Decrits: The 99%+ attack-proof coin

[sor.rge]

But do you want to discuss your proposal? In particular, the security proofs.

In response to what I've said, you mentioned

So now you must consider, as I have, a way to incentivize propagation.
...
I think the same can even go for the monetary system. Your quip about destroying money to redistribute wealth is completely baseless. That mechanic is purely for network defense. What I believe you are doing is conflating the ability to start a new currency from within the protocol. It always comes back to being able to fork away from malicious people so that there is no such thing as a 51% attack. And there is not in my design. The money is not destroyed in this scenario unless people universally choose the new currency (and the currency is not actually destroyed; only its value if no one uses that fork).

This is not a good answer to the proposed attack. You say that effectively this creates a fork and everyone is free to accept either branch. This is similar to saying that in bitcoin there is no 51% attack, users are free to choose a shorter chain if they prefer. It's simply not true. It's not the users, but the software in their wallets who will decide which chain to accept, and since it's the same program for every wallet they will all choose the same thing, given that they perceive the same situation. So one of the branches will die immediately, and per your rules it will be the honest branch.

Now for the propagation. I think the rewards for propagation, no matter how large, will not improve the defense against the attacks. The incentives are specified within the system, assuming that it still works; however if there is a possibility to break the system and gain complete control of it, the successful attacker will claim all the rewards and more. Even if the incentives will be designed in such a way that it would be impossible to claim them after a successful attack, the future gains from the complete domination of the system would still likely outweigh any lost rewards.
In short, the incentives cannot be used as a security measure. They may serve a role to keep the system efficient, but when it comes to security, they will not guard anything.

51% Rule of Decentralized Agreement
In any decentralized P2P system any consensus fork of agreement is controllable by controlling 51% of the peers.
It must be this way, else there is no way to eliminate minority opinions (minority forks of agreement).

I'm afraid this could be right. However, there is no hard proof so far. Perhaps there is an algorithm that decides which viewpoint is the most "honest", according to some reasonable definition of "honest", even if only a minority share it. Unfortunately, we didn't find it yet.

[Etlase2]

This is not a good answer to the proposed attack. You say that effectively this creates a fork and everyone is free to accept either branch. This is similar to saying that in bitcoin there is no 51% attack, users are free to choose a shorter chain if they prefer. It's simply not true. It's not the users, but the software in their wallets who will decide which chain to accept, and since it's the same program for every wallet they will all choose the same thing, given that they perceive the same situation. So one of the branches will die immediately, and per your rules it will be the honest branch.

Except bitcoin's design is not decrits' design. And the failure of proof of hard disk is the same failure as proof of work--the forking chain cannot be destroyed because they can just create new anonymous proofs with no penalty. On the other hand, with an enforced fork and forcing users to make this decision, the evil fork, unless they can convince the entire world that they are honest, will lose all of its money and will not simply be able to reattack the network as with physical media. Yeah, the "simpler" design is the far more powerful design.

At various points in this thread I have described several mechanics as to how users can identify an honest from a dishonest fork. The simplest is of course the fork where their honest friends and merchants are currently creating TBs.

I think the rewards for propagation, no matter how large, will not improve the defense against the attacks.

I believe you are presuming that a 51% attack is still viable. It is not. Even if a peer is only seeing the dishonest fork, he knows that a large portion of consensus is missing and that the network is not to be trusted until he figures out what is going on. You can't even dupe a newbie node because of the shareholder ledger design, again as previously described.

The incentives are specified within the system, assuming that it still works; however if there is a possibility to break the system and gain complete control of it, the successful attacker will claim all the rewards and more.

You need to be more specific. You are not referring to any actual attack, just a big generalization. EvilCorp can't make bad spends or do anything particularly nefarious, because everyone watching the network will reject it.

I'm afraid this could be right. However, there is no hard proof so far. Perhaps there is an algorithm that decides which viewpoint is the most "honest", according to some reasonable definition of "honest", even if only a minority share it. Unfortunately, we didn't find it yet.

