Topic: Decentralized Timestamp
telepatheic
May 20, 2014, 04:55:39 PM
 #41

I agree with the fact that it can be attacked with less than 51% stake.  How little stake can be used depends on a couple of factors.  The time since last signing and balance are weighted in the "difficulty" of finding a hash so I am not comfortable putting an exact value on how little stake can be used.  That would require some simulations.  

In general though one could say that the structure allows a forger (any forger) to use computing power as a proxy for stake.  The effective share of the network is dependent on not just what share of the stake one has but also what share of the computing power.

NXT is completely transparent, that is, you know all the public keys of the potential forgers. This allows you to know for certain if you will be the next person to be able to sign the block. To do this you have to calculate the required time in milliseconds that each public key on the network would exceed the target threshold. Admittedly this is computationally expensive. You have to compute a signature then check all the public keys to see if any of them would beat you; thankfully you can simply iterate the signature until you have a very high likelihood of being able to sign the next block, then check all the public keys to verify that you can definitely sign the next block. This will mean the next block will occur quicker than normal and therefore base_target will be reduced (not exactly sure how often it is recomputed), making the time between blocks larger and giving you more time to do your computations in order to guarantee the next block.
gmaxwell
May 20, 2014, 05:31:19 PM
 #42

> > I believe PoS could be used to raise the cost for an attacker further. To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.
> Here you are admitting that Bitcoin as it stands has a significant weakness.

All things are subject to attacks; to make them stronger one needs to be honest about them. Bitcoin assumes that the majority of the energy expended on its POW is not controlled by a byzantine attacker. Maybe there are things that can be twiddled to make the costs of attack higher? But that isn't something that comes quickly or easily— most of the time tweaks increase the cost of one already effectively unachievable attack but do so at the expense of opening up a new weakness which is currently absolutely precluded.

Talking frankly about attack costs doesn't mean that anything is weak on an absolute scale. By contrast, the systems where their authors claim there exists no attacks that they can imagine are almost certainly intolerably insecure since a lack of attacks— even infeasible ones that we can be comfortable with— means that there is either indifference to security, inadequate understanding of their own system, or simply a massive failure of imagination— any of which could be hiding quite serious attacks.
telepatheic
May 20, 2014, 05:35:11 PM
 #43

> > I believe PoS could be used to raise the cost for an attacker further. To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.
>
> Here you are admitting that Bitcoin as it stands has a significant weakness.

Of course bitcoin has weaknesses; to date very little modelling of how bitcoin really works economically has been done. What happens if huge transaction fees (>1000BTC) are sent to the network? What happens if you convince 50% of the network to lease you their miners at double the market rate? And what happens when market influenced transaction fees dominate the block rewards?

Bitcoin is based on the assumption that no one would ever lease out hashing power because it is always beneficial to reap all future returns rather than take a short term gain where an attacker could harm the network and perform a double spend. But people do lease out hashing power because they believe that attackers won't be able to lease out 50% of the machines and perform an attack. (Is that a valid assumption? How do we tell how many machines are currently used by attacking parties?)

An attacker with 10,000 BTC could hire enough hashing power to perform a double spend for let's say 1000BTC (probably a lot less than this in reality if miners didn't mind leasing you hashing power), the other 9,000 BTC can be double spent such that the attacker ends up with 9000BTC of cash/goods/services and 9000BTC of bitcoin. The attacker has increased in worth by 8000BTC, the miners on average have increased in worth by (1000BTC - work done producing orphaned blocks) and a lot of merchants/exchanges/service providers are out of pocket by 9000BTC.
jonald_fyookball
May 20, 2014, 05:36:00 PM
 #44

> > > I believe PoS could be used to raise the cost for an attacker further. To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.
> > Here you are admitting that Bitcoin as it stands has a significant weakness.
> All things are subject to attacks; to make them stronger one needs to be honest about them. Bitcoin assumes that the majority of the energy expended on its POW is not controlled by a byzantine attacker. Maybe there are things that can be twiddled to make the costs of attack higher? But that isn't something that comes quickly or easily— most of the time tweaks increase the cost of one already effectively unachievable attack but do so at the expense of opening up a new weakness which is currently absolutely precluded.
>
> Talking frankly about attack costs doesn't mean that anything is weak on an absolute scale. By contrast, the systems where their authors claim there exists no attacks that they can imagine are almost certainly intolerably insecure since a lack of attacks— even infeasible ones that we can be comfortable with— means that there is either indifference to security, inadequate understanding of their own system, or simply a massive failure of imagination— any of which could be hiding quite serious attacks.

gmaxwell, not sure if you stated elsewhere, but what is your opinion of DECOR?

