[ANN][XEL] Elastic Project - The Decentralized Supercomputer

[Videodrome]

You guys deserve my respect.

I won't say why, but now I do respect your honesty.

Thanks.

These people are really honest.

I have asked for a refound (when there was the procedure) and they refound my BTC after few hours.

I'm not yet involved here but i hope this ambicious project will have a great future.

[xxxgoodgirls]

When will be the free distribution begins?

There's no free distribution, although you can participate to the crownfunding http://www.elastic.pro/crowdsale

[lopalcar]

First of all, the idea is very interesting and I will look closely "planing to throw a portion of BTC with a friend"

You have asked some excellent questions and I am partway through draughting a reply.  Please bear with me.

Thanks! great to know, will wait for that reply

[poornamelessme]

or who has access to the funds (which I still don't know exactly). I'll assume it's you and EK, but I thought I read somewhere another 3rd party would be involved.

I do not have, nor do I want to have, access to any funds. All I have is the signing key which is required to cosign Lannister's transactions. You also got that key now (PM). That doesn't mean that either of us has access to any funds, it just means that either of us is entitled to give the green light on Lannister's transactions spending funds from Elastic's wallet.

Yeah, saw that. Although I'm probably not the guy to get that key, as I'm not even currently invested in the project. When I asked who that 3rd party was, it didn't mean I wanted to be that 3rd party. Since lannister doesn't plan to publicly list what the funds are for, I'd never provide the key to him in the first place.

[Evil-Knievel]

Yeah, saw that. Although I'm probably not the guy to get that key, as I'm not even currently invested in the project. When I asked who that 3rd party was, it didn't mean I wanted to be that 3rd party. Since lannister doesn't plan to publicly list what the funds are for, I'd never provide the key to him in the first place.

I think the process is something like this:

Lannister creates a transaction spending a certain amount of funds from the multisig wallet. He creates a transaction, signs it with 1 of 2 required keys and gives the partially signed transaction to the community (or a subset of it). He explains what these funds are needed for. When someone who has the key agrees with it, then this someone signs the raw transaction with the second missing key and pushes it to the Bitcoin network. While there is no public ledger available, it is still known (to the community or again a subset of it) what these funds were needed for.

I am not the one to judge whether this scheme is the ideal solution or not and I am not the one to decide.
But I think that some sort of ticket system (or communication system) for the developers would be a first step towards more organization.

[Evil-Knievel]

What I have done this weekend: I have started implementing NXT's proof-of-stake scheme in conjunction with Cryptonite's mini-blockchain approach.
Seems to be working fine on the first sight. I will perform some test regarding how robust this scheme is during block reorganizations and especially during a "secret chain attack" (as Cryptonite calls it in their whitepaper).

I will try to summarize all my discoveries by tomorrow, and post them for public discussion.

[poornamelessme]

 He explains what these funds are needed for.

That method could work, but when I asked Lannister about posting details or providing a ledger on expenses, he replied with:

But there will be no detailed break-down of how the donated funds will be spent.

It doesn't have to be a super specific ledger, but the way he worded his response seemed like no information at all would be provided.

[xxxgoodgirls]

Yeah, saw that. Although I'm probably not the guy to get that key, as I'm not even currently invested in the project. When I asked who that 3rd party was, it didn't mean I wanted to be that 3rd party. Since lannister doesn't plan to publicly list what the funds are for, I'd never provide the key to him in the first place.

I think the process is something like this:

Lannister creates a transaction spending a certain amount of funds from the multisig wallet. He creates a transaction, signs it with 1 of 2 required keys and gives the partially signed transaction to the community (or a subset of it). He explains what these funds are needed for. When someone who has the key agrees with it, then this someone signs the raw transaction with the second missing key and pushes it to the Bitcoin network. While there is no public ledger available, it is still known (to the community or again a subset of it) what these funds were needed for.

I am not the one to judge whether this scheme is the ideal solution or not and I am not the one to decide.
But I think that some sort of ticket system (or communication system) for the developers would be a first step towards more organization.

It is a nice way of handling it in my opinion, although wouldn't it better to make it require more than just 2 signs?

[poornamelessme]

It is a nice way of handling it in my opinion, although wouldn't it better to make it require more than just 2 signs?

It would be better if it required 3 or more signs (although, again, I don't want to be the person with the 3rd key).

As it is, the 3rd key is just useful in case EK vanished for some odd reason (not that I think he'd vanish). Or if I was a maniac, and tried to get Lannister to release the funds somewhere where they shouldn't go.

