@shelby3
Last active October 12, 2017 03:18

monero-project/research-lab#12 wrote:

I believe it's time to seriously review the proof of work algorithm used in Monero in light of the very serious consequences we have all witnessed with mining centralization in the Bitcoin community.

Some urgency might not be a bad idea, as the window in which we can make such broad and sweeping changes is narrowing.

Shouldn’t you mention my recent revelations as one of the potential prior art sources of this newfound urgency? I mean upstanding open source and all right.

https://www.reddit.com/r/Monero/comments/6r2xsm/is_moneros_anonymity_broken/dl75h7s/?context=3
^^ see the bottom of the yellow highlighted post for mention about blocks+PoW being the problem

Is Monero’s (or All) Anonymity Broken?
^^ summaries here and here

Are DECENTRALIZED, Scalable Blockchains Impossible?
^^ currently not complete, still being written to be more widely published within days

Shocking Crisis Coming to Cryptocurrency (in Sept?)

You’ll probably need my assistance given I’ve been researching, discussing, and brainstorming the solution to this issue for the past years.


This might be a bit too radical/off topic but I think one issue that might be important to consider in PoW is the competitive exclusion principle: http://en.wikipedia.org/wiki/Competitive_exclusion_principle

I don’t believe this will help because ultimately every possible algorithm you can think of can be made at least an order-of-magnitude or two more efficient on custom hardware (per agreement I had with @tromp on this conclusion). And all 14nm/16nm ASICs are only manufactured in two fabs in the world. Mining is inherently a centralization paradigm in many ways. How could we know if some secret mining hardware (or even just very large economies-of-scale making the lowest-cost miner) is not already mining Monero? Why would they tell us if their motivation is to sustain a honeypot?

Even if you force the miner to have a copy of the entire blockchain, and even make disk or memory accesses a significant component of the computation, it can still be made more efficient with customized hardware. And economies-of-scale will I think always win the efficiency race.

We've investigated this before, mostly around Cuckoo Cycle, and at some point it fell by the wayside.

I intensely investigated different memory hard proof-of-work algorithms (some were my own) and even deeply analyzed @tromp’s Cuckoo Cycle. My conclusion is wider in scope: that proof-of-work is an evolutionary cul-de-sac (just “another failed mutation”).

The issue at the highest-level of abstract (i.e. generative essence) conceptualization is that, “impossible to have a fungible token on a blockchain in which the consensus doesn't become centralized iff the presumption is that the users of the system gain the most value from the system due to its monetary function”.


Do you think "tangle" type configuration (like IOTA) can be suitable and robust enough to fulfill the main function of Money: to be a storage of value that can be deferred through space/time?

They never showed how it converges without centralized servers enforcing that all transacting participants only run the same Monte Carlo strategy. Apparently given significant defection it will not converge on a single longest-chain, i.e. afaics it doesn’t converge decentralized. It also depends on proof-of-work (PoW).

The alternative for a DAG which does converge and doesn’t rely on PoW is Byteball’s Stability Point algorithm, but this has the downsides that I discussed with its creator @tonych last year. It has a peculiarity that afair transaction fees don’t scale with increasing exchange price of the token. More generally, essentially this is a closed set of delegates which decide the longest-chain, thus has the same weakness of TenderMint (and Vitalik’s Casper) in that if more than 33% or 50% (or what ever is the liveness ratio) stop responding then the longest-chain doesn't advance and requires a hard fork to unstuck, i.e. it is deterministic finality of confirmation not probabilistic as is the case for PoW.

shelby3 commented Aug 8, 2017

(Note: this comment was not deleted by @fluffypony as of the time of writing this, but it is archived here just in case)

Coincidentally, this paper came to my attention today - Proof of Work without all the Work
https://arxiv.org/pdf/1708.01285.pdf

Actually I thought of that conceptually before when I was trying to devise a solution for the liveness-gets-stuck issue that I mentioned about Byteball, but didn’t bother to fully develop the model, because it has a very obvious and fatal flaw because they ostensibly didn’t model the economics of it. Their model is the provability that it can’t be gamed algorithmically. But afaics, they didn’t model the economic ramifications of their algorithm.

Their algorithm is essentially scaling the amount of PoW difficulty (that all mining node IDs must have to survive a PoW challenge round) by the rate of changes to the ID set. So assuming there is no attacker, then everyone agrees to play nice then the difficulty remains low. But the specific flaw is its communism because it steals from those who have greater or low-cost hashrate and redistributes to the marginal miners, because every good or bad ID has the same weighted vote. Of course the same entity can create more than one ID to spread its hashrate, but this is attackable because if the threshold of their splits is exceeded by an attacker who issues too many ID joins/deletes per round, then the split IDs are deleted by the challenge round and amplify the attacker’s effect. So the economic implications are amplification instability else communism. We must understand the economics of decentralized consensus.

Also it appears to me that it requires some trusted setup on the initial randomness to create a non-gamed ID member set for the committee which acts as the “server”. There may be other issues, as this is brand new so peer review is presumably lacking.

shelby3 commented Aug 8, 2017

(Note: this comment never appeared on Monero’s Github because @fluffypony banned me. I’m writing it now for the first time)

@b-g-goodell wrote:

TLDR: lethos3 and pierce403, in my estimation, are correct.

What is the relevance of when the ignorant loudly proclaim that other dull pencils are correct. It’s just helping other witless fall into the woodchipper.

Disclaimer: I am happy to be wrong, and I would rather be corrected than to continue disseminating false information.

Commendable, but then somehow you excluded my teachings from your willingness to learn.

PoW is Not Secure in Altcoins

CPUs are egalitarian…

Nope. Simpleton error.

…because many people already have them. We certainly can't provide every interested user in the world a big fancy ASIC mining rig

What part of this section of my upcoming blog were you not aware of (click the link in that quote below):


…and as revenue for PoW mining declined with the declining block reward so would the security against chain reorganizations that enable stealing coins.

PoW in altcoins is especially not defensible against fork offs (cf. also the footnote in the section Oligarchy or Hara-kiri if Adaptive Block Size Protocol because Monero is justifiably terrified about this).


@b-g-goodell wrote:

I can't see the future of an ASIC-based POW system that doesn't resemble the current problem in the bitcoin universe.

Agreed. And even worse it is on an altcoin. And even worse if the altcoin’s PoW users don’t have access to that ASIC because it is secret and the users are misled like sheep into thinking that CPU mining is “ASIC resistant”. Lol.

(And the perpetrator of the anonymity honeypot gains extra income to fund his accumulation of (eventually all of the) hashrate.)

@olarks wrote:

If Cryptonight ASICs are ever produced and are able to greatly increase efficiency over GPU and CPU mining breaking PoW egalitarianism then a new PoW should be sought out.

Given that risk and the likely higher R&D capital cost for an ASIC version of memory hard PoW variants such as Monero’s CryptoNight, those willing to invest to create such an ASIC are likely to keep it secret and deployed for surreptitious domination of the hashrate.

Economies-of-scale Increasingly Centralize Mining Over Time

As long as miners are responsible and distribute their hashrate to smaller pools

Marginal miners are always declining in share of the network hashrate per the centralization economics I explain below and in my upcoming blog.

@b-g-goodell wrote:

It is unclear if the Monero proof of work can be optimized by specialized hardware.

Completely incorrect. See above.

I don't anticipate a long-term trend toward mining cartels due to PoW with Monero unless computer architecture starts to change.

You’re incorrect.

As I pointed out in the comment that @fluffypony deleted, the Cuckoo Cycle creator (i.e. expert) @tromp and I concluded that ASIC implementations (even for Monero’s CryptoNight PoW algorithm, not to be confused with Cryptonote ring signature anonymity) will always be orders-of-magnitude more electric power cost-efficient than general purpose computing for any PoW algorithm that can be devised. There is no way to avoid this fact of physics.

If we design a mining game that is mine-able on GPUs much more efficiently than CPUs, and if Monero then sees a price increase, then ASICs would be just around the corner.

If a GPU can do it, an ASIC can do it better.

Agreed. My deep study of memory hard PoW algorithms also led me to conclude that favoring the GPU (over the CPU) causes the R&D and setup capital costs to be less for implementing an ASIC. But any PoW algorithm (including Monero’s variant of CryptoNight) can be implemented to be orders-of-magnitude more electrical power cost-efficient on an ASIC if the capital cost investment is justifiable.

The centralization of Bitcoin is directly due to ASICs and the impossibility for a CPU or even GPU miner to break even.

The PoW algorithm is only one economies-of-scale aspect of what can cause PoW consensus algorithms to centralize the control over mining. See my upcoming blog for a more thorough treatment of the subject.

It is simpleton to conclude that general purpose computer mining could ever be secure, because as you noted about botnets (which includes the hijacking of Amazon & Azure EC cloud server accounts that allot $1500 a month budget on server CPUs!) and more saliently because ASICs can always be created for any PoW algorithm that can be devised (even secretly by the entity that wants to aggregate all the coins surreptitiously and make your Monero a honeypot surreptitiously). The creators of Cryptonote, CryptoNight, and all of Monero’s cryptographers are anonymous—and even @fluffypony doesn’t trust them (archived here, and sourced from discussion at BCT). Another instance of not trusting them (archive here). Remember “Beware of Geeks bearing gifts”.

In that same post (archived here), @fluffypony also admits that Monero “is as good as dead” if it isn’t mutable thus centralized so it can be hard forked as desired.

Accumulating a majority of hashrate right now can only be accomplished by state actors

Incorrect. My upcoming blog explains ongoing centralization is concentration over time due to economies-of-scale, because economies-of-scale begets more economies-of-scale as it is more profitable than lower economies-of-scale.

this is a value of decentralized computing: if many coalitions are capable of launching an attack but any one coalition needs more than 50% of the network to make such an attack

If we are concerned about a botnet controlled by a single entity coming in and rewriting our blockchain or selfishly mining, the solution is more competition between botnets, not less.

Economies-of-scale are never (held) all precisely egalitarian (i.e. not precisely equally distributed). Thus the (entity with the) highest economies-of-scale will gradually over time via its higher profitability eventually aggregate more than 51% of the hashrate.

And the perpetrator of the anonymity honeypot gains extra income to fund his accumulation of (eventually all of the) hashrate.

Anonymity + (PoW ν PoS) = honeypot.

Amplify this with the lack of black-swans to upset that trend, because for example there are only two 14nm/16nm ASIC fabs in the world: GlobalFoundries and TSMC; thus the elite of most cost-efficient ASIC mining have the future locked down:


@peronero wrote:

Not sure how to take seriously any 'decentralize mining' proposal that would centralize mining in two US-based corporations subject to export regulations that already restrict the proliferation of high-end hardware along political lines.


@catcow wrote:

ASICs solve this problem since it is probably extremely difficult for even the most well funded actors to design and build their own ASICs faster and better than the main industry can. Anonymous cryptocurrencies like Monero are the most likely to be attacked by a nation-state I think, for obvious reasons, so ASICs for Monero wouldn't be all bad…

See rebuttal immediately above.

@bigreddmachine wrote:

One last thought: I'm not convinced an "egalitarian" PoW ensures mining decentralization. Mining will always move towards a state of semi-centralization because economies of scale and regional cost advantages will always be an important factor in mining…Mining will always consolidate around players that can afford the investment.

Semi-centralization is not stable in PoW and instead collapses into a (perhaps even surreptitious) oligarchy for the reasons I have explained here in this thread and furthermore in my upcoming blog Are DECENTRALIZED, Scalable Blockchains Impossible?.

You guys are not factoring in many factors into your analysis, including for example that miners can pay themselves the transaction fees and that only a constrained block size doesn’t diverge into Hara-kiri self-destruction. Even Monero’s adaptive block size algorithm is not stable and collapses either into an oligarchy or Hara-kiri self-destruction.

@b-g-goodell wrote:

you are correct that swapping them around would break inflexible hardware

a mining game using more than one cryptographic hash function could possibly work

Nope. Miners will simply have one of each kind of hardware necessary in the proportions of their invocations.

Cryptonote/Monero Designed to be a Honeypot

shelby3: … After all, in a high-txn-fee-with-respect-to-block-rewards environment, you are correct that PoW doesn't operate too well.

Actually all the possible outcomes for Monero are only oligarchy or Hara-kiri. Which means the only survival outcome for Monero (as currently designed) is as a honeypot.

I will also engage with you about your claimed honeypot situation if you identify all of your assumptions, …

All the assumptions were enumerated in the blog I wrote and the comments that ensued below it and on Reddit which is linked from those said comments.

…fix the ones that are blatantly incorrect…

No one has presented any cogent argument refuting any of my assumptions. Everywhere you Monetards have posted your denial, I have refuted with correct rebuttals.

You Monerotards are playing a censorship and marketing spin game now in order to deceive your users and trap them in a honeypot. It’s despicable. Anytime you want to debate me, then just start doing it in a public forum where I will not be censored. My watchers will find it and alert me and I will show up and refute all your nonsense illogic.

…if you develop any verifiable concrete numbers on the complexity of solving the combinatorial problems associated with de-anonymizing a cryptonote blockchain…

I already suggested that the wise next move for Monero would be to redo that 3-year-old (published in 2014) MNL-001 research paper from Monero Research Labs, which I refuted in the comments at the bottom of my blog.

You should do that immediately so the inferior technology of Verge can’t steal Monero’s lead in the anonymity sector!

The onus is on your group to develop a quantitative model that determines the levels of ring signatures of mixins that might (or might not) probabilistically ameliorate/squelch all the vulnerabilities I laid out in my blog. Until then, we can only assume that we do not know and can’t rely on the “anonymity” offered by Cryptonote/Monero.

However, I will not engage with you if the conversation will resemble something like "Like it or not, you are going to use my solutions!!1 Checkmate, son!!112 Fluffypony is gestapo1l1khj."

Isn’t it getting into your thick skulls already that my technical admonitions come true, because I research the technologies extensively.

Your choice.

I told you already son. You have no choice.
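The economies-of-scale claim made in this comment (a lower electricity cost per hash compounding, round after round, into a majority of the hashrate) can be made concrete with a toy reinvestment model. This is an added illustration, not the thread author's or any project's code; the block reward, hardware price, per-hash electricity costs, and the rule that every miner reinvests all positive profit are constructed assumptions.

```python
"""Toy model of the economies-of-scale argument made in the thread above.

Constructed illustration (added here, not the thread author's model). It assumes:
a fixed block reward per round paid in fiat, payout proportional to hashrate
share, a per-unit electricity cost that differs per miner, and every miner
reinvesting all positive profit into more hashrate at one common hardware
price. Hardware never wears out and nobody sells hashrate or switches off.
"""
from dataclasses import dataclass


@dataclass
class Miner:
    name: str
    hashrate: float      # hash units online this round
    energy_cost: float   # fiat per hash unit per round (electricity)


def step(miners, reward, hw_price):
    """One round: pay out by share, charge electricity, reinvest any profit.

    Returns the shares held during this round, before reinvestment.
    """
    total = sum(m.hashrate for m in miners)
    shares = {m.name: m.hashrate / total for m in miners}
    for m in miners:
        profit = reward * shares[m.name] - m.energy_cost * m.hashrate
        if profit > 0:                 # unprofitable miners simply stop growing
            m.hashrate += profit / hw_price
    return shares


def simulate(miners, reward, hw_price, rounds):
    """Run `rounds` rounds; return {name: [share per round]}."""
    history = {m.name: [] for m in miners}
    for _ in range(rounds):
        for name, share in step(miners, reward, hw_price).items():
            history[name].append(share)
    return history


def first_majority_round(history, threshold=0.51):
    """(round index, miner) where some miner first exceeds threshold, else None."""
    for r in range(len(next(iter(history.values())))):
        for name, shares in history.items():
            if shares[r] > threshold:
                return r, name
    return None


def constructed_scenario():
    # Three miners of identical starting size, differing only in efficiency.
    return [Miner("efficient", 100.0, 0.010),
            Miner("average", 100.0, 0.015),
            Miner("marginal", 100.0, 0.020)]


def run_scenario(rounds=2000):
    """Reward 10 fiat/round, hardware 1 fiat per hash unit (both constructed)."""
    return simulate(constructed_scenario(), reward=10.0, hw_price=1.0, rounds=rounds)


if __name__ == "__main__":
    hist = run_scenario()
    for name, shares in hist.items():
        print(f"{name:>10}: start {shares[0]:.3f}  end {shares[-1]:.3f}")
    print("first >51% share:", first_majority_round(hist))
```

Under these assumptions the most efficient miner's share rises every round and the least efficient miner's share falls every round, and the marginal miners stop growing once reward per hash drops below their electricity cost; the model says nothing about hardware depreciation, price changes, or miners leaving, which the thread does not model either.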

shelby3 commented Aug 8, 2017

(Note: this comment never appeared on Monero’s Github because @fluffypony banned me. I’m writing it now for the first time)

@lethos3 wrote:

I have not seen a rebuttal of the points brought forth by @b-g-goodell

Because your leader banned the rebuttal. The rebuttal is above, but you can’t see this. Cryptocurrency is going to improve the world by burning the books with centralized control?

@lethos3 wrote:

go back to Litecoin.

(prior interaction on Redditard)

Witless pride cometh before thy falleth

Buy the rumor, sell the news of the RingCT spike (see chart) upgrade.

Pattern of 2014 spike and crash to 2015 lows appears to be repeating. Should drop to 0.005 BTC eventually (may have one more spike up first):

shelby3 commented Aug 11, 2017

(Note: this comment never appeared on Monero’s Github because @fluffypony banned me. I’m writing it now for the first time)

I know your thoughts on Monero as far as the tech, but any thoughts on where the market's taking it? I've been holding a significant amount since $2, so I've had a very nice appreciation. I am wondering if it's maybe topped out for now and with your analysis, I am thinking it's best to just move out of it completely or at least 50%. I like LTC for its stability and as a bit of a hedge on BTC. What do you think on BCC? I don't really like it and I know your thoughts on the likely eventuality and I already have my majority holding in BTC, so would it possibly be a good thing to hold as a hedge as well, or stick with LTC? Thanks!

I’m going to share this with others in our private chat here (and probably also on my Gist) and get their feedback also.

Congrats on hodling XMR since $2. The chart looks to me like it might rocket back up to another spike yet, but overall I think the chart looks very precarious and eventually probably going to decline. It appears to be repeating a pattern from 2014-5 where it spiked up (because of @rpietila!) and then came back down lower than the lowest of the dips on the spike up. This current spike appears to be driven by the RingCT upgrade (adding value hiding) and the lying propaganda that Monero’s adaptive block size is some advantage w.r.t. Bitcoin’s Scalepocalypse (which in my upcoming blog I have clearly explained it isn’t).

Thus to me it appears to be two spikes driven by overzealous lies (that the proponents really believed and are still maybe in delusion about!) and propaganda.

So yeah, at $50 I would be taking some profits on XMR and thinking about where to shift the funds. I would probably take 25 - 33% profits now or anytime it is above $50. And then on any spike, I would be at least 50% out of it, and probably more in the realm of 80% out. I would not sell all, but keep a stoploss perhaps around $35 - $40 to sell all if drops that low (as I’m thinking in that case it is headed perhaps down to 0.005 - 0.0013 BTC, so the stoploss decision also depends on the BTC price).

LTC is perhaps only stable in the sense that if you buy it at 0.01x then you can’t likely lose too much and the upside is in the realm of 0.03 - 0.05. Above 0.02 I expect high volatility.

I’m holding all my BCC/BCH from the fork off aiming for $1000 - $1500 to take profits. I’m probably not interested to buy more unless it drops to $150 - $200, i.e. less than 0.005 BTC then I probably can’t resist to buy more as it seems like a nobrainer (but still I would not go too excessively overweight because the BTC forking outcome is likely to be very chaotic and I don’t want to get trapped in something that dies).

I haven’t studied Byteball’s chart (remember I was telling everyone to buy it when it was $1m marketcap), but really that is the only DAG thing that isn’t total nonsense, so it might get some inflows with the Scalepocalypse worsening perhaps in September and Byteball’s second phase of their onboarding plan kicking in about now (giving discounts to merchants and I don’t expect it to work very well but it is probably good for the hype value near-term).

Personally as BTC hits $4000 - $5100, I’m taking some profits into US dollars and waiting for a crash in crypto due to BTC+SegWit potentially being stolen back to TRB perhaps by Sept/Oct/Nov. It is difficult though to predict when TSHTF. I need some US dollars any way for my ongoing expenses. I don’t have a lot of BTC to speculate with anyway.

Further on the topic of Monero’s future…

Afaics, Monero has always had the problem that it really doesn’t address any real market or effectively solve any problem that people have. I think that is the reason for the spikes in price because people suddenly think Monero has become relevant with RingCT, Kovri/I2P integration, adaptive block size, and “egalitarian PoW”, but now via my lucid writings coming to realize it was all a mirage. So then back to the drawing board for Monero to try to figure out some relevancy in the cryptospace for their stillborn cryptocurrency.

shelby3 commented Aug 16, 2017

@mbarkhau wrote:

I think Bram Cohen has an idea he calls "Proof of Space" which is worth pursuing.

Proof-of-Space is a researched concept already.

@catcow wrote:

Proof-of-Capacity satisfies these requirements, as storage space will always be readily available and cannot be optimized dramatically by specially designed hardware, and storage itself uses no electricity.

Huh? Reading and/or writing from a hard disk or SSD does indeed consume electricity. Idle storage that isn’t accessed doesn’t offer any PoW function.

Proof-of-storage is not going to stop customized hardware from being created which operates at orders-of-magnitude higher electrical efficiency. You’re thinking that hard disks are commodities and thus economy-of-scale can’t attain any cost advantages. But commodity disk storage is not designed for maximum electrical efficiency. Rather it is designed for maximizing performance and costs per byte.

The amortization of the hardware cost is not the major cost component of mining. Rather it is the electrical consumption cost that is, especially when an entity has a near monopoly on an orders-of-magnitude advantage. For ASICs, there are only two fabs in the world which can deliver 14nm and they have of course limited output capacity. Ditto for any customized hardware designed to maximize electrical efficiency of hard disk sized space.

@iamsmooth (this is smooth from BCT and Steemit and smooth_xmr from Reddit) wrote:

But in that very same paragraph you dismiss a lot of advantages to a more egalitarian algorithm including greater pressure on those who do achieve economies of scale to remain honest because they are less likely to achieve total dominance, and preventing access to hardware from itself becoming a source of (potentially catastrophic) centralization.

How is it that you figure the lowest-cost marginal miners don’t eventually aggregate more profit and thus more hashrate share over time?

Craig Wright also debunked the microeconomics plausibility of egalitarian mining.

The access to commodity hardware doesn’t help when those with higher economies-of-scale are (probably surreptitiously) continually adding hashrate share because they are more profitable due to their higher electrical efficiency, because as I analyzed in the past, every possible PoW that could be envisioned, can be implemented orders-of-magnitude more efficient with customized hardware.

One other quibble. In addition to the consensus role you described (enumerated list), PoW also serves to distribute coins without becoming a source of concentrated wealth or power that may serve to undermine the legitimacy of the token or the ability of the broader base of users and investors to have any influence. To serve this role requires that mining remain economically competitive and lack significant barriers to entry. An oligopoly of miners who are able to exclude entrants and mine at a high sustained profit margin might work perfectly fine from the point of view of timestamping (hell, even an actual monopoly might work if, as satoshi suggested, the monopoly miner sees mining honestly as more profitable than attacking the network) but would be a massive fail for distribution.

Good to know you understand why every PoW distributed coin is surreptitiously majority held by those with the most economies-of-scale. We observe now Bitmain preparing to take control for its clients who remain anonymous. Don’t fool yourself into thinking your silly CryptoNight PoW algorithm has been a defense. Rather it is only a way of obfuscating the honeypot reality from fools who can’t read (see above). With the mining surreptitiously centralized, Monero is undoubtedly a honeypot and I challenged you guys to do the rigorous math, but so far nothing from your side but silence.

I agree on the point of at least thinking about alternatives in the event it becomes necessary to 'fire the miners'.

Implausible. You can only fork off your coin regularly into the PUBLIC CONFIDENCE stampede abyss attempting to do so, as I recently argued.

@onidlo wrote:

Quantifying Decentralization

I posted a rebuttal at Medium:

This entire blog is nonsense because:

enumerate the essential subsystems of a decentralized system,

Impossible due to Sybil attacks on all the metrics you can measure w.r.t. who controls the consensus mechanism in PoW and PoS.

As for Ethereum, it is obviously not decentralized because one man (King Vitalik) had the power to hard fork it. What is all this nonsense about measuring clients. In PoW, the nodes have no economic relevance whatsoever. Hashrate and stake distribution determines the control and both of those can be Sybil attacked.

@DanielPlante wrote:

There is a PoW + PoResource (ie, DRAM) that can't be spoofed.

The explanation is here: https://twitter.com/Daniel_Plante/status/846930293164457984

Once again you simpletons have not thought this out. Commodity DRAM is designed to balance power consumption with latency and random-access speed to optimize a general purpose computing pattern.

Any algorithm you can think of it is going to be orders-of-magnitude more electrically efficiently implemented by using custom hardware suited to optimize the pattern of access you are advocating.

Even if you dream up a randomizing access pattern similar to Monero’s existing CryptoNight, there are still ways to optimize trading storage for computation. I did this deep analysis already.

General purpose computing commodity hardware can never be as efficient as customized hardware for a specific algorithm.

Fuhgeddaboudit!