bluemeanie1
May 20, 2014, 05:40:38 PM
 #45

> An attacker with 10,000 BTC could hire enough hashing power to perform a double spend for let's say 1000BTC (probably a lot less than this in reality if miners didn't mind leasing you hashing power), the other 9,000 BTC can be double spent such that the attacker ends up with 9000BTC of cash/goods/services and 9000BTC of bitcoin. The attacker has increased in worth by 8000BTC, the miners on average have increased in worth by (1000BTC - work done producing orphaned blocks) and a lot of merchants/exchanges/service providers are out of pocket by 9000BTC.

this problem is compounded by the Color Coins technologies that carry asset notes on the BTC block chain.  It's going to make such an attack practically inevitable.

-bm

DeathAndTaxes
Gerald Davis


May 20, 2014, 05:49:10 PM
Last edit: May 20, 2014, 06:04:20 PM by DeathAndTaxes
 #46

> Here you are admitting that Bitcoin as it stands has a significant weakness.

This kind of shit makes me just not want to post at all. No it isn't an admission to anyone who can read. All security models involve assumptions upon which they derive their strength. The assumption for Bitcoin is that the attacker will not gain 51% of the network hashrate. If that assumption is flawed then the model can be attacked. Likewise any other security model will involve different assumptions, possibly ones which are easier for an attacker to invalidate.

You will notice the words "I believe", it isn't "I know". No alternative is going to be a magic bullet which eliminates all weaknesses and creates no new ones.   It is entirely possible that I am <gasp> wrong and that there is no such alternative along those lines that would result in an overall stronger network.  Security is ALWAYS about compromise.  

Guess what I can solve the "51% attack" right now.  I will give you this model for free.  A single central authority accepts transactions, verifies them, and publishes the results in the form of a ledger and diff.  These results can be verified cryptographically by any user of the network.  Transactions can be verified within seconds, nodes don't need to maintain more than a minimal amount of historical records and an attacker that isolates a node can't lie to the node it can only block information.   No amount of computing power could allow an attacker to break that system (assuming the cryptographic primitives remain strong).  It isn't 51% proof it is 100% proof.  Of course that trades the potential for an attacker to gain the majority of the computing power for the potential for the central authority to be untrustworthy.  That tradeoff is not worth it but it does "solve" most of the major limitations of the Bitcoin protocol.   Feel free to use it.

Do you get tired of being a shill?  Don't you ever just want to think and discuss?  Why not just read the post and agree or disagree without looking for some angle to exploit?  Don't you find it tedious and small?  At one time this forum (especially this section of the forum) was a place to learn, think and explore.  Lots of healthy debate, discourse, and sometimes it got heated but it was about learning.  I guess that is dead now.  Honestly I don't give a shit anymore.  This will be my last post.

On edit: edited for clarity.
bluemeanie1
May 20, 2014, 05:55:06 PM
 #47

> > Here you are admitting that Bitcoin as it stands has a significant weakness.
>
> This kind of shit makes me just not want to post at all. No it isn't an admission like that. All security models involve assumptions. The assumption for Bitcoin is that the attacker will not gain 51% of the network hashrate and that gaining that would be prohibitively expensive. You will notice the words "I believe", it isn't "I know". An alternate security model will be a tradeoff. There is no guarantee the modified assumptions will make the network more secure. Security is ALWAYS about compromise. The system which is most secure from an attacker with significant resources would be where an absolute central authority manages the network. No 51% is possible but you now need absolute trust in the central authority. Although it solves one problem it creates another and I wouldn't consider that an acceptable tradeoff.

tantrums aside,

#1) It's been established that an attacker needs far less than 51% of the hashing power.

#2) Hashing power is now a Liquid Commodity, as in it can readily trade hands.  This also has the effect of reducing the price of said hashing power.  Staging and executing an attack does not even require hardware procurement, the entire thing could be executed from a single internet connection anywhere in the world + a modest amount of capital.

#3) the point I keep raising- the PAYOFF for such an attack is going to increase exponentially due to Color Coins, Counterparty, etc.

it seems whenever anyone raises these points some people on this forum have a fit.

