DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?)

[iamnotback]

And I found recently CIYAM speaking about a new 'proof-of-storage' here where I wonder if you could force now the miners also to have the entire blockchain stored locally for real:

https://bitcointalk.org/index.php?topic=1323657.msg15091671#msg15091671

In the post you linked, CIYAM apparently hadn't yet realized the insoluble Sybil attack problem for decentralized file storage, which I had originally pointed out in 2013, reiterated months ago, and reiterated again this week:

No decentralized storage can solve the Sybil attack on storage where many nodes are sharing the same storage, but collecting payments or otherwise deceiving the claimed redundancy as if they have multiple copies of the storage.

It is a fundamental weakness that can not be fixed. Decentralized storage can not work. Period. End of story.

Latency is not reliable enough to be used as an indicator.

I hope I don't have to repeat that again.

AnonyMint's very first attempt at a better consensus algorithm was proof-of-diskspace in 2013.

[hv_]

And I found recently CIYAM speaking about a new 'proof-of-storage' here where I wonder if you could force now the miners also to have the entire blockchain stored locally for real:

https://bitcointalk.org/index.php?topic=1323657.msg15091671#msg15091671

In the post you linked, CIYAM apparently hadn't yet realized the insoluble Sybil attack problem for decentralized file storage, which I had originally pointed out in 2013, reiterated months ago, and reiterated again this week:

No decentralized storage can solve the Sybil attack on storage where many nodes are sharing the same storage, but collecting payments or otherwise deceiving the claimed redundancy as if they have multiple copies of the storage.

It is a fundamental weakness that can not be fixed. Decentralized storage can not work. Period. End of story.

Latency is not reliable enough to be used as an indicator.

I hope I don't have to repeat that again.

AnonyMint's very first attempt at a better consensus algorithm was proof-of-diskspace in 2013.

Was not aware of that - tnx.

[iamnotback]

Steemit's PoW has a novel idea to incorporate signing into the PoW for the public key that will receive the coinbase block reward, so as to force the miner to have real-time access to the private key for each nonce attempted.

Daniel Larimer/Bitshares et. al claim some benefits which are explained at the following references:

https://steem.io/documentation/consensus/#mining-algorithm
https://steem.io/SteemWhitePaper.pdf#page=23

This is perhaps the first technical idea I've seen from the Dan Larimer group that I must frankly state is very good and I will likely adopt it for my own project. However, I would structure it differently to avoid the security caveats they noted. I would have the miner sign the hash(H, nonce), the use that as input to the PoW, e.g. PoW = hash(H,nonce,SIGN(hash(H, nonce))).

They think one of the benefits is that it will encourage the development of an ASIC which can perform faster elliptic curve signing and validation, and I presume this is so that they hope to be able to validate more transactions per second with more efficient hardware. But I don't claim that is a realistic expectation for a benefit, because well I expect to popularize unprofitable mining and thus the end of ASICs for mining forever.

The benefits I think are realistic are no botnets and no pools. Excellent. I had already eliminated farming out mining with another method (farming out can't be resistant to DDoS), and this idea from Dan's group completes attributes I'd like mining to have.

So for the first time, I need to tip my hat to Dan and kudos.

I remembered I had read something about non-outsourceable PoW in the past (perhaps also on Vitalik's blog) but I remember it has being more complex and unworkable so someone helped me find these old resources which I also remember having seen before and there is proof because I posted there (first one well before any possible sighting on Vitalik's Ethereum blog):

https://bitcointalk.org/index.php?topic=309073.20
https://bitslog.wordpress.com/2014/06/19/theoretical-and-practical-nonoutsourceable-puzzles/

The first one from Andrew Miller makes the valid point that if you kill all pools, then you force consolidation (centralization) of mining hashrate into to mining farms in order to control variance costs. But luckily that is an inapplicable issue in my plans for unprofitable mining.

The second links to a proposal I don't remember seeing before which is more similar to the one proposed for STEEM, which Andrew Miller also commented on:

http://hackingdistributed.com/2014/06/18/how-to-disincentivize-large-bitcoin-mining-pools/

And under the §Related Work, it links to:

http://hackingdistributed.com/2014/06/13/time-for-a-hard-bitcoin-fork/#comment-1435809647

That links to:

https://bitcointalk.org/index.php?topic=652443.0

Which appears to be exactly the same as the improvement I have suggested in the quoted post above.

