Decrits: The 99%+ attack-proof coin

[Etlase2]

I dont understand the need for absolute stability and in fact the notion of trying to enforce it probably brings more issues than it solves.

This is a misguided notion of Decrits, and I understand where you're coming from because my initial proposals for Encoin tried to force stability. Decrits will only attempt to maintain a stable cost to produce the currency. This has many different implications, almost all of which I think are better for a healthy currency than attempting to enforce stability. But that's a long-winded discussion of economics.

All you need to know about decentralized cryptocoins is that they are deflationary by nature. Over the LONG TERM, they will go up in value.

This is a silly presumption. Bitclones will not be the only implementation of cryptocurrency ever.

If businesses want to accept bitcoins they dont need to hold them. This is a crucial point in the crypto-economy.

One that I believe is a crucial failure if you expect BTC to replace fiat. All those notions of liberty and freedom go right out the window when bitcoins offer little reprieve from fiat.

Holding coins is for people or businesses that understand the long term deflationary value of a decentralized cryptocurrency.

Holding coins is for people that live in mommy's basement. Businesses need stable cash flows, and bitcoin will not provide that.

[1714057915]

1714057915

[1714057915]

1714057915

[1714057915]

1714057915

[Etlase2]

a) where does my money go?

Hay look, questions! Your money is digital bits on the internet, it doesn't go anywhere. But as far as how the money is represented in those bits, well the simplest way to explain that is that it moves from one ledger--general accounts--to another--shares.

b) can i buy more then one share? can i buy a majority anonymously?

Yes and theoretically yes. While I haven't gone deep down into the number-crunching hole of figuring out desirable ratios of SHs to say, people on Earth, suffice it to say that it will require massive amounts of monetary control over the network before being able to embark on such a proposition. Because the production of money is unbounded (and currency distributed randomly), obtaining this type of control will be difficult if not impossible.

Additionally, controlling >50% of the consensus does not give you supreme control over the network. You can't rewrite history, you can't make bad spends (a spend transaction for more money than is in an account), you can't even drop transactions or other SHs' Transaction Blocks because the Cloudnet, and the everyday peer, is watching. You would need to control a large portion of the consensus, a massive portion of the Cloudnet, restrict all SP communication, etc. to keep a lid on any nefarious activities. And unless all the good guys just legitimately quit, there will be the problem of a big hole in the consensus that *everybody* knows about.

c) who is the first SH?

There will be a bootstrapping process. The last part of that bootstrapping process before beginning the live network will be giving out something like 50-100 shares to people who have contributed to the project on the condition that they must perform the SH duties for at least 3 years before cashing out, or the entire share will be void (this will be maintained by the network). A similar deal but less restrictive for giving away CNP shares to hundreds or a few thousand that must be maintained for 1 year. There will be bonuses to minting (perhaps 5-10x) and share prices can be purchased at discounted prices (such as 1/3rd) during the live bootstrap, these bonuses will slowly evaporate as the bootstrap process comes to an end--3 years is what I've been using in my notes as the live bootstrap period.

[kokjo]

There will be a bootstrapping process. The last part of that bootstrapping process before beginning the live network will be giving out something like 50-100 shares to people who have contributed to the project on the condition that they must perform the SH duties for at least 3 years before cashing out, or the entire share will be void (this will be maintained by the network). A similar deal but less restrictive for giving away CNP shares to hundreds or a few thousand that must be maintained for 1 year. There will be bonuses to minting (perhaps 5-10x) and share prices can be purchased at discounted prices (such as 1/3rd) during the live bootstrap, these bonuses will slowly evaporate as the bootstrap process comes to an end--3 years is what I've been using in my notes as the live bootstrap period.

do you see your fail now?


your system is huge , complex and failish, there is alot of stuff that could and will go wrong. you are giving the power of the system to the devs(central control) from the start. and you cannot buy in with out all current SH agrees. and no one hold my money, and the network cannot do such a task without central control, or the possibility of fail.

bitcoin is different: anyone can buy hardware to mine, no one have(or can ever gain) absolute veto rights.

now give me my btc: 13MXCTA2CPYbREMqNaf5VK2ArSc3QYm8cc

[Etlase2]

your system is huge , complex and failish, there is alot of stuff that could and will go wrong. you are giving the power of the system to the devs(central control) from the start.

I was actually planning on making a point about this in accepting the bet, but talk is cheap, you will be proven wrong.

and you cannot buy in with out all current SH agrees.

