Bitcoin Forum
Topic: Decentralized Timestamp
bluemeanie1
May 20, 2014, 09:06:14 PM
 #61



1) it's a given that TX fees will need to increase over time
 


why is that a given?


because block rewards will decrease.

from the Bitcoin wiki : "The number of Bitcoins generated per block is set to decrease geometrically"

eventually the reward will be so small compared to the cost to generate them that TX fees will be required.  At that point we're not completely sure what will happen.  Tulips anyone?  :)

-bm

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
ChuckOne
May 20, 2014, 09:06:36 PM
 #62

In a double spend attack (including a "51% attack") the attacker would be the one generating the sequence of blocks.  That means each block relies on the prior block also made by the attacker.  The attacker signs a block and if it doesn't allow him to forge the next block, just keeps re-signing it until it does (as pointed out a single digest can have an infinite number of unique signatures by changing the k value). The attacker attempts signatures until he produces one which allows him to sign the next block as well.  The attacker then moves on to the next block.  If this seems kind of like a PoW it is.

Let me correct this nonsense.

As no ECDSA is involved and the only thing that can be used in

generation_signature_hash = sha256(generation_signature_of_current_block + my_public_key) <<<<< + means concat

to manipulate are:

generation_signature_of_current_block  << fixed by the previous block
my_public_key                                  << fixed by the number of accounts an attacker has


So, the only thing he can do, is to create billions of accounts holding at least >0 NXT to try out each of them.
ChuckOne
May 20, 2014, 09:07:56 PM
 #63

Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)

There is no ECDSA involved. Just sha256.

Yes there is, when you sign a block with NXT you sign it using ECDSA. It is this signature that is used to calculate who gets to sign the next block and therefore you need to iterate through different ECDSA possibilities to produce the lowest value when you combine it with your public key and take the SHA256 hash of the two combined.

Show me the code.

This is what I mean:
 1) https://bitbucket.org/JeanLucPicard/nxt/src/046e59e4df43309a37c2789efd39dba4a873bbe2/src/java/nxt/Generator.java?at=master#cl-118
 2) https://bitbucket.org/JeanLucPicard/nxt/src/046e59e4df43309a37c2789efd39dba4a873bbe2/src/java/nxt/BlockchainProcessorImpl.java?at=master#cl-731

No ECDSA involved.
bluemeanie1
May 20, 2014, 09:10:35 PM
 #64

one problem with the ASIC race is that the force we're trying to secure the blockchain against is the same force that we're using to secure it.

It's hashing power on the attack and hashing power on the defense.  If the legit market calls hashing power into existence, then some future reversal or shift in circumstance can move that hashing power from defense to attack.  And with marginal profits from defense approaching zero, the miners are always balanced on this knife edge where the smallest change could make an attack more profitable than continuing defense.

I'm reminded of what Pratchett's character Vetinari said about hiring mercenaries:  You have to pay them to start fighting, and unless you are very lucky you also have to pay them to stop.

it reminds me of the cold war US-Soviet Nuclear Détente.

-bm

jonald_fyookball
May 20, 2014, 09:12:17 PM
 #65



1) it's a given that TX fees will need to increase over time
 


why is that a given?


because block rewards will decrease.

from the Bitcoin wiki : "The number of Bitcoins generated per block is set to decrease geometrically"

eventually the reward will be so small compared to the cost to generate them that TX fees will be required.  At that point we're not completely sure what will happen.  Tulips anyone?  :)

-bm

Yes but that "eventually" is a ways off.  
There's many more years of mining for block rewards.  
I don't think anyone is seriously worried about this
right now.  

Talk to me in 5 years about it.  :)


Peter R
May 20, 2014, 09:13:55 PM
 #66

I've been bashing my head against the wall with Bluemeanie over here too: https://bitcointalk.org/index.php?topic=613643.msg6841920#msg6841920

1.  He does not believe that the cost to produce a commodity tends to the market price of that commodity.  For example, the cost to produce 25 BTC (in USD) tends to the market value of those 25 BTC, so as the market value of bitcoin increases so too does the cost of attempting a 3-confirm double-spend.  He apparently disagrees and calls this "pulp fiction economics."

2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.  

Point 2 is why digital IOUs like colored coins are most likely to trade on the dominant network (which is presently bitcoin).  You can't trade digital assets for real bitcoins in a trustless way on the Nxt network like you can using colored coins.  Ironically, I was discussing this point with Nxt advocates and they told me that I was wrong here too--that you can trade Nxt assets for real bitcoins in a trustless way.    




Run Bitcoin Unlimited (www.bitcoinunlimited.info)
ChuckOne
May 20, 2014, 09:23:18 PM
 #67

Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)

There is no ECDSA involved. Just sha256.

Yes there is, when you sign a block with NXT you sign it using ECDSA. It is this signature that is used to calculate who gets to sign the next block and therefore you need to iterate through different ECDSA possibilities to produce the lowest value when you combine it with your public key and take the SHA256 hash of the two combined.

Show me the code.

This is what I mean:
 1) https://bitbucket.org/JeanLucPicard/nxt/src/046e59e4df43309a37c2789efd39dba4a873bbe2/src/java/nxt/Generator.java?at=master#cl-118
 2) https://bitbucket.org/JeanLucPicard/nxt/src/046e59e4df43309a37c2789efd39dba4a873bbe2/src/java/nxt/BlockchainProcessorImpl.java?at=master#cl-731

No ECDSA involved.

I think I see now the cause for this confusion. Let me put it simply:

generation signature is not block signature

generation signature = hash(generation signature of previous block concatenated with the forger's public key)
block signature = signature of block; forger's private key required


purpose of generation signature => providing the hit
purpose of block signature => providing block integrity
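
Added example (not part of ChuckOne's post and not NXT's own code): a small Python model of the distinction drawn above, showing that re-signing a block or changing its transactions leaves the successor's hit unchanged, and that a validating node can recompute the generation signature from public data. The function and field names, the 32-byte placeholder keys, the random stand-in for a block signature, and the way the hit is read from the hash (first 8 bytes, little-endian) are assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass


def next_generation_signature(prev_gen_sig: bytes, forger_pubkey: bytes) -> bytes:
    """sha256(previous generation signature || forger's public key), as stated in the thread."""
    return hashlib.sha256(prev_gen_sig + forger_pubkey).digest()


def hit(gen_sig: bytes) -> int:
    # Assumption for this example: the hit is the first 8 bytes, little-endian.
    return int.from_bytes(gen_sig[:8], "little")


@dataclass(frozen=True)
class Block:
    forger_pubkey: bytes
    generation_signature: bytes
    payload: bytes          # transactions, free for the forger to choose
    block_signature: bytes  # integrity only; never feeds the next generation signature


def forge(prev: Block, forger_pubkey: bytes, payload: bytes) -> Block:
    gen_sig = next_generation_signature(prev.generation_signature, forger_pubkey)
    # Stand-in for a randomized signature (fresh nonce each call); not real signing.
    block_sig = hashlib.sha256(os.urandom(32) + payload + gen_sig).digest()
    return Block(forger_pubkey, gen_sig, payload, block_sig)


def verify_generation_signature(block: Block, prev: Block) -> bool:
    """What a validating node can recompute from public data alone."""
    expected = next_generation_signature(prev.generation_signature, block.forger_pubkey)
    return block.generation_signature == expected


# Constructed sample data: 32-byte placeholder keys, not real accounts.
GENESIS = Block(b"\x00" * 32, b"\x00" * 32, b"", b"\x00" * 32)
ALICE = hashlib.sha256(b"constructed-key-alice").digest()
BOB = hashlib.sha256(b"constructed-key-bob").digest()


def successor_hits_after_resigning(attempts: int = 5) -> set:
    """Re-forge the same height with different payloads and signatures;
    collect the hit Bob would get on top of each variant."""
    hits = set()
    for i in range(attempts):
        variant = forge(GENESIS, ALICE, payload=b"tx-set-%d" % i)
        hits.add(hit(next_generation_signature(variant.generation_signature, BOB)))
    return hits


def block_signatures_differ(attempts: int = 5) -> bool:
    sigs = {forge(GENESIS, ALICE, b"same").block_signature for _ in range(attempts)}
    return len(sigs) == attempts


if __name__ == "__main__":
    print("distinct block signatures:", block_signatures_differ())
    print("distinct successor hits:  ", len(successor_hits_after_resigning()))
    print("hit differs per account:  ",
          hit(next_generation_signature(GENESIS.generation_signature, ALICE))
          != hit(next_generation_signature(GENESIS.generation_signature, BOB)))
```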
bluemeanie1
May 20, 2014, 09:28:08 PM
 #68

you're greatly misconstruing my points.

This is one VIEWPOINT on economics and it centers around the notion of scarcity.

-bm


bluemeanie1
May 20, 2014, 09:30:39 PM
 #69


2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.  


you clearly don't understand the nature of these risks and I suggest you do more reading here and less posting.

THANKS!   :D

-bm

telepatheic
May 20, 2014, 09:52:10 PM
 #70

I think I see now the cause for this confusion. Let me put it simply:

generation signature is not block signature

generation signature = hash(generation signature of previous block concatenated with the forger's public key)
block signature = signature of block; forger's private key required


purpose of generation signature => providing the hit
purpose of block signature => providing block integrity

You still aren't understanding me. You have to get lucky and be allocated a block randomly as per normal. Now you get the chance to create a block signature. Once you get this opportunity you can iterate through many different possibilities for the block signature such that the next block is guaranteed to be signed by you.

The crucial bit of the code is hash(generation signature of previous block concatenated with the forger's public key). If you are able to manipulate the signature of the previous block because you were randomly allocated the ability to sign the previous block then you can make sure this hash is very small.
telepatheic
May 20, 2014, 09:55:30 PM
 #71

2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.    

Some people don't use these special transactions and instead exchange coloured coins/ mastercoins directly for fiat or products or services, this enables successful double spends.
Peter R
May 20, 2014, 10:06:32 PM
 #72

2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.    

Some people don't use these special transactions and instead exchange coloured coins/ mastercoins directly for fiat or products or services, this enables successful double spends.

Correct.  Double spends are possible when trading blockchain assets for something external to the blockchain, whether the blockchain assets are bitcoins or colored coins.  The advantage of colored coins on the bitcoin network is they can be traded risk-free for bitcoins (since they are registered on the same blockchain and can be exchanged with a single coinjoin TX). 

In other words, there is an advantage to trading assets registered on a particular blockchain with the native currency of that blockchain because these trades can be made risk free (the trade either happens or it doesn't--one party can't get stiffed).   

bluemeanie1
May 20, 2014, 10:30:30 PM
 #73

2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.    

Some people don't use these special transactions and instead exchange coloured coins/ mastercoins directly for fiat or products or services, this enables successful double spends.


these assets are presumably exchangeable for something else outside the system.  Let's say I can exchange the cryptonote for gold at any time.  So I exchange it for gold, then release my counterfeit chain where I still own the gold note.  Then cash it in for gold again?

if such an event were to occur the entire system would collapse because confidence would be destroyed.

it's not difficult to execute such an attack.

-bm

bluemeanie1
May 20, 2014, 10:31:52 PM
 #74

2.  He does not understand that "attacking the network" to attempt to reverse a colored-coin trade for bitcoin is sort of pointless.  If Bluemeanie buys my colored coin for 100 BTC and then double-spends to reverse the transaction (after spending a lot of money to do so), sure he'll end up with his 100 BTC back in the unlikely case that he is successful, but I'll end up with my colored coin back.  With coinjoin, the trade was a single transaction.    

Some people don't use these special transactions and instead exchange coloured coins/ mastercoins directly for fiat or products or services, this enables successful double spends.

Correct.  Double spends are possible when trading blockchain assets for something external to the blockchain, whether the blockchain assets are bitcoins or colored coins.  The advantage of colored coins on the bitcoin network is they can be traded risk-free for bitcoins (since they are registered on the same blockchain and can be exchanged with a single coinjoin TX). 

In other words, there is an advantage to trading assets registered on a particular blockchain with the native currency of that blockchain because these trades can be made risk free (the trade either happens or it doesn't--one party can't get stiffed).   


even if you want to believe this scenario still somehow preserves the value of Color Coins technology you ignore the fact that you can reverse price collapses and market rallies.

-bm

ChuckOne
May 21, 2014, 06:47:26 AM
 #75

You still aren't understanding me. You have to get lucky and be allocated a block randomly as per normal. Now you get the chance to create a block signature. Once you get this opportunity you can iterate through many different possibilities for the block signature such that the next block is guaranteed to be signed by you.

The crucial bit of the code is hash(generation signature of previous block concatenated with the forger's public key). If you are able to manipulate the signature of the previous block because you were randomly allocated the ability to sign the previous block then you can make sure this hash is very small.

Why are you still referring to the block signature? It has nothing to do with forging.

You cannot iterate through many different possibilities for the generation signature because there is only one possibility for each account.
telepatheic
May 21, 2014, 08:04:47 AM
 #76


Why are you still referring to the block signature? It has nothing to do with forging.

You cannot iterate through many different possibilities for the generation signature because there is only one possibility for each account.

I've looked through the code again and I am wrong. The generator signature is completely deterministic and not a signature, just a hash. This allows a forger to look ahead and see likely next values of the generator signature/hash and so simply transfer coins to a public key calculated such that it has a high probability of being a future forger.
gmaxwell
May 21, 2014, 08:09:04 AM
 #77

The generator signature is completely deterministic and not a signature, just a hash.
It was a signature in their original code. What is it a hash over now?
telepatheic
May 21, 2014, 08:31:28 AM
 #78

It was a signature in their original code. What is it a hash over now?

It is the SHA256 hash of the previous generation signature concatenated with the block signer's public key.
shekelsteingoyberg2
May 21, 2014, 09:07:01 AM
 #79

So I was discussing this with a friend and was wondering if you guys had any input, how would you go about creating a decentralized system that agrees on the current time?

Preferably not Proof of Work.

Thanks.

https://research.microsoft.com/en-us/um/people/lamport/pubs/time-clocks.pdf

Re-invent the wheel for your special protocol?
iruu
May 21, 2014, 09:12:53 AM
 #80

This leads to fun outcomes like old stake holders can exit the system (sell their coins) and then sell their old keys to people who go fork off the chain at a point in the past, at no cost to themselves. Someone who is later handed two histories— the real one and the simulated one— cannot distinguish them, they can tell— perhaps— that someone was naughty, but that doesn't help them decide which chain is the good one.
That's not true, as in that's not a characteristic of PoS. It's a characteristic of flawed PoS.  

A transaction in block x has to be equivalent to signing it by stake held in inputs (or accounts, whatever the design of the system is).  
Transactions have to be valid in only one blockchain, as to not be replayed.  
If A has 30% of stake, the fake empty block created by A has the same validity as a block generated by A with A's selling transaction to someone. Now the buyer and A can both create their equivalent blockchains. However, all it takes to make one blockchain one valid is another stake signing one block in one of the blockchains in the future.

Fake block stake validity, all by A:
30%, 30%, 30%

True blockchain stake signed:
30% (A's stake, selling), 30% (buyer), 30% (buyer) + 1% (someone else, B)

By signing third block, B effectively validates all blocks before him. So now first fake block has 30% of stake behind it, and true block (with selling transaction) 31%.  

Quote
There are a number of other related implications.  A number of different modifications have been proposed, but so far all of them seem to be obfuscation and not actually fix the underlying issue, which seems a bit fundamental.

You can read more about this in Section 5 of https://download.wpsoftware.net/bitcoin/asic-faq.pdf

It's trivial to create a rule which makes one block with identical stake better than another, like a comparison of hashes. This would lead the honest nodes to completely ignore the worse block. To break that would be equivalent to acting directly against self financial interest, for no reason, and as long as all people in control of a currency don't act against their interests, everything works.  
It's no different to PoW. If I own serious money in a specific cryptocurrency, I'm not going to endanger that, because that would be very costly, although indirectly, just as mining forks in PoW is costly.

Most people living in skyscrapers don't steal and destroy bricks from foundation.  

Note that it takes just one person with one coin to behave correctly, even if literally everyone else is signing all forks, and everything works.  

Why for no reason? Because this shouldn't be profitable, if it is, it's a design error. I don't think it's that important though.  