It is in the thread. Regardless, the algorithm does not choose for anyone. There is no need to automatically choose, because with consensus there is a clearly defined fork. This isn't possible with proof of work. It isn't even possible with proof of stake.

[sor.rge]

And the failure of proof of hard disk is the same failure as proof of work--the forking chain cannot be destroyed because they can just create new anonymous proofs with no penalty. On the other hand, with an enforced fork and forcing users to make this decision, the evil fork, unless they can convince the entire world that they are honest, will lose all of its money and will not simply be able to reattack the network as with physical media.

So the users will have to make this decision themselves? By this you admit that you don't have an algorithm to resolve the fork, and rely on human judgement to defend against the attack. In other words, you admit that your system is insecure.

At various points in this thread I have described several mechanics as to how users can identify an honest from a dishonest fork.

It could be nice if you put the main mechanic in the OP.

The simplest is of course the fork where their honest friends and merchants are currently creating TBs.

What if the user doesn't have any honest friends? I don't have any honest friends in bitcoin. I have no idea how to even approach the problem of finding them.
What if the honest friends are on different branches? What if they are offline? What if they, like me, have no idea what to do and they just look back at me in hope I will somehow point them to the right branch?
No, that doesn't answer any security question. It's like saying that you have to check bitcoin branches manually to spot someone reversing transaction.

I think the rewards for propagation, no matter how large, will not improve the defense against the attacks.

I believe you are presuming that a 51% attack is still viable. It is not.

It is until the algorithm to choose the best chain is written down and analyzed. So far we have a "largest consensus" rule, which I've shown to be insecure.

You are not referring to any actual attack, just a big generalization. EvilCorp can't make bad spends or do anything particularly nefarious, because everyone watching the network will reject it.

Consider the dropping SHs 51% attack above. Why is it going to be rejected? No oracle merchants are allowed in the algorithm, sorry

Regardless, the algorithm does not choose for anyone. There is no need to automatically choose, because with consensus there is a clearly defined fork. This isn't possible with proof of work. It isn't even possible with proof of stake.

Well, in bitcoin forks are clear as day: when a node receives two block broadcasts with different blocks pointing to the same parent. The algorithm chooses the chain which will eventually get longer. Merely detecting the fork and then offering the user to choose is not a good solution, since the users will not have enough information to make the right decision.

[AnonyMint]

What incentive do I have to further help someone who has made his intentions clear to take all of my ideas and use them for his own purposes as soon as he understands them? It may very well have been your intention from the start. It certainly did not take long for you to try to insert as much as possible of your idea to "simplify" things. It did take longer for you to realize the failure in this.

Sorry, you will have to work these things out on your own. You will not be getting help from me on how to design my protocol for your purposes.

I am not being hostile.

Because you want something from me. Again, I have nothing but disincentive to help you.

Your incentive is that if you can't write the algorithm down, then you can't implement it.

And open source means that anyone can steal as much as they want.

And your paranoia is feigned given I have been mentioning that either proof-of-share or proof-of-hard disk might be suitable. I really don't care if any of my ideas are incorporated. I obviously only care if we design something that works.

You are ducking the requirement to make your algorithms clear, because you fear failure and peer review.

[sor.rge]

You are ducking the requirement to make your algorithms clear, because you fear failure and peer review.

To me it's ok if he doesn't want to discuss the algorithms. There may be many legitimate reasons to do not disclose everything yet (he may try to patent it and so on).
Having no algorithm is another matter, however.

[AnonyMint]

So one of the branches will die immediately, and per your rules it will be the honest branch.

Indeed.

Now for the propagation. I think the rewards for propagation, no matter how large, will not improve the defense against the attacks. The incentives are specified within the system, assuming that it still works; however if there is a possibility to break the system and gain complete control of it, the successful attacker will claim all the rewards and more.

Exactly. That is what I was hoping he would realize if he tried to write down an algorithm for how his incentives were going to stop the 51% attack.

In short, the incentives cannot be used as a security measure. They may serve a role to keep the system efficient, but when it comes to security, they will not guard anything.

