PoW vs PoS conundrum - presenting a new form of PoA.

[dinofelis]

.........
My statement in that gedanken experiment is that your 100 000 nodes will not get one single block, and will certainly not enforce their rules on the network.  As such, they have no power to do so.
.........

Of course full nodes that don't mine will never get a block.  'Good' non-mining full nodes could enforce the rules, though, but only if it somehow happens that at least one 'good' node is between every conspiring 'evil' mining node so they would not be able to propigate blocks to eachother. Last I saw (which was a while ago), the large pools have a special semi-private "relay network" for their mining full nodes they use, and they could always directly connect to eachother. Users that actually want to get their transaction into a block (since non-mining full nodes don't make blocks) would have to connect to an evil node. There's also nothing stopping the 'evil' guys from popping 100 000 non-mining evil nodes on the network to make it easier for users to connect to the evil-net.

Indeed, you've got it.  It is too much seen as "evil guys vs good guys".  One should see it as "rule set A" vs "rule set B".  If users and miners agree on rule set B, then no matter how many non-mining full nodes only accept rule set A, this doesn't enforce rule set A at all (whether rule set A is the "historical" or the "new" rule set doesn't matter here).

You are right that IF there's a vast majority of non-mining full nodes with rule set A, then a user connecting RANDOMLY to just a full node will most probably only see a "stopped" block chain.  The user has to specify a miner node that follows rule set B in order to get his transactions through, and get the live block chain (according to rule set B).  So a vast swarm of disagreeing non-mining full nodes can somehow perturb a bit the network, until users configure their wallets to ignore them, and only go to rule-B miner nodes.

And in fact, this is a very good thing, because otherwise, the attack of launching 100 000 full nodes with a different rule set would impose that different rule set, which is against the very idea of PoW securing the block chain: a sybil attack with full nodes would be sufficient if it were true that non-mining full nodes impose their rule set.

Purely technically, as you point out, only miners need to agree amongst themselves to use rule set B, and then only a block chain according to rule set B will be built.  But, as was pointed out regularly, and as was used erroneously as an argument indicating the power of non-mining full nodes, miners will not want to alienate users.  Technically, they can, but economically, they would ruin themselves, because alienating the users who sustain the market cap, and who are finally the buyers of their minted coins would kill the revenue of the miners, as they will now technically mine coins nobody wants to buy.

But an army of non-mining full nodes, in disagreement with the miners (and the users) has no power to impose its rule set, whether that rule set is a "new" one (a kind of sybil attack with an army of nodes) or the "old one" (as "guardians of immutability").  They can at most initially perturb the communication of transactions and blocks, and will in the end be ignored.

That was my point.

[kiklo]

Purely technically, as you point out, only miners need to agree amongst themselves to use rule set B, and then only a block chain according to rule set B will be built.  But, as was pointed out regularly, and as was used erroneously as an argument indicating the power of non-mining full nodes, miners will not want to alienate users.  Technically, they can, but economically, they would ruin themselves, because alienating the users who sustain the market cap, and who are finally the buyers of their minted coins would kill the revenue of the miners, as they will now technically mine coins nobody wants to buy.

But an army of non-mining full nodes, in disagreement with the miners (and the users) has no power to impose its rule set, whether that rule set is a "new" one (a kind of sybil attack with an army of nodes) or the "old one" (as "guardians of immutability").  They can at most initially perturb the communication of transactions and blocks, and will in the end be ignored.

That was my point.

Glad to see the part in blue finally sunk in.
In none of my references , did I infer the users were not part of the full nodes only the miners,
The Business Users combined with their own dedicated Full Nodes to the accepted standard of compliance,
can block the miners non-compliance thru ignoring their nonstandard blocks (which prevents theft of their Personal Business Inventory) & the Economics reprisals the miners would suffer from the Business dropping BTC.
Which was my point.

 

[David Rabahy]

I'm delighted we found the users to help us see a fuller picture of dynamics.

Still the users have to find good verses bad full nodes or they could be misled.

