ArticMine PMed me after I wrote
that flaming post, and said he would reply after studying my posts. He has not yet replied. Does that mean I am correct and there is no solution for Monero. I think so.
It is fundamental. Afaics, you'd have to completely rewrite Moaneuro.
Rewrite Monero, is not necessary at all but some documentation on how the Cryptonote adaptive blocksize limits actually work is needed, especially given the formula in section 6.2.3 of the Cryptonote Whitepaper is wrong.
https://cryptonote.org/whitepaper.pdf. My response will come in time.
I will start by examining the Cryptonote Penalty Function for oversize blocks. This is critical to understand any form of spam attack against a Cryptonote coin. From the Cryptonote whitepaper I cited above the penalty function is:
Penalty =
BaseReward (
BlkSize / M
N - 1)
2The new reward is:
NewReward =
BaseReward -
PenaltyWhere M
N is the median of the blocksize over the last N blocks
BlkSize is the size of the current block
BaseReward is the reward as per the emission curve or where applicable the tail emission
NewReward is the actual reward paid to the miner
The Maximum allowed blocksize,
BlkSize, is 2M
NThe penalty is only applied when
BlkSize > (1 + B
min) M
N Where 0 < B
min < 1 In the Cryptonote whitepaper B
min = 0.1.
The error in the Cryptonote Whitepaper was to set
NewReward =
PenaltyFor simplicity I will define:
BlkSize = (1+B) M
NBaseReward = R
basePenalty (for a given B) = P
BNewReward (for a given B) = R
BThe penalty for a given B becomes:
P
B = R
baseB
2While the new reward for a given B becomes:
R
B = R
base(1 - B
2)
The first derivative of P
B with respect to B is
dP
B /
dB = 2R
baseB
In order to attack the coin by bloating the blocksize the attacker needs to cause at least over 50% of the miners to mine oversize blocks and for an expedient attack close to 100% or the miners to mine oversize blocks. This attack must be a maintained over a sustained period of time and more importantly must be maintained in order to keep the oversized blocks, since once the attack stops the blocks will fall back to their normal size. There are essentially two options here:
1) A 51% attack. I am not going to pursue this for obvious reasons.
2) Induce the existing miners to mine oversize blocks. This is actually the more interesting case; however after cost analysis it becomes effectively a rental version of 1 above. Since the rate of change (first derivative) of P
B is proportional to B the most effective option for the attacker is to run the attack with B = 1. The cost of the attack has as a lower bound R
base but would be higher, and proportional to, R
base because miners will demand a substantial premium over the base reward to mine the spam blocks due to the increased risk of orphan blocks as the blocksize increases and competition from legitimate users whose cost per KB for transaction fees needed to compete with the attacker will fall as the blocksize increases. The impact on the coin is to stop new coins from being created while the attack is going on. These coins are replaced by the attacker having to
buy coins on the open market in order to continue the attack. The impact of this is to further increase the costs to the attacker.
It at this point where we see the critical importance of a tail emission since if R
base = 0 this attack has zero cost and the tragedy of the commons actually occurs.
This is the critical difference between those Cryptonote coins that have a tail emission, and have solved the problem, such as Monero and those that do not, and will in a matter of time become vulnerable, such as Bytecoin.Afaics, the above does nothing to remove/ameliorate the
Tragedy of the Commons in Satoshi's mining algorithm[1], except if viewed as short-term solution while no miners have a significant percentage of the network hash rate.
The problem is that as
I explained for Ethereum, as transaction rate scales up and thus the block reward is dominated by fees, then unless there is a uniform distribution of hashrate amongst all full node miners (which is of course impossible since not everyone can locate their mining equipment next to a hydropower plant with 2 - 4 cents electricity or for that matter perhaps
free subsidized electricity in corrupt environs such as China), then those miners with more hashrate will have lower costs of verification. Thus they will be more profitable and can buy more hashrate faster than the other miners. Thus mining will entirely centralize over time, because the economics are designed to centralize mining. So since mining will centralize, then attaining 51% of the mining power will be guaranteed and thus the above algorithm can do nothing to stop miners from spamming the block chain size by paying transaction fees to themselves. But of course with 51% of the hashrate, they can do anything they want, except up to the limits of what public perception will tolerate. I am assuming of course that transaction fees in a free market will reflect actual (marginal) costs and that verification cost will be significant relative to other costs such as bandwidth.
