Bitcoin Forum
November 09, 2024, 04:16:04 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 4 5 6 »  All
  Print  
Author Topic: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies  (Read 17939 times)
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
May 09, 2014, 05:26:47 AM
 #21

It's true that we don't know how to implement some of the author's proposed solutions, but he has a pretty good grasp of some very serious problems.

In particular, he has a good point about what happens when block rewards are multiplied by half.

There's an investment (in ASIC mining equipment) constantly seeking its most profitable allocation.  That allocation is an equilibrium in which each option pays identically.   

At the point where there's a block reward halving, one of the allocation options has its return cut in half, and the equilibrium has to find a new balance point.

If you're UNO, and you cut your block reward in half, the total rate of return is hardly affected at all because you represent such a tiny fraction of the total available income.  The allocation of that investment to mining your blockchain, though, gets cut approximately in half, because that's the point at which the return for mining it remains competitive.

If you're BTC, and you cut your block reward in half, the total rate of return is cut by almost half.  Suddenly, every *other* allocation opportunity is suddenly worth twice as much of the miner's remaining hash power investment as it was before, because that's the rate at which the return for mining it stays competitive with BTC.

Of course, the latter doesn't account for mining rigs that are no longer profitable to run at all.... 
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
May 09, 2014, 05:39:57 AM
 #22

The author is wrong about the proposed timestamp solution, because we don't really have a practical distributed-timestamp scheme.  But there may be a simpler one (not requiring a distributed timestamp) that works.  I'll have to think about it, but it's certainly in the best interests of honest miners and honest transaction makers to provide accurate timestamps if it improves security against dishonest ones, so it isn't hopeless.

The author is right about increasing the security of mining by requiring miners to know both the hash of the current block and the hash of the previous block - the hashing operation they need to do is essentially the same, and making sure miners know what block they're building on would make certain classes of attack (diverting pool miners to another coin, using pool miners to build an unpublished blockchain, etc) which are currently easy to make undetectably, leave incontrovertible evidence.  That is a good idea and we should do it.

Foxpup
Legendary
*
Offline Offline

Activity: 4533
Merit: 3183


Vile Vixen and Miss Bitcointalk 2021-2023


View Profile
May 09, 2014, 08:00:31 AM
 #23

The name sounds strangely familiar. Isn't this the same guy who came up with the "selfish mining" nonsense a while ago?

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4270
Merit: 8805



View Profile WWW
May 09, 2014, 08:26:45 AM
Last edit: May 09, 2014, 05:31:47 PM by gmaxwell
 #24

The name sounds strangely familiar. Isn't this the same guy who came up with the "selfish mining" nonsense a while ago?
No, he had another paper where he 'invented' a number of long used mining optimizations like elimiating the final three rounds, mining from a midstate, and merging adder carries, and then spent the last half ranting about how the geometric subsidy decline doomed Bitcoin to failure with strange all-caps bold words mixed in, and saying that we must adopt his proposal to adjust the subsidy every 600 blocks, while simultaneously ignoring that we made it through one subsidy halving without incident.  On the basis of the prior paper and some comments from people who's opinions I trust who read this one, I've pretty much given this one a pass myself.

His work on the mining optimization stuff, though— I recall it being largely redundant with work already deployed out there— was not unintelligent. The conclusions he was drawing—  well, I think everyone who wanders into Bitcoin experiences at least 20 instances of "Ah ha! it cannot work, I've found the flaw!", some of us just go through it a little more privately than others. Smiley

Rather than focusing on what the paper has wrong, it might be more useful to ask what it got right or what interesting questions it poses. Even a completely confused paper can sometimes inspire some interesting questions or approaches. I understand that it makes some pretty concrete fairly near term predictions about dogecoin which will be falsifiable, — and hey, making a falsifiable prediction would put it ahead of a lot of things.

You have to keep in mind that publications (esp pre-prints) are just another communications channel for people. By themselves they don't automatically mean the work is of cosmic importance or even that its intended to be. So if it helps you extract something useful from it you can think of it as a expanded forum post. One virtue of that form is that often forum posts are so incomplete that it's hard to even tell if you can tell what there idea is from the post.  In this case, where the author seems to have some misunderstandings about the non-existence of globally consistent time in a decentralized system, and he failed to actually describe his solution— well at least you could tell what was missing. Smiley  Don't let the bombastic language get to you, it's a cultural norm in some places to make every thought sound like some major revelation. Annoying at times, but you do yourself a disservice if you can't learn to ignore it and sieve out the good ideas that might be hiding behind the noise.