[Piston Honda]

wbb has the answer

coming soon

[natall.com]

I have some ideas for this. I doubt it is possible to have a single big decentealised cryptocurrency but with many different cryptocurrencies decentralisation is possible(if one get killed the others will survive).

I do not view "unprofitable proof of work" as a viable solution, if it is unprofitable to mine the coin it will just ve easier for a government to kill it. You can decrease the performance gap between CPU:s, GPU:s and ASIC but you cannot eliminate it.

My idea is to use the masternode system where the block reward decreases exponentially with the number of masternodes, with that system there will be a incentive for a person/group not to own too many masternodes.

Another idea i have is to having fixed nodes controlling the network(999 nodes with one votes each), than the currency will be controlled by elite, you may not like it but maybe it is the only viable solution.

[GreenBits]

We were doing good before asics were made. We could do alot by looking at algos that allow more of the public to participate in mining on common devices, instead of requiring dedicated equipment that makes mining more a business endeavor than a casual pursuit at this point.

[hund]

Solution is already built in:
https://bitcointalk.org/index.php?topic=1536282.0

The solution is: dump to double digits because it's centralised and wait for everyone to liquidate their industrial mining. Market cleaned out, all good.

We need to flush the miningsector! It will occure naturally.

[iamnotback]

Solution is already built in:
https://bitcointalk.org/index.php?topic=1536282.0

The solution is: dump to double digits because it's centralised and wait for everyone to liquidate their industrial mining. Market cleaned out, all good.

We need to flush the miningsector! It will occure naturally.

Lol. Flush your nonsense.

[tempestb]

So long as mining is profitable, it will centralize to the person/organization/country who has the means to profit the most from it.  Yet without profit, you will hinder adoption.

It is a challenge to prevent centralization and be able to provide consensus rapidly enough for transactions to make sense for the consumer.

It's a difficult model.  You can (likely) solve the problem in code, but the other half of it is the non-code adoption of the currency by the general public in order to make it decentralized and effectively hosted so that the ledger/currency can exist and function.  So you have to incentivize.  And thus, you create centralization.

I don't know how you solve this.  Smart people are constantly thinking about it.  TPBB has an idea that may or may not solve it.  Still, the algo solution may not solve the issue with adoption.  You have to have both if you want your currency to thrive.

[iamnotback]

Yet without profit, you will hinder adoption.

If miners-for-profit are the main adopters of a token, then you don't really have a mass adopted currency.

The main problem to solve with unprofitable mining is to prevent the centralization of validation of the block chain, to do so without introducing other game theories for profit which destroy the Nash equilibrium, and to achieve this with a design that can scale to any level of transactions per second.

In profitable mining, every miner has an economic incentive to validate the block chain, lest the miner lose the block reward (coinbase+txn fees) because other miners will not mine on an invalid block.

In unprofitable mining, there is an analogous economic incentive to validate the block chain axammonChaxaupp disttnaxaupp envaxaupp axaronobboktonShaxaupp dinyaxaupp oldaxaupp olgfaxauictuchlioFaxaupp . That is the closest hint I have ever provided as to the correct design for unprofitable mining. One of the keys to achieving that is a shared economic incentive that binds all nodes to a Nash equilibrium.

[tempestb]

I don't speak Esperanto.

Your idea of a shared economic incentive is interesting, but it has to be enough to outweigh the costs of mining or in other words, hosting the register and handling transactions.  Electricity and equipment are real costs that need to be paid for.  Unfortunately, those costs are often too high for transaction fees to be enough.  (Especially with an infant currency)   

Of course, you'll have "believers" who will host it at a loss, but those decay unless use eventually provides the financial incentive to make it worthwhile.  Depending on how bandwidth/power/instruction hungry your process is will determine what that break even point would be for someone.

Even with slavery, someone is still paying for the gold miners to mine the gold.