• How do users reliably find good full nodes?
• How does a user evaluate the blocks provided to them?
  

Even full nodes face the first question.  I configure my full node with 60 connections (enough more than the default of only 8?) and just hope the builders of the software did a good job and that the network hasn't partitioned me away from the good ones.  I do manually compare to various public sources of the blockchain, e.g. blockchain.info, etc., and hope they aren't compromised.  My confidence in being able to reach apparently good nodes has built up over the years but I don't want to become complacent.  I do examine peers for misbehavior and disconnect or ban them if I don't like what I see.  I watch various news outlets including this forum for indications of trouble.  If I am left behind or worse misled for awhile then I hope that eventually I will find the good ones and catch up and if needed replace the crap from the bad ones.

This I know; my fiat-denominated holdings are debased without any real effective say or recourse.  The only redeeming fact is so is everyone else's so I don't lose ground.  I feel very badly for folks without any appreciable holdings; the poor get poorer relative to the rich.  Bitcoin, by the rules, can't be debased; this is one of the attractive features of Bitcoin over fiat for me.

[dinofelis]

Purely technically, as you point out, only miners need to agree amongst themselves to use rule set B, and then only a block chain according to rule set B will be built.  But, as was pointed out regularly, and as was used erroneously as an argument indicating the power of non-mining full nodes, miners will not want to alienate users.  Technically, they can, but economically, they would ruin themselves, because alienating the users who sustain the market cap, and who are finally the buyers of their minted coins would kill the revenue of the miners, as they will now technically mine coins nobody wants to buy.

But an army of non-mining full nodes, in disagreement with the miners (and the users) has no power to impose its rule set, whether that rule set is a "new" one (a kind of sybil attack with an army of nodes) or the "old one" (as "guardians of immutability").  They can at most initially perturb the communication of transactions and blocks, and will in the end be ignored.

That was my point.

Glad to see the part in blue finally sunk in.
In none of my references , did I infer the users were not part of the full nodes only the miners,
The Business Users combined with their own dedicated Full Nodes to the accepted standard of compliance,
can block the miners non-compliance thru ignoring their nonstandard blocks (which prevents theft of their Personal Business Inventory) & the Economics reprisals the miners would suffer from the Business dropping BTC.
Which was my point.

 

I never contradicted that.   My point was simply that non-mining nodes have no way to impose their rules on the system.  That's all I said.   That holds.  In order to see the "power" or rather the absence of power of the full nodes, of course you have to "undo" them of all the other possible elements that might have power, so that these element's power is not confused and taken as a proof that it are the full nodes themselves that have this power.  As such, we have to, artificially, consider full nodes that have no links with users, nor with miners.  And then we see that these "naked" full nodes, even if they are in a large majority (because you fired 100 000 of them up on amazon), cannot impose their rules.

On the other hand, users, even with light weight wallets, DO impose their rules, through their decision to support, or not to support, the market cap.  They don't need to run a full node themselves, they can configure their light weight wallet to connect directly to the mining nodes that run their preferred version of the rules.  They do this by simply voting with their money, dumping the coins if they don't like it.

So users have power through their decisions to sustain, or not, the market cap and miners don't want to disgruntle them, because miners depend on the money spending/coin buying users to dump their coinbase on them.

All this was very clearly illustrated during the ETH/ETC split.

[dinofelis]

I'm delighted we found the users to help us see a fuller picture of dynamics.

Still the users have to find good verses bad full nodes or they could be misled.

• How do users reliably find good full nodes?
• How does a user evaluate the blocks provided to them?
  

Even full nodes face the first question.  I configure my full node with 60 connections (enough more than the default of only 8?) and just hope the builders of the software did a good job and that the network hasn't partitioned me away from the good ones.  I do manually compare to various public sources of the blockchain, e.g. blockchain.info, etc., and hope they aren't compromised.  My confidence in being able to reach apparently good nodes has built up over the years but I don't want to become complacent.  I do examine peers for misbehavior and disconnect or ban them if I don't like what I see.  I watch various news outlets including this forum for indications of trouble.  If I am left behind or worse misled for awhile then I hope that eventually I will find the good ones and catch up and if needed replace the crap from the bad ones.

