There are so many details that you are skipping over here.
Some are explained throughout the thread, but I do tend to be wordy. This is the result of 2 years of ideating, and I had to focus on 4 completely new things, not just one, in the OP. I have around 50 or more pages of notes, and I wanted people to ask good questions and test the system rather than write a 20 or 30 page essay. But I was probably unconsciously obtuse in the OP with regards to section 1 because it is my baby.
Assuming you mean that every SH has to sign to each CB (the one that comes every days and should be a compilation of all intervening TBs), are you assuming that is random because of new SHs entering the SH pool since the prior CB? And so are you saying that each SH chooses a hash for itself when it joins, then it can't game this because it can't know a priori which SHs will enter the SH pool before the deadline of the next CB?
No, it is random because all the TBs are created,
then the CB compilation is signed by everyone during the next "potential" CB. There would be a delay of whatever the amount of time is given for SHs who missed their TB to sign the CB before losing their stake, probably around 3 CDs. Until that time is up, the SHs just sign TBs in the already predetermined order. An additional delay after the 3 CD period of perhaps 1 CD can ensure that everyone has all of the signatures who have signed, and at that point the new random number will be used to determine who is making TBs. These are things I don't have *exact* numbers for, but it is just a matter of weighing a few pros and cons when development gets to that point.
If my assumptions above are correct, then it means new SHs can't be selected to sign a TB until after the next CB.
This is correct.
But I am confused because it seems you may be referring to a hash of signatures of SHs which signed the TBs that in the CB? Because why is signing the CB relevant?
The hash just combines all the signatures together for the random number. It has to be the hash of the signatures, otherwise the last person to create the TB can adjust his TB in a million different ways to create a million different random numbers. If it is only a hash of the signatures during the
next CB period (for which he has no info), he has only the choice of two, and one will cause him to lose his large deposit.
You need to explain your system much more eloquently and tersely. It is very difficult to grasp the fundamental design in as few words as possible.
Well, it's a big concept, and there are not many people around here willing to think on different terms from bitcoin. That is why I try seeking those people out when I think I see them. Fewer still are going to be able to "get it" even if the OP is 30 pages. I would much prefer people to ask questions so that I can answer them and refer back to the answers for those who think they can spot vulnerabilities.
How do we prove which is the attack chain and which is the honest chain? Please try to be clearer in your writing. Write with the perspective of the reader who has no idea what is in your mind.
This is for the scenario where the attacker doesn't control the CNPs--which should be *significantly* hard. The honest network will add the evil network's TBs to their chain, but with the warning that they have not acknowledged many signatures attempting to achieve consensus. It's not even a warning, it's just something the clients can figure out based on the data. The honest TBs show that these signatures exist and that the evil network has not included them. The evil network can NOT do the reverse because then it is just continuing consensus. Therefore one network has all the signatures--the honest one--and one network has only some of the signatures.
We pay the bankers to enslave us. Don't use capital as a defense, because socialism always gives more capital to the those who will promise everything to the masses.
Capital is a defense because decrits capital cannot be created out of thin air. Someone who attempts to take control of the system must have a massive investment in the system. No early adopter will have power like this because bitcoin has the most retarded currency distribution scheme in the history of money. Decrits money cannot be monopolized by minters or early adopters, and it can't be purchased in massive fiat amounts because new currency will be distributed randomly to bring the price back down. Everything syncs together.
I have no idea what makes a CNP different than a SH. Because your proposal is so complex, it sounds like handwaving.
SHs are section 1, CNPs are section 2. SHs create the network data, CNPs distribute it. The requirements for being a CNP are lighter because each individual CNP is not critical to the network. They won't have to be online at a specific time or risk receiving a soft strike. Yet they still have a say in the network, because honest CNPs will not distribute the TBs of SHs who are being malicious by denying important transactions. This means that taking over the network requires taking over both halves of the network.
Please try to reduce it to simplified first concepts. So we can see what you are actually proposing which is unique and do thought experiments on failure modes.
