rpietila Altcoin Observer

[smooth]

I'm not talking some far-in-the-future hypothesis. I'm talking about the fact that Monero's blockchain is exploding in size with negligible amount of transactions it now process.

This premise is false. You are ignorant of the fact that Monero transactions are not "negligible." You likely assume they are because: 1. Most of the shitcoins, by contrast, have negligible transctions; and 2) Monero is relatively new. In fact Monero has gained nearly unprecedented adoption and usage for an altcoin (e.g. see post #1 on this thread), although at present most of that usage is speculation. That's still usage though.

The blockchain is growing at 6 MB per day with about 3% as many transactions as Bitcoin. There is a small constant factor difference in size between the two, roughly 5x.

Upcoming changes will likely alter this factor but in offsetting directions, so I expect this to remain fairly close.

There's no PHD needed to see that with anything close to BTC amount of transactions it would making running the full Monero node unsustainable for most users.

This is also false. Moore's law will likely make running a full node (even at close to Bitcoin volumes which no one expects) less expensive in the future, not more expensive.

There's many things I like in Monero, but if something looks unrepairable without dreaded hard fork, why not take the best from Monero and move it to a new currency which doesn't have the super-fat blockchain problem?

Hard forks are not themselves dreaded. Some development processes have become so politicized and dysfunctional as to make changing anything nearly impossible, and likewise some incompetent developers have done hard forks poorly. Both of those are what should be dreaded, and both of those will be avoided by Monero.

If hard forks are needed to make significant improvements to Monero they will be done (correctly).

[Joshuar]

Just so everyone knows, bitcoin has went through a hard fork, hell, darkcoin went through about 3 hard forks....it's nothing complicated, the only reason I should suspect some people here rather want a new coin, than a simple hard fork, is because they want to mine and accumulate coins from early with low difficulty. Crypto really has the greediest people...sad.

[itod]

I'm not talking some far-in-the-future hypothesis. I'm talking about the fact that Monero's blockchain is exploding in size with negligible amount of transactions it now process.

This premise is false. You are ignorant of the fact that Monero transactions are not "negligible." You likely assume they are because: 1. Most of the shitcoins, by contrast, have negligible transctions; and 2) Monero is relatively new. In fact Monero has gained nearly unprecedented adoption and usage for an altcoin (e.g. see post #1 on this thread), although at present most of that usage is speculation. That's still usage though.

The blockchain is growing at 6 MB per day with about 3% as many transactions as Bitcoin. There is a small constant factor difference in size between the two, roughly 5x.

Upcoming changes will likely alter this factor but in offsetting directions, so I expect this to remain fairly close.

There's no PHD needed to see that with anything close to BTC amount of transactions it would making running the full Monero node unsustainable for most users.

This is also false. Moore's law will likely make running a full node (even at close to Bitcoin volumes which no one expects) less expensive in the future, not more expensive.

Wait a minute, 6MB/day with 3% of Bitcoin transactions, and Bitcoins blockchain grows at 34 MB/day, that's not 5x the growth of blockchain compared to bitcoin, it's 5.82x, closer to 6x for the same number of transactions. You want to tell me that 6x bigger blockchain is not a design flaw, and it can be settled with well orchestrated hard fork? It's not only the question of disk space for a full node to use, it's the question of node's ability to successfully verify every block with such a large amount of data. Relying on Moor's law to solve the problem is not a rational approach. But then again, who am I to advise Monero developers what's best for their coin. If you think it's just fine - great, it's your child.

[smooth]

Wait a minute, 6MB/day with 3% of Bitcoin transactions, and Bitcoins blockchain grows at 34 MB/day, that's not 5x the growth of blockchain compared to bitcoin, it's 5.82x, closer to 6x for the same number of transactions.

I was using round numbers everywhere, it isn't exactly 3% nor exactly 6MB. These numbers can't be measured exactly because they vary constantly (especially transaction volume). Nor is your 34 MB number exactly right because that varies too.

You want to tell me that 6x bigger blockchain is not a design flaw

Exactly. It is a design trade off to achieve blockchain analysis resistance, unlinkability, etc.

If you don't think those things are important then you wouldn't accept that the trade off is worth it. Others clearly disagree.

6x is roughly equivalent to Moore's Law over a 5 year time period, which means the cost of Monero in inflation-adjusted computing resources is right about the same as Bitcoin was when it first launched. This is 100% normal in the computer industry. The equipment builders figure out how build  faster, bigger, and cheaper and the software builders figure out how build improved functionality. A form of "tick-tock" if you will.

