DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?)

[monsterer]

Sure, but again, this only applies to someone who has never connected before and who doesn't know anyone on the network AND who has downloaded a version of the software that has no valid checkpoints in it.

Yes, this is a good description of a syncing node. The checkpoints thing is a mitigation, but I maintain that once you start using checkpoints for security, all you end up with is a centralised service with redundancy, not a decentralised or trustless system, which are they key tenants of cryptocurrency.

edit: simple thought experiment: if checkpoints are so great, why not use them for every single block and have a 100% attack resilient system?

[1713297709]

1713297709

[1713297709]

1713297709

[1713297709]

1713297709

[hv_]

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.  

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

I'd expect this happening only if there IS already multi billion business available to attack.... as usually always too late.    

My hope is - and thanks to TPTB - that here is platform to elaborate on this issues in public, cause that's the risk managament we all can afford.

[HeliKopterBen]

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.  

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

I'd expect this happening only if there IS already multi billion business available to attack.... as usually always too late.    

My hope is - and thanks to TPTB - that here is platform to elaborate on this issues in public, cause that's the risk managament we all can afford.

Why multi-billion and not multi-million?  These chains are already valued in the multi-millions.  Also, some of these attacks are free or nearly free, so why not just go ahead and do it (unless of course it can't be done, which I suspect). 

Again, until someone demonstrates that these attacks are possible and can cause significant damage, then POS is deemed sufficiently secure. 

[hv_]

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.  

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

I'd expect this happening only if there IS already multi billion business available to attack.... as usually always too late.    

My hope is - and thanks to TPTB - that here is platform to elaborate on this issues in public, cause that's the risk managament we all can afford.

Why multi-billion and not multi-million?  These chains are already valued in the multi-millions.  Also, some of these attacks are free or nearly free, so why not just go ahead and do it (unless of course it can't be done, which I suspect). 

Again, until someone demonstrates that these attacks are possible and can cause significant damage, then POS is deemed sufficiently secure. 

Hope you did not apply for some op-risk position at any reasonable company with that sentence above.

[HeliKopterBen]

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.  

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

I'd expect this happening only if there IS already multi billion business available to attack.... as usually always too late.    

My hope is - and thanks to TPTB - that here is platform to elaborate on this issues in public, cause that's the risk managament we all can afford.

Why multi-billion and not multi-million?  These chains are already valued in the multi-millions.  Also, some of these attacks are free or nearly free, so why not just go ahead and do it (unless of course it can't be done, which I suspect). 

Again, until someone demonstrates that these attacks are possible and can cause significant damage, then POS is deemed sufficiently secure. 

Hope you did not apply for some op-risk position at any reasonable company with that sentence above.

Still waiting.................

[TPTB_need_war]

More about checkpoints:

NXT PoS limits any reorgs to 720 blocks, so for NXT if the timeout is set above 720 blocks, then it will be beyond the reach of any attack.

That seems reasonable since checkpoints are required in PoS due to people selling their stake and then doing a long-range attack with stake they no longer own based on reorganization of historical transactions that create stake. Anyone who is buying NXT should hopefully understand the tradeoffs of a PoS system (centralized governance, advantage of less electrical consumption, my arguments against PoS in my prior post, etc).

It seems cut & choose with a fee is an appropriate DE protocol for any proof-of-stake coins with frequent checkpoints (that don't support CLTV), which in NXT's case appears to be enforced by nodes that are always online and can form objective reality from the chain they've seen while being online. In other words (an issue which we have discussed and identified in the linked threads I mentioned in my prior post), NXT's 720 block rule is ambiguous to nodes who've recently come online (they don't know which chain was first to appear and can be lied to by a node that has always been online, i.e. propagation is not objective reality to offline nodes), but afaik with proof-of-stake typically there are a more permanent set of nodes (dictators or elected delegates in Bitshare's DPoS) who control the chain, i.e. the coins are essentially centralized. Yesterday monsterer pointed out how PoS can be controlled with even less than 50% of the hashrate, so kudos to monsterer for articulating our prior insight with more clarity on the weakness of PoS.