-bm

jonald_fyookball
May 20, 2014, 05:56:25 PM
 #48

> > Here you are admitting that Bitcoin as it stands has a significant weakness.
>
> This kind of shit makes me just not want to post at all. No it isn't an admission like that. All security models involve assumptions. The assumption for Bitcoin is that the attacker will not gain 51% of the network hashrate and that gaining that would be prohibitively expensive. You will notice the words "I believe", it isn't "I know". An alternate security model will be a tradeoff. There is no guarantee the modified assumptions will make the network more secure. Security is ALWAYS about compromise. The system which is most secure from an attacker with significant resources would be where an absolute central authority manages the network. No 51% is possible but you now need absolute trust in the central authority. Although it solves one problem it creates another and I wouldn't consider that an acceptable tradeoff.
>
> Do you get tired of being a shill? Don't you ever just want to think and discuss? Why not just read the post and agree or disagree without looking for some angle? Don't you find it tedious and small? At one time this forum (especially this section) was a place to learn, think and explore. I guess that is dead now. Honestly I don't give a shit anymore. This will be my last post.

This is too bad that you're losing patience, because I was enjoying the conversation and we need people like you who really know what they are talking about in the discussion.

Competing cryptocurrencies are potentially disruptive to bitcoin, and it's no secret bluemeanie is part of the NXT development team, so I would suggest not to take it personally. I wouldn't quite agree he is shilling.

This is bluemeanie's job so to speak... to challenge us. Whether or not his motive is to promote NXT, we should try to have the discussion.


bluemeanie1
May 20, 2014, 05:58:09 PM
 #49


> This is too bad that you're losing patience, because I was enjoying the conversation


and he knows that- that's what's making him angry.

-bm

telepatheic
May 20, 2014, 06:01:38 PM
 #50

> this problem is compounded by the Color Coins technologies that carry asset notes on the BTC block chain. It's going to make such an attack practically inevitable.
>
> -bm

Also Satoshi didn't envisage mining like it is today. It is possible for the hashing power of all inefficient (uses more power than would gain in rewards) mining machines (and hence not connected to the network) to outnumber the hashing power of all mining machines on the network. This requires low block rewards in real terms, expensive electricity costs in real terms and a relatively small difference in efficiency between the inefficient and the efficient mining machines. In this case an attacker could gain 51% hashing power very easily to perform a double spend since unused miners are virtually worthless (Satoshi didn't envision this).

We need much more discussion about the security assumptions of bitcoin. New technologies may allow us to gain more security/decentralisation in some areas but at a potential trade off with other areas.
bluemeanie1
May 20, 2014, 06:19:47 PM
 #51

telepathetic,

not to mention that there is an (unknown and likely linear) relationship between intrinsic value of BTC and cost and presence of hashing power. Thus this means that, at best we need to have a certain amount of hash power present and running in order to support what Color Coins wants to support. If this hash power fails to emerge, then you will have a huge catastrophe.

 another point- why do we need to run an ASIC for every bond issued in the universe when models such as NXT remove this requirement?  Then we can expand the economy indefinitely.

 it goes back to the gold bug mentality.  They insist that we must base our economy on gold because gold is valuable[1], however they ignore the fact that it is only valuable because we agree that it's valuable.  How valuable is gold to a chimpanzee?

-bm


[1] we must base a cryptocoin on hashing because hashing is hard

jonald_fyookball
May 20, 2014, 06:32:45 PM
 #52

> telepathetic,
>
> not to mention that there is an (unknown and likely linear) relationship between intrinsic value of BTC and cost and presence of hashing power.

Somewhat.

There was high correlation until the price crashed after gox.  Now prices are half of what they were, yet hashing power has increased.

bluemeanie1
May 20, 2014, 06:40:30 PM
 #53

> > telepathetic,
> >
> > not to mention that there is an (unknown and likely linear) relationship between intrinsic value of BTC and cost and presence of hashing power.
>
> Somewhat.
>
> There was high correlation until the price crashed after gox. Now prices are half of what they were, yet hashing power has increased.


that's because it was overpriced.

-bm

Cryddit
May 20, 2014, 07:21:30 PM
 #54


Colored Coins etc. make it much harder to know how much value we need the blockchain to protect.  The fact that these values are essentially "hidden" from the protocol means we can't tell what we need to do to maintain any kind of parity with them.

One popular (and possibly correct) view of things is that in the long run the cheapest available price of electricity times the amount of electricity spent per block, will approach the value of the block reward in a PoW system. 

Right now we have a Bitcoin block reward worth approx. $12000.  If this view is correct, we should expect, worldwide, to see about $12000 worth of electricity (increasingly concentrated where electricity is cheapest) expended per block by hashing rigs. 

Right now transaction fees are providing a very small percentage (one third of one percent?  I think?) of the block rewards. 

At  some point in the future, moving to transaction fees as a primary source of mining revenue, implies that each kilowatt-hour of electricity invested in securing the blockchain will have to secure three hundred times as much value (relative to its own value) from attack as it does now. 

