Bitcoin Forum
  Show Posts
1241  Bitcoin / Bitcoin Discussion / Re: The Answer to the 1MB BitCoin problem! on: March 28, 2017, 03:27:18 PM
Ok so BTC mining is already semi-centralized. But won't Bitcoin Unlimited centralize it further?

As the miners will never fork, that question's answer doesn't really matter, but my answer would be: no.  The 10 miners that have 75% majority hash rate will perfectly be able between themselves to use blocks of larger size.  By the time that the dreaded network effects affect THEM and force some of them out of business, the block sizes would be so big in any case that no normal user can download them.
1242  Bitcoin / Bitcoin Discussion / Re: Do miners really think destroying Bitcoin will make them rich? on: March 28, 2017, 03:17:07 PM
Could you provide a simple answer to my post above?

I'm not reading past a few sentences of your posts (I'm curious if anyone does).

This is the modus operandi of this particular brand of trolling summed up perfectly.


If developing arguments in the form of a course is called trolling, I can understand why so many people have no clue about how things work.
Mathematical arguments of cryptographic nature, when the common knowledge is seemingly missing on which to build, need more than a few lines to be explained.  I wonder if you got your course on cryptography on a quarter of a page, and if you called the teacher a troll because he gave a text that was more than 20 lines.

In the exchange above, I tried to explain the need for the hash function not to be totally cracked in order for a special hash to be a proof of work.   That should be totally obvious to anyone knowing sufficient cryptography, but visibly the poster I was talking to didn't have that common base of knowledge - no offence.  He confused another notion in cryptography, namely key/password entropy of a secret key (which can indeed only be brute-forced if it is pure entropy) with the proof of work of brute-forcing a hash function, where no entropy is involved.

For anyone fluid in cryptography, what I say above is common knowledge, and easily understandable.  But not everyone here is a knowledgeable cryptographer.  So I made a small course on purpose to teach the difference between both notions.  Yes, it was a free course that I didn't polish.  If you want one, you'll need to pay me.

If the answer by the student is "professor, your course is more than 3 lines, I didn't read it" I stop teaching.

If the shared point of view is that anyone teaching with more than 3 lines is a troll, it is no surprise not many around are understanding crypto.  One needs more attention span than that to understand these matters.  It involves more than just spinal reflexes.   The frontal cortex needs to get involved too.

Right at this moment, I'm reviewing a scientific paper of about 26 pages full of calculations and arguments, 10 times more complex than what I wrote above.  I do this for free too.  I will not answer to the authors "Your paper was more than 5 lines, I didn't read it".
1243  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 03:04:23 PM
If a big economic actor, especially a state, wants to destroy a coin, just any coin, it can.

Yep, surely big actors could attack any cryptocurrency.

The point is that if an attacker manages to get control over a PoS coin, the coin is practically dead because the attacker would have control over the chain forever with his 51% stake - it can only be revived with a hard fork.

First of all, a coin that is for 50% or more in possession of any entity, is economically dead.   That whale can do anything with it on the market.  So if a coin is for 50% in possession of a whale, whether it technically fails or not, is not important, because it is economically dead already.

A PoS system should be such that after a short while, the "immutable history" is signed by more stake than a single, colluding economic entity is supposed to ever possess.  I would put that limit at a few %.  Any asset of which there is more than a few % in the hands of a single entity, is toxic or dead, because the market is too much in the hands of that entity.  Nobody has single-handedly the control over a few % of all $$ in circulation.

But even in the case an entity possesses 50% of the stake, you can have combined PoS signing systems (where a given block needs to be signed by a certain number of stakers) so that the probability that ALL signatures come from the same 50% of stakers, becomes arbitrarily low.  If you require, say, 100 signatures per block, chances that these 100 signatures are drawn from only the whale's staking nodes are 1/10^30 or something. (it is more complicated than this, but that's the gist).

Quote
An 51%-attack on a PoW currency can do only temporary harm because the attacking mining cartel would have to continuously "burn" resources (electricity, mining equipment).

Not really.  It will have imposed ITS branch and orphaned the other, and everybody will now mine happily on his branch, with modified past for ever.

Quote
But this reward is in place to incentive "staking", because "stakers" at least have some minimal electricity/bandwidth costs. If less accounts are staking, attackers have an easier game with "standard 51% PoS attacks", they could attack the currency even with only 1% of the supply (see cynicSOB's successful APEXcoin attack I mentioned in the answer to kiklo, it was performed with less than 0,1% of the stake). So "stakers" should be at least minimally rewarded (e.g. with Peercoin's 1%/year reward or NXT's transaction fees).  

The cost is the cost to maintain the security of the system in which you have a stake. I think the reward is inviting more problems than solving.  If you cannot be bothered to run an old PC, then you accept the increased risk of the system you're using.  Note that if everyone gets 1% on his stake, with a 1% inflation, you weren't really rewarded either.  Getting an interest equal to inflation is not a reward.
In fact, this becomes lucrative only if most stakeholders DO NOT stake.  Because then you get 1% interest, but overall inflation is smaller than 1%.  So this might give a "miner's consortium" making it difficult for people to stake, so that they get the full reward while most people don't.

Rewards corrupt.
1244  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 02:46:36 PM

How do you know that server is really under the ice, and not in the room of a power-hungry maniac ?  And what happens if that computer fails ?  Who has the root password to that server ?  Who can pull the plug ?  What network provider has control over all that happens on the network interface of that server (excluding people for instance) ?

We can't know for sure even if all these posters (including me, from your point of view) on this board really exist, or if it's just php spam bots from some guy who tricked us into buying his "coins".
Antarctica example is hypothetical, since we don't know if Antarctica really exist  Cool
We can try to send server on Mars, but who can be sure Mars is actually a real planet, and not a fairy tale from government controlled schools?

You need, as you point out, a total conspiracy in order to fake a decentralized system: you can check IP numbers, you can check so many things, and most of all, you can be part of it (several times, style Sybil) and check that you can see yourself on the network.

If there is "one server on Mars", that server is one single point of entry, one IP number that can be a proxy to something totally different without having to compromise all of your knowledge about the world, about internet and everything.

A server has a root owner.  The data that that server receives and sends back are entirely at the discretion of that root owner.  I don't see how that root owner could prove its absence of potential interference on the system.  You don't need to corrupt all of society and all of the world to change stuff on the server on which you are root password owner.  The computer on Mars can be just a proxy to just any computer on earth.  Maybe my desktop.  Why would you trust my desktop (behind a proxy server on Mars) ?

Quote
Anyway, we should look for a good enough solution for immutable and permissionless trustless payment network, not absolute one. Bitcoin is a coin what run for almost 10 years and governments don't fight it, despite 20 computers run all the block chain. So, it's good enough solution.

Those "20 computers" are the most involved computing infrastructure in the whole world !  That said, 20 root passwords determine indeed bitcoin.  For the moment, they are not colluding.  However, why then not replace this with these 20 guys signing digitally each block and promising not to sign more than a block per 10 minutes in a round-robin way ?  That's just as secure, isn't it ?
And wastes much less electricity ?  Or not ?
1245  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 01:28:35 PM
Pow is much fair distribution system over POS

You think that 5 entities obtaining half of the "distribution" is a fair system ?
1246  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: March 28, 2017, 01:26:03 PM
The thing is the criteria upon which you will determine if an economic system or philosophy is good or not.

That is very simple to answer, even though philosophers through the ages didn't like the answer, and tried to obfuscate the question.

An economic system is good, if it is good for me (if it brings me happiness, and if it avoids my suffering).
An economic system is bad, if it is bad for me.

Good (ethical good) is what is good for me.  Bad (ethical bad) is what is bad for me.  There's nothing else. 

Of course YOUR good and MY good are not in agreement ; so we have to play a power game.  We might find an agreement where I understand that if I want too much of my good, inflicting too much bad on you, will motivate you to do bad things to me ; and vice versa.  Your ability to do bad things to me, my ability to do bad things to you, is the collateral we put up to find a mutually beneficial agreement.

I think it is the fundamental property of conscious beings, because conscious beings experience joy (good) and suffering (bad), so they optimize their actions for maximal good and minimal bad.

Society (as a whole) is not a conscious being.  So there's no such thing as "good for society" and if ever there were, society will have to decide for itself, against me (and against you).
1247  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: March 28, 2017, 01:20:11 PM
It's not so much about after he got in power, but how his personal history drove him paranoiac and sociopathic, wanting to hide from the previous government, with the revolutionary mindset and culture of underground and secrecy, with collusion with crime.

But all that is good.  What is not good, is that he got into power.  Stalin was right as a citizen.  But the problem was that there was power for him to take, and as a citizen who understood government, he used its power to the full extent.  What was bad was not Stalin, but the fact that there was power.

1248  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 01:16:37 PM
For the first thing we should understand why decentralization matters to us so much.

You want an immutable and permissionless trustless system, ideally anonymous.  If the system is not immutable, then the one that is able to change the rules or the history at will, once you got in, can totally alter the value you are holding, or the things you planned to do with it.  He can even change your balance, or wipe your existence on the system.  Without immutability (of rules and history), you are doing the equivalent of signing a blank cheque, or a blank contract, to whomever has the ability to change the rules or the history.

If the system is not permissionless, one can kick you out, or stop you from using the system according to the rules, for your political, economical, religious, racial or social circle identity, or simply because you happened to annoy for a known or unknown reason, those that can grant permissions or not.  So the system must be open to any participant.

==>  essentially, those being able to give permissions, to modify history or to modify the rules are a power house ; in the end power always converts to monetary and hence value advantage.  This is why you don't want that.

Because the system's role is to be able to do what the powers that be don't want you to do, or don't want you to do that easily, or because your using of the system may be frowned upon by the powers that be who have all the means to make your life miserable, using the system should be possible without giving out one's identity.

But this also puts the problem that because everybody can access the system, without identity check, that the system must resist Sybil attacks, and of course, malicious people wanting to bring the system down, or take over the power over the system.

The system cannot have any leader, capable of changing the rules or the history (power house) nor anyone deciding upon permission to use the system or not.  As such, you are obliged to have the system running by every participant, as there cannot be a centrally run server, with a root owner, that could change the history on it, change the rules by which it functions, allow or disallow participants in the system, and be able to know all (network) identities of all participants and their actions.

==> necessity of a decentralized system, in order to obtain permissionlessness and immutability, and the lack of any form of centralized leadership.  But this leads to the necessity of trustlessness and resistance to corruption or Sybil attacks.

Quote
We are actually looking for the security of the network, not necessarily decentralized solution for the security of the network
Quick example: if we send centralized payment processor server to Antarctica and bury it under miles of ice no third party interference can happen to payment system, so centralized network would run secure enough.

How do you know that server is really under the ice, and not in the room of a power-hungry maniac ?  And what happens if that computer fails ?  Who has the root password to that server ?  Who can pull the plug ?  What network provider has control over all that happens on the network interface of that server (excluding people for instance) ?

Quote
We have bitcoin block solving process decentralized to 20 computers, with hardcoded checkpoints, and network run fine.

Who can control those 20 computers ?  Who is deciding on the "hardcoded" (who is coding them ?) check points ?  What if tomorrow, these 20 computers are running an entirely different block chain ?  Is there even a block chain on them, or is it just a database pretending to be a block chain ?

1249  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: March 28, 2017, 12:57:24 PM

Why I bring the sociopathic thing is because psychological profile of people who are into crypto to avoid government monitoring or censorship, with a sort of revolutionary mind set is not always that good.

Not to make another Godwin point, but it's kinda like Stalin, building underground network to avoid government oppression, with all the secret and code and stuff, but in the end it turns them paranoiac and sociopathic, not good psychology to build healthy society Wink

Stalin is a typical form of government, when you look through history and through different governments.  However, he wasn't smart enough to optimize extortion from its people, and overplayed his hand.   Take 5000 years of "government" and think of what they brought the people, and what they took from the people.  Don't forget warfare, it is an important aspect of government.
(and don't think our "democracies" are different, they are simply smarter in optimizing extortion: they replaced violence and brutality by propaganda and politically correct media and "education").
1250  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: March 28, 2017, 12:17:05 PM
Politics can be self seeking too Wink government is not guarantee of absence of self seeking behavior.

Uh.  Government has only one reason of existence, and that IS selfishness.  Since the first kings.  What has evolved, is the way in which government convinces people that they are useful.  The social lie is its cornerstone.  There's no reason to be in government if it is not to be selfish.  It is the violence monopolist that maximizes the profit it can take from that monopoly.  Sometimes, however, you have idiots in power that don't estimate correctly the maximal burden a government can put on its people, and then you get revolutions or invasions.
Ideally, a government squeezes out maximally its population without destroying the illusion of its necessity or its unavoidability, which is what keeps it in place.
The ideal government is like the capable farmer that maximizes the profit he can take from his cattle (the governed people).  And yes, for that, you don't have to be too mean with your cattle before slaughter, on the contrary, you have to "care" about it.



Government can have positive role in economy. The problem with free market is it tends to leave poor and underdeveloped area poor and underdeveloped.

But the idea that losers must be eliminated in a competitive system is not necessarily a bad one, if they cannot be put to good use.  I consider life as a system that emerged as a competitive game to evolve towards something that will become a self-powerful system, that is, a self-conscious universe, or will go down without reaching this final goal.  I consider humanity to be a transitional species that allows life to "switch gear" and to go from the random Darwinian algorithm to self-constructing intelligence (machines).  There's no room for "poor humans" in this transitional species, that is only here for the transition to self-designing machines, who will bring competition, improvement, warfare, joy and suffering to higher levels than was possible with biological systems.

1251  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 12:05:37 PM
Hard Coded Check Points can not be orphaned, and they can be weeks or months or years old.
(I am in favor of, and see no downside or security problems with them.)

Hard-coded check points are a centralized consensus mechanism.  Let the dev then sign all blocks, that's the same.

So you only need to bribe the dev to change the check points he only can provide and your "decentralized consensus immutability" is gone too.

Quote
I disagree with , because they do add too much centralization for my taste. Control the checkpoint server and you control the coin.

Identical to dev signed software with checkpoints he can change at will too.

I think you didn't fully appreciate the decentralized consensus problem.  If you propose a centralized dev solution, you're missing the point all together.  Let the dev's computer sign all blocks for that matter.  No more problems.
1252  Bitcoin / Bitcoin Discussion / Re: Do miners really think destroying Bitcoin will make them rich? on: March 28, 2017, 11:59:50 AM
You confused me since I wasn't thinking quite clearly yesterday

Indeed, this approach doesn't add to security, but that was not my point initially which I somehow lost during this conversation with you myself. My point is that if you are reversing the hash function you will still have to brute force all passwords as you would do if there was no hash function at all.

Yes, so ?

Quote
In this way, hash function doesn't lower the security which you seem to accept yourself, and this was exactly my point.

No, of course not, it conserves entropy as long as the input is smaller than the output.  But that was not the point.  In other words, your example is right, but non sequitur for what I said earlier

But this is the crux of the matter

Since it doesn't lower security (which it should, to make your claims valid), you would still have to do the same amount of work as if there were no hash function in the first place at all

But the PoW security in bitcoin is not about guessing passwords.  It is in proving that you have done gazillion hashes, to have a funny outcome of the hash.  This is why your example, although correct, has nothing to do with my argument

Could you provide a simple answer to my post above?

I'm not reading past a few sentences of your posts (I'm curious if anyone does).

If your attention span is too short to read a one-page argument, I can't help.  One should make things as simple as possible, but not simpler.  But to make it as simple as possible, you'd have to pay me, because that's a lot of work for little interesting return.
1253  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: March 28, 2017, 11:50:59 AM
If people are mostly dishonest, greedy idiots, the system won't go anywhere no matter the security model. The cost of security will outweigh any potential benefits. Paranoia is never a good bet for economy.

This is why I claim that the burden of decentralized trustless systems is so big, that it only pays in those circumstances where the paranoia is justified: in unregulated finance, in illegal/criminal affairs, and other such endeavour, but will not go mainstream.  There's, indeed, no point.  This is the niche for crypto.  It can be a big niche.  But not mainstream.  That's silly.  Too much burden.  It is like going to buy bread with a tank.  Too much overhead, too much hassle.  Unless you're in a war zone.

In normal society, we hold one-another by fear of the consequences of being openly dishonest, even if we would like to be dishonest all the time, we're forced, in the same way, into honesty most of the time, unless we are in power - being in power is exactly what allows you to be dishonest without consequences, which is why power is wanted by most dishonest people, who get into power.  But even there, they cannot be as dishonest as they would like and are afraid of the consequences of their dishonesty (to a lesser extent than normal people, but nevertheless).
1254  Bitcoin / Bitcoin Discussion / Re: Miner cartel, Bankster cartel, or an altcoin? Your choice? on: March 28, 2017, 11:44:46 AM
Yes, but altcoins are not a single unit-of-account and the public demands a single unit-of-account.

The point is that with limited collateral, you can make them hold, within certain boundaries, at 1-1 exchange ratio.  This is what "fractional reserve banking" is all about: having sufficient collateral to be able to guarantee the 1-1 exchange ratio for individual transactions between coin issuers (and to regulate issuing the coin sufficiently so as not to deplete the reserve).

That is: if you play both on the amount of coin in circulation to keep market value near 1:1 ratio, and use the fractional reserve to guarantee the exact 1-1 ratio, MOST OF THE TIME, that works out.

The real "backing" of a currency, in a fiat system, is by the non-fluid value that has been handed over when the currency was printed, and can serve, if not bogus, to obtain more reserve from the central issuer.

Quote
For the legacy economy that Bitcoin is aiming form, the regional regimes apply to the private banking variants.

Honestly, last time I heard talking about the "legacy economy" was during the dot-com bubble years, and the "new economy".  While economic transformations are certainly a fact, when people start talking about the "old economy", I know a bubble is about to burst.
Things usually happen more gradually, less revolutionary and in more unexpected ways than one often presumes.
1255  Bitcoin / Bitcoin Discussion / Re: Miner cartel, Bankster cartel, or an altcoin? Your choice? on: March 28, 2017, 11:28:36 AM
It's an interesting analogy, but we don't have a fractional reserve banking system. Banks will lend money (create new money credit and debt ledger entries simultaneously) and then seek the reserves later. That is they pull on the reserves string from the central bank. That is why QE is known as pushing on a string, it doesn't result in increased lending, the banks are simply restocking reserves on their previous over lending.

I agree with you, but that is because the fiat system is not a "fractional backed currency" system - exactly like you say, but is an "asset fluidification system".  This is why the fiat system is not really working so badly as people may think.  The caveat is elsewhere.

A bank is in fact nothing else that uses its reputation to exchange illiquid debts for liquid money.  As such, a bank doesn't do "fractional reserve banking" for value ; it only does it for money.  But normally, a bank is fully backing all its emitted bank money, by the assets it got in return.  It sells "liquidity", but it doesn't "create value out of thin air".  A bank, normally, possesses more assets than the money it issued, so it can "buy back all of its money" with the assets it has.  This is perfectly honest.

The FED does the same.  The FED issues base money in return for assets.  It "fluidises" assets into currency.  There is not really something wrong with that.

The thing that really goes wrong, the caveat I referred to, is when one gets "loops", that is, fake assets that do not represent value but are indirectly self-referential.  If you can issue money for such assets, then things go wrong.  The simplest thing is a bank lending to another bank, with as underlying asset, the other bank lending to the first.  

Quote
The reason banks aren't allowed to go bust in any significant way is because of the steaming derivatives pile. No one knows who owes who what, so the tax payer props up presumed failed banks so that the entire steaming pile of derivatives doesn't collapse. Only once that is unwound, would we really know who the survivors would be.

This is indeed a big cluster of self-referential assets which are totally bogus.  It is this cluster fuck which is a ticking bomb under the fiat system, but not its basic principle, which can be sound.
1256  Bitcoin / Bitcoin Discussion / Re: Miner cartel, Bankster cartel, or an altcoin? Your choice? on: March 28, 2017, 09:37:49 AM
People, however, are made to confuse the new asset with the underlying base asset, and this is where the system looks like cheating.

That is the key problem. And because the public wants a single unit-of-account, then we end up always with a central bank backstopping these fractional reserves.

bitcoin whales making new altcoins of which they control the minting, and they pump (with their bitcoin stash) the price of their altcoin to a given level

They are doing that. Altcoins are pumped & dumped by whales so they can steal more money from n00bs and get more Bitcoins.

The point is that people buying altcoins don't think they buy bitcoins.  While people having $10 000,- in their bank account don't realize they have bank dollars, and not "dollars".

1257  Bitcoin / Bitcoin Discussion / Re: Do miners really think destroying Bitcoin will make them rich? on: March 28, 2017, 09:19:48 AM
You confused me since I wasn't thinking quite clearly yesterday

Indeed, this approach doesn't add to security, but that was not my point initially which I somehow lost during this conversation with you myself. My point is that if you are reversing the hash function you will still have to brute force all passwords as you would do if there was no hash function at all.

Yes, so ?

Quote
In this way, hash function doesn't lower the security which you seem to accept yourself, and this was exactly my point.

No, of course not, it conserves entropy as long as the input is smaller than the output.  But that was not the point.  In other words, your example is right, but non sequitur for what I said earlier

But this is the crux of the matter

Since it doesn't lower security (which it should, to make your claims valid), you would still have to do the same amount of work as if there were no hash function in the first place at all

But the PoW security in bitcoin is not about guessing passwords.  It is in proving that you have done gazillion hashes, to have a funny outcome of the hash.  This is why your example, although correct, has nothing to do with my argument.

If you can reverse the hash function, you don't need to perform gazillion hashes to obtain a funny hash result.  You start with the funny hash result, and you calculate backwards what you needed to put in to find the funny hash.  Given that you have not *total choice* of what you put in, but only special fields, you need also to be able to search quickly in the solution space, so you really have to crack the hash problem entirely.   But the PoW security has nothing to do with guessing passwords.  It is finding inputs that produce funny hash results, and for that, the assumption is that you have to TRY RANDOMLY.  If you can reverse the hash function, you don't have to try randomly to find the hash result you started from, because it is the result of a calculation.
Look again at my toy example, it illustrates perfectly in a simplistic setting what I'm saying here.

The "proof of work" in bitcoin is: providing such a block header, that its hash is a funny result starting with a lot of zeros.
In that block header, you have to have the hash of the previous block (cannot change it), the version number (cannot change it) and the date (cannot change it).  You can change the nonce, and the Merkle tree hash.

So if you can resolve the inverse hash function so that it has many zeros (or ALL zeros), and you can search in the solution space for those headers that have the right previous block hash and the right version number, you find one or several possible results for the Merkle tree hash and the nonce.

With that given Merkle tree hash, again, you inverse to find the "free parameter" hash of the coinbase, and all imposed hashes of all transactions.  If you can search the solutions in this solution space that satisfy the conditions on the other hashes, you find the free value of the coinbase transaction hash.

You invert again: you now have the coinbase transaction itself, in which you have to fix a lot of bytes, but you leave free the "coinbase comment section".  Searching in the solution space, again, will give you one or multiple solutions satisfying the boundary conditions of the transaction (the fixed pieces) and will give you the comment section.

Filling in this comment section gives you the right coinbase transaction that will then produce the hash that, combined with the other transaction hashes, gives the right Merkle tree hash, that, when filled into the block header with the right previous hash and the right version number and nonce, will give a hash of ZERO !  The highest possible PoW, much more than the whole existing block chain !
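
The forward direction of the proof of work described in the post above (previous hash, version and date fixed; nonce and coinbase comment free; search by trial until the header hash has enough leading zeros), as an added example that is not part of the original post and not Bitcoin's own code. The coinbase bytes, sample transactions, the `zero_bits` parameter and the small `nonce_limit` are constructed simplifications; real Bitcoin decodes the target from the `bits` field.

```python
import hashlib
import struct
from typing import NamedTuple


def dsha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids):
    """Hash txids pairwise up to one root (an odd level duplicates its last entry)."""
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def build_header(version, prev_hash, root, timestamp, bits, nonce):
    """80-byte header: version | previous block hash | Merkle root | time | bits | nonce."""
    return struct.pack("<I32s32sIII", version, prev_hash, root, timestamp, bits, nonce)


def meets_target(header, zero_bits):
    """Verifier's side: one double hash, read as a little-endian integer, below the target."""
    return int.from_bytes(dsha256(header), "little") < (1 << (256 - zero_bits))


def coinbase_txid(extra_nonce):
    """Constructed stand-in for a coinbase transaction whose comment field is free."""
    return dsha256(b"constructed-coinbase|comment=" + extra_nonce.to_bytes(8, "little"))


class Solution(NamedTuple):
    extra_nonce: int
    nonce: int
    header: bytes
    attempts: int


def mine(version, prev_hash, other_txids, timestamp, bits, zero_bits,
         nonce_limit=2**32, max_extra=2**16):
    """Miner's side: no shortcut is assumed, so every candidate header is hashed.

    The nonce is tried first; when it is exhausted, the coinbase comment is
    changed, which changes the Merkle root and reopens the nonce range.
    """
    attempts = 0
    for extra in range(max_extra):
        root = merkle_root([coinbase_txid(extra)] + list(other_txids))
        for nonce in range(nonce_limit):
            attempts += 1
            header = build_header(version, prev_hash, root, timestamp, bits, nonce)
            if meets_target(header, zero_bits):
                return Solution(extra, nonce, header, attempts)
    raise RuntimeError("search space exhausted without a solution")


# Constructed sample data: none of these values come from a real block.
PREV_HASH = dsha256(b"constructed previous block")
OTHER_TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(3)]
PLACEHOLDER_BITS = 0x1D00FFFF  # carried in the header but not decoded in this example


def demo(zero_bits=12):
    """Mine with a deliberately tiny nonce range so the coinbase field has to roll too."""
    return mine(2, PREV_HASH, OTHER_TXIDS, 1490692788, PLACEHOLDER_BITS,
                zero_bits, nonce_limit=256)


if __name__ == "__main__":
    for zb in (8, 12, 16):
        s = demo(zb)
        print(f"{zb:2d} zero bits: {s.attempts:6d} hashes tried "
              f"(expected about {2**zb}), extra_nonce={s.extra_nonce}, nonce={s.nonce}")
        print("   hash:", dsha256(s.header)[::-1].hex())
```

Each extra zero bit doubles the expected number of attempts while verification stays at a single double hash; that asymmetry holds only as long as the hash cannot be inverted, which is the assumption the post is arguing about.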

1258  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 09:17:06 AM
Hello,

As you've seen, I'm quite favourable for PoS, but I'm against any erroneous argument in favour of anything.  Arguments should hold water.  I think you are having PoS arguments which are not always correct.

It is an attack that HAS NEVER BEEN EXECUTED ON ANY COIN!

None of the CURRENT PoS WALLETS ARE MULTISTAKING, until MULTISTAKING POS WALLETS ARE CREATED , an attack from that BS LIE, can not even be attempted.

==> this is not a valid argument of course.  That is like saying "no hacking software is available right now, so hacking is not possible"

Quote
LONG RANGE ATTACKS ARE IMPOSSIBLE, past a Checkpoint!

This is not a solution, because the "checkpoint" itself is a consensus resolution.  You could just as well say that blocks that have been confirmed once, shouldn't be orphaned.  In fact, "checkpoints" are nothing else but "blocks of blocks" in the same way that blocks are "blocks of transactions", and the consensus resolution is: WHICH BLOCK ? on the block level, so the check point is the consensus resolution of "which block of blocks ?".

Nothing fundamentally irreversible is done with check points that wasn't already done with the blocks themselves ; unless you introduce trust, at which point, the whole consensus resolution becomes simple: the trusted party will determine consensus, and we don't need block chains any more, just a digital signature.

You can introduce checkpoint-like PoS signatures, but you have to realize that they do not grave in stone anything more than block resolution already did.  Orphaning checkpoints is not different in principle from orphaning blocks.
1259  Bitcoin / Bitcoin Discussion / Re: Noob Q: Can bitcoin be turned into POS? on: March 28, 2017, 08:43:27 AM
@dinofelis: It's unfortunately not that easy. N@S is a potential threat, above all because of the infamous "history attack". It's difficult to perform on a mature chain and very probably won't give the attacker any profits (even if he shorts the coins), but in the case a big malicious actor (banks, governments) conspire, they could do more harm with this kind of attack than with 51%ing a PoW currency.

If a big economic actor, especially a state, wants to destroy a coin, just any coin, it can.  Central banks can destroy immediately any coin that is available, not by technical means, but by economical means.  It doesn't cost them anything.

How does it work ?  A central bank can, if it is legally allowed to do so, buy up any "asset" and issue fresh fiat against it.  The central bank can hence print as much fiat as necessary to buy up 95% of the stash of any coin.  The FED can print, fully legally if bitcoin is recognized as an "asset", the 20 billions needed to buy up all bitcoin.  In doing so, they pump the price to the sky.  But no problem, the FED can print just as much dollars as needed to buy up the whole stash, because the stash itself serves as "asset backing the printing".  As the price of the asset is rising, the FED's balance becomes more and more positive.  People will fight for the few bitcoins still around, and spend huge amounts of their savings on it, while the liquidity of bitcoin decreases like hell.  Bitcoin to the moon.
And then, the FED will sell bitcoins, first slowly, to destroy the amount of dollars they printed on it, now that it is "to the moon".  Once they have gotten most of the printed dollars back out of circulation, they dump the whole stash to oblivion by putting the 95% of the stash in circulation the same week.  So many people will have lost their savings, that bitcoin is done for ever.

No finite resource asset can win an attack from a printing FED, because all other actors have to bring in true value, and the FED can print for nothing.  This is why "one big crypto currency" is a lunacy.  Any big fiat central bank can destroy it when it wants on the market.

As you say, the nothing at stake attack is very difficult to perform on a mature chain.  The "value function" should be chosen well, in such a way that a historical reorganization is essentially impossible to perform, because you would need, in redoing the chain, so many collusions of former stake holders (which were stake holders by PoW not by PoS) that you will not be able to find all the signatures necessary to do so.

The problem with most PoS systems right now is that they also reward the staker.  This reward has to be unique, and will be fought over.  If there is no reward, then there's no battle to be had.  There's no incentive for a random stake holder to absolutely want to stake on a secondary chain and hence increasing the risk that the system he has a stake in, crumbles down.

1260  Bitcoin / Bitcoin Discussion / Re: Do miners really think destroying Bitcoin will make them rich? on: March 28, 2017, 07:40:29 AM
You confused me since I wasn't thinking quite clearly yesterday

Indeed, this approach doesn't add to security, but that was not my point initially which I somehow lost during this conversation with you myself. My point is that if you are reversing the hash function you will still have to brute force all passwords as you would do if there was no hash function at all.

Yes, so ?

Quote
In this way, hash function doesn't lower the security which you seem to accept yourself, and this was exactly my point.

No, of course not, it conserves entropy as long as the input is smaller than the output.  But that was not the point.  In other words, your example is right, but non sequitur for what I said earlier.

Quote
In other words, you would anyway do the same amount of work, and there is no shortcut or backdoor which could give you a clue what a password might be, for example, its length

Nope. That's your error.

Providing a "hash with conditions" is a proof of work *because of the assumed irreversibility of the hash function* ; because you have no other way of satisfying the condition on the hash output, but to try randomly at the input.

However, if you crack the hash function, that is, if you can find EASILY all input solutions that give a given output hash, then providing a hash that satisfies a given condition is NOT a proof of work any more.

This has nothing to do with your example of transforming entropy, because proof of work is not a matter of entropy.

Let us take a very simple example.  Suppose my silly hash function is again:
f(n) = (K.n + C) mod M, with K,M and C fixed parameters of the hash function.  I'm a naive guy thinking that my hash function is a good, irreversible function.

Essentially, my hash function takes on ANY number n, and produces a number between 0 and M-1.  Let us say that M is a big prime number, with 256 bits, and K is of that order too and C too.  If you put arbitrary numbers into this function, you get arbitrary-looking numbers out.

Now, if I want you to give me some proof of work, I give you a number A, and I want you to find a number N so that:

f ( f(N) XOR A) < Z

If my hash function is irreversible, the only thing you can do is to try this function as many times as needed, which must be on average 2^256 / Z times.

However, if f is reversible (and it is !), I pick a number, say, Z/2.  I calculate (easily) an inverse value U such that f(U) = Z/2.  I calculate easily V = A xor U, and I calculate just as easily W such that f(W) = V.

W satisfies the condition I asked, but I didn't have to provide for any work of the order of calculating 2^256 / Z hashes.  Hell, I could put in Z = 0, and with the same effort, I calculate U' such that f(U') = 0 (even before you gave me A!) ; I calculate V' = U' xor A ; I calculate W' such that f(W') = V'.  Done.
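
Added example, not part of the original post: the toy function f(n) = (K.n + C) mod M from the post above, with an honest search for N next to the two-inversion shortcut the post describes. The values of M, K, C and A are constructed for this illustration, and the function names are this example's own.

```python
import hashlib

# Constructed parameters for the post's toy function (not values from the post).
M = 2**256 - 2**32 - 977      # a 256-bit prime (the secp256k1 field prime)

def derive_constant(label):
    """Derive a fixed, arbitrary-looking 256-bit constant below M."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % M

K, C, A = derive_constant(b"K"), derive_constant(b"C"), derive_constant(b"challenge A")

def f(n):
    """The toy 'hash' from the post: f(n) = (K.n + C) mod M."""
    return (K * n + C) % M

def f_inverse(h):
    """Return the n in [0, M) with f(n) == h (M is prime and K != 0 mod M)."""
    if not 0 <= h < M:
        raise ValueError("h is outside the range of f")
    return (h - C) * pow(K, -1, M) % M

def satisfies(n, a, z):
    """The work condition from the post: f(f(N) XOR A) < Z."""
    return f(f(n) ^ a) < z

def mine(a, z, max_tries=1_000_000):
    """Honest prover: try N = 0, 1, 2, ... and report how many tries it took."""
    for n in range(max_tries):
        if satisfies(n, a, z):
            return n, n + 1
    raise RuntimeError("no solution within max_tries")

def forge(a, z):
    """Shortcut from the post: invert f twice instead of searching."""
    for target in range(z):        # any final value below z is acceptable
        u = f_inverse(target)      # f(u) == target, computable before a is known
        v = u ^ a                  # the inner hash must equal v
        if v < M:                  # v has to be a value f can output
            return f_inverse(v)
    raise ValueError("no target below z gave an invertible inner value")

if __name__ == "__main__":
    z = M >> 8                     # about 1 input in 256 qualifies
    n, tries = mine(A, z)
    print("search :", tries, "evaluations of the condition")
    print("forged :", satisfies(forge(A, z), A, z), "with two inversions")
    print("zero   :", f(f(forge(A, 1)) ^ A) == 0)
```

The cost of `forge` does not depend on Z, so a verifier that counts the output of this function as evidence of work is measuring nothing.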
