[ANN][YAC] YACoin ongoing development

[aso118]

Could be an exchange, maybe.

That was my first thought too - It might be bter or crypsty. 

If it is, we should see coins coming and going from the wallet as well.

[sairon]

Could be an exchange, maybe.

That was my first thought too - It might be bter or crypsty.  

If it is, we should see coins coming and going from the wallet as well.

If it's cryptsy's cold storage with YAC trading still disabled and some people too lazy to withdraw, though...

[Gorgoy]

One question I still have is : what is to prevent a user from forcing the generation of a POS block (which is just a flag when starting the wallet now, correct?), jumping offline before the generation is complete and coming back on 6 hours later.  Does it attach to the end of the blockchain? or does it insert where the blockchain was when the block was generated (not submitted), potentially orphaning 360 blocks?  

He can generate a PoS block wherever in the chain he likes, however with trust reduced to 1 it's useless to do so. And the "no consecutive PoS" rule prevents him from doing any damage even if he has millions of PoS-eligible inputs.

So, it appears that the genesis for the hash on a POS block is based on the coin age of the input.  If POS isn't successful (due to the most recent block being POS), then the coin age is not destroyed, and can be attempted later, which can be as soon as a minute (in an ideal model) as a miner finds a POW block to sit on top of the minter's POS block.

I just wasn't certain if the whole orphaning was being caused by the POS blocks having to be inserted into the blockchain at the point it was generated as opposed to when the minter was connected to the network.

Is cementing an option, or would that be really bad with our current distribution of hashpower (mostly centralized)?  https://en.bitcoin.it/wiki/Proof_of_Stake#Cementing

IMO cementing is a bad idea as it requires us to trust PoS (which we don't as of now).
Also there could be some race-conditions and other nasty issues that could easily result in network fragmentation.

I can't seem to wrap my mind around it, why is POS untrustworthy and POW trustworthy? So I have to trust a miner who has millions and millions of hashing power that he will not generate dozens of blocks in a series? That happens now, everyday and no one seems to care.

[Gorgoy]

Would you mind elaborating a bit?

1) You have to maximize an active weight. It doesn't matter how you do so, but you have to do it for any price (even for constant trolling from ignorant kids), because that's necessary to survive.

2) You have to make attack energy expensive, in order to prevent free attack attempts. Otherwise user will be able to use OpenVZ and 10000+ wallet copies to make 10000+ attempts without any problem.

NovaCoin maximizes active weight using a variable RoI and limited block reward. It also implements a variable trust idea, the consequtive PoS or PoW blocks has lower trust in comparison with a hybrid chain. Attacker have to generate a hybrid chain to make success.

Since YACoin is a fork of NovaCoin, who it not have this feature already it it? I mean YACoin comes from Novacoin.

[Joe_Bauers]

Would you mind elaborating a bit?

1) You have to maximize an active weight. It doesn't matter how you do so, but you have to do it for any price (even for constant trolling from ignorant kids), because that's necessary to survive.

2) You have to make attack energy expensive, in order to prevent free attack attempts. Otherwise user will be able to use OpenVZ and 10000+ wallet copies to make 10000+ attempts without any problem.

NovaCoin maximizes active weight using a variable RoI and limited block reward. It also implements a variable trust idea, the consequtive PoS or PoW blocks has lower trust in comparison with a hybrid chain. Attacker have to generate a hybrid chain to make success.

Since YACoin is a fork of NovaCoin, who it not have this feature already it it? I mean YACoin comes from Novacoin.

It's forked from an older version of Novacoin.

[sairon]

I can't seem to wrap my mind around it, why is POS untrustworthy and POW trustworthy? So I have to trust a miner who has millions and millions of hashing power that he will not generate dozens of blocks in a series? That happens now, everyday and no one seems to care.

You can generate PoS blocks without even trying and as it is now, they can "overwrite history", which is bad.
For PoW, however, you must spend a lot of electricity so it actually costs you something (quite a lot) trying to change history.

[senj]

I think I have a solution (not centralized) for comparing different blockchain forks.
However I need some more information.

How do yacoin clients fetch data from other peers - do they ask for latest block and then get them one by one by previous block link or do they go in other direction and ask peers for next block from the time of their most recent block on disk?

[senj]

1.
Private mining needs wider timespans between PoW blocks in order to keep difficulty low.

	t1	t2	t3	t4	t5
◔	▉	▉	▉	▉	▉

Average of PoW block intervals ( t[ i+1 ]-t[ i ] ) should be therefore longer with fake chains. And that can be used for chaintrust calculation.


