Bitcoin Forum
Poll
Question: Viᖚes (social currency unit)?
like - 27 (27.6%)
might work - 10 (10.2%)
dislike - 17 (17.3%)
prefer tech name, e.g. factom, ion, ethereum, iota, epsilon - 15 (15.3%)
prefer explicit currency name, e.g. net⚷eys, neㄘcash, ᨇcash, mycash, bitoken, netoken, cyberbit, bitcash - 2 (2%)
problematic - 2 (2%)
offending / repulsive - 4 (4.1%)
project objectives unrealistic or incorrect - 10 (10.2%)
biased against lead dev or project ethos - 11 (11.2%)
Total Voters: 98

Author Topic: [neㄘcash, ᨇcash, net⚷eys, or viᖚes?] Name AnonyMint's vapor coin?  (Read 95223 times)
TPTB_need_war (OP)
December 17, 2015, 03:39:09 PM
 #441

Marketing can't be vague:


Quote:
Perhaps it is safe route for the programmers of NEM to take. They will be assured of well paid jobs. But I don't see how these developments necessarily make NEM more attractive for investors or users of NEM?

Quote:
We are trying to build a vibrant full economy on the blockchain with all kinds of people, services, organizations and businesses, not just banks and big businesses, but bootstrapping the NEM blockchain with services from major bank(s) and services from thousands of companies (if we get that to come to full fruition) isn't a bad way to bootstrap a chain.  If we have that as a base, then hopefully we can get all the rest of the regular people coming.

You have to ask yourself what is the advantage you bring to those businesses. And how does it scale. Is the relationship with the banks helping you bring something very enticing to them?

I don't have time to analyze this. But you need to think it out in detail.

And then you can articulate more than a vague statement to the prospective people interested in NEM how it helps them.

For example, I have thought out in detail exactly what I am going to write and how my target users are going to react at each detailed step in the way of interaction I have planned. And why I think they can't say no to the offer I am offering them.

illodin
December 17, 2015, 03:40:23 PM
 #442

Thanks for spelling it out for me guys. I still don't get one thing, why would the double spender need to prevent anyone else from winning a block forever?

Can't he just publish the series of blocks containing the double spend and stop mining as the honest miners will start mining on top of his last block? And when he wants to attack again start mining only then.
TPTB_need_war (OP)
December 17, 2015, 05:53:58 PM
Last edit: December 17, 2015, 07:39:22 PM by TPTB_need_war
 #443

Quote from: illodin
Thanks for spelling it out for me guys. I still don't get one thing, why would the double spender need to prevent anyone else from winning a block forever?

Can't he just publish the series of blocks containing the double spend and stop mining as the honest miners will start mining on top of his last block? And when he wants to attack again start mining only then.

A single double-spend by someone investing in a majority of the control of the coin doesn't make much economic sense.

Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so as not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

So our crypto threat model for taking total control of the chain isn't really a single double-spend but rather:

  • Ongoing double-spend or other mischief (e.g. dropping transactions by orphaning chains) to crash the price of the coin. This applies more to an altcoin that hasn't graduated to widespread adoption.
  • Having the longest chain meaning they can blacklist any block announcement or transaction they want to, or even change the protocol entirely in subtle ways that the masses won't object to. This applies to a coin that has widespread adoption and geopolitical-economics implications.

Personally I am most concerned about state regulated pools and miners being able to blacklist transactions that don't carry a KYC identification number on them, as dictated by some future NWO (or G20 cooperation recently announced) authority that has the power to take control of more than 49% of the hash rate ongoing. That is why even the excessive ongoing cost of such is not a sufficient argument to me of security, because the State profits from being able to maintain their power of taxation and other monopolistic powers for those fascist corporations that effectively control (leech on) the State. Personally I think it is assured that is where Bitcoin is headed over time, because it is the most natural outcome.

So although the asymptotic math implication is astute and aids the conceptualization of a model, that is why I am not fully satisfied only with monsterer's distinction being that the cost is sublinear versus constant for PoS. And I was never satisfied with the standard retort from Bitcoin supporters that the people will move away from any ubiquitous coin which is being so abused, because the fact is the masses don't care. Once a crypto coin becomes ubiquitous we are stuck with that technology because the masses won't change their electronic unit-of-account and unit-of-exchange again. As long as the masses don't feel they are inconvenienced or troubled, they won't rise up to kill off such an insidious 49% attack that only blacklists those who don't comply with KYC. Instead for Bitcoin (perhaps with Lightning Networks for microtransactions) everyone will comply with KYC, not be blacklisted, and there will be no problem except for excessive taxation and global top-down command economy collapsing into a Dark Age that chokes off the Knowledge Age. For example, we can look forward to the EU, Obama, Putin, and China dictating to us what sorts of businesses we can't create, net neutrality means we all pay an internet tax through the nose, and that we can't use encryption, etc. Basically if we don't have permissionless commerce then the State can destroy humanity. That is the way socialism dies. I'd prefer a permissionless release valve so that the Knowledge Age can flourish and humanity can be free to conduct commerce without oppression of the Corporate-State-Fascism-Technocracy that we are sliding into now.

Note I have become more convinced that for technical and inertia reasons, Bitcoin can't scale even with Lightning Networks (because LN requires block chain scaling also for the worst case garbage collection surges and more importantly because LN isn't an end-to-end principled solution so it isn't always available and opaque to the ends thus it can't scale to spontaneous payments between 100s of millions of users). That isn't a 100% given, just my appraisal at the moment which is subject to adaptation. Thus I worry less about that NWO outcome coming from Bitcoin and instead worry more about the failure of Bitcoin and the implications thereof. But I think it is impossible the free market of hackers won't rise up with a solution. And I am one of them who is trying.

So that is one of the main reasons I have invented this new design, in addition to addressing the block chain scaling issue and the 1 second microtransaction instant confirmations issue (which is necessary to serve the viral growth I am planning for my marketing strategy). It all fits together. But executing this is a major undertaking and challenge for one past-middle-age man in a room in the Philippines (who also happens to have some sort of strange inflammation illness that mimics autoimmune disease such as Multiple Sclerosis, neuropathy, or something akin to that).

Edit: I explained to monsterer upthread, how I claimed to have reduced the electricity for a PoW chain to an insignificant amount, thus correcting another long-standing issue with Satoshi's design.

If these claims sound like magic, then great. I prefer it to stay that way until I already have something launched. I have already revealed enough information that someone very determined could prove that my design is legit and implement it on their own. But that someone would need to be quite skilled. I am not spelling it all out in a coherent single paper at this time, because I am trying to keep potential copycats blinded for now. I have carefully phrased these discussions so that someone of monsterer's caliber can hopefully get the gist of it. I think it is important to at least verify that he wasn't able to shoot it down immediately due to some simple flaw. He needs a more comprehensive description to fully develop his analysis though. I am under no obligation to reveal details now, because I haven't launched nor sold anything to this forum (nor to the public anywhere yet). I am revealing some details now.

smooth
December 17, 2015, 06:51:40 PM
 #444

Quote from: TPTB_need_war
In PoW, there is an unbounded cost to preventing anyone else from winning a block announcement forever. In PoS, there is a bounded cost. The shape of the curve that monsterer mentions never levels off asymptotically.

And that is why PoS can't be asymptotically permissionless, but in theory PoW can be.

That's actually quite an elegant description. It says that if I own all the stake in a POS coin, I control it forever, no one else can mine a block for the rest of its existence. In POW you can't own all the hashes in the world forever (unless you have infinite electricity) because every hash has a cost, so your monopoly is only temporary.

People will argue that owning all the stake in the world is unrealistic, but in actual fact your level of control is directly proportional to your stake, so you can start causing problems much sooner and potentially cost free if you are shorting the coin.

Your degree of control is superlinear in the amount of your stake.

TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.
monsterer
December 17, 2015, 07:11:27 PM
 #445

Quote from: smooth
Your degree of control is superlinear in the amount of your stake.

Very interesting - can you prove it?
smooth
December 17, 2015, 07:21:43 PM
 #446

Quote from: smooth
Your degree of control is superlinear in the amount of your stake.

Quote from: monsterer
Very interesting - can you prove it?

It's difficult to say exactly since we can't really consider all exploit strategies nor external factors.

But taking the model of "honest" staking at face value, at 49% you can only hope to maintain control for a limited number of blocks. At 50%+, you control the chain forever. That's clearly more than a 4% increase.

Again assuming an "honest" staking model you can consider stake as votes and look to voting coalition models such as Shapley–Shubik, where staking is viewed as voting between competing chains, and that is trivially superlinear in terms of voting power relative to stake share.

Of course we know that most (all?) PoS systems allow voting on multiple chains, so this may break down. Such systems tend to devolve to PoW though, since stakers are then competing with other stakers to find the combinatorially most-favorable chain state, in which case again control is superlinear in hash power. So I think it is correct.
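The two claims in smooth's post above (control jumps from bounded at 49% to unbounded at 50%+, and coalition power is superlinear in stake share under Shapley–Shubik) can be checked numerically. This is an added example, not code from anyone in this thread: it computes the Shapley–Shubik index for a constructed stake distribution, and for the "limited number of blocks" side it evaluates the catch-up probability from the Bitcoin whitepaper for a minority attacker. The stake weights and the strict-majority quota are assumptions.

```python
from fractions import Fraction
from itertools import combinations
from math import factorial


def shapley_shubik(weights, quota):
    """Shapley-Shubik power index for a weighted majority game.

    A coalition wins when its summed weight is strictly greater than `quota`.
    Player i's index is the fraction of all n! orderings in which i is the
    pivotal voter, computed with the subset formula |S|! (n-|S|-1)! / n! over
    every coalition S that loses without i and wins once i joins.  Exact
    rationals avoid floating-point drift in the comparisons.
    """
    n = len(weights)
    index = [Fraction(0)] * n
    for i, w in enumerate(weights):
        others = [j for j in range(n) if j != i]
        for k in range(n):
            for coalition in combinations(others, k):
                before = sum(weights[j] for j in coalition)
                if before <= quota < before + w:  # i is pivotal for this coalition
                    index[i] += Fraction(factorial(k) * factorial(n - k - 1), factorial(n))
    return index


def power_per_share(weights, quota):
    """Ratio of Shapley-Shubik power to raw stake share for each player.

    A ratio above 1 means the holder's control exceeds its proportional share
    (the superlinearity claimed in the thread); below 1 means the holder is
    weaker than its share suggests.
    """
    total = sum(weights)
    return [power / Fraction(w, total)
            for power, w in zip(shapley_shubik(weights, quota), weights)]


def catch_up_probability(q, z):
    """Probability that an attacker holding fraction q of the block-producing
    resource ever overtakes the honest chain from z blocks behind.

    Closed form from the Bitcoin whitepaper: (q/p)^z while the attacker is a
    minority (p = 1 - q > q), and certainty otherwise.  This is the 'limited
    number of blocks' versus 'forever' distinction made in the thread.
    """
    if not 0 <= q <= 1 or z < 0:
        raise ValueError("q must be in [0, 1] and z non-negative")
    p = 1 - q
    if q >= p:
        return 1.0
    return (q / p) ** z


if __name__ == "__main__":
    # Constructed stake distribution in percent; quota 50 means a strict majority wins.
    stakes = [45, 25, 15, 15]
    for w, power, ratio in zip(stakes, shapley_shubik(stakes, 50), power_per_share(stakes, 50)):
        print(f"stake {w:>2}%  power {float(power):.3f}  power/share {float(ratio):.2f}")
    # Crossing 50% turns the largest holder into a dictator: index 1, everyone else 0.
    print(shapley_shubik([51, 25, 12, 12], 50))
    # Minority attacker: chance of reversing a payment z blocks deep decays geometrically.
    for z in (1, 6, 30):
        print(f"q=0.49 z={z:>2}: {catch_up_probability(0.49, z):.4f}")
    print(f"q=0.50 z=30: {catch_up_probability(0.50, 30):.4f}")
```

With the constructed stakes the 45% holder gets half of all pivotal positions (power/share 1.11) while the 25% holder gets one sixth (0.67), and at 51% the index collapses to 1 for the majority holder and 0 for everyone else.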
TPTB_need_war (OP)
December 17, 2015, 07:48:22 PM
 #447

Quote from: smooth
TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.

That is not a definition of permissionless that applies to me when I am trying to get my transaction on a block chain that is controlled by 50% of the miners who are beholden to the State which has regulated that I must put KYC on my transaction and I refuse to. Or which has banned me from transacting because I refuse to sign the document that says Man-made Global Warming is not a hoax (the status of which is stored in a database for my national id in the coming 1984). Or because I refused to show up for Putin's military parade last Sunday and the State's computer has decided to spank me. Or because Trump has banned Muslims from transacting and due to some glitch my national id confirms that I am a Muslim who was born in Islamabad.

You have moved the goalposts (constructed a strawman) based on moving the definition of permissionless. I don't find your variant of the definition of permissionless very relevant or useful in the threat scenario of a 50% attack. Because precisely that scenario is an asymmetry between the power of the individual and power of the collective (50% being the collective, e.g. one scenario is the masses being complacent against blacklisting which Satoshi's protocol doesn't prevent). Decentralization and end-to-end principle of networks is precisely removing the power of the collective (infrastructure) to dictate to the individual.

So sorry I must disagree even though you made a mathematical point worth reading and factoring into thoughts.

smooth
December 17, 2015, 08:04:13 PM
 #448

Quote from: smooth
TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.

Quote from: TPTB_need_war
That is not a definition of permissionless that applies to me when I am trying to get my transaction on a block chain that is controlled by 50% of the miners who are beholden to the State which has regulated that I must put KYC on my transaction and I refuse to. Or which has banned me from transacting because I refuse to sign the document that says Man-made Global Warming is not a hoax (the status of which is stored in a database for my national id in the coming 1984). Or because I refused to show up for Putin's military parade last Sunday and the State's computer has decided to spank me. Or because Trump has banned Muslims from transacting and due to some glitch my national id confirms that I am a Muslim who was born in Islamabad.

You have moved the goalposts (constructed a strawman) based on moving the definition of permissionless. I don't find your variant of the definition of permissionless very relevant or useful in the threat scenario of a 50% attack. Because precisely that scenario is an asymmetry between the power of the individual and power of the collective (50% being the collective, e.g. one scenario is the masses being complacent against blacklisting which Satoshi's protocol doesn't prevent). Decentralization and end-to-end principle of networks is precisely removing the power of the collective (infrastructure) to dictate to the individual.

So sorry I must disagree even though you made a mathematical point worth reading and factoring into thoughts.

I've not moved the goalposts. The goalposts say very clearly that if one entity controls 50% then the system has largely failed (at least temporarily I suppose). I didn't say that, satoshi did. The premise in his design (whitepaper) is that it is not 50% controlled.

If you think that premise of satoshi's design is implausible, fair enough, but now you have deviated off into assumptions about world view, not the design or functioning of the system itself.

Those are his words: "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network ..."

If they are, then all (or at least most) bets are off.
TPTB_need_war (OP)
December 17, 2015, 08:27:01 PM
Last edit: December 17, 2015, 10:44:22 PM by TPTB_need_war
 #449

Quote from: smooth
TPTB, satoshi's system is permissionless period, for two reasons, one being that control of <50% (or maybe some lower threshold with later analysis) is an axiom. The second being that permission isn't necessary to break someone's 50% monopoly (unless the monopoly controls 50% of the energy in the universe or something), similar to the above argument.

This may seem useless in the real world, but that's a different question from the mathematical properties of the system itself. We start with a clear description of the mathematical properties and then apply to the real world. In the process of doing the latter various additional assumptions are inevitably made.

Quote from: TPTB_need_war
That is not a definition of permissionless that applies to me when I am trying to get my transaction on a block chain that is controlled by 50% of the miners who are beholden to the State which has regulated that I must put KYC on my transaction and I refuse to. Or which has banned me from transacting because I refuse to sign the document that says Man-made Global Warming is not a hoax (the status of which is stored in a database for my national id in the coming 1984). Or because I refused to show up for Putin's military parade last Sunday and the State's computer has decided to spank me. Or because Trump has banned Muslims from transacting and due to some glitch my national id confirms that I am a Muslim who was born in Islamabad.

You have moved the goalposts (constructed a strawman) based on moving the definition of permissionless. I don't find your variant of the definition of permissionless very relevant or useful in the threat scenario of a 50% attack. Because precisely that scenario is an asymmetry between the power of the individual and power of the collective (50% being the collective, e.g. one scenario is the masses being complacent against blacklisting which Satoshi's protocol doesn't prevent). Decentralization and end-to-end principle of networks is precisely removing the power of the collective (infrastructure) to dictate to the individual.

So sorry I must disagree even though you made a mathematical point worth reading and factoring into thoughts.

Quote from: smooth
I've not moved the goalposts. The goalposts say very clearly that if one entity controls 50% then the system has largely failed (at least temporarily I suppose). I didn't say that, satoshi did. The premise in his design (whitepaper) is that it is not 50% controlled.

If you think that premise of satoshi's design is implausible, fair enough, but now you have deviated off into assumptions about world view, not the design or functioning of the system itself.

Those are his words: "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network ..."

If they are, then all (or at least most) bets are off.

Yes I claim Satoshi pitted the collective against the individual whether he realized it or not. And I aim to correct that flaw in his design, because the correct idealism is about liberating the individual not subjecting us to the will of the majority (which turns out to be the complacency and natural corruption of the masses who are the majority).

I am challenging the fundamentals that Satoshi set up. I don't know if "Satoshi" intended that evil or just couldn't figure out how to improve the design.

I would trust "Satoshi" more had he admitted that issue instead of just claiming 50% is the barrier of correct functionality. In effect he pitted the individual against the collective as the long-term outcome. I doubt very much the group that was "Satoshi" didn't know that. This was a clever plot foisted on us. I am not undiscerning enough to be fooled.

Hiding the evil in the feigned idealism of "a better gold that has 21 million supply forever". Not to mention that means the supply will collapse to 0 over time.

Satoshi was a clever marketer. That faux idealism of a better gold was put there very intentionally to blind men to the truth by their greed and love of stacking.

Lots of gullible geeks fell for it "hook, line, and sinker". Not me (links to the essay I wrote in 2013, Bitcoin : The Digital Kill Switch).

illodin
December 17, 2015, 08:51:58 PM
 #450

Quote from: TPTB_need_war
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so as not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And yes you're thinking more broadly than just double spends, I will await further attack vectors.
TPTB_need_war (OP)
December 17, 2015, 09:14:45 PM
Last edit: December 17, 2015, 09:43:30 PM by TPTB_need_war
 #451

Quote from: TPTB_need_war
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so as not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

Quote from: illodin
But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement. So there is an ambiguity. Which is correct the instantX announcement or block chain announcement?

Some might argue that attack seems solvable by making the delay on instantX confirmations a sufficient number of seconds (or what ever is the maximum propagation to every PoW mining node). But the problem is that P2P network for propagation can be Sybil attacked so some nodes could be isolated and controlled as to which announcement they receive first. So it is possible to use this as an amplification attack on PoW resources so as to effectively control much more PoW resources than you do control.

It isn't necessary to isolate propagation to a majority of nodes. The rule about propagation for InstantX is supposed to be cast in iron, meaning that any node that has seen a certain propagation order will forever ignore the chain that has decided the opposite ordering, thus you end up with massive forking. An attacker could force Dash into an unlimited number of forks and kill the coin. The only solution is my invention mentioned below. But in Dash's design that would require abandoning instant confirmations (for the reasons I explained upthread to monsterer ... or wait for the white paper for diagrams and eloquent explanation).

I am also concerned about Evolution and that the quorum must change periodically, so if on the next block the quorums are changing then an attacker can construct a spend on one chain with one quorum, and then on a hidden chain on another quorum, which is not illegal as the quorums have changed and the miners who are mining on that hidden chain are thus ignoring the announcements on the quorum which from their perspective no longer has permission to sign the transaction. The basic problem is that around the time of changing quorums, there is no objectivity as to which quorums are authorized. Thus two chains can spend twice. And so then the hidden chain is announced later and it is longer so it wins and the double spend has been achieved. Since Evolution promises these to be instant confirmations, the merchant will have long since assumed the transaction was irreversible and not have waited for 6 blocks or whatever is safe (assuming the attacker doesn't have 50% of hash power). Remember that hidden chains can be created with less than 50% of the hash rate. The basic problem is that propagation is misaligned with orphaning. There is only one way to solve this fundamental issue about ambiguity and that is my invention I published in 2014 to defeat selfish mining by including all the chains but you can't do that in Dash's design for the reasons I explained to monsterer.

Dash has more attack holes than Swiss cheese. And I will be explaining more of them which monsterer inspired me to realize. I use that euphemism because I want to spank speculators who think they know what they know. They don't. These technologies are much too complex for speculators to have any reliable clue about what is what. Illodin you are reasonably informed being a programmer yourself, but still you will miss some of the finer details because this stuff is not easy. It requires a lot of experience and thought to master. I even messed up on these at times. It is quite complex.

TPTB_need_war (OP)
December 17, 2015, 09:55:10 PM
Last edit: December 17, 2015, 10:39:47 PM by TPTB_need_war
 #452

Quote from: smooth
Your degree of control is superlinear in the amount of your stake.

Quote from: monsterer
Very interesting - can you prove it?

Quote from: smooth
It's difficult to say exactly since we can't really consider all exploit strategies nor external factors.

But taking the model of "honest" staking at face value, at 49% you can only hope to maintain control for a limited number of blocks. At 50%+, you control the chain forever. That's clearly more than a 4% increase.

Again assuming an "honest" staking model you can consider stake as votes and look to voting coalition models such as Shapley–Shubik, where staking is viewed as voting between competing chains, and that is trivially superlinear in terms of voting power relative to stake share.

I was thinking of a point like that too. Proportional is clearly not correct.

+1 on the Shapley–Shubik reference.

Note that reaffirms the point that the cost is paid only once in PoS instead of unbounded, unless of course PoS devolves to PoW as you contemplate below...

Quote from: smooth
Of course we know that most (all?) PoS systems allow voting on multiple chains, so this may break down. Such systems tend to devolve to PoW though, since stakers are then competing with other stakers to find the combinatorially most-favorable chain state, in which case again control is superlinear in hash power. So I think it is correct.

That is the "nothing-at-stake" issue.

Or competing on propagation and P2P Sybil attack advantages? In any case, still not proportional since the distribution of wins is not likely uniform w.r.t. resources applied given that the longest (or whatever attribute) chain wins in capitulation by the lesser resources, i.e. by definition a chain is asymptotically (somewhere near majority) a winner-take-all paradigm and it is as you point out non-linear due to Shapley–Shubik.

Astute insight. Thanks. I probably would have thought of that too had I focused on it. I haven't expended much effort thinking in detail about how PoS works in its many variants.

illodin
December 17, 2015, 10:03:42 PM
 #453

Quote from: TPTB_need_war
Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so as not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

Quote from: illodin
But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

Quote from: TPTB_need_war
And if the attacker releases the block within the propagation delay so that some see the block announcement before they see the lock announcement. So there is an ambiguity. Which is correct the instantX announcement or block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock, his wallet will display only one standard confirmation, and he should therefore await more confirmations (it's displayed differently than a successful IX). But he won't get more confirmations as the network elsewhere has rejected the block and won't mine on top of it.

If most of the selected masternodes see the block solution first however, they won't sign the IX lock and the transaction falls back to standard confirmations.
smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
December 17, 2015, 10:07:54 PM
 #454

Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay, so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock, his wallet will display only one standard confirmation, and he should therefore wait for more confirmations (it's displayed differently than a successful IX). But he won't get more confirmations, as the network elsewhere has rejected the block and won't mine on top of it.

If most of the selected masternodes see the block solution first however, they won't sign the IX lock and the transaction falls back to standard confirmations.

This is what the IX white paper says:

"If attackers gain control of the 10 Masternodes for a given block and propagate multiple conflicting messages, the network must appropriately handle the conflict. For example, an attacker that controls a large portion of masternodes might propagate a message to Merchant B and nowhere else, while propagating messages to many other nodes spending the inputs back to himself.
In this case it is suggested that conflicting messages will cancel each other out and clients wait for normal block confirmation."

Controlling the 10 masternodes is not implausible at all (and doesn't necessarily require a "large portion" as the paper claims), since the attacker gets to choose the time of the attack, and may also be able to game the selection somehow.

In general you can't assume that everyone sees everything at the same time, or even that people know they haven't seen something they haven't seen. When there is wording like "propagate to all nodes" or "all nodes will do X" in the description, you can be sure that issues are being missed, ignored, or papered over.
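As an added illustration (not code from any post in this thread), the toy model below plays out the ordering ambiguity illodin and smooth are discussing: each node commits an input to whichever claim, IX lock or mined block, reaches it first, and the run shows that the network stays consistent when every node sees the lock first but splits into two tips when the withheld block reaches some miners inside the propagation delay. Node names, block ids and the two transactions are constructed sample data.

```python
# Toy model of the ordering ambiguity discussed above: each node commits an
# input to whichever claim (IX lock or mined block) reaches it first, so nodes
# that saw the two claims in different orders end up mining on different tips.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str  # the UTXO this transaction consumes

@dataclass
class Node:
    name: str
    committed: dict = field(default_factory=dict)  # UTXO -> txid it is committed to
    tip: str = "B0"  # block this node mines on top of (B0 = common parent)

    def on_lock(self, tx: Tx) -> bool:
        """Honest rule from the thread: obey the first claim seen for an input."""
        return self.committed.setdefault(tx.spends, tx.txid) == tx.txid

    def on_block(self, block_id: str, txs: tuple) -> bool:
        """Accept a block only if none of its txs conflicts with an earlier claim."""
        if any(self.committed.get(tx.spends, tx.txid) != tx.txid for tx in txs):
            return False  # conflicts with a lock this node already holds: reject
        for tx in txs:
            self.committed[tx.spends] = tx.txid
        self.tip = block_id
        return True

# Constructed sample: A pays the merchant via IX, while withheld block B1 carries
# B, which spends the same input (the Finney-style scenario quoted in the thread).
TX_A, TX_B = Tx("A", "utxo1"), Tx("B", "utxo1")
LOCK_A = lambda node: node.on_lock(TX_A)             # IX lock announcement for A
BLOCK_B = lambda node: node.on_block("B1", (TX_B,))  # the delayed block with B

def run(orders: dict) -> dict:
    """orders: node name -> events in the order that node happens to see them."""
    tips = {}
    for name, events in orders.items():
        node = Node(name)
        for deliver in events:
            deliver(node)
        tips[name] = node.tip
    return tips

def forked(tips: dict) -> bool:
    """True when the nodes disagree on which block to extend (a chain split)."""
    return len(set(tips.values())) > 1

# Everyone sees the lock first: B1 is rejected everywhere and there is no fork.
LOCK_FIRST = {n: [LOCK_A, BLOCK_B] for n in ("merchant", "miner1", "miner2")}
# B1 reaches the miners inside the propagation delay: the network splits.
MIXED = {"merchant": [LOCK_A, BLOCK_B], "miner1": [BLOCK_B, LOCK_A],
         "miner2": [BLOCK_B, LOCK_A]}
```

Calling run(MIXED) leaves the merchant on B0 and both miners on B1, which is the fork TPTB_need_war points at; run(LOCK_FIRST) leaves every node on B0.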

TPTB_need_war (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 262


View Profile
December 17, 2015, 10:09:35 PM
Last edit: December 17, 2015, 10:20:36 PM by TPTB_need_war
 #455

Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay, so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock...

Don't think only of the merchant (payee). Think of the consistency of the block chain. Pay attention to the issue of forking (disagreement between mining nodes which leads to them refusing to mine each others' chains), which afaics is the main threat (other than when masternodes can lie and get away with it, which is another attack vector monsterer caused me to realize I need to explain because I did also consider that attack vector in my design).

TPTB_need_war (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 262


View Profile
December 17, 2015, 10:22:43 PM
 #456

Against Dash and Satoshi's design (e.g. Bitcoin) that can theoretically be executed with a much less costly Finney attack (where the attacker wins a block but doesn't announce it right away and first announces his double-spend, which is even more likely in Dash's InstantX because the confirmation is instant making it much more feasible to fool the unwary merchant who was assured that InstantX is instantly confirmed so not to wait for chain confirmations), so no need to invest such massive resources. And there are other less costly attacks specifically on Dash that monsterer alluded to and I will be following up on in future posts.

But if the InstantX lock has been acquired (and the merchant will see in his wallet that the lock is on within a couple of seconds) the attacker's delayed block will be rejected by the network because it contains a conflicting transaction (all the honest nodes will obey the lock). To me it rather looks like InstantX is safer than Bitcoin in that respect, or am I again missing something?

And what if the attacker releases the block within the propagation delay, so that some see the block announcement before they see the lock announcement? Then there is an ambiguity. Which is correct, the InstantX announcement or the block chain announcement?

I don't know the exact details but this seems a non-issue to me. If the merchant receives the false block before he gets to know about the IX lock, his wallet will display only one standard confirmation, and he should therefore wait for more confirmations (it's displayed differently than a successful IX). But he won't get more confirmations, as the network elsewhere has rejected the block and won't mine on top of it.

If most of the selected masternodes see the block solution first however, they won't sign the IX lock and the transaction falls back to standard confirmations.

This is what the IX white paper says:

"If attackers gain control of the 10 Masternodes for a given block and propagate multiple conflicting messages, the network must appropriately handle the conflict. For example, an attacker that controls a large portion of masternodes might propagate a message to Merchant B and nowhere else, while propagating messages to many other nodes spending the inputs back to himself.
In this case it is suggested that conflicting messages will cancel each other out and clients wait for normal block confirmation."

Controlling the 10 masternodes is not implausible at all (and doesn't necessarily require a "large portion" as the paper claims), since the attacker gets to choose the time of the attack, and may also be able to game the selection somehow.

In general you can't assume that everyone sees everything at the same time, or even that people know they haven't seen something they haven't seen. When there is wording like "propagate to all nodes" or "all nodes will do X" in the description, you can be sure that issues are being missed, ignored, or papered over.

Do masternodes have a monopoly on propagation to mining nodes in Dash?

I was thinking of a propagation network like Bitcoin where anyone can join if they behave. In Dash only masternodes can propagate? If yes, that seems to make the potential to attack propagation much greater.

The attack I described for the Finney attack didn't even require conflicting InstantX announcements, rather the conflicting announcement of the transaction being spent on the block versus on the InstantX permissioned masternode. Even if InstantX transactions are prelocked to a specific masternode, it must be possible to unlock the funds back to the general UTXO, otherwise there would be a risk of losing funds to a masternode that refuses to sign. Thus the Finney attack can just unlock the funds in that case to create the double-spend of the InstantX transaction (by unspending it). No matter how it is designed, it can be attacked. I don't even need to know which way it is designed. I can reason that it is flawed either way.

smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
December 17, 2015, 10:41:59 PM
 #457

Do masternodes have a monopoly on propagation to mining nodes in Dash?

No.
illodin
Hero Member
*****
Offline Offline

Activity: 966
Merit: 1003


View Profile
December 17, 2015, 11:02:45 PM
 #458

The attack I described for the Finney attack didn't even require conflicting InstantX announcements, rather the conflicting announcement of the transaction being spent on the block versus on the InstantX permissioned masternode. Even if InstantX transactions are prelocked to a specific masternode, it must be possible to unlock the funds back to the general UTXO, otherwise there would be a risk of losing funds to a masternode that refuses to sign. Thus the Finney attack can just unlock the funds in that case to create the double-spend of the InstantX transaction (by unspending it). No matter how it is designed, it can be attacked. I don't even need to know which way it is designed. I can reason that it is flawed either way.

If the lock can't be acquired within 20 seconds, iirc, it will lapse. Can't find a link to back my memory though. And I don't know how and by whom it is canceled either.


Don't think only of the merchant (payee). Think of the consistency of the block chain.

It's starting to get too complex for me for now, I guess I'll need to draw a picture of a forking network to understand the implications. Thanks for being patient with me and trying to explain.
TPTB_need_war (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 262


View Profile
December 17, 2015, 11:07:07 PM
 #459

Regarding shorting, to be able to short there need to be actual coins on an exchange so they can be sold in the first place. Most coins are in the masternodes, a lot are in hot/cold storage controlled by random holders/users, and a tiny percentage is in the exchanges, and an even tinier percentage of those are being offered for shorting. Hard to make profit shorting considering the number of masternodes you'd have to own. Of course the possibility to do so is there, but it's not as simple as it's being made out to be.

Before reading your post, I had written in another thread:

Arguments along the lines of "if that is true, why hasn't it happened yet" are refuted with:

1. Perhaps only I am the one who realized how to attack it. And I just described it today.
2. There isn't much incentive to do that attack, because (from what I've heard about most of the trading volume on altcoins being fake) there isn't any way to extract any significant value from Dash via shorting.

<joke>An illiquid coin not used as a currency with all the coins locked up as a pump and dump game for speculators is already an attack.</joke>

Point is that if you have a widely used currency, shorting will be possible.

We are talking about what sort of design should we all support that can scale up and be used by millions of users. That is our goal right?

smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
December 17, 2015, 11:10:11 PM
 #460

Regarding shorting, to be able to short there need to be actual coins on an exchange so they can be sold in the first place. Most coins are in the masternodes, a lot are in hot/cold storage controlled by random holders/users, and a tiny percentage is in the exchanges, and an even tinier percentage of those are being offered for shorting. Hard to make profit shorting considering the number of masternodes you'd have to own. Of course the possibility to do so is there, but it's not as simple as it's being made out to be.

Before reading your post, I had written in another thread:

Arguments along the lines of "if that is true, why hasn't it happened yet" are refuted with:

1. Perhaps only I am the one who realized how to attack it. And I just described it today.
2. There isn't much incentive to do that attack, because (from what I've heard about most of the trading volume on altcoins being fake) there isn't any way to extract any significant value from Dash via shorting.

An illiquid coin not used as a currency with all the coins locked up as a pump and dump game for speculators is already an attack.

Point is that if you have a widely used currency, shorting will be possible.

We are talking about what sort of design should we all support that can scale up and be used by millions of users. That is our goal right?

It also isn't true that physical coins have to back a short, even on exchanges (but certainly not off exchanges or on derivative exchanges where people may simply owe coins or have negative exposure to the price of coins they don't have, by whatever mechanism).

When you lend coins on an exchange the borrower sells them to short. Now the buyer of those coins may lend them out again. Collateral margin requirements limit overall leverage but the collateral need not be in the same coin. Leverage of a particular coin is unbounded i.e. an arbitrary short interest may be rooted in a limited (much smaller) amount of physical, as long as sufficient physical exists to settle the largest individual trade.

There is no realistic possibility to enumerate potential incentives that exist outside the system.

Szabo:
Similarly, small-game/large-game problems often arise when software or security architects focus on an economics methodology, focusing on the interactions occurring within the defined architecture and failing to properly take into account (often because it is prohibitively difficult to do so) the wide variety of possible acts occurring outside the system and the resulting changes, often radical, to incentives within the system. For example, the incentive compatibility of certain interactions within an architecture can quickly disappear or reverse when opposite trades can be made outside the system (such as hedging or even more-than-offsetting a position that by itself would otherwise create a very different incentive within the system), ...
