wozzek23 | December 01, 2014, 05:08:26 PM

It's basically about the problem which occurs in every PoW coin, also BTC. The whole network hash rate (which secures the network and is meant to be decentralized on miners all over the network) is tunneled through the major pools. If a pool reaches more than 51% of the network hash rate, the pool operators could do attacks like double-spending etc. It's also easy to attack the network by compromising the pool servers of the 3 largest pools (which make up a hash rate greater than 51%).
edit: thelonecrouton, do you know some mathematical analysis, paper or something which shows why pool users gain more block rewards (pool finds more blocks statistically) than solo miners? My assumption would be there is no difference at infinite time
Great, thank you.

Minotaur26 | December 01, 2014, 05:10:31 PM

I'm sure someone will dig up the percentages and it was incredibly lower than one percent. This is why we commissioned Kristov Atlas.
At this point you do sound more and more like a concern troll.
I can quite imagine I might be coming off that way, but I'm not. It is admittedly a rather legitimate and serious concern so I think we can discredit trolling. ChildHarold is most definitely a concern troll, offering no facts and just trying to create a discussion hoping to include his solution as an alternative when it is not. The easiest way to respond to this is with facts so here we go: A concerned user could mix his coins using Darksend to a depth of 8 rounds, assuming a network of 1300MN, a person controlling 100 MN would have a 0.000000093986159131% chance of uncovering a particular transaction. A person controlling 50% of the network, meaning owning 650MN, would have a chance of 0.382253675331956000% of uncovering a specific transaction. In this case he would have to acquire 650000DRK in the open markets which would sky rocket the price, and do this knowing he has 99.62% probability of not uncovering the transactions he is looking for. The system is very well designed; an attacker would have to control 90% plus of the network to have a chance of around 40% of uncovering a transaction, at which point he would be the only one with Darkcoins and the price would surge to the thousands. Having said this, a really concerned user could just send his coins through more rounds. Other anon systems are vulnerable to sybil attacks too and use secret keys or cryptography that could one day be uncovered. Darksend is future proof. Besides this solid anon solution, it supports instantaneous transactions and the ahead of time mixing prevents timing analysis. It is really best balanced all around anon coin in the market and the market recognizes this period. I came in here to ask questions. I never claimed to offer facts or solutions. I wanted to know if Evan had changed his opinion of ZK since the landscape may have changed in the six months since his remarks. A convo about MN's began and it was good to get clarifications.
A few FACTS about MN's have been explained and I am grateful for the responses. One thing I did suggest is that MN operators might be wary of U.S. providers like Amazon. I cannot deliver facts to substantiate my feeling about this. I'm prob just paranoid. I am not sure it is a fact you'd need to own the darkcoins, just have backdoors into the servers the MN's are running on would seem sufficient (although maybe not). Agreed this all sounds very unlikely but as long as there is a CHANCE of de-anonymization I'd like to know the odds. Thanks for doing the maths regarding these odds. I can be sure these numbers are good? cheers This is unofficial, please do your own math, but it should give you a good idea:

thelonecrouton | December 01, 2014, 05:12:57 PM (Last edit: December 01, 2014, 05:25:46 PM by thelonecrouton)

edit: thelonecrouton, do you know some mathematical analysis, paper or something which shows why pool users gain more block rewards (pool finds more blocks statistically) than solo miners? My assumption would be there is no difference at infinite time
You're right, over a long enough timespan it would be the same. The advantage of pooled mining for miners is that when one miner in the pool finds a block, they all share the reward, so the income is steady. Great for miners, completely crap for blockchain security. If the blockchain were maintained solely by Masternode consensus, the system would be hundreds of times more secure than it is now, and hundreds of times more expensive to attack. Personally I'd like a backup plan though, and if solo mining can be enforced (or heavily financially incentivised vs. pooled mining) at a protocol level then that would be great. And there are blockchain models that make that possible, if the will is there to adopt them.
edit - example protocols:
https://bitslog.wordpress.com/2014/06/19/theoretical-and-practical-nonoutsourceable-puzzles/
http://hackingdistributed.com/2014/06/18/how-to-disincentivize-large-bitcoin-mining-pools/

superplus | December 01, 2014, 05:27:25 PM

edit: thelonecrouton, do you know some mathematical analysis, paper or something which shows why pool users gain more block rewards (pool finds more blocks statistically) than solo miners? My assumption would be there is no difference at infinite time
You're right, over a long enough timespan it would be the same. The advantage of pooled mining for miners is that when one miner in the pool finds a block, they all share the reward, so the income is steady. Great for miners, completely crap for blockchain security. If the blockchain were maintained solely by Masternode consensus, the system would be hundreds of times more secure than it is now, and hundreds of times more expensive to attack. Personally I'd like a backup plan though, and if solo mining can be enforced (or heavily financially incentivised vs. pooled mining) at a protocol level then that would be great. And there are blockchain models that make that possible, if the will is there to adopt them. I don't know exactly how this would be done on protocol level, but I definitely would vote for that solution! Maybe this could be a topic to discuss with Evan in detail after the next release is out. edit: nice links, I'm gonna read them later on!

salmion | December 01, 2014, 05:31:01 PM

Mining and masternodes have to remain separate.
If the masternodes go down you can't mix. However if the two are linked you are putting all your eggs in one basket.
Every update would have to be absolutely perfect. You don't want to be in a situation where if something needs to be fixed with the MN network the coin stops.

child_harold | December 01, 2014, 06:05:57 PM

This is unofficial, please do your own math, but it should give you a good idea: thanks for this. the final values presented here reflect a chain of 8 MN's, correct? but the default for DarkSend is set at 2 (or less than 8 anyway). is this also correct? obviously 8 is exponentially better than 2. Please correct any mistakes. thanks.

superplus | December 01, 2014, 06:15:01 PM (Last edit: December 01, 2014, 06:25:19 PM by superplus)

This is unofficial, please do your own math, but it should give you a good idea: thanks for this. the final values presented here reflect a chain of 8 MN's, correct? but the default for DarkSend is set at 2 (or less than 8 anyway). is this also correct? obviously 8 is exponentially better than 2. Please correct any mistakes. thanks. yes, probability first row with 2 rounds would be ~0.038^2 second row ~0.057^2 and so on.. if that is too risky for you, you can set it to 8 in preferences

Minotaur26 | December 01, 2014, 06:23:39 PM

This is unofficial, please do your own math, but it should give you a good idea: thanks for this. the final values presented here reflect a chain of 8 MN's, correct? but the default for DarkSend is set at 2 (or less than 8 anyway). is this also correct? obviously 8 is exponentially better than 2. Please correct any mistakes. thanks. You are correct, the numbers are for 8 rounds. Remember this only analyzes the rogue masternode argument and tries to answer the question: What is the probability of success, someone acquiring masternodes to uncover specific transactions would have? This has an economic component to it, as someone attempting this type of attack would have to acquire the coins on the open market, driving the price to the stratosphere to have any chance of success and spending a lot of money. Mixing depth is configurable on the client from 2 to 8 rounds at the moment; the user chooses the level of anonymity he prefers. If you are only buying herpes medicine and don't want people to find out, 2 rounds might be more than enough to manage your risk; if you are buying on a dark market, 8 plus rounds would be your choice. There is no particular reason why 8 rounds is the max, you could do more rounds if it was necessary. Also the mixing is done ahead of time, you may mix now and spend a year later, this is really good to avoid timing analysis.
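
Added example (not part of any post in this thread and not Darkcoin project code): a calculator for the rogue-masternode odds discussed above, so the effect of mixing depth can be rechecked for other network sizes. It assumes each round uses a different masternode drawn uniformly at random without replacement, a model that reproduces the two 8-round percentages quoted earlier for 100 and 650 of 1300 masternodes; the function names are hypothetical.

```python
from fractions import Fraction


def p_all_rounds_hostile(total_mn, hostile_mn, rounds):
    """Chance that every masternode used in a `rounds`-deep mix is hostile.

    Assumed model (not taken from Darksend code): each round uses a different
    masternode, drawn uniformly at random without replacement.
    """
    if not 0 <= hostile_mn <= total_mn or not 1 <= rounds <= total_mn:
        raise ValueError("need 0 <= hostile_mn <= total_mn, 1 <= rounds <= total_mn")
    p = Fraction(1)
    for i in range(rounds):
        # i hostile nodes are already used; with none left the product is 0
        p *= Fraction(max(hostile_mn - i, 0), total_mn - i)
    return p


def min_hostile_for(total_mn, rounds, target):
    """Smallest hostile node count whose probability reaches `target`."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    lo, hi = 0, total_mn  # probability is non-decreasing in hostile_mn
    while lo < hi:
        mid = (lo + hi) // 2
        if p_all_rounds_hostile(total_mn, mid, rounds) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def risk_table(total_mn, shares, round_choices):
    """Percent risk keyed by (hostile share, rounds); shares are Fractions."""
    table = {}
    for share in shares:
        hostile = int(total_mn * share)
        for rounds in round_choices:
            p = p_all_rounds_hostile(total_mn, hostile, rounds)
            table[(share, rounds)] = float(p) * 100
    return table


if __name__ == "__main__":
    N = 1300  # network size used in the thread
    shares = [Fraction(1, 10), Fraction(1, 5), Fraction(1, 2), Fraction(9, 10)]
    depths = [2, 4, 8]
    table = risk_table(N, shares, depths)
    print("hostile share " + "".join(f"{r:>2} rounds".rjust(16) for r in depths))
    for share in shares:
        row = "".join(f"{table[(share, r)]:15.6f}%" for r in depths)
        print(f"{float(share):>12.0%}  {row}")
    for r in depths:
        need = min_hostile_for(N, r, Fraction(1, 100))
        print(f"{r} rounds: {need} hostile masternodes needed for a 1% chance")
```

The model covers only the rogue-masternode question; it says nothing about compromised hosting, which is raised separately in the thread.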

toknormal | December 01, 2014, 06:36:46 PM

If I was strategy commander for Darkcoin (which I'm not by the way), I'd create some kind of contingency whereupon the mining majority could somehow protect the masternode majority in some kind of symbiotic dependency. i.e. to subvert the masternode population you'd have to subvert the mining population as well. You have that utterly arse backwards. 90% of mining goes through 5 pools. And you would need at most 3 of them to control or destroy the coin. Mining provides exactly fuck all security. I doubt it. I realise that it's fashionable right now to be maligning the idea of pools because of their "potential" to threaten the network. But the reality is that pools are still aggregations of decentralised mining power. Its subscribers are generally actors in good faith. You can't just "buy up" that kind of mining power. On the other hand, masternodes can be bought. I don't have enough technical understanding to know how much of a threat this poses to the network or even if it's a threat at all, but I've set up a masternode and could envisage how, over time, a single player could monopolise the network. Aggregated mining is not the same thing as "centralised" mining. Whereas if I bought up 50% of the masternodes that WOULD be centralised masternoding because I have control over all those masternodes myself - they can't "wander off" to another pool.

droptable | December 01, 2014, 06:49:43 PM

yes, a 51%-attack is a bad thing. but it's not the end. so when a 51A happens, the second (or more likely, some minutes after) people will point their power elsewhere. is the state of the shares concerning? yes. is the end of the world near? no. //BUT thank you for your concerns. It's good to have people around pointing out weaknesses!

An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:
- Reverse transactions that he sends while he's in control
- Prevent some or all transactions from gaining any confirmations
- Prevent some or all other generators from getting any generations

The attacker can't:
- Reverse other people's transactions
- Prevent transactions from being sent at all (they'll show as 0/unconfirmed)
- Change the number of coins generated per block
- Create coins out of thin air
- Send coins that never belonged to him

DΛRKCOIN -> is now -> DΛSH ---------- not DashCoin, not DarkDash, not anything. The Name has been / is changed the tech stays the same

TaoOfSaatoshi (Dash Nation Founder | CATV Host) | December 01, 2014, 06:50:44 PM (Last edit: December 02, 2014, 12:04:41 AM by TaoOfSaatoshi)

VOTE FOR EVAN DUFFIELD IN COINSSOURCE'S PROOF OF HONOR VOTE!!! Yes, it's time to show the world what the Darkness is about, once again! I don't know of a developer who is more deserving...
https://twitter.com/darkcoinorg/status/539475273616732160
Twitter Voting Instructions: https://www.rebelmouse.com/GetIntoTheDark/vote-evan-duffield-for-the-201-852705188.html
Please RT, bump when needed, and VOTE whenever you can! Details are in Tweet, or on my site. GOOD LUCK, EVAN!

oblox | December 01, 2014, 06:50:46 PM

I think the selection of rounds needs to go. A full anon phase should be 8 rounds. Afterwards, if a person wants added anonymity, they can reanonymize their funds another 8. With there no longer being a fee per round, but rather random fees for usage, letting the user select anything less than 8 seems foolish.

thelonecrouton | December 01, 2014, 06:51:04 PM

If I was strategy commander for Darkcoin (which I'm not by the way), I'd create some kind of contingency whereupon the mining majority could somehow protect the masternode majority in some kind of symbiotic dependency. i.e. to subvert the masternode population you'd have to subvert the mining population as well. You have that utterly arse backwards. 90% of mining goes through 5 pools. And you would need at most 3 of them to control or destroy the coin. Mining provides exactly fuck all security. I doubt it. I realise that it's fashionable right now to be maligning the idea of pools because of their "potential" to threaten the network. But the reality is that pools are still aggregations of decentralised mining power. Its subscribers are generally actors in good faith. You can't just "buy up" that kind of mining power. You don't need to buy up that much mining power, all you have to do is compromise one or two servers. Which defeats the whole point of having all that mining power in the first place. There is no such thing as an 'aggregation of decentralised mining power' - it's a fundamental contradiction in terms.

droptable | December 01, 2014, 06:59:47 PM

I think the selection of rounds needs to go. A full anon phase should be 8 rounds. Afterwards, if a person wants added anonymity, they can reanonymize their funds another 8. With there no longer being a fee per round, but rather random fees for usage, letting the user select anything less than 8 seems foolish.
have you seen my proposal? https://darkcointalk.org/threads/darksend-security-bulletin.2963/#post-29041
i haven't heard back from someone smarter than me (or more into crypto-stuff). someone willing to tackle my idea?

semajjames | December 01, 2014, 07:05:49 PM (Last edit: December 01, 2014, 07:39:20 PM by semajjames)

Risk Management 101 - Why Serious Investors won't touch DRK:
Serious Investor: "I've heard about these decentralised currencies, like Darkcoin, where no one person or group controls the currency, what do you think, pet Security Analyst?"
Security Analyst: /goes away for two minutes and finds this graph - https://chainz.cryptoid.info/drk/#!extraction
Security Analyst: "Actually boss they aren't decentralised at all."
Serious Investor: "What do you mean?"
Security Analyst: "Well in theory the security of the network is provided by many thousands of individuals and their mining machines, but in practice only 2 people and 2 machines need to be compromised to own, dictate the policy of, or destroy the coin."
Serious Investor: "But aren't there many thousands of miners?"
Security Analyst: "There are, but 1000000 miners all directing their efforts through 2 pools is from a security POV exactly the same as there being just 2 miners. Control those 2 pools, or the people that run them, and you effectively own the whole currency."
Serious Investor: "Well, I'll be taking my $millions elsewhere then, thanks."
This is a pessimistic assessment and assumes that the miners will not react in the coin's best interest when a genuine threat to the balance of power emerges. Prior incidents of over-concentrated hashing power with Bitcoin and more recently with Darkcoin (w/r/t suchpool) show that hashing power will move away from threats that could jeopardize the coin's value, and so the miners' interest in the coin security is obtained via coin value. I know there is a push to make DRK p2pool only but there are less heavy handed methods we can try. For example, masternode operators could elect to donate a percentage of their earnings to p2pools so that p2pool payouts are more attractive than mining pools.
Providing you use a node suitable for your location, P2Pnode mining already is considerably more profitable than pool mining. In general I think ppl are misinformed, naive or just plain lazy not to use them

defunctec | December 01, 2014, 07:46:46 PM

If I was strategy commander for Darkcoin (which I'm not by the way), I'd create some kind of contingency whereupon the mining majority could somehow protect the masternode majority in some kind of symbiotic dependency. i.e. to subvert the masternode population you'd have to subvert the mining population as well. You have that utterly arse backwards. 90% of mining goes through 5 pools. And you would need at most 3 of them to control or destroy the coin. Mining provides exactly fuck all security. I doubt it. I realise that it's fashionable right now to be maligning the idea of pools because of their "potential" to threaten the network. But the reality is that pools are still aggregations of decentralised mining power. Its subscribers are generally actors in good faith. You can't just "buy up" that kind of mining power. On the other hand, masternodes can be bought. I don't have enough technical understanding to know how much of a threat this poses to the network or even if it's a threat at all, but I've set up a masternode and could envisage how, over time, a single player could monopolise the network. Aggregated mining is not the same thing as "centralised" mining. Whereas if I bought up 50% of the masternodes that WOULD be centralised masternoding because I have control over all those masternodes myself - they can't "wander off" to another pool. Buying 50% of the masternode network would cause huge price spikes, making it more profitable to own a masternode, bringing more investors into the game. The attacker would have to constantly buy darkcoins to combat new investors setting up masternodes. I don't think having 50% of the masternode network will even be possible.

aigeezer (Cryptanalyst castrated by his government, 1952) | December 01, 2014, 07:55:30 PM

I have found the last few pages of questions/answers/debate really useful. Please don't stop posting that kind of thing - it is very stimulating compared to the troll-wars here a while back. Tactical suggestion: as questions and answers become predictable/routine/stale, put the best into a FAQ page conspicuously available from the OP. Refer people there as appropriate, but take any novel question very seriously - a lot may depend on getting the answer right, down to the finest detail. Re the concern troll issue - my position is that motivations are unknowable so it is useful to take every question at face value. The better the answers, the better the coin.

child_harold | December 01, 2014, 08:35:24 PM

This is unofficial, please do your own math, but it should give you a good idea: thanks for this. the final values presented here reflect a chain of 8 MN's, correct? but the default for DarkSend is set at 2 (or less than 8 anyway). is this also correct? obviously 8 is exponentially better than 2. Please correct any mistakes. thanks. yes, probability first row with 2 rounds would be ~0.038^2 second row ~0.057^2 and so on.. if that is too risky for you, you can set it to 8 in preferences I'd argue the min MN chain should be at least 4 long. Assuming (with medium paranoia settings) that the "bad guy" has a handle on 10%-20% of MN's (100-250 nodes), then with a 2 MN chain length the above numbers predict between a 1%-4% chance of a de-anonymization. This is far too high IMO. I have found the last few pages of questions/answers/debate really useful. Please don't stop posting that kind of thing - it is very stimulating compared to the troll-wars here a while back.
… in pursuit of anon

oblox | December 01, 2014, 08:38:23 PM

I'd argue the min MN chain should be at least 4 long.
Assuming (with medium paranoia settings) that the "bad guy" has a handle on 10%-20% of MN's (100-250 nodes), then with a 2 MN chain length the above numbers predict between a 1%-4% chance of a de-anonymization. This is far too high IMO.
There should be no option to select rounds... it should be 8 minimum with those that want added mixing to go above that. With no fees per round, it makes sense not to have less anon'd coins (those in which the user chooses less than 8 rounds).