2.
Window for one PoS block opens randomly

Prevents miners to exclude PoS blocks and replace it with more profitable PoW. I think it also makes it a bit harder to prepare for network takeover with private PoW mining on lower difficulty after PoS is found. With shortening intervals on each Nfactor change it also enables gradual PoS mechanism takeover.

Example formula: mod(last1440blocks.getTransactionCount(), x) ==  0
X could range from 500 ( approx. 1-3 times a day ) down to 10 (every ten minutes).


3.
No two consecutive PoS blocks allowed (prevents PoW block orphaning)

What would be an possible attack scenario or significant shortcoming if this is implemented?

[ilostcoins]

Is it ok to set the trust score for a POW block to be the difficulty? For a POS block, if the previous block is POW, assign the same trust score as that POW block; if the previous block is POS, divide that POS block score by 2 (or a similar factor)? The propagation of a POW block score through the following POS blocks would then die down quickly. The score for any chain is just the sum of scores from individual blocks. I'm not sure whether N factor need to be accounted for here.

The basic issue seems to be that there is no obvious way to compare the trustworthiness of a POW and a POS block. POW blocks can be compared with difficulty, which is tied to how costly it is to generate them on average. POS block doesn't have any obvious cost of generation that can be compared. If I'm not mistaken, YACoin is currently using coin-age for this comparison in a way that greatly favours POS, hence the potential for a POS block to be selected over a long sequence of POW blocks. However, coin-age isn't a cost at all because there is no alternative use for it. The money you use in POW mining is a cost because there are some other nice things you can use the money on, and you sacrificed that opportunity. In the above suggestion, I'm just trying to rate a POS block similarly as a POW block at the time, unless it's following another POS block. The part about getting lower trust score if the previous block is POS, is not because I want to put POS on a lesser footing. It's just because I don't want the influence of an individual POW block to propagate far.

In any case, regarding some kind of criteria for keeping POS:POW blocks ratio near an expected/optimum value, the following need to be considered. Let's say you increase or decrease the score of a chain based on how close the POS:POW ratio is to 1:10. Denote POS block by S and POW by W. A short sequence like WWW may then be chosen over a sequence like SWS at some point in time. However, that could then quite easily be followed by 20 W's. Considered as a 23 blocks chain together with the 20 W's, the previously rejected SWS segment could then have a very favourable role to play in the score. The point is if trust score depends on some larger scale features of the blockchain which span many blocks, the score contribution of an individual block can change over time, from unfavourable to favourable in this example. The very same criteria that leads to rejection of some blocks, could turn around and value those highly at a later point. Having a score assignment criteria that looks farther into the past should also provide more opportunities for this effect to show.

Another question I think we should think about now is whether the block target for POS should be decreased. For example, changing it from 10min to 5min could make it more helpful in case POW is generating too few blocks, but the average block numbers per 10 minutes is only changing from 11 to 12.

[sairon]

I had a similar idea a while ago (with no-consecutive-PoS rule, though): http://pastebin.com/L8THNBZ4
Not sure if lowering the PoS interval would help us much.

[alenevaa]

Can we define the criteria that no one POS-block can orphan more than N POW-blocks? Where N for example = 7.

[sairon]

Can we define the criteria that no one POS-block can orphan more than N POW-blocks? Where N for example = 7.

What we need is a proper way to calculate the chain trust.

[senj]

Another thing regarding chaintrust calculation:

Since reward considers difficulty and get's lowered with higher difficulty, private miners would produce higher supply in equal timeframe.
EDIT: presuming PoS block count is equal or similar (but that can be enforced)

[sairon]

Another thing regarding chaintrust calculation:

Since reward considers difficulty and get's lowered with higher difficulty, private miners would produce higher supply in equal timeframe.

Not neccessarily true with eg. 50% PoS blocks in the attacker's chain.
Relying of PoW difficulty itself might be ok, though - see the pastebin a few posts higher.

[senj]

As mentioned before: PoS block spacing and thus occurrence can be controlled.

Difficulty alone is most useful for block to block comparrisson (but not only that).
I am trying to point out that PoW currency supply can be used as additional input for calculating chaintrust. It can be looked at as a historical difficulty average.

Even if you leave the attacker control over number of PoS blocks, you can still average the sum of PoW rewards over number of PoW blocks and use that as factor.