I am not sure that it is possible to reduce it all that much, because reducing it inevitably leads to accusations of vulnerabilities. While most of us here have a deep understanding behind proof-of-work because we have read lots of things to understand it, it is complete gibberish to most people. I have been asked to write a white paper, but I don't think proof-of-consensus can be proven independently of the surrounding system. Proof-of-work is fairly easy in that regard, but it also leaves gigantic vulnerabilities (51%, etc.) wide open. I suppose a white paper could say that additional SHs can join for a significant number of proof-of-work tokens (decrits), and then that proof-of-work remains as a valid percentage of all proof-of-work unless its creator does something recognizably bad such as approving a bad spend or creating two TBs for one time period. That also demonstrates the energy efficiency of the system.
Okay I like this fundamental conceptual point. Missing signatures apparently is a key aspect of your design. But no where in your original explanation do you start by explaining this. And I still don't understand how technically that can be enforced on a fork.
It can be enforced as a fork because unless the evilcorp killed the people running those SHs, they are still out there transmitting TBs. If a large group is missing, nodes will be massively on-edge trying to find someone transmitting their data. From each client's perspective, if consensus was at 99% yesterday and it is at 90% today, big warning signs should be flashing in the client that
something is not right. This is why consensus is infinitely better than proof of work. There is no simple way to know how trustworthy proof-of-work is. Consensus either is or it isn't, and if it isn't, be *extremely* cautious.
At this point, nodes who have not been paying attention to the network will have a tough time deciding which is the real network (but not *that* tough because unless the attacker has been part of the network since its inception and has grown along with it, it will look obvious based on the consensus history which network is the one attacking).
How is that technically identified and please explain it in simple language?
Shareholders sign a ledger that acknowledges the state of existing shareholders (the hash of this ledger) prior to their joining the consensus. This ledger contains the history of shareholders joining and leaving the consensus since the genesis block. Each piece of information is heavily bound by about 100 bytes of data so even many years down the road this block will be a small and easy to transmit. When SHs sign out, they sign this block again, essentially saying that "at this point in time, there are no problems with the network," this is proven because his signature is on the current consensus-approved ledger!--the state at which (almost) all SHs last agreed on consensus.
However, when people do not sign out of the ledger and they do not sign the current consensus, the eventuality of this is a loss of 3k DCR, something that is supposed to represent a significant enough amount of money that people will not lose it lightly.
So, while this next part is not some guaranteed, fool-proof way of identifying a malicious network, it makes a whole lot of common sense: as each shareholder leaves the network to retrieve his 3k DCR back, he signs the block again proving that consensus was reached among the rest of the shareholders currently signed in. If we follow this chain from the genesis block, the evil network must be in place almost throughout the network's history to look as if it has as much of the consensus's agreement as the honest network. The honest network will have the ongoing consensus of the entire network's history on its side. The malicious network will be comprised of mostly newer SHs that have not been seen in consensus with any of the historic SHs.
I made the example of how bad it looks to perform a 51% attack on a network with 100,000 honest SHs in the second half of
this post. If the network is at 100% consensus with 100k honest SHs, and 101k evil SHs join up to perform a 51% attack, the evil network will have 0% consensus while the honest network will have 49% consensus.* This is not a realistic attack (you'd have to be incredibly rich and incredibly stupid), but it identifies the mechanism.
* - The 49% figure is actually not correct, it will depend on how many SHs had signed out previously, but it gets the gist across. This is a client-side activity so how it ends up determining these figures is not set in stone. SHs who signed out were not attacked by any of the existing SHs at the time, so their weight is added to those that are still around. This weight continues on until we get to a point where two networks exist, one with far less people having approved of them and there is an *ongoing network attack* that is causing a whole bunch of prior, honestly performing SHs to potentially lose their shares.
Capital can buy many peers. How to identify which ones are the good ones? Especially if the bad ones are only dropping transactions from those not playing by the rules of their cartel which by that time includes most of the popular merchants?