Foxpup
Legendary
*
Offline Offline

Activity: 4533
Merit: 3183


Vile Vixen and Miss Bitcointalk 2021-2023


View Profile
May 09, 2014, 08:37:10 AM
 #25

The name sounds strangely familiar. Isn't this the same guy who came up with the "selfish mining" nonsense a while ago?
No, he had another paper where he 'invented' a number of long used mining optimizations like elimiating the final three rounds, mining from a midstate, and merging adder carries, and then spent the last half ranting about how the geometric subsidy decline doomed Bitcoin to failure with strange all-caps bold words mixed in, and saying that we must adopt his proposal to adjust the subsidy every 600 blocks, while simultaneously ignoring that we made it through one subsidy halving without incident.
Oh, right. There are so many terrible papers floating around it's getting hard to keep track of them all. Undecided

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
TooDumbForBitcoin
Legendary
*
Offline Offline

Activity: 1638
Merit: 1001



View Profile
May 09, 2014, 07:46:55 PM
 #26

Quote
I mean it like saying taking a spacecraft to the moon is a flawed strategy when we could just teleport there instead.  Also teleporting to the moon will require some teleportation capabilities and stuff.

Steve Martin once lectured on "How to Be a Millionaire and Not Pay Taxes":

"...First, get a million dollars. ..."




▄▄                                  ▄▄
 ███▄                            ▄███
  ██████                      ██████
   ███████                  ███████
    ███████                ███████
     ███████              ███████
      ███████            ███████
       ███████▄▄      ▄▄███████
        ██████████████████████
         ████████████████████
          ██████████████████
           ████████████████
            ██████████████
             ███████████
              █████████
               ███████
                █████
                 ██
                  █
veil|     PRIVACY    
     WITHOUT COMPROMISE.      
▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂
|   NO ICO. NO PREMINE. 
   X16RT GPU Mining. Fair distribution.  
|      The first Zerocoin-based Cryptocurrency      
   WITH ALWAYS-ON PRIVACY.  
|



                   ▄▄████
              ▄▄████████▌
         ▄▄█████████▀███
    ▄▄██████████▀▀ ▄███▌
▄████████████▀▀  ▄█████
▀▀▀███████▀   ▄███████▌
      ██    ▄█████████
       █  ▄██████████▌
       █  ███████████
       █ ██▀ ▀██████▌
       ██▀     ▀████
                 ▀█▌




   ▄███████
   ████████
   ███▀
   ███
██████████
██████████
   ███
   ███
   ███
   ███
   ███
   ███




     ▄▄█▀▀ ▄▄▄▄▄▄▄▄ ▀▀█▄▄
   ▐██▄▄██████████████▄▄██▌
   ████████████████████████
  ▐████████████████████████▌
  ███████▀▀▀██████▀▀▀███████
 ▐██████     ████     ██████▌
 ███████     ████     ███████
▐████████▄▄▄██████▄▄▄████████▌
▐████████████████████████████▌
 █████▄▄▀▀▀▀██████▀▀▀▀▄▄█████
  ▀▀██████          ██████▀▀
      ▀▀▀            ▀▀▀
ByteCoin
Sr. Member
****
expert
Offline Offline

Activity: 416
Merit: 277


View Profile
May 10, 2014, 01:04:51 AM
 #27

I know Nicolas Courtois and had I not seen the paper linked from his web page I would have assumed that someone had just added his name to this rubbish in order to give it some gravitas.

He should have given his old supervisor a red pen (with plenty of ink left ) and asked him to review the paper first. There are portions which are OK but he's certainly gone a long way down in my estimation.

Bytecoin
kadter
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
May 10, 2014, 01:46:16 AM
 #28

The trustless trust is a logical fallacy Cheesy
odolvlobo
Legendary
*
Offline Offline

Activity: 4494
Merit: 3403



View Profile
May 10, 2014, 03:58:45 AM
 #29

Well, I read nearly all of the 46 pages (as much as I could) and I can summarize it in a single sentence:


If the profitability of mining BTC falls (due to a decreasing block reward) low enough such that a competitive currency becomes more profitable to mine, the hash rate will plummet and present an opportunity for a 51% attack.