[jaynipal]

How do I take part and what BTC wallets are accepted ??

[Evil-Knievel]

How do I take part and what BTC wallets are accepted ??

Any wallet where you can extract the private key for the address which you send the BTC from is fine.
If you are unsure what to do, the safest thing you can do is download Electrum, transfer your BTC to one of your new Electrum addresses and then, from there, send it to the Elastic project.
Using the right-mouse menu in the addresses list you can then extract the private key for the address you have used. Keep it somewhere safe and never lose it.

[Dazza]

First, I'd like to apologise to the community for not contributing nearly as much to the discussion this weekend as I intended to.  Unfortunately I have had a migraine headache brought on by the intensity of my thinking about this project.  (Guys, I am physically suffering on your behalf.)  I spent much of Saturday lying in a darkened room.  Today, Sunday, I decided to take the afternoon off to go for a good long walk to help clear my head.  I also accepted an invitation to dinner this evening.  There is still only so long that I can stare at a monitor at a time before I have to retire.

For what I see in the withepaper, the arbitrary works won't be for secure the blockchain, but for reward the workers "aka miners".

That is correct

If this is the only purpose of this coin, won't be maybe better include this feature in a coin which already has some value?

First that is not the only purpose of the coin, at least in so far as I conceive of it.  I want this coin to be the best, most useful coin for general purpose trading that it can be.  To that end, I have consistently advocated low to zero transaction costs, and built-in escrow.  The latter, of course, is also necessary for the mining function - the workers will need some assurance that they will get paid for their work, while buyers will need some assurance that they won't end up paying miners who don't do the work, or produce incorrect results.

Why not an established coin?  The reasons for that are partly historical.  The project was founded by someone calling himself "Lionel Keys".  A brief googling on that name turned up nothing beyond this project, so I assume it was a pseudonym.  Lionel expressed great confidence in his original plan, which included the use of arbitrary work to secure the blockchain, and started the crowdfunding on that basis.  My judgement was that his entire plan was a shambles.  Despite Lionel's claims to have security proofs, which he never showed us, I found several vulnerabilities in his scheme, the most serious of which (the infamous Faster Algorithm Attack) rendered it unworkable  Lionel ended up transferring the project to Evil Knieval and ceased his involvement in it at that time or shortly afterwards.  It is unclear to me whether Lionel was an out-and-out scammer who never had any intention of delivering his coin, or if he intended to, and believed that he could.  If he did believe that, then he was wrong.

When EK took over, he made the decision, against my advice, to continue the crowdfunding under the same terms  before he had had time to sort out website and whitepaper, while allowing only a very short period for people to withdraw their contribution.  Thus, under his tenure, crowdfunding continued on a website which was still largely promoting Lionel's plan, which we knew at the time was unworkable.  We were openly discussing what we could and couldn't do in the threads here, so an attentive reader would know what he could and couldn't expect, but many people aren't that attentive.

Consequently it is in my view, our moral responsibility to adhere as closely to Lionel's original plan as is feasible, while recognizing (and being open about the fact) that many aspects of it are not feasable, and some things not even possible.  That plan called for the creation of a new coin.

There are also good non-historical reasons why we need a new coin.  First, we are going to be attaching an awful lot of data to our blockchain.  I think, if we went up to some other coin and said "Hey guys, we've got this great new project we want to build around your coin, which is going to increase the size of your blockchain by a factor of a thousand or more.  By the way, we don't even know for certain whether this project will work, though we are very hopeful", we might meet with some resistance from their current users and devs.

Second, a new coin allows us more freedom to choose the core features of the coin.  Currently consensus appears to be coalescing around Proof-of-Stake and Mini-Blockchain.  I know of no established coin with this particular combination.  Do you?

Third, when considering what features we need to add to our coin, in order to allow the market infrastructure to work, there will be no other devs or users with competing interests who might object.

Will this feature can be added to any other coin with same codebase?

The project is open source.  It will be open to the devs of other projects to incorporate our ideas, and even our code into their coins.  Whether they do or not will be a matter for them.

In the other hand, I don't have almost any clue on how the checking of the processed pieces of work will be done, how will you know if the result is correct if no one before computed it? 

Section 2.4 of the whitepaper purports to explain how we will do this.  I say "purports to" because it is still vulnerable to a devastating attack which I have yet to explain in detail to the community.  I had intended to do so this weekend.  I will try to do so this week, headaches, and real-world commitments permitting.