[CoinHoarder]

[1]

Another scenario is DDoS attack other stake holders when their turn to mine a block, then jack up your transaction fees sky high when its your turn to mine a block. Note this has many variants as follows: I do not think the following is possible in dPoS (I'm not sure about other forms of PoS), because delegates cannot change or set transaction fees by themselves. Transaction fees can only be changed by committee members which are elected by stakeholder vote. Not including a transaction because it doesn't have a certain amount in transaction fees seems silly, because the next honest delegate will do so and the honest delegate will get whatever fees are associated with the transaction. They would basically be giving up free money, putting a big red flag on their witness campaign, and it would be very likely that would get them voted out. Part of the incentive for delegates to stay honest is the future income of blocks produced in the future, although as I stated earlier... even if they are dishonest there is not much they can do other than withhold transactions from blocks (and the transaction would be included in the next block produce by an honest delegate.) The way I understand it, DPoS' main weakness is that all consensus algorithms suffer from.. a 51% attack. [1] Another scenario is DDoS attack other stake holders when their turn to mine a block, then jack up your transaction fees sky high when its your turn to mine a block. You forgot my point that the attacker can short the coin. And that delaying transactions is an attack that could cause the share price to crater. Or DDoS attack all the others and then force all transactions on to your block. This is the problem with PoS and DPOS, because the ordering of who will mine is known before the transactions are sent. That is a major flaw compared to PoW.

I didn't forget anything. All I am saying is DPoS is not susceptible to this kind of attack. You state all forms of PoS can suffer from this type of attack: "Another scenario is DDoS attack other stakeholders when their turn to mine a block, then jack up your transaction fees sky high when its your turn to mine a block". All I said was that this is not possible with DPoS because the attacker cannot change transaction fees with DPoS unless he has a majority stake. The attacker shorting the coin then doing any random attack on a cryptocurrency is a different attack vector altogether (and there is no cryptocurrency invulnerable to these types of attacks.) The attack vectors should not be commingled. Just because it can be attacked another way doesn't mean that it can be attacked in the way you stated. I could go on to explain how this attack can be performed on PoW cryptocurrencies, but I am sure you can rationalize your own scenarios. I am sure your cryptocurrency will be susceptible to this type of attack (exploit while shorting) as well, but obviously I cannot prove or disprove that at this time as you still have not released any details.

[CoinHoarder]

centralizes control according to stake, which is a finite resource

....

there is no way to distribute new coins (must distribute proportional to stake in order to be fair thus effectively no change in coin distribution)

You still are under the misconception that stake is a finite resource within PoS cryptocurrencies.

By marrying PoS and PoW it is possible:

A. Far advance warning of an cryptocurrencies' distribution/fundraising, with a clear objective and roadmap for the project and a set timeframe for the distribution/fundraising.
B. A working closed source beta, to be open-sourced after the original distribution period
C. PoW distribution (50% of the genesis stake)
Ca. Use several different mining algorithms, with each having an their own separate difficulty and the same chance to find the next block (implemented in several coins.. MyriadCoin was the first)
Cb. Use at least one algorithm per different types of mining hardware (one for Scrypt ASICs, one for SHA256 ASICs, one for CPUs, one for ATI GPUs, one for NVIDIA GPUs, etc..)
Cc. The point of this is to allow people with all types of minin hardware to participate so it is inclusive of everyone.
D. A regular IPO distribution (50% of the genesis stake)
Da. This is to allow people to participate in the initial distribution that do not want to hassle with mining equipment.
E. Launch said closed source beta into the wild after the distribution/fund-raising has occurred and switch to PoS
F. To mitigate claims of having an unfair PoS distribution to early insiders...
Fa. Have an annual block-limited PoW period that issues more coins to PoW miners.
Fb. The amount of tokens mined in the annual PoW periods should be reduced each year until eventually there is only a small amount of coins issued annually in perpetuity (aka. a tail emission).
Fc. This is intended to mimic the block reduction scheme and distribution of most PoW currencies, but with an added tail emission.

I am less certain about this, but I think that if the parameters/economics of the above are designed sufficiently then it can even thwart this gripe as well:

attacking the coin is a one-time cost of stake that sustains forever, whereas for Proof-of-Work the attacker must continue to expend resources on mining to maintain an attack

Since the attacker would have to compete during the annual PoW phases to retain control of the PoS cryptocurrency, it can no longer be considered a "one-time cost".

