ArticMine PMed me after I wrote
that flaming post, and said he would reply after studying my posts. He has not yet replied. Does that mean I am correct and there is no solution for Monero. I think so.
It is fundamental. Afaics, you'd have to completely rewrite Moaneuro.
Rewrite Monero, is not necessary at all but some documentation on how the Cryptonote adaptive blocksize limits actually work is needed, especially given the formula in section 6.2.3 of the Cryptonote Whitepaper is wrong.
https://cryptonote.org/whitepaper.pdf. My response will come in time.
I will start by examining the Cryptonote Penalty Function for oversize blocks. This is critical to understand any form of spam attack against a Cryptonote coin. From the Cryptonote whitepaper I cited above the penalty function is:
Penalty =
BaseReward (
BlkSize / M
N - 1)
2The new reward is:
NewReward =
BaseReward -
PenaltyWhere M
N is the median of the blocksize over the last N blocks
BlkSize is the size of the current block
BaseReward is the reward as per the emission curve or where applicable the tail emission
NewReward is the actual reward paid to the miner
The Maximum allowed blocksize,
BlkSize, is 2M
NThe penalty is only applied when
BlkSize > (1 + B
min) M
N Where 0 < B
min < 1 In the Cryptonote whitepaper B
min = 0.1.
The error in the Cryptonote Whitepaper was to set
NewReward =
PenaltyFor simplicity I will define:
BlkSize = (1+B) M
NBaseReward = R
basePenalty (for a given B) = P
BNewReward (for a given B) = R
BThe penalty for a given B becomes:
P
B = R
baseB
2While the new reward for a given B becomes:
R
B = R
base(1 - B
2)
The first derivative of P
B with respect to B is
dP
B /
dB = 2R
baseB
In order to attack the coin by bloating the blocksize the attacker needs to cause at least over 50% of the miners to mine oversize blocks and for an expedient attack close to 100% or the miners to mine oversize blocks. This attack must be a maintained over a sustained period of time and more importantly must be maintained in order to keep the oversized blocks, since once the attack stops the blocks will fall back to their normal size. There are essentially two options here:
1) A 51% attack. I am not going to pursue this for obvious reasons.
2) Induce the existing miners to mine oversize blocks. This is actually the more interesting case; however after cost analysis it becomes effectively a rental version of 1 above. Since the rate of change (first derivative) of P
B is proportional to B the most effective option for the attacker is to run the attack with B = 1. The cost of the attack has as a lower bound R
base but would be higher, and proportional to, R
base because miners will demand a substantial premium over the base reward to mine the spam blocks due to the increased risk of orphan blocks as the blocksize increases and competition from legitimate users whose cost per KB for transaction fees needed to compete with the attacker will fall as the blocksize increases. The impact on the coin is to stop new coins from being created while the attack is going on. These coins are replaced by the attacker having to
buy coins on the open market in order to continue the attack. The impact of this is to further increase the costs to the attacker.
It at this point where we see the critical importance of a tail emission since if R
base = 0 this attack has zero cost and the tragedy of the commons actually occurs.
This is the critical difference between those Cryptonote coins that have a tail emission, and have solved the problem, such as Monero and those that do not, and will in a matter of time become vulnerable, such as Bytecoin.Edit June 12, 2022 02:37:35: PM Previous edit January 18, 2016, 05:45:13 AM
This edit is after the start of the tail emission so R
base = 0.6 XMR, and over six years since the original post. I wish to note the following:
We add a transaction of size T
T to a block at a point B in the penalty, and define B
T = T
T / M
N; the new penalty becomes R
base(B+B
T)
2. The difference between the old and the new penalty is then R
base(2BB
T + B
T2)
a) The cost of the attack in 2 above with B = 1, which was later called "The Big Bang" attack can be shown to have a lower bound of 4R
base by analyzing the game theory of the Monero fee market. The only assumption that is needed is a free market of miners and users acting in their enlightened self interest. To understand this fee market one needs to consider a mining adding transactions to a block. The miner adds transactions in the order of the fee per byte (this is actually a very good approximation, where the B
T << B, to the discrete optimization problem). The miner will then stop given one of the following:
1) The miner runs out of transactions
2) The additional penalty to add a transaction is greater than the fee paid by the transaction
3) B = 1 (There is no more space in the block)
The key to the game theory is that:
The last transaction added to the block has paid the lowest fee, and this fee corresponds to the highest additional penalty paid to add a transaction to the block One can then place a lower bound on the cost of a Big Bang attack per block at B = 1 as 4R
base. R
base goes to feed the penalty compensating the miners for an effective coin burn, while 3R
base goes to the miners who profit at the expense of the attacker. The original wording gives the impression that the cost per block to the attacker is only R
base. This latter cost per block is actually the additional cost per block for a Big Bank attack as an add on to a 51% attack as in 1 above.
b) The analysis in a) above does not take in to account the additional cost and delay to a Big Bang attacker as a result of Long Term Median that was added starting in 2019
c) The additional cost to a Big Bang attacker due to orphan block refers to, Peter R. Rizun,
A Transaction Fee Market Exists Without a Block Size Limit, August 2015
https://www.bitcoinunlimited.info/resources/feemarket.pdf. This leads to an additional effective penalty. that is exponential in the blocksize and proportional to the block reward. This is of course subject to the assumptions in the paper.