Gist: shelby3/5c1271128a76ccc24d2408b9fb1464b6
Are DECENTRALIZED, Scalable Blockchains Impossible?

Satoshi’s proof-of-work (PoW) can only end up as a mining oligarchy or in Hara-kiri self-destruction. Proof-of-stake (PoS) is only ever functional if it is already an oligarchy. I propose a solution to this mess* in the PoTM section below.

Oligarchies extract maximum rents from their ecosystems, unlike decentralized protocols such as the Internet.

On A Pale Horse

* And PoW could get quite messy because potentially many interesting surprises may lie along the road to defeating decentralization and forming the mining oligarchy or Hara-kiri outcome.

The tragedy is that the chronological ordering of blocks (of transactions) doesn’t have a decentralized objective consensus* which isn’t deleterious to the commons. Hence the commons is either dissolved, destroyed or a coercive power must step into the destructive power vacuum to enforce order.

At a cursory examination, PoW may appear to offer an objective consensus based on a randomized, decentralized competition to burn electricity. Dissecting it further though, the monolithic grouping of transactions into blocks is incompatible with a sustainable decentralized objective consensus.*

* The phrase “decentralized objective consensus” is a pleonasm, because an objective consensus by definition doesn’t require a (top-down, subjective) centralized coercive power to enforce a protective order for the commons. Coercion isn’t consensus. Objectivity in this context means that every participant, acting in its own objective best interest, has only non-relativistic strategy choices, and those choices together form a Nash equilibrium; that is what provides the objective consensus. An objective consensus’ relationship to the commons may be supportive and protective, or it may be dysfunctional and deleterious.

In a Nash equilibrium, no participant can improve its outcome by unilaterally changing its strategy given the strategies chosen by the others, so the strategies don’t shift in response to each other.

Dysfunctional if Significant Transaction Revenue

I predicted repeatedly (in 2013, 2014, and 2016) that the flaw in Nakamoto proof-of-work was transaction fees and block size, as the transaction fees rose in prominence relative to the minted block rewards.

Research (Carlsten, Kalodner, Weinberg, and Narayanan, “On the Instability of Bitcoin Without the Block Reward”, 2016) has modeled and tested in a simulator that PoW revenue incentivizes a dysfunctional objective consensus (and even non-equilibria in some circumstances) when the revenue from transaction fees becomes significant compared to* the revenue from the protocol-dictated block reward. This isn’t some pie-in-the-sky academic conjecture. It’s the reality of what will happen. Vitalik was even aware of these “Game-Theoretic Attacks” before that research was published.

And the ByzCoin design didn’t resolve the problem (c.f. also the longer explanation). Those who think that senders of transactions won’t be motivated to pay lower fees directly to an oligarchy of miners fail to understand that fees on any PoW system must either rise ever higher (if block size is constrained, as explained in the Oligarchy or Hara-kiri if Limited Block Size section) or spiral ever lower (as explained in the Oligarchy or Hara-kiri if Adaptive Block Size Protocol section) until an oligarchy is formed to take control over fees.

Note that the flaw in ByzCoin, i.e. the game theory of miners incentivizing transacting users to pay their transaction fees directly to miners out-of-band from the ByzCoin protocol, doesn’t apply to miners of Satoshi’s PoW offering to share their protocol-dictated block rewards out-of-band, because the bribe to be shared can at most double the reward of the “PettyCompliant” miner (and is less than a doubling, because the miner offering the bribe has to retain some of the reward). Thus PoW with significant protocol-dictated block rewards is not vulnerable to the posited dysfunction.

Craig Wright of nChain explained this more generally from a microeconomics perspective:

Bitcoin was simplified to only involve the solution of securing the network to ensure that no alternatives could diminish the security of the system. That is, it forms a simple two-good, two-person Edgeworth box economy form of a distribution problem. At each point, there is a known solution representing the way of distributing goods between members. Each of these states is mutually exclusive. Although each agent will express his or her own preferences for alternative uses, it remains simple to determine the overall maximal returns.

Without alternatives, the mining solution becomes Pareto efficient.

The primary problem with the addition of alternate forms of utility is how to choose which one is included, how much and then who decides. This additional created utility varies between the users of the network. That is, no two individuals will have the same preference for this use. This is even assuming a single use alternative and precluding the addition of multiple competing solutions. In these extended scenarios we come up against problems such as Condorcet’s paradox.

Unlike the block reward which is dictated by the protocol, the miner controls which of the available transactions waiting in the mempool (to be added to a block) are included in the block. When transaction revenue is significant, this range of choice available to the miner mandates a different optimum strategy—which is to create a proliferation of competing chains instead of mining on the longest chain. At best, after some intervals much longer than the target block period (e.g. much longer than 10 minutes for Bitcoin), these excessive competing chains are orphaned, yet the excessive delays (up to hours or days) and variance of delay in the confirmation of transactions is dysfunctional, with a growing backlog of transactions, more aggressive selfish mining, broken market for transaction fees, and lowered security against 51% attacks. At worst, consensus is lost and the blockchain diverges into ever increasing numbers of forks!


The figure shows a scenario where forking might be more profitable than extending the longest chain.

It becomes a tragedy of the commons because if one miner publishes a block with X transaction revenue, other miners have the choice, instead of mining on that new block, to continue mining on the prior block and publish a block with much less than X transaction revenue, leaving the excess transactions for the next miner to claim if it mines on the latter chain instead of the former. Thus, instead of being dictated to cooperate on an efficient longest-chain strategy by the protocol-dictated block reward, the miners create competing chains to divvy up the transaction revenue in different proportions. The research model and simulator determined that the revenue-optimal strategy for the miner (absent negative externalities such as a collapsing usership and token exchange price) is this dysfunctional tragedy-of-the-commons strategy.

Even worse, my mathematical intuition causes me to doubt whether the complex “best case” dynamic equilibria of strategies depicted below can remain in equilibrium, because the complexity (chaos) is too high to presume there isn’t some strategy which dissolves the equilibria, with the outcome most definitely being the bankrupting of all lesser strategies (i.e. centralized control) and/or loss of consensus. The authors admit this possibility (“we believe we have only scratched the surface of what can go wrong in a transaction fee regime”) and:

Put another way, our results are only made stronger by simplifying assumptions, because we are claiming that weird and undesirable consequences arise even if one is willing to grant simplifying assumptions.

And more effective selfish mining is one such strategy that devolves to centralized control over time (“Any deviant miner behavior that outperforms the default is thus a serious threat to the security of Bitcoin”).

Readers might posit a shared “altruistic” incentive that miners wouldn’t defect to this dysfunctional strategy because of the negative impact on usership and token exchange price. But this is negated by its being an undersupplied public good, i.e. miners each figure that a little bit of defection can’t hurt, because even if 66% of miners remain default compliant, undercutting is profitable; yet this slippery slope drives the optimum strategy into the dysfunctional one in a spiraling feedback loop. The cited research states, “We can realistically predict that PettyCompliant miners will arise.” Vitalik Buterin wrote:

Unfortunately, altruism… cannot be relied on…, because the value of coins arising from … integrity is a public good and will thus be undersupplied (eg. if there are 1000 stakeholders, and each of their activity has a 1% chance of being “pivotal” in contributing to a successful attack that will knock coin value down to zero, then each stakeholder will accept a bribe equal to only 1% of their holdings).

* Not necessarily greater than the block reward; the incentives may be altered significantly before that point, although the research modeled only the case of a zero block reward.

Tangentially note for contrast that the disincentive to 51% double-spend attack is not an undersupplied good.

Oligarchy if PoS is Functioning

The Dysfunctional if Significant Transaction Revenue scenario always applies to PoS because there is no protocol-dictated block reward;* thus the only incentive for appending a block is to collect transaction fees. For that reason alone, PoS will not function unless it is an oligarchy, because of the race to the bottom over which fork will accept the lowest fees. The only solution is an oligarchy which holds a monopoly in order to extract the maximum parasitic rents from the system that the market can bear (which is what we see with every such system, whether it be DPoS or masternodes).

Yet the nothing-at-stake problem is another reason PoS can (at least in the plausible model where the majority of all stakeholders are not always online) only function if it’s an oligarchy.

Block forgers in PoS compete analogously to PoW miners to append their blocks to a chain yet in a nothing-at-stake tragedy-of-the-commons (c.f. also), which without an oligarchy in control of the “checkpoints” entropy mechanism enforcing the leader election process, would in theory devolve to a “precomputing attack” aka “stake grinding” (which is effectively proof-of-work computation and rewarded only with transaction fees thus Dysfunctional if Significant Transaction Revenue).

There’s no mathematical nor algorithmic way to decide amongst all the potential forks that can be forged within any interval which is the legitimate one. In PoS, unlike in PoW, the interval is relative to the autonomously chosen timestamp and nothing is burned, so forgers (i.e. stake-based miners) have the incentive to build their forged blocks on top of every forged block: the nothing-at-stake problem. The choice of which forged blocks to mine upon is either based on enforcement power (e.g. the stake grouping with the most stake), or else PoS devolves as stated. Even if the stake grouping with the most stake is not a majority of the stake, it must necessarily be coordinated (not randomly autonomous) in order to maintain the longest chain, and thus fulfills the definition of an oligarchy in control. Algorithmic changes that attempt to penalize those who forge on more than one chain are necessarily always going to be flawed and not resolve the issue, because there is nothing at stake. Transactions as Proof-of-Stake (TaPoS) isn’t a solution to this near-term forking divergence issue. Andrew Poelstra failed to note that penalizing for signing multiple histories doesn’t resolve the power vacuum: no unique near-term history is distinguished from all the others in the absence of coordination, and coordination is definitionally an oligarchy:

This scarcity may be recoverable by punishing stakeholders who sign multiple histories. For example, if they use Schnorr or ECDSA signatures and are constrained to a specific choice of nonce, they must sign two messages with the same (key, nonce) pair in order to sign multiple histories, and this allows anyone to algebraically solve for their private key.
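The algebra behind Poelstra’s sentence, worked through as an added example in pure Python on secp256k1. This is not code from the gist nor from Poelstra; the private key, the deterministic nonce derivation and the two competing “histories” are constructed for the demo. Two ECDSA signatures with the same (key, nonce) pair share the same r, which yields two linear equations in the unknowns k and d, and anyone holding both signatures can solve for the private key d.

```python
import hashlib

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def ecdsa_sign(priv, h, nonce):
    """Textbook ECDSA; the caller supplies the nonce so it can be deliberately reused."""
    r = ec_mul(nonce, G)[0] % N
    s = pow(nonce, -1, N) * (h + r * priv) % N
    return r, s


def ecdsa_verify(pub, h, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(pub, h1, sig1, h2, sig2):
    """Same r means same nonce k, so s_i = k^-1 (h_i + r d) for i = 1, 2.
    Subtracting gives k = (h1 - h2) / (s1 - s2), then d = (s1 k - h1) / r.
    Either s may have been negated (ECDSA malleability), so both signs are tried
    and the candidate is checked against the public key."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        raise ValueError("r differs: the nonces differ, nothing to recover")
    for s2c in (s2, (-s2) % N):
        if (s1 - s2c) % N == 0:
            continue  # identical messages or identical signatures: no information
        k = (h1 - h2) * pow((s1 - s2c) % N, -1, N) % N
        d = (s1 * k - h1) * pow(r, -1, N) % N
        if ec_mul(d, G) == pub:
            return d
    raise ValueError("could not recover the key")


def demo():
    """Constructed scenario: a staker signs two conflicting histories at the same
    height with a nonce that is fixed per (key, height), as in the quoted proposal.
    Returns True when the recovered key equals the signer's private key."""
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # assumed key
    pub = ec_mul(priv, G)
    nonce = hash_to_int(b"nonce-for-key-and-block-height-1000")  # deterministic, hence reused
    h1 = hash_to_int(b"block 1000 on history A")
    h2 = hash_to_int(b"block 1000 on history B")
    sig1 = ecdsa_sign(priv, h1, nonce)
    sig2 = ecdsa_sign(priv, h2, nonce)
    assert ecdsa_verify(pub, h1, sig1) and ecdsa_verify(pub, h2, sig2)
    return recover_private_key(pub, h1, sig1, h2, sig2) == priv


if __name__ == "__main__":
    print("private key recovered from the double-signing:", demo())
```

Run `demo()`: it signs two conflicting histories with one (key, nonce) pair, verifies both signatures, and recovers the private key from the pair. Note what it does not do, which is the point made above: exposing the key punishes the double-signer after the fact, but it gives an observer no way to tell which of the two histories is the legitimate one.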

I explained in more detail along with explanatory condemnation of NEM, Nxt, and IOTA. The leadership election process for PoS is ambiguous. Even if the potential stakers are ranked such that the one with the highest ranking forges the next block, and forgers are penalized for forging on more than one chain, this is a security hole because the highest ranked staker can pretend to be offline and so the next ranked must forge the next block. Then after honest stakers have done so, the higher ranked staker forges a block orphaning those, which creates an ambiguity over who is cheating. Propagation is not objective in an asynchronous network.

Vitalik’s analysis of the probability of an attacker achieving a double-spend (on his Slasher 1 or 2 designs) is irrelevant to my point of whether it requires an oligarchy to function. His analysis failed to point out that the entropy, and thus the next signer, is chosen by the current (or 3000 blocks back) signer, thus the only chain that wins is the one that the oligarchy signs every block they want to. The issue always distills down to there being no objective reference point because of nothing-at-stake. Tangentially, Slasher’s timestampers add Byzantine agreement’s liveness and quorum weakness to PoS, and I can show the double-spend security is thus much worse than Vitalik computed unless most of the stake is always online. The Ouroboros “provably secure” PoS alternative may solve this by creating objective entropy via secure multiparty computation, presuming a majority of the stake is honest, but it requires a majority of the stake to remain online and the network to remain bounded synchronous for said majority. I found the hidden liveness flaw in the proposed Proof-of-Approval and related it to, and explained, foundational issues of Byzantine Fault Tolerance (BFT).

As for “in theory devolve”: I know of no documented cases where the theory was falsified in reality (without the deterministic “checkpointing” mechanism that enables oligarchy control to be expressed), because every extant PoS cryptocurrency I know of was distributed to an oligarchy, thus avoiding the falsification test! 😲 How convenient. 😏

For example:

* It’s pointless to distribute newly minted tokens in PoS because the probability of winning a block is proportional to stake (except worse in Nxt), thus all stake in the system would be debased proportionally by newly minted tokens such that no one would gain nor lose any relative wealth.

The requirement for the oligarchy to “deterministically” control said “checkpoints” can be alleviated in so-called “provably secure” PoS by employing secure multiparty generation of entropy, but at the cost of the “liveness assumption” that a majority (or “67%”?) of the stake is always online, and, for an honest majority of the stake, that the network is always synchronous (i.e. 100% reliable network transmission within an upper-bounded latency threshold), either of which seems to be onerous and unrealistic unless the majority of the stake is a tightly controlled oligarchy. The proposed solution to the liveness and synchrony requirements is a delegated PoS (DPoS) option, but that reverts it back to a power vacuum which requires an oligarchy. Note PoW in altcoins also needs checkpoints because PoW is Not Secure in Altcoins. Ethereum’s bonded penalties are also flawed, but that is a longer explanation than I can put here.

Such PoS “checkpoints” become relativistic, proliferate discordantly, and thus don’t have a single-point-of-truth (SPOT) in the absence of an oligarchy with a majority of the stake grouping to agree on them, because the nothing-at-stake tragedy-of-the-commons provides no incentives for emergent (bottom-up) convergence of a majority of honest participants. Alternatives to “checkpoints” which also enable oligarchy control to be expressed, include for example delegated PoS (DPoS)—which is an elected oligarchy.

Oligarchy or Hara-kiri if Limited Block Size

A PoW block size limit would mitigate transaction revenue growth somewhat by eventually kicking the minions (minnows) off chain. Yet transaction revenue could still grow. To avoid the Dysfunctional if Significant Transaction Revenue outcome, the block reward must perpetually remain significantly higher than the transaction revenue, unless a coercive power steps into the power vacuum to enforce order. Such a perpetually inflationary coin wouldn’t be accepted by whales and speculators as the reserve* unit-of-account of cryptocurrency. Inflationary cryptocurrencies (i.e. the inflationary act of proliferating “altcoins”) are gamed to redistribute more of the reserve unit-of-account (e.g. BTC) to the upper tiers of the power-law distribution of wealth. Perpetually inflationary PoW is not an escape from mining oligarchy because its network hashrate is eventually (but asymptotically) entirely owned by the lowest-cost miner. C.f. more details.

Given that the whales and miners are economically the same entity, they can form an oligarchy to make the dolphins pay all the transaction fees for the whales’ transactions via miner profits. Regarding this math, the miner that pays to itself (or to the whale who owns the transaction) the transaction fee for those transactions with much higher fees is not displacing significant transaction fee revenue that would otherwise be earned (due to block size being limited), because the whales’ transactions have a much higher multiple of fee per KB than the transactions of the dolphins. Thus those miners who refuse to participate in these kickbacks to the whales are much less profitable and thus eventually lose hashrate relative to the more profitable miners that do. This is why the oligarchy forms naturally. And note the social harm (i.e. damage to the ecosystem) rises as the square of, or exponentially with, the excessive transaction fees.

The oligarchy must cooperate to prevent the Dysfunctional if Significant Transaction Revenue outcome that otherwise results when most revenue comes from transaction fees as the block reward declines asymptotically to zero (or the oligarchy will undoubtedly arise anyway due to the amplified selfish mining, if the system doesn’t first succumb to Hara-kiri). This oligarchy, with limited block size and diminishing block reward, is the most likely outcome for Bitcoin, although most are fooled into thinking otherwise by the intentionally created dog and pony circus distraction of warring factions:


We’d be in Las Vegas already, if that disruptive BlackDog Cash (BDC) had helped pull the rope.

I’m Trevor:

Craig Wright of nChain argued that PoW is subject to defection from any oligopoly:

In a proof of work system, oligopoly strategies, or the formation of cartels fail due to the impact of the most profitable firm seeking to defect. In all cartels, the least profitable firm needs to be propped up by the other members. The scenario always leads to dissent and the eventual failure of the oligopoly.

He fails to account for the fact that ASICs are a monopoly, not a competitive market; and that an oligarchy must form in order to deal with the aforementioned multifaceted transaction fee constraints/pricing dilemma.

* In What is Money?, I explained that reserve currencies are not perpetually stable, but instead have a cycle of rise, peak, and fall (as all things in nature) that coincide with the consensus of PUBLIC CONFIDENCE in that unit-of-account, because otherwise a perpetual single standard-of-money would require a non-relativistic universe—i.e. where nothing can exist.

The SegWit “Mt. Box” fractional reserve banking scaling will likely be only on Litecoin after the SegWit fork of BTC is destroyed. There’s also Ethereum’s Raiden.

PoW is Not Secure in Altcoins

Changing the PoW design to instead burn the transaction fees would disincentivize miners from including transactions; and as revenue for PoW mining declined with the declining block reward so would the security against chain reorganizations that enable stealing coins.

PoW in altcoins is especially not defensible against fork offs (c.f. also the footnote in the section Oligarchy or Hara-kiri if Adaptive Block Size Protocol because Monero is justifiably terrified about this).

C.f. more details.

Detecting the Existence of a Mining Oligarchy

In early 2016, I explained and claimed that Satoshi had not solved the Byzantine Generals Problem because there is no way to distinguish which miners are traitors (analogous to identifying which components are failing in Byzantine fault tolerance) due to the relativistic nature of BFT algorithms. My explanation was theoretically correct that even extreme effects such as a high orphan rate (in the absence of a network latency increase) and long-range chain reorganizations are plausible even without an “attacker” controlling a majority of the network hashrate, i.e. there is subjectivity over who the traitors are and whether they’re attacking or, in the linked example, just speculating. Although in real-world practice, given subjective social context, it might be determined that those effects are judged to be a majority hashrate attack (although it wouldn’t be 100% definitive). However, as @smooth contemplated but didn’t articulate with an appropriate example, it occurs to me now that a long-term sustained, egregiously high orphan rate or, especially definitively, the lack of a Dysfunctional if Significant Transaction Revenue outcome would be effects that are (with probability 1 − P(unknowns)) only plausible if an oligarchy controls a majority of the network hashrate.

C.f. the section 5.1.2 Invisible Majority Hashrate Attacks excerpted from the (not yet published) 2016 rough draft of my Hypernet (formerly named Bitnet) consensus algorithm white paper.

Oligarchy or Hara-kiri if Unlimited Block Size

If mining is sufficiently decentralized such that no oligarchy of miners can gain 51% network hashrate control in order to limit the block size, then, as I first stated in 2013, unlimited block size (which also means no protocol-enforced minimum transaction fee) is a race to the bottom with transaction revenue declining towards zero (c.f. also the explanation I made in the context of Monero if assuming it didn’t have a minimum fee). Thus without a block reward, it is also a race to the bottom for the security, allowing long-range chain reorganization to double-spend (i.e. steal) coins.

But probably before that self-destruction point is reached, the marginal miners will have fallen away and a 51% oligarchy is able to take control in order to effectively limit the block size.

Bitcoin Unlimited’s Orphan Rate Equilibrium Theory Debunked

Bitcoin Unlimited’s FAQ originally (click “FAQ” at the linked archive) claimed that orphan rate would be a natural countervailing force against block sizes that are too large for the network to handle; thus they claimed would provide a decentralized free market equilibrium between competing forces determining block size which would scale with ever increasing network capacity.

However, I pointed out mathematically that a proportional increase in propagation delay due to a block size increase results in a proportional increase in orphan rate. Although a proportional increase in block size (from including proportionally more transaction fees) would not result in proportionally more revenue, because of the factor that doesn’t increase (i.e. the protocol-dictated block reward), I also explained that the proportional increase in orphan rate only causes a minuscule nominal reduction in revenue when the orphan rate is very low.

Thus Bitcoin Unlimited’s claims are incorrect, because the revenue increase provided by the block size increase exceeds the minuscule revenue loss incurred by the resultant orphan rate increase. Thus, with the help of others such as @dinofelis, I explained there is no equilibrium point, because the block size would only be limited by failure of the entire system, wherein the orphan rate would reach a high enough level that consensus diverged into competing forks that couldn’t converge on a longest chain. I also explained the flaws in the mathematical model in Bitcoin Unlimited’s research.
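To make the orphan-rate argument concrete, here is an added example (mine, not from the gist nor from Bitcoin Unlimited) of a miner’s expected revenue as a function of block size under the stated assumptions: propagation delay grows proportionally with block size, competing blocks arrive as a Poisson process so the orphan probability is 1 − exp(−delay/interval), and fee revenue grows linearly with size. All numeric parameters (block reward, fee density, delay per MB) are assumptions chosen for illustration.

```python
import math

# Constructed parameters (assumptions for illustration, not figures from the gist)
BLOCK_REWARD_BTC = 12.5       # protocol-dictated subsidy per block
FEE_BTC_PER_MB = 0.5          # fee revenue per MB of included transactions
DELAY_S_PER_MB = 2.0          # marginal propagation delay per MB of block size
BLOCK_INTERVAL_S = 600.0      # target block period


def orphan_probability(size_mb, delay_s_per_mb=DELAY_S_PER_MB, interval_s=BLOCK_INTERVAL_S):
    """Probability a competing block is found before ours finishes propagating.
    Block discovery is Poisson, so P(orphan) = 1 - exp(-delay / interval)."""
    return 1.0 - math.exp(-size_mb * delay_s_per_mb / interval_s)


def expected_revenue(size_mb, reward=BLOCK_REWARD_BTC, fee=FEE_BTC_PER_MB,
                     delay_s_per_mb=DELAY_S_PER_MB, interval_s=BLOCK_INTERVAL_S):
    """Expected payout of a block of this size, given that the miner found it."""
    survive = 1.0 - orphan_probability(size_mb, delay_s_per_mb, interval_s)
    return (reward + fee * size_mb) * survive


def analytic_optimum_mb(reward=BLOCK_REWARD_BTC, fee=FEE_BTC_PER_MB,
                        delay_s_per_mb=DELAY_S_PER_MB, interval_s=BLOCK_INTERVAL_S):
    """d/ds[(R + f*s) * exp(-s/c)] = 0 with c = interval/delay gives s* = c - R/f."""
    c = interval_s / delay_s_per_mb
    return max(0.0, c - reward / fee)


def numeric_optimum_mb(max_mb=1000, step_mb=1.0):
    """Brute-force check of the analytic optimum on a grid of block sizes."""
    sizes = [i * step_mb for i in range(int(max_mb / step_mb) + 1)]
    return max(sizes, key=expected_revenue)


def marginal_gain_and_loss(size_mb, extra_mb=1.0):
    """Exact decomposition of E(s + d) - E(s): fee revenue gained from the extra
    bytes versus revenue lost because the bigger block is orphaned more often.
    Bitcoin Unlimited's FAQ claimed the second term would balance the first."""
    p0, p1 = orphan_probability(size_mb), orphan_probability(size_mb + extra_mb)
    fee_gain = FEE_BTC_PER_MB * extra_mb * (1.0 - p1)
    orphan_loss = (BLOCK_REWARD_BTC + FEE_BTC_PER_MB * size_mb) * (p1 - p0)
    return fee_gain, orphan_loss


if __name__ == "__main__":
    s_star = analytic_optimum_mb()
    print(f"revenue-maximizing block: {s_star:.0f} MB at orphan rate "
          f"{orphan_probability(s_star):.0%} (grid search: {numeric_optimum_mb():.0f} MB)")
    for s in (1, 8, 32, 128):
        g, l = marginal_gain_and_loss(s)
        print(f"{s:4d} MB -> +1 MB gains {g:.4f} BTC in fees, loses {l:.4f} BTC to orphaning")
```

Under these assumptions the revenue-maximizing block size is s* = c − R/f with c = interval/delay-per-MB, about 275 MB here, at which point the orphan rate is roughly 60%. At small sizes the marginal fee gain from one more MB exceeds the marginal orphan loss by more than an order of magnitude, so the orphan rate never acts as a countervailing force until the network is already in the regime where consensus fails.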

Bitcoin Unlimited’s Empty Blocks & Bandwidth Equilibrium Theory Debunked

I explained that Andrew Stone’s theory of miners voting with empty blocks as a means of regulating average block size, is flawed because it starves the relative revenue of miners with less bandwidth, such that their share of the network hashrate declines relative to miners who can mine huge blocks. This is especially true if the transaction revenue in the huge blocks is significant relative to the protocol dictated block reward that every mined block receives. Thus Xthin is a way for large economy-of-scale miners to attack marginal miners leading to increased centralization of mining.

Also @dinofelis and I explained that since empty blocks can’t be validated, then this motivates a miner reputation system which is a slippery slope to a mining oligarchy. And I explained that Xthin’s prevalidation before block announcements is inapplicable to the case where the miner is creating an empty block because the miner’s bandwidth was insufficient to keep up with prevalidation propagation.

Craig Wright’s (nChain’s) DECENTRALIZED Scaling Debunked

Craig Wright’s (nChain’s) arguments for scalability don’t prevent the outcome from being Hara-kiri in the Dysfunctional if Significant Transaction Revenue, unlimited block size, or Hara-kiri if Adaptive Block Size Protocol dysfunctional scenarios. In that case, an oligarchy can form to ameliorate/prevent a Hara-kiri devolution. Yet all alternative scenarios are ultimately an oligarchy also, because of the block size and transaction fees contention issue (c.f. the last paragraph of this section and the Oligarchy or Hara-kiri if Adaptive Block Size Protocol section) eventually overcomes any near-term appearance of semi-stable decentralization (e.g. such as with a myriad of large pools).

When it’s necessary to form an oligarchy by forcefully diminishing the hashrate of those who will not cooperate in an oligarchy, then whether validation costs decline towards epsilon is irrelevant, because in the absence of a block size limit, miners with more hashrate can spam (with miner-created transactions) blocks large enough that validation costs are economically significant, thus forcing asymmetrically higher validation costs per unit of revenue (also per unit of hashrate) on miners with less hashrate. This is because miners with lower hashrate will do more validation per block they win (for their revenue) than the miners with higher hashrate. Note this is the mathematical reality because the spamming miner who creates his spam transactions doesn’t need to validate his own spam transactions. If, despite Craig’s data of a 1.2 second network propagation diameter to 99% of the hashrate at current minuscule transaction volume, propagation delay becomes economically significant due to the egregious transaction spamming, but at a lower level of spam than that at which validation costs become relevant, then we replace the asymmetrically higher validation cost flaw with the asymmetrically higher relative orphan rate (and thus lower revenue per unit hashrate) flaw. Either way, economies-of-scale in mining drive PoW towards ever increasing centralization of hashrate control.

Oligarchy or Hara-kiri if Limited Block Size applies in the case of a block size limit. Else if the block size limit will be periodically raised by governance and not by Oligarchy or Hara-kiri if Adaptive Block Size Protocol, then said governance devolves to an oligarchy due to the power vacuum of the Iron Law of Political Economics.

Selfish-mining

In theory PoW mining can become centralized by continuous selfish-mining (and stubborn mining), given a miner (or complicit group of miners) with at least 33% of the network hashrate (or much less than 33% when the orphan rate is very high, such as in the Dysfunctional if Significant Transaction Revenue outcome) that is not opposed by an environment in which selfish-mining is not the dominant strategy, such as one with the threat of mutual destruction from other large hashrate pools which could also selfish-mine. Craig Wright claimed that he would debunk selfish-mining, but ostensibly he failed. Craig appears to have modeled the honest and selfish miners as independent events, but the 33.3% hashrate selfish miner gains a probabilistic informational advantage because it only acts in the 33.3% of cases in which it wins a hidden block and can disregard the other 66.7%.

That evidence of selfish-mining hasn’t been detected on Bitcoin so far is expected given that Bitcoin is mined by large opposing pools and (as Craig Wright correctly pointed out) has very high (hashrate weighted) network connectivity centrality. Selfish-mining is probably not viable unless the network is already dysfunctional such as in Dysfunctional if Significant Transaction Revenue outcome or some highly volatile PoW altcoins, in which case detection by orphan rate or timing gap analysis would be inconclusive and countermeasures within difficulty adjustment delays would be infeasible.

IOW, selfish-mining is a defense mechanism which kicks in only to form an oligarchy to ameliorate the situation when the blockchain is (or otherwise would be) diverging into a dysfunctionally high orphan rate.
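An added example (not from the gist; the closed form is the one from Eyal and Sirer’s “Majority is not Enough” paper, the simulator and its parameters are mine) that makes the 33% figure checkable: the selfish pool’s revenue share as a closed form and as a Monte Carlo run of the same state machine, parameterized by α (the pool’s hashrate fraction) and γ (the fraction of honest hashrate that builds on the pool’s block when the pool forces a tie). The revenue share exceeds α, i.e. selfish mining pays, exactly when α > (1 − γ)/(3 − 2γ), which is 1/3 at γ = 0.

```python
import random


def selfish_revenue_share(alpha, gamma):
    """Closed-form share of main-chain blocks won by a selfish pool with
    hashrate fraction alpha when a fraction gamma of honest miners build on
    the pool's block in a tie (Eyal & Sirer 2014, eq. 8)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma):
    """Hashrate above which selfish mining out-earns honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha, gamma, blocks=200_000, seed=1):
    """Monte Carlo of the selfish-mining state machine. Returns the pool's
    share of the blocks that end up in the main chain. The state is the
    pool's private lead plus a flag for the tie state (two public branches
    of length one)."""
    rng = random.Random(seed)
    lead = 0          # private blocks the pool holds ahead of the public chain
    tie = False       # pool published a block to tie an honest block
    pool = honest = 0
    for _ in range(blocks):
        if rng.random() < alpha:            # the pool finds the next block
            if tie:
                pool += 2                   # extends its own branch and wins both
                tie = False
            else:
                lead += 1                   # keeps it private (the informational edge)
        else:                               # honest miners find the next block
            if tie:
                tie = False
                if rng.random() < gamma:
                    pool += 1               # built on the pool's branch
                    honest += 1
                else:
                    honest += 2             # built on the honest branch
            elif lead == 0:
                honest += 1
            elif lead == 1:
                lead = 0                    # publish the hidden block: a tie
                tie = True
            elif lead == 2:
                pool += 2                   # publish both, orphaning the honest block
                lead = 0
            else:
                pool += 1                   # publish one, keep a lead of >= 2
                lead -= 1
    return pool / (pool + honest)


if __name__ == "__main__":
    for alpha in (0.25, 1 / 3, 0.40):
        print(f"alpha={alpha:.3f} closed form {selfish_revenue_share(alpha, 0.0):.4f} "
              f"simulated {simulate_selfish_mining(alpha, 0.0):.4f}")
    print("threshold at gamma=0:", profitability_threshold(0.0))
```

At γ = 0 the closed form returns exactly 1/3 for α = 1/3 (break-even) and about 0.48 for α = 0.4; the simulation agrees within sampling noise. Raising γ, i.e. the fraction of honest miners who happen to hear the pool’s block first, lowers the threshold, which is why high hashrate-weighted connectivity centrality (noted above) matters for whether the attack pays.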

Oligarchy or Hara-kiri if Adaptive Block Size Protocol

Monero’s* (and any that can possibly be contemplated) adaptive block size protocol (c.f. also) avoids the Hara-kiri if Unlimited Block Size outcome by limiting the block size to the intersection of the demand curve with an enforced minimum transaction fee equation regime wherein for Monero the minimum fee per transaction automatically (per the equation) declines proportionally to the increase in median block size. The supply of block size adapts dynamically (per the equation) to said demand.

Remaining design options for any adaptive block size algorithm:

  1. Transaction fee regime revenue is kept sufficiently below the block reward revenue to avoid the Dysfunctional if Significant Transaction Revenue outcome:

    • Oligarchy or Hara-kiri outcome because the block (aka tail) reward is allowed to decline too low (with transaction revenue even lower per the prerequisite of #‍1); thus the low security is self-destructive. Oligarchy must 51% attack to enforce an Oligarchy if Limited Block Size outcome so as to rectify the low security; otherwise Hara-kiri outcome chaos of forks offs and double-spends that will occur due to 51% attacks.
    • Oligarchy outcome because the block reward is perpetually inflationary (and significantly so); thus the lowest-cost miners asymptotically takeover the network hashrate. That oligarchy may retain the high inflation or may 51% attack to enforce a Oligarchy if Limited Block Size outcome to remove the inflation and force the dolphins to pay the costs of the security for the whales (c.f. the Oligarchy or Hara-kiri if Limited Block Size section for explanation).
  2. Oligarchy or Hara-kiri outcome for the Dysfunctional if Significant Transaction Revenue outcome.

The eventual unavoidable oligarchy control outcome of Adaptive Block Size Protocol is particularly damning for a cryptocurrency which offers (especially explicit) anonymity set mixing such as Cryptonote/Monero’s* ring signatures, because it guarantees (if not already is, then) it will eventually be a honeypot!

Because it applies to miners who exceed the median block size, the adaptive block size penalty prevents large economy-of-scale miners from attacking marginal miners with extra zero-cost transaction spam demand fabricated with transactions that pay the fees to self. Yet note that if this cost is only ~2% of the protocol-dictated block reward, it isn’t likely sufficient (also archived) to suppress transaction spam for a deanonymization honeypot.
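An added example, not Monero’s code, of the CryptoNote block reward penalty (BaseReward × (size/median − 1)², applied to blocks above the median of the last 100 blocks and invalid above twice the median) together with a simplified spam-ratchet model in which a miner fills every block it wins with self-paying transactions up to the 2× cap. The baseline block size, the floor on the median, the schedule of which blocks the spammer wins, and the assumption that all other miners mine baseline-sized blocks are my simplifications for the demo.

```python
from collections import deque
from statistics import median

MEDIAN_WINDOW = 100    # CryptoNote: the median is taken over the last 100 blocks
BASELINE_KB = 300      # assumed floor below which the effective median does not fall


def penalty_fraction(block_kb, median_kb):
    """Fraction of the base block reward forfeited by a block larger than the
    median: ((size / median) - 1) ** 2, valid only up to twice the median."""
    if block_kb <= median_kb:
        return 0.0
    if block_kb > 2 * median_kb:
        raise ValueError("block exceeds 2x the median and is invalid")
    return ((block_kb / median_kb) - 1) ** 2


def ratchet_median(spammer_share, blocks, target_kb, baseline_kb=BASELINE_KB):
    """Simplified model: a miner with `spammer_share` of the hashrate fills each
    block it wins with self-paying spam up to min(2 * median, target_kb), while
    every other block is baseline-sized. The spammer's blocks are spread evenly
    over the sequence (Bresenham-style schedule, an assumption).
    Returns (final_median_kb, total_penalty_in_base_rewards, spam_blocks)."""
    window = deque([baseline_kb] * MEDIAN_WINDOW, maxlen=MEDIAN_WINDOW)
    total_penalty = 0.0
    spam_blocks = 0
    for i in range(blocks):
        m = max(median(window), baseline_kb)
        is_spam = int((i + 1) * spammer_share) > int(i * spammer_share)
        if is_spam:
            size = min(2 * m, target_kb)
            total_penalty += penalty_fraction(size, m)
            spam_blocks += 1
        else:
            size = baseline_kb
        window.append(size)
    return max(median(window), baseline_kb), total_penalty, spam_blocks


if __name__ == "__main__":
    for over in (1.02, 1.10, 1.14, 1.50, 2.00):
        print(f"block at {over:.2f}x median forfeits {penalty_fraction(over * 300, 300):.1%} of the reward")
    for share in (0.4, 0.6):
        m, pen, n = ratchet_median(share, 300, 10_000)
        print(f"spammer with {share:.0%} hashrate: median {m:.0f} KB after 300 blocks, "
              f"{n} spam blocks, {pen:.0f} base rewards forfeited")
```

Two things fall out of running it. A block only 14% over the median already forfeits ~2% of the reward, and a block at the 2× cap forfeits all of it, so ratcheting the median is expensive per block. But the median only moves at all once the spammer wins more than half of the blocks in the window: with 40% of the hashrate the median never leaves the baseline, with 60% it roughly doubles every ~85 blocks. Whether a sub-majority miner can cheaply push the limit, or only a majority grouping can, is precisely the oligarchy question raised above.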

     .     .     .

* Monero’s research lab has initiated a discussion in a search for possible solutions to its quagmire. @fluffypony deleted the post I made but it is archived here, here, and here. I responded to @fluffypony and that comment is also archived here and here. @fluffypony continued to delete more of my comments, and he banned me. The deleted comments are here.

The governance which sets and periodically adjusts the human-chosen constants in the minimum fee equation according to dynamic market exchange price and market demand factors is a centralized political control which is corruptible according to the Iron Law of Political Economics.

Proof-of-Transacting-Majority (PoTM)

The ever increasing share of the network hashrate by the lowest cost mining farms is only possible because miners are paid to compete with their resources in the leader election process. Miners are continuously competing to be the next leader who adds a block of transactions to the ledger.

The Dysfunctional if Significant Transaction Revenue flaw of non-inflationary PoW (and of all PoS which is not an oligarchy) exists because a single leader decides which transactions are included in each block.

It’s roughly analogous to the mess (and various game theories) of a crowd of people attempting to stampede out of a burning building through one door and bribing (or eventually clubbing to death, i.e. the Hara-kiri outcome where dead bodies pile up blocking the door) the doorman to be first.

PoTM inverts the control of PoW/PoS. PoTM corrects those flaws by giving the transacting users control of which shard of the decentralized ledger they append their transactions to. Each shard holds a fraction of the UTXO database, and cross-shard transactions are possible. Users’ light-weight (but slightly more powerful than Satoshi’s “SPV”) wallet clients autonomously blacklist (i.e. don’t transact on) any shards that objectively attempted malfeasance (by employing cross-shard transactions to move the fraction of the UTXO that would otherwise be trapped on the blacklisted shard). Control of shards is delegated to relative ordering stamping (as opposed to time-stamping) nodes, but ordering nodes have no effective power to succeed in malfeasance because they are monitored for correctness w.h.p. by the massive redundancy of the ongoing validations by the online wallet clients of transacting users. Upper-bounded synchrony (of the longest chain of the transacting majority) is securely provided by the transparency of this objectivity via statistically validated propagation. This upper-bounded synchrony* prevents ordering nodes from cheating, because payees wait for the DAG of shards to reach the synchrony bound (elapsed time period). Think of this roughly as death to attackers by a million paper cuts.

Ordering nodes compete only for service fees, which is not a race to bankruptcy because real-time proof-of-publishing (aka “0-confirmations”) is not possible for cross-shard transactions. Transaction fees are burned, providing an objective, probabilistic proof of the longest-ordering chain on the DAG of shards with a TaPoS-like immutability assurance against long-range chain reorganizations (but burned, so more aptly named TaPoW since stake is permanently consumed, presuming the TaPoW is a sufficient defense against nothing-at-stake in the long-range chain reorganization attack scenario). Objectivity (i.e. defense) against near-term double-spend attacks requires either the payee to be online from the time the transaction was published on a shard up to the aforementioned synchrony bound period, or weak subjectivity (aka community and social information) to distinguish forks which the online transacting majority has objectively rejected (due to the aforementioned upper-bounded synchrony), when the attacker controls significant stake and is willing to burn some of it to (perhaps only ephemerally) outrun the chain (on the DAG of shards) of the transacting majority.

With this billion transactions per second design, we’re moving towards a world where each action a user does is a transaction on a blockchain, so most users will be permanently online. With initiatives such as Urbit, we’re moving towards a world where every user has a server (capable of taking on duties delegated by a light-weight client to conserve mobile battery) that is always online. Thus the weak subjectivity will eventually become more of a scarcely needed insurance policy. From the get-go, weak subjectivity will be best handled by having community trusted nodes/services which wallet clients automatically configure or suggest, which users then augment with any users they trust in their WoT. The only requirement for correct weak subjectivity is that at least one (and preferably a plurality) of honest users’ clients in each trust circle is online at all times*. The wallet clients communicate the relevant information automatically. Any conflicts in the relevant data for a particular user’s trusted set would require the user to manually intervene to remove the dishonest member from the trusted set: imagine the rare occurrence of a red alert in the wallet client and the user reaching out on a community forum for technical assistance.

This design scales to billions of real-time transactions per second because of the extreme numbers of shards and low inter-shard communication/validation overhead. High transaction volume and velocity-of-money improves the viability of this design. This is the blockchain that can scale to the Universe, not just earth. “Think Big or Go Home” is my motto.

Because transaction fees are burned, the money supply perpetually shrinks (after the onboarding period in which new tokens are minted). Afaik, this will be the first deflationary cryptocurrency. It is not possible to create a secure deflationary currency with PoW or PoS.

I’m purposely not explaining every detail of this design at this time, because I don’t want to give away my design for others to copy before I launch the Hypernet (formerly named Bitnet) altcoin project. Of course it will be open sourced with detailed specifications and game theory analysis provided at the appropriate juncture. For example, I’m not explaining here how the DAG of shards and cross-sharded transactions work. Nor all the intricate details of, for example, how to make this all work with Merkle trees and how to squelch DDoS amplification attacks. Nor the permissionless entry and exit of ordering nodes from the system, as well as a reasonable bound on their proliferation, all of which interacts with the liveness ratio criterion per the tradeoff in the FLP impossibility theorem for deterministic finality. One of the myriad details of the design is the statistically massively redundant validation security model with fractional chargebacks downstream, diminishing over time (so as to bound chargeback risk contagion), upon late systemic discovery of invalid transactions (a separate concern from probabilistic non-repudiation/irreversibility of spends via double-spending by orphaning chain forks)—which is a necessity for massive scaling.

We have the decentralized Internet. Soon we’ll finally have truly decentralized money and decentralized blockchains. Hypernet is coming. Get ready.

     .     .     .

* Security and convergence of consensus can be compromised both in my design and IOHK’s Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol if—for an honest majority of the relevant entities—the communication network latency exceeds the chosen constant elapsed time upper bound. For Ouroboros the relevant entities are the online stakeholders and for my design they are the ordering nodes and the online transacting users. My design appears to have the anti-fragile advantage that the entities are forced to relay to each other in a massive virtual mesh topology, thus network hiccups (and dishonesty as well) are statistically ameliorated. Both designs implicitly rely on weak subjectivity to provide the safety as required by the FLP impossibility theorem given the liveness and fault tolerance criterion. In Ouroboros the weak subjectivity is encoded into the trust of the majority of the stake—which is presumably significantly more centralized than the transacting majority. Whereas, in my design it is implicit in the assumption that user clients will leverage a WoT when transitioning from offline to online. My design doesn’t depend on the weak subjectivity for users that remain online when there’s a near-term attack; and otherwise, it only requires some fraction of the transacting majority to be always online, with that fraction declining as WoT trust diameters increase. Ouroboros is a non-sharded (single leader election) design, thus the real-time transaction confirmation improvement is limited (roughly 5 to 10× faster block period than Bitcoin) and scaling will be limited by O(n²) propagation and validation, which will be even lower than the stake-weighted average throughput of the staked nodes, although the delegated PoS (DPoS) variant improves scaling somewhat but at the unacceptable (ecosystem network effects) cost of it being an oligarchy. C.f. also the section footnote in Oligarchy if PoS is Functioning.

The elapsed time is a deterministic finality (“confirmation”) of ledger immutability when combined with the weak subjectivity; whereas, PoW has only probabilistic finality. Weak subjectivity is required for safety due to the FLP impossibility theorem, which applies to deterministic (not probabilistic), asynchronous Byzantine (fault tolerant) agreement consensus. Without the weak subjectivity, the burned TaPoW is long-term probabilistic finality but near-term has an amplified risk, because such a dominant attacker can fork off with nothing-at-stake since no physical resource is actually burned and only a minority of the transacting majority’s UTXO was double-spent. However, even without the weak subjectivity, the probabilistic finality long-tail risks are similar to PoW. The risk of a dominant whale or oligarchy forking off a long-range chain reorganization is as unlikely with the burned TaPoW as it is for PoW, because the UTXO of the non-colluding transacting majority is at stake: the attacker can’t recreate it on the fork because he can’t recreate all the TaPoW of the non-colluding transacting majority. Although the attacker can recreate burned TaPoW for his own stake (thus burning some of it), the non-colluding transacting majority will never long-range fork off due to the economic losses of their UTXO if doing so.

An event which has an astronomically low probability of occurrence, because of the massively redundant validation, the not-undersupplied altruistic prime incentive for users to be honest, and the fact that payees have a selfish incentive to validate and announce invalid transactions unless the payee is the attacker who re-spends. Thus payees also have a selfish incentive to validate the entire payment chain on their UTXO back to the point of the system’s choice of diminishing chargeback repudiation. Remember “Risk is not perfect, every system is probabilistic”. Bitcoin has this very low risk also (which increases with centralization of mining) that miners might not validate every transaction before they start mining, and thus not want to discard (throw away) a block they found before completing the validation. @dinofelis and I had discussed this on Bitcointalk.org in the context of Xthin and Bitcoin Unlimited: c.f. the links in the section Bitcoin Unlimited’s Empty Blocks & Bandwidth Equilibrium Theory Debunked.

Q & A

What happens when a client connects to multiple shards and transmits a double spend?

Bingo! I’m not going to tell anyone how I made that secure until launch. That is one of the clever details of the design. Double-spending is impossible without what amounts to a 51% attack by a dishonest majority of all (the automated light-weight node wallet clients of) online transacting users. I distinguish transacting users from hodling users, because they are greater in number and the payees have the selfish economic incentive to validate.

Also, what if a majority of clients on a shard conspire with the ordering node?

A double-spend requires a dishonest majority of online clients on ALL shards.

The system is stable unless a majority of the online users of the system are dishonest and/or the offline users’ WoT deceives the user’s client into transacting on a fork when they come online. But if only one online member of the offline user’s trust circle is honest, then it is impossible for the offline user’s client to be deceived.

Is there a scenario that can arise where ordering nodes collaborate?

Not successfully against an honest majority of online clients. And the reason is intertwined with the details of the clever protocol for the DAG of shards, which I will not publish at this time. The offline clients can be fooled if they do not have an honest WoT to tell them which fork is the one the honest online majority is transacting on.

A grouping of dishonest ordering nodes can only make a fork, but they can’t double-spend because the honest online transacting majority will choose the fork which confirmed transactions within the bounded synchrony period.

Can clients act as ad-hoc ordering nodes?

Not unless they are a whale that burns systemically significant amount of TaPoW or otherwise have a significant volume of transacting users. To launch an ordering node requires enough transaction volume that the other ordering nodes must acknowledge the burned TaPoW. The aforementioned online user clients automatically enforce this by massively redundant statistical sampling (thus for scaling purposes, they are not full nodes in isolation but collectively they are).

Although launching an ordering node is permissionless, the design of the system mustn’t be unconstrained, otherwise the ordering nodes could spam each other (thus amplifying DDoS) with a proliferation of shards. The client protocol will target parameters which should result in roughly some number X of ordering nodes. I’m thinking 10,000 shards.

Given your currency will be perpetually deflationary, what is your position on inflationary vs deflationary money supply, i.e. consciously expanding the units in circulation (like the FED does) vs having a fixed supply (like BTC) that is deflationary against the world’s growing economic output? Or perhaps even a currency supply where units are removed or burned from existence by some authority. I thought Martin Armstrong was more in favor of an expanding supply that would keep pace with economic growth.

I have explained in this document—w.r.t. the technological possibilities for eliminating seigniorage—that no decentralized ledger design which doesn’t burn the transaction fees can function without being controlled by an oligarchy. Even PoW with perpetual inflation, where the inflation increases to be cardinal to the revenue from transaction fees to maintain incentive compatibility in the absence of an oligarchy, requires an oligarchy to regulate the sufficient (for the said requirement) but not excessive level of inflation. Any PoW design which instead attempted to automatically adjust the level of inflation w.r.t. transaction revenue will experience runaway inflation due to the ability of miners to pay themselves transaction fees.

Deflation is generally thought to be bad because we live in debt-based economics that boom/bust with expansion/contraction of debt. But note the relevant deflation is driven by hoarding/divestment due to downswing in PUBLIC CONFIDENCE, which interacts with regulation of the issuance of new money supply (presuming money can’t be destroyed without stealing it, e.g. burning transaction fees is voluntary).

I believe MA’s stance is based on the assumption that deflation coincides with excessive saving and aversion to risk (which is why ZIRP has failed, because that signified increased aversion to risk and the monetary effects were arbitraged into Asia where PUBLIC CONFIDENCE was booming). The postulate is that we need debasement (inflation) to motivate savers to invest and take risk, rather than sit on their money expecting it to become more valuable with no risk. Nature takes care of this, even creating new monies/arbitrage as necessary to provide new money supply, once the opportunity cost is high enough. Economies reach a point of maximum pessimism and then boom again. Monetary policy interacts with boom and bust, but can’t ever eliminate boom and bust. Stasis without a cycle would be non-existence, as I’ve explained elsewhere.

PoTM is a deflationary system which decreases the money supply not by stealing, and in which an increase in the rate of decrease of the money supply can coincide with high velocity-of-money (i.e. booming PUBLIC CONFIDENCE) and a slowing of the rate of decrease of the money supply can coincide with low velocity-of-money (i.e. declining PUBLIC CONFIDENCE). That monetary policy has the effect that savers are more incentivized to hoard than to invest as booming increases, and vice-versa. This seems like a better natural regulation than a monetary supply that increases the rate of increase of the money supply as booming increases and then collapses with a Minsky Moment reset destroying most of the supply.

My position is increasingly we will trade non-fungible knowledge in an Inverse Commons and be less concerned with fungible money and its tragedy-of-the-commons. I am also contemplating the protocol automatically burning fees charged to savers proportional to (a small fraction of) aggregate burned transaction fees in the system, so that savers just can’t sit on their money indefinitely to avoid burning transaction fees. IOW cap the maximum level of disincentive to invest at risk.

Savers in PoTM who never transact asymptotically end up with 100% of the money supply but aren’t a security risk, as they would be with PoS. This inability of the stake to interfere with the objectivity of the consensus is the significant reason that PoTM isn’t an oligarchy but PoS always must be, because PoTM does not depend on the longest chain of burned transaction fees to prove which is the honest chain. The honest majority (via their WoT to help each other monitor the online synchrony) stay on one chain due to massive statistically redundant oversight. No amount of burned transaction fees can fool the honest majority into following a chain (partial ordering in the sharded DAG) which didn’t propagate within the synchrony bound. The burned fees are necessary to prevent spam, to provide a timing demarcation since there are no blocks (e.g. if an MMORPG game needs to demarcate an epoch to unblind the secure multiparty commitments to the entropy for a PRNG), to measure the relative economic relevance of shards (e.g. for ordering nodes to prioritize their P2P network connections), and to provide an unambiguous/objective metric of the longest of the plurality of possible honest partial orders the honest majority would approve, since otherwise the honest majority wouldn’t objectively converge on a single partial order. The partial orders which are dishonest are objectively discarded due to violating the propagation bound, and thus the longest chain metric is not involved in identifying honesty.
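The two-stage rule just described (propagation bound first, burned-fee metric second) can be modelled in a few lines. The following is an added toy illustration with constructed numbers; it is not the Hypernet protocol, which the author has not published, and the client set, fee totals and bound are assumptions for the example. It shows why a withheld partial order with ten times the burned fees still loses: most honest clients receive it after the bound and discard it before the fee metric is ever consulted.

```python
"""Toy model of the two-stage fork choice the paragraph above describes:
online clients first discard any partial order that did not reach them
within the synchrony (propagation) bound, and only then rank the survivors
by burned fees. Added illustration with constructed numbers; it is not the
Hypernet protocol, which the author has not published."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PartialOrder:
    name: str
    burned_fees: int     # total fees burned by the transactions it orders
    published_at: float  # time its ordering node claims to have announced it


def client_choice(candidates, seen_at, bound):
    """One online client's verdict.

    seen_at maps an order name to the time this client first received it.
    Orders it never received, or received later than `bound` after their
    claimed publication, are discarded no matter how many fees they burned.
    """
    timely = [c for c in candidates
              if c.name in seen_at and seen_at[c.name] - c.published_at <= bound]
    if not timely:
        return None
    return max(timely, key=lambda c: c.burned_fees).name


def majority_choice(candidates, client_views, bound):
    """Tally the per-client verdicts; return (winning order name, vote counts)."""
    votes = Counter(client_choice(candidates, view, bound) for view in client_views)
    votes.pop(None, None)
    if not votes:
        return None, votes
    return votes.most_common(1)[0][0], votes


# Constructed scenario: the honest order H burned 100 units of fees; an
# attacker's order A burned 1000 but was withheld and released late, so it
# reaches 5 of 7 clients at t=30, beyond a bound of 10. The two
# attacker-controlled clients claim to have seen A at t=1.
SYNCHRONY_BOUND = 10.0
CANDIDATES = [PartialOrder("H", 100, 0.0), PartialOrder("A", 1000, 0.0)]
CLIENT_VIEWS = [{"H": 2.0, "A": 30.0}] * 5 + [{"H": 2.0, "A": 1.0}] * 2


def run_scenario():
    return majority_choice(CANDIDATES, CLIENT_VIEWS, SYNCHRONY_BOUND)


if __name__ == "__main__":
    winner, votes = run_scenario()
    print("majority follows:", winner, dict(votes))  # H wins 5 to 2
```

The model deliberately keeps the fee comparison inside each client rather than in the tally, matching the text’s point that the longest-chain metric only ever ranks orders that already passed the propagation test.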

Comparison to Other DAGs

Transaction or block DAGs (which aren’t PoTM’s sharded DAG) are composed of descendant transactions or blocks which back-reference to antecedent transaction(s) or block(s) which were each formerly a tip (aka leaf) branch of the DAG:


Partial orders of an unsynchronized DAG.

Byteball

Byteball is the only one of the transaction DAG designs which is somewhat sound. Byzantine agreement is employed for finality, not PoW. Yet it suffers the following damning flaws as compared to my PoTM design:

  • Centralized consensus: the set of witnesses for the quorum-required “Stability Point” Byzantine agreement consensus algorithm are effectively anointed (not permissionless). Election of delegates (which btw is also the case for DPoS) is always a political-economics power vacuum which is effectively controlled by the greatest power.

  • Liveness risk: the anointed (not permissionless) set of witnesses for the quorum-required “Stability Point” Byzantine agreement consensus algorithm can censor some or all of the transactions (from the stability points they define, which indicate a transaction is final and acceptable to the payee). If 50% (or only 33% if designed securely) of the (necessarily limited to only) 12 witnesses stop responding (making Byteball fragile w.r.t. DDoS and network isolation attacks), i.e. insufficient quorum, the stability points become stuck, don’t move forward, and require a hardfork to become operational again. Tendermint and Ethereum’s Casper (and any other Byzantine agreement consensus system) also have this same flaw, because it is an irremediable attribute of Byzantine (fault tolerant) agreement. I had discussed these flaws with @tonych (real name Anton Churyumov), the creator of Byteball.


    Byteball’s “stability points” with genesis unit labeled “G”.

    The censorship of the ‘some’ case is not possible in Byteball if all transactions (or let’s say not probably plausible if a significant minority or a majority) back-reference each other (although potential censorship of the ‘all’ case remains regardless), but there is no mechanism in Byteball to encourage that.


    Majority of witnesses can censor a partial order (even if it’s not a double-spend).
  • Unscalable transaction fees: fees increase as the price of the token increases. There is no fee market through which fees could automatically adjust. The constant fee design (denominated in byte tokens) makes it uneconomic to issue some transaction events when the exchange price (and thus market capitalization) is too high, and gives inadequate spam resistance when the exchange price is too low.

  • Inadequate validation security: analogous to the flaw of delegated PoS (DPoS), only the bounded set of (necessarily limited to only 12!) witnesses do validation. The other, unbounded transacting users, necessarily being light clients for scaling, aren’t doing validation, because they can’t always be online so they must trust “proofs” from witnesses.

  • Limited scaling: there are no shards. Proof-of-publication to the ledger has to all be funneled through the permissioned set of 12 witnesses similar to DPoS in order for any finality on the transactions to be assured.

  • Not real-time confirmation: transactions are confirmed by the validating witnesses who sign “stability points”, with each round of the quorum completing in roughly “~30 seconds”.

To justify this claim requires that I extract from the Hypernet (formerly named Bitnet) white paper a long and technically detailed section that explains Byteball’s “Stability Point” algorithm. I will delay this for a future blog post.

Byteball (and my PoTM) aren’t vulnerable to the “forward secrecy” issue because of the TaPoS/TaPoW which effectively locks the history against long-range chain reorganizations. C.f. the section footnote in Proof-of-Transacting-Majority (PoTM).

SPECTRE

SPECTRE* is a block DAG:


A Block DAG. Each block may refer to several predecessor blocks by including their hash in its header.

There’s also a blog intro and the 2016 version of the paper.

SPECTRE is notable because of its rigorous mathematical analysis of an unbounded plurality of pairwise partial orders to provide some of the properties of probabilistic consistency, safety, progress, and liveness that we normally expect from the single total ordering of Satoshi’s PoW longest-chain rule.

Yet afaics, it suffers the following damning flaws as compared to my PoTM design:

  • No total ordering: the system is unable to totally order conflicting transactions; thus for example can’t be used for smart contracts (such as those of Ethereum) which mutate a global state.

  • Weak Liveness: if a payee issues a conflicting transaction such as to increase the transaction fee (unless accept traceability) or to employ the system as a synchronization oracle, the transaction can become indefinitely frozen (even for perpetuity) in unconfirmed state, because the system is unable to totally order conflicting transactions.

  • Throughput contention: throughput can’t scale proportionally to the increased volume of blocks produced unless there is a significant backlog of transactions (which is a result of the requirement that throughput be constrained), because otherwise (the necessarily uncoordinated) blocks have a higher probability of including duplicate copies of the same transactions.

  • Not real-time confirmation: approximately 5 seconds confirmation if no backlog, but backlog is required for avoiding throughput contention. Much faster than Bitcoin, but far too slow for recording every user action in applications on a blockchain a la Steemit.

  • Scaling centralization: throughput constraint (e.g. 1 MB per 10 minutes) is hardcoded in the protocol in order to both avoid throughput contention and to contain the synchrony assumptions “𝐷” (via “𝐵 kb”) of the probabilistic confirmation. To increase the throughput requires a centralized hardfork.

  • O(n²) doesn’t scale decentralized: presuming miners have an incentive to maximize the breadth of their leaves of the DAG they reference, then every honest node has to receive and validate every transaction. Thus lower hashrate miners have to expend the same bandwidth and validation costs as higher hashrate miners that win more blocks, which thus drives hashrate share centralization to the larger hashrate miners over time, unless an acceptable lower bound on transaction fees coupled with the upper bound on number of miners renders the costs insignificant. The total bandwidth requirements of the system scale ϴ(n²) thus limiting the number of miners.

  • Perpetual inflation required: ditto Dysfunctional if Significant Transaction Revenue flaw applies.

  • Lacks game-theoretic analysis: for example, I have some doubt whether the DAG converges given that miners are paid for blocks even if they don’t maximize the number of leaves referenced. If transaction fees become significant, then the Dysfunctional if Significant Transaction Revenue flaw applies. One might presume that miners have an incentive to maximize referenced leaves in order to maximize the value of the tokens they mine, but that presumes there aren’t other countervailing incentives around, for example, minimizing validation and bandwidth costs.

  • Obscure doubt about fungibility: this is the weakest of my criticisms yet I want to keep it on record.
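The throughput contention bullet above can be quantified. What follows is an added illustration (not SPECTRE’s code; the mempool and block sizes are constructed): if k uncoordinated blocks each draw b transactions uniformly from a mempool of m pending transactions, a given transaction appears in at least one block with probability 1 − (1 − b/m)^k, so the expected number of distinct transactions confirmed is m·(1 − (1 − b/m)^k). Dividing by the k·b slots used gives the efficiency, which is poor when the mempool is small (no backlog) and approaches 1 only when the backlog is large relative to the blocks. A small Monte Carlo check is included alongside the closed form.

```python
"""Expected throughput of k uncoordinated blocks that each sample b
transactions from a mempool holding m pending transactions.

Added illustration of the 'throughput contention' bullet above, not SPECTRE's
code; the sizes are constructed. Without coordination, two blocks drawn
from a small mempool mostly repeat each other, so adding blocks adds far
less than proportional throughput until a large backlog exists.
"""
import random


def expected_unique(m: int, b: int, k: int) -> float:
    """Closed form: a given transaction lands in one block with probability
    b/m, so it appears in at least one of k independent blocks with
    probability 1 - (1 - b/m)^k."""
    if not 0 < b <= m:
        raise ValueError("block must hold between 1 and m transactions")
    return m * (1 - (1 - b / m) ** k)


def efficiency(m: int, b: int, k: int) -> float:
    """Distinct transactions confirmed per block slot used (1.0 = no duplicates)."""
    return expected_unique(m, b, k) / (k * b)


def simulate_unique(m: int, b: int, k: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of expected_unique: each block is a uniform sample
    of b distinct transactions, drawn independently of the other blocks."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        for _ in range(k):
            seen.update(rng.sample(range(m), b))
        total += len(seen)
    return total / trials


if __name__ == "__main__":
    for m in (100, 1_000, 10_000):
        print(f"mempool={m:>6} blocks=2 size=50: efficiency={efficiency(m, 50, 2):.4f}")
```

With two 50-transaction blocks, a 100-transaction mempool yields only 75 distinct transactions (75% efficiency), while a 10,000-transaction backlog yields 99.75 (99.75%); this is the sense in which the design needs a standing backlog to make additional blocks pay off.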

SPECTRE is a very complex system and I don’t know of anyone other than the authors who has completely digested all of its proofs, algorithms, and even game theory that doesn’t appear to be analyzed in its paper. I digested a sufficient amount of the paper to understand that the (inherently irreparable in such a non-total ordering design) deficiencies enumerated above make it uninteresting for me to analyze further.

* Spectrecoin is not based on the SPECTRE consensus algorithm.

IOTA and DagCoin

IOTA and its research proposal predecessor DagCoin don’t record any form of objective transaction finality (such as Byteball’s stability points) for the unsynchronized partial orders of transactions in the ledger!

Transactions include some PoW so that tips (leaves) of the DAG branches are extended with probabilistically more cumulative PoW as new descendant transactions are issued, but there is nothing forcing these unsynchronized partial orders to converge on a single total ordering, i.e. there is no probabilistic finality of transaction confirmation. In fact, (in the absence of IOTA’s “Coordinator” centralized servers) the partial orders will have conflicting orders due to double-spends, and there is no leadership election process nor witness set to decide on the ordering of the conflicts. Although the transaction nodes of the graph are accepted by payees which have an incentive to ensure their funds are in a single total ordering of the DAG, it is impossible for them to coordinate such autonomously. Therefore, defection from the Monte Carlo model presumption by some transactions breaks the convergence to a total ordering.

The (load of misleading technobabble bullshit) theory of their convergence to a single total ordering—which was based on either network propagation order (which experts know can never be provably consistent for all nodes without some synchronization algorithm) and/or a model requiring enforcement of the Monte Carlo algorithms employed by the payer and payee—is inherently insecure without the centralized Coordinator due to natural unconstrained divergence. IOTA employs centralized servers named “Coordinator” (apparently not mentioned, at least in the early revisions of the whitepaper) to enforce the whitepaper’s Monte Carlo strategy on all participants. IOTA has been challenged numerous times by numerous people (including myself challenging @Come-from-Beyond the developer) to remove their Coordinator centralized enforcement in order to prove that IOTA will function decentralized, and afaik they have never done so. This was further elaborated here and here.

I was threatened with a lawsuit by the “IOTA Founder” @iotatoken (real name is David Sønstebø) if I attempt to publish these truths.  