There is also afaics a math flaw in ArticMine's analysis. Unless
N is very small, then a miner with a significant but less than 51% hashrate is going to win a block in most every
N set, and thus they can hit the
2 * MN hard limit every time (or what ever rate of increase they deem most cost effective according to the Penalty cost being a function of a square), gradually ramping the median block size up over time. Thus the spam attack is not avoided, rather it just takes longer. And again I had pointed out that by shorting the coin, they can potentially recover their lost block rewards and profit. And if
N is very small, then the likelihood that a miner can win all N blocks with less than 51% hashrate increases. Also it is not clear to me from ArticMine's specification if
N is overlapping meaning a FIFO queue? But I doubt that makes any difference to my conceptual math point (note I have not written down the equations to precisely quantify this alleged flaw).
Also the
2 * MN hard limit means that block chain can't handle transient spikes in transaction load, e.g. such as would be required by Lightning Networks (which has sort of a garbage collection overhead which manifests has large spikes in transaction load).
Conceptually at the highest-level semantic model of the generalized essence, an anti-aliasing filter on transaction rate can't ameliorate the fact that a spam transaction is indistinguishable from a non-spam transaction.
To solve this problem we need to make the cost of what is burned when submitting a transaction greater than the cost of cumulative network verification costs. That both solves the economics of the first paragraph above and it also removes the need to limit the block size in any artificial way other than the burn cost. But in my design, I don't waste the burn cost and instead apply it to security in the form of unprofitable mining. Note that the only way to limit culmulative network verification costs is to centralize mining. And this is why I wanted to give up, because I didn't see any solution that didn't centralize mining. But then I realized the design I had for intra-block partitions can centralize while remaining controlled by decentralized PoW, thus effectively still decentralized. And this is why I say you will have to completely rewrite Monero (at least the consensus design portion of the block chain code).
Bumping up against the hard limit is probably wastefully expensive for this "attack"
What expense?
You're suggesting mining is (or can be) free? That's absurd. Even if it were free, this attack still costs you the reward.
I am suggesting the State (or those corrupt who control it) can charge the cost of mining to the collective (think the Three Gorges Dam that wrecked environmental devastation downstream, upstream and derivative effects all over China). I have made this point numerous times. And apparently (after everyone said I was crazy), it came true in China and if true was a factor that enabled China to capture an estimated 67% of the mining and 51% attack Bitcoin. Documentation of these statements is in my vaporcoin thread.
If the profit from shorting is greater than the reward, then it doesn't cost you anything. The free mining cost just makes it more likely you can sustain it long enough to reap your reward. How do we know the Chinese won't milk the investors while the block reward is high (mining at near $0 cost charging it the cost to the collective) and then also profit by shorting it all the way down from $1000.
We are bunch of naive geeks who are being reamed (mined) by savvy traders and strategists. These are no different conceptually than Rothschild's and Rockefeller's methods of yore. The players and technological field change, the game remains the same. (Yeah I am crazy conspiracy theorist whose analysis is always wrong)
Edit: haven't you been slightly suspicious of why the MSM publicized Bitcoin so much. That doesn't happen without the approval the global elite.
PoS(hit) can never be secure, because if it has a functioning markets (which it must in order to be widely adopted and liquid), then one can borrow stake, attack the coin (
which requires much less than 51% to for example delay transactions by some N blocks where N is a function of percentage of coin supply held), and then pay back the borrowed coin with cheaply bought coin as the price collapses due to attacks. You could simultaneously short it (i.e. which you did when you borrowed the coins, but sell some for fiat before you attack) for profits. Alternatively borrow fiat (or other cryptocoin), buy stake and short to profit and pay back loan. Also PoS can't distribute new coins, thus eventually the coin supply shrinks asymptotically to 0.
With PoW, your borrowed mining hashrate would eventually reach end of contract and the coin would repair itself. And you'd need much closer to 51% to do damage. You would hope to be able to purchase the coin at cheap prices, wait for it to rise back up and then sell it for fiat to pay back your loan. Much less plausible.