So an imperfect DE protocol is arguably appropriate for an imperfect deCentralized consensus algorithm. Seems befitting and allows you James to monetize your work, since PoS coins are still quite popular for the time being (and with hubris I will joke that they will need DE to trade for my superior consensus algorithm invisible vaporcoin).

So what I am saying is I think you can monetize. I don't know how to monetize with the dual CLTV technically sound protocol (with my suggested "coin age" filtering improvement to squelch jamming attacks), as it seems to not require a fee.

Cut & choose seems to be inappropriate for proof-of-work coins due to the longer-range lie-in-wait rented hashrate attack on the probabilistic longest-chain-rule (LCR), unless they too are essentially centralized and have some frequent checkpoints generated by some form (either concentrated hashrate in always online nodes/pools that enforce checkpoints or lead developers who release checkpoints frequently) of centralized control.

[TPTB_need_war]

@TPTB_need_war another way to think about why PoS isn't as secure as PoW in general:

PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.

so with a 51% + selfish mining attack you would be able to unwind all hist tx in PoS? (with minor costs)

You can arbitrarily re-write history in PoS with <50%; I can produce a valid candidate chain longer than the canonical chain for a constant cost, whcih I then present to nodes which are syncing with the network who are unable to distinguish this objectively from the canonical chain.

edit: Since the cost of providing such information is very small, I can dominate the network with peers containing instances of my fake chain such that any syncing node querying peers at random would find a majority of my fake nodes.

I've added this to the post about PoS on the first page of the thread. You've pointed out that PoS can be Sybil attacked achieving an attack with less than 50% of the stake when the majority of the stake is not always online. In other words, PoS is only secure as a federation, not decentralized consensus.

[TPTB_need_war]

You can tell how much stake is used in creating a POS chain.

No you can't if stake has been sold and purchased, because the order of those transactions in time is entirely arbitrary and controlled by whom ever is claiming to have the stake now.

That is why PoS requires checkpoints and always online nodes with > 50% of the stake (who all agree with each other due to Nash equilibrium[1]) to avoid a Sybil attack.

[1] but the Nash equilibrium doesn't exist if one can earn more profit by shorting the coin or attacking an exchange, etc.. PoS is a mess that requires centralization. Note that Satoshi's PoW is also a mess that also centralizes as well due to the economics of mining+verification and wastes a lot of electricity (Bitcoin is already controlled by the Chinese mining cartel), so it is sort of stalemate at this point which explains the popularity of PoS (other reason PoS is popular is it is technically easier to implement and it is much superior for controlling P&D schemes and top-down governance).

The point about checkpoints is that when your protocol depends upon them for security purposes, you might as well just throw the whole thing in the bin and use a 100% centralised service, which will be exactly as secure and a lot faster, cheaper and easier to use.

Bit harsh.. There are many other benefits to a decentralised system, that 'needing-one-32-byte-checkpoint-at-first-logon' doesn't screw up.

Decentralized nodes provide DDoS resistance, higher availability and uptime. But a centralized controller can provide decentralized nodes. The significant advantages of decentralization derives from decentralizing control so that failure modes are removed that revolve around disagreements or vested interests. You can see that PoS has no Nash equilibrium unless it is controlled by one "winner take all".

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.  

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

PoS systems have already been attacked, I believe it was by an exchange. But that is not even the main point, which apparently you are also not cognisant of.

The main point is that the centralization required to obtain a Nash equilibrium in PoS is the attack. A centralized system is a political and vested interest leverage against everyone who uses the system. For example, the centralized control can veto feature changes, such as how the Chinese mining cartel has vetoed a block size increase for Bitcoin so they can ostensibly force transaction fees high to fatten their profits.

Still waiting.................

The ill-informed hubris that n00bs slobber on threads is incredulous.

The 50% attacks have already occurred numerous times for PoS and PoW coins. You are just blinded because you are not looking at all forms of "attack". Typical myopia of n00bs (non-experts) who haven't conceptualized all the issues thoroughly. Live and breathe this stuff for years as monsterer, smooth, and myself have and then you may start to have the foresight that we have. We would simply appreciate a bit more respect for the effort we have invested.

I am respectful to those who respect those who invest effort. This is called a meritocracy. I put the mirror in the face of weekend warriors who disrespect those who have done their homework.

[smooth]

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure. 