I'm convinced that's not really enough.  If we stick with Proof-of-work, we're going to have to start charging transaction fees based on how much value is changing hands, because we want to buy security proportional to the value we're trying to secure, not proportional to the amount of space it takes to store the transaction.  And that means the amount of value changing hands has to be visible, and that therefore Colored Coins etc will have to be more 'transparent' in terms of the protocol knowing how much they're worth (and therefore how much security we need to buy to keep them secure).

bluemeanie1
May 20, 2014, 08:01:19 PM
 #55


> Colored Coins etc. make it much harder to know how much value we need the blockchain to protect. The fact that these values are essentially "hidden" from the protocol means we can't tell what we need to do to maintain any kind of parity with them.
>
> One popular (and possibly correct) view of things is that in the long run the cheapest available price of electricity times the amount of electricity spent per block, will approach the value of the block reward in a PoW system.

that's perhaps the asymptotic value of a block reward in a PoW system- we will always have secondary costs although they will theoretically get lower as time goes by.  But really can we predict much of anything in that time frame?

> Right now we have a Bitcoin block reward worth approx. $12000. If this view is correct, we should expect, worldwide, to see about $12000 worth of electricity (increasingly concentrated where electricity is cheapest) expended per block by hashing rigs.
>
> Right now transaction fees are providing a very small percentage (one third of one percent? I think?) of the block rewards.
>
> At some point in the future, moving to transaction fees as a primary source of mining revenue, implies that each kilowatt-hour of electricity invested in securing the blockchain will have to secure three hundred times as much value (relative to its own value) from attack as it does now.
>
> I'm convinced that's not really enough. If we stick with Proof-of-work, we're going to have to start charging transaction fees based on how much value is changing hands, because we want to buy security proportional to the value we're trying to secure, not proportional to the amount of space it takes to store the transaction. And that means the amount of value changing hands has to be visible, and that therefore Colored Coins etc will have to be more 'transparent' in terms of the protocol knowing how much they're worth (and therefore how much security we need to buy to keep them secure).

the problem of transaction fees is even more serious and I've pointed this out before.

1) it's a given that TX fees will need to increase over time

2) if they increase past a certain threshold and the use of bitcoin becomes more expensive than alternatives like Paypal, not only will Bitcoin become unattractive for users, it will become unattractive for investors, and thus there will be a collapse in price.  I can't see how we can avoid this future as the computation requirements to run the bitcoin network get larger and larger.  Again, NXT does not have these issues.

-bm

jonald_fyookball
May 20, 2014, 08:05:36 PM
 #56



> 1) it's a given that TX fees will need to increase over time


why is that a given?


Cryddit
May 20, 2014, 08:26:40 PM
 #57

one problem with the ASIC race is that the force we're trying to secure the blockchain against is the same force that we're using to secure it.

It's hashing power on the attack and hashing power on the defense. If the legit market calls hashing power into existence, then some future reversal or shift in circumstance can move that hashing power from defense to attack. And with marginal profits from defense approaching zero, the miners are always balanced on this knife edge where the smallest change could make an attack more profitable than continuing defense.

I'm reminded of what Pratchett's character Vetinari said about hiring mercenaries:  You have to pay them to start fighting, and unless you are very lucky you also have to pay them to stop.
jonald_fyookball
May 20, 2014, 08:32:00 PM
 #58

> one problem with the ASIC race is that the force we're trying to secure the blockchain against is the same force that we're using to secure it.
>
> It's hashing power on the attack and hashing power on the defense. If the legit market calls hashing power into existence, then some future reversal or shift in circumstance can move that hashing power from defense to attack. And with marginal profits from defense approaching zero, the miners are always balanced on this knife edge where the smallest change could make an attack more profitable than continuing defense.
>
> I'm reminded of what Pratchett's character Vetinari said about hiring mercenaries: You have to pay them to start fighting, and unless you are very lucky you also have to pay them to stop.

interesting.

I think what we might see in the future is some kind of normalization. 

The network hashrate growth will slow down, stop, or possibly decline at some point... Mining will be seen less as opportunistic, and more in line with other businesses that require years to reach breakeven.

So, profits may shrink, but things may become more stable and predictable.

ChuckOne
May 20, 2014, 08:55:31 PM
 #59

> > What do you mean by iterating through thousands of possible current block signatures?
>
> Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)

There is no ECDSA involved. Just sha256.
telepatheic
May 20, 2014, 09:03:34 PM
 #60

> > Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)
>
> There is no ECDSA involved. Just sha256.

Yes there is; when you sign a block with NXT you sign it using ECDSA. It is this signature that is used to calculate who gets to sign the next block and therefore you need to iterate through different ECDSA possibilities to produce the lowest value when you combine it with your public key and take the SHA256 hash of the two combined.