However if you are up against the
corrupt State that charges cost of PoW mining to the collective, then we're screwed with profitable PoW also, except I have the idea to use the unprofitable PoW of every person's computer in the world (with latency preventing them from farming out to ASIC), which seems might be even too much of an expense for China to hide the subsidization of.
First I refer to both of your 2013 posts in which both the case of a fixed blocksize (with fees theoretically going to infinity, in practice they are bound by transferring the value of the coin to the miners) and an infinite blocksize (fees go to zero) both fail. I do not dispute either of those scenarios, in fact I have no problem giving you credit for them since you came up with them before I did.
You clarified and refined the explanation and conceptualization, or at least brought it to my attention again, which is why I credited (and thanked) you for focusing me on that again in my Decentralization thread.
You propose a tragedy of the commons on the premise that the block reward is dominated by fees. When I first read this response I stopped right at that point since a block reward dominated by fees is actually not possible in a Cryptonote Coin short of actually setting the fees in the consensus code. This I thought would be clear from my previous comments, but it appears this needs some clarification.
The reason the above two scenarios do not apply to a Cryptonote coin with a tail emission such a Monero becomes apparent when one considers the economics of the total block reward components of fees and base reward (new coin emission). If the total in fees per block significantly exceed the base reward then it becomes economically attractive for miners to burn coins to the penalty by mining larger blocks. The block size rises until the total fees per block fall below a level where it is uneconomic for the miners to pay the penalty by increasing the blocksize.
If I understand correctly that by "burn coins to the penalty", you mean that miners will create fake transactions to themselves? Thus the cost of the penalty is being charged to the miner who can't generate fees from himself.
But that is incorrect rationale, because your and my entire point has been that the
Tragedy of the Commons is due to market demand for scaling, then the block size is unbounded. Your (and my) entire point was that without any bound, then transaction fees would trend towards 0 and thus an oligarchy MUST form because verification is not only not free, but more saliently verification is less profitable any miner that has less hashrate than the other miner who has the most hashrate (since all miners have to verify the entire block chain and thus verification costs are the same for all full nodes and have to amortized over income from blocks).
Thus you've accomplished nothing in terms of the fact that verification will centralize.
I explained in this thread
starting from first principles as to why the abstract Byzantine Generals Problem can't be solved decentralized. Period!
Thus that guarantees that it doesn't matter how you try to obfuscate this reality in numerous technobabble. smooth is incorrect to question whether Bitcoin is directly correlated to the BGP. I could explain that too, but I grow weary of foruming.
This level is comparable to the base reward. It is at this point where the need for a tail emission becomes clear, since without the tail emission the total block reward (fee plus base reward) would go to zero.
The base reward not going to zero does nothing to solve the
Tragedy of the Commons, as explained innumerable times by me and reexplained again above.
The second claim is that a spam attack by a less that 50% subset of the miners is possible.
No I wrote what a 51% attacker could do to game theory Monero's penalty algorithm and I said otherwise if you make N too small in Monero's penalty algorithm, then a < 50% attacker can win more than N blocks with some probability.
As I explained I in the original post this is not possible since one has to either to purchase coins on the open market and pay them to other miners to burn them against the penalty or use hashpower to generate the coins and then burn them to the penalty.
Again you are not addressing that the
Tragedy of the Commons is due to market demand for scaling, not from the miner creating transactions to himself. Thus the rest of your logic is inapplicable.
..
If I understand correctly that by "burn coins to the penalty", you mean that miners will create fake transactions to themselves? Thus the cost of the penalty is being charged to the miner who can't generate fees from himself.
But that is incorrect rationale, because your and my entire point has been that the
Tragedy of the Commons is due to market demand for scaling, then the block size is unbounded. Your (and my) entire point was that without any bound, then transaction fees would trend towards 0 and thus an oligarchy MUST form because verification is not only not free, but more saliently verification is less profitable any miner that has less hashrate than the other miner who has the most hashrate (since all miners have to verify the entire block chain and thus verification costs are the same for all full nodes and have to amortized over income from blocks).