[tromp]

I don't like any of the proof-of-work algorithms over Bitcoin's thus far (at least given what I think we know about Cuckoo hash thus far, i.e. seems to be highly parallelizable even if slightly sublinear thus I don't think it will keep GPUs at parity? It might have some role if the number of lightweight cores on mobile increases to some huge number).

What my Cuckoo Cycle benchmarking has shown so far is that 40 Xeon threads is not quite enough to saturate memory. But I imagine a few hundred will. An FPGA or ASIC will be able to generate the memory requests at a much faster rate using hardwired siphash24 computation, and so will hit the parallelization limit much earlier.

Because GPU memory is ill-suited for Cuckoo Cycle's random access to bitpairs in global memory,
which resist coalescing (1M consecutive accesses are on average 512 bytes apart on a large instance),
I expect the GPU to struggle to put hundreds of threads to use. That's why
I posted a $1000 bounty on the speed parity of GPUs and server CPUs for Cuckoo Cycle in
  https://bitcointalk.org/index.php?topic=707879.0
which is duplicated in the README at
  https://github.com/tromp/cuckoo

So you don't think my bounty is safe... care to have a go at it yourself?!

[cAPSLOCK]

Wouldn't be easier for people to just start over with a new currency than deal with a hard fork?

Exactly. The confidence in Monero after the hard fork will be shuttered. It's much better to admit it and try again with new coin than to let the whole concept limp in the future because of the initial design problems.

Are you guys serious? You really think if a better technology comes along, that it is easier to build that network out with a new coin (not to mention testing, getting a developer network behind it, promoting it, etc.) instead of just adding that to Monero, BTC, etc? And then rinse and repeat with each new technological advancement. That makes absolutely no sense.

I thought this same thing.  Hard forks probably do carry an inherent negative impact on a coin's value.  But depending on the reason for the fork that impact could easily be overshadowed by a positive response.  I think this factor is coin/situation dependent. 

A hard fork is serious business, but not the end of a coin in every case IMHO.  I am sure there is precedent for this.

Vericoin did an EXTREMELY controversial hard fork recently, and although the price has reflected a clear negative response the coin is by no means dead or dying because of the fork. (even though much of me thinks it should be)

[dga]

I don't like any of the proof-of-work algorithms over Bitcoin's thus far (at least given what I think we know about Cuckoo hash thus far, i.e. seems to be highly parallelizable even if slightly sublinear thus I don't think it will keep GPUs at parity? It might have some role if the number of lightweight cores on mobile increases to some huge number).

What my Cuckoo Cycle benchmarking has shown so far is that 40 Xeon threads is not quite enough to saturate memory. But I imagine a few hundred will. An FPGA or ASIC will be able to generate the memory requests at a much faster rate using hardwired siphash24 computation, and so will hit the parallelization limit much earlier.

Because GPU memory is ill-suited for Cuckoo Cycle's random access to bitpairs in global memory,
which resist coalescing (1M consecutive accesses are on average 512 bytes apart on a large instance),
I expect the GPU to struggle to put hundreds of threads to use. That's why
I posted a $1000 bounty on the speed parity of GPUs and server CPUs for Cuckoo Cycle in
  https://bitcointalk.org/index.php?topic=707879.0
which is duplicated in the README at
  https://github.com/tromp/cuckoo

So you don't think my bounty is safe... care to have a go at it yourself?!

(a)  It's not a good wage for the time it would take for the kind of people who could do it.  It's probably > 20 hours of work, which would suggest that a $5k bounty might start to get in the right range.

(b)  I believe from the rumormill that a fast CryptoNight implementation from day 1 of XMR was worth something north of $400k in net profit.  Just as a comparison against the value of keeping an optimized implementation private.

I don't think it's reasonable to ask you to put up more of your personal cash - but I think it's reasonable for anyone seriously considering adopting CC to help boost that bounty into the range it would be attractive for someone to actually demonstrate.

[smooth]

(b)  I believe from the rumormill that a fast CryptoNight implementation from day 1 of XMR was worth something north of $400k in net profit.  Just as a comparison against the value of keeping an optimized implementation private.

It is easy to throw out these crazy numbers in hindsight, knowing the coin was going to explode in value.

The coin traded for about 0.0002 or below for the first two weeks (total daily mining output <$3K). For the next week it traded at about 0.001 (total daily mining output about $14K).