I would think it is simpler: can't you just connect directly to the mining pool node with whom you are in agreement concerning the rules, and that's the only connection you really need ?  Of course, the number of connections that this node accepts may be limited...

This I know; my fiat-denominated holdings are debased without any real effective say or recourse.  The only redeeming fact is so is everyone else's so I don't lose ground.  I feel very badly for folks without any appreciable holdings; the poor get poorer relative to the rich.  Bitcoin, by the rules, can't be debased; this is one of the attractive features of Bitcoin over fiat for me.

Well, it can't be debased until miners and users decide so.

In fact, and I'm very surprised that this didn't happen yet, I wonder how it comes that people create alt coins with a new genesis block, and not as a hard fork from bitcoin.   If you create an alt coin which is a hard fork from bitcoin (that is, which takes as initial distribution, the unspend outputs on the bitcoin block chain at a certain block number, and whose private keys can sign a single transaction on the altcoin's block chain) you do away with all the problems of premine, initial distribution and so on, and you buy this coin the whole bitcoin user base.
We've seen this with the ETC/ETH split: all ETH holders were now also ETC holders.  In the ETC/ETH split, the two coins are very similar, but there's no need: the forked-off coin can be entirely different, just like an altcoin is different.  The only thing that is taken from bitcoin is the user base and the initial distribution.  As such, there can even be no need for mining/minting the coin any further.

If ever this happens, and I don't see how this can not happen in the future, you have ACTUALLY the same effect as a debasement.  The bitcoin market cap will split over both coins (of course, initially with the large majority still on bitcoin).

Sound money doctrine is misguided, because it makes the assumption of a single, unique monetary asset.  When monetary assets are in competition, and can be created/forked/... then there's no such thing as a sound money doctrine, by the flexibility of the market for monetary assets, and the variability of the market cap of each asset.  The creation of new assets automatically debases the "fixed number" ones.

[coinfusion]

Even full nodes face the first question.  I configure my full node with 60 connections (enough more than the default of only 8?) and just hope the builders of the software did a good job and that the network hasn't partitioned me away from the good ones.  I do manually compare to various public sources of the blockchain, e.g. blockchain.info, etc., and hope they aren't compromised. 
.....

It seems like not such a good idea to have so many outgoing connections, as it's using up the scarce resource of 'full nodes with non-firewalled open incoming ports'. You may instead want to force the default amount of 8 connections to nodes with operators you trust and allow as many incoming connections to your machine as it can handle without causing high relaying delays.  I believe there are a few folks who are attempting to identify those that are connecting to unusually large amounts nodes, as such a technique can be used to discover the origin of transactions. There are some remaining fragments of a sanitized thread about this here: https://bitcointalk.org/index.php?topic=978088.0

[David Rabahy]

Hmm, my outgoing is the default value of 8.  I changed total connections from 8 to 60, allowing for 52 incoming.  I would gladly reduce the outgoing below 8 if that is better.  I'd be really happy to force my outgoings to know/trusted entities but I kinda thought that would be counter to the whole idea of being trustless.

I certainly do not want to contribute to any weakening of Bitcoin.

Someone has got to enable incoming or who will the non-full node users connect to?  I configured by phone-based wallet to use just my full node.  It would be really nice if I could reserve a connection for just it but I usually don't have any trouble connecting pretty quickly.

[dinofelis]

Hmm, my outgoing is the default value of 8.  I changed total connections from 8 to 60, allowing for 52 incoming.  I would gladly reduce the outgoing below 8 if that is better.  I'd be really happy to force my outgoings to know/trusted entities but I kinda thought that would be counter to the whole idea of being trustless.