Thus you've accomplished nothing in terms of the fact that verification will centralize.
I explained in this thread
starting from first principles as to why the abstract Byzantine Generals Problem can't be solved decentralized. Period!
Thus that guarantees that it doesn't matter how you try to obfuscate this reality in numerous technobabble. smooth is incorrect to question whether Bitcoin is directly correlated to the BGP. I could explain that too, but I grow weary of foruming.
...
I will respond to this because it is the crux of the entire argument. In Cryptonote the blocksize is bounded by the total of what market will pay in total fees for a block vs the base reward because a rational miner will not add transactions to a block that causes a net loss of fees received vs penalty paid. Also if demand falls then the blocksize falls with no recovery of the penalty. So total fees per block cannot fall to zero in the presence of a block reward. If the base reward is zero then yes the blocksize is unbounded.
Edit: Total fees per block can fall to zero only if the blocks are very small, below the minimum threshold, currently 20 KB (60 KB after the fork to 2 min blocks) for Monero
Your error is of course as I already stated, that transactions can grow unbounded due to market demand for more transactions, and since the Monero block size limit is bounded by the market demand as you have admitted, then it is unbounded.
Thus fees (not block reward) will trend towards 0 because no miner can enforce a bound on the block size so the miners will compete with each other to provide the lowest fees since there is no limit on the number of transactions a miner can put in a block (i.e. the payer can send a transaction with lower fees and wait some extra confirmations until the miner with lower fees wins the block).
But as I already stated, this means those miners with more hash rate will have higher income than those miners will less hashrate, yet all miners have the same verification costs. Thus mining will centralize to an oligarchy. Satoshi put a 1MB block size limit to keep verification costs much lower than the block reward, so that Bitcoin would not centralize too quickly.
I rest my case. Monero has not prevented the
Tragedy of the Commons. Please don't make me explain it again.
...
Your error is of course as I already stated, that transactions can grow unbounded due to market demand for more transactions, and since the Monero block size limit is bounded by the market demand as you have admitted, then it is unbounded.
Thus fees (not block reward) will trend towards 0 because no miner can enforce a bound on the block size so the miners will compete with each other to provide the lowest fees since there is no limit on the number of transactions a miner can put in a block (i.e. the payer can send a transaction with lower fees and wait some extra confirmations until the miner with lower fees wins the block).
But as I already stated, this means those miners with more hash rate will have higher income than those miners will less hashrate, yet all miners have the same verification costs. Thus mining will centralize to an oligarchy. Satoshi put a 1MB block size limit to keep verification costs much lower than the block reward, so that Bitcoin would not centralize too quickly.
I rest my case. Monero has not prevented the Tragedy of the Commons. Please don't make me explain it again.
Actually the error is on your side since you expect a rational miner to pay a penalty in order to add a transaction to a block with a minimal or zero fees which are far less than the penalty. Please do not make me explain the basics of how Cryptonote works again.
I rest my case. Monero has prevented the
Tragedy of the Commons.
My logic has nothing to do with the miner paying a penalty.
Per the math I replied to, the Monero penalty is based on exceeding the median of recent N blocks. Since (as you claim, but see Edit below) that median will scale over time to match the market demand for transactions thus no penalty will be incurred for adding all the transactions, then verification costs will eventually cost more than or a significant portion of the tail emission block reward as transaction volume scales.
The point is there is no bound on transaction volume.
Thus the logic I stated takes over (where lower hashrate miners are unprofitable and centralization is forced economically):
But as I already stated, this means those miners with more hash rate will have higher income than those miners will less hashrate, yet all miners have the same verification costs. Thus mining will centralize to an oligarchy. Satoshi put a 1MB block size limit to keep verification costs much lower than the block reward, so that Bitcoin would not centralize too quickly.
Please check your logic more thoroughly before responding. Because you are incorrect. So find your error before posting please.
Edit: my point about transaction fees trending towards 0 is correct but not necessary for my argument as explained above. The reason txn fees trend to 0 despite Monero's penalty for creating blocks which exceed the median of recent N blocks is that payers can send the txns with the lowest fee that any miner will accept. Thus Monero's block size will trend to 0 if the penalty feature works as designed.
