Bitcoin Forum
August 15, 2018, 03:12:36 AM *
241  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 15, 2013, 08:55:16 PM
There might be a provable way to destroy their CNP deposits too, but I have to think on it.

I think there is. Evil CNPs won't fall for it, but it is a huge indication that they are evil, and this still works.

CNPs don't need to sign all communications with all peers--such as regular tx activity, but it will sign the hash of each TB it receives with a timestamp and some indicator of whether or not it believes it has been received in time and whether or not it agrees with that TB's state of the network. This is some algorithm that can be rooted in the 10 TB window or whatever, I don't have the exact mechanism yet.

If a CNP refuses to sign a TB that a client has seen from another CNP or from the shadow peers, the client can essentially immediately ban that CNP.

Hilariously enough, because the honest CNPs will do this, the dishonest network could destroy their deposits in a dishonest half of the network--but this would be a huge indication that those CNPs are honest. For evilcorp to perform the reverse attack, the attack must be done in secret. On one side, all people watching know, on the other, no one watching knows. There must be a fully connected alternate network operating in secret. If it is a legitimate network split, things are hazier, but not unfixable. Unfortunately it may have to boil down to some kind of voting protocol to accept the network splits back in without penalty. Presuming it was an honest split, which should be so incredibly rare anyway, but the reasoning should be world news, the networks have every incentive to get back together peacefully and without penalty if there is a legitimate reason for the split. The money supply will be doubled if they don't. This applies to SHs too.

It gets back to whether or not EvilCorp can continue to fool everyone over an extended period of time. If someone receiving a tx that is intended to be double-spent, and it has confirmations from CNPs who acknowledge and accept the block the tx is in as the state of the network, the person who is potentially being defrauded has evidence that he is on an honest network. Even if those CNPs are evil and plan to renege, if they accept some forked chain at a later time and ignore those signatures, their CNP deposits can be destroyed on an honest network.

This makes the CNP portion of the network much more powerful and reliable. I think this can work really well.
242  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 15, 2013, 05:52:02 PM
Good bye, anonymint. It's been fun.
243  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 15, 2013, 05:48:34 PM
Etlase2, good to see you are moving away from a decentralized currency. ;)

Yes, I concede that if 7 billion people are not watching the network, all 7 billion people can't determine who is dishonest for themselves. But I also believe that 7 billion people can watch the network.
244  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 15, 2013, 05:40:51 PM
But what about these issues with missing TB?
What happens when SH from 1 to K signs TB, but SH K+1 releases his claiming previous K TBs did not arrive on time? And what if this (K+1)th TB contains transactions conflicting with ones in previous K blocks?
Blockchain does not have any data that would allow nodes to tell 'real' course of action and it would always resolve to some kind of voting between SHs?

Unfortunately, the situation here is not as well-defined. I've kind of gone back and forth on this, but honest CNPs will likely drop the section 2 TB data, wait until 10 honest TBs have come, then release the section 1 data so that the forking TB has no effect. If EvilCorp controls some significant amount of SHs in the same area of time, and controls a large percentage of the "trusted" CNPs--CNPs for whom non-connected nodes use as their view, EvilCorp could definitely cause problems. However, EC can't really use this attack to double spend, because anyone accepting a transaction is watching. If they see a block come that ignores the tx, they must wait longer. The longer EC waits before attempting this, the more people care about and have seen what is going on in between.

EC doesn't have to really convince anyone but the person(s) for whom it wants to dupe for this attack to actually accomplish something. After 10 TBs, EC must include the section 1s of the TB(s) it is attempting to reverse, or the counters for untrustworthiness are going to start going apeshit. If EC is trying to dupe someone out of a thousand, they might just wait around for a few minutes. If after a few minutes the tx has been confirmed and re-confirmed by 20 or so SHs, EC must deny 20 SHs per TB, resulting in an "untrustworthiness" counter that jumps by 20 each TB. If EC starts the reversal right away, the person being duped has no confirmation and sees a network split happening, potentially also seeing the bad/double spend in a later TB. This person will refuse the transaction at this point because it is obvious that a double spend is being attempted.

The larger the transaction, the longer you have to wait. And once EC does this once, everyone knows. A double spent transaction is provable, it's just not provable as to which side is honest.

Any CNPs that accepted the original TB in time but then are carrying the bad chain are provably dishonest for those connected to them, and perhaps provably dishonest to those who send the CNP's signatures around on these messages to other people that were watching at the same time. What this means is that anyone who sees it will remove all client-side reputation for that CNP. In fact, there might be a way to extend this further... hmm I think I have the beginnings of a really good idea about this, but I have to think more on it. But essentially, to get people to trust CNPs, they must provide a good view of the network for a long period of time. The client-side portion of these detection algorithms need to be robust. Since CNPs are much less anonymous than IP addresses, any time they perform this attack, they must create new CNPs and regain new trust all over. There might be a provable way to destroy their CNP deposits too, but I have to think on it.

However, the eventual resolution of all this is still murky. If there are no double spent transactions, it is rather easy, I think, but if there are, a potential algorithm must be considered to resolve it, or allow the network to fork on a double spend. EC could control 99% of the SHs, but almost none of the CNPs, and the fork will resolve on its own.

Also, this could lead to a very simple idea of "super CNPs" set up by trusted agencies for people who do not wish to be connected all the time. They could go to them for the answer when they are unsure. The super CNPs can be kept in check by anyone who is monitoring the network. These super CNPs don't even need to be anything other than something set in the client, voluntarily, by each user so that there is no centralizing attack possibility (the super CNPs wouldn't even know..). It is another layer of massive collusion that would be required to even attempt to fool anyone. I believe this is how ripple sort of works, but ripple gateways don't get paid and they hold IOUs like a bank. That would not be the case in decrits.
245  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 14, 2013, 06:43:30 AM
It appears to be fundamental.

Let me start by saying that your "can't do" attitude is reproachful. If I listened to everyone who told me that "you can't do this" over the last 2 years, we wouldn't be here debating the finer points of a system that, on its surface, solves or reduces a hundred different problems with bitcoin. And perhaps fiat too. Bitcoin presumes the financial incentive is not there to attack the network, or that it is difficult to surmount for some entity for which money is little object. There is no lesser presumption in decrits. Your see-sawing between "it's 51% attackable" to "it's completely inept" to "it's not anonymous enough" is a complete waste of everyone's time, including yours. Let me be stupid if you think I'm stupid, but go on your merry fucking way.

If, on the other hand, you are actually capable of changing your opinion, stop acting like a toad and start presenting arguments cohesively and in a focused manner, and perhaps progress could actually be made. Sor.rge and I have had a very productive conversation over PMs without you being the distraction that you have been since you arrived.

Now you may have noticed that I set up a little trap for you "upthread" by asking you what EvilCorp does in step 6 to control the network, and your answer was "well he controls the SHs he controls". We already know this. Yes, he can delay transactions, yes, he can delay other SH TBs if he controls enough in a row, but he does not control the network at 51% or at 90% of the shares.

Now, if this was proof-of-work or proof-of-hard disk, EvilCorp needs only control resources he may already control from say, attacking another network. But the only way to control decrits is to own decrits, something that can not be obtained anywhere else other than from within the network. So even if in the remotest of remote possibilities, someone does take control of the network and destroys it, whatever resources EvilCorp used to take control are now forever gone. He had to spend his fiat, or if a government printed fiat into hyperinflation to perform the attack, that government has essentially been overthrown. No government can stay in power without a sane monetary system. c.f. ROMAN EMPIRE. And now the people can just clone decrits, hell perhaps even agreeing to use the state of the network as it was before EvilCorp destroyed it, and destroy evilcorp's shares, and continue to prosper. No, this is not a simple transition, but it is a permanent fix to a temporary problem. EvilCorp has been eliminated regardless of whether or not the network continues in another form.

So, since EvilCorp/government is unlikely to perform this network destruction attack--as they go down with the ship--they will attempt to control. Except, to attempt the control you describe, they must continue to buy up shares in dramatically larger quantities than honest people. Being the "last TB" is mostly irrelevant. If he doesn't like what he sees, he can make 1 more opportunity for 3,000 DCR. He can make 2 more for 6,000 DCR. He can pick from what a GPU that can hash at 1MHash/s x 10 seconds or 10MHash for 30 billion decrits if a share costs 3,000 DCR. 30 billion decrits versus a millipenny of electricity. Are you going to continue to presume that these have the same difficulty to obtain?

And once he does find something he likes, he can't change the entropy after that unless he can throw another X million or billion decrits into the pool. And the options of what he might like boils down to "what few SHs can I give some strikes to?" He essentially has to buy everyone out of the currency before he can control it. All using a very simple, deterministic function. And he can't just withdraw and try again. Shares are not kept for 1 year as described in the OP except not really ever because then it suits your attack vector. Shares must be kept for 1 year or else you will lose your money. Your money is your control, not your hash power or your hard disk size. If you lose your money, you lose your control. Get it yet? If you don't keep adding or subtracting money from the system, you also lose your control. Get it yet?

This can even be extended to be even more difficult to obtain control of the last TB, if that truly is identified as a weakness. Program the function so that only the oldest 20% of the SHs are capable of creating the last TB. Now using removing money from the shares results in a multi-year penalty for each SH repurchased, or you'll have to control >80% just to have the opportunity to add billions more in shares to control the order. Meaning that adding shares and keeping them longer is the only way. And you must. keep. adding to continue controlling the order at a rate of 3,000 DCR per hash attempt.
246  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 14, 2013, 05:01:15 AM
The seed could be the hash of all transactions in the previous CB. You can't control the value of a hash, that's a major point of hashes: you can't find the content of a transaction which, when concatenated with the other transactions, will result in the given hash value. So you can't control the seed even if you control a part of the transactions.

You may not be able to control the seed, but you can see what the outcome will be with that seed, which means you can run it many times until you get something that you like. Hashing is a very cheap operation, cheaper still with server clusters targeting such activity. If you can see 4 billion futures, you only need to select the one that pleases you the most. So transaction activity can't be used for determining the next order.

Quote
Since there is no control of the random generator, you'll have to resort to bruteforcing it. In order to prevent that, I proposed fixing all the seeds completely and not using any "entropy" by your terms. While this complicates the attack significantly, it's still not bulletproof. Maybe it's easier to deal with the possibility of bruteforce search of a favorable seed. If the proportion of shares that you own is p, to have n consecutive TBs you'll have to enumerate (1/p)^n seeds. For n=360, an hour of disruption, and p=0.9, a 90% attack, you will need to enumerate 29695907506101728.772544490140544 seeds on average. We can live with that.

We can't predict the advancement of computing power, we can limit the amount of currency available at any one point.

There is a clear issue I have been avoiding in regards to letting any kind of adjustable seed determine the next order which was the reason I wanted to use deterministic signatures originally and changed from the deterministic function idea that I did have as the earlier design-case. I do not want to go down that path yet because I do have potential solutions, and it does not have anything to do with SH security. But the less futures EvilCorp can see, the better.

In any case, Ed25519 can be required to be the SH signatory function. It has deterministic signatures, and these can be used to generate entropy. Without requiring a deterministic DSA, each SH could include a structure such as this { signature of CB hash, symmetric encryption key }, encrypted with symmetric encryption key. The encryption key is revealed in the next CB, and it is a verifiable, unpredictable entropy unless EC controls 100% of SHs. Even without deterministic signatures, EC is in the same situation where he must exclude his keys to change the order, and this will result in severe penalties and EC has only the limited number of futures equal to the number of shares he controls, and modifying it will cause him to lose money. But this introduces a significant delay...
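An added example (not code from the thread or from any Decrits implementation) comparing the two seed sources discussed in the post above: a seed hashed from the previous CB's transactions, which whoever assembles the CB can grind, and a commit-then-reveal seed, where the only lever left is withholding reveals. Assumptions: the ordering function, the HMAC stand-in for a deterministic Ed25519 signature, the hash commitment used in place of the post's symmetric encryption, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from itertools import combinations

def H(*parts):
    """SHA-256 over length-prefixed parts (avoids ambiguous concatenation)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def order_from_seed(seed, shs):
    """Hypothetical deterministic ordering: sort SH ids by H(seed, id)."""
    return sorted(shs, key=lambda sh: H(seed, sh.encode()))

def longest_run(order, controlled):
    """Longest streak of consecutive TB slots held by `controlled`."""
    best = run = 0
    for sh in order:
        run = run + 1 if sh in controlled else 0
        best = max(best, run)
    return best

def expected_seeds(p, n):
    """The quoted estimate: (1/p)^n seeds for n consecutive TBs at share p."""
    return (1 / p) ** n

# --- Design A: seed = hash of the previous CB's transactions (grindable) ---
def grind_tx_seed(shs, controlled, honest_txs, tries):
    """The CB assembler varies one filler tx and keeps the best ordering seen."""
    best = -1
    for nonce in range(tries):
        seed = H(*honest_txs, b"filler-tx-%d" % nonce)
        best = max(best, longest_run(order_from_seed(seed, shs), controlled))
    return best

# --- Design B: commit in one CB, reveal in the next ---
def contribution(sh_key, cb_hash):
    """Assumption: HMAC stands in for a deterministic signature of the CB hash."""
    return hmac.new(sh_key, cb_hash, hashlib.sha256).digest()

def commit(open_key, contrib):
    """Assumption: hash commitment instead of the post's symmetric encryption."""
    return H(open_key, contrib)

def verify_reveal(commitment, open_key, contrib):
    """Check that a revealed (key, contribution) pair matches the commitment."""
    return hmac.compare_digest(commitment, H(open_key, contrib))

def beacon_seed(reveals):
    """Seed built from every revealed contribution, in SH id order."""
    return H(*(reveals[sh] for sh in sorted(reveals)))

def withholding_futures(shs, controlled, contribs):
    """Every ordering reachable by withholding some of one's own reveals.
    Returns (number_of_futures, best_run, reveals_withheld_for_best)."""
    mine = sorted(controlled)
    futures, best, cost = 0, -1, 0
    for k in range(len(mine) + 1):
        for withheld in combinations(mine, k):
            reveals = {sh: c for sh, c in contribs.items() if sh not in withheld}
            order = order_from_seed(beacon_seed(reveals), shs)
            run = longest_run(order, controlled)
            futures += 1
            if run > best:
                best, cost = run, k   # k withheld reveals = k penalised SHs
    return futures, best, cost

# Constructed sample network: 20 SHs, 4 of them under one party's control.
SHS = ["sh%02d" % i for i in range(20)]
CONTROLLED = {"sh03", "sh07", "sh11", "sh15"}
CB_HASH = H(b"constructed consensus block")
KEYS = {sh: H(b"constructed key", sh.encode()) for sh in SHS}
CONTRIBS = {sh: contribution(KEYS[sh], CB_HASH) for sh in SHS}

if __name__ == "__main__":
    print("seeds for n=360, p=0.9: %.4e" % expected_seeds(0.9, 360))
    for tries in (1, 100, 10000):
        run = grind_tx_seed(SHS, CONTROLLED, [b"tx-a", b"tx-b"], tries)
        print("tx-hash seed, %5d tries -> best run %d" % (tries, run))
    n, run, cost = withholding_futures(SHS, CONTROLLED, CONTRIBS)
    print("commit-reveal: %d futures, best run %d, %d reveals withheld" % (n, run, cost))
```

With the transaction-hash seed the number of futures is bounded only by hashing time; with commit-then-reveal it is capped at 2^k for k controlled SHs, and every future other than the honest one requires a visible, penalisable missing reveal.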
247  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 13, 2013, 05:40:04 AM
Quote
6. nothing to do here

Translation: evilcorp can't do anything to modify the result of a deterministic function. Ergo, the entire line of horse doodie about entropy is completely irrelevant. AnonyMint has now admitted he is utterly flawed in his presumptions.

Quote
this gives power to delay transactions for significant periods of time.

And the circle of troll continues. Back to "well they can delay transactions" as if this is somehow even remotely the same as a 51% attack. A 51% attack in bitcoin allows an evilcorp to delay transactions indefinitely and prevent anyone honest from being able to profit at all from the resources they put in the network. A 51% attack in decrits means evilcorp can delay transactions, on average, a smidgen longer than a 50% attack. It does not have any effect on the profitability of the honest SHs, because--as described in the OP--transaction fees are distributed based on reputation, which can only be gained over time. It has nothing to do with what txes were included in your TB. It also means that if you frequently pull join/leave shenanigans to even attempt to get more TBs in a row, the profitability of evilcorp per amount invested in the network is reduced because of its lower average reputation (not even considering early withdrawal penalties), and more importantly, the honest SHs are the beneficiaries.

AnonyMint is a gold-standard troll and nothing more.
248  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 12, 2013, 09:57:11 PM
WTF? He only has to spend the normal deposit transaction to position his SH at a desired ordered choice among the available choices given by your function.

Ok, since I really have no idea what argument you are making, let us make this really basic:

1. Imagine there are 10 SHs.
2. Imagine evilguy controls TB number 10, the consensus point.
3. Evilguy adds another SH via a deposit tx during his TB.
4. The SH randomization function is (Put new SH at end of list)
5. There are now 10 SHs in the exact order as before, plus evilguy's second SH at TB 11.
6. Huh
7. Evilguy controls the network

Can you please fill in part 6 for me?

Quote
If you control all the TBs, you control what goes in the consensus (as well as getting all the tx fees).

Oh hey look, more ideas from some other design that AnonyMint has in his head that can be attacked, because there just must be a way to attack it, and if the design doesn't have an attack, then we'll add to the design so that it does. You are unbelievably immature.

No one should pay any attention whatsoever to anything you have to say. You are some kind of sociopath.
249  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 12, 2013, 09:27:38 PM
but still the last TB can game this function and knows it a priori.

He can "game" it by spending (hundreds of) thousands of decrits. Then he must do this again at the next CB point.

Quote
The attacker only needs to target clustering his SHs in a consecutive order

By spending hundreds of thousands of decrits. And then what, denying SHs consensus? We've gone over that.

Quote
and then once he has all in a CB or nearly all,

With your pompous presumptions that 100% consensus won't be reached each CB.

Sure if you introduce fatal flaws in my design, fatal attacks could be found. Luckily, I know how to design a better system than you.
250  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 12, 2013, 08:44:20 PM
I have already stated that all it takes is a deterministic function to be applied to the current order of SHs. The only way to affect the outcome of this function is to continually add or remove SHs from the equation. Adding costs significant amounts of money, subtracting has penalties in both power over the system and early withdrawals. There is no infinite possibility scenario for the attacker to perform. New joins will be added in a deterministic manner that has nothing to do with the public key.

Sor.rge, do not allow yourself to be derailed by what AnonyMint thinks is necessary due to his lack of competence.
251  Alternate cryptocurrencies / Altcoin Discussion / Re: Proof-of-Consensus is a dead-end, won't work on: June 12, 2013, 07:44:36 PM
I skipped the rest because it was all based on this.

I tried explaining this to him, but he adamantly refused to accept it. There is no point in arguing with him.
252  Alternate cryptocurrencies / Altcoin Discussion / Re: No Money Exists Without the Majority on: June 11, 2013, 03:23:41 PM
That doesn't logically follow. Early adopters and greater fools is inherent in all investing, but that doesn't mean that one digital currency won't gain sufficient installed mass, to make competition impossible.

Bullshit. Switching to a digital currency requires dramatically changing the status quo in regards to money. Don't sit here and tell me that after that status quo is changed it could never be affected again. There is also *nothing* that precludes ongoing currency competition.

Quote
Booms and busts are caused by the fact that humans love (or feel they need) debt. I doubt this will ever change.

And who does debt make humans beholden to? Can we just completely eliminate that from the equation and lay the blame "on the numbers" rather than "on the system"? Seems awfully short-sighted to not even consider the latter.

Quote
However, the reason demand for debt will always be around is because not all the humans can compete and participate in the new technologies perfectly well. They use debt to compensate. And the majority is always behind the technological curve.

Thus you won't be able to prevent debt with a currency design, because debt is desired by the 51%. The political power will route around your attempts.

Arguments that are completely rooted in the idea of debt-based currencies. "The only option to maintain participation in the economy is debt, therefore people like debt." That is a non sequitur. Such simple logical fallacies cast doubt on any further conclusions.
253  Alternate cryptocurrencies / Altcoin Discussion / Re: Building the next generation FAST CRYPTO CURRENCY MINING MACHINE on: June 09, 2013, 06:06:05 AM
Instead of building a better miner... why not build a better coin.

Someone rang?

Quote
First flaw...
- Rewards are a gamble. They should be directly related to actual work provided, not a pot-luck. ... Your reward would be a direct fraction of the processing reward at the difficulty. Not a set reward, that excludes others actual work. That is just dumb, and as stated, already countered, thus, just leading to ASICs dominance. Eventually leading to one singular controller with the biggest asic-factory.)

In the Decrits proposal, people only create currency when it is profitable to produce the currency--there is high demand. The security of the network is separate from the monetary system. Security is paid for by tx fees. Coins are created as a block amount based on network activity, with each person wanting to mine part of the block "bidding" for it by producing small proofs-of-work. To reduce the "hardware tax" of the incentive to create ever more efficient hardware that ends up being more costly in the end (as explained by this thread), many coins are given freely away as a result of minting, via tx activity and account interest.

As these coins are given away, the incentive to continue creating coins quickly diminishes. Producing ASICs would quickly ramp up the difficulty so that ASICs are no longer profitable, and unlikely to ever see a return on the initial investment to create them, rather than the sunk costs of using a GPU. And new blocks of coins cannot be created unless there has been sufficient tx activity, so ASICs attempting to inflate the supply will quickly run into a wall where they can no longer mint until tx activity catches up.

It requires people to embrace the idea that using wasteful proof-of-work can not be the security of the system.

Quote
Second flaw...
- Poorly structured "tree branching", leading to 51% attacks. Though it can be corrected, it can not be avoided, and thus, 50% of this effort is wasted, and can lead to reversed transaction confusion, as "invalid transactions" get removed by the "corrected blocks". At minimum, no single entity/pool should be able to reach 33.333333% of the load. At the current time, pools are allowed to expand to 100% if desired. There should be a MINIMUM of 3x 33.333333% sections available for pool polling. Thus, always 3 separate entities, that can be confirmed, and can not "merge" works to become a 66.666666% pool, by obtaining two portions of the workload.

There is no competition in Decrits for who decides the network view. Shareholders stake the ability to create the network view with decrits. If they create a malicious view, their decrits can be destroyed, thus making it difficult to repeat the action. Each shareholder has a 10 second window where it can add transactions to be added to the chain. As long as the chain is relatively unbroken, small transactions can be reliably confirmed within 5-15 seconds.

Quote
Third flaw...
- Poor database structure and management. The "user", will eventually be burdened by a 385TB DB of transactions that only contain 1MB of transactions that relate to them. What are we at now, 9GB+ after 4.5 years, and growing exponentially with each transaction. (Users should only have to download transactions that pertain to them, and no more. Starting from the point at which they get that first transaction, and ignoring any other blocks that do not have transactions that do not pertain to them.)...

Decrits uses an account ledger that is updated by the consensus of shareholders every 10 days or so. Transactions after a set time are no longer necessary to maintain the state of the network. This limits the size on disk to the number of accounts times the number of bytes for an account. Somewhere on the order of 100 bytes. So even 1 billion accounts is only about 100GB. Additionally, because of the consensus system, "lite" clients can verify small blocks of accounts with only 50-100MB of data transferred per week in a network with millions of participants.

Quote
Fourth flaw...
- Lost accounts. There is no method of recovery for lost accounts. There are tools to assist with a recovery of a partial loss, if you have data to recreate it... but that only helps recover up to 100 keys beyond the point of where it can restore. Since, for some reason, new keys ask the network for the next 100 keys, instead of generating them sequentially, and selecting valid ones from YOUR selection, not asking the network for 100 more keys that you could never "guess", once a wallet is recovered. If it is ever recovered.

This is a software problem, not a network problem. Deterministic wallet addresses created by using personal information that is hard to obtain (good security questions) plus a sufficiently long password that must be securely kept, no one could lose their money due to a hard drive crash. Strongly enforcing this provision in the software is key to making this work.

Quote
Fifth flaw...
- Burden of load that does not expand, will only diminish in time. A diminished burden of load will result in failure of the network, as machines become fast enough to handle all transactions at once. Thus, leaving only one operator running the whole show. In the advent of ASIC's, it will turn the 30,000 GPU load-balanced network into 1,000 ASIC operators, which will fade into 10 Super-ASIC operators, which will end-up as 1 Super-Super-ASIC operator running the trillions of micro-transactions, and thus, not be able to "keep-up" the burden of the load, while manipulating the entire market that still exists.

"Handling" transactions is only a matter of bandwidth and CPU time. ASICs do not handle anything regarding transactions, only finding a nonce for proof of work. It is not required at all to secure the network. In decrits, as transaction volume increases, transaction fee receipts increase which encourages decentralization because to get paid, you only need to invest decrits into the security of the network, or you can also get paid by being a transmitting node. The Decrits proposal, coupled with its account ledger, will be highly bandwidth efficient, and the CPU time required to verify transactions can easily scale with home PC processing power.

Quote
Conclusion... Build a better coin. Otherwise you are just adding to the future problem, creating a super-asic.

See my signature for a link to the decrits proposal.
254  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 08, 2013, 05:40:57 PM
So I'm making a list.  Who are you and what are your qualifications for being a lead dev on a crypto?  Please let us know.

Edit: you can answer here or here. https://bitcointalk.org/index.php?topic=225643.0.

Cheers.

As far as real name, several people already know it (including anonymint), but at this point I don't think it's necessary to make it public. I don't plan on being another satoshi though. There is nothing dishonest about my design that would cause me to need to hide my identity.

As far as qualifications, I've been programming since I was about 12, but only as a hobbyist. After learning about bitcoin I went on a two year study of economics, cryptography, network protocols, byzantine fault tolerance, and so on while discussing and refining the various proposals that have eventually led to this one, the 6th, which I think is as close to perfect as an imperfect system can get. So, no qualifications really. Just a vision with the ability to come up with the design implementation whenever I need to dig further.

Have you written a white paper, or is the OP the closest thing you have?

I like the idea of innovative currencies, I will be including Decrits in my list of new innovative currencies and (attempting) to explain a little bit about it.

Keep up the good work, the future of crypto currencies depends on people like you. :)

No white paper... there are many things that have been addressed in various ways that I see as weaknesses in bitcoin or money in general. I'd rather just implement it. Thanks for the support, though.
255  Alternate cryptocurrencies / Altcoin Discussion / Re: No Money Exists Without the Majority on: June 08, 2013, 05:16:08 PM
We technologists have looked deeply for an alternative to Bitcoin, that would eliminate its 51% attack vulnerability, and have concluded with the 51% Rule of Decentralized Agreement, which implies that no decentralized digital currency will ever be able to (sustain an) escape from the desires of the majority of society.

There will never exist a form of highly fungible money (not gold, fiat, nor digital currencies) that will escape from the desires of the majority of society.

It seems to me as if you are agreeing with my point about currency clones and how if they are incentivized with a pyramid-like distribution, they can only be the norm rather than the exception. Even with perpetual debasement, no algorithm or fixed measure can determine the needs of the "51%".

Quote
The desires of the majority of society will always migrate towards boom and bust socialism.

I disagree with this point. Booming and busting is a factor that I believe is heavily exacerbated by a manipulated economy. While the technology cycle may be at the heart of the matter, it is the bankers and/or governments that extract a vast amount of the new wealth and freedom derived from technological/knowledge advancement primarily for themselves. Then they redistribute it in ways that centralize power within the government and wealthy.

Quote
The only way to fund everything is widespread debt and unfunded future promises, i.e. funding by obfuscating mutual self-destruction in debt and misallocation (causing destruction) of human capital.

I have at a few different times mentioned how I believe a currency that disincentivizes creating debt or accepting debt-notes would allow for new types of power structures to emerge. For example, an Open Business where new knowledge acquisition is funded by the people who want the knowledge. The easiest example is Open Pharmaceuticals--where people pay to have research done for targeted diseases. Then the Open Business recoups its costs and repays investors, perhaps saving some for new directions of research (or to help pay for failures), and then releases the knowledge for all. No scientists have been made billionaires by contributing to pharmaceutical research and development, so their effect on this equation would remain relatively unchanged. The knowledge-producers are rarely the ones that see the benefit. You seem to have proposed a similar idea but in regards to software.

Quote
Thus what gold standard proponents don't understand is that the insoluble political power vacuum that gives rise to booms and busts does not exist nor derive from the form of money used, but rather exists naturally in every society as explained above. The malfeasance of the leaders is not the source of the problem either, rather exist as a manifestation of the insoluble political power vacuum described above. So changing the form of money used or regulating or removing the corrupt leaders won't fix the fundamental driver of the phenomenon, and the insoluble outcome will occur again as exhibited over and over again throughout human history. The power elite are not even in control.

You conflate government-mandated co-opted production with monetary systems that are controlled by the same people. What significant monetary systems have been controlled by the people instead of the wealthy or the government? There aren't any of note. Gold provided it some times, temporarily throughout history, but it always eventually lost its "decentralization" due to the properties of FRB and the several mass confiscations.

Quote
It must be the case that savings in fungible money can not be a perfect perpetual claim on future human productivity, because otherwise past innovation eventually owns all future innovation.

This is a very apt statement.

Quote
Money and socialism are intertwined and this will never change.

We have to get to a Star Trekkian utopia at some point, don't we? In the meantime, a system must be devised to separate the control and creation of money from the elected or unelected leaders. Any system that does not allow for the "51% attack" on the money supply is simply going to get replaced now that the cryptocurrency paradigm exists. It seems as if again you are agreeing with me here, though we clashed on this point in the decrits thread. Co-opted production (government socialism) is not the same as co-opted money creation. I do believe my design has the blueprint to make much smoother transitions through the bust periods, and perhaps slow the boom periods simply because money is not created from nothing. Once money is no longer tied to debt-notes or to strictly limited supplies controlled by a few, how different could the cycles be? There is only one way to find out.
256  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 07, 2013, 07:33:56 AM
Some numbers for perspective:

Assume 4,000 tx/s [visa levels], assume every tx only pays the min tx fee of 0.01 decrits, that is 1.262B DCR per year that runs through the security system. This is not improbable 10 to 20 years from now I don't think. At least for whatever cryptocurrency has become the most popular.

For each SH to receive a 2%, non-compounding, rate of return if a share costs 3,000DCR, there will need to be DCR631m (1.262b/2, since 50% goes to CN) / DCR60 shareholders, or 10.5 m SHs supported by visa-like tx levels. 2% non-compounding is rather low, but the return can be invested in other ways, and that's 10.5 m SHs at minimum tx fees. 10.5 m x 3,000 is 31 billion DCR invested into just the SH side of network security. (As a side note I have considered an algorithm to increase the share price if the SHs total starts getting insane, 7 m or so "should be enough for anybody".)

CNPs will need significant bandwidth to run a visa-like connection (estimated 160Mbit/s, quite reasonable 10 to 20 years from now), but if there are say 1 million CNPs, that is 630 DCR per CY or 53 DCR per month, enough on its own to pay for a high-speed connection today, could easily pay for the costs of upgrading to a top-tier package with some profit on the side. Remember, little to no inflation in decrits, hopefully anyway. Performing a 50% attack on the CNPs would require 150m DCR (assuming 150 DCR deposit), and a 50% attack really is useless against the CNPs. CNPs that are being devious can be pretty damn obvious (to be detailed later), so clients will stop using them and will stop using their ID codes in txes, so they won't get paid, so the attack is nothing more than a waste of time. This is part of the subtle and not so subtle dichotomy between the CNPs and the SHs, and further enhances the network's foundation.

And every single client of the network could still detect any attack on it for about 1-2kB/s of bandwidth--an amount that might be free to everyone by that point if meshnets exist. Anyone who has any value in the network will be incentivized to watch it. And it is very cheap to do so. *Every single person* doesn't have to watch it though, they can be pretty sure if several million other people agree that this happened that it is probably true. If you haven't seen the pyramids in Egypt, does that make you believe that they do not exist? Where are the people who say it isn't true? Employees of the NSA?

Of course when the network is smaller there will not be several million people, but the same rule applies on a smaller scale. Those who have value in the network will be incentivized to watch. Someone can throw away 30 billion USD to try taking it down, but if the people who care are watching, the attack will be ineffective and the network will have gained that value at the very least by redistributing that fiat attack among the decrits users' fiat holdings (by selling some when the price was too high). If it encourages an economic shift towards decrits, then decrits permanently appreciates over fiat.

Efficiency and decentralization is paramount in every aspect of the design. With massive decentralization comes massive resilience. And a sane monetary system controlled by the people to boot.
257  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 06, 2013, 10:27:42 PM
Quote from: sor.rge
1) The assumption of reliable time-bounded propagation. This can be disturbed in various ways by the attacker.
Counterpoint: If the attacker already has this type of power, he doesn't need anywhere near 51% to control the network. Compare bitcoin with its 10-20 nodes with the network view. An attacker need only disrupt a couple of them to cause complete chaos. In Decrits, he will need to disrupt massive portions of the internet.

Quote
2) Race conditions with the timeouts. The malicious peers can release the critical information when its time is running out, in this way dividing the opinions of the observing nodes. Some of them will believe the message is late, others that it was on time. This confusion potentially will open the possibilities for other attacks.
You are going to have to be clearer. I can imagine several different things that you mean by "timeouts" so instead of covering them all in a jumbled mess, I'd prefer clarification.

Quote
3) The nodes which didn't observe the attack, and only see the resulting fork, will still not know whom to trust. Both parties will claim that the other didn't release their TBs on time or didn't accept legitimate TBs which were released on time.
I explained why this is ok--I'm sure not very well though. A PTB will effectively stop the attack on the network, meaning there will not be any 51% attack, but just an attack on perhaps 5-20 honest SHs (the attack you and anonymint brought up as potentially being more critical--making small forks). But those SHs that were attacked can not be denied consensus, because the evil chain must include the PTB or it is screaming network takeover attempt. A PTB should essentially be thought of as a critical stop to network activity. Until a node sees a chain with it included, it should not transmit that chain, and anyone using the network should not make transactions until they see a chain with that PTB.

It sort of puts EvilCorp on the spot. Stop the shenanigans or go ahead and fork. Everyone that is currently watching the network will see the fork forming. It won't happen instantly, it has to be as a factor of time. If they continue to fork, more and more people will see the untrustworthy network for what it is. Everyone watching knows of the attack. More will start asking for TB data, more will start seeing the fork.

Even if people are late to the game, they will receive the missing TBs assuming they are not isolated. To actually destroy the shares of the honest network, it must pretend as though the honest SHs refuse to reach consensus. While a TB from 2 hours ago could have been made 10 seconds ago, a new node will keep a counter from the time *it* saw the TB. Honest SHs must still add section 1 to the chain regardless of how late it is (unless it is so late that it is past the absolute deadline where shares are destroyed). This is what brings consensus. So anyone hopping on prior to that deadline will start counters. If there is a fork, the honest half will have all, or mostly all of the signatures in consensus that any node could see (including but not accepting). The dishonest half must exclude those whose shares it wishes to destroy.

If it does not exclude those, they only receive a strike. It is an attack vector, but it is not a critical one as I said. If they include the PTB then start another attack, the untrustworthiness will build more (it would have to go down over time). So if they do not want people to know who all of the dishonest SHs are and provide a long period of time for everyone to find out, they must settle for giving a few, random honest SHs strikes.


I really don't think this can be countered by any "well an attacker can control this or that view of the network". If they have the capability to do something like that, any defense for anything is impossible. It is essentially saying "you have fixed every single thing but complete and utter control. Your currency is 99% attack proof." And I say "thanks, that's what I been sayin brah"
258  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 06, 2013, 06:08:06 AM


This idea is still in the formulative stages, so bear with me. I have mentioned it a few times but wasn't totally confident in how it would work--but I also admitted that. This is one of the last ideas I came up with before writing this proposal--and so had the fewest blanks filled in. I'm still not 100% confident in this idea, but it probably has promise as a starting point. The caveat is that it does rely on honest network propagation. But propagation is so cheap in this design and is encouraged in several significant ways, and if the reward is a 99% attack proof network as long as most people pay attention...

Structure of a TB is two sections:
1. (block #, hashes of prior unacked block(s), "potential" CB hash ), signature
2. (part 1, tx activity, ongoing CB hash), signature

I have mentioned previously that TBs are a valid network view within a 10 TB window. As long as TB 54 is acknowledged by TB 64, no transactions in 55-63 can override one in TB 54. This is to allow for quick face-to-face confirmations for small txes. Originally the idea was that a SH would receive a soft strike if his TB was not accepted within that window, and then section 1 only needs to be added to the chain (saves data, section 2 won't affect anything anyway) at a later time to confirm that this SH did indeed sign the potential CB and is agreeing to consensus.

Now, I mentioned this in only one post somewhere, but instead of giving a soft strike then and there, give another 100 TB grace period where only section 1 gets added, but no soft strike. This would essentially allow a 15 or so minute grace period for network propagation. It leads me to come up with a deeper game-theoretic idea for this to deter minor trolling of this mechanic, but it's tangential at the moment. After that point a soft strike will be given. But the same data (section 1) is used to eventually add the signature data to the chain without it being necessary for the SH to do anything. Assuming the network is honest.

The longer this TB has been on the network but has not been acknowledged in the chain, the more untrustworthy the network becomes from the point of view of each node that maintains the consensus (again, 1kB/s @ 5 mil SH--it is the section 1s of the TBs). Want a formula? Fine.

Untrustworthiness = number of TBs since each TB was missed

So if 1 block goes unacknowledged for 100 blocks, it is 100. If 1 block goes unacknowledged for 100, and a second block for 50, the total is 150. Each node will have a slightly different idea of this untrustworthiness. However, the 51% EvilCorp must continue to deny honest SHs because they are acknowledging those section 1 TBs of the portion of the network it is trying to attack.

Say a number of 500 should be ringing all kinds of alarms on all clients paying any whit of attention. (This is something that needs test scenarios.) Then give a number larger than that to allow for others to catch up on untrustworthiness, say 1000, for honest SHs to create a Potential TB. This TB will essentially "call out" the situation and create an honest fork starter point. It will acknowledge the missed TBs--and they will not take soft strikes--and all the other SHs will receive soft strikes in this potential TB. This threshold could be user defined (we couldn't really force it anyway) so that it is more difficult for EvilCorp to even predict how the honest SHs will react.

An honest network must include this into the chain even if the block was maliciously created. Those peers in the block will be given strikes--though most already would have anyway for being missed and arriving late. The honest chain includes an evil PTB but does not accept it.

An evil network must also include it and not accept. And in doing so it can only give those peers strikes, it can't exclude them from consensus. But it could already give them strikes anyway. If the evil network does *not* include it, it is a beacon flashing all over the place to *stay away* for anyone that receives this PTB.

Either way, SHs that agree with the PTB will continue that chain even if they have minor doubts (threshold of say 300--this is still significant). This could be done automagically for the initiating SH with the 1000 point figure as a guideline. At this point the 51% attack must stop, or anyone monitoring the network even for a few minutes knows which chain is honest, because the evil network must keep denying the existence of new honest TBs (in which case the attackers that were used get strikes). Even a threshold of 10 is probably very suspicious, but it is an idea that needs testing. Honest SHs that get caught in the evil network because they were not monitoring long (shame on you) can learn that the evil network is continuing to be evil by denying TBs, and then acknowledge the honest chain in the next CB. All of the evil SHs can too, but the effect can not be used to repeatedly disrupt the network as they are receiving strikes. These strikes will probably be of the "medium" variety. I have been using the term "soft strikes" for minor problems implying that there may be more heavy-handed ones. It is something I need to develop.

So everyone monitoring the network (assuming wide propagation) knows which network is "more honest" by this mechanic. Either everyone gets back together to play nice, or a fork permanently emerges. Honest SHs caught in the dishonest network have a chance to reconcile, so no one honest can be hurt too badly by not sufficiently monitoring the network. And from then on everyone will be on extremely high alert.

Essentially, this system will let a 51% attack get nowhere near that point. To accomplish a true 51% attack, it must be carried out over the full 10 CD consensus period. Throughout this period, the EvilCorp must continue to deny honest SHs, and they continue to add to the untrustworthiness of their network. Unless they can suppress tiny amounts of data in the wild with insane accuracy--in which case they could simply kill the network via that mechanic without needing any SHs if they have so much control over the internet (need meshnets to become a reality to defend against this).

The incentive for a SH to put himself on the line is the fact that the untrustworthiness of the network is so high, if he is honest he is likely to be excluded anyway and receive a strike. Perhaps there could be a specific incentive if his PTB is continued too.

I guess sorrge was right about calling it trust. It is different to get out of my head and into electronic ink. There needs to be an avenue to fork without necessarily causing a catastrophe. This design leaves open the possibility of an undo button. Honest SHs can still come back at the cost of evil ones coming back as well. But they have not accomplished anything other than receiving a strike and disrupting the network temporarily. The failure is not critical which is critically important. And it is not easily repeatable without significantly more investment. How much will depend on how clever the strike system can be (combined with early withdrawal penalties and other things).

And from the very first minute or two of this attack anyone partaking in a large face to face transaction will know something unusual is up. It depends on how reliable the network is on average. These are things that are really hard to predict ahead of time, but it is important for defining transactional security.

Sorry for the super long post, but I feel like if I don't recap a lot of things, the mechanism will not be clear.

TL;DR VERSION: Each node watching the network keeps an internal idea of how untrustworthy the network is based on TBs it has seen that are not included in the TB chain. At some high trigger point, a SH node will create a different type of TB that will call to exonerate the missed TBs and penalize the offending SHs. This will create two potential future CBs, allowing the network to fork if necessary. If the evil 51% of SHs continue down the forked path, they generate more untrustworthiness that more people will see as the consensus period continues. The fork can be resolved by taking strike penalties. Honest SHs may be unjustly penalized (but not permanently) if they have not been monitoring, but it is the risk they take by not even monitoring the TB section 1 data. Clever penalties can make this attack very costly or ineffective while barely hurting the honest network. This premise does rely on wide propagation of all network data, but the alternative is an attack where EvilCorp has incredible control over the internet and can prevent that propagation, in which case it could simply cause the network to fail anyway without all the shenanigans.

After this, I have to slow down the discussion. I really am spending too much time on this. A wiki makes much more sense, and it will allow me to update where vulnerabilities are found, or to make things clearer over time rather than murkying up a thread. There is too much crap jumbled in my head that causes me to make mistakes. And I have the urge to be protective and defensive. Combine these things and well... but there are a whole bunch of other things that still need input too, and I had promised in earlier proposals to promote an open discussion of all the ideas prior to ever launching the currency. Being paranoid is not the way forward, even if AnonyMint has given me some reason to be.

Have you reconsidered at all your opinion of the currency distribution scheme AnonyMint? I made a pretty significant point about purchasing power lost being voluntary. If you want "in", start offering goods and services for decrits. There has to be a stable platform for commerce.

I have briefly looked over your other thread, may comment on it later.
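
The untrustworthiness counter described in the post above, sketched as an added example that is not part of the original post or of any Decrits code. The names `NetworkWatch`, `saw_tb`, `chain_advanced` and the status labels are assumptions, time is counted in chain TB numbers, an acknowledged TB stops counting at once (the post leaves any decay rule open), and the 500/1000/300 thresholds are the figures the post floats as starting points.

```python
"""Per-node untrustworthiness counter for unacknowledged TBs (illustrative)."""
from dataclasses import dataclass, field

# Figures the post floats as starting points ("say 500", "say 1000", "say 300").
ALARM_THRESHOLD = 500        # clients paying attention should be alarmed
PTB_THRESHOLD = 1000         # an honest SH creates a Potential TB (PTB)
FOLLOW_PTB_THRESHOLD = 300   # an SH that has seen a PTB continues that chain


@dataclass
class NetworkWatch:
    """Tracks TBs this node has seen that the TB chain has not acknowledged.

    Assumption: time is measured in chain TB numbers, and an acknowledged TB
    stops counting immediately (the post leaves the decay rule open).
    """
    height: int = 0
    first_seen: dict = field(default_factory=dict)  # tb_id -> height when seen

    def saw_tb(self, tb_id: str) -> None:
        # The counter starts when *this node* saw the TB, not at the time the
        # TB claims for itself; seeing it again does not restart the counter.
        self.first_seen.setdefault(tb_id, self.height)

    def chain_advanced(self, new_height: int, acked=()) -> None:
        # A new chain TB arrived; every TB it acknowledges stops counting.
        self.height = max(self.height, new_height)
        for tb_id in acked:
            self.first_seen.pop(tb_id, None)

    def score(self) -> int:
        # Untrustworthiness = sum over missed TBs of the TBs elapsed since seen.
        return sum(self.height - seen for seen in self.first_seen.values())

    def status(self, ptb_seen: bool = False) -> str:
        s = self.score()
        if ptb_seen and s >= FOLLOW_PTB_THRESHOLD:
            return "follow-ptb"
        if s >= PTB_THRESHOLD:
            return "create-ptb"
        if s >= ALARM_THRESHOLD:
            return "alarm"
        return "ok"


def demo():
    """Constructed scenario: two TBs withheld from the chain, then one acked."""
    node = NetworkWatch()
    node.saw_tb("tb-A")                 # seen at height 0
    node.chain_advanced(50)
    node.saw_tb("tb-B")                 # seen at height 50
    node.chain_advanced(100)
    results = [(node.height, node.score(), node.status())]
    for h in (500, 525):
        node.chain_advanced(h)
        results.append((h, node.score(), node.status()))
    node.chain_advanced(526, acked=["tb-A"])   # chain finally acks tb-A
    results.append((526, node.score(), node.status(ptb_seen=True)))
    return results


if __name__ == "__main__":
    for height, score, status in demo():
        print(f"height={height:4d} score={score:5d} status={status}")
```

The first row of `demo()` reproduces the post's own worked case: one TB unacknowledged for 100 blocks and a second for 50 gives a total of 150.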
259  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 05, 2013, 10:44:40 PM
Ok I'm a tard and even I forget and miss things. There is a deeper issue that Anonymint has raised that isn't as simple as 50% vs 100%. I shouldn't post while distracted. Most of my last couple of posts are not a correct description of how the attack I believe Anonymint/sorrge propose is defended against.

It requires a rehash of several concepts that are in the thread, but I will put something cohesive together later. I apologize for misconstruing it.

Edit: as I said I'm posting from a phone and takes awhile, but you acknowledged the problem ax while I was posting.
260  Alternate cryptocurrencies / Altcoin Discussion / Re: Decrits: The 99%+ attack-proof coin on: June 05, 2013, 10:25:44 PM
Confirming or acknowledging there is no difference. Each TB is essentially a separate entity that governs a 10 sec window; the chain is required to keep tx times very low as the consensus can only be continuously updated if each new TB has acked all of the changes to the network state as of this moment.

If evilcorp is confirming the TBs of others, it is accepting the network as everyone sees it. There is no way around this. If it is not confirming the TBs of others, they will have a bad consensus block on the next round.

As far as how long to wait... I know you don't want to hear this but it's explained earlier in the thread. I had admitted several times I did not have a fully fleshed out idea for this, and that it would have to be based on running some numbers vs potential attack vectors. However I did post the beginnings of what I think is a really good solution all around... Somewhere.

I am currently posting from a phone and won't have regular Internet again for a few more days, so it's difficult to link and I can't work on the wiki. I *would* like to be able to convince at least one person that the system is viable though before embarking on that.