Author Topic: DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?)  (Read 91075 times)
TPTB_need_war (OP)
February 24, 2016, 11:46:07 PM
 #741

A blockchain with unbounded entropy? doesn't sound very deterministic to me.

You were talking about society.  Roll Eyes

Sorry please pay attention to what I write so I don't have to repeat myself Smiley

I did. You wrote about society. I will not reply again to you. You are now on ignore idiot.

sidhujag
February 24, 2016, 11:49:19 PM
 #742

A blockchain with unbounded entropy? doesn't sound very deterministic to me.

You were talking about society.  Roll Eyes

Sorry please pay attention to what I write so I don't have to repeat myself Smiley

I did. You wrote about society. I will not reply again to you. You are now on ignore idiot.
Nope, re-read. Not sure how you can misinterpret "therefore you must act in benefit of the entire network (team) to have the most efficient and effective system" in this context, "idiot"
TPTB_need_war (OP)
February 26, 2016, 01:57:14 AM
Last edit: February 26, 2016, 03:48:52 AM by TPTB_need_war
 #743

I am adding this to the post on the first page of this thread documenting the insecurity of proof-of-stake (PoS):

Also, how can a PoS coin be attacked using this? Does this mean that PoS coins are more secure as atomic altcoins than PoW?

Unlike hashrate (electricity), stake only has to be purchased once and attack forever, so therefore rental prices for stake should be much lower (since stake costs less than hashrate).

"stake costs less than hashrate" this appears to be the same as saying donuts cost less than springs.

Sometimes the stake required to attack will cost more than hashrate and vice versa. So it all depends on the specific coins being talked about.

I am making a mathematical asymptotic argument similar conceptually to the arguments about Big O and Big Theta computational complexity classes (wherein at any particular/small values the conclusion might be opposite of the asymptotic reality). The point is mathematical structure in that stake only has to be purchased once, whereas electricity has to be paid continuously. Thus in terms of mathematical structure (all other variables the same, e.g. market cap, etc), then hashrate will be structurally more expensive than stake. Stake is not as secure as hashrate because stake is paid once for an eternal attack and hashrate must be paid continuously else the attack ends (is finite in duration). In short, stake enables an infinite duration attack (at no extra cost) and thus stake is free and hashrate is finite and thus it is not free. If you don't believe that, then just consider that one can short a PoS coin (thus recovering the cost of the stake making it less than free) and the market is likely to sell off the coin during any stake-based attack because the market understands the only way to overcome the attack is to fork the coin. Whereas with PoW, the market may ignore the attack because it will be ephemeral unless the attacker can profit from the attack enough to pay for the ongoing cost of the electricity.

This is the fundamental reason that PoS is not secure. Apparently some PoS coins have been attacked with stake, and the common case are the exchanges which control huge amounts of stake.

And I am not thinking it is so easy to cause deep reorgs at will. It could be that the DE for low security coins needs to be done over longer periods of time and in small increments, ie overlapped micropayment channels.

I presume I did not adequately explain the economic argument. The point is that once you incentivize profitable PoW attacks, the attacker can now sustain an attack indefinitely (or the DE is abandoned). Thus there is no longer period of time which is sufficient (from a mathematical structural perspective, although there might be particular cases that are secure, you can't state them with equations that enable reliable decisions). I understand you want to find some reasonable middle ground, but I presume you would play with fire if you pursued this similar to those who argued that PoS was an acceptable middle ground (yet even today we see that Bitshares' DPOS is probably controlled by a few exchanges and I think someone told me Nxt is controlled by a dictator).

I comprehend and am aware of the stance that says nothing is perfect and choose some practical middle ground. But I argue we can do better than some muddled middle ground where for example Bitcoin is already controlled by a Chinese mining cartel that has 65% of the hashrate and is provably lying about the Great Firewall of China being a hindrance for them (their motivation is obviously to make higher profits with higher transaction fees by constraining block size). This outcome I predicted in 2013, even I nailed in 2013 the block size as the specific failure mode, and everyone was arguing at that time that I was loony. Their % of the hashrate will increase on the next block reward halving this year, because the marginally profitable miners are the first to go (and I suspect the Chinese mining cartel is getting subsidized electricity with political connections/corruption).

You can make the reasonable argument that the insecurity of the proposed cut & choose algorithm only impacts those altcoins without CLTV and thus it is better than no DE for those coins. In that case, maybe I can agree with that. But do fully acknowledge the Pandora's box security threat so enabled (but at least isolated to those who trade for those altcoins). Thus I don't think it will be a very popular case, if proper disclosures are made. Who would trade BTC for an altcoin where they might lose their funds due to an attack (particularly even a long-range lie-in-wait attack) and where the developers of that altcoin are unable to add the CLTV op code.

I am not convinced by general statements, especially when they have counterexamples that prove they are incorrect. I can easily name many PoS coins that are more expensive to obtain stake enough to attack against a set of PoW coins whose hashrate is lower.

Of course there are scenarios where a PoW coin pays less % of debasement to mining thus requires less cost for a short-term attack than a PoS coin with a huge market cap. This is primarily because Satoshi's PoW design is incorrect. I have a solution to this by making mining unprofitable so that no debasement is paid for mining.

Both the current PoS and PoW designs are flawed. That is one of the major innovations I am working on.

Sorry, general scare statements don't work on me.

The generative essence statement I made upthread was referring to the fact that given no reference point, DE would not be secure. Without a reference point, nothing can be proven about crypto currency (e.g. double-spends can't be prevented, etc), thus the requirement for a reference point is essential (even Satoshi's PoW suffers from the fact that it is probabilistic and didn't solve the Byzantine General's Problem because it can't identify an attack from a non-attack because the longest chain rule is self-referential). I can make such a general statement and be 100% certain there is no possible exception, because it is a fundamental inviolable mathematical structural issue.

The reference points are provided by my upthread "Coin Days Destroyed" suggestion a few days ago and the point yesterday in this thread about hard-coding the destination addresses in the CLTV. In other words, those reference points do not depend on future confirmations, but are past history (the age of the UTXOs being spent) and future invariants (the hard-coded destinations).

I was just starting treatment for fatty liver disease over the past 2 days (along with running around getting a diagnosis and other foggy brain matters) so apologies that only this morning did I feel alert enough to write a coherent explanation such as this.

Only specific failure cases, which can then be generalized and solutions usually devised. I know that if I just say, sure in theory it won't work and don't push for a solution, then it would limit things to BTC <-> LTC and gradually more and more, so at worst it is a slow process, but we don't have to outrun the bear, we just need to be more secure than a CE.

There is a distinction between theory and inviolable mathematical structure. I will give you another example that I learned when I started to teach myself cryptography over the past 3 years. That is zero knowledge proofs are impossible without an asymmetric trap door function, i.e. they can't be done with hash functions. That is not theory. It is an inviolable fact due to the mathematical structure.

NXT PoS limits any reorgs to 720 blocks, so for NXT if the timeout is set above 720 blocks, then it will be beyond the reach of any attack.

That seems reasonable since checkpoints are required in PoS due to people selling their stake and then doing a long-range attack with stake they no longer own based on reorganization of historical transactions that create stake. Anyone who is buying NXT should hopefully understand the tradeoffs of a PoS system (centralized governance, advantage of less electrical consumption, my arguments against PoS in my prior post, etc).

Couldn't any coin use data from the BTC blockchain from some hours in the past to create a backstop from massive reorg? By using the massive PoW of BTC, a PoS or weaker PoW would get an externally verifiable reference? Why couldn't that be used as the generative essence you say is required?

[...]

But maybe I misunderstood your objection and the above has a fatal flaw?

I assume you mean writing some meta-data into the stronger block chain, that the weaker block chain could refer to as evidence. The hindrance is that decentralized block chains have no external reference point. There is no way to enforce that a particular block in one chain came before a block (nor within some # of blocks after a block) on another chain. Block chains are self-referential, and that is precisely why we need CLTV to implement decentralized exchange. It is also why Blockstream's side chains have security which is as weak as the weakest side chain (because a reorganization in one chain erases coins that have already been reserved in other chains for maintaining the one-to-one exchange peg), which is btw why afaics Side chains are implausible (hopefully this post won't get deleted by the moderator, hehe).

brekyrself
February 26, 2016, 03:30:45 AM
 #744

TPTB_need_war:

You mentioned a few times about obscuring your IP address for true anonymity with crypto blockchains.  What are your thoughts on the latest direction for bitcoin core 0.12.0.  Tor seems like such a mixed bag depending on what you're trying to accomplish.

"Automatically use Tor hidden services

Starting with Tor version 0.2.7.1 it is possible, through Tor’s control socket API, to create and destroy ‘ephemeral’ hidden services programmatically. Bitcoin Core has been updated to make use of this.

This means that if Tor is running (and proper authorization is available), Bitcoin Core automatically creates a hidden service to listen on, without manual configuration. Bitcoin Core will also use Tor automatically to connect to other .onion nodes if the control socket can be successfully opened. This will positively affect the number of available .onion nodes and their usage.

This new feature is enabled by default if Bitcoin Core is listening, and a connection to Tor can be made. It can be configured with the -listenonion, -torcontrol and -torpassword settings. To show verbose debugging information, pass -debug=tor."
TPTB_need_war (OP)
February 26, 2016, 04:08:16 AM
 #745

brekyrself, wrong thread. I answered you:

https://bitcointalk.org/index.php?topic=1342065.msg14012825#msg14012825

TPTB_need_war (OP)
February 26, 2016, 05:30:08 AM
 #746

Relating to James the experience that has been gained by all the discussions we've had in this thread and the related threads:

I assume you mean writing some meta-data into the stronger block chain, that the weaker block chain could refer to as evidence. The hindrance is that decentralized block chains have no external reference point. There is no way to enforce that a particular block in one chain came before a block (nor within some # of blocks after a block) on another chain. Block chains are self-referential, and that is precisely why we need CLTV to implement decentralized exchange.

OK, so we are in agreement on most everything.

I want to better understand the above as it seems the main issue to prevent much stronger security. I apologize if I am asking kindergarten level questions on this, but I don't understand the external reference point impossibility. Please bear with me.

Apologies in advance to readers that I will spew a lot of words about the phrase, "kindergarten level questions". I just feel awkward because I don't desire to measure myself or others that way. My intent is all about maximizing production (of myself and others). And I have weaknesses and commit lapses of logic (or insufficient research) sometimes/often.

I didn't mean to belittle anyone's sincere inquiries. Apologies if that seemed to be my tone upthread. To any degree that I felt frustration upthread, it was due to for example when someone conflates 'theory' with "highly abstract mathematical structural fact" and my frustration being not with them (for how can they understand my confidence in some insight if I don't explain it to them) because it is my problem if I am too low on energy or time to explain that distinction. Again it isn't the fault of another person that sometimes I am thinking/articulating in abstractions. And I don't make any claim about relative knowledge or capabilities (except to trolls and intentionally condescending people who deserve to have a mirror put in their face, which is not you James). I just tend to think in abstractions often, but not always (obviously I also think in terms of implementation and example cases otherwise I wouldn't have also written 100,000+ lines of commercially successful code as you have James). I just grow weary sometimes, because verbiage on forums has to be repeated over and over for each person. I have 10,000+ posts already on this site. Lol. James your effort on implementing DE is worthy of my reciprocal effort (as you know I've told you that I hope your DE is available for the altcoin I am working on). Apologies the past few days have been exhausting/distracting/struggle for me as I alluded to about my health. Also I am reasonably burned out from too many posts on these forums over the past 3 years in contagion with the chronic health debacle/suffering I've been battling. Again apologies if I don't always communicate with perfect attention to apparent tone and with careful/optimum elucidation.


I like concrete examples:

At noon, BTC block noon_txid appears. This is available to the entire bitcoin p2p network. At first it is a bit vulnerable to a reorg due to any pair of linked blocks would override it. After the next block, it would take 3 blocks to overtake, etc. So after 2 hours, we are past the timestamp variance and also have 10+ blocks protected by zillions of hashes.

ALL the altcoin chains can refer to this noon_txid. Let us call it noon_txid_inalt. I am pretty sure this is possible to do. And I am pretty sure that the presence of noon_txid_inalt proves that it came AFTER noon_txid. Please let us ignore odds of sha256 collisions.

In my previous post, I said bi-directional. So the BTC blockchain now gets the noon_txid_inalt and puts that into its blockchain (a bit past 2PM). call this the noon_altconfirm txid.

I claim that we now know that noon_txid happened before noon_txid_inalt which happened before noon_altconfirm txid. It looks like I can segregate blockchain events on different blockchains into definite categories of time ordering of "before" and "after"

What part of the above is insufficient to satisfy the requirements for the external reference?

There is no way to prove that the consensus of the weaker block chain placed those meta-data records in the stronger block chain. There is some meta-data, but it is meaningless, because consensus is the entire challenge of decentralized protocols that require consensus.

Off topic note that per the CAP theorem, Bitcoin forsakes Partition tolerance in order to achieve Consistency and Availability of consensus. You can think of the other block chain as being another partition. We've been discussing these abstract theoretical issues over in the Altcoin Discussion forum in threads such as The Ethereum Paradox, DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?), and Satoshi didn't solve the Byzantine generals problem. Also include some discussions between monsterer, smooth, and myself in my vaporcoin's thread. So I have the advantage of a few months of discussions about these abstract topics.
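
Added example (not part of any post in this thread): a Python sketch of the noon_txid / noon_txid_inalt / noon_altconfirm references from the concrete example above, and of the objection in the reply that the records do not show which alt fork is the alt chain's consensus. The block format, the function names and the two competing ALT blocks are constructed for illustration.

```python
import hashlib
import json


def block_hash(block):
    """SHA-256 of the block's canonical JSON encoding (toy format, constructed here)."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def make_block(chain, prev, payload, anchors=()):
    """A block commits to its parent, its payload and any foreign hashes it embeds."""
    return {"chain": chain, "prev": prev, "payload": payload, "anchors": sorted(anchors)}


def created_after(block, earlier):
    """True if `block` embeds the hash of `earlier`, so it cannot predate it
    (assuming nobody can guess a SHA-256 output before its input exists)."""
    return block_hash(earlier) in block["anchors"]


def ordering_holds(first, middle, last):
    """first -> middle -> last: the chain of references in the noon example."""
    return created_after(middle, first) and created_after(last, middle)


def anchored_candidates(btc_block, alt_blocks):
    """The ALT blocks whose hashes this BTC block carries."""
    return [b for b in alt_blocks if block_hash(b) in btc_block["anchors"]]


def scenario():
    # Constructed data, named after the post's example.
    noon = make_block("BTC", "btc-parent", "noon block")
    noon_txid = block_hash(noon)
    # Two ALT blocks on the same parent: competing forks at one height.
    # Both reference noon_txid (the post's noon_txid_inalt).
    alt_public = make_block("ALT", "alt-parent", "fork relayed to the network", [noon_txid])
    alt_private = make_block("ALT", "alt-parent", "fork built privately", [noon_txid])
    # BTC stores whatever hashes are submitted (the post's noon_altconfirm);
    # it does not run ALT's consensus rules, so both forks can be recorded.
    confirm = make_block("BTC", noon_txid, "block a bit past 2PM",
                         [block_hash(alt_public), block_hash(alt_private)])
    return noon, alt_public, alt_private, confirm


if __name__ == "__main__":
    noon, alt_public, alt_private, confirm = scenario()
    print("ordering via public fork :", ordering_holds(noon, alt_public, confirm))
    print("ordering via private fork:", ordering_holds(noon, alt_private, confirm))
    forks = anchored_candidates(confirm, [alt_public, alt_private])
    print("anchored ALT forks:", len(forks))
```

The before/after ordering checks out for both forks, and the BTC record carries both hashes, so the record alone does not single out one of them.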

monsterer
February 26, 2016, 08:40:24 AM
Last edit: February 26, 2016, 09:11:43 AM by monsterer
 #747

Another way to think about why PoS isn't as secure as PoW in general:

PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.
hv_
February 26, 2016, 09:10:51 AM
 #748

@TPTB_need_war another way to think about why PoS isn't as secure as PoW in general:

PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.

so with a 51% + selfish mining attack you would be able to unwind all hist tx in PoS? (with minor costs)

Carpe diem  -  understand the White Paper and mine honest.
Fix real world issues: Check out b-vote.com
The simple way is the genius way - Satoshi's Rules: humana veris _
monsterer
February 26, 2016, 09:17:13 AM
 #749

@TPTB_need_war another way to think about why PoS isn't as secure as PoW in general:

PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.

so with a 51% + selfish mining attack you would be able to unwind all hist tx in PoS? (with minor costs)

You can arbitrarily re-write history in PoS with <50%; I can produce a valid candidate chain longer than the canonical chain for a constant cost, which I then present to nodes which are syncing with the network who are unable to distinguish this objectively from the canonical chain.

edit: Since the cost of providing such information is very small, I can dominate the network with peers containing instances of my fake chain such that any syncing node querying peers at random would find a majority of my fake nodes.
hv_
February 26, 2016, 09:32:30 AM
 #750

@TPTB_need_war another way to think about why PoS isn't as secure as PoW in general:

PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.

so with a 51% + selfish mining attack you would be able to unwind all hist tx in PoS? (with minor costs)

You can arbitrarily re-write history in PoS with <50%; I can produce a valid candidate chain longer than the canonical chain for a constant cost, which I then present to nodes which are syncing with the network who are unable to distinguish this objectively from the canonical chain.

edit: Since the cost of providing such information is very small, I can dominate the network with peers containing instances of my fake chain such that any syncing node querying peers at random would find a majority of my fake nodes.



Thanks - in principle I knew - but I'd like to have a really rigid statement from others as well:

If big banks, corps and all those PWCs, Deloittes, R3s,.... would just do tiny risk Analysis (and I fear that's where they're strong) of that above, would they invest in PoS ( they do not control) ?


Carpe diem  -  understand the White Paper and mine honest.
Fix real world issues: Check out b-vote.com
The simple way is the genius way - Satoshi's Rules: humana veris _
monsterer
February 26, 2016, 09:35:11 AM
 #751

Thanks - in principle I knew - but I'd like to have a really rigid statement from others as well:

If big banks, corps and all those PWCs, Deloittes, R3s,.... would just do tiny risk Analysis (and I fear that's where they're strong) of that above, would they invest in PoS ( they do not control) ?

Conjecture: banks are only interested in blockchains to replace their internal, expensive, legacy settlement systems. They have no interest in anything public or risky - they want total control.
hv_
February 26, 2016, 09:38:24 AM
 #752

Thanks - in principle I knew - but I'd like to have a really rigid statement from others as well:

If big banks, corps and all those PWCs, Deloittes, R3s,.... would just do tiny risk Analysis (and I fear that's where they're strong) of that above, would they invest in PoS ( they do not control) ?

Conjecture: banks are only interested in blockchains to replace their internal, expensive, legacy settlement systems. They have no interest in anything public or risky - they want total control.

Not quite. Banks would like to see e.g. all their OTCs built into smart contracts....

Further: Would you trust some Slockit-Hotel ? Some self-employed car ... ?

Carpe diem  -  understand the White Paper and mine honest.
Fix real world issues: Check out b-vote.com
The simple way is the genius way - Satoshi's Rules: humana veris _
Kettler
February 26, 2016, 10:33:30 AM
 #753

Thanks - in principle I knew - but I'd like to have a really rigid statement from others as well:

If big banks, corps and all those PWCs, Deloittes, R3s,.... would just do tiny risk Analysis (and I fear that's where they're strong) of that above, would they invest in PoS ( they do not control) ?

Conjecture: banks are only interested in blockchains to replace their internal, expensive, legacy settlement systems. They have no interest in anything public or risky - they want total control.

Will there be one block chain used by all the banks, or will several banks share one block chain that is incompatible with the others?
hv_
February 26, 2016, 12:00:03 PM
 #754

Thanks - in principle I knew - but I'd like to have a really rigid statement from others as well:

If big banks, corps and all those PWCs, Deloittes, R3s,.... would just do tiny risk Analysis (and I fear that's where they're strong) of that above, would they invest in PoS ( they do not control) ?

Conjecture: banks are only interested in blockchains to replace their internal, expensive, legacy settlement systems. They have no interest in anything public or risky - they want total control.

Will there be one block chain used by all the banks, or will several banks share one block chain that is incompatible with the others?

Who knows? I strongly believe that a first and much simpler solution is in a (bank-wide) shared DB / hyper ledger thingy.

Carpe diem  -  understand the White Paper and mine honest.
Fix real world issues: Check out b-vote.com
The simple way is the genius way - Satoshi's Rules: humana veris _
hv_
February 26, 2016, 12:12:34 PM
 #755

@TPTB_need_war another way to think about why PoS isn't as secure as PoW in general:

PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.

so with a 51% + selfish mining attack you would be able to unwind all hist tx in PoS? (with minor costs)

You can arbitrarily re-write history in PoS with <50%; I can produce a valid candidate chain longer than the canonical chain for a constant cost, which I then present to nodes which are syncing with the network who are unable to distinguish this objectively from the canonical chain.

edit: Since the cost of providing such information is very small, I can dominate the network with peers containing instances of my fake chain such that any syncing node querying peers at random would find a majority of my fake nodes.



Again - this is killing!     Nobody wants to argue against ?   -   So  PoS    is  PoS(hit)  = high risk  = don't trust ?


Carpe diem  -  understand the White Paper and mine honest.
Fix real world issues: Check out b-vote.com
The simple way is the genius way - Satoshi's Rules: humana veris _
spartacusrex
February 26, 2016, 01:07:49 PM
 #756

You can arbitrarily re-write history in PoS with <50%; I can produce a valid candidate chain longer than the canonical chain for a constant cost, which I then present to nodes which are syncing with the network who are unable to distinguish this objectively from the canonical chain.

edit: Since the cost of providing such information is very small, I can dominate the network with peers containing instances of my fake chain such that any syncing node querying peers at random would find a majority of my fake nodes.

Can you elaborate on how you can do that ?

You can tell how much stake is used in creating a POS chain.

If you have less than 50% of the total coins, but more than 50% of the staking coins (the ones used for mining), ok. Rewrite away.

If you have less than 50% of the staking coins, then how is your chain going to show it is more valid than a chain that has more POS stake involved ?

Also, any node that has already connected to the network, can distinguish an attack chain, by checking for a block hash checkpoint, that it knows from previous connections to the network. Even if the attacker has more than 50% of the staking coins.

This attack would apply to those who have never connected before. And in that case, some checks would be required.

The simplest check, ask someone who is connected to the network already.

If you have never connected before, and don't know anyone who is on the network, then it's more complicated..  Tongue (although you could say that downloading the software is a risk in itself - is it legit or hacked, and any legit version would include some checkpoints)

..

POS has its pros and cons, for sure.

Life is Code.
monsterer
February 26, 2016, 01:29:19 PM
 #757

The simplest check, ask someone who is connected to the network already.

If you have never connected before, and don't know anyone who is on the network, then it's more complicated..  Tongue (although you could say that downloading the software is a risk in itself - is it legit or hacked, and any legit version would include some checkpoints)

And if I have a majority of fake nodes broadcasting my fake chain to those who wish to sync, the chances of asking my fake node is greater than 50%, isn't it?

The point about checkpoints is that when your protocol depends upon them for security purposes, you might as well just throw the whole thing in the bin and use a 100% centralised service, which will be exactly as secure and a lot faster, cheaper and easier to use.
spartacusrex
February 26, 2016, 01:42:21 PM
 #758

The simplest check, ask someone who is connected to the network already.

If you have never connected before, and don't know anyone who is on the network, then it's more complicated..  Tongue (although you could say that downloading the software is a risk in itself - is it legit or hacked, and any legit version would include some checkpoints)

And if I have a majority of fake nodes broadcasting my fake chain to those who wish to sync, the chances of asking my fake node is greater than 50%, isn't it?

Sure, but again, this only applies to someone who has never connected before and who doesn't know anyone on the network AND who has downloaded a version of the software that has no valid checkpoints in it.

The point about checkpoints is that when your protocol depends upon them for security purposes, you might as well just throw the whole thing in the bin and use a 100% centralised service, which will be exactly as secure and a lot faster, cheaper and easier to use.

Bit harsh.. There are many other benefits to a decentralised system, that 'needing-one-32-byte-checkpoint-at-first-logon' doesn't screw up.


Life is Code.
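
Added example (not part of any post in this thread, and not code from any coin's client): a toy fork-choice rule in Python covering the two guards discussed above, the block-hash checkpoint from the exchange between spartacusrex and monsterer and the 720-block reorg limit mentioned for NXT earlier on this page. The block format, `choose_chain` and the chain lengths are constructed; the toy chains carry no stake or work validation, which matches the premise that a longer candidate chain is cheap to produce.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    payload: str

    @property
    def hash(self) -> str:
        raw = f"{self.height}|{self.prev_hash}|{self.payload}".encode()
        return hashlib.sha256(raw).hexdigest()


GENESIS = Block(0, "0" * 64, "genesis")


def extend(chain, count, tag):
    """Return a copy of chain with `count` linked blocks appended (constructed data)."""
    chain = list(chain)
    for _ in range(count):
        tip = chain[-1]
        chain.append(Block(tip.height + 1, tip.hash, f"{tag}-{tip.height + 1}"))
    return chain


def links_ok(chain):
    """Structural validity only: same genesis, consecutive heights, correct prev hashes."""
    return bool(chain) and chain[0] == GENESIS and all(
        b.height == a.height + 1 and b.prev_hash == a.hash
        for a, b in zip(chain, chain[1:])
    )


def fork_height(local, candidate):
    """Height of the last block the two chains have in common."""
    common = 0
    for a, b in zip(local, candidate):
        if a.hash != b.hash:
            break
        common = a.height
    return common


def choose_chain(local, candidate, checkpoints=None, max_reorg=None):
    """Longest-chain rule with two optional guards. Returns (chain, reason)."""
    if not links_ok(candidate):
        return local, "rejected: broken links"
    for height, expected in (checkpoints or {}).items():
        if height >= len(candidate) or candidate[height].hash != expected:
            return local, f"rejected: checkpoint {height} not in candidate"
    if max_reorg is not None:
        depth = local[-1].height - fork_height(local, candidate)
        if depth > max_reorg:
            return local, f"rejected: reorg depth {depth} exceeds {max_reorg}"
    if len(candidate) > len(local):
        return candidate, "accepted: longer chain"
    return local, "kept: candidate is not longer"


def scenario():
    """Constructed chains: 1000 honest blocks and two forks of them."""
    honest = extend([GENESIS], 1000, "honest")
    rewrite = extend(honest[:101], 1200, "rewrite")  # forks at height 100, tip at 1300
    shallow = extend(honest[:991], 20, "shallow")    # forks 10 blocks below the tip
    return honest, rewrite, shallow


if __name__ == "__main__":
    honest, rewrite, shallow = scenario()
    fresh = [GENESIS]                                  # node that has never synced
    checkpoint = {900: honest[900].hash}               # one 32-byte hash
    print(choose_chain(fresh, rewrite)[1])             # no reference point at all
    print(choose_chain(fresh, rewrite, checkpoint)[1])
    print(choose_chain(fresh, honest, checkpoint)[1])
    print(choose_chain(honest, rewrite, max_reorg=720)[1])   # synced node, deep fork
    print(choose_chain(honest, shallow, max_reorg=720)[1])   # synced node, normal reorg
```

The first call is the first-sync case the posts argue over: with no checkpoint and no history of its own, the node has only length to go on. Where the checkpoint hash comes from is outside what this code can check.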
hv_
February 26, 2016, 01:45:47 PM
 #759

The simplest check, ask someone who is connected to the network already.

If you have never connected before, and don't know anyone who is on the network, then it's more complicated..  Tongue (although you could say that downloading the software is a risk in itself - is it legit or hacked, and any legit version would include some checkpoints)

And if I have a majority of fake nodes broadcasting my fake chain to those who wish to sync, the chances of asking my fake node is greater than 50%, isn't it?

The point about checkpoints is that when your protocol depends upon them for security purposes, you might as well just throw the whole thing in the bin and use a 100% centralised service, which will be exactly as secure and a lot faster, cheaper and easier to use.


Thanks ! Sounds really monstreous!

So everybody feel free to run   Multi Billion Contract Solutions on a PoS system.   Shocked

Carpe diem  -  understand the White Paper and mine honest.
Fix real world issues: Check out b-vote.com
The simple way is the genius way - Satoshi's Rules: humana veris _
HeliKopterBen
February 26, 2016, 02:08:33 PM
 #760

I'm with spartacusrex.  The ultimate test is for someone to pull off one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

Counterfeit:  made in imitation of something else with intent to deceive:  merriam-webster