[ilostcoins]

I had a similar idea a while ago (with no-consecutive-PoS rule, though): http://pastebin.com/L8THNBZ4
Not sure if lowering the PoS interval would help us much.

I mentioned the PoS interval not as something directly related to chain trust calculation. Just that since we're going to have a hard fork anyway, may as well think broader about what else we may want to put in and change things in one go.

[ilostcoins]

...
I am trying to point out that PoW currency supply can be used as additional input for calculating chaintrust. It can be looked at as a historical difficulty average.
...

I think block reward (excluding transfer fees) is completely determined by difficulty of the block, and therefore, does not provide any information independent of difficulty. Not sure if it may simplify certain computation though.

[Thirtybird]

Let me quote Balthazar on how Novacoin does it and utilize the thought process that's already gone into it and the scrutiny I'm sure it's been given.

Original message is here : https://bitcointalk.org/index.php?topic=143221.msg2392797#msg2392797

Protocol update: Preconditions and prospects.

Just like PPCoin, NovaCoin uses ChainTrust score instead of ChainWork (used by BTC, LTC and another PoW-based systems).

We decided to implement the new chain trust score calculation algorithm. It will prevent pure PoS double-spend attacks even without broadcasted checkpoints. Now I'll try to describe, how it works in comparison with an old algorithm.

Old chain trust score calculation algorithm basics:

1) PoW block always adds 1 to current chain trust score;
2) PoS block adds (CBigNum(1)<<256) / (bnTarget+1) to chain trust score.

Result: we have dictatorship, stakeholders are Gods here.

Benefits: It's impossible to perform PoW-based double-spend or DoS attack.
Flaws:

• Owner of enough stake weight (25% of total weight or more) able to perform PoS-based double-spend or DoS.
• Double-spend could be prevented by broadcasted checkpointing.

New chain trust score calculation algorithm will be more complicated. Here is the concept (1/3 and 2/3 are parts of example, final ratio values can differ from this):

1) PoS block adds (CBigNum(1)<<256) / (bnTarget+1) to the total chain trust score only if it has PoW block as parent;
2) PoS block adds only 1/3 of "usual" PoS block trust score if it has PoS block as parent;
3) PoW block adds (CBigNum(1)<<256) / (bnPrevBlockTarget+1) to the total chain trust score, if it has PoS block as parent;
4) PoW block adds 2/3 of previous block trust score to the total chain trust score, if it has PoW block as parent.

Result: Hybrid chain always has higher trust score than pure PoW or pure PoS chain.

Benefits: It's impossible to perform pure PoW or PoS-based double-spend. DoS-like attack scenario is also impossible in such cases. Attacker must combine enough PoW & PoS generation power to get success.

Flaws:

• System will become slightly less energy efficient. But still more efficient than PoW-based system.
• 

According to release plan, new algorithm will be introduced in 0.4.3, but will be inactive on the main network until 20 Sep 2013.  

[sairon]

Let me quote Balthazar on how Novacoin does it and utilize the thought process that's already gone into it and the scrutiny I'm sure it's been given.

Original message is here : https://bitcointalk.org/index.php?topic=143221.msg2392797#msg2392797

<snip>
Flaws:

• System will become slightly less energy efficient. But still more efficient than PoW-based system.
• 

According to release plan, new algorithm will be introduced in 0.4.3, but will be inactive on the main network until 20 Sep 2013. 

Yeah, but another flaw is that the protocol does not enforce alternation of PoW and PoS. Say an attacker somehow manages to make a chain that 100% alternates between PoW and PoS - it WILL have higher trust score and WILL overwrite the old chain. Also note that this type of attack will have lower energy cost than the network spent on its non-perfect chain. Perfect chain costs less (!!) than imperfect one.

However, if we were to actually enforce such alternation, pools will be starving when PoS block should be generated.

[senj]

...
I am trying to point out that PoW currency supply can be used as additional input for calculating chaintrust. It can be looked at as a historical difficulty average.
...

I think block reward (excluding transfer fees) is completely determined by difficulty of the block, and therefore, does not provide any information independent of difficulty. Not sure if it may simplify certain computation though.

Here is an example I had in mind:
Rogue miner is mining private chain and when he gets far into the future he starts mining with higher difficulty than he thinks real difficulty will be at that time. If you just compare latest blocks when he releases his chain you might prefer his fork.

Remind you that I do not know how chain forks get compared in detail.