In my view, this scenario is possible (any scenario is possible), but it is extremely unlikely because of the economics. Furthermore, if it does happen, then the other currency is probably preferred over bitcoin anyway and a switch to the other currency would be a positive result.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
bitfreak!
Legendary
*
Offline Offline

Activity: 1536
Merit: 1000


electronic [r]evolution


View Profile WWW
May 10, 2014, 04:28:35 PM
Last edit: May 10, 2014, 06:45:41 PM by bitfreak!
 #30

I received this paper earlier today in a Google Scholar Alert. I couldn't spend more than 5 minutes reading it... so many misconceptions and holes in their knowledge of Bitcoin. It's got some interesting graphs though.

XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF
Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script
Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
May 10, 2014, 07:04:57 PM
 #31

Look, he made one mistake; we don't have a practical distributed timestamp protocol, so his proposed solution to that one problem doesn't work.

But he's right about there being a security improvement if miners have to know what they're mining on. 

He's also right about the effects of block reward halving on hash power allocation. 

Those are real problems with viable solutions, and we can fix them, so why is everybody focusing on the one thing he got wrong?

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
May 10, 2014, 07:12:11 PM
Last edit: May 10, 2014, 07:40:17 PM by DeathAndTaxes
 #32

He's also right about the effects of block reward halving on hash power allocation.  
No he isn't or at least not his conclusions on what "will" happen are just speculation.

The author claims that when the block reward is halved that hashrate will be halved.  That is probably not true unless the operating margin on EXISTING hardware is <0 (or another coin is more profitable) after the halving.  For a user with a 0.5 J/GH rig and $0.10 per kWh electrical rates the 0 operating margin point is ~1 PH per $1 in USD exchange rate.  So at the current exchange rate the network would need to be >450 PH/s for that miner to have a negative operating margin.  The exchange rate would hopefully be higher by 2016.  At the ATM it would require 1,200 PH/s.

The block halving will probably dry up sales of new mining hardware (actually they will dry up months prior in anticipating of the drop) but for a miner who already owns SHA-256 hashing power he essentially has three options

a) continue to mine bitcoin for half the revenue
b) sell the hardware to a miner with lower costs (namely cheaper/free electricity and cool climate)
c) mine an altcoin.

The author jumps right to c.  To date (other than brief periods of pump & dump) no sha256 coin has been more profitable than bitcoin to mine.  The author predicts the hashrate will fall by 50% which would assume that no miners opt for "a" or "b".  Still even if that is true there is no certainty that a halving in hashrate will make Bitcoin vulnerable to a 51% attack.  The hashrate today is 70 PH/s.  For the halving to make the operating margin negative would require a hashrate of 450 PH/s (current exchange rate, $0.10 per kWh, 0.5 J/GH).

So say in 2016 that does happen.  The hashrate drops from 450 PH/s to 225 PH/s which is more than 3x the current hashrate.  The Bitcoin network still has ~50% of the hashrate of known miners.  The idea that it is suddenly trivial to perform a 51% attack is an unsupported conclusion.


Quote
But he's right about there being a security improvement if miners have to know what they're mining on.
Which has nothing to do with the Bitcoin protocol.  The Bitcoin protocol does include information on the prior block in the blockheader.  Some pools use a protocol which ommits that however it is possible for miners in pools to be in control of the blockheader.   Pool mining is a protocol that is built on top of the bitcoin protocol, it isn't part of the bitcoin protocol.  It would be like saying if you made some changes to anti-counterfeiting features on the dollar bill you could reduce credit card fraud.  The credit card network is an independent network built on top of the cash network.

Quote
Those are real problems with viable solutions, and we can fix them, so why is everybody focusing on the one thing he got wrong?

The bitcoin protocol reward is not going to be changed.  Period.  It would be a breaking fork and you will never achieve a super majority to support any fork.  There are already methods which allow a miner to be in control of the blockheader and miners frankly don't really give a crap.  You can't force them.  It is more a social problem then a technological one.


Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
May 10, 2014, 07:30:31 PM
 #33



He's also right about the effects of block reward halving on hash power allocation.  
No he isn't or at least not his conclusions on what "will" happen are just speculation.