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

I didn't read the whole thread so maybe this is covered but the reason* these attacks don't happen in practice is that none of the deployed chains actually operate as decentralized consensus systems. They are centralized in some manner with checkpoints, centrally signed blocks, etc.

This makes them impossible to attack but it also makes them a sham. They're just centralized systems implemented in an inefficient way that gives the appearance of decentralization.

* The other reason these systems aren't necessarily attacked is that attacking takes work, and often no one really cares (competent people have better things to do). Shadowcash was recently deanonymized due to a mathematical flaw that rendered their anonymity technique utterly and completely worthless, and which existed in their design for over a year, with a bounty offered. But the flaw was only discovered by accident. Apart from this accidental discovery, the flaw could easily have stayed there for years longer but that would not have made the system any less worthless. Do not assume that since something hasn't been broken yet, it is secure. That is completely wrong.

[TPTB_need_war]

The self-referential aspect of block chain consensus is non-intuitive and it is easy to totally screw up the conceptualization of it:

There is no way to prove that the consensus of the weaker block chain placed those meta-data records in the stronger block chain. There is some meta-data, but it is meaningless, because consensus is the entire challenge of decentralized protocols that require consensus.

Off topic note that per the CAP theorem, Bitcoin forsakes Partition tolerance in order to achieve Consistency and Availability of consensus. You can think of the other block chain as being another partition. We've been discussing these abstract theoretical issues over in the Altcoin Discussion forum in threads such as The Ethereum Paradox, DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?), and Satoshi didn't solve the Byzantine generals problem. Also include some discussions between monsterer, smooth, and myself in my vaporcoin's thread. So I have the advantage of a few months of discussions about these abstract topics.

So the issue is not time sequence, but the fact that it is hard to know if the weaker chain put the data in there as part of a consensus or as part of an attack?

If that is the issue, I am confused why we care so much about it? The metadata in the altcoin chain refers to the BTC data, so why does it matter who put it there? It either matches the BTC data or it doesnt. If it matches, it creates a verifiable time sequence. If it doesnt match, then it would be ignored. Could you make a simple example that shows how an attacker can bypass the BTC "clock" and double spend?

Because the altcoins are not confirmed spent on the Bitcoin block chain. The altcoin chain is free to disagree with the Bitcoin block chain.

The point about relative ordering of blocks between two chains (i.e. two partitions) is relevant to why it is impossible to enforce that the altcoin chain must follow the Bitcoin block chain's consensus. If you think out how you would attempt to specify a protocol for the altcoin chain so that it must obey the Bitcoin consensus, you will soon realize that it is impossible because no external truth exists in a block chain.

I dont think using bitcoin as the reference clock violates the CAP theorem as it defines the bitcoin data as definitive source of data, so Consistency is achieved, along with availability. [I dont want to get into whether bitcoin itself has done this or that with byzantine whatchamacallits]

Maybe to solve the Partition part, the metadata for the altcoin metadata needs to get back into the BTC chain. We are talking about a slow process, but even if it takes a day for all the back and forth, it seems that it isnt impossible. I just dont understand what exactly is needed.

Maybe it is like spontaneous creation of life from inert chemicals which is (nearly) impossible [please it is just an example, dont want to get into any creation/evolution debate either!], but once it is there, it is hard to stop it from replication. And kind of hard to deny that it exists. Since we now have bitcoin, maybe building on it allows to achieve the desired result (better altcoin security) without any violation of proven theorems by changing the problem.

James

P.S. CAP seems to vary from principle, conjecture, to theorem based on exact and precise definitions, I dont know if bitcoin is the exactly same behavior as in the proven CAP theorem, or if a bitcoin + extra is unable to change it to be beyond the confines of what is proven. I dont like to fight against math proofs, but if there is any level of abstraction in the proof then it is usually possible to "work around" it by transforming the problem to a different problem that isnt proven impossible. Since I am not trying to disprove the CAP theorem, but rather create a cross chain security mechanism that isnt covered by the CAP theorem proper

Sorry but you will need to read and understand deeply the threads I linked to. We've analyzed this already and it is an inviolable mathematical structure.