In reality, if you use someone else's software to set up your full node (for instance, if you download bitcoin core) you are already not in a trustless situation, because you trust the author of the software.  Truly trustless would imply that you implement the rules yourself in your own full node software, according to the principles (the "rule set") that you intend to require.  In practice this is not feasible of course, but this simply illustrates the silliness of the concept of trustlessness when taken to the extreme. 

[dinofelis]

Even full nodes face the first question.  I configure my full node with 60 connections (enough more than the default of only 8?) and just hope the builders of the software did a good job and that the network hasn't partitioned me away from the good ones.  I do manually compare to various public sources of the blockchain, e.g. blockchain.info, etc., and hope they aren't compromised. 
.....

It seems like not such a good idea to have so many outgoing connections, as it's using up the scarce resource of 'full nodes with non-firewalled open incoming ports'. You may instead want to force the default amount of 8 connections to nodes with operators you trust and allow as many incoming connections to your machine as it can handle without causing high relaying delays.  I believe there are a few folks who are attempting to identify those that are connecting to unusually large amounts nodes, as such a technique can be used to discover the origin of transactions. There are some remaining fragments of a sanitized thread about this here: https://bitcointalk.org/index.php?topic=978088.0

Well, if I were a miner that agreed with other miners and with a majority of users on a rule set, *against a whole bunch of non-mining full nodes that do not want this rule set*, I'd have all reasons to set up sufficient infrastructure to have my node accept thousands of incoming connections.  After all, if I'm a miner, I have enough resources to do so, no ?  Compared to the investment in the hashing resources that I have to own, or I have to rent, this network resource enabling me to allow users to connect to me or to a few of my peers seems small I' d think.
If we are, say, 5 mining pools owning 95% of hashing power agreeing on the rule set, we could set up each one of us, a big publicly known node that accepts a lot of incoming connections. 

[iamnotback]

Incorrect. Transaction fees make the consensus diverge. You need to catch up on the latest research.

Interesting. Can you point us to the latest research on this topic please?

I'm also interested in finding out what's wrong with transaction fees (apart the obvious divergence they cause with PoS).

But more to the point, I don't see what's wrong with "making the consensus diverge".

I will quote from my upcoming whitepaper which refers you back to some posts I had already made on this forum:

Byzcoin is incentives incompatible due to the sharing of rewards amongst the witnesses― yet in general PoW is incentives incompatible as transaction fees become a significant portion of the miner’s reward.<sup>[^broken] [^nofix] [^goose-egg]

[^broken]</sup> Miles Carlsten, Harry Kalodner, S. Matthew Weinberg, Arvind Narayanan. On the Instability of Bitcoin Without the Block Reward. CCS '16 Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 154-167, Oct 24, 2016. Freedom-to-tinker.com blog post.

^{[^nofix]} Shelby Moore III. Byzcoin is flawed. Bitcointalk.org, “DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?)” thread, post #880, Nov 13, 2016.

^{[^goose-egg]} Shelby Moore III. Byzcoin an attempted fix for Goose Egg outlier. Bitcointalk.org, “DECENTRALIZED crypto currency (including Bitcoin) is a delusion (any solutions?)” thread, post #871, Nov 12, 2016.

See also this which I had published before to this forum in my decentralization thread:

https://gist.github.com/shelby3/c0d6e0ed132be7e4577df3663c81ee09

[iamnotback]

Neither PoW nor PoS will be suitable because they both become centralized. Ditto any hybrid.

The world is not going to invest in an ecosystem controlled by whales. The entire point of crypto-currency is for it to not controlled by anyone.

Any resource will always become centralized. There is a power-law or exponential distribution of resources in nature. So to achieve decentralization, we can't design the security due to a resource, e.g. stake or mining hardware.

When people invest in open source it is because they know their investment can't be destroyed by some whales (who give preferences to certain protocol changes or whatever over time), because the source code is open and decentralized unlike closed source. Ditto with the Internet being decentralized (no one controls it), thus everyone is eager to invest in it.

The whales are also the weakest point that can be attacked by governments or whatever.

We need a new design that is inherently decentralized as controlled by the protocol. I plan to launch such a design health willing.