Incorrect. The SHs that do not include share buying transactions will eventually have their transaction blocks dropped--I can go into a lot more technical detail on how this will work, but it is dry. It is a dead-simple mechanic to understand though once the whole idea of how the network operates is understood. For a later post though when I respond to Ukigo. When a SH comes along that does include the transaction, the CNPs will transmit that block as the current state of the network, and penalties will be applied to those SHs who "missed" blocks. I already made and addressed this argument for you in the second paragraph.

The network would fail upon its first share purchase if existing SHs acted the way you presume they can (unless one entity owns all SHs, CNPs, and clients). If *one* SH is honest, the network could theoretically continue with just that SH until more shares are purchased.

and no one hold my money, and the network cannot do such a task without central control, or the possibility of fail.

As I said, no one is holding your money, the network has only agreed to change the state of it.

[kokjo]

C. Preserving Anonymity of CNPs (and SHs) CNPs will often have to associate IP addresses with account numbers when joining or cashing out of the CN. This is terrible for privacy-minded people and they should not have to be forced to use some outside "laundry" service to disassociate this connection. To provide this, buy-ins and cash-outs may be performed with blind transactions (invented by Chaum).

you do know that blind signing can not be done without a central authority, and a person cashing out would therefor have to use a laundry service.


you really don't know what you are talking about do you?

[Etlase2]

C. Preserving Anonymity of CNPs (and SHs) CNPs will often have to associate IP addresses with account numbers when joining or cashing out of the CN. This is terrible for privacy-minded people and they should not have to be forced to use some outside "laundry" service to disassociate this connection. To provide this, buy-ins and cash-outs may be performed with blind transactions (invented by Chaum).

you do know that blind signing can not be done without a central authority, and a person cashing out would therefor have to use a laundry service.

Did you read the post I linked right after that sentence?

"Actually, I thought about it a bit more, and specifically under the Decrits system this would be possible because of the shareholder system.

Users blind their transactions and shareholders add them to a blind sig queue. Once there are enough in the queue (decided by the protocol, say 50 or so txes), a shareholder will sign all of them and have the coins deposited to his shareholder stake.[..] You have the slight chance of getting boned if the shareholder removes his share,"

While this is true, there is a non-gameable way to ensure this is a waste of time and money. The penalty for seeing more withdrawals than allowed (when the blind signees come to get their money) is bigger than the gain made by stealing money. For example, if a SH has a 3,000 DCR deposit, he will only be allowed to blind sign 2,500 DCR which will be added to his stake. If a transaction places his stake below 3,000 DCR, he will lose 3,000 DCR for a net of -500 and all reputation associated with his SH (3 years potentially down the drain). An "early withdrawal" penalty would be say 250 DCR, so it is also not a profitable avenue over just taking that penalty.

you really don't know what you are talking about do you?

Yes, yes I do know what I am talking about.

[kokjo]

Did you read the post I linked right after that sentence?

"Actually, I thought about it a bit more, and specifically under the Decrits system this would be possible because of the shareholder system.

Users blind their transactions and shareholders add them to a blind sig queue. Once there are enough in the queue (decided by the protocol, say 50 or so txes), a shareholder will sign all of them and have the coins deposited to his shareholder stake.[..] You have the slight chance of getting boned if the shareholder removes his share,"

While this is true, there is a non-gameable way to ensure this is a waste of time and money. The penalty for seeing more withdrawals than allowed (when the blind signees come to get their money) is bigger than the gain made by stealing money. For example, if a SH has a 3,000 DCR deposit, he will only be allowed to blind sign 2,500 DCR which will be added to his stake. If a transaction places his stake below 3,000 DCR, he will lose 3,000 DCR for a net of -500 and all reputation associated with his SH (3 years potentially down the drain). An "early withdrawal" penalty would be say 250 DCR, so it is also not a profitable avenue over just taking that penalty.

this cannot be done securely. the SH can steal the deposited money without any proof of doing so, due to the anonymity of the receiver and plausible deniability of blind-sig.

im convinced now, you really don't know what you are talking about.

[Etlase2]

this cannot be done securely. the SH can steal the deposited money without any proof of doing so, due to the anonymity of the receiver and plausible deniability of blind-sig.

im convinced now, you really don't know what you are talking about.

There is no plausible deniability to a non-repudiated digital signature, blind or otherwise. That is a basic tenet of digital signatures. A transaction arriving that brings the SH's account below 3,000 DCR is proof that the SH has stolen or is attempting to steal money. The SH could sign the 2,500 DCR worth of transactions, cash them all out immediately, and when any of the legitimate unblinded txes come in, the fraud will be revealed with proof for all to see, and the SH will lose the 3,000 deposit.

