In Satoshi's design the nodes want to be on the longest chain of PoW. In my design, they want to be on the longest chain of PoW which is not incongruent with the propagated inertia. There are two aspects (PoW and inertia) interlocking and supporting each other synergistically. The reason Bitcoin (Satoshi's design) can't do this distinction is because there is no inertia orthogonal to PoW. If you are thinking the PoW nominates the inertia, so the inertia is not orthogonal, then don't forget another key detail which is duration of nomination is much greater than any statistically objective honest orphan chain length (duration). Essentially my design is a form of anti-aliasing. More PoW resources can gain a larger share of the inertia, but the thing about inertia is that each participant views their own inertia as a priority and so any entity trying to blacklist another's inertia is going to be viewed statistically and objectively as fraudulent and thus that fraudulent PoW can be filtered out and its inertia spirals down. In other words, greater share of resources doesn't allow you to violate the laws of physics about propagation.

Here is some overview of the conceptual math to make this more concrete.

In Satoshi's design, the probability of your chain not being the longest chain and thus being orphaned is calculated (employing a Poisson distribution approximation) solely based on the number of blocks, z, that have followed (and including) the block containing your transaction. Nowhere in the calculation of the longest chain or probabilities for a double-spend do you see any variable related to anything other than z and the relative PoW power (p/q) of the entity computing a longer chain:

https://bitcoin.org/bitcoin.pdf#page=6
https://bitcoil.co.il/Doublespend.pdf#page=5  (http://arxiv.org/pdf/1402.2009.pdf#page=5)

Here follow references on computing the orphan rate and the statistics about "informed nodes":

http://diyhpl.us/~bryan/papers2/bitcoin/Information%20propagation%20in%20the%20Bitcoin%20network.pdf#page=8
https://bitcointalk.org/index.php?topic=250735.msg2666847#msg2666847
https://blog.ethereum.org/2014/07/11/toward-a-12-second-block-time/#comment-1521884349
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-August/009916.html
https://dl.dropboxusercontent.com/u/43331625/feemarket.pdf#page=4

As an approximation, as the "average" verification+propagation delay decreases linearly relative to the block period (block period is enforced with PoW difficulty), then the orphan rate and probability of being an uninformed node or on an orphaned chain (at some z) decreases exponentially.

Thus statistically it should be possible to ignore longer chains that become widely informed much later than the probabilities would indicate are reasonable, i.e. one could select a threshold for filtering at say 1/1000 chance without causing appreciable pain to honest miners.

But Bitcoin's nodes can't measure how relatively informed all nodes are for the competing chains (i.e. there is no reference point, everything is totally relative solely to longest chain measured in blocks and/or cumulative difficulty of the blocks), thus it can't incorporate such a statistical anti-aliasing against dishonest mining. What I have initially named "inertia" are the confirmations that occur orthogonal to the PoW chain, which Bitcoin doesn't even have (and the Bitcoin-NG proposal/paper doesn't change this, because confirmations don't occur out-of-order and orthogonal w.r.t. the nomination from the longest chain). Thus in my design there is an objective measurement that is valid from the perspective of each node as to whether one chain (although longer) was withheld from the network or is blacklisting some portion of the network. Again this depends on some very specific changes to the design and propagation of the P2P network. Which also depends on an overall change to the way confirmations are achieved and recorded in the block chain. It has some conceptual similarities to a DAG, but I assert (not yet shown publicly) my design rectifies the issues with a DAG that I outlined in my discussions last month with CfB@Iota. Details to be forthcoming in white paper.

So in my design the math—for choosing the longest chain to mine on—include the calculations about what is statistically fraudulent.

Thus double-spending, blacklisting the minority PoW, and forking the protocol with a 51% attack becomes statistically implausible (intractable).

In other words, I unconflate confirmation of transactions (which is inertial evidence of who is lying about propagation) with PoW longest chain consensus (and use that consensus only to nominate who can do confirmations). Thus being nominated is permissionless, unless the adversary has 100% of the PoW. The adversary could have 99% of the PoW and the nominated resources, but it would still be objectively clear to the remaining 1% that the 99% is fraudulently blacklisting the minority or forking the protocol and thus the minority's inertia would fork away from the fraudulent inertia. The payer's (non-full node) clients would recognize this also (by monitoring block announcements on both chains and computing relative statistics about delay, noting that block announcements are very light to verify and "fraud proofs" are employed as a security mechanism ... see my recent posts about "segregated witness") and send their transactions through the 1% fork. This of course requires a much longer block period because the propagation delay to any client could be much longer. So in essence the dishonest fork could have 99% of the PoW yet none of the transaction activity. If the 99% PoW fork is not measurably dishonest, then it will of course not be filtered out.

A future white paper will lay out the precise math for peer review.
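The Satoshi double-spend calculation referenced in the post above (bitcoin.pdf section 11), as an added example that is not part of the original post or the author's coin: a Python port of the whitepaper's Poisson-approximation routine, plus a helper that finds how many confirmations z push the attacker's success probability below a filter threshold such as the 1/1000 the post mentions. Only q (attacker hash-rate share), p = 1 - q and z are inputs, which is exactly the point the post makes: no propagation variable appears anywhere.

```python
"""Attacker-success probability from the Bitcoin whitepaper (section 11).

Added example, not code from the post or its author. It ports the C routine
printed in bitcoin.pdf to Python and adds confirmations_needed(), which
searches for the smallest z that drives the probability below a threshold.
"""
import math


def attacker_success(q: float, z: int) -> float:
    """Probability an attacker with hash-rate share q overtakes a chain z blocks ahead.

    p = 1 - q is the honest share and lambda = z * q / p is the expected number
    of attacker blocks found while the honest chain advances z blocks. The
    attacker's remaining deficit is a gambler's-ruin problem, so each Poisson
    term is weighted by (q/p) ** (z - k).
    """
    if not 0.0 < q < 1.0:
        raise ValueError("q must be strictly between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    ratio = q / p
    if ratio >= 1.0:
        return 1.0  # a majority attacker catches up with certainty
    lam = z * ratio
    total = 1.0
    poisson = math.exp(-lam)  # P(k = 0); updated incrementally below
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # P(k) = P(k-1) * lambda / k
        total -= poisson * (1.0 - ratio ** (z - k))
    return total


def confirmations_needed(q: float, threshold: float, max_z: int = 10_000) -> int:
    """Smallest z for which attacker_success(q, z) < threshold.

    Raises if no such z exists below max_z (e.g. q >= 0.5, where the
    probability never drops below 1).
    """
    for z in range(max_z + 1):
        if attacker_success(q, z) < threshold:
            return z
    raise ValueError(f"no z <= {max_z} reaches threshold {threshold} for q={q}")


def success_table(q: float, zs) -> dict:
    """Map each z in zs to its attacker-success probability for share q."""
    return {z: attacker_success(q, z) for z in zs}


if __name__ == "__main__":
    # Reproduces the two tables printed in the whitepaper.
    for q in (0.1, 0.3):
        print(f"q={q}")
        for z, prob in success_table(q, range(0, 11)).items():
            print(f"  z={z:2d}  P={prob:.7f}")
        print(f"  z for P < 0.001: {confirmations_needed(q, 0.001)}")
```

The threshold search is where the post's "1/1000" filter idea plugs in: for a 10% attacker the whitepaper's own numbers give z = 5, for a 30% attacker z = 24, and for q >= 0.5 the function correctly fails to find any z, which is the 51% limitation the post is arguing about.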
4049  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 09, 2015, 07:36:20 PM
It is 3:30am and I have been awake since 7am, so please excuse if this reads like I am drunk.

Difficulty is adjusted as it always is for PoW.

How do you deal with user A with a very slow device sending a transaction vs user B with a mining farm sending a transaction? I.e why can't B push the difficulty up so high as to make sending a transaction impossible for A?

Because A is not required to increase the PoW difficulty (number of leading 0 bits) for the PoW required to be submitted with a transaction. It is not used to rate limit spam. The only purpose is to get every payer to contribute something to the security. Again as I explained in the prior message, for as long as no entity has control over (near to) 100% of the PoW, their asymmetric leverage is fairly impotent.

Even most mobile phones have SIMD NEON now, so their performance on BLAKE2 would only be about 1/4 - 1/10. However the PoW hash I designed is optimized for desktop processors due to the highly optimized carryless multiply instruction in the AES_NI. So mobile phones might end up with a noticeable delay. There is a sweet spot to balance this, because devices will get faster over time, and there are a lot more mobile devices than desktop PCs these days. Will choose some reasonably balanced level, and the goal is to maintain at least a few percent (if not better) of the network PoW hash rate coming from distributed users instead of 100% from professional farms.

Edit: it is possible to have two PoW hash function alternatives if it can be determined that the relative advantage for ASICs for the SIMD BLAKE2 hash is compensated relative to the PoW function that I designed which uses the carryless multiply instruction. Thus it might be possible to leverage the SIMD NEON in mobile phones.

The profitability is orthogonal to your point, which is you mean how to get Bitcoin's security if the percentage of your market cap paid to mining debasement and the market cap are not the same level as for Bitcoin.

Yes and no. Bitcoin's security is not orthogonal to the block reward - it is tied directly to it. If you assume hashing power is proportional to reward, interpolating the hashing power at 25 BTC per block down to the average amount of transaction fees per block, the security of the chain diminishes accordingly.

As I wrote in my prior post, all that matters is what percentage of your market cap you are paying to debasement over any period of time, and that determines how much electricity can be spent each such period on PoW. But more debasement doesn't lower the ratio of professional miners to distributed non-professional miners, thus it really doesn't increase security. It isn't a defense against a 51% attack, because more debasement doesn't correlate with better distribution of PoW resources. It is basically nonsense and we've been hoodwinked into throwing our money away to professional miners who are siphoning all the value out of Bitcoin by mining at < $50 per BTC cost. (Edit: and then by roughly 2032 or sooner, Bitcoin completely dies because mining funding has to come nearly all from transactions and the coin becomes highly deflationary, but long before then we will have replaced Bitcoin)

This is why I have tried to move entirely away from viewing PoW as security, because it isn't by itself security. I view PoW only as a Sybil prevention mechanism for obtaining a consensus on nominated resources, which is an aspect of driving the security of the inertia that results from those resources. Without PoW, anyone could nominate themselves and there'd be no convergence of the inertia (which is precisely what I expect for Iota once someone writes a client other than the one they release to game theory their protocol)— other than meta-protocol convention and community coordination.

The only need for the PoW in my design is to prevent a Sybil attack on the distributed confirmation resources. A 51% attack that orphans a legitimate chain of these statements about resources, can't undo the reality of the inertia that has been established on that orphaned chain. It can supplement the resources, but attempting to take away resources that are already intertwined in the inertia will be ignored by all those nodes which are bound to lose income from unwinding that inertia.

I look forward to reading more details about your definition of inertia as it pertains to consensus design with great enthusiasm Smiley

The key is that when propagation is orders-of-magnitude faster than the block period, and there is no way to Sybil attack the network due to PoW consensus, then lying about having not propagated is statistically and objectively filterable as fraud. Thus the 51% attack falls away. There are more details that need to be explained.

In Satoshi's design the nodes want to be on the longest chain of PoW. In my design, they want to be on the longest chain of PoW which is not incongruent with the propagated inertia. There are two aspects (PoW and inertia) interlocking and supporting each other synergistically. The reason Bitcoin (Satoshi's design) can't do this distinction is because there is no inertia orthogonal to PoW. If you are thinking the PoW nominates the inertia, so the inertia is not orthogonal, then don't forget another key detail which is duration of nomination is much greater than any statistically objective honest orphan chain length (duration). Essentially my design is a form of anti-aliasing. More PoW resources can gain a larger share of the inertia, but the thing about inertia is that each participant views their own inertia as a priority and so any entity trying to blacklist another's inertia is going to be viewed statistically and objectively as fraudulent and thus that fraudulent PoW can be filtered out and its inertia spirals down. In other words, greater share of resources doesn't allow you to violate the laws of physics about propagation.
4050  Alternate cryptocurrencies / Altcoin Discussion / Re: Monero vs Boolberry Chess Challenge and CryptoNote technical discussion on: December 08, 2015, 12:41:31 PM
It sounds like we've gotten to the point of guessing what he meant, which is probably not too useful. Unless we can identify some specific serious vulnerabilities.

The serious vulnerability exists if someone has implemented SW security model, because then no one can proof that a transaction was invalidly signed for. This is the inversion of the property of proving that all the signatures are valid. You can proof it was validly signed for, but not invalidly signed for. So that is the only possibility of what Maxwell could have meant. Thus we are not guessing what he meant. Reading that linked Reddit thread, he was clearly unaware that BBR had implemented SW, thus he took the word of peanutbuttercoin literally and said that if you have SW security model without hashes of the signatures, then you have serious vulnerability in your security model. But this does not apply to BBR, because BBR never implemented a SW security model.

Nobody said that it implemented fraud proofs (which is what these proofs of invalidity are being called in bitcoin development). So maybe he assumed that, if so then incorrectly.

Go read that thread again. Maxwell was clearly assuming that peanutbuttercoin was insinuating that BBR had implemented SW. Clearly Maxwell wasn't aware of what "boolberry" had done and he was reacting to peanutbuttercoin's statement that BBR had not implemented hashes of signatures in its SW implementation. There is no other possible explanation that makes any sense. Even the thread reads clearly that Maxwell was responding to what peanutbuttercoin asserted was the case.

I personally don't care. I was trying to help those who asked for some clarification and even was using my scarce free time to try to help you as well. They call this sharing. As in the open source spirit. I thought I was being a good, helpful participant.

Quote
Even in my SW security model block chain design

Please try to stay on topic ("CryptoNote technical discussion") and avoid spamming mentions of your own coin.

I was agreeing with your point that not storing hash is silly. I misspelled "prove" as "proof" twice so obviously I wasn't putting a lot of effort into every pedantic detail. I didn't even consciously contemplate that I was doing something that would touch your nerve.

I heard Vaseline works well, but I haven't tried it myself.

Good grief, can't we just have a discussion without turning it into nonsense fights. Most of the verbiage was focused on the main point which was to address the concerns and details pertaining to that issue or recently to anonymity in general. As for competition, the few words we say here don't mean shit. It is all the hours of coding and all the effort put into marketing that will. If you think this thread is relevant in the marketing context, you've got larger hurdles than I even presumed.

You still don't have a clue that I don't need any promotion in this forum. I could have already launched my coin and you wouldn't even know. I have much bigger challenges (problems to meet head on) and bigger fish to fry (or crash and burn if I fail), than this. We were just having a discussion in Altcoin discussion which is a no man's land if considered relative to global scale of marketing.

I've got much bigger problems and issues to deal with pertaining to marketing success or failure. My reason for participating here is to help myself, you and others on brainstorming issues. It is totally out-of-proportion to worry about a slip of a few words here or there.

I would have been probably best served by saying nothing about RingCT and CN anonymity probably being a dead-end compared to Zerocash. This is only a recent realization for me and I am not yet 100% final on that insight. But how does it help me in a competitive sense to get you, Shen, Blockstream, and the rest of Monero to stop wasting effort and refocus your efforts in another direction. If I was being selfish, I should STFU and let you go on without sharing my brainstorming.
4051  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 08, 2015, 11:58:47 AM
There are two ways to deal with this problem:

1) Force every user to submit PoW with their transactions, i.e. no transaction gets on the block chain without PoW attached. Note getting this sort of design to be robust, requires an entirely different way of structuring a block chain. If the attached PoW is low enough difficulty, then it costs more to farm it out (network latency cost) than to mine it locally given it is an insignificant and unnoticeable cost.

2) Limit debasement to a small annual percentage.

In that case, the professional miner will not be able to mine a significant quantity of the coins, and they will not be selling a significant percentage of the market cap. Thus the downward pressure on the price that impacts Bitcoin will be abated.

The reason for the block reward is to subsidise the security of the blockchain. In bitcoin, each transaction would need to pay $7 of transaction fees to achieve the level of security that it currently enjoys, without block reward.

Point 1 - if only transaction submitters can mine their own blocks, how do you handle difficulty adjustment?

Difficulty is adjusted as it always is for PoW.

Point 2 - If it is not profitable to mine the chain, how do you achieve the same level of security as with a subsidised chain?

It might still be profitable to mine the chain for the professionals with very low electricity costs and very efficient ASICs, but for the transaction submitters it surely isn't profitable (but it isn't noticeable either so they don't care or even know).

The profitability is orthogonal to your point, which is you mean how to get Bitcoin's security if the percentage of your market cap paid to mining debasement and the market cap are not the same level as for Bitcoin.

You are making the point that small market cap and/or low debasement coins have lower PoW security.

I already asserted that 51% attacks are pretty much impotent. It will require nearer to 100% attack to snuff out the minority and force them to adopt a protocol change, which is the major risk from a 51% attack in existing PoW designs. Also in my design 51% doesn't help for creating a double-spend.

The only need for the PoW in my design is to prevent a Sybil attack on the distributed confirmation resources. A 51% attack that orphans a legitimate chain of these statements about resources, can't undo the reality of the inertia that has been established on that orphaned chain. It can supplement the resources, but attempting to take away resources that are already intertwined in the inertia will be ignored by all those nodes which are bound to lose income from unwinding that inertia. In other words, there will be sufficient allowance made for any reasonable orphan rate due to normal propagation delays and anything outside of that will have already accrued inertia and be impossible for the 51% attack to unwind in order to create a double-spend.

The reason that inertia alone couldn't be used to establish the single-point-of-truth on the resource set is because it doesn't have a definable boundary such as blocks that can be counted. Inertia is a local perspective (each participating node has a perspective on the inertia that is invested in) but it doesn't have global consistency. This is why I am confident the DAG coins such as Iota are flawed. Thus I still needed PoW for this global consensus, but the 51% can't win every block (only near to 100% can), so it is impotent in my design. The 51% can blacklist the minority's block solutions, but if the reasonable propagation delay is orders-of-magnitude less than the period of 1 block then such habitual blacklisting can be statistically distinguished from orphan rate and thus can be objectively identified as malicious and ignored. Propagation ends up being the crucial design factor in designs like mine. This is why I said I don't think Bitcoin can graft these things onto their existing paradigm. More details will be forthcoming in the white paper.

That is far more details than I really wanted to release now. So any further questions that require explaining the details of my design might elicit from me, "wait for the white paper".

Edit: Bitcoin pays far too much to security. The only reason to pay anything for security in my design is because 0% debasement is deflationary because users lose private keys. By paying those losses back to users who transact, it transfers value over time from those who don't transact to those who do, which is favorable for encouraging more currency use and more network effects. What could be done instead is pay nothing for PoW mining and then pay debasement proportionally to every coin that transacted in that period (or pay weighted by coin days destroyed age). But this weighting by value would be incongruent with hidden values (private data). Instead the payment could be weighted by the number of transactions, which is functionally equivalent to paying for each mining share of PoW (assuming every transaction is required to include the same level of PoW). If the PoW allowed to be submitted with each transaction is less than the profitability for the confirmation node from typical transaction fee, then professional miners could not mine profitably. They might consider being their own confirmation node, except the assumption is transaction fees will in a competitive environment be very near to cost with very low profit margins so if the PoW was sufficiently high then professional miner couldn't overcome. But I think that is unlikely to be the case because of the asymmetry in the delay for a home user and cost for a professional miner to compute that PoW share. If private keys timed out (e.g. yearly), we could more precisely calculate the level of debasement needed, but this would be shocking to people that lose their coins because they were inactive. Instead if coins assumed to be lost were allowed to be spent, one could use demurrage to recapture excess prior debasement, but the problem is that doesn't spread the pain out equitably between those who were formerly invested in the coin but sold and those who are currently invested. 
Debasement is much less individually and immediately noticeable. Small levels of debasement are not an issue for users (nor investors). Heck Bitcoin's debasement is still nearly 10% per year and was much higher in the past. I think many people forget that many coins are lost (I've lost private keys for close to 1 BTC in 2 years already which is roughly 1+% of the volume of BTC that ever passed through my hands). With smaller balances and microtransactions, much larger percentage will be lost.
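The transaction-attached PoW that the posts above describe (option 1, "no transaction gets on the block chain without PoW attached", and the earlier reply that the per-transaction difficulty is a fixed number of leading 0 bits that a big miner cannot push up), as an added example that is not part of the original posts or the author's coin. It assumes a hashcash-style stamp: the payer binds a small BLAKE2b proof to the canonical digest of the transaction body, and the confirmation node verifies it against a constant target rather than a market difficulty. The field layout, the 12-bit target and the sample transaction are constructed here for illustration.

```python
"""Transaction-attached proof-of-work stamp with a fixed leading-zero-bit target.

Added example, not code from the posts or the coin they discuss. The scheme,
field names and target size are constructed for illustration.
"""
import hashlib
import json

STAMP_BITS = 12   # constructed per-transaction target; a real coin fixes this by consensus
NONCE_LEN = 8     # constructed nonce width in bytes


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest (0 .. 8*len(digest))."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def transaction_digest(tx: dict) -> bytes:
    """Canonical digest of the transaction body that the stamp is bound to.

    Canonical JSON (sorted keys, no whitespace) so every node derives the same
    digest from the same body.
    """
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.blake2b(canonical, digest_size=32).digest()


def stamp_hash(tx_digest: bytes, nonce: bytes) -> bytes:
    """The value whose leading zeros are counted: BLAKE2b(tx_digest || nonce)."""
    return hashlib.blake2b(tx_digest + nonce, digest_size=32).digest()


def mint_stamp(tx_digest: bytes, bits: int = STAMP_BITS, max_iters: int = 1 << 24) -> bytes:
    """Payer side: search nonces until the stamp hash has at least `bits` leading zeros.

    The counter starts at 0 so the result is reproducible; expected work is
    about 2**bits hashes, which at 12 bits is a few thousand, i.e. unnoticeable.
    """
    for counter in range(max_iters):
        nonce = counter.to_bytes(NONCE_LEN, "big")
        if leading_zero_bits(stamp_hash(tx_digest, nonce)) >= bits:
            return nonce
    raise RuntimeError("no stamp found within max_iters")


def verify_stamp(tx_digest: bytes, nonce: bytes, bits: int = STAMP_BITS) -> bool:
    """Confirmation-node side: one hash against a constant target.

    Because the target is a protocol constant, a large miner cannot raise it
    and price small devices out of sending transactions.
    """
    if len(nonce) != NONCE_LEN or not 0 <= bits <= 256:
        return False
    return leading_zero_bits(stamp_hash(tx_digest, nonce)) >= bits


def stamped_transaction(tx: dict, bits: int = STAMP_BITS) -> dict:
    """Attach the stamp as a separate field so it is not part of the digested body."""
    return {"body": tx, "stamp": mint_stamp(transaction_digest(tx), bits).hex()}


def accept_transaction(stamped: dict, bits: int = STAMP_BITS) -> bool:
    """Node admission check: recompute the digest from the body, then verify the stamp.

    A stamp minted for one body does not transfer to an edited body, since the
    digest (and hence the hash) changes.
    """
    try:
        body = stamped["body"]
        nonce = bytes.fromhex(stamped["stamp"])
    except (KeyError, TypeError, ValueError):
        return False
    return verify_stamp(transaction_digest(body), nonce, bits)


if __name__ == "__main__":
    tx = {"from": "alice", "to": "bob", "amount": 5, "seq": 1}   # constructed sample
    stamped = stamped_transaction(tx)
    print("stamp:", stamped["stamp"], "accepted:", accept_transaction(stamped))
    tampered = {"body": dict(tx, amount=500), "stamp": stamped["stamp"]}
    print("tampered body with reused stamp accepted:", accept_transaction(tampered))
```

Two design points worth noticing against the posts: the stamp lives outside the digested body (the same separation the "segregated witness" discussion elsewhere in the thread is about), and verification is a single hash, so a confirmation node pays nothing like the cost the payer paid. The constant target is the page's own point that the attached PoW "is not used to rate limit spam" in a difficulty race; it only makes every payer contribute a fixed, tiny amount of work.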
4052  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 08, 2015, 11:27:49 AM
....

Agreed this is a problem when there is a huge double-digit percentage annual debasement due to PoW that is mostly ending up in professional miners' hands. The professional miners locate their latest model ASICs next to hydropower plants and have 1/4 the electricity costs (compared to residential) and 1/100th - 1/1000th (for a specially designed PoW hash function such as the one I will soon release, not SHA) the computational costs compared to general CPU at home, thus their cost of mining for example a Bitcoin is less than $50 each. They will always have an incentive to add more resources to capture a greater percentage of the mined coins.

But that isn't the only way to structure PoW mining.

There are two ways to deal with this problem:

1) Force every user to submit PoW with their transactions, i.e. no transaction gets on the block chain without PoW attached. Note getting this sort of design to be robust, requires an entirely different way of structuring a block chain. If the attached PoW is low enough difficulty, then it costs more to farm it out (network latency cost) than to mine it locally given it is an insignificant and unnoticeable cost.

2) Limit debasement to a small annual percentage.

In that case, the professional miner will not be able to mine a significant quantity of the coins, and they will not be selling a significant percentage of the market cap. Thus the downward pressure on the price that impacts Bitcoin will be abated....

Why not just use copyrighted cpu extensions that are illegal for manufacturers to produce without Intel and or AMD licensing?

China doesn't enforce our copyrights.

Governments don't enforce our property rights when it conflicts with their power.

If not for the fact that not all global jurisdictions will comply, I would presume that authorities could probably track down the centralized sources of PoW that a botnet could be retrieving the PoW from. The botnet itself can't be targeted with legal action.

Generally speaking I do not even consider any ideas that involve relying on legal structures to enforce, because I am strongly anarchist/Libertarian. But it is also true that until there is a NWO world government totalitarianism that has a monitoring 666 chip on every computer and human, then enforcing law is leaky.

We are trying to construct monetary freedom orthogonal to dependence on governments.

I don't consider a copyright to be property, rather I consider it to be theft from the future (degrees-of-freedom). Coasian barriers are stable until they burst.
4053  Alternate cryptocurrencies / Altcoin Discussion / Re: Monero vs Boolberry Chess Challenge and CryptoNote technical discussion on: December 08, 2015, 06:38:56 AM
It sounds like we've gotten to the point of guessing what he meant, which is probably not too useful. Unless we can identify some specific serious vulnerabilities.

The serious vulnerability exists if someone has implemented SW security model, because then no one can proof that a transaction was invalidly signed for. This is the inversion of the property of proving that all the signatures are valid. You can proof it was validly signed for, but not invalidly signed for. So that is the only possibility of what Maxwell could have meant. Thus we are not guessing what he meant. Reading that linked Reddit thread, he was clearly unaware that BBR had implemented SW, thus he took the word of peanutbuttercoin literally and said that if you have SW security model without hashes of the signatures, then you have serious vulnerability in your security model. But this does not apply to BBR, because BBR never implemented a SW security model.

Someone should post a clarifying remark at the Reddit thread so that Maxwell's comment isn't taken out of context. Most people won't realize the context within which he meant vulnerabilities could exist.

I do dislike the whole "My fork! No, my fork!" issue even if crypto_zoidberg (or whomever) can produce all the signatures. This is what I wrote a year ago:

Possibly it is discovered by someone who has an archived version of the chain, but even then, it can't even be independently verified that their claimed version of the chain is the correct one. Maybe someone else comes up with a different one. There are no hashes to refute this.

It is far better to retain the ability but not the requirement to independently verify the chain, and retain the chain somewhere in a trustless decentralized network.

Even committing a hash of the early chain (full hash including, not excluding, ring sigs) when you trim it would be somewhat better, but as far as I know is not being done.

The trust model of the BBR ring sig trimming -- within the chain itself and not relying on external sources -- is simply that everything is okay below the checkpoint because the developer said so and put a checkpoint there.

crypto_zoidberg disagreed at the time. I still don't know that it rises to the level of "serious vulnerabilities". Anyone interested can click through and read the entire exchange.

That is not the issue Maxwell was referring to.

Nevertheless, I agree that not putting a hash of the signature in the block chain is silly, because then you can never verify from an archive which fork has only transactions that were signed for. But this flaw is not the same as SW security model, because of the fact that BBR requires the valid signatures to be present and verified by all full nodes up to a large number of blocks of history (to the last checkpoint where signatures were discarded).

Even in my SW security model block chain design, I keep the signature hashes and it is still possible to download the entire block chain (of that node's perspective of the longest chain) and verify it. The Satoshi security model is retained in some sense. The differences revolve around the risk of being a less-than-full node. And I don't think Wuille fully comprehends yet all the issues. And the issues are different depending on the holistic block chain design. This is very complex, so I'll defer to a future white paper on this where I can more exactingly cover the various cases and details.
4054  Alternate cryptocurrencies / Altcoin Discussion / Re: Monero vs Boolberry Chess Challenge and CryptoNote technical discussion on: December 08, 2015, 06:12:41 AM
Well if someone can come up with valid signatures for one fork and someone else merely has a fork claiming to be valid but can't produce signatures, it is pretty clear which one will be more credible.

Yeah except the longer fork could claim the signatures are missing. And they could be for UTXO that have not yet been spent on the other fork, so there is no way to show that one fork has signatures for those UTXO and the other doesn't. And you could have a bunch of valid signatures for a recent time window wherein signatures are not supposed to be yet discarded. So then how do you prove those old UTXO were not signed for? You need for the owners of those UTXO to sign a message saying they didn't yet spend their outputs. If the adversary had some way to determine which UTXO are those where the private key has been lost, he could steal them this way.

Sounds far-fetched though.

I don't necessarily see a big problem here. That was crypto_zoidberg's argument, and for that reason he put the chain (with signatures) on a web site. Though I don't think it has been updated.

In Bitcoin it is already the case with UTXO pruning that if no one voluntarily saves the whole chain the system is pretty screwed.

I don't see "major vulnerabilities" here.

Re-reading the context where "nullc" commented (didn't realize before that username is Maxwell), I think he means that in the context that BBR would be fully supporting a SW (segregated witness) with proof-of-fraud as the security model. Apparently Maxwell took peanutbuttercoin at his implication that BBR had implemented the SW security model, which in fact BBR has not really. So Maxwell's comment is due to a failure of communication as to what BBR has actually implemented. SW security model requires proof-of-fraud, which requires being able to prove which signature was used for a transaction so it can be shown the signature was invalid in the proof.

Edit: someone might want to make a clarifying post on the Reddit subthread. I am not going to do it.
4055  Alternate cryptocurrencies / Altcoin Discussion / Re: Monero vs Boolberry Chess Challenge and CryptoNote technical discussion on: December 08, 2015, 05:47:00 AM
I think the original motivation was to remove signatures from the data that is hashed so as to make the hash of the transaction (the TX ID) orthogonal to the signature data, so as to deal with malleability since due to the use of ECDSA there are two versions of the same signature that are equivalent (one of the reasons Wuille says he wants to replace them with Schnorr signatures instead).

But then to do what they are calling a "segregated witness", the security model changes from every node verifying every detail for themselves, to every node assuming that some node will publish a proof-of-cheating if any activity was incorrect.

They are suggesting nothing of the sort. Full nodes in Bitcoin will still download the entire chain, including signatures. The peer-to-peer protocol will expect the signatures to be delivered along with the block and will then verify it using a hash stuffed in the coinbase.

They are suggesting to add a new sort of less-than-full node that is less secure than full nodes, but full nodes will operate under the same security model, just using a different method for fetching (and verifying) the signatures.

Which is what I wrote also:

Which I think is why they are not proposing for segregated witness to exist without the current security model still in force.

I did not suggest they were going to abandon Satoshi's security model. I explicitly stated they are not. Period.


As an additional tangential point, it is possible to get the benefits of using only segregated witness security model, while also still allowing full nodes to download the entire block chain. But Bitcoin better dare not do that, because as I pointed out, the Bitcoin network can't guarantee propagation nor assign blame when some proof-of-cheating doesn't propagate to an innocent less-than-full node. The implications are perhaps less severe in Bitcoin's case because it isn't attempting 1 second transaction confirmations and making PoW orthogonal to transaction confirmation. So when I say they better not do that, I mean (qualify my prior post) within the context of using segregated witness to maximize scaling of distributed transaction confirmation.

Quote
Apparently BBR is including the signatures in the hash of the TX ID.

It does not. BBR neither includes the signatures in the TX ID nor does it include an additional hash.

This is the interesting part, in that gmaxwell claims this introduces some sort of vulnerabilities, but it isn't clear to me what they are.

I believe Maxwell is referring to the inability of the segregated witness to construct a proof-of-cheating. And the implication is if you didn't do this historically, then you can't soft fork to add the segregated witness feature. But I didn't read Maxwell's comments, so I am just extrapolating based on the quick read of the one epistle from Wuille I linked to.

Without a hash of the signature, there is no way to verify that a block chain was constructed with signatures, i.e. a 51% attack could steal coins. I presume BBR avoids this by enforcing that a fork from before a check point (where signatures were discarded) isn't allowed. Problem is even if someone saved the signatures, there is no way to absolutely prove that if a fork of BBR appears with greater cumulative PoW, that it isn't the valid one other than assuming the community and the lead dev can point to which checkpoints are the correct ones.
4056  Alternate cryptocurrencies / Altcoin Discussion / Re: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin? on: December 08, 2015, 05:08:10 AM
This might not be an issue at all, but gmaxwell seems to imply here that there might be a vulnerability in the way segregated witness is implemented in BBR:

https://www.reddit.com/r/Bitcoin/comments/3vq8hm/multiple_new_bip_proposals_coming_up_on_day_2_of/cxpxi5t

Is this something to be worried about? Does it potentially impact other CryptoNote coins or just Boolberry?

All they are saying there is that if you want to prune the signature data, you need to still keep a hash of the signature data in the chain of hashes (of Merkle trees) for the blocks. In other words, you need to still be able to prove which signature signed which transaction, even if you've actually discarded the signature data.

I believe BBR already does the correct thing. And afaik, Monero does not discard signature data, but I could be wrong about that. If they do, I assume they would do the right thing as well.

BBR does not include a hash of the signature data in the blockchain. I'm not sure what exactly are the alleged vulnerabilities either, but I've always been uncomfortable with it, as I said way back in the 2014 BCX free-for-all thread.

Monero does not have any kind of segregated witness so no issue there.

I think the original motivation was to remove signatures from the data that is hashed so as to make the hash of the transaction (the TX ID) orthogonal to the signature data, so as to deal with malleability since due to the use of ECDSA there are two versions of the same signature that are equivalent (one of the reasons Wuille says he wants to replace them with Schnorr signatures instead).

But then to do what they are calling a "segregated witness", the security model changes from every node verifying every detail for themselves, to every node assuming that some node will publish a proof-of-cheating if any activity was incorrect. In other words, these non-full nodes are able to maintain a UTXO (and thus aren't as dumb as SPV lite nodes) but don't verify every signature themselves. So in order to construct that proof-of-cheating, there must be a means to refer to which transaction on the block chain an invalid signature applied to which can be proven because of including a hash of the signature in the block chain. So in other words, malleability only applies until the transaction gets into the block chain. Once it is in the block chain, it is safe to hash the signature data and this enables segregated witness to function as intended.

Apparently BBR is including the signatures in the hash of the TX ID. Cryptonote doesn't have the malleability issue due to ECDSA because CN employs ed25519, which is an Edwards curve (variant of Schnorr). BBR isn't really doing a segregated witness. Rather BBR just discards signature data after assuming all full nodes had verified enough blocks of history. This is just checkpointing with lossy compression. Whereas, segregated witness is where all nodes don't verify the signatures and proof-of-cheating is used as the security model instead. Remember smooth, I had told you my design required a change in the security model.

However, I don't think Bitcoin can implement segregated witness correctly:

---8<---

One of the implications in my design is that propagation of data is crucial and thus an objective truth about who is not propagating has to be established. Afaics, this can't be accomplished with an ad hoc P2P network where data propagates over several peer hops.

Wuille admitted this:

http://diyhpl.us/wiki/transcripts/scalingbitcoin/hong-kong/segregated-witness-and-its-impact-on-scalability/

Quote from: Wuille
So your security assumption goes from not being sybilled, and no miner collusion, goes to "and I am not censored from other nodes which altogether do 100% validation" (for receiving fraud proofs).

This is a far-more scalable full-node or partial-full-node model that we could evolve to. It's a security tradeoff. It's certainly not one that everyone would want to make, but it doesn't affect those who wouldn't want that.

Which I think is why they are not proposing for segregated witness to exist without the current security model still in force. And I think once they dig down in DDoS, they will realize you can't mix the two.

This is why I say Bitcoin can't graft this on. It is stuck where it is. We will need an altcoin to start over from scratch. (well I've been wrong before about certain details, so wait for me to write a very detailed paper before assuming this is certain)

Note I had mentioned to you in private weeks (or months?) ago that I had discovered a way to restore the security model to equivalent of Satoshi's. I thought I had. But once I dug into the details of DDoS, I found issues.
4057  Alternate cryptocurrencies / Altcoin Discussion / Re: Monero vs Boolberry Chess Challenge and CryptoNote technical discussion on: December 08, 2015, 05:02:33 AM
This might not be an issue at all, but gmaxwell seems to imply here that there might be a vulnerability in the way segregated witness is implemented in BBR:

https://www.reddit.com/r/Bitcoin/comments/3vq8hm/multiple_new_bip_proposals_coming_up_on_day_2_of/cxpxi5t

Is this something to be worried about? Does it potentially impact other CryptoNote coins or just Boolberry?

All they are saying there is that if you want to prune the signature data, you need to still keep a hash of the signature data in the chain of hashes (of Merkle trees) for the blocks. In other words, you need to still be able to prove which signature signed which transaction, even if you've actually discarded the signature data.

I believe BBR already does the correct thing. And afaik, Monero does not discard signature data, but I could be wrong about that. If they do, I assume they would do the right thing as well.

BBR does not include a hash of the signature data in the blockchain. I'm not sure what exactly are the alleged vulnerabilities either, but I've always been uncomfortable with it, as I said way back in the 2014 BCX free-for-all thread.

Monero does not have any kind of segregated witness so no issue there.

I think the original motivation was to remove signatures from the data that is hashed so as to make the hash of the transaction (the TX ID) orthogonal to the signature data, so as to deal with malleability since due to the use of ECDSA there are two versions of the same signature that are equivalent (one of the reasons Wuille says he wants to replace them with Schnorr signatures instead).

But then to do what they are calling a "segregated witness", the security model changes from every node verifying every detail for themselves, to every node assuming that some node will publish a proof-of-cheating if any activity was incorrect. In other words, these non-full nodes are able to maintain a UTXO (and thus aren't as dumb as SPV lite nodes) but don't verify every signature themselves. So in order to construct that proof-of-cheating, there must be a means to refer to which transaction on the block chain an invalid signature applied to which can be proven because of including a hash of the signature in the block chain. So in other words, malleability only applies until the transaction gets into the block chain. Once it is in the block chain, it is safe to hash the signature data and this enables segregated witness to function as intended.

Apparently BBR is including the signatures in the hash of the TX ID. Cryptonote doesn't have the malleability issue due to ECDSA because CN employs ed25519, which is an Edwards curve (variant of Schnorr). BBR isn't really doing a segregated witness. Rather BBR just discards signature data after assuming all full nodes had verified enough blocks of history. This is just checkpointing with lossy compression. Whereas, segregated witness is where all nodes don't verify the signatures and proof-of-cheating is used as the security model instead. Remember smooth, I had told you my design required a change in the security model.

However, I don't think Bitcoin can implement segregated witness correctly:

---8<---

One of the implications in my design is that propagation of data is crucial and thus an objective truth about who is not propagating has to be established. Afaics, this can't be accomplished with an ad hoc P2P network where data propagates over several peer hops.

Wuille admitted this:

http://diyhpl.us/wiki/transcripts/scalingbitcoin/hong-kong/segregated-witness-and-its-impact-on-scalability/

Quote from: Wuille
So your security assumption goes from not being sybilled, and no miner collusion, goes to "and I am not censored from other nodes which altogether do 100% validation" (for receiving fraud proofs).

This is a far-more scalable full-node or partial-full-node model that we could evolve to. It's a security tradeoff. It's certainly not one that everyone would want to make, but it doesn't affect those who wouldn't want that.

Which I think is why they are not proposing for segregated witness to exist without the current security model still in force. And I think once they dig down in DDoS, they will realize you can't mix the two.

This is why I say Bitcoin can't graft this on. It is stuck where it is. We will need an altcoin to start over from scratch. (well I've been wrong before about certain details, so wait for me to write a very detailed paper before assuming this is certain)

Note I had mentioned to you in private weeks (or months?) ago that I had discovered a way to restore the security model to equivalent of Satoshi's. I thought I had. But once I dug into the details of DDoS, I found issues.

Tifozi was guessing that letsplayagame (https://bitcointalk.org/index.php?action=profile;u=543579) might be Aronian not languagehasmeaning. Languagehasmeaning appears to be a good player but nowhere near the caliber of the people discussed as possibly being the OP of that thread. I have never once seen languagehasmeaning claim to be a professional chess player.

Thanks. Believe it or not, I realized I had probably conflated the two users (I think it dawned on me when clicking the link in Tifozi's post), but as scatterbrained and busy as I am on other work, I just didn't have the energy to correct. I wouldn't have even pointed this out (which is myself adding noise), except I can bury it here at the end of this other useful post.
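Added example for the witness-commitment point made in posts 4056 and 4057 above (it is not code from BBR, Bitcoin Core, or anyone posting in this thread). It models the distinction those posts draw: a txid that hashes the transaction without its signature, a wtxid that hashes it with the signature, and a block that either does or does not commit to a Merkle root over the wtxids (the "hash stuffed in the coinbase"). Once signature data is pruned, a set of signatures fetched from an archive can be checked against the block only where that commitment exists; without it the chain alone cannot tell a genuine archive from a forged one. The double-SHA256, the Merkle construction and the three sample transactions are simplified assumptions, not any coin's real serialization.

```python
# Added example: a toy model of committing to witness (signature) data so it
# can be pruned yet still verified from an archive. Not code from BBR, Bitcoin
# Core or any poster in this thread; hashing and serialization are simplified
# assumptions, and the sample transactions below are constructed.
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for txids and Merkle nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """Bitcoin-style Merkle root: an odd level duplicates its last node."""
    if not leaves:
        return b"\x00" * 32
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Tx:
    body: bytes                 # inputs and outputs; the part the txid covers
    witness: Optional[bytes]    # signature data; None once it has been pruned

    def txid(self) -> bytes:
        """Transaction id that ignores the signature, so it cannot be malleated."""
        return sha256d(self.body)

    def wtxid(self) -> bytes:
        """Id that also binds the signature; only computable while it is kept."""
        assert self.witness is not None, "witness has been pruned"
        return sha256d(self.body + self.witness)


@dataclass
class Block:
    txs: List[Tx]
    tx_root: bytes                   # Merkle root over txids (in the header)
    witness_root: Optional[bytes]    # Merkle root over wtxids, committed in the
                                     # coinbase; None means no commitment at all


def build_block(txs: List[Tx], commit_witness: bool) -> Block:
    """commit_witness=False models a chain that hashes neither the signatures
    nor a hash of them into the block (the BBR behaviour described above)."""
    tx_root = merkle_root([t.txid() for t in txs])
    w_root = merkle_root([t.wtxid() for t in txs]) if commit_witness else None
    return Block(txs, tx_root, w_root)


def prune_witnesses(block: Block) -> None:
    """Discard signature data, as a node would below a checkpoint."""
    for t in block.txs:
        t.witness = None


def verify_archived_witnesses(block: Block, archived: List[bytes]) -> Optional[bool]:
    """Check signatures fetched from an archive against a pruned block.

    Returns True/False when the block carries a witness commitment. Returns None
    when it does not: with nothing committed, a correct archive and a forged one
    are indistinguishable from the chain alone, which is the gap discussed above.
    """
    if block.witness_root is None:
        return None
    if len(archived) != len(block.txs):
        return False
    claimed = [sha256d(t.body + w) for t, w in zip(block.txs, archived)]
    return merkle_root(claimed) == block.witness_root


def sample_txs() -> List[Tx]:
    """Three constructed transactions with placeholder signature bytes."""
    return [
        Tx(b"tx0:coinbase", b"sig0"),
        Tx(b"tx1:alice->bob", b"sig1"),
        Tx(b"tx2:bob->carol", b"sig2"),
    ]


if __name__ == "__main__":
    txs = sample_txs()
    archive = [t.witness for t in txs]
    committed = build_block(txs, commit_witness=True)
    prune_witnesses(committed)
    print("committed chain, real archive:  ", verify_archived_witnesses(committed, archive))
    print("committed chain, forged archive:", verify_archived_witnesses(committed, [b"x"] * 3))
    uncommitted = build_block(sample_txs(), commit_witness=False)
    prune_witnesses(uncommitted)
    print("uncommitted chain, any archive: ", verify_archived_witnesses(uncommitted, archive))
```

Two things the run makes visible: the txid of a transaction is identical whichever signature is attached (the malleability motivation for separating them), and the uncommitted block returns None for both the real and the forged archive, which is exactly why the posts say a fork claiming different or missing signatures cannot be refuted from the chain alone.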
4058  Economy / Economics / Re: Economic Devastation on: December 08, 2015, 04:25:33 AM
---8<---

This is why I believe privacy that can be done by the end applications will trump permissioned block chains. Sorry to James Dimon, IBM, and Blythe Masters. I will relish the day that James Dimon realizes that his money is a depreciating asset in our Knowledge Age.


---8<---

They know that that is why they are buying bitcoins. However they would also like to stall as much as possible to acquire more from the fiat system before it collapses.

You have to understand that the elite are not dumb, they are well hedged for any type of disasters.

However this will be positive for bitcoin, since the opportunist and sharp-eyed elite already hold bitcoin, while the not so bright elite don't. So when the game collapses, they will quickly hoard as much bitcoins as possible.

If that will come then a 1-2 million $ / bitcoin is also probable.

If they are buying Bitcoin, then I think they don't get it, because Bitcoin has no end-to-end principle privacy capabilities. I am speaking about an altcoin that will have those capabilities.
4059  Alternate cryptocurrencies / Altcoin Discussion / Re: Monero vs Boolberry Chess Challenge and CryptoNote technical discussion on: December 08, 2015, 01:12:51 AM
His fiancée (Chess WIM) has a background that also may make her interested in bitcoin:
https://en.wikipedia.org/wiki/Arianne_Caoili

I was in Manila (at age 27) when she first took up chess there at age 6. That her heritage originates from a developing world economy such as the Philippines and that she emphasizes Levon's trait to see the good in others seems to indicate an idealistic leaning. I am also amazed that a GM would share his time with us and even share some of his inner thought processes with us relative n00bs. Also I noticed his friendly demeanor both in his communications here (if Levon is languagehasmeaning) and also the handshake he did with Magnus Carlsen in a YouTube video that I viewed.

Up thread he stated there were still some tricks remaining in this game. And he had advocated moving the rook over to the right side, but the consensus moved the knight instead. I wonder what he foresaw as a possibility? I was observing on that YouTube speed chess match with Carlsen, that Magnus sacrificed a pawn to move more aggressively with his King and bishop to get behind the front line of pawns of Levon. I wonder if Carlsen could see that a draw was likely and decided to be more creative in hopes of a win? I notice that my urge when I dabble in chess is to be more aggressive and creative than conservative (but I am not good enough at chess to do it with appropriate consideration). I read that Carlsen doesn't follow any one set of opening strategies and is very creative. Anyway, I don't really understand all this. I haven't studied. A lot to think about and I don't have the free time.
4060  Economy / Economics / Re: Economic Devastation on: December 08, 2015, 12:25:11 AM
---8<---

This is why I believe privacy that can be done by the end applications will trump permissioned block chains. Sorry to James Dimon, IBM, and Blythe Masters. I will relish the day that James Dimon realizes that his money is a depreciating asset in our Knowledge Age.


---8<---