At that point public optimized miners started getting released and having an obvious effect on the hash rate (so we know they were being used, and the 100% monopolization assumption becomes increasingly implausible), where it remained for the next few weeks while increasingly optimized public miners were released.

Profits from mining and holding are speculation profits, not mining profits. People could make just as much by buying, and tens of thousands of coins were bought at those prices on OTC and cryptonote.exchange.to, so people were doing just that. Likewise, one could mine with an optimized miner at some huge advantage only to see the coin sink in value, but those too are speculation losses.

Nevertheless, I agree that a $1K bounty is uninteresting, and even $5K isn't that interesting unless you know for sure in advance that your approach is going to succeed (and that you will be the first one to get there). If you have to take risk, $5K is not nearly enough.

[smooth]

I thought this same thing.  Hard forks probably do carry an inherent negative impact on a coin's value.  But depending on the reason for the fork that impact could easily be overshadowed by a positive response.  I think this factor is coin/situation dependent. 

I do not agree it is inherently negative. In fact a coin where developers are unable make important changes (including hard forks) for whatever competence, organizational, or political reasons could see its value decline for that reason.

So I agree what what you said about it being coin/situation dependent.

Hard forks done for bad reasons or which are poorly executed will hurt a coin value.

[AnonyMint]

Do you think it is at all possible to design and implement a "perfect" privacy coin?

If so, can you design it? I've understood that even if you could, you wouldn't have the time / resources to implement it.

Ideally, what should happen in order for you to pull off such a project successfully? How much funding? How big of a team would you need? Who would you select in your team as developers?

1. yes but "devil is in the (so many and always multiplying complexity of...) details" so this is conjecture at this point. Often (as any programmer will attest to) estimates of design are proved grossly incorrect during actual implementation and refinement of a design that existed only in overview in someone's head.

Show me the code, talk is cheap.

2. unknown

3. 1 or 2 developers maximum (unpaid yet vested in project success), because the Mythical Man-Month shows that communication overload (politics and decision making) by groups actually retards the interative design and implementation process of software development. Open source is optimum as a refinement mechanism, not as optimal as an innovation model. Open source is more reactive than proactive. The metric is that if someone has some private innovation, they have to calculate whether they can gain more (or better chance of success) by trying to slog through the politics and decision making of consensus or go it alone. There are tradeoffs on either choice.

I believe that he has stated the he wouldn't want to be seen as a lead developer for such a project.

I did write or imply that.

Monero is the best anonymous system that we have at the moment,

I wanted to agree, but to really be anonymous you need to obscure your IP address connection too, so in that case you could just use Bitcoin.

You can start to make that argument once the I2P or  Tor support is running by default, but still one has to decide if they trust low-latency Chaum mix-nets or if they'd prefer to obtain an unregistered connection to the internet.

Note however that Cyptonote's untraceability and unlinkability adds a form of anonymity that can't be obtained with obscured IP address alone, and that is the correlation of people who have spent to you and you have spend to, so if any one of them leaks your identity then cascade to potentially all your transactions can be identified.

So I would say your point is reasonable, but not absolute.

Even if Zerocash worked and solved their infinite currency problem,

Won't Zerocash have the same problem with a unprunable blockchain?

Just how deeply ingrained to the CryptoNote technology are ring signatures?

Cryptonote could of course copy any new innovation if the community agrees, but they can't copy the developer of those innovations. And that is why the momentum will always stay with the innovator (assuming it continues to innovate and refine) and not the copycat. That developer has more insight into his innovations than the copycats do. And he doesn't have time to explain every damn detail to everyone. He would never get any real work done (the Mythical Man-Month communication overload point again).

If this hypothetical "perfect" cryptocurrency is ever designed, we can cross that bridge then. Hypothetically telling everyone how the hypothetical users of a cryptocurrency would react to a hypothetical hard fork brought on by the introduction of a hypothetical perfect cryptocurrency is...well...nothing more than your hypothesis.

I agree. Hypothetical is silly if taken too far, because no one can predict all of that, not even the person who might be working on the dreamcoin.

One point of my posts was to ascertain where Monero is exactly (to test my assumptions) and also to explain the weaknesses clearly so both that community and any competitors can see clearly where the issues lie.

I am not trying to play some political game wherein I want to spend all my time trying to prevent people from adopting Monero. I think the discussion has reached its fulfillment already.

Anyone speculating in anything fundamentally has to consider hypothetical situations and their associated probabilities.

Agreed, but we can't project very well in detail speculative unknowns. What we can say is that Monero is likely to proceed on its current trajectory.