[CoinHoarder]

PoS usually pays dividends to stake holders (and even relays a percentage to the developers thus must register as a Money Transmitter with FinCEN) thus arguably creating investment securities under the Howey test and thus must be registered with the SEC or face possible jail time. I argue this impacts the resilience.

This might apply to most forms of PoS, but dPoS destroys transaction fees. I don't think that you can count that as having paid dividends to shareholders, as there are no transactions to each shareholder doing so. Yes, destroying transaction fees increases shareholder's percentage of the pie, but I think it is a bit of a stretch to claim it is the same as paying dividends to shareholders.

The other flaw of PoS, and especially DPOS and Dash masternodes (as pointed out by smooth et al) is you are paying yourselves via the shares from an enterprise that issued unregistered investment securities and which also requires each stakeholder to register as a money transmitter with FinCIN. I can't fathom how you convinced yourself that you are not going to jail in the future or end having to lick the boots of the SEC as Erik Voorhees did to wiggle out of jail time.

1. Again, dPoS is not paying dividends.
2. This point is conjecture from "armchair forum lawyers" (read: not lawyers). Obviously, most cryptocurrencies operate in a grey area, but to claim it is black and white like that is stretching the truth.

[iamnotback]

Electricity and equipment are real costs that need to be paid for.  Unfortunately, those costs are often too high for transaction fees to be enough.

Given the obligation of the validators to do the unprofitable proof-of-work is vacated, the remaining electricity costs approach epsilon.

CoinHoarder has written nonsense, but I will not waste my time rebuking him now. I will rebuke him in a comprehensive manner at the appropriate time in the future, although the main issue with DPoS was recently explained to him. I don't intend this to be a personal insult. I am just speaking factually. Nonsense is nonsense. Note I am not speaking to his legal point, because he knows damn well that I had a major epiphany in my legal interpretation since the time of the posts that he is quoting.

[CoinHoarder]

Electricity and equipment are real costs that need to be paid for.  Unfortunately, those costs are often too high for transaction fees to be enough.

Given the obligation of the validators to do the unprofitable proof-of-work is vacated, the remaining electricity costs approach epsilon.

CoinHoarder has written nonsense, but I will not waste my time rebuking him now. I will rebuke him in a comprehensive manner at the appropriate time in the future, although the main issue with DPoS was recently explained to him. I don't intend this to be a personal insult. I am just speaking factually. Nonsense is nonsense. Note I am not speaking to his legal point, because he knows damn well that I had a major epiphany in my legal interpretation since the time of the posts that he is quoting.

I am sure everyone can decide for themselves what is nonsense and what is not. Unlike you, I am able to convey my thoughts in an easy to understand manner without linking to walls of text and hundred page threads. I am sure most people can easily understand my objections to your arguments.

I still maintain that you are pumping your vaporware. I just retreated from that thread because you kindly asked me to.

Also, just because you posted something does not mean I am aware that you did so. I don't have time to read all of your posts. You are still linking to the post that lists your qualms with PoS as if you still maintain those qualms, so excuse me if you have changed your mind.

[iamnotback]

I don't have time to read all of your posts.

And I also don't have time to spoon feed you. You'll know at the appropriate time why you were incorrect. Until then, enjoy your beliefs.

[iamnotback]

Proof-of-Stake Isn't Trustless Because It Has No Time Objectivity.

[iamnotback]

How I Fixed Satoshi's Design

Looks like some random Bitcoin dev posting under a throwaway account:

https://www.reddit.com/r/Buttcoin/comments/4vmh35/meth_users_re_assure_each_other_that_etc_the_coin/d5zxr7s?st=irci5tcm&sh=bcbbaec2

There was a really good summary of why Casper's planned sharding is flawed.

Apparently everybody is still oblivious to my solution.

If you shard the blockchain, you've still got to verify it. You can't have shards trusting each other, as that breaks Nash equilibrium (there are game theories other than the one that guarantees the security of the long-chain rule).

But if you have every shard verify every other shard, then you don't have sharding any more.