You either don't understand or are unwilling to understand the concept. The SH can not just cash money out whenever he wants, there are specific rules associated with being a SH: number one among them being that the share money is locked for a period of 1 year. Anything above that amount (including tx fee payments) may be cashed out. Going below that amount is violating a rule of the network like trying to award 100 coins to yourself in a bitcoin coinbase transaction. No one honest will accept it. The system I have described is viable. If people are concerned about trolling, SHs with at least 1 year of service may be an option or a requirement to blind transactions.

[Come-from-Beyond]

There is no plausible deniability to a non-repudiated digital signature, blind or otherwise. That is a basic tenet of digital signatures. A transaction arriving that brings the SH's account below 3,000 DCR is proof that the SH has stolen or is attempting to steal money. The SH could sign the 2,500 DCR worth of transactions, cash them all out immediately, and when any of the legitimate unblinded txes come in, the fraud will be revealed with proof for all to see, and the SH will lose the 3,000 deposit.

What if SH decides to lose 3,000 just to be able to compromise the system? Any defense against such a situation?

[kokjo]

this cannot be done securely. the SH can steal the deposited money without any proof of doing so, due to the anonymity of the receiver and plausible deniability of blind-sig.

im convinced now, you really don't know what you are talking about.

There is no plausible deniability to a non-repudiated digital signature, blind or otherwise. That is a basic tenet of digital signatures. A transaction arriving that brings the SH's account below 3,000 DCR is proof that the SH has stolen or is attempting to steal money. The SH could sign the 2,500 DCR worth of transactions, cash them all out immediately, and when any of the legitimate unblinded txes come in, the fraud will be revealed with proof for all to see, and the SH will lose the 3,000 deposit.

so all addresses must be some how be under centrally control?

consider this:
BS is a blind signing bank.
AU is anonymous user.

AU creates a secret S and blinds it with a key K, and now have a message called K(S).
AU pays BS to blind sign K(S), and receives B(K(S)) back.
AU then unblinds B(K(S)): K^-1(B(K(S))) = B(S).
AU sends B(S) to BS and asks for it to be paid out.
BS have now S denies to pay out, claiming that the secret S have already been used.
AU is scammed without being able to proof it, BS can always show that it knows S and therefor that it has been "used".
BS wins, AU loses.

[cdog]

Businesses need stable cash flows, and bitcoin will not provide that.

Exactly, businesses need stable cash flows. Bitcoin will not replace the USD or any other currency anytime soon, thats just reality.

When Bitcoins becomes the obvious, defacto standard for all transactions (after the shit REALLY hits the fan), dollars will be worthless pieces of paper. Hell, we might be so fucked at that point that we go back to the stone age - before currency was even invented, where we just traded shit. Maybe Nuka-Cola caps will be worth more than Bitcoins. Who knows what that world will be like.

That will all happen very quickly when it does happen, but that time is far, far in the future from now.

Right now, businesses need to pay their rent and power bills in USD, Euros, or some other local currency. That isnt changing for years if not decades.

For these businesses, they can add a lot to their bottom line by accepting BTC or LTC and converting them into fiat immediately.

That helps the business, it helps the cryptocurrency, and it stimulates the overall economy. Its a win-win-win, thats what Im trying to explain.

If you need a further explanation, read here:

http://fallout.wikia.com/wiki/Nuka-Cola

[Etlase2]

What if SH decides to lose 3,000 just to be able to compromise the system? Any defense against such a situation?

"If people are concerned about trolling, SHs with at least 1 year of service may be an option or a requirement to blind transactions."

It does not solve the problem, but it makes the troublemakers have to spend a lot of time and effort to lose 500 DCR and the greater profitability of being a SH for an extended period. The bigger the penalty, the less money that can be blinded, so a trade-off must be made. It isn't a perfect system, but it should be an acceptable risk.

AU sends B(S) to BS and asks for it to be paid out.

AU sends B(S) to the network where every other SH will see it as a valid transaction and add it to his TB.

BS have now S denies to pay out, claiming that the secret S have already been used.

BS can not claim that the secret has been used without the unblinded transaction being published and debited from his account. As I have said multiple times, if more transactions signed by BS come in that would bring him below his share requirement, there is proof of fraudulent activity. On an individual tx basis it will not be possible to prove fraud, but as a whole it can be detected and punished.

AU is scammed without being able to proof it, BS can always show that it knows S and therefor that it has been "used".
BS wins, AU loses.

Both lose, but BS* loses more (and less than the early withdrawal penalty) and SH reputation. There is no rational reason to do this.

edit: sorry originally typed AU

[Etlase2]

That helps the business, it helps the cryptocurrency, and it stimulates the overall economy. Its a win-win-win, thats what Im trying to explain.

