In PoW currency you can remine a block to build a longer chain. In Nxt the order of generating accounts is determined, you
can't create a long chain that contains blocks generated solely by you. With 51% of the stake the odds to generate a
longer chain with 10 blocks are less than 0.1%. If someone buys a car with NXT they can wait a little bit longer to
counteract even 90% attack.
I like that you plan to make things deterministic. My ideas for pure PoS have also been deterministic.
There is a potential problem here though.
How do you deal with AWOL coin-owners? If I can't make a winning chain with 51%, then can the chain continue at all if 49%
of coins are lost?
Looking forward to the details so I can see how you address this and other issues.
It's a good chance to tell the details...
Each block has "generationSignature" parameter. An active account signs "generationSignature" of the previous block with
its private key. This gives 64 bytes which are hashed with SHA256. The first 8 bytes of the hash gives a number (I call
it a "hit"). The hit is compared to the current "target" (64bit number). If the hit is lower than the target then next
block can be generated.
The target for each account is proportional to the balance. Someone holding 1000 coins gets a 50 times bigger target than
someone with 20 coins. Thus the owner of 1000 coins will generate 50 times more blocks than the owner of 20 coins (in the
long run).
The target is not constant, it grows each second passed since the timestamp of the previous block. If noone generated a
block on the first second then the target becomes 2 times bigger and so on. The base target is the target on the 60 second
mark. If there is only a few active accounts then after a long time someone will generate a block because the target will
become very big. If you open the client and log with any funded account you can see a ticking timer in BLOCKS widget. It
shows when the target will become greater than your hit.
Where does a block's generation signature parameter come from?
It's the generation signature of a previous block signed by the generator of a current block.
Do the block comtents affect the generation signature parameter (I.e. is it a signed message)?
Or is it just the public key of the generator of the previous block?
comtents == content?
Nth block generation signature = Ed25519.Sign([N-1]th block generation signature).
Edit: The generator signs two messages each block, generation signature of the previous block and the header of this block
which contains payload hash.
Okay, so the txns included in each block do not affect the block's generation signature?
No. Transactions do not affect the signature.
Someone may attempt an "attack" by sending their generated blocks with different transaction sets to different peers. This
will just increase the rate of orphaned blocks. A few blocks later the network
i really really really need someone to answer this question for me:
can anyone explain to me how it is determined who has the right to author the next block. i understand that the more nxt
you have the higher your chance, but specifically how is the "winner" selected?
I know all of you guys who have 40k+ invested in this thing have to have figured out the answer to this question before you
dropped that kind of cash.
It's very similar to Bitcoin. Who gets correct nonce wins the block.
In bitcoin a nonce is hashed with the previous block until one gets a digest that is below the target threashold. There is
no POW in next so how are nonces used in this scheme? and where does the nonce come from? I really need as much detail as
you can give me. I will even send a tip if i come out of this conversation understanding what i hoping to understand.
Smiley
OH HECK YES! afk while i buy a million of these things Grin
oh but hey can you do me one more favor. can you link me to the original source where you got this information. i really
want to read more.
Other guy has answered on nextcoin.org about that.
No that was the first time and I wrote about it the same day that i thought of it. But you say that I posted it 1 day
before nxt right? that technically makes it my invention right? Grin
haha no I'm a scrub programmer. my highest programming accomplishment to date is chess in the console with no AI. I'm much
better at conceptualizing higher level abstractions than the logistics of implementation.
actually this is a really common thing. inventions are more often than not invented by a half a dozen people all over the
world at the same time. we probably thought of it at the exact same time and i just wrote about it first. here is wikipedia
on the phenomena
http://en.wikipedia.org/wiki/Multiple_discoveryill check it out.
I think I'm starting to get it. Is it true that the generationSignatures are totally deterministic? If you wanted too you
could spend computing power to calculate who would win the right to author blocks far off into the future?
Output of next signature depends only on input of previous one. For example:
F(x) = x*2
Then we have such a sequence of outcomes: 1, 2, 4, 8, 16, 32...
Transactions included into a block can't change it, there is a special "blockSignature" for them.
Great! im definitely beginning to understand.
So next question. What mechanism prevents people from purposefully creating accounts with public keys which will allow them
to author an upcoming block?
*edit* there is definitely a tip in this for you if you have good answers to all of my questions Grin
Cunicula (as attacker) and BCNext (as defender) came to the following algo:
1. Brand new accounts must wait 1440 blocks before they r given permission to forge blocks
2. Old accounts forge blocks as if their balance doesn't include coins received in the previous block
Amount that is used for forging is called "effective balance".
is it really that difficult to calculate out 1441 blocks ahead? it doesn't sound difficult. If it is so difficult now what
happens when computers become faster and more powerful in the future? is the plan to just fork it from time to time?
it seems like if the generationSignature was additionally a product of the hash of the public key of the account that
authored the previous block than that would add a measure of security for little additional cost. as in, unlike including
phony transactions to get the result you want out of the digest of a whole block, it would be difficult to coax the result
you wanted out of a public key funded with a large amount of cash 1441 blocks ahead of time.