You are coming from a different attack scenario that I can see is based on what you posted about bitcoin. But this really can't apply. The big players can not drown out the small players. Sure, they can delay transactions, but they can't eliminate them. They can't change transaction fees, because that is akin to changing the coinbase reward in bitcoin. It isn't acceptable behavior. They can fail to acknowledge TBs that do not please them, but unless they also control the CNPs, doing this will cause an irreparable fork. At this point, it is up to the people to decide which network they want to use. Would you think perhaps people are more enlightened about money if they are using a system such as this? Would these megacorps be able to convince everyone to use
their fork that they created through force? Governments could
try, but when it is as simple as clicking a button or two to deny that network all power, it is an awfully big chance to take. If they fail, which is something that can only be decided by the people, they lose the entirety of that stake and massive amounts of power.
You are talking about all things in your mind which the reader has no clue about.
I have explained a lot of these concepts throughout the thread.
The internet can't propagate reliably in 10 seconds. I guess you assume these have to propagate by the next CB?
I haven't devised an exact system. It will be much faster than the next CB though. TBs will have to propagate within perhaps a 10-TB window. Because CNPs will be encouraged to connect to each other in a big hub-and-spoke kind of fashion, propagation time should be very low. The math of this will have to be gone into detail to make it as unlikely as possible for an evil group of SHs to attempt denying an honest SHs TB from being approved within the window. CNPs will be encouraged (via the client software) to drop future TBs that do not acknowledge TBs that it has seen, and this may eventually require user intervention on the CNP's part, or it would require a SH to have missed this chain because of the dropped TBs and include it (for each malicious TB that does not propagate, the window extends another TB). This could cause a mini-fork, and it's a pretty complicated concept that I haven't fully fleshed out to be honest. Worst-case scenario a number of TBs is picked that is fairly resistant to even an 80 or 90% attack because the attackers can't be presumed to control everyone or the network fails on principle. In this instance, the worst the attackers can do is cause a few SHs to receive soft strikes once in awhile. It is an attack vector, but it requires much more than 50% of SH control to perform it at all reliably, and if it takes too long for EvilCorp to get an honest SH kicked out (soft strikes are eventually forgiven), then it can't do anything. They won't be able to target specific SHs, only random ones, so this process will be very difficult and take lots of time in which more honest people can join, or worst-case the ongoing attack is identified and something that isn't automatic is done about it.
So how can we avoid duplicated transactions in the TBs? Or are duplicates okay and somehow they get merged for the CB?
Duplicates are ok, and they don't require much data as I've already pointed out. If a TB is delayed (or the SH fails to create it), the next TB in line can include the transactions for that window so that they are "approved" in a timely manner. However, if this TB is missing, large face-to-face transactions know to wait until the missing block can no longer replace the transactions in the following TB. You might have to wait a few minutes for large purchases, but small purchases have far better security than 0-confirmation bitcoin transactions.
But if there is no consensus until the CB, how does anyone trust a TB until it is in a CB after days?
Based on the current consensus. In addition to signing the CB, the SHs are signing the ongoing changes as well. If the chain of transaction blocks is relatively complete, a network attack/split/whatever is not currently in progress. The one risk you take is that the network may be attacked or split within the next few days. Even then, unless your transactions are being specifically targeted, you are probably completely safe, similar to bitcoin. If your transactions are being targeted, well seeing as how EvilCorp has been handled so far should assure you that your transaction is safe on the honest network. EvilCorp will have to create a network split just to deny your transaction, and then must get the entire world to agree that his view is correct.
If the network split is legitimate--say the government of one country has shut down its peoples' outside access to the internet--everyone knows which network is on the outside, and not to implicitly trust transaction security if you are on the outside too. I don't believe that governments will have this power for long though, as meshnet technology is advancing, and supporting a network like this could be its raison d'etre.
Could you unpack that into english please?
EvilCorp can't perform any useful attack (delaying inevitable transactions is not useful, only annoying) unless they intend on forking the network in which case they will lose all of their money unless they can convince everyone that they are actually honest. The system is undefeatable.
Realize that without peer review, you can't be sure that there are not holes in your design. But if we can't understand what you are saying, we can't review it.
There may be unforeseen attack vectors, but they will be far less powerful than bitcoin's 51% attack. Peer review is unlikely to catch these anyway. A wiki is being set up by Ukigo so I can start explaining this in a drillable-down format so that the answers to advanced questions are easy to find.