It's also something any non-pyramidal cryptocurrency will provide. Will businesses choose the volatile rollercoaster of bitcoin? Or would they prefer something that is stable and immune to fiat inflation? When businesses can hold cryptocurrency without volatility, it will encourage them to find ways to use it outside of fiat, thus expanding the real value of the economy. Immediately cashing back to fiat does not expand this value--it makes for digital hot potatoes.

[kokjo]

AU sends B(S) to BS and asks for it to be paid out.

AU sends B(S) to the network where every other SH will see it as a valid transaction and add it to his TB.

AU2 which is accutually BS, double spends the transaction. because it know secret S, from the broadcast.

[Etlase2]

AU2 which is accutually BS, double spends the transaction. because it know secret S, from the broadcast.

There isn't a concept of "double spending" in Decrits because coins are not tracked individually, they are tracked by account balances (instead the concept is "bad spends"--spends that would take your account below zero, or in a SH's case, below 3,000). Every blinded transaction has an equal opportunity to any of the coins in the SH's account until it goes below the share size. Knowing S does not unrepudiate the transaction. The Decrits network will not just ignore this like Bitcoin does. There is no retribution for acknowledging it in Bitcoin though so it is not *completely* necessary (though the current implementation is rather bone-headed from a merchant's standpoint), whereas in Decrits the offending SH will be penalized.

[kokjo]

AU2 which is accutually BS, double spends the transaction. because it know secret S, from the broadcast.

There isn't a concept of "double spending" in Decrits because coins are not tracked individually, they are tracked by account balances (instead the concept is "bad spends"--spends that would take your account below zero, or in a SH's case, below 3,000). Every blinded transaction has an equal opportunity to any of the coins in the SH's account until it goes below the share size. Knowing S does not unrepudiate the transaction. The Decrits network will not just ignore this like Bitcoin does. There is no retribution for acknowledging it in Bitcoin though so it is not *completely* necessary (though the current implementation is rather bone-headed from a merchant's standpoint), whereas in Decrits the offending SH will be penalized.

lets say that we have 4 SHs. and 3 addresses, A with 10 "coins", and B and C with 0 "coins" each.

SH_1 receives a incoming transaction saying that A transfers 10 coins to B, TX(A->B).
SH_2 receives a incoming transaction saying that A transfers 10 coins to C, TX(A->C).

SH_3 have a incentive to support TX(A->B), for some irrelevant reason.
SH_4 have a incentive to support TX(A->C), for some irrelevant reason.

which transaction wins?

[Etlase2]

lets say that we have 4 SHs. and 3 addresses, A with 10 "coins", and B and C with 0 "coins" each.

SH_1 receives a incoming transaction saying that A transfers 10 coins to B, TX(A->B).
SH_2 receives a incoming transaction saying that A transfers 10 coins to C, TX(A->C).

SH_3 have a incentive to support TX(A->B), for some irrelevant reason.
SH_4 have a incentive to support TX(A->C), for some irrelevant reason.

which transaction wins?

SHs are assigned in random orders* to produce Transaction Blocks that cover specific 10 second periods in each CB. The transaction that wins will be based on which SH is the next to create a TB after the transactions have propagated. This is the basis for 5-15 second confirmations.

* - The "random" order is changed by the hash of the 100% SH signature consensus (or less than 100% with unsigning SHs losing their deposit--section 1.B.ii) of the prior CB.

[kokjo]

lets say that we have 4 SHs. and 3 addresses, A with 10 "coins", and B and C with 0 "coins" each.

SH_1 receives a incoming transaction saying that A transfers 10 coins to B, TX(A->B).
SH_2 receives a incoming transaction saying that A transfers 10 coins to C, TX(A->C).

SH_3 have a incentive to support TX(A->B), for some irrelevant reason.
SH_4 have a incentive to support TX(A->C), for some irrelevant reason.

which transaction wins?

SHs are assigned in random orders* to produce Transaction Blocks that cover specific 10 second periods in each CB. The transaction that wins will be based on which SH is the next to create a TB after the transactions have propagated. This is the basis for 5-15 second confirmations.

* - The "random" order is changed by the hash of the 100% SH signature consensus (or less than 100% with unsigning SHs losing their deposit--section 1.B.ii) of the prior CB.

this system smells fishy. ONE person decides what the outcome will be, and decides who will be next to make a decision? and SH that not agrees will loose their deposits.

you assume SHs agrees. which i assure you, they will not.