In my design, even with majority control over the stake of the system you could attempt censorship only (actually you could attempt a 51% attack but you'd need to convince the network that a natural fork had occurred due to a split in the network but this is implausible), but you'd end up on your own fork that the honest minority is ignoring (and additionally you would have destroyed some of your stake in the process). My system always converges consensus according to the rules of the protocol chosen by the transacting users who are honest (i.e. the honest users stay on the same fork).

Note propagation ordering is not objectively provable, but...a proxy is... (wait for the whitepaper).

A concept that is going to be introduced to blockchains is Byzantine fault detection (although it is not new in the literature external to blockchains). The following is in my whitepaper and it is a quote from a cited research paper:

> In a practical system that needs to tolerate up to `f` concurrent Byzantine faults, BFT cannot be implemented with less than `3f + 1` replicas. Moreover, BFT scales poorly to large replica groups; as more servers are added, the throughput of the system may actually decrease...
>
> ...Fault detection is weaker than masking. For instance, detection is insufficient for dealing with faults that have serious and irreversible effects, such as deletion of all copies of an important document. However, detection may offer an efficient and scalable alternative to BFT for faults that have limited or recoverable effects, including freeloading, censorship, and denial-of-service...
>
> ...Lastly, the presence of accountability alone deters certain types of attacks on a system, because it identifies and exposes faulty nodes.

[alkan]

See also this which I had published before to this forum in my decentralization thread:

https://gist.github.com/shelby3/c0d6e0ed132be7e4577df3663c81ee09

Thanks for the links.

I agree that a blockchain design that relies on transaction fees as the sole incentive for miners can lead to a Tragedy of the Commons. However, transaction fees used in addition to some other reward (which is significantly greater than the average tx fees) don't suffer from this issue.

Alternatively, one could also think of having fixed-size or fixed-percentage tx fees which afaics wouldn't be exposed to the market failure you describe. If the transactions include a reference to a recent block (TaPoS), the blockchain would reveal how long (no. of blocks) it takes for a transaction to be included in a block. That information could be used to automatically adjust the tx fees similar to block difficulty so that the total fee market would eventually decide about the fees.

[alkan]

Any resource will always become centralized. There is a power-law or exponential distribution of resources in nature. So to achieve decentralization, we can't design the security due to a resource, e.g. stake or mining hardware.

I agree with your statement for a) negotiable resources like financial stake or any kind of hardware and b) under the assumption that more resources mean more influence on the consensus and more rewards. As far as I can see, both conditions can be relaxed though.

For a) one can use non-negotiable resources that aren't prone to centralization. In a recent proposal, I suggest to restrict the creation of new minting accounts to a certain rate so that time (in the absolute sense, not work or computing time) becomes a limiting factor for an attacker that tries to gain more influence on the consensus. This adds an additional layer of security to my "dual token" PoS scheme since everybody's time is limited due the finiteness of life. And this security layer will asymptotically tend to infinity as more and more blocks (and minting accounts) are created.

To avoid b), all you need is a reward mechanism that destroys the coupling between resources and influence so that gaining more influence becomes unprofitable.

[alkan]

In my design, even with majority control over the stake of the system you could attempt censorship only (actually you could attempt a 51% attack but you'd need to convince the network that a natural fork had occurred due to a split in the network but this is implausible), but you'd end up on your own fork that the honest minority is ignoring (and additionally you would have destroyed some of your stake in the process). My system always converges consensus according to the rules of the protocol chosen by the transacting users who are honest (i.e. the honest users stay on the same fork).

It's certainly desirable to have such a property. I'm asking myself to what extent a regular PoS could withstand a majority control over the stake by some adversary, at least with regard to users who have been online for a long period before the attack (letting new users aside). Altcoins like NXT or Peercoin are vulnerable to a double-spend attack if an attacker can build an alternative chain faster than the rest of the network. But what if we change the chain selection rules as follows?

