monero-project/research-lab#12 wrote:
I believe it's time to seriously review the proof of work algorithm used in Monero in light of the very serious consequences we have all witnessed with mining centralization in the Bitcoin community.
Some urgency might not be a bad idea, as the window in which we can make such broad and sweeping changes is narrowing.
Shouldn’t you mention my recent revelations as one of the potential prior-art sources of this newfound urgency? I mean, upstanding open source and all, right.
https://www.reddit.com/r/Monero/comments/6r2xsm/is_moneros_anonymity_broken/dl75h7s/?context=3
^^ see the bottom of the yellow highlighted post for mention about blocks+PoW being the problem
Is Monero’s (or All) Anonymity Broken?
^^ summaries here and here
Are DECENTRALIZED, Scalable Blockchains Impossible?
^^ currently not complete, still being written to be more widely published within days
Shocking Crisis Coming to Cryptocurrency (in Sept?)
You’ll probably need my assistance given I’ve been researching, discussing, and brainstorming the solution to this issue for the past years.
This might be a bit too radical/off topic but I think one issue that might be important to consider in PoW is the competitive exclusion principle: http://en.wikipedia.org/wiki/Competitive_exclusion_principle
I don’t believe this will help because ultimately every possible algorithm you can think of can be made at least an order-of-magnitude or two more efficient on custom hardware (per agreement I had with @tromp on this conclusion). And all 14nm/16nm ASICs are only manufactured in two fabs in the world. Mining is inherently a centralization paradigm in many ways. How could we know if some secret mining hardware (or even just very large economies-of-scale making the lowest-cost miner) is not already mining Monero? Why would they tell us if their motivation is to sustain a honeypot?
Even if you force the miner to have a copy of the entire blockchain, and even make disk or memory accesses a significant component of the computation, it can still be made more efficient with customized hardware. And economies-of-scale will I think always win the efficiency race.
We've investigated this before, mostly around Cuckoo Cycle, and at some point it fell by the wayside.
I intensely investigated different memory hard proof-of-work algorithms (some were my own) and even deeply analyzed @tromp’s Cuckoo Cycle. My conclusion is wider in scope: that proof-of-work is an evolutionary cul-de-sac (just “another failed mutation”).
The issue at the highest-level of abstract (i.e. generative essence) conceptualization is that, “impossible to have a fungible token on a blockchain in which the consensus doesn't become centralized iff the presumption is that the users of the system gain the most value from the system due to its monetary function”.
Do you think a "tangle" type configuration (like IOTA) can be suitable and robust enough to fulfill the main function of money: to be a store of value that can be deferred through space/time?
They never showed how it converges without centralized servers enforcing that all transacting participants only run the same Monte Carlo strategy. Apparently given significant defection it will not converge on a single longest-chain, i.e. afaics it doesn’t converge decentralized. It also depends on proof-of-work (PoW).
The alternative for a DAG which does converge and doesn’t rely on PoW is Byteball’s Stability Point algorithm, but this has the downsides that I discussed with its creator @tonych last year. It has a peculiarity that afair transaction fees don’t scale with increasing exchange price of the token. More generally, essentially this is a closed set of delegates which decide the longest-chain, thus it has the same weakness as TenderMint (and Vitalik’s Casper) in that if more than 33% or 50% (or whatever the liveness ratio is) stop responding then the longest-chain doesn't advance and requires a hard fork to get unstuck, i.e. it is deterministic finality of confirmation, not probabilistic as is the case for PoW.
(Note: this comment never appeared on Monero’s Github because @fluffypony banned me. I’m writing it now for the first time)
@b-g-goodell wrote:
What is the relevance of when the ignorant loudly proclaim that other dull pencils are correct. It’s just helping other witless fall into the woodchipper.
Commendable, but then somehow you excluded my teachings from your willingness to learn.
PoW is Not Secure in Altcoins
Nope. Simpleton error.
What part of this section of my upcoming blog were you not aware of (click the link in that quote below):
@b-g-goodell wrote:
Agreed. And even worse, it is on an altcoin. And even worse if the altcoin’s PoW users don’t have access to that ASIC because it is secret and the users are misled like sheep into thinking that CPU mining is “ASIC resistant”. Lol.
(And the perpetrator of the anonymity honeypot gains extra income to fund his accumulation of (eventually all of the) hashrate.)
@olarks wrote:
Given that risk and the likely higher R&D capital cost for an ASIC version of memory hard PoW variants such as Monero’s CryptoNight, those willing to invest to create such an ASIC are likely to keep it secret and deployed for surreptitious domination of the hashrate.
Economies-of-scale Increasingly Centralize Mining Over Time
Marginal miners are always declining in share of the network hashrate per the centralization economics I explain below and in my upcoming blog.
@b-g-goodell wrote:
You’re incorrect.
As I pointed out in the comment that @fluffypony deleted, the Cuckoo Cycle creator (i.e. expert) @tromp and I concluded that ASIC implementations (even for Monero’s CryptoNight PoW algorithm, not to be confused with Cryptonote ring signature anonymity) will always be orders-of-magnitude more electric power cost-efficient than general purpose computing for any PoW algorithm that can be devised. There is no way to avoid this fact of physics.
Agreed. My deep study of memory hard PoW algorithms also led me to conclude that favoring the GPU (over the CPU) causes the R&D and setup capital costs to be less for implementing an ASIC. But any PoW algorithm (including Monero’s variant of CryptoNight) can be implemented to be orders-of-magnitude more electrical power cost-efficient on an ASIC if the capital cost investment is justifiable.
The PoW algorithm is only one economies-of-scale aspect of what can cause PoW consensus algorithms to centralize the control over mining. See my upcoming blog for a more thorough treatment of the subject.
It is simpleton to conclude that general purpose computer mining could ever be secure, because as you noted about botnets (which includes the hijacking of Amazon & Azure EC cloud server accounts that allot $1500 a month budget on server CPUs!) and more saliently because ASICs can always be created for any PoW algorithm that can be devised (even secretly by the entity that wants to aggregate all the coins surreptitiously and make your Monero a honeypot surreptitiously). The creators of Cryptonote, CryptoNight, and all of Monero’s cryptographers are all anonymous—and even @fluffypony doesn’t trust them (archived here, and sourced from discussion at BCT). Another instance of not trusting them (archive here). Remember “Beware of Geeks bearing gifts”.
In that same post (archived here), @fluffypony also admits that Monero “is as good as dead” if it isn’t mutable thus centralized so it can be hard forked as desired.
Incorrect. My upcoming blog explains ongoing centralization is concentration over time due to economies-of-scale, because economies-of-scale begets more economies-of-scale as it is more profitable than lower economies-of-scale.
Economies-of-scale are never (held) all precisely egalitarian (i.e. not precisely equally distributed). Thus the (entity with the) highest economies-of-scale will gradually, over time, via its higher profitability eventually aggregate more than 51% of the hashrate.
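An added toy simulation of the reinvestment dynamic argued above (constructed for this page; it is not code from the thread, from Monero, or from anyone quoted here): miners split the block reward pro rata by hashrate, each pays its own operating cost per hash, and profit or loss is converted into bought or sold hashrate at a common capital cost. All miner names, costs and hashrates are constructed sample values.

```python
"""Toy economies-of-scale model: does the lowest-cost miner's share of the
network hashrate grow past a majority when profits are reinvested?
Constructed illustration only; every number below is a made-up sample."""


def simulate_mining_shares(hashrates, cost_per_hash, block_reward=100.0,
                           capex_per_hash=5.0, periods=100):
    """Return (per-period share of the cheapest miner, final hashrates).

    Each period: the block reward is split pro rata by hashrate, miner i
    pays cost_per_hash[i] per unit of hashrate, and its profit (negative
    when operating below cost) is converted into hashrate bought (or sold)
    at capex_per_hash. Hashrate cannot go below zero.
    """
    h = list(hashrates)
    cheapest = min(range(len(h)), key=lambda i: cost_per_hash[i])
    shares = []
    for _ in range(periods):
        total = sum(h)
        if total == 0:
            break
        shares.append(h[cheapest] / total)
        revenue_per_hash = block_reward / total
        # profit = h_i * (revenue_per_hash - c_i); reinvest it at capex_per_hash
        h = [max(0.0, hi + hi * (revenue_per_hash - ci) / capex_per_hash)
             for hi, ci in zip(h, cost_per_hash)]
    return shares, h


def majority_period(shares, threshold=0.51):
    """First period index at which the cheapest miner's share exceeds
    threshold, or None if it never does within the simulated horizon."""
    for t, share in enumerate(shares):
        if share > threshold:
            return t
    return None


# Constructed sample: three miners with equal starting hashrate but
# different operating cost per hash (the first is the most efficient).
SAMPLE_HASHRATES = [10.0, 10.0, 10.0]
SAMPLE_COSTS = [2.0, 3.0, 4.0]

if __name__ == "__main__":
    shares, final = simulate_mining_shares(SAMPLE_HASHRATES, SAMPLE_COSTS)
    print("cheapest miner's share, first periods:", [round(s, 3) for s in shares[:6]])
    print("first period above 51%:", majority_period(shares))
    print("final hashrates:", [round(x, 6) for x in final])
```

The share is non-decreasing every period because the cheapest miner's hashrate multiplies by the largest factor, so the only stable end state in this model is the single most efficient miner holding the whole network.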
And the perpetrator of the anonymity honeypot gains extra income to fund his accumulation of (eventually all of the) hashrate.
Anonymity + (PoW ∨ PoS) = honeypot
Amplify this with the lack of black-swans to upset that trend, because for example there are only two 14nm/16nm ASIC fabs in the world: GlobalFoundries and TSMC; thus the elite of most cost-efficient ASIC mining have the future locked down:
@peronero wrote:
@catcow wrote:
See rebuttal immediately above.
@bigreddmachine wrote:
Semi-centralization is not stable in PoW and instead collapses into a (perhaps even surreptitious) oligarchy for the reasons I have explained here in this thread and furthermore in my upcoming blog Are DECENTRALIZED, Scalable Blockchains Impossible?.
You guys are not factoring in many factors into your analysis, including for example that miners can pay themselves the transaction fees and that only a constrained block size doesn’t diverge into Hara-kiri self-destruction. Even Monero’s adaptive block size algorithm is not stable and collapses either into an oligarchy or Hara-kiri self-destruction.
@b-g-goodell wrote:
Nope. Miners will simply have one of each kind of hardware necessary in the proportions of their invocations.
Cryptonote/Monero Designed to be a Honeypot
Actually all the possible outcomes for Monero are only oligarchy or Hara-kiri. Which means the only survival outcome for Monero (as currently designed) is as a honeypot.
All the assumptions were enumerated in the blog I wrote and the comments that ensued below it and on Reddit which is linked from those said comments.
No one has presented any cogent argument refuting any of my assumptions. Everywhere you Monetards have posted your denial, I have refuted with correct rebuttals.
You Monerotards are playing a censorship and marketing spin game now in order to deceive your users and trap them in a honeypot. It’s despicable. Anytime you want to debate me, then just start doing it in a public forum where I will not be censored. My watchers will find it and alert me and I will show up and refute all your nonsense illogic.
I already suggested that the wise next move for Monero would be to redo that 3-year-old (published in 2014) MNL-001 research paper from Monero Research Labs, which I refuted in the comments at the bottom of my blog.
You should do that immediately so the inferior technology of Verge can’t steal Monero’s lead in the anonymity sector!
The onus is on your group to develop a quantitative model that determines the levels of ring signatures of mixins that might (or might not) probabilistically ameliorate/squelch all the vulnerabilities I laid out in my blog. Until then, we can only assume that we do not know and can’t rely on the “anonymity” offered by Cryptonote/Monero.
Isn’t it getting into your thick skulls already that my technical admonitions come true, because I research the technologies extensively.
I told you already son. You have no choice.