and the hashrate was a small fraction back around block 225K. Not sure, but I think it is harder to reorg now vs then?
It was the same then as it is now - back then, network power was less than it is now, so although difficulty was lower than it is now, blocks were still 10 minutes each.
|
|
|
If either of you had asked me in advance if the messaging hierarchy gave elevated peers the power to isolate nodes I could have cleared up a lot of false conclusions before you started jumping to them.
You didn't answer my question about ordering. You mentioned that ordering doesn't matter; I say ordering is the only thing which does matter. edit: working through the following will be informative:
* Given some historical transaction data for this system, how can any given node joining the network objectively judge that what they're being presented with is not fraudulent data? If you can answer that without having to resort to asking other nodes the correct state, then we can talk more seriously about your design.
|
|
|
How do I know when a transaction "has been accepted by a majority of the network"? What is the specific technical process that allows me to know exactly when that has happened?
An optimized network needs to be organized into a tree-like structure, with some nodes serving as trunks, some as branches, and some as leaves. The topography of a large network would always be changing as nodes connect and disconnect. Nodes can be elevated from leaf to branch to trunk depending on bandwidth and how long they've been connected. The higher the level of elevation of a node, the more lower-level nodes depend on it for messaging. If an elevated node disconnects, one of its dependents can be promoted or they can switch to another node of the same level. This way transaction messages can be distributed from any one node to all other nodes on the network without any node receiving the same message twice. Once a transaction has reached every node on the network, acceptance of that transaction would bounce back in the reverse direction until it returns to the node that originated the transaction message (the recipient). The recipient can then broadcast the transaction with Proof of Acceptance (POA). This is not a trustless system.
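A toy model of the trunk/branch/leaf hierarchy and the acceptance bounce-back described above, added here as an illustration (not code from the original thread). It assumes a constructed seven-node tree and invented behaviour labels for branch nodes; it shows that the originator's "Proof of Acceptance" depends entirely on elevated nodes relaying honestly, which is why the design is not trustless.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)
    behaviour: str = "honest"   # "honest" | "withhold" | "forge" (assumed labels)
    received: set = field(default_factory=set)

    def deliver(self, txid):
        """Push txid down the subtree; return the names that claim to have accepted it."""
        if txid in self.received:   # tree routing: a node never processes a message twice
            return set()
        if self.behaviour == "forge":
            # Elevated node answers for its whole subtree without forwarding anything.
            return names(self)
        self.received.add(txid)
        acked = {self.name}
        if self.behaviour == "withhold":
            return acked            # dependents below this node never hear of the tx
        for child in self.children:
            acked |= child.deliver(txid)
        return acked

def names(node):
    out = {node.name}
    for c in node.children:
        out |= names(c)
    return out

def walk(node):
    yield node
    for c in node.children:
        yield from walk(c)

def proof_of_acceptance(trunk, txid):
    """What the originator sees: (POA granted?, names of nodes that really received txid)."""
    acked = trunk.deliver(txid)
    actually = {n.name for n in walk(trunk) if txid in n.received}
    return acked == names(trunk), actually

def build_tree(branch2_behaviour="honest"):
    # Constructed sample topology: one trunk, two branches, four leaves.
    b1 = Node("branch1", [Node("leaf1"), Node("leaf2")])
    b2 = Node("branch2", [Node("leaf3"), Node("leaf4")], behaviour=branch2_behaviour)
    return Node("trunk", [b1, b2])

if __name__ == "__main__":
    for b in ("honest", "withhold", "forge"):
        ok, seen = proof_of_acceptance(build_tree(b), "tx1")
        print(f"branch2={b:8} POA={ok} received_by={sorted(seen)}")
```

With an honest branch every node is reached once and POA is granted; a withholding branch silently isolates its leaves (POA denied, but the originator cannot tell isolation from disconnection), and a forging branch is granted POA although its leaves never saw the transaction.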
|
|
|
- Spend UTXO_A (mine) and create new unspent output UTXO_B (yours)
... - A few days have passed. I now spend UTXO_A, and create new unspent output UTXO_N to an address that I control
Your 2nd attempt to spend UTXO_A would simply be rejected because a majority of the network would have long since processed your first transaction. The rule that transactions should cancel each other and destroy the parent UTXO only applies before one of them has been accepted by a majority of the network. You initially said that ordering wasn't a problem, but all your statements implicitly contain a notion of ordering. 'Before' is a relative term which cannot be resolved without ambiguity in a trustless system. A 'majority' of nodes could easily be faked by any given attacker for very little cost; that is the entire reason we have mining in the first place.
|
|
|
So, I send you 25 BTC, wait for you to accept it and send me my physical item, then I spend the same UTXO to myself and both are destroyed by your new rule, giving me my money back. This is exactly the same as a regular double spend. You would lose your money, not get it back.
UTXO A (mine) = 25 BTC
send A (mine) to B (mine)
send B (mine) to you (C, yours)
send B (mine) to A (mine)
B and C are destroyed, leaving A, the original 25 BTC belonging to me
|
|
|
When someone attempts to double spend, it doesn't matter which happened first, any two or more transactions that reference the same UTXO should void each other out and the UTXO should be destroyed
So, I send you 25 BTC, wait for you to accept it and send me my physical item, then I spend the same UTXO to myself and both are destroyed by your new rule, giving me my money back. This is exactly the same as a regular double spend.
|
|
|
Currently, the only exchange that I know of that is immune to a jamming attack is BTS.
It isn't immune; send enough place/cancel transactions and you'll grind the whole network to a halt.
|
|
|
Fault-tolerant is a good term I think. Perhaps that helps define its (possible) utility too.
Agreed. That's more accurate.
|
|
|
If I make a simple program to get a random number from 1 to 100, or base my program on a randomizer, how can that be repeated in every single node? Shouldn't they give different outputs? How can that be validated?
Let's say I want to make a betting app, based on the random rolling of dice. How can that work?
Pick a seed? No different to authoring a website, really in that regard.
|
|
|
if Ethereum is a distributed computing platform
It isn't; it's a replicated/redundant computing platform.
|
|
|
It is certainly true that valuing the PoW expended by the miners is essential for knowing where the break even point for a double spending attacker is. I.e. the point at which what they gain from the double spend == their lost block reward from orphaning their original blocks.
If the reward is not in the form of a "coin" then I'm not really sure that "double spending" applies at all (as that is dependent upon there being a "coin" is it not?). Let me suggest a hypothetical example where the "reward" is simply the ability to send an encrypted message (via the block chain) to another account. Bitcoin uses the block reward partly to incentivise miners not to double spend, because they stand to lose their block reward attempting to orphan the best block. If you have a non coin based reward, I'm not sure the same can be said.
|
|
|
I think it could be possible for the reward to be other than "coins". There is no such thing as a "reward without money price [direct or indirect]". It is useless. It might be useful to discuss why you think this is the case? It is certainly true that valuing the PoW expended by the miners is essential for knowing where the break even point for a double spending attacker is. I.e. the point at which what they gain from the double spend == their lost block reward from orphaning their original blocks.
|
|
|
The confirmation times are sped up by the fact that most blocks only require low POW (and the minters can be preparing their difficult POW between the block where the information is sourced from and the block their POW tx needs to appear by).
Understood. Presumably you're compensating the miners for their difficulty PoW, though? That is what I haven't decided upon yet (but in reality it is likely to be necessary to at least have some reward). IMO it is essential for a couple of reasons:
1. Without a competition to mine, the maximum hash rate of the network is unknown, which means confirmation cannot easily be bounded as adversaries may lie in wait instead of using their power 'for good'
2. With no incentive to behave in favour of the network as a whole, rational behaviour may cause divergence
|
|
|
The confirmation times are sped up by the fact that most blocks only require low POW (and the minters can be preparing their difficult POW between the block where the information is sourced from and the block their POW tx needs to appear by).
Understood. Presumably you're compensating the miners for their difficulty PoW, though?
|
|
|
I concluded that this system has a similar security model to plain PoS, since identities never get 'consumed' like they would in a PoW chain. I'm not sure if this is similar to your design?
Although the design has not yet been completed (it's about half-way there) what I have envisioned doing with regards to accounts is to have a regular need to provide a difficult (and memory exhaustive) POW so that you can't create Sybils without incurring more and more POW. In my design, this was also true, but I realised it was exactly equivalent to buying stake in a PoS system; once you have your identity, you have a constant probability of producing a block, therefore a constant cost for attempting a double spend. I was looking to design a system with equivalent security to a PoW chain but with improved confirmation times, so I stopped exploring at that point.
|
|
|
The question of incentive becomes more of an issue should the best minter not mint and then no-one else wants to (although I think in reality this wouldn't occur unless the platform had been basically abandoned).
Perhaps you are thinking this approach has a Sybil problem but as account creation is strictly controlled (by a much harder proof of work that has to repeatedly occur at a regular interval) then it becomes increasingly more difficult to create Sybils (so POW is being used to prevent Sybils but accounts are being used so that intensive POW is only needed infrequently).
I imagined something similar sounding recently:
1. 'Identities' were generated by miners in a similar way to how blocks are mined in bitcoin, with increasing difficulty etc
2. These identities can then be used to mint blocks
3. The influence of a particular identity would be proportional to the 'difficulty' when the identity was created originally
https://bitcointalk.org/index.php?topic=1295981.msg13300342#msg13300342
I concluded that this system has a similar security model to plain PoS, since identities never get 'consumed' like they would in a PoW chain. I'm not sure if this is similar to your design?
|
|
|
Why isn't this possible in a PoS system with bonded stake?
1. Short the coin
2. Pay 100% of on-line stakers to transfer their stake to themselves in one common block (12 o'clock midnight, for example)
3. The chain auto DoSes itself as no blocks get produced until the stake bonds again post transfer
4. Profit
How extensive is this damage? Can the chain recover at all since no blocks can be produced?
|
|
|
What you have provided is not a proof at all. We can go into meaningless and long discussions, and that crap is not what you can get by providing a (formal) proof. So please provide a real (i.e. formal) proof.
The only point of disagreement in general has been centered on the difficulty of acquiring a majority of recent private keys. That is sadly unprovable.
|
|
|
Indeed - the approach that CIYAM uses is known as a "hash chain" (which functions like a PRNG meaning that the next best choice of minter is random).
Without some external source of entropy, why can't participants just preimage the PRNG to know when to mint so they always win when they do? The question is whether there needs to be any "reward" at all (assuming that you don't require increasing costs of hardware and electricity in order to run a full node).
As I see it, unless there is a trust based model like PoS, rational participants do not act in the benefit of the chain as a whole because the timely confirmation incentive is ill defined in a system with no rewards.
|
|
|
This is a very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.
Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me). What don't you understand?