- Each client keeps track of every received block and chain fork in a list.
- Every received block is scored by the client by comparing it with the blocks in the list. The score depends on the common prefix that the new chain shares with the existing chains. The more blocks the new chain has in common with highly scored chains, the higher score it will get. If the common prefix is low with regard to all other chains, or if the prefix is only high for chains with low scores, the new block will receive a low score.
- A weighted random function is used to select which chain to build on.
- Double-mining is prevented by some punitive scheme.
- Even if the attacker can build an alternative chain faster than the rest of the network, it's difficult for him to overtake the legitimate chain since his blocks will be scored down by the honest nodes.

Note propagation ordering is not objectively provable, but...a proxy is... (wait for the whitepaper).

What exactly do you mean by "propagation ordering", the fact that you cannot objectively prove which of two blocks was created first?

[hv_]

I m still very astonished that PoS promoters try to work against the laws of physics or restaurants:

There is no free lunch!

Security comes from order keeping and due to dissipation and entropy increase you just have to work! to keep that order and security.

With PoS there will be never such security since you can mine all day but spend nothing ( or very few) for work - despite PoS promoters work hard in mind to overcome simple laws, but you cant fix physics.

I wonder if there is some theorem out there like the CAP that describes what I mean?

If not, we should try formulate this here.


To PoS promoters: Go back to work!

[kiklo]

I m still very astonished that PoS promoters try to work against the laws of physics or restaurants:

There is no free lunch!

Security comes from order keeping and due to dissipation and entropy increase you just have to work! to keep that order and security.

With PoS there will be never such security since you can mine all day but spend nothing ( or very few) for work - despite PoS promoters work hard in mind to overcome simple laws, but you cant fix physics.

I wonder if there is some theorem out there like the CAP that describes what I mean?

If not, we should try formulate this here.


To PoS promoters: Go back to work!

Shows alot of asshats, think they know how stuff works, but at the end of the day , most of those asshats are just plain wrong.

We know PoW is an energy hog ,
We know PoW will Centralize due to economics (BTC, LTC & Doge already have centralized to China)

We hear alot of BullShit security horror stories about how easy it is to attack a PoS coin.

Yet , every time one of you genius rant about the death of PoS due to a security flaw.
I offer you ZEIT's exposed Proof of Stake jugular for you to Prove your ever so deadly theory.
You want to know what has happen each and every time, not a Damn Thing, because your imaginations and the real world are not the same fucking thing.

So again, if any of you brilliant asshats can take down a Proof of Stake coin with your scary laser beams.
ZEIT as always is waiting , bring it on, and break this coin with your attack or SHUT THE FUCK UP!

 

[hv_]

I m still very astonished that PoS promoters try to work against the laws of physics or restaurants:

There is no free lunch!

Security comes from order keeping and due to dissipation and entropy increase you just have to work! to keep that order and security.

With PoS there will be never such security since you can mine all day but spend nothing ( or very few) for work - despite PoS promoters work hard in mind to overcome simple laws, but you cant fix physics.

I wonder if there is some theorem out there like the CAP that describes what I mean?

If not, we should try formulate this here.


To PoS promoters: Go back to work!

Shows alot of asshats, think they know how stuff works, but at the end of the day , most of those asshats are just plain wrong.

We know PoW is an energy hog ,
We know PoW will Centralize due to economics (BTC, LTC & Doge already have centralized to China)

We hear alot of BullShit security horror stories about how easy it is to attack a PoS coin.

Yet , every time one of you genius rant about the death of PoS due to a security flaw.
I offer you ZEIT's exposed Proof of Stake jugular for you to Prove your ever so deadly theory.
You want to know what has happen each and every time, not a Damn Thing, because your imaginations and the real world are not the same fucking thing.

So again, if any of you brilliant asshats can take down a Proof of Stake coin with your scary laser beams.
ZEIT as always is waiting , bring it on, and break this coin with your attack or SHUT THE FUCK UP!

 

Lol

Looks like you got hit and need some defensive now.

I ve already done your worst attack, I ve never invested into piece of shit and feels like majority is with me.

 sorry

[kiklo]

Lol

Looks like you got hit and need some defensive now.