What should be calculated ahead to be able to generate all blocks?
My understanding is that the next generationSignatureB is a digest of generationSignatureA and generationSignatureC is a
digest of generationSignatureB ect... So what i mean is, what stops an attacker from calculating generationSignatures 1441
steps into the future and then creating and funding account that will win the right to author that 1441st block. It should
in theory be rather simple to generate 1441 signatures if it is a purely deterministic process right?
U must predict amounts on other accounts in 1440 steps, coz time when u generate a block depends on ur effective balance.
It's possible only for empty blocks. If someone's account becomes larger then he will get chance to inject his block into
ur chain completely ruining all ur computations.
oooh so the generationSignature is a digest of the previous generationSignature + the time-stamp of the previous block?
No. It's digest of prevGenSignature only.
How determined the generator (account) of the next block:
1. X = digest of prevGenSignature gives 256 bits
2. First 64 bits of X is a HIT
3. Target = BaseTarget (which is the same for all accounts) * Balance * Time_since_previous_block
4. If HIT < Target then next block can be generated
Edit: Target grows each second until it "crosses" HIT of one of the accounts
All you would have to do is brute force the creation of a key pair that digested the 1440th genSignature to a hit that was
below everyone elses target. It would be totally doable.
This problem is super solvable though. BTNext should make the BaseTarget adjustable with an algo similar to bitcoins re-
target algo. Then Increae the 1440 block (24 hours) restriction for effectiveBalance out to about 43200 (1 month) just to
be extra super safe (its best to pick absurdly safe parameters when dealing with billions or possibly even trillions of
dollars someday). Then finally make the nextGenSignature a digest of the prevGenSignature + the public key of the author of
the last block. You couldnt game it with intentionally selected keys because you would have to pick the key 1 month ahead
of time and there would be no way to predict who would author which blocks 1 month out since miners drop in and out of the
network at random.
1440 blocks is safe number coz u have to know who will sign the 1439th block which depends on the signer of the 1438th
block and so forth. To know future signers u must know future balances. Even if u know future balances u must know future
topology of the network to predict which blocks will be orphaned.
im so sorry to keep pestering you. but why is this the case. inorder to do this all you would have to do is brute force the
creation of a key pair that digested the 1440th genSignature to a hit that was below everyone elses target. It would be
totally doable. why must you need to know future signers?
Coz block 1440 winner is determined as Digest(Digest(Digest(...1435times...Digest(Signature_of_block_1)...))).
But that doesnt explain why you would need to know who future signers are. It only says that you would need to calculate
the 1440th generationSignature and pre-empt it by creating an account with a key-pair that would cause your hit to be lower
than everyone elses targets right? how do future signers effect that situation?
Output of the last digest depends on ur public key and generating signature of previous block. It's deterministic but still
can't be guessed. Look at this example:
Alice signs block 1 - signature is A
Bob signs block 2 - signature is Digest(A + Bob_public_key)
Charlie signs block 3 - signature is Digest(Digest(A + Bob_public_key) + Charlie_public_key)
See? U can choose any Charlie_public_key but without knowing Bob_public_key in advance it gives no advantage at all.
yep! i do understand. we just weren't communicating properly. as soon as i thought i saw a problem what you wrote up there
is exactly the solution i proposed. Grin bcnext is a freaking genius. I worked so hard to try to figure something out like
this myself to no avail. What i proposed in my thread is a far cry from this much better solution.
If the chain requires little computational resources to calculate, what prevents an alternative massive chain from be injected?
To inject an alt chain an adversary must own 51% of coins (90% with TF). Also there is a limit of 720 blocks for the max chain rollback depth.
ok but why? suppose I am one of the original 73 and i own 50 million nxt. What if i create an alt chain where my 50 million is spread into 50 1 million nxt account. Then i compute a chain where my 50 accounts author all of the blocks. Then i compute it to the point where that chain longer than the main chain. Specifically how do peoples clients know that this is not the real chain? All the maths would check out. The targets would update to the point where it didnt seem like transactions were coming in too quickly.
So then if you have a rule that says longest chain wins, and all the math was legit on this artificial chain that this guy created, everyone would adopt that chain. So you clearly need something more. If you make a rule that says the chain that, on average, has hits on lower targets wins than this would protect against the previously mentioned attack vector. But then if you use this rule clients would sometimes ignore longer but legitimate chains.
anyway just looking for some clarification here. thanks in advance.
What do u mean by
What if i create an alt chain where my 50 million is spread into 50 1 million nxt account. Then i compute a chain where my 50 accounts author all of the blocks.
? This doesn't look feasible having only 50 accounts (if I got ur idea correctly).
Sure so you would just write the blockchain as if only those 50 accounts were forging. The targets would readjust and even though only 50million nxt was being used to forge that chain, the blocks would still come in at ~1 minute. Or atleast thats how you would record it having happened. technically you would just be computing it all and building the fake chain yourself.