Bingo! And yet we have to spell it out for him like this (given his claimed two years of design thought).

51% Rule of Decentralized Agreement
In any decentralized P2P system any consensus fork of agreement is controllable by controlling 51% of the peers.
It must be this way, else there is no way to eliminate minority opinions (minority forks of agreement).

I'm afraid this could be right. However, there is no hard proof so far. Perhaps there is an algorithm that decides which viewpoint is the most "honest", according to some reasonable definition of "honest", even if only a minority share it. Unfortunately, we didn't find it yet.

Such an "honesty" algorithm can not exist because it would need a reference point from outside the system, in order to avoid the alternative of a 51% peer power security from within the system. In a decentralized system there is no outside point of reference.

Perhaps the only possible exception is if there was some reference point from the minority within the decentralized system that did not eliminate minority opinions.

And worse yet, the hard proof that we need a consensus is that we can't even autonomously prove that an event occurred before a moment in time (to prove which is earlier in a double-spend) using an external point of reference without consensus voting. We can prove that an event occurred after a point in time, by signing with a newspaper clipping as Satoshi did to show that he wasn't premining. However, to prove an event occurred before a point in time, requires many observers agreeing that it did, because the future will have occurred by the time we are looking back in history. History is always a memory of the observers and can not be proven autonomously. Thus there is no one history, but multiple histories depending of which observers are telling.

The threat of a 51% attack is not the end of the world for us. It is no worse than Bitcoin, and we may be able to improve on reducing the likelihood of a cartel obtaining 51%.

[AnonyMint]

Except bitcoin's design is not decrits' design. And the failure of proof of hard disk is the same failure as proof of work--the forking chain cannot be destroyed because they can just create new anonymous proofs with no penalty.

This is irrelevant, if the following penalty can never be decided.

On the other hand, with an enforced fork and forcing users to make this decision, the evil fork, unless they can convince the entire world that they are honest, will lose all of its money and will not simply be able to reattack the network as with physical media. Yeah, the "simpler" design is the far more powerful design.

We know of no decentralized way to determine that evil fork is evil. We have shown why in the prior several posts where we discussed the 51% attack.

At various points in this thread I have described several mechanics as to how users can identify an honest from a dishonest fork. The simplest is of course the fork where their honest friends and merchants are currently creating TBs.

And exactly how will you get the rest of the world to agree that this minority is honest? What metric will the non-friends all over the world look at objectively?

Can there be such a decentralized metric other than the 51% power within the system?

I believe you are presuming that a 51% attack is still viable. It is not. Even if a peer is only seeing the dishonest fork, he knows that a large portion of consensus is missing and that the network is not to be trusted until he figures out what is going on. You can't even dupe a newbie node because of the shareholder ledger design, again as previously described.

Incorrect. We showed in the prior posts (on page 16 of this thread) that the evil consensus could contain all the TBs, yet still gain control such that only the evil peers will be able to sign the CB (that has the most signatures given 51% of peers).

The incentives are specified within the system, assuming that it still works; however if there is a possibility to break the system and gain complete control of it, the successful attacker will claim all the rewards and more.

You need to be more specific. You are not referring to any actual attack, just a big generalization.

We already showed the specific 51% attack. You need to show how you stop it algorithmically. I don't believe you will be able to, unless it is some sort of minority consensus reference point algorithm?

I'm afraid this could be right. However, there is no hard proof so far. Perhaps there is an algorithm that decides which viewpoint is the most "honest", according to some reasonable definition of "honest", even if only a minority share it. Unfortunately, we didn't find it yet.

It is in the thread. Regardless, the algorithm does not choose for anyone. There is no need to automatically choose, because with consensus there is a clearly defined fork. This isn't possible with proof of work. It isn't even possible with proof of stake.

Ditto the points made above. By what decentralized metric does any peer choose to ignore the majority fork?

[Etlase2]

So the users will have to make this decision themselves? By this you admit that you don't have an algorithm to resolve the fork, and rely on human judgement to defend against the attack. In other words, you admit that your system is insecure.