His "speculation" is that at least half of miners are willing to switch to mining a different coin if it's more profitable.  The rest is just a math problem about how to optimize profits.  I don't think that's at all in question.

Seriously, you can set this up as an equation.
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
May 10, 2014, 07:32:35 PM
 #34


The bitcoin protocol reward is not going to be changed.  Period.  It would be a breaking fork and you will never achieve a super majority to support any fork.  


You're probably right about that; it would destroy the value of the sunk-costs in ASICs for starters, which means the miners would scream bloody murder.

bitfreak!
Legendary
*
Offline Offline

Activity: 1536
Merit: 1000


electronic [r]evolution


View Profile WWW
May 10, 2014, 07:39:31 PM
 #35

I don't think anyone is really going to argue that a smoother shift in the block reward would be less preferable than one which halves instantly after a long period of time, but that's just the way Bitcoin is and there are altcoins designed to remedy that issue (I'm guessing that's the issue being discussed, like I said I didn't read the paper properly).

Which has nothing to do with the Bitcoin protocol.  The Bitcoin protocol does include information on the prior block in the blockheader.  Some pools use a protocol which ommits that however it is possible for miners in pools to be in control of the blockheader.   Pool mining is a protocol that is built on top of the bitcoin protocol, it isn't part of the bitcoin protocol.
I knew that had to be the case, I thought I was going crazy there for a moment, thanks for clearing that up.

XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF
Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script
Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
May 10, 2014, 07:43:41 PM
 #36

His "speculation" is that at least half of miners are willing to switch to mining a different coin if it's more profitable.  The rest is just a math problem about how to optimize profits.  I don't think that's at all in question.

Which is dubious in itself but lets assume the network is 450 PH/s the day before the halving and after the halving 50% of miners leave for this non-existent altcoin which is still more profitable than Bitcoin even with the difficulty that comes from 225 PH/s.

Ok so Bitcoin has 225 PH/s worth of miners.
CoinX has 225 PH/s worth of miners.

How exactly is it now trivial to 51% the Bitcoin network?

Quote
Seriously, you can set this up as an equation.
Yeah you can and with any realistic guesstimates you don't reach the conclusion the author reached.

TooDumbForBitcoin
Legendary
*
Offline Offline

Activity: 1638
Merit: 1001



View Profile
May 10, 2014, 07:56:36 PM
 #37

Quote
Which is dubious in itself but lets assume the network is 450 PH/s the day before the halving and after the halving 50% of miners leave for this non-existent altcoin which is still more profitable than Bitcoin even with the difficulty that comes from 225 PH/s.

Should be fun to watch.

1.  Reward halves.
2.  Half the hashers depart.
3.  Reward per hash on bitcoin network doesn't change.
4.  No change in profit for the half that stay!  (Increase, really, if you count fees).

I wonder how the 50% who leave will make that decision.



▄▄                                  ▄▄
 ███▄                            ▄███
  ██████                      ██████
   ███████                  ███████
    ███████                ███████
     ███████              ███████
      ███████            ███████
       ███████▄▄      ▄▄███████
        ██████████████████████
         ████████████████████
          ██████████████████
           ████████████████
            ██████████████
             ███████████
              █████████
               ███████
                █████
                 ██
                  █
veil|     PRIVACY    
     WITHOUT COMPROMISE.      
▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂▂
|   NO ICO. NO PREMINE. 
   X16RT GPU Mining. Fair distribution.  
|      The first Zerocoin-based Cryptocurrency      
   WITH ALWAYS-ON PRIVACY.  
|



                   ▄▄████
              ▄▄████████▌
         ▄▄█████████▀███
    ▄▄██████████▀▀ ▄███▌
▄████████████▀▀  ▄█████
▀▀▀███████▀   ▄███████▌
      ██    ▄█████████
       █  ▄██████████▌
       █  ███████████
       █ ██▀ ▀██████▌
       ██▀     ▀████
                 ▀█▌




   ▄███████
   ████████
   ███▀
   ███
██████████
██████████
   ███
   ███
   ███
   ███
   ███
   ███