So either txn fees trend to 0 or block size trends to 0.
Sorry you can not defeat the fundamental fact that decentralization can't have a solution to the Byzantine Generals Problem. That is fundamental and inviolable. Waste years of your life, but you will still never defeat Physics and the fact that the speed-of-light isn't infinite.
Edit#2: you will probably think that payers will increase their txn fees so that their txn gets added to a block because miners aren't motivated to add too many transactions to incur the penalty (for miners that accept lower txn fees than the other miners which drive the median block size). But some of the txns will get added which have this lower txn fee, but payers can only be sure their txn is added timely if they pay the maximum txn fee that any miner requires (or some amount higher than the lowest fee), thus the miner may be able to afford to pay the penalty by including these extra transactions thus driving the median block size upwards over time and thus eventually driving the txn fees to 0 (the point is miners have no incentive to exclude txns with any level of txn fee when it doesn't cost them anything to add a transaction to block thus the trend will be ever lower and lower txn fees ... the entire point of my rebuttal to your math is what your penalty algorithm does not reach equilibrium). Which was my point that the penalty feature of Monero will not work as intended. But if it does work, it will drive the block size to 0. There are many other scenarios but they all have failure modes (analysis by case enumeration is very piss poor methodology to do academic work, rather I have started from first principles to show abstractly that no decentralized solution to the BGP can possibly exist). So choose your poison because there is no way to escape the problem that verification MUST be centralized in order to solve the Byzantine Generals Problem.
Let me take a stab at explaining for laymen, my debate with ArticMine.
Monero has a feature that charges a penalty deducted from the coinbase block reward (e.g. analogous to the 25
BTC per block reward in Bitcoin). The Monero penalty is calculated based on how much larger the block is relative to the median of the preceding N blocks. The intended effect of this feature is that block size will scale to market demand without any
Tragedy of the Commons collapse into dysfunctional/degenerate outcomes. Note miners also earn income from transaction fees, so we have to analyze the complex interplay (i.e. game theory and any Nash equilibrium) between Monero's penalty algorithm, block size, block reward, and transaction fees, as well as any costs (see next paragraph).
Bitcoin has “
scalepocalypse”
Tragedy of the Commons collapse into dysfunctional/degenerate outcomes as transaction volumes scale up, because either:
- There is a block size limit and thus transaction fees will rise to the level of transaction values as transaction volumes far exceed that limit, in order to prioritize which transactions don't fit in the limited sized blocks.
- Or block size would be allowed to have no limit, in which case transaction fees will decline to the cost of verification (the cost for the miner with the most hashrate!) since in the absence of a block size limit the miners have no incentive to not include transactions which provide some more income per block (regardless how small that income per transaction is for as long as it exceeds costs). Note the bandwidth/propagation delay cost argument is moot because again the miners with most hashrate have the lowest bandwidth/propagation delay cost and they set the lowest transaction fees since they have the lowest costs[1] (readers thus note these issues are very complex and requires to have many variables in one's head at the same time to give a correct holistic analysis). The unbounded block size case leads to an oligarchy of the monopoly on hashrate so those in the mining cartel can have pricing power and also because (as I explained in the prior sentences) those who have more hashrate also have lower costs, thus they over time aggregate more hash rate than other miners (because they are more profitable).
The simplest rebuttal to ArticMine is that if the penalty feature of Monero works as intended so as to allow the block size to expand to the market demand for transaction volume, then the “
scalepocalypse”
Tragedy of the Commons collapse economics that I explained in the prior paragraph for the case of unbounded block size also applies to Monero. Monero's penalty feature only prevents a miner from bloating the blocks with
fake transactions paying to themself (because the miner would have to pay the penalty for exceeding the median block size, but is receiving no transaction fees to pay for the cost of the penalty from
fake transactions); and Monero's penalty feature is intended to scale block size to actual market demand.
Thus I have explained there is no Nash equilibrium in Monero's penalty feature (unlike for Satoshi's longest chain rule where there is indeed a Nash equilibrium because if miners don't converge on the longest chain then all their chains are invalid/orphans and worthless without consensus). ArticMine is probably thinking that since miners have different costs, the equilibrium point for transaction fees will be the weighted average but I have explained the holistic economics by which this weighted average is driven by the costs of the largest hashrate miners until they control all the hashrate[1].