[YarkoL]

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

Check this out
https://bitcointalk.org/index.php?topic=897493.0

[TPTB_need_war]

Lighting Networks will be the next technobabble lie that I need to slaughter:

https://www.coingecko.com/buzz/eric-lombrozo-7-use-cases-lightning-network

Most of that is bullshit. I will endeavor to explain why in the future...essentially LN is centralization thus another sham with similar failure modes...

[hv_]

I'm with spartacusrex.  The ultimate test is for someone to pull of one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users.  Until this test is completed, I'm going to assume that POS and other variations (DPOS) is sufficiently secure.  

Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low.  So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.

I'd expect this happening only if there IS already multi billion business available to attack.... as usually always too late.    

My hope is - and thanks to TPTB - that here is platform to elaborate on this issues in public, cause that's the risk managament we all can afford.

Why multi-billion and not multi-million?  These chains are already valued in the multi-millions.  Also, some of these attacks are free or nearly free, so why not just go ahead and do it (unless of course it can't be done, which I suspect). 

Again, until someone demonstrates that these attacks are possible and can cause significant f, then POS is deemed sufficiently secure. 

Hope you did not apply for some op-risk position at any reasonable company with that sentence above.

Still waiting.................

I'll be waiting to everybody playing with own money or  otherones just read & understand page 9 of

http://www.dtcc.com/~/media/Files/Downloads/WhitePapers/Beyond_the_Horizon_White_Paper_Systemic_Risk.ashx

and my strongest wish is that those parts there will be adjusted esp for investments into crypto ccys ASAP.
Hereunder should go as well all elaborated stuff from this thread and much more,otherwise I fear that crypto ccy will never reach next level of investments and stay nichy by burning small people money that just have NO clue about proper risk management.

[monsterer]

This makes them impossible to attack but it also makes them a sham. They're just centralized systems implemented in an inefficient way that gives the appearance of decentralization.

I couldn't agree more with that statement - a lot of people are being deceived with PoS, which is a great shame.

[TPTB_need_war]

This makes them impossible to attack but it also makes them a sham. They're just centralized systems implemented in an inefficient way that gives the appearance of decentralization.

I couldn't agree more with that statement - a lot of people are being deceived with PoS, which is a great shame.

ftfy

Well you don't need to find historical keys (in order to rewrite the history of PoS block chains), when you can make them for nearly 0 cost.

Simply buy and sell on an exchange, and your cost will only be the spread.

Then short the coin, and start attacking.

Obviously this doesn't apply to illiquid meaningless microfloat altcoins. We are talking about whether PoS is viable for a mainstream decentralized coin. Not.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

If we don't have decentralization, then the entire plot has been lost.

Do you need an example? Here you go (remember the Chinese mining cartel allegedly controls 65% of the Bitcoin hashrate):

https://www.reddit.com/r/btc/comments/48nnaw/the_truth_comes_out_core_devs_have_convinced/

[hv_]

Here you can qualify what might happen analog, Great Monopoly


https://i.imgur.com/Vbdz4Qi.jpg

[TPTB_need_war]

otherwise I fear that crypto ccy will never reach next level of investments and stay nichy by burning small people money that just have NO clue about proper risk management.

I think I know what needs to be done and I think I have the knowledge and skills to do what needs to be done. But words are cheap... silence is golden...

[TPTB_need_war]

Back to partitions, I've read about sharding today, the post was written by Vitalik and it describes exactly what is being implemented. It said clearly that if a call from one transaction group is made to another transaction group it would produce "out of range" exception. Its not clear to me why you even discuss the possibility of such calls that would be executed.

Review the upthread discussion of the impossibility of sharding the gas.

Why do I have to repeat myself? You claim to be a programmer of 10 years. You can't remember what you read 2 pages ago in the thread 

The second thing I did I watched an interview with Vitalik where he said that in Ethereum 2.0 they are thinking about getting away from every node executing every transaction. In a paper you quoted before exactly such solution is described with double decker blockchain where one layer is used to simply store the state. This seems to be the exact solution they are going to adopt.