I admit that my design is universally better than bitcoin's. Not selecting a fork is completely by design choice, because it is the only way to be 99%+ attack proof. There are two ways a fork can occur: if there is a legitimate split such as a country hitting the "off switch" on the internet, in which case everyone is aware; the other is an intentionally dishonest split by creating a fork in secret or not-secretly dropping the TBs of the honest side.

In the latter case, everyone is still aware of the fork because consensus either is or it isn't. They know that one of the two halves is being intentionally dishonest. Therefore they cannot be fooled. What does it matter if they cannot initially determine which fork is dishonest if they can't be fooled into doing anything?

Even still, as long as the individual is aware of both networks, both networks must operate identically in regards to tx activity or the dishonest network will be easily ousted. The dishonest half can *not* do anything nefarious while the people are deciding which is honest. So if both are available and both are operating, there really is no network interruption.

What if the user doesn't have any honest friends? I don't have any honest friends in bitcoin. I have no idea how to even approach the problem of finding them.

What if the honest friends are on different branches? What if they are offline? What if they, like me, have no idea what to do and they just look back at me in hope I will somehow point them to the right branch?
No, that doesn't answer any security question. It's like saying that you have to check bitcoin branches manually to spot someone reversing transaction.

No, it isn't like bitcoin branches. Some pseudo-anonymous group of peers has elected to bring on a massive fork of the network, and everyone knows it. If the network has any kind of use, this will be massive, massive news. If it is some nefarious evilcorp, that means every honest merchant is not partaking in the split and will say so. If it is some evil government, they either say nothing or give some ultimatum to attempt to force its citizens to use its fork or whatnot.

This attack can't just happen without some kind of agenda, or the money is as good as burned. The decision to which network is honest will be simple unless somehow a large group of various entities and people decide the network isn't doing what they want. In this case, section 4 comes into play and they can create their own network with the rules they want. They will not be able to force the users of the network to use those rules without the consent of the people using the network.

Well, in bitcoin forks are clear as day: when a node receives two block broadcasts with different blocks pointing to the same parent.

This is not clear because the PoW is anonymous. Bitcoin cannot aggregate PoW blocks that are attacking the network into separate piles. It has no clue and dumbly accepts whatever chain is longer. Since there is no penalty for attacking the network, nothing can be done about it anyway other than developers patching out each attack that anonymous PoW throws at the network.

[AnonyMint]

Okay now we are making progress.

Not selecting a fork is completely by design choice, because it is the only way to be 99%+ attack proof.

Okay that is a crucial statement.

You propose a system that has multiple truths, thus potentially double-spends. But you propose a resolution below...

Even still, as long as the individual is aware of both networks, both networks must operate identically in regards to tx activity or the dishonest network will be easily ousted. The dishonest half can *not* do anything nefarious while the people are deciding which is honest. So if both are available and both are operating, there really is no network interruption.

Good point, but it requires the minority forks continue to be extended by some peers, otherwise the majority fork could exclude transactions and there would be no minority fork to prove they were excluded.

The evil fork CBs could be withholding TBs from the minority forks or at least the minority forks could be forced to be one CB delayed on including these, and including the TBs from the minority forks. This doesn't refute your point.

Assuming the minority peers can identify the dishonesty of the majority fork (which I questioned in my prior post), the other key question is do the minority peers have an incentive to continue the minority fork?

Detection and incentive may be the same mechanism. If they can try signing the CB of majority fork, and if they are continuously ignored and not allowed to sign the CB that has the most signatures, and if many CB signatures (note I am not referring to TBs here) in the minority fork are not included in the majority fork CB, then they should have an idea that the majority CB is ignoring the minority. Also this means they can't get paid transaction fees (nor minting if we use proof-of-hard disk) in the majority fork, so they must stay with the minority fork to earn anything.

So perhaps there is a decentralized way of finding dishonesty?

But what is the specific algorithm to trigger this decision by autonomous minority peers?

Some pseudo-anonymous group of peers has elected to bring on a massive fork of the network, and everyone knows it. If the network has any kind of use, this will be massive, massive news.