If one instead assumed that ALL (or nearly all) payers will choose to wait for the lowest cost miner to win a block (and include their transactions, i.e. queueing up in a line that grows longer and longer) and thus set their transaction fees accordingly, then Monero's penalty feature would force the block size to trend to 0. I of course don't think payers will do this, thus I stated that either the block size trends to 0, or the block size scales to market demand. But per the prior paragraph, when the block size scales to market demand, then the transaction fees decline to the lowest cost miners over time (which is essentially trending to ~0), and thus the largest hash rate miners will be incentivized to form an alliance so they can have some pricing power over transaction fees.
Monero has solved nothing and has the same insoluble “
scalepocalypse”
Tragedy of the Commons collapse economics as Bitcoin.
Btw, I know how to solve this problem and the solution will be in my coin. Iota appears to have solved this problem as well, but my analysis concludes Iota will fail to converge without centralization of the system as well. The only distinction of what I am proposing to do in my coin is that the verification cost centralization is under the control of decentralized payers. Iota can't do this because if the payers don't stay with the same centralization, the convergence is lost. Whereas, in my coin design the payers can move their PoW shares at any time, because my design has a longest chain rule.
| [1] | This is mathematically unarguable for payers willing to wait for their transaction to be confirmed until the largest hashrate miner wins a block. It is also true in that the transaction fees are set by a weighted average of frequency of block wins by miners according to hashrate. And since I explained that miners with more hashrate aggregate more hashrate over time due to having lower costs, then the long game centralization/domination of transaction fee weighted average trend is unarguable as well. |
This response starts with the correct assumption that decentralization alone can't have a solution to the Byzantine Generals Problem (the failure of proof of stake), and then proceeds to make little sense on the unrelated problem of scaling the blocksize in POW coins. The latter problem Monero solves. Keep in mind that an equilibrium between fees per block, base reward and blocksize without a collapse to zero or "infinite" fees, the problem Monero solves, does not by itself speak to the miner centralization issue.
Whether proof of work introduces enough external entropy into the system to solve Byzantine Generals Problem is far from clear because there are a host of centralizing and de-centralizing factors interacting with each other the majority of which have not been taken into consideration in the previous discussion.
The underlined portion was refuted above.
Now I will address your abstract theoretical errors in the non-underlined portions quoted above...
The
Nash equilibrium failures of PoS are caused by the fact that the centralization is in the stake. What I showed abstractly in this thread is that every BGP solution will have some element of centralization, because BGP can't be solved without a reference point because otherwise there is no objective reality.
The longest chain rule employing external entropy from PoW provides no reference point other than the longest chain. As I explained to smooth and monsterer, so any attributes that can't be detected from the LCR, e.g. whether the coin is under 51% attack doing double-spends or censoring transactions, thus can't be objectively known/proved so that
all observers agree (i.e. these attributes are undecidable).
Thus Satoshi's LCR employing PoW does not solve BGP and can't solve it without some centralization. Period!
The key insight is to control how and where the centralization will be in the system. The error Bitcoin and Monero have made is the centralization is out-of-control of the payers. I have fixed that.
Thus the abstract BGP analysis does apply to the conclusion that Monero (and Ethereum) have deluded themselves into thinking they can avoid centralization and instead gets centralization in a way they did not want.
Sorry you were wrong on every single point you wrote.
Edit: PoW LCR is necessary to enforce the following conditions assumed by BGP that don't exist in a decentralized network otherwise (but again there is no objectivity other than the Nash equilibrium of the longest chain):
Afaics the paper has an important omission which is that when the disloyal generals (traitors) are not colluding (i.e. can't trust each other) then they have no reliable means to disrupt the loyal consensus. So my analysis will focus on the case where the disloyal generals are colluding.
[...]
(note also that the definition of oral messages assumes conditions A1, A2, and A3 which can't exist in a decentralized network where Sybil attacks are possible)
PS: By the way, classical BGP mentions somewhere that traitors collude AFAIK.