[Etlase2]

this system smells fishy. ONE person decides what the outcome will be,

Is it not the same for bitcoin? One person will eventually win the lottery by finding a winning block. His view of the network is accepted as "the" view. Although in reality it is actually just a few pools that can make that determination and can easily collude. Perhaps pools give you warm fuzzies, but they are far less decentralized than the system I propose.

and decides who will be next to make a decision?

Absolutely, unequivocally, not. I specifically noted how the random order would be determined to help you understand this. The Consensus Block only exists if it is agreed on by all SHs. The reason why I designed the consensus period to be so long is so that a) SHs do not have to constantly monitor the network (they only need to be online around the time in which they have to create a TB), and b)

you assume SHs agrees. which i assure you, they will not.

to give an ample window of time to organize the Transaction Block chain so that whoever is going to provide a TB or CB signature (if they missed their TB or had their TB dropped by the CN or other SHs) has the opportunity to do so. I did not cover the Transaction Block chain in the OP because it starts getting into the very technical details of network security, which I have already promised Ukigo that I will detail soon.

There are only two reasons why consensus of the network can not be reached:

1) EvilCorp. owns a significant amount of shares and is trying to make it look like TheGoodGuys are not attempting to reach consensus. This is thwarted by the larger and more diverse CN, as well as CNCs and SPs, watching network activity. They will refuse to acknowledge newer blocks that have not acknowledged previous blocks. This is not a hard and fast rule, it is determined by the will of the entire network. The longer you wait to acknowledge a TB that has propagated, the more likely your TB will fail. The only way to get around this is to also control the vast majority of the CN, and really, a large portion of the CNCs/SPs as well. At this point you are just playing with yourself. Don't forget that this will also require a not insignificant percentage of all the coins in existence.
2) Internet infrastructure goes down/governments block outside access/specifically target decrits. These are all solved by meshnet technology. While it's easy to say "it will be solved in the future", this is not a problem the network can fix, though of course it will have ways to recover from minor and even major splits, but only if they are reasonably temporary*. And even for an extended period people locked out of the network only need to get through a few dozen bytes to maintain consensus.

edit: * - Reasonable is a fairly long time, on the order of 10-30 CDs depending on how it finally ends up working out and how strong of a possibility this really seems (not that likely, but China for example could be a problem with its history).

[kokjo]

this system smells fishy. ONE person decides what the outcome will be,

Is it not the same for bitcoin? One person will eventually win the lottery by finding a winning block. His view of the network is accepted as "the" view. Although in reality it is actually just a few pools that can make that determination and can easily collude. Perhaps pools give you warm fuzzies, but they are far less decentralized than the system I propose.

and decides who will be next to make a decision?

Absolutely, unequivocally, not. I specifically noted how the random order would be determined to help you understand this. The Consensus Block only exists if it is agreed on by all SHs. The reason why I designed the consensus period to be so long is so that a) SHs do not have to constantly monitor the network (they only need to be online around the time in which they have to create a TB), and b)

you assume SHs agrees. which i assure you, they will not.

to give an ample window of time to organize the Transaction Block chain so that whoever is going to provide a TB or CB signature (if they missed their TB or had their TB dropped by the CN or other SHs) has the opportunity to do so. I did not cover the Transaction Block chain in the OP because it starts getting into the very technical details of network security, which I have already promised Ukigo that I will detail soon.

There are only two reasons why consensus of the network can not be reached:

1) EvilCorp. owns a significant amount of shares and is trying to make it look like TheGoodGuys are not attempting to reach consensus. This is thwarted by the larger and more diverse CN, as well as CNCs and SPs, watching network activity. They will refuse to acknowledge newer blocks that have not acknowledged previous blocks. This is not a hard and fast rule, it is determined by the will of the entire network. The longer you wait to acknowledge a TB that has propagated, the more likely your TB will fail. The only way to get around this is to also control the vast majority of the CN, and really, a large portion of the CNCs/SPs as well. At this point you are just playing with yourself. Don't forget that this will also require a not insignificant percentage of all the coins in existence.
2) Internet infrastructure goes down/governments block outside access/specifically target decrits. These are all solved by meshnet technology. While it's easy to say "it will be solved in the future", this is not a problem the network can fix, though of course it will have ways to recover from minor and even major splits, but only if they are reasonably temporary*. And even for an extended period people locked out of the network only need to get through a few dozen bytes to maintain consensus.

edit: * - Reasonable is a fairly long time, on the order of 10-30 CDs depending on how it finally ends up working out and how strong of a possibility this really seems (not that likely, but China for example could be a problem with its history).

and what happens when they are corrupted?

you really don't understand the sybil attack do you?