But it would be much better if we don't rely on an external point-of-reference, in fact I assert this is a security attack vector, because it would require the users setting some flag in their peers or some centralized server doing it. What about my decentralized method above for detecting the attack?

Well, in bitcoin forks are clear as day: when a node receives two block broadcasts with different blocks pointing to the same parent.

This is not clear because the PoW is anonymous. Bitcoin cannot aggregate PoW blocks that are attacking the network into separate piles. It has no clue and dumbly accepts whatever chain is longer. Since there is no penalty for attacking the network, nothing can be done about it anyway other than developers patching out each attack that anonymous PoW throws at the network.

Agreed retaining multiple forks is a crucial design statement. Now we need to decide if we can avoid double-spends and mulitple truths in a decentralized algorithm. See above.

Since there is no penalty for attacking the network, nothing can be done about it anyway other than developers patching out each attack that anonymous PoW throws at the network.

So we penalize the evil peers who do not sign the minority fork CB, since they can't all sign it, for if they did, it would no longer be the minority.

So this is the importance of proof-of-share, that we can destroy it as you've stated above and upthread (unlike proof-of-hard asset since the asset can't be destroyed by an algorithm).

[AnonyMint]

Ok Etlase2 has clarified that minority forks should be incorporated into an algorithm to decide which is the honest fork.

The only decentralized algorithm I see for potentially detecting this dishonest majority fork is noting it excludes many CB signatures from the minority fork. However the minority fork will also be missing CB signatures from the majority fork. So how do we know algorithmically that the majority is dishonest?

Sorry I just don't see an algorithm here. This is not a hostile intent, I am merely searching for the truth on this matter.

Besides even if you can resolve the above, then I can propose an attack where the majority creates a plurality of minority forks.

Sorry I don't think you can escape from the 51% Rule of Decentralized Agreement.

[sor.rge]

Besides even if you can resolve the above, then I can propose an attack where the majority creates a plurality of minority forks.

Yes I also had this idea today. It's even worse than a single attack. The evil cartel doesn't need to make a visible "disaster" by dropping a lot of people at the same time. It will just chop them off in small batches, each one too small to be "heard" by the masses.

[Etlase2]

The next task you gentlemen are realizing is to separate the security from the propagation. Somewhere, I think I mentioned this. Oh yeah, in the OP. Start moving on to that system.

[AnonyMint]

The next task you gentlemen are realizing is to separate the security from the propagation. Somewhere, I think I mentioned this. Oh yeah, in the OP. Start moving on to that system.

Purposefully and arrogantly evasive. Address the specific points.

We have stated why we don't think that matters. And we have asked you to tell us an algorithm that refutes our statements.

As if the cartel can't get 51% of the CNPs or what ever you propose for specific architecture for propagation. Tell us this magic algorithm please?

[Etlase2]

Purposefully and arrogantly evasive. Address the specific points.

I was intending to be playful and get you to start making the connection yourselves, because it seemed that progress was being made.

As if the cartel can't get 51% of the CNPs or what ever you propose for specific architecture for propagation. Tell us this magic algorithm please?

51% of the CNPs does not accomplish anything.

[bitcoiners]

Purposefully and arrogantly evasive. Address the specific points.

I was intending to be playful and get you to start making the connection yourselves, because it seemed that progress was being made.

As if the cartel can't get 51% of the CNPs or what ever you propose for specific architecture for propagation. Tell us this magic algorithm please?

51% of the CNPs does not accomplish anything.

So I'm making a list.  Who are you and what are your qualifications for being a lead dev on an crypto?  Please let us know.

Edit: you can answer here or here. https://bitcointalk.org/index.php?topic=225643.0.

Cheers.

[AnonyMint]

51% of the CNPs does not accomplish anything.

Evil signing peers may only propagate to their evil CNPs. Thus you've solved nothing. That is why I asked for your specific magic algorithm.

I knew already vaguely what you are proposing and I am asking for the specific algorithm. You force me (and others to waste time) with guessing games. "Playful" is entirely disrespectful of our time.