     ▄▄█▀▀ ▄▄▄▄▄▄▄▄ ▀▀█▄▄
   ▐██▄▄██████████████▄▄██▌
   ████████████████████████
  ▐████████████████████████▌
  ███████▀▀▀██████▀▀▀███████
 ▐██████     ████     ██████▌
 ███████     ████     ███████
▐████████▄▄▄██████▄▄▄████████▌
▐████████████████████████████▌
 █████▄▄▀▀▀▀██████▀▀▀▀▄▄█████
  ▀▀██████          ██████▀▀
      ▀▀▀            ▀▀▀
Cryddit
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
May 10, 2014, 08:23:27 PM
 #38

Okay, you're getting the problem set up wrong.  As long as bitcoin is dominant, it doesn't lose fully half of its hashing power when it halves its reward. 

Let's say that there is some unit of hashing power that pays 10$ per hour.

If equilibrium has 90% of the effort on BTC at a given moment and 10% on altcoins, then we can conclude that the value of BTC produced by that hashing, per hour, is worth $9 and the value of altcoins produced by that hashing, per hour, is $1. 

Now if BTC cuts its reward by half, suddenly it's producing only $4.50 worth of value per hour for that amount of hashing power.  The total value being produced by that hash power - the new equilibrium rate - is now $5.50 per hour.

Bitcoin at its halved speed produces that value when it gets 9/11 of that amount of that hashing power and the alts, at the same speed as before, produce that value when they get 2/11 of that hashing power.  This is the new point at which the ratio of hashing power to value produced is equal for bitcoin and the alts.

What happens is that the amount of hashing power devoted to the alts nearly doubles, and the reallocation comes out of the amount devoted to bitcoin. 

When he uses UNO as an example, UNO halving its reward has effectively no impact on the rate of value production, so the equilibrium rate is relatively unaffected.  That makes it very simple; At the same rate, half the value produced buys half the hash power. 
bitcoinbeliever
Newbie
*
Offline Offline

Activity: 54
Merit: 0


View Profile
May 10, 2014, 10:21:30 PM
 #39

Hand-waving distributed timestamps into existence can't be confused with this idea

 https://bitcointalk.org/index.php?topic=3441.msg48484#msg48484

which relies only on nodes' local clocks, and then only on their keeping accurate time over the short term; they don't have to be military-atomic-clock accurate and it doesn't matter what time zone they are in.  Instead of trying to create a distributed time protocol, the existing consensus mechanism is used with nodes simply voting to reject blocks containing double-spends they detect themselves.  They actually already make this decision ... they just don't tell anyone.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
May 10, 2014, 10:38:24 PM
Last edit: May 11, 2014, 03:39:03 PM by DeathAndTaxes
 #40

Hand-waving distributed timestamps into existence can't be confused with this idea

 https://bitcointalk.org/index.php?topic=3441.msg48484#msg48484

which relies only on nodes' local clocks, and then only on their keeping accurate time over the short term; they don't have to be military-atomic-clock accurate and it doesn't matter what time zone they are in.  Instead of trying to create a distributed time protocol, the existing consensus mechanism is used with nodes simply voting to reject blocks containing double-spends they detect themselves.  They actually already make this decision ... they just don't tell anyone.

If you could trust nodes voting you wouldn't need mining to begin with.  There is no guarantee that all nodes know about all transaction at any point in time.  There is no guarantee nodes will learn of transactions with any guarantee on timeliness or nodes will learn of transactions in the same order.   The composition of the network is also continually changing

The network isn't a single unified block of memory it is a coalition of independent systems.   If we could trust anonymous decentralized nodes to "vote" in a secure manner they could simply agree on the ordering of transactions amongst themselves and you wouldn't need blocks and you certainly wouldn't need a proof of work.   The unresolved problem is preventing a sybil attack.  Satoshi saw that in a pseudonymous decentralized network, where an attacker could cheaply create thousands or even hundreds of thousands of nodes, that no vote based on 1 node = 1 vote could be trusted.  The proof of work is a mechanics to force a consensus among nodes which may conflicted views on the ordering of transactions.  Proof of work creates a canonical ordering of transactions and all nodes update their internal ordering to match that.  If nodes could reject blocks based on "incorrect" ordering then it would imply they already know the canonical ordering.  If they know that, they you don't need mining to begin with.
Pages: « 1 [2] 3 4 5 6 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!