Poll
Question: Viᖚes (social currency unit)?
like - 27 (27.6%)
might work - 10 (10.2%)
dislike - 17 (17.3%)
prefer tech name, e.g. factom, ion, ethereum, iota, epsilon - 15 (15.3%)
prefer explicit currency name, e.g. net⚷eys, neㄘcash, ᨇcash, mycash, bitoken, netoken, cyberbit, bitcash - 2 (2%)
problematic - 2 (2%)
offending / repulsive - 4 (4.1%)
project objectives unrealistic or incorrect - 10 (10.2%)
biased against lead dev or project ethos - 11 (11.2%)
Total Voters: 98

Author Topic: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin?  (Read 95218 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
monsterer
December 16, 2015, 10:35:35 PM
 #421

Are you assuming the masternodes have a majority of the PoW? Masternodes are orthogonal to miners.

No, I understand that. The problem (as I see it) is the masternode's quorum can be formed, scrapped and then re-formed with a conflicting double spend transaction all before their votes get embedded into the blockchain by the POW miners.

Quote
Could you unpack that for me? I didn't follow your math thought.

InstantX required the funds to be presigned over to masternode. I believe the idea in Evolution is all UTXO are eligible to spend through quorums without any presigning.

Last I looked, you needed to lock some collateral away to become a masternode, so acquiring N masternodes has a constant cost, as does acquiring a majority of them with which to perform the quorum attack described above. In regular POW chains, an <50% hash power attacker attempting to double spend has a longest chain production cost which is super linear in the number of blocks.
TPTB_need_war (OP)
December 16, 2015, 10:37:53 PM
 #422

How to not make an altcoin for the masses:

How do I install Java?
Check your java version HERE. If you are using Java Version 8, update 25 or above, you are ready to install the NEM client.

How do I open Port 7890?

 Cry

fuhgeddaboudit.

TPTB_need_war (OP)
December 16, 2015, 10:57:26 PM
 #423

Are you assuming the masternodes have a majority of the PoW? Masternodes are orthogonal to miners.

No, I understand that. The problem (as I see it) is the masternode's quorum can be formed, scrapped and then re-formed with a conflicting double spend transaction all before their votes get embedded into the blockchain by the POW miners.

Well I presume Evan's claim is that honest PoW miners will respect the propagated quorum announcements. So unless the attacker has 49+% attack on PoW, then it is assumed the honest PoW miners will follow protocol. So I don't think the weakness is there other than the normal weakness of a 49+% attack (not 50% because Bitcoin loses 1% of its hash against an attacker due to lost time mining orphans). Evan even implied that the minority would fork away from the majority PoW if the majority is not respecting the quorum announcements. That is fine as long as there is no ambiguity, but I had already explained to you up thread numerous cases of ambiguity without my innovations.

Yet as I explained, without a majority of resources, one might still be able to DDoS jam all block announcements by spamming the quorums and block chains with double-spends, or surely can commit a Finney attack as I described.

The other flaw is the ambiguity of which quorum is valid when there is an orphan chain right at the edge transition from one set of quorums to the next (realize this change has to occur periodically otherwise transactions stay stuck on masternodes that might no longer exist or which are unresponsive).

This turns the cost of a double spend under instant X into a constant proportional to the amount of locked collateral I have, which is far worse security than regular POW, which is super linear in the number of blocks.

Could you unpack that for me? I didn't follow your math thought.

InstantX required the funds to be presigned over to masternode. I believe the idea in Evolution is all UTXO are eligible to spend through quorums without any presigning.

Last I looked, you needed to lock some collateral away to become a masternode, so acquiring N masternodes has a constant cost, as does acquiring a majority of them with which to perform the quorum attack described above. In regular POW chains, an <50% hash power attacker attempting to double spend has a longest chain production cost which is super linear in the number of blocks.

I don't see how having a majority masternodes helps to commit a double-spend? You need either a Finney attack (controlling one block solution), a majority PoW attack, or sending to both of conflicting quorums with an orphan chain right at the edge of the periodic quorum change.

I am very sleepy now, so it is possible I might be making an error.

monsterer
December 16, 2015, 11:04:24 PM
 #424

Well I presume Evan's claim is that honest PoW miners will respect the propagated quorum announcements.

The whole point of instant X is that it lets you accept 0 confirmation transactions, so by the time a block has been generated by a miner, this attack has been pulled off already. If you need to wait for a block, you might as well scrap it and just use plain POW?
TPTB_need_war (OP)
December 16, 2015, 11:27:53 PM
 #425

Well I presume Evan's claim is that honest PoW miners will respect the propagated quorum announcements.

The whole point of instant X is that it lets you accept 0 confirmation transactions, so by the time a block has been generated by a miner, this attack has been pulled off already. If you need to wait for a block, you might as well scrap it and just use plain POW?

Afaik InstantX and Evolution are different designs. InstantX was where you presigned (on the block chain) your UTXO to a masternode so you can spend it instantly in the future with that masternode as the designated confirmer.

Evolution is where all UTXO are eligible to be instant signed by the quorum that applies to your UTXO. The quorum changes periodically (every N blocks) based on hashes from ancient history of the block chain.

My understanding is these instant confirmations are still recorded in the block chain and if they are double-spends, they are not recorded in the block chain. That is why the block chain size scaling issue (that is causing scaling problems already for Bitcoin) is not addressed by Evolution. Evolution is not a high volume microtransaction platform even if it didn't have the other flaws I enumerated.

Since you can only spend on one quorum (or for instant x, then one designed masternode), then it is normally impossible to double-spend.

The double-spend risk comes from the holes in their design that I enumerated in my prior post(s).

smooth
December 16, 2015, 11:58:03 PM
 #426

InstantX was where you presigned (on the block chain) your UTXO to a masternode so you can spend it instantly in the future with that masternode as the designated confirmer.

That is not how it works. Masternodes would lock outputs based on a signed request. No other masternodes would (unless hostile) approve a conflicting lock. There doesn't seem to be any real mechanism for enforcement other than assuming masternodes play nice. (There is no risk to collateral for example.)

In the event that masternodes do create conflicting locks, then PoW blocks will resolve the conflict. I don't really understand how a merchant is supposed to rely on this, since a conflicting lock can be discovered after the merchant has accepted the supposedly "confirmed by IX" payment.

I guess it is intended for low value casual payments like buying coffee. No exchanges accept it afaik.


monsterer
December 17, 2015, 09:20:11 AM
 #427

My understanding is these instant confirmations are still recorded in the block chain and if they are double-spends, they are not recorded in the block chain.

They might well be recorded in the blockchain, but what use is that to a merchant who accepted the deposit (at 0 confirms) and took irreversible action when the transaction was confirmed?

Quote
Since you can only spend on one quorum (or for instant x, then one designed masternode), then it is normally impossible to double-spend.

The double-spend risk comes from the holes in their design that I enumerated in my prior post(s).

I don't see how it's impossible at all. If I own a majority of masternodes, I can do whatever I like with my quorums and it doesn't just result in a 'no quorum achieved' it can result in double spends at 0 confirmations. Like I said before, if the system is designed to wait until 1 block has passed (in order to observe the quorum results), then you might as well throw it all away and just use POW?

I guess it is intended for low value casual payments like buying coffee. No exchanges accept it afaik.

Rather like accepting a transaction at 0 confirmations... except it gives merchants a false sense of greater security which is actually really bad in general.
illodin
December 17, 2015, 12:01:26 PM
 #428

My understanding is these instant confirmations are still recorded in the block chain and if they are double-spends, they are not recorded in the block chain.

They might well be recorded in the blockchain, but what use is that to a merchant who accepted the deposit (at 0 confirms) and took irreversible action when the transaction was confirmed?

When an InstantX lock is achieved (takes a couple of seconds usually) and broadcasted (and the merchant will see in his wallet the tx got IX confirmation), how do you propose to reverse that?


I don't see how it's impossible at all. If I own a majority of masternodes, I can do whatever I like with my quorums and it doesn't just result in a 'no quorum achieved' it can result in double spends at 0 confirmations. Like I said before, if the system is designed to wait until 1 block has passed (in order to observe the quorum results), then you might as well throw it all away and just use POW?

If you own a majority of masternodes why would you do something that undermines your wealth? The 1000 coin collateral is there for a reason and that is to have an incentive for the nodes to act in the best interest of the network.


I guess it is intended for low value casual payments like buying coffee. No exchanges accept it afaik.

Rather like accepting a transaction at 0 confirmations... except it gives merchants a false sense of greater security which is actually really bad in general.


Transaction locking is a concept where a client sends the network an intention to lock funds from a specific input to a specific output (or multiple of each). This is done by relaying an object consisting of a full transaction and the locking command. The user will sign a message using the input(s), and relay the message throughout the network.

    Transaction Lock: (“txlock”, CTransaction, nBlockHeight, Signed Message)

Locking messages will propagate across the whole Darkcoin network and reach all clients. Once the lock has reached everyone, a set of deterministically selected masternodes will form a consensus. Next, upon a successful consensus, a message will be broadcasted across the network and at this point all clients will respect the lock on the funds.

monsterer
December 17, 2015, 12:09:38 PM
 #429

When an InstantX lock is achieved (takes a couple of seconds usually) and broadcasted (and the merchant will see in his wallet the tx got IX confirmation), how do you propose to reverse that?

Read the thread and find out.

Quote
If you own a majority of masternodes why would you do something that undermines your wealth? The 1000 coin collateral is there for a reason and that is to have an incentive for the nodes to act in the best interest of the network

Yes, this is the common rhetoric we hear from POS stake disciples as well. Despite the fact that you can short coins on exchanges these days, this argument does nothing to dissuade the irrational attacker.
illodin
December 17, 2015, 12:28:37 PM
 #430

When an InstantX lock is achieved (takes a couple of seconds usually) and broadcasted (and the merchant will see in his wallet the tx got IX confirmation), how do you propose to reverse that?

Read the thread and find out.

Before I do that (please consider I'm not a crypto developer, just a random user with cursory knowledge compared to you guys), could you even give a hint does it involve having 50% of the mining power as well?


Quote
If you own a majority of masternodes why would you do something that undermines your wealth? The 1000 coin collateral is there for a reason and that is to have an incentive for the nodes to act in the best interest of the network

Yes, this is the common rhetoric we hear from POS stake disciples as well. Despite the fact that you can short coins on exchanges these days, this argument does nothing to dissuade the irrational attacker.

I don't think I claimed it did. Anyone (with enough resources) could buy up all Bitcoin miners and do what ever he wants with them. Should I dump all my BTC asap?

Regarding shorting, to be able to short there needs to be actual coins on an exchange so they can be sold in the first place. Most coins are in the masternodes, a lot are in hot/cold storage controlled by random holders/users, and a tiny percentage is in the exchanges, and even tinier percentage of those are being offered for shorting. Hard to make profit shorting considering the amount of masternodes you'd have to own. Of course the possibility to do so is there, but it's not as simple as it's being made out to be.
monsterer
December 17, 2015, 12:39:10 PM
 #431

Before I do that (please consider I'm not a crypto developer, just a random user with cursory knowledge compared to you guys), could you even give a hint does it involve having 50% of the mining power as well?

No.

Quote
I don't think I claimed it did. Anyone (with enough resources) could buy up all Bitcoin miners and do what ever he wants with them. Should I dump all my BTC asap?

Ok, so I'll make this easy to understand. Say I buy up enough bitcoin mining hardware to actually stand a chance at creating a double spend and I spend an equal amount of money acquiring masternodes. Is this situation equal from the attackers perspective?

The answer is no. Because I still have to use my bitcoin miners to outpace the rest of the entire network in order to build the longest POW chain. My masternodes have no such trouble, for them, creating a quorum is completely free of cost, therefore so is the attack.
illodin
December 17, 2015, 01:05:35 PM
 #432

Ok, so I'll make this easy to understand. Say I buy up enough bitcoin mining hardware to actually stand a chance at creating a double spend and I spend an equal amount of money acquiring masternodes. Is this situation equal from the attackers perspective?

Not equal, but similar enough. You can double spend for a while until no one trusts the currency or low confirmation numbers anymore.
TPTB_need_war (OP)
December 17, 2015, 01:28:39 PM
Last edit: December 17, 2015, 02:41:44 PM by TPTB_need_war
 #433

We can't escape from proof-of-work (PoW) and maintain decentralized consensus. Period.

I'd love to see a proof of that. Not meant as a challenge and I don't necessarily disagree at this point. It just seems hard to say that because we don't know of a way there can't be a way, and such a proof would be interesting.

In fact I have a vague notion of an idea that may be possible, but I haven't reduced it to a usable form. (Not at all related to PoS or other such techniques, and my idea may too devolve to PoW in some unseen way.)

Let's start with the refutations I did in the past couple of months to some old quotes from jl777 about the ability to game stake and shorting together. I think the insight was there. I need to get back to that when attempting to prove it and write a paper. I didn't want to dig right now as it is a lower priority tangent for me at the moment. Hey that is no attack on jl777 as he has said he is agnostic to the choice of PoW or PoS, so he will adjust as to what is proved. To prove that assertion will be more difficult than just having a single insight, similar to proving P ≠ NP.

My comment may have been unclear. I have a vague notion of a (maybe) non-PoW method that might actually work.

I have no idea whether it is possible to prove that no non-PoW method is possible. I don't think showing that PoS is impossible (not sure if we are even there yet, but as you say, refutations of claimed PoS methods always seem reasonably easy, if tedious) is sufficient.

I'd love to see a proof of that. Not meant as a challenge and I don't necessarily disagree at this point. It just seems hard to say that because we don't know of a way there can't be a way, and such a proof would be interesting.

This is no proof, but you can say for certain that the cost of executing a double spend in any POS system is a simple constant proportional to the amount of stake you control. In POW, the cost is super linear in the number of blocks, which is far better security.

I am bringing a conversation about block chain consensus over from the wrong thread to this one which is more applicable to recent discussion of my design, Dash's, etc..

I can see there was no way for me to respond without being forced to do the work that I was trying to delay since it isn't the highest priority for me.

We had our 2 hour daily brownout so I wasn't able to complete my thoughts. I was actually editing the prior post when the brownout hit. I haven't had time to get a battery backup set up (the high quality charger and inverter can't even be purchased here and was on order from the USA since July but another thing on my TODO list that this chicken running around with his head cut off can't keep up...because my waking hours are finite).

jl777 (and others, actually jl777 didn't start the thread I am referring to) had made the argument (many moons ago, not necessarily reflecting his opinion now as all of us are continually learning) that someone who purchased stake to game theory control a proof-of-stake coin would not have an incentive to do so because they wouldn't be able to extract their stake fast enough on the exchanges if they did something harmful to the coin that negatively impacted its market value. I pointed out (some months after that thread had died) that logic doesn't hold true if it is possible to short the coin. The profit can be attained external to the coin itself, i.e. another example of unbounded entropy of life (Second Law of Thermodynamics). I am thinking the reason this relates to my attempt at a conceptual proof of P ≠ NP (and also to my point today to smooth about why Zerocash anonymity is paradigmatically distinct from IP obfuscation), is because it is yet another example of where unbounded entropy can't be made into a barrier (other than Coasian barriers which fail in waterfall collapse).

Many want to argue against PoS making the point about nothing-at-stake (the ability to apply your stake to multiple chain candidates simultaneously because no external resources are consumed by applying stake unlike PoW where electricity is consumed and each hash computed is unique to that chain). But I don't view nothing-at-stake as the fundamental issue. The fundamental issue is that the entropy of stake is bounded. Thus if you own sufficient stake you can control every single outcome of the mining. No matter how you jumble it to make it more difficult it remains the fact that finite entropy can be known a priori and thus controlled. This is the point I (as AnonyMint) made to the author of Decrits back in 2013 on bitcointalk.org. Whereas with PoW, even if an entity controls 99.999% of the hash power, no one can win every block announcement unless they have 100% of the hash power. Now with Satoshi's design that fact didn't help security once the adversary had 49+% of the system hash power because the adversary could always form a longer chain that blacklisted the block announcements of the minority. But in my reformulation of PoW, I claim that (in theory) even a 99% adversary can't monopolize and destroy the permissionless quality of the consensus.

Second Law of Thermodynamics: In any cyclical process, the entropy will either increase or remain the same.

Entropy: a measure of the amount of energy that is unavailable to do work.

One might argue that if it ends up being a comparison between controlling 100% of the stake versus 100% of the PoW, there is no distinction. The distinction remains that the stake is finite and bounded by the money supply (even if it is increasing, we know what it is a priori), thus one can know (even if the calculation is very jumbled and obfuscated) when they've acquired sufficient stake to control the outcome of mining (and thus double-spends, force their changed protocol on the minority for complex reasons, etc). Whereas, PoW is always unbounded. On any block announcement, no one can predict a priori how much PoW resources will be applied to solving it. And this is only possible because PoW is an unbounded, consumed resource and PoS is a bounded, unconsumed resource. I am currently developing an abstract conceptualization that this is very much analogous to the dichotomy (duality perhaps) of categories that I believe can maybe be employed to prove P ≠ NP.

What this categorical theory tells us is that PoS can't be permissionless and PoW can be. Up until recently, apparently no one had figured out how to make PoW permissionless against a 49 - 99% adversary. I claim to have solved that. Yes there are tradeoffs as guaranteed by the CAP theorem.

PoS is a private club of trust and reputation. It is not a mathematically trustless paradigm we can use to make a decentralized paradigm for the internet.

monsterer
December 17, 2015, 01:52:25 PM
 #434

Not equal, but similar enough. You can double spend for a while until no one trusts the currency or low confirmation numbers anymore.

Not at all similar. Outpacing the chain in POW is super linear in the number of blocks, that means the more blocks you need to produce, the higher the cost to you and this relationship is a curve which curves upwards towards 'very high cost'.

Once you own some masternodes, the cost is zero for the attacker.
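The contrast drawn in the post above (a PoW catch-up that gets harder with every confirmation versus a one-off masternode purchase), worked through as an added example that is not part of the original posts. The PoW side is the attacker-success estimate from section 11 of the Bitcoin whitepaper; the quorum side assumes a quorum drawn uniformly at random from all masternodes and decided by simple majority, which the thread does not specify, and the masternode counts used are constructed.

```python
import math


def pow_catch_up_probability(q, z):
    """Whitepaper estimate of the chance that an attacker with hash share q
    ever overtakes the honest chain after the merchant waited z confirmations."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority attacker always catches up eventually
    ratio = q / p
    lam = z * ratio  # expected attacker progress while z honest blocks are found
    poisson = math.exp(-lam)  # Poisson(lam) mass at k = 0, updated iteratively
    prob = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        prob -= poisson * (1.0 - ratio ** (z - k))
    return max(prob, 0.0)


def confirmations_needed(q, max_risk, z_limit=1000):
    """Smallest z at which the catch-up probability drops below max_risk."""
    for z in range(z_limit + 1):
        if pow_catch_up_probability(q, z) < max_risk:
            return z
    raise ValueError("no z within z_limit reaches the requested risk")


def quorum_capture_probability(total, attacker, quorum):
    """Chance that an attacker owning `attacker` of `total` masternodes holds a
    simple majority of one quorum of size `quorum` (hypergeometric tail).
    Assumption: uniform sampling without replacement, majority vote decides."""
    if not 0 <= attacker <= total or not 0 < quorum <= total:
        raise ValueError("inconsistent masternode counts")
    need = quorum // 2 + 1
    hits = sum(
        math.comb(attacker, x) * math.comb(total - attacker, quorum - x)
        for x in range(need, min(quorum, attacker) + 1)
    )
    return hits / math.comb(total, quorum)


if __name__ == "__main__":
    # PoW: every extra confirmation the merchant waits cuts the attacker's odds,
    # so the expected number of attempts (1 / P) climbs steeply with z.
    print("PoW, attacker hash share q = 0.10")
    for z in (0, 1, 2, 5, 10):
        prob = pow_catch_up_probability(0.10, z)
        print(f"  z={z:2d}  P={prob:.7f}  expected attempts ~ {1.0 / prob:,.0f}")
    print("  confirmations for P < 0.1%:", confirmations_needed(0.10, 0.001))

    # Quorum: the result depends only on how many masternodes are owned.
    # Waiting longer does not change it, which is the 'constant cost' point.
    total, quorum = 3000, 10  # constructed figures, not taken from the thread
    print(f"Quorum of {quorum} out of {total} masternodes")
    for owned in (300, 900, 1500, 2100):
        prob = quorum_capture_probability(total, owned, quorum)
        print(f"  owned={owned:4d} ({owned / total:.0%})  P(capture)={prob:.4f}")
```

For a merchant, the first table is the basis for choosing a confirmation depth; under the stated quorum assumption there is no equivalent knob, because the capture probability does not fall with elapsed blocks.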
illodin
December 17, 2015, 02:22:57 PM
 #435

Not equal, but similar enough. You can double spend for a while until no one trusts the currency or low confirmation numbers anymore.

Not at all similar. Outpacing the chain in POW is super linear in the number of blocks, that means the more blocks you need to produce, the higher the cost to you and this relationship is a curve which curves upwards towards 'very high cost'.

Once you own some masternodes, the cost is zero for the attacker.

Similar in being able to double spend only a short while until people notice what's up and dump their coins and/or stop accepting them as a payment. Does the superlinearity effect get to matter enough to offset the fact that if you crash the currency your masternode coins are now worth zero but you could still sell the mining facilities and hardware and recoup some of the cost?
TPTB_need_war (OP)
December 17, 2015, 02:30:37 PM
 #436

I am very sleepy now, so it is possible I might be making an error.

monsterer was correct yesterday about other weaknesses in Dash. And I need to explain why my design doesn't have those same weaknesses. Guys plz wait I am catching up on messages. I will be back to explain soon...

monsterer
December 17, 2015, 02:36:31 PM
 #437

Similar in being able to double spend only a short while until people notice what's up and dump their coins and/or stop accepting them as a payment. Does the superlinearity effect get to matter enough to offset the fact that if you crash the currency your masternode coins are now worth zero but you could still sell the mining facilities and hardware and recoup some of the cost?

I'm not sure what you're asking any more and I don't have time to keep trying to get the point across. If you're interested, please read up on the maths and other issues in more detail.

We had our 2 hour daily brownout so I wasn't able to complete my thoughts. I was actually editing the prior post when the brownout hit. I haven't had time to get a battery backup set up

Have you considered getting a laptop? Get one with a high enough res screen that during normal operation you can plug it into a monitor, then when your power goes out you can continue to work on the built in screen.
TPTB_need_war (OP)
December 17, 2015, 02:49:19 PM
Last edit: December 17, 2015, 03:10:02 PM by TPTB_need_war
 #438

Not equal, but similar enough. You can double spend for a while until no one trusts the currency or low confirmation numbers anymore.

Not at all similar. Outpacing the chain in POW is super linear in the number of blocks, that means the more blocks you need to produce, the higher the cost to you and this relationship is a curve which curves upwards towards 'very high cost'.

Once you own some masternodes, the cost is zero for the attacker.

Similar in being able to double spend only a short while until people notice what's up and dump their coins and/or stop accepting them as a payment. Does the superlinearity effect get to matter enough to offset the fact that if you crash the currency your masternode coins are now worth zero but you could still sell the mining facilities and hardware and recoup some of the cost?

Illodin please read my prior post where I point out the attacker can short the coin to leverage as an advantage the decline in the value of the coins.

monsterer is making a mathematical point. His point is actually tied to my point that the entropy is unbounded for PoW. In PoW, there is an unbounded cost to preventing anyone else from winning a block announcement forever. In PoS, there is a bounded cost. The shape of the curve that monsterer mentions never levels off asymptotically.

And that is why PoS can't be asymptotically permissionless, but in theory PoW can be. But Satoshi's design was not in the sense that the 49+% attacker could take control of the longest chain and blacklist the minority and potentially use this leverage the same as an attack on PoS could. Yet monsterer's point remains valid even for Satoshi's design in that the cost of sustaining the attack for PoW is an ongoing consumption of a resource, and for PoS it is only the initial cost of buying the stake which could be completely recovered already by shorting the coin.

smooth there is your proof that there is a categorical distinction in the security. QED.

We had our 2 hour daily brownout so I wasn't able to complete my thoughts. I was actually editing the prior post when the brownout hit. I haven't had time to get a battery backup set up

Have you considered getting a laptop? Get one with a high enough res screen that during normal operation you can plug it into a monitor, then when your power goes out you can continue to work on the built in screen.

Lol. I am the guy who has two flat tires and no time to get them replaced. I've been intending since September to refill the Gasol for cooking, but instead the girls have to use an electric burner (@ $80 per month!) because I had no time to drive 1 km over to the Gasol station. Yeah common sense doesn't seem to apply to a chicken running around with his head cut off. I'll post a pic my gf snapped of me working so you can see what I mean. I laughed.

Note all my supplements lined up on my desk. Note the lack of a shower since early October.


monsterer
December 17, 2015, 03:13:26 PM
 #439

In PoW, there is an unbounded cost to preventing anyone else from winning a block announcement forever. In PoS, there is a bounded cost. The shape of the curve that monsterer mentions never levels off asymptotically.

And that is why PoS can't be asymptotically permissionless, but in theory PoW can be.

That's actually quite an elegant description. It says that if I own all the stake in a POS coin, I control it forever, no one else can mine a block for the rest of its existence. In POW you can't own all the hashes in the world forever (unless you have infinite electricity) because every hash has a cost, so your monopoly is only temporary.

People will argue that owning all the stake in the world is unrealistic, but in actual fact your level of control is directly proportional to your stake, so you can start causing problems much sooner and potentially cost free if you are shorting the coin.
TPTB_need_war (OP)
December 17, 2015, 03:20:59 PM
 #440

Not equal, but similar enough. You can double spend for a while until no one trusts the currency or low confirmation numbers anymore.

Not at all similar. Outpacing the chain in POW is super linear in the number of blocks, that means the more blocks you need to produce, the higher the cost to you and this relationship is a curve which curves upwards towards 'very high cost'.

Once you own some masternodes, the cost is zero for the attacker.

Similar in being able to double spend only a short while until people notice what's up and dump their coins and/or stop accepting them as a payment. Does the superlinearity effect get to matter enough to offset the fact that if you crash the currency your masternode coins are now worth zero but you could still sell the mining facilities and hardware and recoup some of the cost?

Just as in the case that asymptotic computational complexity models don't guarantee that there aren't real world scenarios that deviate from the asymptotic case, the same applies in this case.

You can paint scenarios where it seems PoS and PoW both have risks. But the point of the asymptotic analysis is that at the extreme, mathematically PoS can't be permissionless but in theory PoW could be if you can find a way to squelch the power of the longest chain to blacklist the minority. Even if you can't squelch that longest chain power, it remains true that theoretically the attacker of the PoW chain must continue attacking forever at unbounded cost of electricity (and updated hardware), else eventually the control returns to the honest minority.

Squelching the power to blacklist in the short-term appears to maybe be a form of anti-aliasing. I need to better conceptualize and explain this.