High transaction fees for trading ... are in fact the major weakness...

There is no level of transaction fees that is stable. I don't enough time right now to collate all my posts about tx fees to summarize the reasons.

You really think if a better technology comes along, that it is easier to build that network out with a new coin (not to mention testing, getting a developer network behind it, promoting it, etc.) instead of just adding that to Monero, BTC, etc?

Agreed the value of the existing network inertia is one of the factors the person with the private innovation has to consider carefully for making the choice whether to contribute it to the existing community or launch a new coin.

Launching a new coin successfully is much more difficult than it seems. Go find one example in an altcoin? Dogecoin got the ramp up from making debasement decline extremely fast and now they are paying the price for it (which I think is the other theoretical egregious flaw that may destroy XMR).

Wait a minute, 6MB/day with 3% of Bitcoin transactions, and Bitcoins blockchain grows at 34 MB/day, that's not 5x the growth of blockchain compared to bitcoin, it's 5.82x, closer to 6x for the same number of transactions. You want to tell me that 6x bigger blockchain is not a design flaw...

As I wrote upthread, I don't think that 5 or 6x calculation is accurate. Because someone told me that Monero currently has a limitation wherein you can't mix too many inputs (incorrect?), so you need to mix multiple times to achieve the same level of mixing you would with one transaction without the limit. Thus many of the transactions are multiple mixes for the same transaction, thus the real bloat is orders-of-magnitude higher than Bitcoin.

But remember from upthread discussion between smooth and myself, that the level of that multiplier is less relevant. I explained (argued) that the real problem is one-time ring signatures make the blockchain unprunable.

Attacking XMR blockchain grow is merely a troll strategy to dismiss it, largely used by darkcoin bagholders

For the record: I don't (nor do anyone I want appease) own any DRK.

[smooth]

As I wrote upthread, I don't think that 5 or 6x calculation is accurate. Because someone told me that Monero currently has a limitation wherein you can't mix too many inputs (incorrect?), so you need to mix multiple times to achieve the same level of mixing you would with one transaction without the limit. Thus many of the transactions are multiple mixes for the same transaction, thus the real bloat is orders-of-magnitude higher than Bitcoin.

People are going to decide what degree of mixing is necessary for their threat model, and we don't know yet what will be typical.

To avoid massive (big data scale) linking and analysis of the entire blockchain, it may be that small mixes of 2 or 3 are sufficient. Even these offer an exponential explosion of paths once the tracing goes through multiple transactions (as opposed to mixes of 1, which offers no such explosion i.e. bitcoin).

As for mixes-of-mixes, those are more efficient than flat mixing (though perhaps vulnerable to some forms of analysis especially if not done carefully). If we assume everyone mixes with mix=2 five times there is an ambiguity factor of 32 to the original source of funds, yet the increase in total signature size on each transaction is only 9. This still does not get to orders of magnitude. Note that you don't need to create all the mix paths, only one path to the true source, because there is no way to identify which path leads back to it.

[smooth]

3. 1 or 2 developers maximum (unpaid yet vested in project success), because the Mythical Man-Month

Have you actually read MMM? My recollection (it has been a while since I read it) was that it suggests a core team size of a half dozen to a dozen, though with carefully delineated roles. The Monero core team is actually quite close to this ideal, though perhaps that is not so apparent from the outside. We have also done well to identify important projects that can be done largely independently of the core team (i.e. they have their own core team of manageable size). This is not an accident.

[AnonyMint]

3. 1 or 2 developers maximum (unpaid yet vested in project success), because the Mythical Man-Month

Have you actually read MMM? My recollection (it has been a while since I read it) was that it suggests a core team size of a half dozen to a dozen, though with carefully delineated roles. The Monero core team is actually quite close to this ideal, though perhaps that is not so apparent from the outside. We have also done well to identify important projects that can be done largely independently of the core team (i.e. they have their own core team of manageable size). This is not an accident.

I agree with you on refinement with a clear concrete specification— the author of MMM was working for IBM. Whereas I was answering to the innovation stage where there is no specification and everything in the entire holistic iterative design-by-inquiry is open to change. In that case it is difficult to create orthogonal roles and communication overload or miscommunication or disagreement gets in the way.

P.S. I edited my prior post in a few areas to make it more fair and balanced, e.g. the #1 answer and the link on the word "theoretical" to emphasize it is not a widely accepted fact.