I ve already done your worst attack, I ve never invested into piece of shit and feels like majority is with me.

 sorry

Funny thing is,
We don't need you too, last thing I want to see is your lying butt profit when our coin succeeds.
Notice not if but When.

Like I said the only thing that happens from your security threats to PoS.
Not a Damn Thing,  It is like you don't even exist except to run your mouth spewing falsehoods.

 

[alkan]

That looks funny.  Your "child accounts" act in fact like a kind of second token, of which you need PoS to mint the first (base) token of the chain and also to "mint" child accounts (the second token), and there's an opposite PoS relationship in that you need some base tokens to "fill" the child account (second token).    Aren't you afraid of a serious divergence of PoS of child accounts in the hands of a few ?  I see your system as a kind of "double PoS" with feedback between the two, for two different tokens: base tokens (the "currency") and mint tokens (the "child accounts").

I recently posted an article where I explain my approach in more detail. Would love to hear you opinion about it.
https://hackernoon.com/decentralized-objective-consensus-without-proof-of-work-a983a0489f0a#.r9fwu9non

[alkan]

It's certainly desirable to have such a property. I'm asking myself to what extent a regular PoS could withstand a majority control over the stake by some adversary, at least with regard to users who have been online for a long period before the attack (letting new users aside). Altcoins like NXT or Peercoin are vulnerable to a double-spend attack if an attacker can build an alternative chain faster than the rest of the network. But what if we change the chain selection rules as follows?

- Each client keeps track of every received block and chain fork in a list.
- Every received block is scored by the client by comparing it with the blocks in the list. The score depends on the common prefix that the new chain shares with the existing chains. The more blocks the new chain has in common with highly scored chains, the higher score it will get. If the common prefix is low with regard to all other chains, or if the prefix is only high for chains with low scores, the new block will receive a low score.
- A weighted random function is used to select which chain to build on.
- Double-mining is prevented by some punitive scheme.
- Even if the attacker can build an alternative chain faster than the rest of the network, it's difficult for him to overtake the legitimate chain since his blocks will be scored down by the honest nodes.

It looks like this paper provides a solution to the problem.

The paper replaces Bitcoin's Longest Chain Rule by a Weighted Fork-Resolving Policy (FRP):
In a block race,
1. if one chain is longer than the others by no less than k blocks, a miner mines
on the longest chain;
2. otherwise the miner chooses the chain with the largest weight;
3. if the largest weight is achieved by multiple chains simultaneously, the miner
chooses one among them randomly

From a miner’s perspective, the weight of a chain is the number of its in time blocks plus the number of in time uncle hashes embedded in these in time blocks. Whether a block is in time is evaluated from the miner’s local perspective. A valid block is considered in time if (1) its height value is bigger than the miner’s local chain head or (2) its height is the same as the local chain head and it is received no later than τ after receiving the first block of this height. Conversely, a valid block is late if the receiving miner has received a block of the same height τ before receiving this block

An interesting result is that when k = ∞, the defense can prevent a malicious miner with more than 50% of mining power from taking over the network by sacrificing partition tolerance. Honest nodes (that are online) can thus withstand an attacker with >50% of the power as they would just continue to build their chain, while the attacker would land on its own fork.

In my design, even with majority control over the stake of the system you could attempt censorship only (actually you could attempt a 51% attack but you'd need to convince the network that a natural fork had occurred due to a split in the network but this is implausible), but you'd end up on your own fork that the honest minority is ignoring (and additionally you would have destroyed some of your stake in the process). My system always converges consensus according to the rules of the protocol chosen by the transacting users who are honest (i.e. the honest users stay on the same fork).

Note propagation ordering is not objectively provable, but...a proxy is... (wait for the whitepaper).

What about new nodes joining the system? How can they decide which is the right chain in case of such forks?
"Objectively provable" would mean that you don't just rely on subjective scoring rules like the paper cited above. So, does your model really provide objectivity for newcomers?