I have yet to persuade my fellow devs that the Section 2.4 scheme is not just broken, but irreparably so.  I'm not happy about that, as it was substantially my idea in the first place.  I have some ideas amounting to a completely different approach as to how we will be able to provide buyers with some assurance that their results are correct, which I will articulate in due course.  They are quite low tech, and not without their own security risks, but those risks are well-understood.  I don't believe less-than-bulletproof verifiability will be a project-killer, after all, centralised commercial cloud-computing provides no verifiability at all, yet it flourishes.

The target of this "coin" will be mainly build the toolkit for allow scientists or other in need of computing power recruit the necessary resources? I mean, the problem I mentioned above will need to be solved by the coders using the toolkit you provide or this toolkit will already have an easy to implement mechanism for check the validity of the processed tasks?

We will need at the very least to produce a software development toolkit, a miner's package, and a wallet.  If my ideas are accepted, then they will work together to provide several mechanisms to allow buyers to give themselves some assurance that they won't be paying for incorrect results, while simultaneously allowing workers to give themselves a similar assurance that they will get paid for producing correct results.

And... I understand that the reward to the miners comes from the one in need of computing power, "he need X flops and will pay Y coins for each flop" so he subbmit the required ammount of coins and the network distribute it among participants, right? Ant the transactions fees goes to "POS" miners or to the "workers computing the workunits"?

It's more likely that it will be "Y flops for each coin".  But it won't be flops as such.  We hope eventually to implement this on a wide range of hardware, so we will need a custom metric which will approximate to the average effort expended by the various processors, or at least the processors capable of running that particular program. Obviously if a program contains CUDA commands then it can't be run by a CPU-only miner.  And the system should ensure that no miner receives a job his hardware is incapable of or unsuited to.

Section 2.4 of the whitepaper does in fact describe a custom metric, namely the buffer B which is filled at a constant rate.  I think this idea is still workable, indeed improvable, so long as we do not rely on it in the form given in the paper to provide verifiability.

I hereby propose that the unit for the custorm metric be called "the computron".

Anyways, I still don't know how you will manage to split in little portions any kind of work "nice if you found a way " but for what I read, even boinc, folding@home or any other project work with redundant workunits which are computed several times from different members and then results are checked, right? so... did you found the way to achieve this?

Well, boinc is an infrastructure, as is our project, which allows for a range of programs to be run.  I don't know much about it, what its limitations are, etc., nor do I know much about folding@home.  I am very familiar with GIMPS.  Some of their jobs take weeks, months, or even years to complete, though the latter are not handed out routinely.

The idea that we can prove program execution correct or provide any kind of security by running it in 10ms segments at a time is dead-in-the-water, and I see no point in not just running it from beginning to end, or until funds run out.  Nor do I see any reason to impose arbitrary limits upon the duration of a run.  If both buyer and worker are willing, and if the buyer has sufficient ELC, then I don't see why programs lasting days, weeks, or even years, shouldn't be run.  On the other hand, it should also be possible for a worker to generate a save file, and return that to the buyer.

PD: Didn't followed the history of this coin, so maybe this things has already been addressed

Much of the above has been said before, but it's scattered across multiple posts in several different threads.  It's good to get it all down in one place.  Perhaps Lannister would consider adapting this post into a technical Q&A on the website.

[Evil-Knievel]

Just a small update from me:

Those are the parameters (inspired by the NXT PoS scheme) that I have been using when implementing the PoS mini-blockchain.

The target block generation time is 60 seconds.
Let Bavg be the average block generation time over the last 3 blocks, and Tlast the last block's base target.
Then, the current Block's base target value is

Tcurr = Tlast * min(Bavg, 67)/60

if Bavg was longer than 60 seconds, and

Tcurr = Tlast - Tlast * (3/5) * max(Bavg, 53)/60

else.

Now, each PoS miner determines his personal target value which depends on his effective balance he has at the time the block is forged.
Assume user u has the effective balance Bu and Boverdue denotes the time that has passed since the very last block has been found, then his personal target value is Tu = Tcurr * Boverdue * Bu.

The user signs the block with his private key. The signature must be normalized and deterministic to avoid turning the PoS into a PoW by resigning the transaction with different r-values (i.e., the degree of freedom in form of a random number in regular signature schemes) over and over again until the PoS hash of the block meets the target value requirement. The PoS hash, to mention it, is different from the real hash of the block. The real hash takes the entire block into account, while the timestamp as well as the transactions themselves are also not accounted when creating the so-called PoS hash. In fact, for practical reasons, the hash of the previous block + the PoS signature is enough here I think. This is again to avoid turning the PoS to a pure PoW by varying the timestamp, rearranging, creating additional or leaving out present transactions, etc. to try out many different blocks until one eventually meets the target requirement.