I will repeat again for the 10th time in this thread. Every validator must be able to validate the entire history of the lineage of transactions for the shard that validator is responsible for. Otherwise that validator can't be sure it is not going to lose its funds (i.e. electricity for PoW or deposit for the proposed consensus-by-betting) because it approved an invalid transaction due to some lie in the history as trusted but not validated. Combine this with the impossibility of sharding the gas as explained already to you. The white paper you referred to is for a crypto currency, thus there is no gas (from other shard) that must be atomic with the execution of the sharded script (as was explained to you upthread!).

need_war you need to understand that there are no problems in computer science that can't be solved.

False. Make the Halting Problem decideable.

Please don't insult my superior intelligence and experience again with your (ostensibly not even freshman level) learning curve (and the inability to remember the famous Halting problem from freshman CompSci at the university).

Back to partitions, I've read about sharding today, the post was written by Vitalik and it describes exactly what is being implemented. It said clearly that if a call from one transaction group is made to another transaction group it would produce "out of range" exception. Its not clear to me why you even discuss the possibility of such calls that would be executed.

The second thing I did I watched an interview with Vitalik where he said that in Ethereum 2.0 they are thinking about getting away from every node executing every transaction. In a paper you quoted before exactly such solution is described with double decker blockchain where one layer is used to simply store the state. This seems to be the exact solution they are going to adopt.

need_war you need to understand that there are no problems in computer science that can't be solved. If particular architecture doesn't work they will change it to the one that works. The whole thing about blockchain with all the excitement around it seems to me like we say in Russia "sucked out of finger" . But that doesn't mean that Ethereum is not gonna work and that we won't be able to make money on it. Crazy youngsters like Vitalik will develop lots of shit on Ethereum just because people have nothing better to do. No point to talk further, what I studied so far is enough for me to start pouring money in mining farm for it.

Than they need to come over the CAP theorem - could be a bit tricky. 

'Proof' is there:

https://bitcointalk.org/index.php?topic=1319681.msg13490710#msg13490710

 

Let's talk generalities that apply to any block chain partitioning system.

As monsterer and I discussed upthread, it is possible to partition transactions (and even scripts as "transactions") as long as the partition state is not shared between partitions. Once you need to share any state between partitions (e.g. gas), then those partitions need to validate all the history of each other, otherwise the Prisoner's Dilemma is created and the Nash equilibrium is lost.

Fuserleer claimed he had developed a more granular data structure (not precisely a block chain, although discussion revealed the difference from a block chain was semantic illusion) wherein he can isolate only those histories that are dependent and thus I presume more efficiently merge partitions by validating only the relevant history for the state that is being moved cross-partition. That is one way to go that is different than the design I am contemplating (assuming I have described his design correctly since he hasn't revealed the details). Fuserleer's design would I presume in theory allow to partition validation and only validate what you need to when you need to, but there are several issues I can expect:

• The miner/validator may not have the financial incentive to include transactions which have a high validation burden.
• The economic problem of validation centralizing over time remains, thus it seems the attempt to keep them decentralized by using partitioning is pointless.
• The unbounded amount of delayed validation work has implications similar to delays seen when garbage collection locks up your browser for 5 minutes.

I had also pointed out upthread a more high-level reason that scripts can't be assumed to have isolated state due to uncontrollable externalities, but even if someone argues I am incorrect on that point, it is unarguable the gas can't be sharded (again even if we apply Fuserleer's unreleased design, it will economically centralize).

[TPTB_need_war]

I have some posts at Reddit that are relevant to this topic:

https://www.reddit.com/r/btc/comments/49a14r/how_the_heck_are_actual_bitcoin_users_who_want_a/

[TPTB_need_war]

Added this to the Proof-of-stake flaws on the first page of this thread:

Bitshares instant transactions aren't reliable, because there is only one designated confirmation node for each block period, so the performance of blocks can vary.

Poor performers get voted out, and are no longer permitted to form blocks. Only historically reliable block producers are allowed to mine.

Then it is not decentralized, permissionless. A permissionless system should be able to scale while still permitting slower nodes. In short, yeah you can guarantee anything with total control, but you also insure a power vacuum which is winner-take-all. It is an Iron Law of Political Economics.

But even your reply is technically ignorant, because the point I was making is that no one can guarantee that a node performs well 100% of the time. Nothing on the internet is perfectly reliable. The fault tolerance must be built into the system by allowing many nodes to confirm transactions simultaneously, not a synchronous queue as is Proof-of-Stake's idiotic design.