R u talking about a situation when TF penalizes forgers that skip their turn?
If no, then cumulative difficulty will be 20 times lower and blockchain won't be accepted as longest. (This is how it's now)
If yes, then nodes will choose a branch where their balance is higher.
So instead of longest chain, it uses cumulatively most difficult chain?
Yes. "Longest" is just a convenient word used since Bitcoin times.
If we went for "chain that demonstrates the participation of most stake" rather than "chain that is longest" you can imagine a situation where a couple of confirmations could get rolled back. though you would see the risk coming because it would only come after a ridiculously slow block. so any time you have a really really really slow block, you just trust the confirmations a little less after that right? and after a few you still have strength.
Actually, time gap between blocks doesn't matter when TF is enabled. We can use anisotropic time scale and forge blocks exactly each 60'000 ms. In the future when Internet becomes much faster we could process blocks at 2-3 blocks/min rate. Time between blocks is used only to choose the next forger, we don't have to wait that long. I've never mentioned this coz BCNext prefer that people don't realize full power of TF until Nxt network becomes strong enough to survive an attack from entities with billions of dollars in the pocket.
So what happens if the network is able to predict too far into the future? Too far being 24 hours. If you can make even reasonable guesses as to who will author a block 24 hours from now the entire system breaks down.
This requires too much memory and computing power and still very non-reliable.
Cunicula offered to assign a unique id to each coin and do the lottery by choosing the owner of next winning coin. His approach requires only 1 computation for each block prediction. BCNext used other approach that requires to iterate thru all accounts to pick the winner, this greatly increases requirement to computing power necessary for prediction.
so ive been thinking more about how to clients can handle choosing the right chain. im not sure i still understand exactly how nxt does it. but i independently figured out how it could be done. so i thought maybe you would find some value in my independent evaluation.
Suppose you have a hand full of chains and we want to figure out which one is the real one. First compare the genesis block of the chain to a hash of the correct genesis block which is downloaded with the client. Discard any chains that have a genesis block that does not digest properly. Next look at the time that the genesis block was published. Then look at the targets that hit each block and reverse engineer the exact time of each block. Add all of those times up and make sure that the sum total is < the current time. Discard any chains that claim to be time traveling back from the future. Finally, from the chains that you have left, take an arbitrarily large number and subtract the target that was used to hit on each block from that arbitrarily large number. Add all of those values to-gather. Once added togather the chain with the largest summed value is proven to be the one with the greatest stake participation.
Maybe your way is better but if you happen to find anything wrong with it than atleast you have a backup plan now.
Nxt works this way but that arbitrary number is ZERO. What benefit do we get when it > 0?
lets see:
(0-6)+(0-5)+(0-7)+(0-6)+(0-5)+(0-7)=-36
(0-5)+(0-4)+(0-6)+(0-5)+(0-4)+(0-6)=-30
-30>-36, the second chain is indeed the one with more stake. yep all checks out. didn't have a paper and pencil in hand at the time of figuring it out.
i just want to reiterate how brilliant this all is. it blows my mind.
Anon136's video described it as the chain that had the most stake involved in forging the blocks was the 'correct' one, even though there may be a longer chain.
It's slang. "Longer chain" == "chain with the most stake involved".
@Anon136
If so, could we stick to the 'longer chain' theme? It's just because it makes more sense to most people (even those that are familiar with graph theory).
i mean it works as slang but it is technically incorrect since its trivially easy to make a chain as long as you want. you could make a 1 million block long chain on my desktop computer in minutes if i wanted.
Err, so, what?
Sorry, but it's a bit confusing if you don't know what's right and what's wrong.
In plain english: what's the right way of finding consensus in NXT?
by looking for the chain that demonstrates the greatest stake participation without claiming to be from the future.
Ah, okay.
Just to get that sure:
- the longest branch in the sense of graph theory is totally irrelevant
well idk anything about graph theory but yes the length of the chains is irrelevant.
Okay, so now we have:
Consensus in NXT is found by looking for the branch that demonstrates the greatest stake participation without claiming to be from the future.
This is achieved by summing up the targets on each branch and the branch with the smallest total is the correct one.
Got it right?
No. U sum 1/target and want to get the highest value.
there we go cfb. thanks that clarifies what i was going to ask you about. thanks as usual.
additionally there is a conversation that i lost which deals with the fact that when we calculate who has the right to author the next block first, the two most acceptable submissions are considered equally valid. this means that when trying to calculate who will author blocks out into the future, you never know which one of those two eligible nodes will end up getting orphaned and which will become part of the main chain. meaning that when you try to calculate the hash chain out into the future it becomes
("how far out you want to calculate"^2)*"total number of stake holders"
potential outcomes. since you need to calculate 1440 blocks into the future to game the system by preemptively planting stake that will win in the future (due to the 1440 block holding period before stake becomes active). this becomes an imposable large space to make predictions in. especially since there is a fee for transactions set at 1NXT right now meaning each guess costs 1NXT.