I have been thinking if we really need the PoS signature at all, or whether it might be enough to just include the public key of the user that stakes the current block. This, however, might allow one entity to solve PoS blocks for all other accounts that have a positive balance. This again opens up the system for certain attacks, where the network's staking power can be drastically increased and decreased quickly by only one attacker allowing him for messing around with the base target values. I suggest sticking with the PoS signatures as described above.

The PoS hash must be below the user's personal target value Tu. If so, he found a block. A higher target value basically means a higher probability of finding a block.

This scheme is adjusting the target value per block. I have performed some first tests and have been staking for a day: the average block time converges towards 60 seconds. I am posting it for public review, in case I have missed something.


While I will reply in more detail soon, let me say this for now:

I hereby propose that the unit for the custorm metric be called "the computron".

I love the computron .

[Dazza]

For your interest,

I will upload the base client along with an automatic "2 node" testnet setup script for simple and quick testing by wednesday.
You will be able to easily (at the click of a button, or rather, by typing one bash command) create a working testnet that consists of 2 connected nodes which both keep solving PoS blocks. Using a simple command line interface, you are also able to send around ELC and see the mini-blockchain in action.

In a next step, we can then take this as the basis and work on finishing and integrating the "verifiable computation" logic.

The "ELC" we will be able to send around, won't be the real ELC, it will be Monopoly money. won't it?  Otherwise people who haven't taken part in the crowdsource won't have any ELC to send around.

If so, can we make it really clear that this is toy money, that we'll give some to anyone who asks, to let they play with it, and that the real blockchain won't be launched until later.

[Evil-Knievel]

The "ELC" we will be able to send around, won't be the real ELC, it will be Monopoly money. won't it?  Otherwise people who haven't taken part in the crowdsource won't have any ELC to send around.

If so, can we make it really clear that this is toy money, that we'll give some to anyone who asks, to let they play with it, and that the real blockchain won't be launched until later.

You are absolutely right. Let's call them "TELC" (Toy ELC) or something to avoid confusion. Also, the version will only run with the testnet flag set.
I have by the way fixed a few things in my explanation one post above yours. I have originally missed the difference between PoS hashes and regular hashes of a block.

[Dazza]

The user signs the block with his private key.

My understanding is that each account will have a public key.  Any given user will generally have several accounts.

The signature must be normalized and deterministic to avoid turning the PoS into a PoW by resigning the transaction with different r-values (i.e., the degree of freedom in form of a random number in regular signature schemes) over and over again until the block meets the target value requirement. The timestamp itself is also not accounted in this scheme, to avoid turning the PoS to a PoW by varying the timestamp.

I have been thinking if we really need the PoS signature at all, or whether it might be enough to just include the public key of the user that stakes the current block. This, however, might allow one entity to solve PoS blocks for all other accounts that have a positive balance. This again opens up the system for certain attacks, where the network's staking power can be drastically increased and decreased quickly by only one attacker allowing him for messing around with the base target values. I suggest sticking with the PoS signatures as described above.

I think signatures are mandatory for just this reason.

The hash of the block (here, we use the PoS hash not the real hash, this does not account a few parts of the entire block such as the timestamp or the transactions as well as their merkle hashes)

If it does not include the transactions or their Merkle hash, how are these to be validated?

If it does include one of these things, what is to stop an PoS miner from manipulating transaction or other data in the Merkle tree to turn this into PoW?

My feeling is that there is no way to avoid this scheme turning into PoW, albeit giving stakeholders an advantage proportionate to their stake.  Effectively this will be hybrid PoW/PoS.

I will post a followup explaining my own idea for a pure PoS scheme.

I hereby propose that the unit for the custorm metric be called "the computron".

I love the computron .

All hail the computron.

[Dazza]

You are absolutely right. Let's call them "TELC" (Toy ELC) or something to avoid confusion. Also, the version will only run with the testnet flag set.

Can we also make sure that any wallet or other software we release that uses the toy blockchain has big flashing lights to remind the user that the money isn't real.

I have by the way fixed a few things in my explanation one post above yours. I have originally missed the difference between PoS hashes and regular hashes of a block.

I'll have a look to see if the points raised in my previous post have been addressed.

