Bitcoin Forum
Author Topic: MC2: A cryptocurrency based on a hybrid PoW/PoS system  (Read 194365 times)
tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 08, 2013, 10:19:01 PM
 #441

I forgot to respond to something.
Do not just ignore people who abstain. Abstaining should be equivalent to voting Nay.

You will never see a Nay vote in attack blocks. Double spenders mine in secret.

That means their blocks have missing votes, not Nay votes. To offer significant PoS protection you must treat Nay and abstain as equivalent for block validity purposes.

That's true.  I had considered this before (and had noted in the paper to be aware that this indicates a possible attack on the network), but it's probably best to just invalidate any block without a majority Yea vote.

I'll get back to your other post soon.

Code:
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
saigo
Full Member
***
Offline Offline

Activity: 126
Merit: 100



View Profile
May 08, 2013, 10:36:28 PM
 #442

Let me play devil's advocate for the moment.

Can someone give me a short list of reasons ( bullet list ), why Joe-public will use this coin rather than the already established Bitcoin ?

The list needs to be free from techno jargon, so anyone can understand it.

If such a list can be produced, and it is convincing, then this coin stands a chance of success and perhaps grab a decent share of Bitcoin's 'market'.

This is important, as such a list needs to be used aggressively in a strong marketing exercise if uptake of the coin by users and merchants is to occur. Otherwise this coin will just be another btce / Bter exchange toy, which will make some miners some BTC for a while.

Edit : and this shouldn't just be about the underlying features of the coin, think about peripheral things like the wallet, merchant / website interface etc.. What new innovations are there to pull me away from using / accepting bitcoin for my service, product, business ?

Saigō Takamori : ( 1828 – 1877) was one of the most influential samurai in Japanese history. He has been dubbed the last true samurai.
tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 08, 2013, 10:38:57 PM
 #443

Let me play devil's advocate for the moment.

Can someone give me a short list of reasons ( bullet list ), why Joe-public will use this coin rather than the already established Bitcoin ?

The list needs to be free from techno jargon, so anyone can understand it.

If such a list can be produced, and it is convincing, then this coin stands a chance of success and perhaps grab a decent share of Bitcoin's 'market'.

This is important, as such a list needs to be used aggressively in a strong marketing exercise if uptake of the coin by users and merchants is to occur. Otherwise this coin will just be another btce / Bter exchange toy, which will make some miners some BTC for a while.

Okay

Quote
- Uses a new approach to secure hashing algorithms for the hash tree of a given block that should increase FPGA/ASIC resistance
- After 27 coin years it employs a system of voting to manipulate the interest rate of the block chain (users act as the central bank and regulate the rate of inflation)
- Difficulty is based on the linear weighted average of the block times for the past 18 days for PoW blocks
- New block reward adjustment algorithm is given that yields an 8% decrease in block reward per year
- Simple PoS design (tried to strip it of as many complexities as possible)
- PoW and PoS systems are designed to happily coexist, with favour slightly given to the PoW system
- PoS system also intended to prevent 51% attacks
- Coloured coins, e.g. for rewarding projects that you create arbitrarily
- Ledger system for regular coins that allows for a lightweight version of the blockchain instead of having to download the entire blockchain

If that's too technical:
Quote
- Chain will be GPU mineable for a little while longer than Litecoin
- Difficulty is similar to Bitcoin but harder to game
- Blockchain is more secure due to the presence of a proof of stake system
- Secure confirms expected to be obtained in 6 minutes
- Double spends are very unlikely, even more so than with bitcoin because they require 51% proof of work power and 51% stake
- Support for people who want to make their own random coins within the blockchain, e.g. if you wanted to reward people based on their contribution to cancer research
- Lightweight client that is intended to max out in the hundreds of MB at most of on-disk storage

saigo
Full Member
***
Offline Offline

Activity: 126
Merit: 100



View Profile
May 08, 2013, 10:54:34 PM
 #444

I think three points there that will catch the eye of the ordinary non-uber-technical user :

Improved security
Uses less disk space
Faster payment

Now, how much more secure is it, how can this be conveyed to the user in a daily life situation ?

For marketing I'd focus on those 3 things for the main big marketing push, ( plus any other innovations say on the wallet side, see my edit in OP ) and move the others to the 'small print' where people that are really interested and capable of understanding them will find them if/when they need to

tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 08, 2013, 11:02:09 PM
 #445


As expected, the malicious stakeholder gets about 51% (0.52019) in the scenario of a 3 of 5 requirement, but in a 1 of 5 requirement, the stakeholder now has 97% control of the blockchain.  It gets worse quickly with increasing malicious stakeholder wealth with the unanimous system; at 30% we see 83% control of the chain, and at 40% we see 92% control of the chain.


I don't disagree with your calculations. In fact, they accomplish just what I want. We don't want the same things (you prefer work; I prefer stake; you think energy use is okay; I think it is a big waste).

Edit: However, I thought about it a bit more and decided it is not worth making a fuss over. Here are approximate percentages on attack resistance (this is for permanent 51% attacks, not lucky streaks from minority attackers; majority voting performs better against lucky streaks).

4 out of 7 majority voting: (99.95% work 5% stake; 99.5% work 10% stake ; 94.4% work 20% stake)
3 out of 5 majority voting: (99.90% work 5% stake; 99.1% work 10% stake ; 94.1% work 20% stake)

3 out of 3 unanimous voting: (99.985% work 5 % stake; 99.86% work 10% stake; 98.46% work 20% stake)
5 out of 5 unanimous voting: (99.99996% work 5% stake; 99.998% work 10% stake; 99.9% work 20% stake)

3 out of 5 majority voting is adequate when paired with a nonnegligible PoW block reward. I was fanatic for PoW protection because I wanted minimal energy use. I forgot about your big PoW rewards.

There is another issue I forgot, the waiting issue. To me it is no big deal, but I expect a huge fuss  from others. You should remove this weakness to avoid future problems.

You can always hoard coin-age by waiting (see numerous rants by killerstorm). To attack, you need 5% of stake-days, not 5% of stake. (e.g. so if you have x% of stake and bide your time for y voting cycles, then you can attack just like someone with xy% stake)


How about you buy most tickets with straight coins rather than coin-time? Coins are escrowed up until the tickets win or get invalidated. This approach sidesteps the waiting issue.

Sadly, it also excludes small holders from direct participation, though they could still use lottery pools, banks, etc. You have what ~ 60000 tickets. That is 160 coins a ticket if there are 10 million coins. A bit steep. To let small holders participate directly, perhaps allocate 10% of tickets based on coin-age and 90% based on straight coins. That would allow for some token grassroots participation. Honestly there will be a bulky blockchain to store. Smallholders would end up PoS mining via a banking system anyway. No point in designing a system that allows for infeasible use cases.

Question: When you purchase a ticket, could you then send the ticket key to a pool to manage for you (in exchange for a cut)? Or does transferring your ticket impose some risk? In my opinion, it would be good to attach some risk to letting other people mine for you (e.g. allow the ticket holder to steal the winnings). It would be bad to attach a huge risk to letting other people mine for you (the principal used to purchase the ticket should be safe from theft).  This strikes a balance between discouraging centralization and encouraging participation in PoS mining.

Coins are already bought with straight coins instead of coin time...  You submit the coins to the chain and then they wait for the 29 days until maturity and are issued a ticket, but being able to purchase them has nothing to do with the age of the coins used to purchase them.  The 29 day lag phase is to help prevent manipulation of the tickets, which is another attack vector on the chain (if you can manipulate the block headers over this time period and before the time of the stake submission Tx, you can effectively select who the lottery winners are and which tickets are issued).  I like that there are absolutely no coins generated for 29 days, too.  But if you wanted to eliminate the lag phase, you could also use all previous odd blocks for ticket generation and even blocks for lottery generation, or whatever.  I'm not sure it's hugely advantageous to an attacker, as the window to claim the coins is so large (91 days).

To the question, you can transfer the tickets by just sending the private key used to purchase the stake Tx somewhere.  The risk would be that it becomes stolen along the way or by the pool itself, and the pool would risk having you steal the reward, so I'm not sure a pool would form by this means (seems pretty unlikely).  Rather, a stake pool would involve you sending a little of your coins their way, them using them to buy the stake ticket, then spending it to secure the blockchain and sending back the coins back to the user with interest at a certain time.  Large enough stake pools should be able to give daily interest, similar to PoW pools.  The risks will be for the pool operators to assess, as it's likely that people will try to hack them constantly, but if you transfer the tickets to effectively shielded and quiet network nodes, they should be difficult to find.

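The two rules debated above, that a missing vote is treated as Nay and that a block needs k Yea votes out of the m tickets drawn for it, can be put into a small model. The following is an added example and is not MC2 code or anything posted in this thread; it assumes that each of a block's m tickets belongs to the attacker independently with probability equal to the attacker's stake fraction p, and computes how often an attacker mining in secret can get their own block validated or veto an honest one under each k-of-m rule. With that assumption a 1-of-5 rule and a 5-of-5 rule both hand an attacker with 30% of the stake control over about 83% of blocks, and 92% at 40% stake, the figures quoted above, while the 3-of-5 majority rule minimises the attacker's control.

```python
"""k-of-m stake voting on blocks, with abstention counted as Nay.

Added example, not MC2 code.  It models the rule discussed above: each
block is checked by m lottery tickets and is valid only with at least k
explicit Yea votes; a missing vote counts as Nay, since a block mined in
secret never collects Nay votes, only absent ones.  Assumption: each
ticket belongs to the attacker independently with probability equal to
the attacker's stake fraction p.
"""
from math import comb

YEA, NAY, ABSENT = "yea", "nay", "absent"


def block_is_valid(votes, k, m):
    """votes: the vote values collected for one block (at most m).
    Only explicit Yea votes count toward the threshold; Nay and absent
    votes are treated identically."""
    if len(votes) > m:
        raise ValueError("more votes than tickets")
    yeas = sum(1 for v in votes if v == YEA)
    return yeas >= k


def binom_tail(m, k, p):
    """P(at least k of m independent tickets belong to the attacker)."""
    if k <= 0:
        return 1.0
    return sum(comb(m, j) * p ** j * (1 - p) ** (m - j) for j in range(k, m + 1))


def attacker_control(p, k, m):
    """Probabilities that an attacker holding stake fraction p decides a
    block under a k-of-m rule, returned as (validate_own, veto_honest):
    - validate_own: the secret block gets >= k attacker tickets; honest
      holders never saw it, so their votes are absent and count as Nay;
    - veto_honest: the attacker holds > m-k tickets and votes Nay, leaving
      fewer than k Yeas for an honest block."""
    return binom_tail(m, k, p), binom_tail(m, m - k + 1, p)


def worst_case_control(p, k, m):
    """The larger of the two, i.e. the share of blocks whose fate the
    attacker can dictate one way or the other."""
    return max(attacker_control(p, k, m))


def threshold_table(p, m=5):
    """Compare every k-of-m rule for one attacker stake fraction."""
    return {k: worst_case_control(p, k, m) for k in range(1, m + 1)}


if __name__ == "__main__":
    print(block_is_valid([YEA, YEA, ABSENT, NAY, YEA], 3, 5))        # True
    print(block_is_valid([YEA, YEA, ABSENT, ABSENT, ABSENT], 3, 5))  # False
    for p in (0.3, 0.4, 0.5):
        row = ", ".join(f"{k}-of-5: {v:.3f}" for k, v in threshold_table(p).items())
        print(f"stake {p:.0%}: {row}")
```

The point a validator implementer should take from the table is that a low threshold lets a small stakeholder push secret blocks through, a unanimous threshold lets the same stakeholder veto honest blocks, and only the majority rule keeps both failure modes small; the model ignores how tickets are actually drawn and how PoW interacts with the vote, so it is a sanity check on the threshold choice, not a security proof.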
tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 08, 2013, 11:09:05 PM
 #446

I think three points there that will catch the eye of the ordinary non-uber-technical user :

Improved security
Uses less disk space
Faster payment

Now, how much more secure is it, how can this be conveyed to the user in a daily life situation ?

For marketing I'd focus on those 3 things for the main big marketing push, ( plus any other innovations say on the wallet side, see my edit in OP ) and move the others to the 'small print' where people that are really interested and capable of understanding them will find them if/when they need to

In the best case (that the majority of both proof of stake and proof of work miners are honest), it's about twice as secure I would say.  Hence, the time for a secure confirmation should be one half that of Bitcoin, in that ideal case.  If a network attacker emerges to the scene, the case in Bitcoin is that there is no secure amount of confirmations.  In the case of MC2, no blocks will go through the network (>50% PoW) or only blocks that the attacker selects will go through the network (>50% PoS).  Only in the case of >50% PoW and >50% PoS can the attacker double spend.

One of the PoS arguments is that with PoW, the government can easily attack it by getting enough hashing power.  With MC2, by this attack vector you can only temporarily stop transactions from going through, and then, if this becomes a problem, you can force PoW miners to also have some PoS when minting a block.  This is a pretty unlikely case, though.  But, in any case, it should be more secure than Bitcoin from this type of attack.  But what PoS people like to ignore is that the government can also destroy these chains just by buying a lot of it if they wanted to.  Right now, if Bitcoin were PoS the cost to destroy it would only be about $1 billion USD (actually, way less if you write an algorithm to try to buy at the VWAP and bought progressively over a couple of years).  That's not really all that much money to a major world government.

MC2 makes the assumption that it's no more likely for persons with stake to be any more honest than PoW miners.

saigo
Full Member
***
Offline Offline

Activity: 126
Merit: 100



View Profile
May 08, 2013, 11:32:39 PM
 #447

Ok, so perhaps it could be stated that MC2 is 'double the security of Bitcoin' ( that should set the forums alight Wink  )

The other point I can extract from your post is that it is more 'large organisation / government tamper resistant' ( need to rephrase that so it is a snappier line perhaps )

So,

Double the security
Faster payments
Lighter client footprint ( less disk space )
Increased resistance to attack from large powers

Great, when can I start using it  Grin

markm
Legendary
*
Offline Offline

Activity: 2198
Merit: 1002



View Profile WWW
May 08, 2013, 11:44:44 PM
 #448

Look. All I'm saying is drag the useful mining of the currency out as long as possible. Mining the coins is one of the biggest draws for new people to start participating, along with general speculation in the exchanges. The early miners should make their big bucks, not because they got in when the mining was PROFITABLE, but because they got in when mining was EASY. When mining becomes not profitable at all, or only profitable with expensive dedicated equipment, the increase in the number of people using the currency will slow, if not stop completely. You never want the flow of incoming adopters to slow. You want it to grow.

This is the beauty of BBQcoin, Tenebrix, Fairbrix, CoiLedCoin, GRouPcoin, GeistGeld and so on, the EASY coins that are NOT regarded as profitable. If they were regarded as profitable, they would be raped. Ordinary people using their CPU (BBQ, TBX, FBX) or their single GPU (p2pool bitcoin, merging the least-difficult of the merge-able coins) have been and still as of this moment continue to be able to quietly pick up a steady stream of such coins over the course of a year or more.

BBQcoin of course is no longer in that category, as it has finally moved on from that early adopter phase and started to reward its early adopters.

But the others listed are still there, still being ridiculed and ignored by Old Money, still quietly feeding the dreams of the common cryptocitizen.

Oh and by the way, GRouPcoin keeps on minting 50 coins per block forever, so there you go, your inflatacoin is already out there, already adopted by early adopters, already offering the common people lots and lots and lots of time to get in on it while it is still in the early adopter phase...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Etlase2
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000


View Profile
May 09, 2013, 01:45:22 AM
 #449

Sigh.  Undecided

Can you actually address ANY of the points that people are ACTUALLY bringing up? Strawmanning is uncool.

You're asking someone head-deep in bitcoinomics making arguments that are based around bitcoin-only definitions of inflation and deflation and relating currency to stocks/businesses etc. to make reasonable arguments. It isn't going to happen. Any coin that adopts yet-another-stupid-deflationary scheme is going to lose out to one that drops this nonsense once and for all. The scheme you're probably looking for is in my signature.

SaltySpitoon
Legendary
*
Offline Offline

Activity: 2044
Merit: 1485


Welcome to the SaltySpitoon, how Tough are ya?


View Profile
May 09, 2013, 01:54:01 AM
 #450

I'm just glad that there is actually some innovation coming out of this. I can't say I have a grudge against any coin in particular really, but I definitely do appreciate when they aren't just a 100% copy of an existing coin renamed and marketed to people who didn't get in early enough.

Also +1 for the method at which you are releasing. Going public weeks or months before the release of a client so not a small group of people getting in early. Not to mention that people can find flaws that can be fixed before it is released.

cunicula
Hero Member
*****
Offline Offline

Activity: 980
Merit: 1003



View Profile WWW
May 09, 2013, 05:07:19 AM
Last edit: May 09, 2013, 05:25:15 AM by cunicula
 #451

Coins are already bought with straight coins instead of coin time.
Right, sorry I got confused. Good choice.

In the best case (that the majority of both proof of stake and proof of work miners are honest), it's about twice as secure I would say.  Hence, the time for a secure confirmation should be one half that of Bitcoin, in that ideal case.  If a network attacker emerges to the scene, the case in Bitcoin is that there is no secure amount of confirmations.  In the case of MC2, no blocks will go through the network (>50% PoW) or only blocks that the attacker selects will go through the network (>50% PoS).  Only in the case of >50% PoW and >50% PoS can the attacker double spend.

I'm not understanding you here. You will always have 51% attacks. Attacks will involve a weighted combination of PoW and PoS that exceeds 51%.
Regardless of the resource combination used, the attacker will be able to 1) select which blocks go through the network, 2) double spend, AND 3) prevent all txns.
This is true in bitcoin. I'm near certain it will be true for your coin as well.

There's an important omission in your whitepaper. You need a single-valued function that compares proof across blockchains.
 
In Bitcoin PoW, the single-valued function is the summation of difficulty targets for each block in the blockchain. If you copy this directly, you run into trouble.

Block Proof = PoW Difficulty
Chain Proof = Summation of Block Proof

A 51% PoW attacker can patiently mine in secret. His PoS difficulty will slowly adjust downwards. Eventually, his PoS difficulty will go low enough that he is able to overtake the main chain with negligible stake. PoS becomes a sham and only PoW matters.

You are using two difficulties. PoW difficulty, PoS difficulty. You need to consider two proof relevant numbers for each block.
To do this, define a single-valued function that maps the (PoW difficulty, PoS difficulty) pair into overall block difficulty.
The two difficulties make analysis of 51% attacks complicated. Resource requirements most likely depend on attack duration. That's a bit messy, but I don't think it is a problem.

My suggested single-valued function is a geometric average.
Block Proof = (PoW Difficulty)^0.5 * (PoS Difficulty)^ 0.5
Chain Proof = Summation of Block Proof = (PoW Difficulty in Block 1)^0.5 * (PoS Difficulty in Block 1)^ 0.5 + (PoW Difficulty in Block 2)^0.5 * (PoS Difficulty in Block 2)^ 0.5 + ...

Ideally, there would be some clever function that keeps the long-run and short-run resource requirements identical. Not sure what that clever function would be. The above will probably work though.

Another option would be to ditch PoS difficulty. You could either fix the ticket price permanently and allow the number of lottery tickets issued to change over time.
Or you could just give every satoshi a ticket by default. (e.g. define an easily derived ordering of all extant satoshis in the ledger, use the PoW hash to draw a random number, map the random number to the satoshi, the satoshi owner is the lottery winner). Every new block causes the ledger to update. Ledger needs to be ordered in exactly the same way for everyone.



tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 09, 2013, 05:34:28 AM
 #452

Coins are already bought with straight coins instead of coin time.
Right, sorry I got confused.

In the best case (that the majority of both proof of stake and proof of work miners are honest), it's about twice as secure I would say.  Hence, the time for a secure confirmation should be one half that of Bitcoin, in that ideal case.  If a network attacker emerges to the scene, the case in Bitcoin is that there is no secure amount of confirmations.  In the case of MC2, no blocks will go through the network (>50% PoW) or only blocks that the attacker selects will go through the network (>50% PoS).  Only in the case of >50% PoW and >50% PoS can the attacker double spend.

I'm not understanding you here. You will always have 51% attacks. Attacks will involve a weighted combination of PoW and PoS that exceeds 51%.
Regardless of the resource combination used, the attacker will be able to 1) select which blocks go through the network, 2) double spend, AND 3) prevent all txns.
This is true in bitcoin. I'm near certain it will be true for your coin as well.

You are perhaps confused because of an omission in your whitepaper. You need a single-valued function that compares proof across blockchains.
 
In Bitcoin PoW, the single-valued function is the summation of difficulty targets for each block in the blockchain. If you copy this directly, you run into trouble.

Block Proof = PoW Difficulty
Chain Proof = Summation of Block Proof

A 51% PoW attacker can patiently mine in secret. His PoS difficulty will slowly adjust downwards. Eventually, his PoS difficulty will go low enough that he is able to overtake the main chain with negligible stake. PoS becomes a sham and only PoW matters.
I see.  You need a way to prevent such a fork from happening.  Why not just disallow reorgs for any length of valid blocks greater than five?  There should be an easy way to detect this attack and reject it from ever entering the network.  I understand that you need to have reorgs to prevent the chain from forking, but it seems like a 12 minute string of blocks seen by no one else on the network is really unlikely.

Quote
You are using two difficulties. PoW difficulty, PoS difficulty. You need to consider two proof relevant numbers for each block.
To do this, define a single-valued function that maps the (PoW difficulty, PoS difficulty) pair into overall block difficulty.
The two difficulties make analysis of 51% attacks complicated. Resource requirements most likely depend on attack duration. That's a bit messy, but I don't think it is a problem.

My suggested single-valued function is a geometric average.
Block Proof = (PoW Difficulty)^0.5 * (PoS Difficulty)^ 0.5
Chain Proof = Summation of Block Proof = (PoW Difficulty in Block 1)^0.5 * (PoS Difficulty in Block 1)^ 0.5 + (PoW Difficulty in Block 2)^0.5 * (PoS Difficulty in Block 2)^ 0.5 + ...

Ideally, there would be some clever function that keeps the long-run and short-run resource requirements identical. Not sure what that clever function would be. The above will work though.
Another option would be to fix the ticket price permanently and allow the number of lottery tickets issued to grow with inflation and shrink with txn demand.

Benefit: Attack analysis is simpler.
Cost: Not sure. Probably more blockchain space is used up by the lottery data.
Well, in order for stake difficulty to go down on the other chain you need to submit fewer stake Tx per block.  As the stake Tx go down, stake difficulty goes up (as it's a fraction of the supply needed to claim a stake submission Tx).  We can rate the trust in the block as the stake submissions * (1/stake difficulty) and select the chain based on this stake trust value too, which will likely be larger after summation among all the blocks up to where the fork emerged.  This may be untrue if few people in the network are submitting stake at the time and the malicious stakeholder has a lot.

If you fix reorgs to a certain length and incorporate the above it may be very difficult to perform a double spend, as stake difficulty only decreases once every 4.5 days.

Okay.  This behaviour can probably be simulated too, although it's a little more complicated, and I'm tired.  I'll think about it more later.

cunicula
Hero Member
*****
Offline Offline

Activity: 980
Merit: 1003



View Profile WWW
May 09, 2013, 05:53:42 AM
 #453

I see.  You need a way to prevent such a fork from happening.  Why not just disallow reorgs for any length of valid blocks greater than five?  There should be an easy way to detect this attack and reject it from ever entering the network.  I understand that you need to have reorgs to prevent the chain from forking, but it seems like a 12 minute string of blocks seen by no one else on the network is really unlikely.

What about the Sybil attack where you make so many peers that you can isolate nodes from communications temporarily? Doesn't matter what the entire network actually did. It just matters what you saw the network do. Feed some clients 5 secret sauce blocks and they are borked. Making temporary attacks like this permanent is not good.



tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 09, 2013, 06:03:52 AM
 #454

I see.  Let me sleep on it and I'll think further about it.

tacotime
Legendary
*
Offline Offline

Activity: 1484
Merit: 1000



View Profile
May 09, 2013, 03:34:17 PM
 #455

Quote
A 51% PoW attacker can patiently mine in secret. His PoS difficulty will slowly adjust downwards. Eventually, his PoS difficulty will go low enough that he is able to overtake the main chain with negligible stake. PoS becomes a sham and only PoW matters.

Okay.  Such an attack when you manipulate stake difficulty seems pretty unlikely.  The following reasons are why:
1) The stake difficulty adjusts every 4.5 days and is based on the linear weighted average of the previous four 4.5 day periods (no per-block adjustments ever occur).
2) You need to wait 29 days after submitting the ticket for it to mature before you even have the chance to spend it.

This means that an attack like this will involve mining a hidden chain for at least one month, probably closer to two depending on your hash power.

But the way to mitigate the attack is similar to what you described (I'm not sure why you described it as the square root of the difficulties?), but just assign a blockchain score of:
score = Σ_{i=1}^{n} (PoW difficulty in block i) * (PoS difficulty in block i)^-1
      = (PoW difficulty in block 1 * (PoS difficulty in block 1)^-1) + ... + (PoW difficulty in block n * (PoS difficulty in block n)^-1)
where n is the current block in the chain.  Now it should be difficult for the attacker to manipulate the chain, because his chain should have a lower score if he tried to lower either the PoW or PoS difficulty.  Again, this attack is not an easy one and requires you to mine for a long time.

Let's say an attacker has 51% PoW and 10% PoS.  The attacker can generate more PoW blocks in his chain, but he can never validate the majority of them and his cumulative difficulty score will certainly be lower than the main chain, making a double spend impossible.

Let's say an attacker has 10% PoW and 51% PoS.  The attacker can validate or invalidate any block they choose, but the attacker's likelihood of a successful double spending is very low (the same as with bitcoin with 10% of the network hash rate).

The only time you can get absolute certainty that a double spend can succeed is with 51% PoW and 51% PoS.  But you suspect there is a flaw in this logic, and now I'm really worried and losing sleep over it. X)  I will try to come up with a simulation program for this so we can play with it and see what the longest valid fork you can make is.

chrono.v (Newbie, Activity: 12, Merit: 0)
May 09, 2013, 04:55:28 PM
 #456

I said that a no cap coin could be successful. I didn't call for a massively inflationary coin. You can look at inflation in two ways. There's the overall number of currency units, and there's the number of currency units per person using the currency. As long as the number of currency units grows slower than the number of currency users, you have an increase in the overall money supply but a decrease per capita.

Here's the thing lots of people don't grasp. Excessive DEFLATION can be just as bad as excessive inflation. An economy needs the money to move around, be passed from person to person. The more this happens, the more an economy tends to grow. If your money goes up in value just from you holding it, you're less likely to spend it on something. The Great Depression in the U.S. during the '30s was a result of deflation. There wasn't enough money to go around, and so lots of people didn't have any.

And that's the crux of it. Yeah, sure, you can make a currency divisible up to x units, however many you want that to be.  And in the pure mathematical theory of it, yeah, sure, that could totally work, even on a worldwide scale. The problem you run into with that is that people are trained to view fractions of the base currency unit as being not worth much at all. Because, almost universally, they aren't. I can buy a gumball with a quarter. I'm not aware of anything I can buy with a dime, nickel, or penny.

Over the last week or however long that I've been reading and posting in this thread, I've been getting a very distinct vibe along the lines of "we're gonna get in first, and we'll be rich. And then all the other people can go screw themselves. And while they're doing that, they'll also use this currency, because it's so awesome. While they're off screwing themselves"

That sounds amazingly like what I would expect major banks to say, except about quantitative easing aka government/tax funded bailouts instead of about getting there first.

Also, and this is what really bothers me, if there's a small number of coins overall, it's a lot easier for an enthusiastic early adopter to grab a huge amount of them, and then walk in front of a bus while he congratulates himself on how awesome he is. At this stage in the game, it's fairly unlikely that anyone who knows what crypto currency is will find his wallet, so, hey, there goes 30 percent of the money supply.

The Great Depression was not caused by "not enough money" moving around. The Great Depression was seeded with the Federal Reserve's inflation policy and ignited by the policies of the New Deal. If you want to learn what really happened, read David Stockman's "The Great Deformation" and http://wiki.mises.org/wiki/Great_Depression.

Deflation encourages saving and investment, whereas inflation encourages consumption. If a currency with a relatively fixed supply (given that hybrid PoS / PoW currencies need to have minimal inflation in order to work) based on the free market appreciates by 400% annually from a beginning market capitalization of a few million current US dollars to a market capitalization of a fraction of the total market capitalization of all fiat currencies and of gold, or that is to something like 20 trillion current US dollars, then the holder of such a currency is called a saver, and such a saver will also want to invest part of his or her profit while the currency is appreciating, and a significant percentage of his or her total profit once the currency has reached its true market capitalization.

Therefore, the saver is also called an "investor". This is something that people who believe in Keynesianism and Monetarism don't understand, that savers are investors.

It is really important for the developers of Netcoin and its initial users to understand the economics behind currencies well, otherwise they are going to make severe mistakes in Netcoin's development.

To learn economics, read http://library.mises.org/books/Gene%20Callahan/Economics%20for%20Real%20People.pdf, David Stockman's "The Great Deformation", and https://mises.org/journals/qjae/pdf/qjae14_3_3.pdf.

The only flaws in Austrian economics are Mises' Regression Theorem and the reliance on anarcho-capitalism.

Both types of coins are going to make early adopters rich, but I think part of the success of Bitcoin is you can look at it now and you can know if it reaches 0.5-1% of the global economy it's going to be worth $70,000-100,000 each coin. This is actually desirable, what I'm saying is it's a good thing for Netcoin if those people who hold it are encouraged to hold it for years in hopes that each Netcoin could be worth millions. This turns people into long term stake holders and proof of stake encourages this even further. If Netcoin produced 11 million instead of 21 million then we would know that at some point if its technology really is better than Bitcoin it's going to go head to head with Bitcoin. It's not going to aim for 2nd place like Litecoin, but instead aim for 1st place.

What I'm saying is you're not going to have any long term holders of a coin like Feathercoin, Chinacoin, or any of those coins with billions of coins being created or trillions of coins being created because there is no incentive to save these coins. And as far as spending goes, you don't have to give people an incentive to spend money. When the infrastructure exists to make it easy for people to get exactly what they want the moment they want it with these coins then people will start spending them.

We don't need to have a billion coins and be tricked into feeling rich when we can have millions of coins and actually live rich. The dollar already has trillions, and there will be no reason why we should make it cheap for billionaires and millionaires to buy into these reserved slots. 11 million coins will make it twice as expensive to buy into these reserved slots as before which would mean you'd still have the potential that some billionaire could buy a bunch of coins while they are cheap, but I don't see why we should make that easy. I see it where you have a limited supply you have limited slots, just like not everyone can have a billion dollars, and no one has a trillion dollars, not everyone should have a Bitcoin or a Netcoin. If we let everyone have one then the value of each won't be as high because a millionaire isn't going to pay a million dollars a coin when we'll give him a coin for 10 cents.

These opinions are mine only, anyone is free to disagree and now is the time to debate. I've made my position known, I do not support the Chinacoin/Feathercoin/Litecoin (cheapcoin) model. I support the idea of diversity where you have some cheap coins for certain purposes such as pump and dump but then you have some coins where we might want to save them for 10 years because they are so rare, and then some coins which are in the middle. Bitcoin is the center of the bell curve and is the normal coin and normal is 21 million. Rare would be less than 21 million, and inflationary would be more than 21 million, and despite the sentiments of others on this forum, when I see a coin based on Litecoin with greater than 21 million total, the higher the total number of coins and the faster the generation of these coins the less likely I am to buy them and the more likely I am to see it as a pure speculation sport coin for pump and dumps or a coin so miners who premined or who got in early can make a quick profit.

Your argument is based on the position that there is psychological benefit to a currency's supply being limited so that one whole number unit is worth hundreds if not millions of US dollars.

This is a flawed argument as there is marginal, if any, psychological benefit. The average user is not going to care if one whole number unit of his currency is worth 1 current US dollar or 100,000 current US dollars, as he or she is going to simply hold 100,000 times the amount of the former if the latter's scenario is the case.

A currency's worth is derived from its supply being relatively stable, and durable, portable, and divisible.

The divisible part is where current cryptocurrencies are flawed. If Bitcoin were to reach a 20 trillion current US dollar market capitalization, its smallest unit would still be worth a significant amount of current US dollars, not making it satisfy the divisibility property.

I believe that the supply for the perfect cryptocurrency needs to be 10 trillion units, divisible to 8 decimal places. This would allow its smallest unit to be usable to round off the smallest transactions even if market capitalization for the currency was greater than 70 trillion current US dollars.

Remember that a significant portion of the world still needs to industrialize, and that further productivity gains are still possible, from making free markets actually work to technology improvements. This increases the total market capitalization of all possible currencies from 70 trillion current US dollars.

@tacotime
With all due respect for your engineering efforts, there are simpler ways to make PoW ASIC-proof:
http://hal.archives-ouvertes.fr/docs/00/56/31/13/PDF/bg10_ij.pdf

Maybe this (or a similar) hash, embedded into Scrypt (instead of SHA256), can do the trick.

You (as a HW expert) can judge which classes (and there are more than plenty of them) of chaotic hash functions are HW-proof. For ex.: the paper referred to above has sisters, descr. 3 - 4 similar functions by the same authors.

Chaotic hashes were excluded from the SHA3 competition, namely because they are BAD in HW.

There are completely different types of chaos-based hashes:
http://www.academicjournals.org/ijps/PDF/pdf2011/9Oct/Qing.pdf

Taco, what do you think of this chaotic hash? ASICs and FPGAs might be defeatable, even if the problem is that the efficiency of energy consumption takes a hit.
tacotime (Legendary, Activity: 1484, Merit: 1000)
May 09, 2013, 06:01:46 PM
Last edit: May 09, 2013, 06:12:05 PM by tacotime
 #457

Because it's bad in terms of throughput in a software implementation doesn't necessarily mean that there will be no advantage from using an ASIC.  In fact, I would be surprised if fast syndrome based hashes or chaotic hashes weren't still much faster on an FPGA/ASIC, as at the end of the day it likely just boils down to yet more logical gates being used.  I'm leaning much more towards algorithms that have had more extensive cryptanalysis done on them so that I can ensure the blockchain is secure rather than applying a hash that requires a bloat of logic gates (which may or may not be reducible; a lot of these implementations are probably just straight C++).

In fact, an FSB hash has already been done on FPGA: http://csg.csail.mit.edu/6.375/6_375_2009_www/projects/group2_report.pdf

Quote
As stated earlier, our first approaches to implementing FSB failed to fit on the FPGA. We
had problems with both too much on-chip memory usage and too much combinational logic.
The table below lists our resource usage before and after we made the area-reducing changes.

Component            First Version   Final Version
ROM Bits             2,477,824       435,968
Combinational Logic  158,518         60,327

As I said before, with optimization it's likely you can get these chaos-based hashes to fit into an FPGA too.

BubbleBoy (Sr. Member, Activity: 504, Merit: 250)
May 09, 2013, 07:49:31 PM
Last edit: May 09, 2013, 08:01:14 PM by BubbleBoy
 #458

But maybe one can come up with a chaotic hash which will be provably impossible to implement in ASIC/FPGA!?

This goal is provably impossible in itself. The CPU/GPU is an ASIC. The best you can hope for is that your hash schedule explores ALL the features of the CPU at MAXIMUM efficiency, making an identical CPU the only possible ASIC design. All the features: FPU, MMX/SSE2, memory segmentation and virtualization, all of the cache, branch predictors, debug and JTAG registers and the myriad other tiny atavisms that make a modern CPU work.

If you don't use them all with maximum efficiency, then a stripped down CPU or GPU optimized for the specific features you use will have a better performance at the same density/power/price point. In practice it's unlikely you hit even less than one order of magnitude gap between a software version on a generic CPU and custom software on a custom ASIC.

So I'm not sure I understand the appeal of ASIC resistance. The most you can achieve is to make the ASIC design very expensive. This will hold ASICs at bay for a few years, but if the currency is successful and the mining market is large then an ASIC will eventually be designed. When someone does it, it's game over, he controls the mining market. A huge entry barrier will dissuade other competitors to do the same because the potential benefit is lower.

If you absolutely must do proof of work, for example to control the currency price like in Eltase's design, then a simple scheme for which ASICs are easy to make or already exist (like bitcoin PoW) is much better from an economic standpoint.

thesnoo23 (Newbie, Activity: 56, Merit: 0)
May 09, 2013, 08:00:16 PM
 #459

But maybe one can come up with a chaotic hash which will be provably impossible to implement in ASIC/FPGA!?

This goal is provably impossible in itself. The CPU/GPU is an ASIC. The best you can hope for is that your hash schedule explores ALL the features of the CPU at MAXIMUM efficiency, making an identical CPU the only possible ASIC design. All the features: FPU, MMX/SSE2, memory segmentation and virtualization, all of the cache, branch predictors, debug and JTAG registers and the myriad other tiny atavisms that make a modern CPU work.

If you don't use them all with maximum efficiency, then a stripped down CPU or GPU optimized for the specific features you use will have a better performance at the same density/power/price point. In practice it's unlikely you hit even less than one order of magnitude gap between a software version on a generic CPU and custom software on a custom ASIC.

So I'm not sure I understand the appeal of ASIC resistance. The best you can hope for is to make the ASIC design very expensive. This will hold ASICs at bay for a few years, but if the currency is successful and the mining market is large then an ASIC will eventually be designed. When someone does it, it's game over, he controls the mining market. A huge entry barrier will dissuade other competitors to do the same because the potential benefit is lower.

If you absolutely must do proof of work, for example to control the currency price like in Eltase's design, then a simple scheme for which ASICs are easy to make or already exist (like bitcoin PoW) is much better from an economic standpoint.


Dear God in heaven, someone who has a damn clue.
chrono.v (Newbie, Activity: 12, Merit: 0)
May 09, 2013, 08:14:29 PM
 #460

But maybe one can come up with a chaotic hash which will be provably impossible to implement in ASIC/FPGA!?

So I'm not sure I understand the appeal of ASIC resistance. The most you can achieve is to make the ASIC design very expensive.

The greater the ASIC resistance the more expensive the production of the ASIC will be. What can be at least tried is to make it as expensive as possible to produce the ASICs, while taking care that the code can still maintain network performance. Maintaining network performance and making it as hard as possible for attackers to try and take control of the network, even as the market capitalization reaches the greatest heights, is the objective.