[AnonyMint]

You can start to make that argument once the I2P or  Tor support is running by default, but still one has to decide if they trust low-latency Chaum mix-nets or if they'd prefer to obtain an unregistered connection to the internet.

For the record, I think it was my posts some months ago that caused them to realize they needed IP obfuscation.

So my posts are also in some ways constructive for Monero.

I did however make criticisms about I2P and Tor not being entirely trustable (perhaps against determined hacker or especially probable against a global adversary). I've also conceded that is adds a layer of anonymity with some probability.

[AnonyMint]

And here is an example of what I predicted w.r.t. to innovation originating from smaller teams.

Boolberry looks better thanhas some innovations on Monero (at least until Monero adds I2P and copies these features, then Monero has the better name).

1. It prevents the cascade of linkability when other users in your mix don't mix as much as you do (although this could lead to gridlock if not managed somehow).

2. It claims to prune the blockchain by an estimated 30 - 70% (note this is still not enough to deal with the 100s of Petabytes scaling criticism I made upthread, because it is only a constant factor). Edit: when I formerly thought deeply about pruning Cryptonote, it seemed you'd have no way to prevent someone in your mix from not spending forever, thus making pruning impossible in that case. So I have some doubt about his claim.

3. It cleverly uses block chain random data to determine the random lookup indices for memory hardness, thus in theory computation can not be traded for space. Thus it is faster with roughly the same ASIC resistance as Monero. Note this does not make it ASIC proof nor does it remove my concern that the strategy could cause a complex ASIC to appear later which would be proprietary for some longer duration thus causing centralization of mining as compared to an ASIC that was ubiquitous sooner due to not being complex (off the shelf designs being already available). I admire this idea as a short-time way to help insure CPU-only. I need to study it more to see if I can find any flaw.

4. It has a novel block chain debasement (emission) schedule based on an algorithm that relates to difficulty change. I need to study this before commenting. Edit: this is Infinium-8, not Boolberry.

My suggestion to the Monero core. Go make a deal with Boolberry immediately. Given him a lot of coins and make him your #1 developer and give him a lot of control.

[r0ach]

off topic:  I'm trying to figure out the most efficient way of converting a standard PoW chain that's still being mined to a DPOS system.  Bitshares did just a "snapshot of the chain" method of PTS>BitsharesX.  I was thinking proof of burn would be useful, but it seems like it would have the exact same centralization or central point of failure as the snapshot method, and I was hoping this is something people would be able to do over a long period of time without entirely trusting a central authority.  It seems like the snapshot method is something I'll have to use.

[AnonyMint]

4. It has a novel block chain debasement (emission) schedule based on an algorithm that relates to difficulty change. I need to study this before commenting.

This is Infinium-8, not Boolberry.

Thus this changes my opinion about the need to make a big deal with the Boolberry developer. I thought all the innovations had come from him.

P.S. I edited my prior post.

[r0ach]

4. It has a novel block chain debasement (emission) schedule based on an algorithm that relates to difficulty change. I need to study this before commenting.

I don't like variable block reward based on hashrate/difficulty.  We've already seen it in Darkcoin and others before it.  It mostly serves as a pyramid scheme attribute.  If I did debasement in PoW, I would use flat 1% most likely, 2% max.  I'm not a believer in PoW anymore at all though besides it's vital need in distribution.  It's a complete dead end.  Summary of issues = the cartoon I created below:

[smooth]

As you point out BBR has some features that are interesting and well-designed, though there are also some issues with them.

I admire this idea [blockchain as scratchpad] as a short-time way to help insure CPU-only. I need to study it more to see if I can find any flaw.

It certainly is not CPU-only even short term as there have been private GPU miners with a significant advantage since shortly after launch (and public ones recently).

We have studied every BBR feature. I'm not familiar with Infinium-8 yet. As always it is hard to keep up with the flood of shitcoins. I'm pretty sure the mining reward as a function of difficulty idea comes from some bitcoin clones though. It is not new.

[smooth]

off topic:  I'm trying to figure out the most efficient way of converting a standard PoW chain that's still being mined to a DPOS system.  Bitshares did just a "snapshot of the chain" method of PTS>BitsharesX.  I was thinking proof of burn would be useful, but it seems like it would have the exact same centralization or central point of failure as the snapshot method, and I was hoping this is something people would be able to do over a long period of time without entirely trusting a central authority.  It seems like the snapshot method is something I'll have to use.

The snapshot method is being more fully developed by some bitcoin folks here: https://bitcointalk.org/index.php?topic=563972.0