My hypothetical solution is a statistical one (where the economic interests of all shards become intertwined) combined with eventual consistency where it is required to maintain the Nash equilibrium.

SegWit is (in one aspect but not entirely as afaik it really just centralizes proof-of-work) generally analogous to a similar conceptual idea I had thought of and dismissed, because it relies on the trust that the economically impacted parties will verify before eventual consistency is required, not on the proof that those parties did verify before it was required. The game theory gets quite complex because there are externalities such as shorting the coin. So it is possible I may have a mistake and we will find out once I publish.

Reviewing the video I had done for this thread back in February where I critiqued some aspect of Casper:

I did make one video on Ethereum when I was feeling not so energetic, so you can sort of get a feel for myself as a public speaker but note I was suffering from my illness when I made this:

http://www.coolpage.com/commentary/economic/shelby/Shelby_Ethereum_Paradox.avi (Feb 15 2016)

At the end of that rambling video, I finally got to the point. But amazingly I didn't come to the very obvious conclusion on how to fix the problem that computation on a blockchain faces. I basically stated it in the last part of that video, but I failed to connect the dots.

Now I see the solution. It was right there in front of our face all along. Why has no one seen it 

(Of course I am not going to tell you. You tell me. I want to see if anyone else can figure it out)

[iamnotback]

Blockchain-Free Cryptocurrencies: Framework for Truly Decentralised Fast Txns

https://eprint.iacr.org/2016/871

https://iohk.io/docs/research/A%20Blockchain-free%20Approach%20for%20a%20Cryptocurrency%20-%20Input%20Output%20HongKong.pdf

I am very sleepy and haven't read the paper entirely, just scanned it. So I will likely have to some errors in any analysis I do in this groggy state-of-mind.

I want to rattle off a potential list of flaws that come to mind immediately.

1. It is not plausibly scalable for every payer to receive notice of, nor validate/record the graph metrics for, every transaction in the network. Payers must rely on some supernodes, which then become fulcrums for selfish game theory strategies which likely can break collaborative Nash equilibrium assumption. For example, a supernode could lie about a double-spend, causing massive orphanage once discovered, possibly gaining profits by speculatively shorting the value of the token. Supernodes could collude to do such malfeasance, even a 51% attack. So the claim that the resistance to centralization has been entirely mitigated seems to be debatable. The paper does mention pruning (from computations) the ancestors when their fees have been consumed, but afaics this doesn't mitigate the need of verifiers to receive a broadcast of every (or large fraction of all) transaction(s).

2. There is no total order in the described system, thus any partial order DAG only exists from the perspective of those partial orders which reference it. Thus the reward for any DAG is always subject to being retaken by an entity which can apply more PoW than was originally applied. Thus the selfish-mining flaw appears to apply. A miner with 1/4 or 1/3 of the a DAG partial orders's hashrate lie in wait to allow others to waste their PoW on a DAG while building a hidden parallel DAG claiming the same rewards. Then release the hidden DAG later orphaning all those said transactions and rewards, thus increasing their share of the rewards (including minted coins) relatively speaking higher than the proportion of their hashrate would otherwise provide without the selfish mining strategy. And it appears to me to be catastrophically worse than for Satoshi's design, in that there will be multiple unmerged DAGs branches at any moment, so the attacker probably needs much less than 1/4 of the network hashrate to selfish mine any one of those coexistent DAGs branches.

The first natural but often unstated assumption is that a majority of players follow the correctness rules of the protocol.

From the analysis I did of Iota's DAG, it seems impossible to presume the majority players obey any Nash equilibrium in a blockless DAG design. It appears to be a fundamentally insoluble issue. In other words, it is not sufficient to analyze the security and convergence game theory (properties) from a holistic systemic perspective and instead per DAG branch partial order strategies arise.

3. I intuitively expect some flaw around the variable control over fees collected per unit of PoW expended, i.e. control over difficulty. But I am too sleepy to work through this part of the paper right now.

I considered a design like this last year. And I came to the conclusion that there is no way to avoid centralization employing proof-of-work incentivized by profit, regardless of any design that could possibly be contemplated.

Btw, I don't understand why that paper failed to cite the prior art of Iota's and Sergio Demian Lerner's DAGs.