Basically your idea must have something to do with separating the peers that sign the TBs and CBs from the propagation of them to other peers.

We can require in the protocol that signing peers are not allowed to propagate to other signing peers, thus they can not withhold. All communication must be done through these other CNP-type peers. But we can't stop them from controlling the CNPs they wish to propagate through. And there is no way to require them to propagate through every CNP.

Shuffle the cards incessantly, but there will always be a 51% Rule of Decentralized Agreement.

If I am wrong, prove it by stating an algorithm. I hope I am wrong.

[Etlase2]

51% of the CNPs does not accomplish anything.

Evil signing peers may only propagate to their evil CNPs. Thus you've solved nothing.

Except that it solves the propagation weakness. Now there *are* two defined chains, regardless of any evilcorp shenanigans. The second chain will not be lost. If evilcorp controls 90% of the CNPs, that means 1 in 10 of them is carrying the honest chain. It won't take very long for any non-network node to find the missing portion of consensus.

I have some serious game-theory adjustments to the simplistic 90% attack as well to make it far less viable than it even already should seem. But those are details that need not be explained until implementation, because they are not relevant to showing the futility of this attack.

"Playful" is entirely disrespectful of our time.

Except that you have refused to see the reasoning behind each aspect until you have discovered the worthiness of it on your own. And you have repeatedly derailed me in trying to get you to see the overall picture. The implementation details are irrelevant until you do. So it is your own fault.

We can require in the protocol that signing peers are not allowed to propagate to other signing peers, thus they can not withhold. All communication must be done through these other CNP-type peers. But we can't stop them from controlling the CNPs they wish to propagate through. And there is no way to require them to propagate through every CNP.

But as long as they can't prevent the fork, they can't take control, so none of this is necessary or worrisome unless you expect evilcorp to control the entire view of the network. With the efficiency of the system, this borders on completely impossible. Even peers who only maintain SH sigs (that 1kB/s for 5 million SHs figure I previously described) will know who caused the fork. On a sufficiently large network, evilcorp will have to fool the entire world.

There are layers of interconnectivity that must be unraveled here. You have tried to reverse engineer the system and have not been successful. I tried to get you to stay on one course and failed because I let you bog me down with less relevant details. I won't make that mistake again.

[AnonyMint]

Evil signing peers may only propagate to their evil CNPs. Thus you've solved nothing.

Except that it solves the propagation weakness. Now there *are* two defined chains, regardless of any evilcorp shenanigans. The second chain will not be lost. If evilcorp controls 90% of the CNPs, that means 1 in 10 of them is carrying the honest chain. It won't take very long for any non-network node to find the missing portion of consensus.

You keep shuffling around some details which are just repeating the same flawed logic. There is no possible decentralized metric for peers to know which one of these forks is the honest one.

You have presented no algorithm for deciding which fork is the honest one.

How long are you going to play this shell game with us?

We can require in the protocol that signing peers are not allowed to propagate to other signing peers, thus they can not withhold. All communication must be done through these other CNP-type peers. But we can't stop them from controlling the CNPs they wish to propagate through. And there is no way to require them to propagate through every CNP.

But as long as they can't prevent the fork, they can't take control, so none of this is necessary or worrisome unless you expect evilcorp to control the entire view of the network. With the efficiency of the system, this borders on completely impossible. Even peers who only maintain SH sigs (that 1kB/s for 5 million SHs figure I previously described) will know who caused the fork. On a sufficiently large network, evilcorp will have to fool the entire world.

Agreed the system can record multiple ledgers. This is irrelevant. You must address the fundamental issue above.

[sor.rge]

Let me recap what I understood so far about the attack resolution.

We (the honest people) know that there is a fork. Suppose we also know that it was created intentionally (although this point can also be attacked). We also know the two sets of peers who disagree. Each party claims that the other didn't sign in time, or didn't sign the right thing. We keep both, as opinions. They must be synchronized to some extent, otherwise we will observe one of them doing something strange, detect the fraud and dismiss their branch (algorithm pending). However they will not be fully synchronized, since in their respective branches they didn't loose the money while their adversary did. So the branches will gradually diverge. But everyone will be cautious to accept the questionable money from the disagreeing peers, because their branch can be eliminated at any time, so the divergence will not be a big problem apparently. It will load the systems though, because they all need to check everything twice for both branches.

