Bitcoin Forum
  Show Posts
341  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: June 02, 2018, 06:47:06 PM

But I trust my grandmother more than I trust CNN, or Coinbase, or the government.

This discussion really distills down to this point.
If 50+% of the stake has someone they trust with a live version of events and all of them have the same version of events,
then they can all choose the correct fork and the remaining minority of the stake can see the majority has decided on a fork.
Then the attacker loses.

But you would still have an additional problem in that to detect double-spending with 100% objectivity requires 100% finality of epochs.
IOW, all of you in the 50+% stake will not be able to agree with 100% certainty on a double-spend without 100% finality.
Yet 100% finality of epochs (as opposed to probabilistic finality of transaction confirmation) requires a permissioned set of validators, of which only 1/3 can stall the entire chain,
and the only way to unstuck the (transaction confirmation of the) chain is to hardfork.
The attacker then only needs control of 1/3 of the validators in order to short the token and profit.
The chain's protocol can't confiscate the security deposits of the non-responding validators because they may be legitimately under DDoS attack or suffering from some general failure such as Amazon or Azure outage.

Also, permissioned validators are a political clusterfsck, as described in the EOS section of @anonymint's most recent blog:

https://steemit.com/cryptocurrency/@anonymint/scaling-decentralization-security-of-distributed-ledgers

A consensus system with nothing-at-stake permissionless validators can fake a network outage by Sybil attacking the validator set.
Your Decrits design apparently forces new validators to queue up and be approved by many epochs before joining or leaving, but this is in essence a permissioned system,
because then 1/3 of the validators can stop the forward movement of the chain and those queued validators never become approved.
If you use an elapsed time instead of epochs, then that opens a different sort of security hole.

Regardless of whether or not objectivity exists, there will be a loss to those attacking the network (and to those actively defending if the attacking network persists). Unless 100% of all economic value goes to their fork, they suffer a loss. Even if they convince 90% of the economic value to move, they lose the 10% which remains on the other fork where their stake is destroyed. Only the non-staking users of the network do not lose any value.
Everything you wrote as quoted above is the opposite of the possible outcome that @anonymint wrote about:

https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61

But perhaps the reason you didn't think so, is because you may not have realized the point above about 100% finality is required for 100% objectivity of live observers?

The attacker can profit even in the presence of security deposits.
That was one of the main points of the Medium post.
Apparently there is a great cognitive dissonance in interpretations of the game theory and economics between your thought process and that which is written at the linked Medium blog.
Did the above point about permissioned validators and 100% finality bring your understandings closer together?

If that is the case, the objectively better fork is obvious.
Analogous to network synchrony, censorship can't be objectively proven.
And especially when the censorship is against a few billionaires or such that nobody believes or gives a fsck about.
People have a crab bucket mentality. They love to see some billionaires lose everything.
You seem to not have a very realistic appraisal of human nature and the madness of crowds, or perhaps you just haven't looked at it this way before?

But to do so they have to invest in the network itself, unlike with PoW.  
Disagree. They gain back whatever they "invested" by shorting one and pumping the other.
Besides they probably bought the hell out of the token when it crashed to 50 satoshis in the crypto winter,
then they pump it up, short, and crash the fscker with an attack.
Or they issued the ICO and bought the ICO from themselves taking 80% of the money at no cost.
Many different sorts of manipulations and schemes.

It's depressing. I want to caution you before you go thinking you have some magic cure.
Many people have thought deeply about these issues for the past 5 years.
You're not the only one.
Although you were probably thinking about non-proof-of-work consensus systems before most of us.
@anonymint was on proof-of-diskspace and then memory-hard proof-of-work ideas for most of 2013 whilst you were already designing Decrits.

Btw @Ix, if you're an excellent programmer and you are interested to collaborate, there's BTC funding and vestment available. But maybe you want to do your own.
342  Bitcoin / Development & Technical Discussion / Re: Some thoughts about consensus design on: June 02, 2018, 11:48:48 AM
There is no incentive structure here to control the behaviour of the chain, so what's left is the incentive to double spend instead. Coin days destroyed can be double spent just as easily as any other transaction.

Please don't make me repeat what @anonymint told me which I already posted for you, because I want to minimize my posts.
He had pointed out very clearly that TaPoS is not effective as a short-range objectivity and thus by implication it will not prevent short-range double-spends.
It is only effective against a long-range attack.
And the behavior of the chain can be made to respect the TaPoS, but @anonymint is not going to reveal his design today.
343  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: June 02, 2018, 11:45:59 AM
How is this any different from what anyone can do without attacking the network? Create a copy of the software with some divergent property to create two chains. If the diverging property is seen as valid by some percentage of users, the divergent chain has some value. Do you have some solution to this as well?

@anonymint thinks the distinction is that in the case of ambiguous nothing-at-stake forks from the perspective of those who were offline,
they're more or less ambivalent to the outcome which doesn't affect them.
And without a strong compass, they can then be swayed by the powers-that-be to believe in the mainstream opinion.
Mainstream opinion is owned by those who own the corporate behemoths.
So the point is that relying on community opinion is centralization.
If instead there was objectivity, then the users who were offline at the time of the forking wouldn't need to trust CNBC, CNN, FOXNEWS, BLOCKINFO.COM, COINBASE, ZEROHEDGE, ALEXJONES, and all those other gatekeepers.
We want to destroy their power if we can come up with a design that can do it.
Tangentially (and somewhat offtopic), see how Thatcher was the moma to those men, who reverted to children without a compass after she was gone:

https://steemit.com/politics/@anonymint/re-anonymint-unfairness-of-tax-cuts-for-the-rich-explained-in-beer-20180602t081228178z

@anonymint's idea for ending the "new feature" forks is to solve most of the problems that drive a hype market for forks such as scaling and latency of confirmations.
The speculation in the market is significantly driven by idea that the market for cryptocurrency is still nascent and largely untapped.
There will always be such speculative snake oil in the future, but who cares when their market caps top out at $1 billion on the pump and dump, when the main cryptocurrencies will have market caps in the $100s of trillions.

His idea for solving the nothing-at-stake problem revolves around formation of objectivity with statistical evidence.
We must remember that finality is always probabilistic anyway.

There is little to no risk to creating a fork out of thin air such as in the case of Bitcoin Cash and whatnot, but there is a huge risk to creating an on-network fork - namely nobody cares about your fork and the value of your money from the main chain is destroyed.

Offline users do not know which one is the main chain.
Ostensibly you presume that COINBASE et al are going to agree with what the users who were live thought they observed.
It can’t be proven that one live group’s network synchrony was superior to another group's.
The point is you are presuming objectivity where objectivity doesn't exist.


From there you must devolve your argument into what amounts to mind control. Do you really believe some nameless, faceless identity has a chance to sway users over the people they interact with daily on which chain is honest? And all this over trying to get their side of a double spend to complete?

He thinks you have this transposed from the actual reality that is likely to be the case.
Not only do you presume that the powers-that-be who want to do this attack are nameless,
but you presume that the live users who speak out against the powers-that-be will not be nameless.

Why wouldn't the powers-that-be own COINBASE et al? They own everything.
These gatekeepers are always for sale to the highest bidder who can steal the most from society.
That is what corporations do. They maximize profit by any means possible.
They have a fiduciary duty to maximize profit. They do not have morals.
I know you do not believe in fairytales so why would you believe the world is some fantasy fairytale where corporations and gatekeepers do the moral thing so they can lower their profits?

And their motive may not be double-spending but rather censoring transactions (although they can do this with a majority of the stake in most designs anyway) and even long-range attacks where they steal coinbase funds and downstream lineage UTXO and burn UTXO they can't steal in order to accomplish attacks on competitors and whatnot (including shorting the token and then going long again after their attacks or whatnot, especially if they're trying to destroy that token):

https://bitcointalk.org/index.php?topic=4266048.msg39124755#msg39124755

https://medium.com/@shelby_78386/btw-i-noticed-in-your-responses-to-others-at-the-end-of-your-blog-youre-emphasizing-393f4ca0deff

Also for a competing token to their Bitcoin, maybe they just want to destroy your token and short it into the ground.

The powers-that-be get their power largely through manipulation.

P.S.
Ty for the debate on the merits.
You still have a slight tone of presumptuous arrogance as if you assume the other person doesn't have a valid rebuttal for you,
but it's possible to interpret your tone here as just skepticism.
Apologies that @anonymint didn't understand in 2013 when you used to post from username @Etlase2, that groupwise cryptographically secure entropy is possible in a proof-of-stake system.
Ouroboros and Algorand exemplified it is plausible within some security thresholds.
344  Bitcoin / Development & Technical Discussion / Re: Some thoughts about consensus design on: June 02, 2018, 09:46:03 AM

When I think about time-travel in general I am not thinking about how CERN machinery works and what physical theory is at stake ...
I think about protocols like NTP ( for historical reasons I will mention RFC 958 )


The concept of time presumes a universal total order, yet for time to exist requires friction which implies the lack of a total order (and unbounded partial orderings) because not all witnesses can observe all events in "exactly now" real-time.
A humorous example about losing car keys points out that the only entity that knows the reality of "now" is the entity observing it.
Each of our realities can't be communicated precisely, only related. No other entity will ever be able to know all the thoughts that passed in your mind as they occurred.

Therefore triangulation of observations doesn't exist and is always an approximation of reality and thus never 100% final.


Exactly how are you defining 'inertia' in terms of TaPoS combined with burning?


As stated there at the linked post.
The owners of the UTXO that is intertwined with the history by TaPoS don't want their UTXO to be reverted thus they will agree with the fork (the perspective of reality) which contains those TaPoS.
So the inertia is tying all the stake holders to the history.
Thus the nothing-at-stake is removed without consuming an external resource.
@anonymint helped Dan Larimer invent TaPoS in 2013.
It is probably the one significant invention he created that might help us convert nothing-at-stake to something at stake.
The inertia is that they have something at stake.
These are decentralized checkpoints which are implicitly a consensus and don't rely on any central party to state what the consensus is.

Vitalik argued that TaPoS can be subverted by bribing old UTXO owners to sell their private keys, but this is not only unrealistic but the current UTXO owners will not agree.
The unrealism is because the old UTXO owners and the new ones have a significant overlap.
The stakeholders en masse don't want to destroy their own money.
And this line of thinking will lead you towards the consensus system @anonymint has devised.
But you have to be cautious of the fact the majority are apathetic and can be divided-and-conquered by their own selfishness.
345  Alternate cryptocurrencies / Altcoin Discussion / Re: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?) on: June 02, 2018, 09:42:56 AM
@anonymint says:
In the case of 4, well, it's just a disaster. Blocks can be replaced all the way back to the last checkpoint potentially and all transactions from that point could be destroyed.
Checkpoint is useless against a majority of the world's hashrate. The attacker can even divide-and-conquer the vested interests of the majority of the users:

https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61

https://bitcointalk.org/index.php?topic=4266048.40#msg39124755


In the case of 3, which is by far the most difficult to resolve, the partition tolerance reduces proportional to the duration of the partitioned state, and becomes more difficult to resolve without consequence in any system, as there may be conflicting actions which diverge the resulting state of all partitions further away from each other.  These partition events will always become unsolvable at some point, no matter what the data structure, consensus mechanisms or other exotic methods employed, as it is an eventuality that one or more conflicts will occur.

The fact is that DAGs/Tangles and our channels have a better partition resolution performance in the case of event 3 as the data structures are more granular.  An inconsistency in P doesn't affect the entire data set, only a portion of it, thus it is resolvable without issue more frequently as the chances of a conflict preventing resolution are reduced.

Now, you haven't provided any detail on exactly how you imagine a data structure that uses blocks that could merge non-conflicting partitions, let alone conflicting ones.  In fact I see no workable method to do this with blocks that may contain transactions across the entire domain.  Furthermore, who creates these "merge" blocks and what would be the consensus mechanism to agree on them?  In the event of a conflict, how do you imagine that would be resolved?

One possible solution which @anonymint first wrote about in 2014 (and @patmast3r mentioned in 2016, which I dismissed at that time only in the context of the Iota-style DAG) is that double-spending burns all the UTXO involved. All lineage balances are reduced by the destroyed value. And if the payer associates a KYC identity, then all (or the amount designated by the payer) UTXO of that identity are destroyed or used to pay all of the double-spends instead of burning them if the designated amount is sufficient to pay all. Or stated in another way independent of KYC, the payer may designate some other UTXO which is time locked guaranteeing he will not issue a double-spend. Note even if the attacker had forked the chain before commitment to the time lock and orphans the commitment, then the attacker doesn't succeed in double-spending because the network remembers the signed commitment regardless of it being on an orphaned fork and inserts it into any subsequent block unless the attacker can sustain censorship of the winning fork indefinitely. Yet this penalty system has to have some expiration into finality, otherwise an attacker can maliciously burn lineage far in the past causing current descendent UTXO to be burned. The payee (and all payees down the lineage chain) then judge the risk of the transaction based on the amount of UTXO still guaranteeing against double-spend combined with the depth of the confirmations. It's important to understand that all consensus is probabilistic because of the physics of our universe.

However this proposed solution may not work in general cases of smart contracts, although it can be adapted to smart contracts where each user action is provably either a descendent or replacement of a prior action, so that issuing replacements can be penalized. And each such linearized action chain has to be independent of the other ones, so that removing actions in one chain doesn't impact other action chains. An example of an independent linearized action chain is a blog author making sequential edits of his blog. That would be independent of the edits of the other blogs of that author and other authors. Note that these attributes are actually necessary in any smart contract system which employs blocks, because otherwise the block producer could influence the outcome of the interactions by controlling the ordering of contract transactions within each block. The smart contract thus can't assume these interactions are randomized nor deterministic from the perspective of the signers of the transactions. This is probably yet another security hole in many extant smart contracts.

Note this idea is employed in SPECTRE and @anonymint pointed out that it would be incompatible with Replace-by-fee in Bitcoin. Yet his most significant criticism was specific to the fact that SPECTRE doesn't form consensus around a single total order, so that criticism wouldn't apply to the idea above because the total order will designate that the double-spends are burned and can't be further transacted as UTXO. @anonymint's understanding of SPECTRE is that the status of UTXO being double-spent is interpreted by the payer and payees, not by any total order of the ledger and ledger validators.

Note this sort of design is also being discussed in the "ECDSA signatures: why not force the reuse of r for spends from the same address" thread.

The best case scenario any system can hope for is that the actor with 51% majority can influence future events only, not the past!  Because at least then, in the event of a complete system failure, you still have a true historical record of fact which can be trusted up to the point of failure.
100% finality of confirmations requires a permissioned set of validators which has significant downsides to liveness.
See also the explanation below in response to @Ix.

Without a block reward, you are correct that the only incentive to be on a longest chain is so your transaction is confirmed unambiguously.

There are still transaction fees to consider (although obviously not in Iota), otherwise you might argue that bitcoin itself would suffer the same fate of diverging consensus, when the block reward expires.
Indeed that ends up being exactly the case.
See also the further discussion of Byzcoin in the OmniLedger discussion in @anonymint's latest blog.
So both of you were prescient.

That's what I'm trying to establish. As far as I can tell, there isn't any real cost (neither coins or electricity) to obtaining a majority of nodes, but I'll wait for fusilier's[fusillade's] reply.

Fixed that misspelling for you. Sorry I couldn't resist a little humor given the context of the discussion that was quoted from. In honor of the favorite word of the MSM in the Trump era.


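A toy model of the double-spend burn penalty sketched in post 345 above, as an added example that is not the post's or any project's code. It is a constructed reading of the proposal: conflicting spends of one outpoint burn both transactions' outputs and all descendant outputs, unless the payer pledged a time-locked guarantee outpoint (assumed field name `guarantee`) large enough to pay every conflicting payment, in which case the guarantee is consumed instead and the payees' outputs survive; the expiry-into-finality the post mentions is not modelled.

```python
"""Toy model of the double-spend burn penalty sketched in post 345 (added example).

Constructed reading of the proposal, not the post's or any project's code: two
transactions spending the same outpoint are a double-spend; by default the outputs
of both, and every descendant output, are burned. If the payer had pledged a
time-locked "guarantee" outpoint whose value covers all conflicting payments, the
guarantee is consumed to pay the payees instead and their outputs survive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Tx:
    txid: str
    inputs: List[str]                 # outpoints "txid:n" consumed
    outputs: List[int]                # values created as "txid:n"
    guarantee: Optional[str] = None   # time-locked outpoint pledged against double-spending


class Ledger:
    def __init__(self) -> None:
        self.txs: Dict[str, Tx] = {}
        self.values: Dict[str, int] = {}         # outpoint -> value
        self.spenders: Dict[str, Set[str]] = {}  # outpoint -> txids claiming it
        self.burned: Set[str] = set()            # outpoints destroyed by the penalty

    def add(self, tx: Tx) -> None:
        self.txs[tx.txid] = tx
        for op in tx.inputs:
            self.spenders.setdefault(op, set()).add(tx.txid)
        for n, value in enumerate(tx.outputs):
            self.values[f"{tx.txid}:{n}"] = value

    def outpoints(self, txid: str) -> List[str]:
        return [f"{txid}:{n}" for n in range(len(self.txs[txid].outputs))]

    def conflicts(self) -> Dict[str, Set[str]]:
        """Outpoints claimed by more than one transaction (the double-spends)."""
        return {op: s for op, s in self.spenders.items() if len(s) > 1}

    def lineage(self, txid: str) -> Set[str]:
        """txid plus every transaction that transitively spends one of its outputs."""
        seen: Set[str] = set()
        stack = [txid]
        while stack:
            t = stack.pop()
            if t in seen:
                continue
            seen.add(t)
            for op in self.outpoints(t):
                stack.extend(self.spenders.get(op, ()))
        return seen

    def penalize(self) -> Dict[str, str]:
        """Apply the rule to every conflict. Returns outpoint -> verdict string."""
        verdict: Dict[str, str] = {}
        for _op, txids in self.conflicts().items():
            owed = sum(sum(self.txs[t].outputs) for t in txids)
            pledges = {self.txs[t].guarantee for t in txids} - {None}
            cover = sum(self.values.get(g, 0) for g in pledges if g not in self.burned)
            if pledges and cover >= owed:
                # Guarantee suffices: consume it, payees keep what they were paid.
                for g in pledges:
                    self.burned.add(g)
                    verdict[g] = "consumed_guarantee"
                for t in txids:
                    for o in self.outpoints(t):
                        verdict[o] = "paid_by_guarantee"
            else:
                # No (sufficient) guarantee: burn the conflicting outputs and all lineage.
                for t in txids:
                    for d in self.lineage(t):
                        for o in self.outpoints(d):
                            self.burned.add(o)
                            verdict[o] = "burned"
        return verdict

    def balance(self, outpoint: str) -> int:
        return 0 if outpoint in self.burned else self.values.get(outpoint, 0)


def build_scenario(with_guarantee: bool) -> Ledger:
    """Constructed sample: A is funded with 100, pays M 60 in a1 and, conflicting,
    pays N 60 in a2; M has already forwarded its 60 to P in m1."""
    led = Ledger()
    led.add(Tx("c0", [], [100]))                   # funding of A (coinbase-style)
    led.add(Tx("g0", [], [200]))                   # A's time-locked guarantee output g0:0
    pledge = "g0:0" if with_guarantee else None
    led.add(Tx("a1", ["c0:0"], [60, 40], pledge))  # A -> M plus change
    led.add(Tx("a2", ["c0:0"], [60, 40], pledge))  # double-spend: A -> N plus change
    led.add(Tx("m1", ["a1:0"], [60]))              # M -> P, downstream of the honest spend
    return led


if __name__ == "__main__":
    for flag in (False, True):
        led = build_scenario(flag)
        print("guarantee" if flag else "no guarantee", led.penalize(), "m1:0 ->", led.balance("m1:0"))
```

Without the pledge the downstream payee P loses its 60 as well, which is the lineage risk the post says each payee must weigh against confirmation depth.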
346  Bitcoin / Development & Technical Discussion / Re: Is quantum computing threat to Bitcoin ? on: June 02, 2018, 09:34:22 AM
You'll excuse the intrusion into the semi-troll slant of the current conversation, but here's something just published that backs an earlier paper refuting the threat of quantum computing to Bitcoin: https://www.aier.org/article/threat-bitcoin-quantum-computing

The paper referenced: https://arxiv.org/pdf/1710.10377.pdf


For another slant...
and I don't understand how any slant which doesn't attack other members of this forum can be considered trolling...
a free exchange of ideas is not trolling.

That paper makes projections about the timing and quantity of qubits that will be available in the world based on what is currently known by the pawns in public academia.
We must look instead to the queens and kings on the chessboard.

The Manhattan Project exemplified that when national security is at stake, governments can mount intensive capital resources to accelerate and focus development of a key technology.
When Bitcoin is the international reserve currency with a $500 trillion marketcap 20 years from now, there will be a huge payoff for the Zionists if they can complete their destiny as preordained in Revelation where all wealth/control will become concentrated on the hill in Jerusalem.
Presumably they will make the necessary investments.
They will already control all ASIC mining because they control the very high capex fabs.

The Chinese recently made an advance in quantum communication encryption ensuring that a man-in-the-middle must destroy the information when attempting to read it:

https://www.insidescience.org/news/china-leader-quantum-communications

I'm not implying that the sober assessment isn't worthy. I'm just noting that it shouldn't be taken as 100% certain gospel.

I do not think we should be complacent about trying to eliminate the threat from quantum computing.

Such effort must be open source and it must be widely supported, otherwise those who are successfully working towards such might conveniently die in "accidents".

However, in the past @anonymint thought quantum computers would never likely be any faster on Grover's algorithm than classical computers with parallel memory tables, where he cited a paper by Daniel Bernstein, but perhaps that is only until you meet the state.
347  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Qora | POS | Assets | Names | Polls | Automated Transactions | Social Network on: June 01, 2018, 08:41:55 PM

I am hesitant to be listed on centralized exchanges, but will consider it if the opportunity presents itself on one that I believe will not be a scam in the future.
Polo I don't like how they acted previously, however now that they're under new management I may consider asking them to re-list. Though I'm not 100% on that.


Then you probably won't get enough liquidity.
Polo acted that way because allegedly the client was broken.
I'm not sure which conf you used, but seeing how many users complained as well, it's not unlikely that polo did actually have the same problems.
And it probably wasn't worth it for them to try to set it up properly because it was a low liquidity coin in the first place.

Do you know how much Qora is still on polo?
348  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][Main] Bitcore- BTX - SEGWIT - hybrid fork 1:0.5 of Bitcoin on: June 01, 2018, 08:15:05 PM


That does not sound good. Oh man, so Bitcore is apparently out?! That's a shame. Cry Sad Cry

Yeah well...
~20 people who voted 100+ times are apparently not allowed to win because it's considered cheating.
Outrageous.
349  Bitcoin / Development & Technical Discussion / Re: Some thoughts about consensus design on: June 01, 2018, 07:53:07 PM
If you want to solve the double spend problem, you have to start with something that isn't double spendable.
Agreed.
Costless witnesses have nothing-at-stake.

In bitcoin this is CPU cycles, which is a proxy for time.
Albeit an imperfect proxy which can theoretically be broken thus breaking the assumption that probabilistic finality is asymptotic.

You can't double spend time.
We can in the multiverse.
Quantum computing will (if it is achieved) open a portal into the multiverse.

If you start out your design by choosing to use something which is double spendable (a transaction, stake*, a vote) then you're going to be chasing your own tail.
Not necessarily.
For example, transactions can be converted into inertia which becomes probabilistically unlikely to be double-spendable.

Hope these out-of-the-box thoughts help your conceptualization.
350  Bitcoin / Development & Technical Discussion / Re: Proof-of-Approval: Version 2.0 on: June 01, 2018, 07:42:31 PM

Proof-of-Approval does require majority to be online but not supermajority.  


Then the transactions are only probabilistically final, not 100% final.
100% finality requires 2/3 of the validators to approve of the epoch.
Your blog is in error to claim you have an advantage over Ouroboros in this respect.
You can find links to the "math of safety and liveness" in @anonymint's latest blog.

See also this post
351  Bitcoin / Development & Technical Discussion / Re: Is quantum computing threat to Bitcoin ? on: June 01, 2018, 03:50:30 PM

what could be the best option to stop such attacks which will have the power end up an era started to promote anonymity?  


Anonymity isn't really the killer app of permissionless, trustless ledgers.
They generally disrupt top-down control, gate-keepers, and rent-seeking parasites in many ways.

The page of the Iota whitepaper which @anonymint cited explains that Iota mitigated the vulnerability in their (flawed) DAG design by making the proof-of-work difficulty very low.
But such a low difficulty in a blockchain consensus system would make the block period so fast relative to the network synchrony that
the orphan rate would skyrocket and the chain would no longer converge on a longest chain and/or attacking it would become much easier.

Yet the principle Iota employed could perhaps be applied to a different design that employed some sort of DAG that is not flawed. For example, @anonymint has been researching such designs.

Possibly some non-proof-of-work consensus system could be found that doesn't suffer from the nothing-at-stake vulnerability but that seems unlikely.

If I am not mistaken, perhaps the EquiHash in Zcash had some quantum computing resistance,
but it seemed to have some other flaws, though the details are not fresh in mind at the moment.

I presume that mathematically it must be possible to design a proof-of-work system which is quantum computing resistant. But haven't delved into it.

Mircea Popescu is working on a proof-of-work which is ASIC-resistant but don't know if it would be quantum computing resistant.
My concern is it may introduce a DoS vulnerability because the validator doesn't have a deterministic bound on computation.
352  Bitcoin / Development & Technical Discussion / Re: Proof-of-Approval: Version 2.0 on: June 01, 2018, 01:32:20 PM
In that case, why approve blocks at all?
Who are you replying to? What specific issue are you attempting to take issue with?

Let me presume that you're trying to say that if public opinion can be ambiguous then why approve blocks at all?
If that is your point, then the answer is that proof-of-work is not ambiguous because there is an objective longest chain proven by the cumulative difficulty by adding the difficulty of all the blocks in the chain.

IOW, to avoid making posts which are noise, it is helpful to learn Bitcoin 101 before commenting here.
Anyway, educating is okay but the problem is if someone does not respond correctly, then incorrect ideas promulgate.



@d5000, I think you may remember the discussion you had last year with @anonymint (under one of his former pseudonyms) in Theymos' thread about altcoins.
So it seems the points you are making here are reiterating some of that discussion about nothing-at-stake.
@anonymint wrote down his analysis of the nothing-at-stake issue which will seem to apply to all of these non-proof-of-work consensus systems:

https://gist.github.com/shelby3/e0c36e24344efba2d1f0d650cd94f1c7#oligarchy-if-pos-is-functioning

He does not think there will be any non-proof-of-work design that escapes from the nothing-at-stake problem except under the conditions he already mentioned, when a supermajority of the users are always online and the network remains within a bounded asynchrony.
He is confident a nothing-at-stake vulnerability can be identified in Proof-of-Approval.
But who has the time to find the nothing-at-stake flaw in all of these non-proof-of-work designs?
It is like everyone wants to try to reinvent the wheel of nothing-at-stake finding some way to blind themselves to the fact their design is also vulnerable.


Well, what I like about your protocol is that you have created something like a DPoS/BFT model without a static "delegate" set (e.g. Bitshares, Tendermint or Casper).

The inviolable rule is that 100% finality of transaction confirmations can only be obtained with a permissioned validator set.
And then of course there’s the liveness issue that the chain can get stuck and require a hardfork to unstuck.
And of course what you wrote about the political corruption that results from that and/or delegating stake.
That was covered again in detail in the discussion of EOS/DPoS in @anonymint's latest blog:

https://steemit.com/cryptocurrency/@anonymint/scaling-decentralization-security-of-distributed-ledgers
353  Bitcoin / Development & Technical Discussion / Re: Is quantum computing threat to Bitcoin ? on: June 01, 2018, 09:44:48 AM
I asked @anonymint in private Crypto.cat to respond one more time, and he was reticent because he said clearly @Ix has some vendetta and the discussion is turning nasty. He agreed to reply one more time for me for this thread, because of the technical errors that need to be corrected. Here follows verbatim the response he wrote to me in Crypto.cat...

Quote from: anonymint
Even a quantum computer takes over 2^45 operations to rewrite the chain which has accumulated work of 2^89 hashes. Even at a generous single cycle double SHA computation and 1 Ghz quantum cycle time this will take 2^15 seconds. That's about 10 hours rather than a nanosecond.
Also, wouldn't it take longer since every 2016 blocks, the difficulty of the clandestine network would go up 4x until it took them approximately 10 minutes to mine a block?

No. The longest chain is measured by adding up the difficulty of all blocks. So even though the blocks will be produced more slowly by the attacker, the difficulty of the chain being replaced is constant and the difficulty per unit time of the attacker is not decreasing.

Or is this something that just can't be spoofed?

With all due respect, your ideas for fixes will not work. If you'd like to discuss this with me, you may post comments on Steemit or Medium for me to answer.



But this line of arguing is pretty pedantic if they can just steal all unprotected funds and funds as they are spent from scripts.


Hashed addresses aren't vulnerable until they're spent. After a few unfortunate users are hacked as they attempt to spend, the 99.999% of the UTXO that remains hashed will remain hashed until a fix is in place as word spreads of the attacks.

Your response belies an understanding of what was already written in this thread. As was explained to @tromp when comparing the vulnerability to the signature scheme, the proof-of-work vulnerability doesn't have the protection of the preimage security of a hash which protects the public addresses. Thus the proof-of-work vulnerability is much more severe than the possibility of breaking the security of the private keys. That is the point I made to @tromp at the start.

But really, all they need to do is rewrite recent history to perform double spends at will, and the developer checkpoints will prevent very deep history rewriting.


Your suggested attack is the proof-of-work vulnerability that I raised. Whether the attacker deploys it long-range or short-range, my point to @tromp remains valid, that the proof-of-work is more vulnerable than the private keys.

Also, developer checkpoints are centralization and are futile if the miners refuse to adhere to them. The community would have to fork to a different proof-of-work algorithm because all of their coins would be stolen by rewriting the entire chain. Such an event would likely crater the price. The attacker could for example short the token and/or have other ulterior (externalities) profit/control motives that are achieved with the attack.

Moreover, the attacker could rewrite the chain and steal/burn only the tokens he wants, leaving the vast majority of users unaffected. Since democracy is one vote per human torso, the attacker can steal tokens from for example the Bitcoin $billionaires (that have minimal interleaving with other users' UTXO from the time they were mined at coinbase, or burn those portions of the targeted victims that interleaved) and leave the masses intact so the attacker(s) have political support for their takeover. Bitcoin transactions don't reference the block hash where they were confirmed, so that makes this variant of a proof-of-work attack plausible.

(anonymint is very good at sending discussions off course.)


Look in the mirror to see who has been trying to drag the discussion into the gutter. First by your gross misapplication of Occam's Razor wherein you argued that the more complex assumptions are the simpler ones, and now by making an incorrect technical argument. And then you have the audacity of injecting off-topic ad hominem in spite of your numerous errors and myopia about how attacks can interact with externalities (and so for the 3rd time this is linked for you):

https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61

As for objectivity, I can only presume based on your statement quoted below that apparently you're still angry at me for discussions with you about your Decrits in 2013.

(something you went on for days about being a vulnerability - but it's not).

Is that vindictive behavior indicative of a civil and mature way to conduct a discussion? Since I started responding to posts in this thread via private chat with @Traxo, you've been trying to find a flaw in my technical argument with which you can nail me to an ad hominem cross. Just stick to the points in the arguments without personalizing the argument.

It is not taking the thread offtopic to make points about Satoshi’s possible motives. Because motives are possibly relevant to how, why, and when such a quantum computing attack might be deployed.

Come on man. Please elevate your game to a civil discourse. If you want to prove something, then after 5 years finally launch your Decrits. Trying to ego battle me is the affliction of the incapable and isn't going to prove anything nor gain you anything.





2. NSA announced in 2015 that it is going to develop an anti-Quantum Cryptographic System. ==> A vague hint to my third point that we can still be secure

3. But it is said that when the Quantum computer is available for everyone it will cost you millions of dollars. For example: D-Wave 2000Q costs around 15 Million USD ==> Directly strengthening my second point.


@anonymint remarked to me that powers-that-be will be able to afford that, and it ties directly into his point about who "Satoshi" probably really was.
Seems this argument offends people who want to believe Satoshi is some inept Japanese hacker who created Bitcoin from his garage located next to his/her/it/their extended family kabota.
354  Bitcoin / Development & Technical Discussion / Re: Proof that Proof of Stake is either extremely vulnerable or totally centralised on: June 01, 2018, 09:43:11 AM
ironic that Proof of Anti-stake may work
the idea is that the user destroys its coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.


@anonymint says that your conclusion is not quite right or let's say it's incomplete.
After sufficient time the TaPoS combined with burning has inertia because users don't want to have the tokens reverted by a fork.
So essentially it's a more decentralized variant of checkpointing.
Will not help objectify consensus in the short-range case though.

I had relayed what @anonymint wrote about proof-of-stake:
https://gist.github.com/shelby3/e0c36e24344efba2d1f0d650cd94f1c7#oligarchy-if-pos-is-functioning
355  Bitcoin / Development & Technical Discussion / Re: Proof-of-Approval: Version 2.0 on: May 31, 2018, 08:04:14 PM

my concession is that this will be big news in any kind of remotely popular network, so picking the correct network will be an easy, one time event.



This response is applicable to all nothing-at-stake systems, so I will reply in this thread.

Your reply belies the fact that @anonymint refuted it before you wrote it.
Did you not see the linked Medium post I cited for you in the prior post:

https://medium.com/@shelby_78386/the-caveat-though-is-that-when-the-attacker-can-fork-the-vested-interests-of-some-of-the-users-9340dd037a61

Public opinion can be manipulated.
Just look at every fork war that has taken place already for evidence.
There's no objectivity in public opinion.
Just a lot of chest thumping and arguments about whose furk is longer and fatter.

Because after that, all the money of the attacker's fork is destroyed

Which one is the attacker's fork? Again, please read the Medium post that was cited.

No supermajority is required to be online because the order of records is determined in advance

Which section of your white paper explains this?


356  Bitcoin / Development & Technical Discussion / Re: Is quantum computing threat to Bitcoin ? on: May 31, 2018, 05:12:38 PM
Yet the speed-up of the proof-of-work is 17 billion times faster which is sufficient to replace the entire chain in a nanosecond!

Even a quantum computer takes over 2^45 operations to rewrite the chain which has accumulated work of 2^89 hashes. Even at a generous single cycle double SHA computation and 1 Ghz quantum cycle time this will take 2^15 seconds. That's about 10 hours rather than a nanosecond.

I presume @anonymint was speaking figuratively for the dramatic effect.
Thanks for the more plausible estimate.
Probably the quantum computer would be even slower than 1 Ghz, but I think his point about the potential threat remains valid.


When we're real close to perfection in quantum computing, and it starts looking like a big threat to bitcoin, we (the bitcoin community developers) can:


What if we don’t know we're real close? What if quantum computers become a state secret?
Also what if the extant miners at the juncture refuse to change the protocol because they're complicit?


-hardfork bitcoin and create a tangle (like that of IOTA or a better form of DAG) based coin.


Are they better? See this:
https://steemit.com/cryptocurrency/@anonymint/scaling-decentralization-security-of-distributed-ledgers-part-2
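As an added illustration (not code from anyone in this thread) of the estimate quoted above and of the earlier point that the chain is weighed by summed difficulty rather than block count: the 2^89 / 2^45 / 2^15-second figures are the thread's, the retargeting model is a simplified deterministic version of Bitcoin's rule, and the hashrates and durations fed to it are constructed sample values.

```python
import math

# Added illustration, not the thread participants' code. Part 1 reproduces the
# quoted estimate: Grover halves the work exponent, so 2^89 accumulated hashes
# cost ~2^45 quantum ops, i.e. 2^15 s at ~1 GHz (2^30 ops/s). Part 2 models a
# private chain with Bitcoin-style retargeting (every 2016 blocks, clamped to 4x):
# work grows at hashrate * time however difficulty moves, and fork choice sums
# per-block work rather than counting blocks.

def quantum_ops_to_rewrite(chainwork_log2):
    """2^k classical hashes -> ~2^(k/2) quantum operations under Grover search."""
    return 2.0 ** (chainwork_log2 / 2)

def rewrite_time_seconds(ops, ops_per_second):
    """Wall-clock time if each operation (one double-SHA) takes a single cycle."""
    return ops / ops_per_second

def simulate_attacker_chainwork(hashrate, seconds, difficulty,
                                retarget_interval=2016, target_spacing=600.0,
                                max_factor=4.0):
    """Deterministic miner: each block costs `difficulty` expected hashes; every
    `retarget_interval` blocks difficulty is rescaled by expected/actual interval
    time, clamped to [1/4, 4]. Returns (work, blocks, final_difficulty)."""
    t, work, blocks, interval_start = 0.0, 0.0, 0, 0.0
    while t + difficulty / hashrate <= seconds:
        t += difficulty / hashrate
        work += difficulty
        blocks += 1
        if blocks % retarget_interval == 0:
            factor = (retarget_interval * target_spacing) / (t - interval_start)
            difficulty *= min(max_factor, max(1.0 / max_factor, factor))
            interval_start = t
    return work, blocks, difficulty

def heaviest_chain(chains):
    """Fork choice: most total work wins, even with fewer blocks."""
    return max(chains, key=lambda name: sum(chains[name]))

if __name__ == "__main__":
    hours = rewrite_time_seconds(2 ** 45, 2 ** 30) / 3600
    print(f"~2^{math.log2(quantum_ops_to_rewrite(89)):.1f} ops, ~{hours:.1f} h")
    # Constructed sample: 10 s at 1e12 H/s; difficulty retargets 4x once.
    work, blocks, diff = simulate_attacker_chainwork(1e12, 10.0, 1e9)
    print(f"{blocks} blocks, work {work:.4g} vs hashrate*time 1e+13, diff {diff:.0e}")
    print(heaviest_chain({"honest": [1.0] * 100, "attacker": [4.0] * 30}))
```

The second simulation case in the test (one hash per second, 600-hash blocks) shows the honest-rate case: retargeting leaves difficulty at 600 and the accumulated work is still exactly hashrate times elapsed time.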



357  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][Main] Bitcore- BTX - SEGWIT - hybrid fork 1:0.5 of Bitcoin on: May 31, 2018, 04:53:20 PM
$3 Huh
Is this the moon?
Didn't know moon was a black hole!
comrades, who knows - this is the bottom Huh you can already buy or go even lower Huh ... sad everything. Sad

Who could have guessed that BTX would tank when the biggest news in the last few months is getting the BTX/BTC pair listed on yet another (among many others) exchange that nobody cares about.
And when the person who single-handedly wrote the BTX whitepaper leaves a few hours after releasing it to the public and demonizes the project to the max,
and the team (which btw Pete called "lazy", lol) responds like this: https://twitter.com/Bitcore_BTX/status/1000066406711472128


And on top of that the only "hope" to see at least a small green candle is getting some random funds from getadcoin, which apparently can easily be gamed by bots.
358  Bitcoin / Development & Technical Discussion / Re: Proof-of-Approval: Version 2.0 on: May 31, 2018, 03:07:12 PM
If you're interested, you can check out my signature for a link to my whitepaper on the Decrits consensus algorithm which is relatively similar to yours (with an identical long range attack defense), and is 5+ years old. Wink

Another message from @anonymint which I received in private chat.
He says that section 4.2.5 Scenario: Voices Colluding to Fork the Network is correct that with non-proof-of-work systems only the users which were online during the attack can detect malevolence and this requires bounded/partial asynchrony (i.e. not fully asynchronous as are Byteball and Hashgraph).
So if those assumptions for super majority of users being online and bounded network asynchrony are not fulfilled, then security deposits are insufficient for security, although they might or might not help rate limit.
So without any effective penalty on malevolence there's no cost to attacking it regardless if the validator set is permissionless or permissioned.

He presumes the same vulnerability can be found in every non-proof-of-work design including Proof-of-Approval.
359  Bitcoin / Development & Technical Discussion / Re: Is quantum computing threat to Bitcoin ? on: May 31, 2018, 02:00:34 PM
Quote
Scripts could contain bare addresses then if your argument was valid.
They can and do.

@anonymint recapitulated that his point is that only idiots would leave their public keys bare.
And certainly the person who invented Bitcoin is not an idiot and would certainly realize no worthy person would opt to leave addresses bare.
So to presume that he only added hashing because scripts need to be cryptographically compressed when referenced is not really an application of Occam’s Razor.
Occam’s Razor would not presume that Satoshi was so sophisticated as to become ignorant just so that he could fulfill your theory.
Occam’s Razor assumes the simplest and most natural reason.


For all his purported insight, Satoshi left all of his bitcoin in exposed coinbase to public key transactions. Over a million bitcoins just waiting to be stolen by a quantum computer.


Nice deception isn’t it.
So the elite can steal the BTC from themselves and make it look like they stole from this inept Japanese dude who created Bitcoin in his garage next to a kabota.


Double hashing was due to the known SHA2 length extension attacks.


As @anonymint stated, he was very meticulous about cryptographic security. So why would you assume he became non-meticulous in other cases of Bitcoin’s design?

Why is it that you think the anonymous person (or group) who created the technology that is disrupting the entire world was only capable of very limited thoughts compartmentalized to the convenient areas where you would like them to be?
Is it because you really want to believe Satoshi was inept?

You presume Satoshi is compartmentalized in just the areas you need him/her/it/them to be, but that is a very complex proposition.
The simplest assumption is that Satoshi was not perfectly compartmentalized in just the precise areas we need him/her/it/them to be.
For example, to presume he/she/it/them would be too dumb to not put hashing on addresses unintentionally is a very complex assumption in light of someone of Satoshi’s meticulous attention to detail w.r.t. cryptographic security.

360  Bitcoin / Development & Technical Discussion / Re: Is quantum computing threat to Bitcoin ? on: May 31, 2018, 01:21:49 PM
Hi anonymint
I live in Europe, and @anonymint lives in the Philippines.
Please note that I'm not @anonymint.
And mods can verify this because I'm not using a VPN.



So thus Satoshi designed Bitcoin addresses to be secure against quantum computing by wrapping them in a hash.

Occam's razor, Satoshi designed bitcoin addresses to use hashing because payments are not made to public keys, but to scripts which are of an undefined and unbound length and would make horrible addresses. It had nothing to do with quantum computers which I don't believe he considered at all.

@anonymint says he was wondering where the original creator of Decrits had disappeared.
He remembers the intensive discussions with you in these forums back in 2013.
He said he will look at your whitepaper.

He does not think Satoshi would be so haphazard, footloose, and unpremeditated as you presume him to be.
Scripts could contain bare addresses then if your argument was valid. But instead he always made addresses hashed. And he put a lot of thought into making sure that the cryptography couldn’t be cracked by for example his paranoid use of double-hashing.