[Dazza]

I'll have a look to see if the points raised in my previous post have been addressed.

I think I responded to the most up-to-date version, though I missed your explanation for why you omitted those values.  You are quite correct that the entire merkle tree can be treated as one giant nonce. This is a problem that I have been thinking about from the very earliest versions of the Lionel whitepaper.  But if we don't include these values into the PoS hash, what is to stop someone promulgating a completely different merkel tree and claiming that these are the true data?

[Evil-Knievel]

If it does not include the transactions or their Merkle hash, how are these to be validated?

If it does include one of these things, what is to stop an PoS miner from manipulating transaction or other data in the Merkle tree to turn this into PoW?

My feeling is that there is no way to avoid this scheme turning into PoW, albeit giving stakeholders an advantage proportionate to their stake.  Effectively this will be hybrid PoW/PoS.

I think if we use two signatures:

- the full signature for the integrity of the block
- and the PoS signature which is only there to check if the user was allowed to forge the block

it should be fine. I am sorry if I did not make it clear enough that we use both hashes signatures simultaneously.
I hope my feeling is not misleading me, but I am pretty sure that we can avoid any PoW on the PoS function this way and still having the maximum security and integrity of the blockchain.

[Dazza]

I will post a followup explaining my own idea for a pure PoS scheme.

I'm in the possibly advantageous position of knowing that PoS is a respectable way to secure a blockchain, but not actually knowing how anyone does it.  Therefore I'm starting with a blank mental slate, but approaching it from a mindset that says "how can I make this work?" rather than "can this be made to work?"

My idea is that, instead of having the PoS miners compete to find a hash that meets a particular target, said target being easier for large stakeholders than for smaller ones, why not just award the block to the PoS miner with the largest stake value?  Of course, the "stake value" cannot just be the account balance, otherwise the same account would win block after block after block, until spent or until another account achieved a higher value.  Moreover the winning miner could prevent that from happening simply by refusing to include in his blocks any transaction that would put a competing account over the value of his own.

I propose that "stake value" of an account be the time integral of the account balance since the last time that account won a PoS block, or the from the time of its creation, if it never has.  In addition to keeping track of an account's balance, therefore, we would also have to keep track of it's stake value.  We would not have to recalculate it every block, instead we could just record the block number when it was last recalculated, and recalculate every time the balance changes.

In order to generate one block per minute, quite regularly, I propose the following process.

At time x minutes and 00 seconds, each node will have (tentatively) chosen the previous block winner.  Let's assume for the sake of arguement that every node has chosen the same block.  This would be the situation after the first genesis block.

The next 40 seconds I call the refectory period.  No blocks timestamped during this period will ever be accepted by any node.  (Also no node will judge any block the winner, if it receives that block before its timestamp, though it might accept if it is otherwise acceptable, just in case the rest of the network decides to choose it anyway, which they might, if they receive it later.  A node could accept multiple competing blocks)

The next 20 seconds is the bidding period.  During this period, any account holder may generate and sign a block, (or start distributing a block generated earlier, though there will be no advantage in doing this).  Other nodes will accept it if its stake value is greater than any other block already received.  They may also accept it if it is lower, but it is still high enough that the node believes that it might win the global contest anyway. (It can never win the local contest because it doesn't have the greatest stake value known to the node.)  Nodes may also choose to reject (i.e. delete from memory) previously accepted blocks which it judges to no longer have a chance to win the contest.  However, nodes will only ever attempt to distribute the highest scoring block they know about.

At the end of the bidding period, each node chooses the winner.  Most likely every node will have chosen the same block, the one which globally has the highest stake value, and the next refectory period can begin like the last, only this time, that account will have a stake value of zero.  Sometimes the highest value block may not have reached every node, and on rare occasions, for example if the highest stake-value block was released close to the end of bidding, another block might be judged the winner on the majority of nodes, Call this block the global winner.

After another refectory period, the next round of bidding begins.  Each node submitting a block will chain it from what it thinks the winner of the last round was, but each accepting node will accept high scoring blocks from the other last round contestants.  The next block winner (as judged by each node) will be the highest scoring block across all the competing chains.

Because most submitted blocks will extend the chain of the previous global winner, it is likely that the next global winner will extend that chain.  Over time, the side chains will be extended by fewer and fewer blocks until no node considers them to be a winner, at which point they die.

Because this system doesn't care what the hash value is, there is no way to turn it into PoW.  It is pure PoS.  Thoughts?  Comments?  Criticisms?