The problem, as AnonyMint has already stated, is that there seems to be no way to end the situation. The malicious peers may keep creating branches until they become unmanageable.
I understand the "trusted party" proposal, however it's not a solution because the trust is not formalized within the system. If we are to accept trust-based resolution, then the whole security of the system relies on this trust mechanism, therefore we need to look more into that. BTW there is a proposal for trust-based coin on this board already, it's called eMunie.

[Etlase2]

The problem, as AnonyMint has already stated, is that there seems to be no way to end the situation. The malicious peers may keep creating branches until they become unmanageable.

Except to perform this attack, EvilCorp must control some significant portion of consensus. It must be able to deny honest TBs from the chain, which it can only do if it controls many TBs in a row. AnonyMint and I went over this in significant detail.

If TB 3 is honest, and TB 4 is evil and he does not include TB 3, and TB 5 is honest, he includes TB 3 and TB 4 and EvilGuy accomplishes absolutely nothing. No fork is created. Trying to create a fork in the open can not work.

If a large group of SHs collude in secret to create another chain that includes the honest TBs but makes it look as if the honest side is excluding theirs, they must not acknowledge consensus with this collusion of peers for days. You aren't going to do this without the entire network-using population noticing. Then they release their chain with "full consensus" and expect anyone to believe them. It doesn't look like they have the better chain because none of their chain is actually confirmed by the other side, even if it includes the honest sides' signatures. How can those signatures confirm TBs they did not see?

But that rightly only gets us back to there being more than one chain.

So we have one chain made in secret that no one knows about, and one public chain that has been used for days while the evil consensus has built up. Every single person who has monitored the network knows which chain was public and available. Every single person. This requires 1kB/s at 5 million SHs. We are already assuming 5 million SHs, how many more million or billion people are paying attention to the network at this point? No decision needs to be made for them, they already know the honest chain. They will not accept some chain days later that attempts to make what is already public knowledge look as if it was the secret chain.

So the only people we have to worry about are those who have not monitored the network and are completely oblivious to the world's monetary system takeover attempt (hehe). They will be notified any time they go to use the money by everyone who has paid attention. Unless you can get Starbucks, Amazon, Walmart, your local mom & pop store, to all agree to be nefarious and collude against the few people who have been oblivious.

I understand the "trusted party" proposal, however it's not a solution because the trust is not formalized within the system. If we are to accept trust-based resolution, then the whole security of the system relies on this trust mechanism, therefore we need to look more into that. BTW there is a proposal for trust-based coin on this board already, it's called eMunie.

It isn't trust, it is consensus. eMunie is a sybil attack's playground. And "already" implies that it came before decrits, which it did not.

You keep shuffling around some details which are just repeating the same flawed logic. There is no possible decentralized metric for peers to know which one of these forks is the honest one.

You have presented no algorithm for deciding which fork is the honest one.

How long are you going to play this shell game with us?

It is in the OP and I have reiterated it throughout the thread. CNPs will drop suspicious TBs. Any honest peer monitoring the network will. Thousands of TBs mysteriously appearing days after their consensus window probably qualifies as suspicious. The exact implementation is just a detail. The network is easy and efficient to monitor. EvilCorp can't fool anyone monitoring the network.

So for someone who is oblivious, I ask again, do they believe Amazon, Best Buy, Walmart and their friends regarding which network is honest, or do they go with the nefarious group that isn't saying anything? The only point that matters for an oblivious person is when they go to pay for something which requires another party. Will this person also be oblivious? How many oblivious people does it take to cause a problem? Can we have an entire network of oblivious people that EvilCorp can fool? Because that's what it takes to be successful in this attack. But they're only fooling oblivious people. And they lost their entire deposit on the honest chain.