
Comments (43)

tomtruitt commented on May 24, 2024

I thought the hub provides total ordering between the zones

from cosmos.

zmanian commented on May 24, 2024

This risk is reduced if we expect shards to support fraud proofs which is easy if shard is running a BFT consensus variant like Tendermint but much harder if the shard is proof of work. So zones with overly centralized proof of work would be very risky. The Hub running Tendermint can blacklist zones if a fraud proof is provided.

shelby3 commented on May 24, 2024

@zmanian could you elaborate, because I don't understand how a fraud proof can overcome the fact that due to faulty validators the source (sending) side-chain has become internally ambiguous (in the case of conflicting transactions, i.e. double-spends) or internally censoring/stalled. As for external consistency, there is no total ordering between the blockchains, thus there is no way to prove anything in any externally consistent clock or ordering. It is all relative. Afaics, the problem is fundamental and insoluble.

Afaik, a fraud proof is only meaningful within the threshold of BFT. I am talking about the BFT failure case where the attacking or otherwise faulty validators exceed the tolerance threshold. Above ¹/₃ the attack is censoring/stalling and afaik ²/₃ or more double-spending is possible.

zmanian commented on May 24, 2024

So I interpret your argument that the local double spend risk inside a sidechain can become a global double spend risk. I basically agree with you. I'm proposing that the total value in the side chain acts as a security deposit against byzantine behavior.

The side chain records a claim against the hub that funds are locked at sidechain height H.

If anyone can provide a block at H+1 where the funds are spent, this is evidence that the chain is unsound and the hub can punish the sidechain by invalidating all current claims of locked funds inside the side chain.

jaekwon commented on May 24, 2024

the source blockchain could even double-spend if the ²/₃ of the validators are malevolent. Thus the attacker creates inflation of the money supply

This is precisely what the hub is designed to protect against. The hub knows how many coins are in a zone, and so can and will prevent the zone from double-spending. If you park your tokens in a zone that isn't secure, e.g. because their validator set is compromised, then you may lose all of your tokens, but the failure of a zone doesn't bleed into other zones, as long as the hub is secure. So, no, a single broken zone won't inflate the token supply.

a fungible token is itself a total order

I would say that this is false. Rather, the fungibility of is what allows the hub to shard to many zones. If every token were unique, then the hub would almost have to track as much data as all the shards combined, which wouldn't make a good scaling solution. Fungibility allows us to just keep track of the total tokens in a zone as a single number, and this is what allows the system to scale.

from cosmos.
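The accounting described in the comment above, as an added example that is not part of the original thread and is not Cosmos code. It models the hub as one number per zone and shows that a zone whose validators forge coins internally cannot export more than the hub has recorded for it; the `Hub`, `Packet`, `Relay` and `RelayAll` names and the zone names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrUnknownZone = errors.New("unknown zone")
	ErrOverdraw    = errors.New("packet exceeds the zone's balance recorded at the hub")
)

// Packet is a coin transfer committed by Src and addressed to Dst (hypothetical type).
type Packet struct {
	Src, Dst string
	Amount   uint64
}

// Hub keeps a single number per zone: the tokens it believes are held there.
// It never inspects a zone's internal ledger, which is what fungibility allows.
type Hub struct {
	inZone map[string]uint64
}

func NewHub(genesis map[string]uint64) *Hub {
	h := &Hub{inZone: make(map[string]uint64, len(genesis))}
	for zone, amount := range genesis {
		h.inZone[zone] = amount
	}
	return h
}

func (h *Hub) Balance(zone string) uint64 { return h.inZone[zone] }

// TotalSupply is the invariant: relaying packets must never change it.
func (h *Hub) TotalSupply() uint64 {
	var sum uint64
	for _, amount := range h.inZone {
		sum += amount
	}
	return sum
}

// Relay moves coins between zones, refusing any packet the source zone
// cannot cover according to the hub's own record.
func (h *Hub) Relay(p Packet) error {
	srcBal, ok := h.inZone[p.Src]
	if !ok {
		return fmt.Errorf("%w: %s", ErrUnknownZone, p.Src)
	}
	if _, ok := h.inZone[p.Dst]; !ok {
		return fmt.Errorf("%w: %s", ErrUnknownZone, p.Dst)
	}
	if p.Amount > srcBal {
		return fmt.Errorf("%w: %s holds %d, packet asks for %d",
			ErrOverdraw, p.Src, srcBal, p.Amount)
	}
	h.inZone[p.Src] = srcBal - p.Amount
	h.inZone[p.Dst] += p.Amount
	return nil
}

// RelayAll applies packets in order and returns the ones the hub rejected.
func (h *Hub) RelayAll(packets []Packet) []Packet {
	var rejected []Packet
	for _, p := range packets {
		if err := h.Relay(p); err != nil {
			rejected = append(rejected, p)
		}
	}
	return rejected
}

func main() {
	// Constructed scenario: zoneA's validators forged 150 coins on their own
	// chain, so zoneA emits packets worth 250 while the hub recorded only 100.
	hub := NewHub(map[string]uint64{"zoneA": 100, "zoneB": 50, "zoneC": 0})
	before := hub.TotalSupply()
	rejected := hub.RelayAll([]Packet{
		{"zoneA", "zoneB", 60},
		{"zoneA", "zoneC", 40},
		{"zoneA", "zoneB", 150}, // backed only by forged coins
	})
	fmt.Printf("supply before=%d after=%d rejected=%d\n",
		before, hub.TotalSupply(), len(rejected))
	fmt.Printf("zoneA=%d zoneB=%d zoneC=%d\n",
		hub.Balance("zoneA"), hub.Balance("zoneB"), hub.Balance("zoneC"))
}
```

Holders inside the broken zone compete for the 100 coins the hub will honour, which is the "you may lose all of your tokens" case; the other zones and the total supply are unchanged.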

jaekwon commented on May 24, 2024

IoW, if ²/₃ of the validators are malevolent, they can censor and it is not objectively provable they are doing so, only circumstantial evidence can be supplied, which afaics means in that ²/₃ malevolent case your community hardfork proposal is unambiguous and subject to manipulation.

Same thing with Bitcoin.

In the simple scenario, the honest proposers (say there are 1/4 of them left) will propose blocks that include txs to be censored. There will be cryptographic proof that these validators proposed valid blocks, that were continuously voted against or ignored more or less by the same majority. So there would be statistical inference possible by examining the logs.

Likewise in Bitcoin, you can see what orphaned blocks were mined but were ignored by the majority of miners.

I'm not aware of any system that can prevent censorship even in the presence of +2/3 of malicious validators. The intuition is simple... a system should be able to tolerate up to 1/3 of validators going offline. +2/3 of validators maliciously ignoring 1/3 of validators is indistinguishable from that 1/3 of validators going offline. Ergo, +2/3 can do just about anything.

shelby3 commented on May 24, 2024

So your argument is that the hub is in control of the relative ordering between zones. Also @tomtruitt thanks for the concise statement.

Afaics, the flaw in that conceptualization is that liveness failure is not an objectively provable malevolence nor is it objectively provable outside of a total order that a liveness failure did not occur. Thus the malevolent zone which double-spends can claim that the hub and/or receiving destination zone was not responding. Propagation can't be proved nor disproved outside of the internal clock of blocks for a blockchain. So it spends to a different hub and/or to a different destination zone, because the original destination zone isn't present on this different hub or because of the latter claim. That is unless you propose to hold zones (and all the hodler's tokens on those zones) hostage to hubs and other zones which fail for the same reasons zones can. As you know, liveness and safety interact in BFT and we must make sure we consider that interaction in all of our game theory analysis. I was caught numerous times (in my research work) by my own failure to do that (e.g. analysis of DPoS's claim of round-robin ordered witnesses).

Rather, the fungibility of is what allowsdisallows the hub to shard to many zones

The generative essence I previously cited will not be violated. There must be total ordering across all transactions for a fungible token. That seems to make scalability impossible without centralization (and centralization doesn't really scale from a political-economic perspective for the analogous reasons that closed-source doesn't scale), but I will posit a decentralized solution. Note decentralization refers to control, which is not equivalent to distributed or replicated.

Also it seems to me you also propose to hold all the hodler's tokens on a zone hostage to its validators. Thus it is not a fungible scalability. The cognitive load to evaluate the validators on each zone would cause all users to congregate around ever smaller set of zones that have the most community trust and oversight. I believe I avoid this dilemma in my unpublished design (subject to future peer review).

shelby3 commented on May 24, 2024

In the simple scenario, the honest proposers (say there are 1/4 of them left) will propose blocks that include txs to be censored. There will be cryptographic proof that these validators proposed valid blocks, that were continuously voted against or ignored more or less by the same majority. So there would be statistical inference possible by examining the logs.

Afaics, the attacker can also destroy any statistical distance by voting for everything while still censoring once the attacker controls ²/₃+ of the validators. With +¹/₃ to -²/₃ of the validators, the attacker may be able to close the margin of statistical distance depending on the normal variance of network and validator responsiveness faults.

I will quote from my yet unpublished whitepaper:

1.1.2 Stalled, Censored, Double-spent Failures

With ¹/₃ or more (aka “+¹/₃”) but less than ²/₃ (aka “-²/₃”) of the validators colluding or Sybil attacked, an attack can boycott and thus veto all epochs stalling convergence, or veto only those epochs which include specific transactions the attacker wishes to censor.[^Tendermint-censorship] The non-colluding validators have only the option to boycott and thus veto all epochs (becoming indistinguishable from the attacker’s validators) or vote for those epochs the attacker votes for. Presuming the non-colluding validators could vote for all correct epochs (i.e. those not containing conflicting transactions), the faulty validators would be provably identified within some statistical subjectivity because they don’t vote for all of the correct epochs. But in the presence of asynchrony, collusion can’t be objectively distinguished from faulty or random propagation ordering. Thus the proof is only viable up to within some statistical distance from normal variance of network and validator reliability and coherence. The margin of statistical distance further decreases as the proportion of malevolent validators increases from +¹/₃ to -²/₃, because each censored epoch can be vetoed with a boycott of “+¹/₃” of the validators, so there is a commensurate increase in the proportion of censored epochs which some of the attacker’s validators can sign without granting quorums.

With the attacker controlling ²/₃ or more (aka “+²/₃”) of the validators, it is impossible to prove which validators are faulty. The attack can also achieve a quorum on incorrect or malevolent epochs, such as those containing conflicting transactions such as double-spends. The non-colluding minority with -¹/₃ of the validators is unable to veto a chain reorganization and since propagation order is not provable from the data, it is ambiguous which of the competing chains was first and thus blame can’t be proven.

2.3 Byzantine Agreement is Fragile (Deterministic, Bounded, Permissioned)

Compared to PoW’s probabilistic asymptotic finality wherein the participation of the consensus ordering nodes (i.e. the miners) is unbounded, free market, permission-less, and spontaneous, Byzantine agreement (and BFT in general, as well as any form of voting) requires a bounded, permissioned set of validators because otherwise there is no (not even an opportunity) cost limiting participation; thus the fault tolerance would otherwise be trivially exceeded with a Sybil attack.

Given the liveness of Byzantine agreement is -¹/₃ (or less if more safety is prioritized), if only +¹/₃ of the validators (aka witnesses in DPoS) are unresponsive and/or malevolent, specific transactions can be censored and/or block production stalled indefinitely. The permission mechanism that adds and removes validators from the approved set can also become indefinitely stalled or censored! A hard fork is required to unstick the chain. But unresponsiveness is not a provable fault because propagation order is not provable. Thus a +²/₃ (or probably even less) attacker can make it appear that any -¹/₃ minority of validators was unresponsive even if they weren’t or make it impossible to irrefutably prove which validators are stalling or censoring. Without objective accountability (aka irrefutable blame), it is impossible to enforce confiscation of any bond without rewarding the attacker by punishing the innocent. Thus there can be no cost to attacking. Without objectivity, the hard fork process can be mired in political manipulation and a “replace all the validators” whack-a-mole dystopia of repeating failure.

shelby3 commented on May 24, 2024

I'm not aware of any system that can prevent censorship even in the presence of +2/3 of malicious validators.

I will be publishing a whitepaper which posits a solution to that situation and doesn't incorporate PoW. I contrast my solution to DPoS's flaws in my paper. I will summarize the flaws I posit to fix:

DPoS "solves" it by allowing the stakeholders to elect new validators. If +1/3 of validators censor the data from the election, then it requires +2/3 of stake to reach an unambiguous quorum (wherein the new validators can record in the blockchain the +2/3 quorum which elected them) because it becomes Byzantine agreement to coordinate the election instead of the first majority seen by the validators (and Byzantine agreement is ambiguous with a quorum less than +2/3).[*] But this "solution" has the flaw that a 50+% (1/2+) attack from stake can prevent replacing the faulty validators (witnesses) with non-faulty ones. Additionally DPOS has the flaws that if +2/3 of witnesses are faulty, it is impossible to prove which witnesses are faulty. And if the stake is not 50+% (1/2+) controlled then voter apathy combined with voter differences of perspective coupled with the game theory of politics, means that replacing faulty validators can be a whack-a-mole problem. Thus DPoS really only works under a whale collusion ************, which of course they could censor, stall, and double-spend at will (and short the token to liquidify) but I think the more likely attacks are insidious.

P.S. I think all of us want to get on with coding in an ecosystem that has a correct scalable solution. I think we should all rally around such a solution, if one is ever found. So we can get on with creating. From my perspective of 3.5 years of analyzing this stuff and dreaming about being able to make web services where I don't have to ask permission from the banks and credit card /merchant account providers for type of service I want to monetize. And by now even morphing into to be able to monetize the developing world and even microtransactions.

[*] Has anyone looked at the Graphene code to see if they even handle cases like this?

shelby3 commented on May 24, 2024

Tangentially but related, I am looking at Tendermint's Proof of Fork Accountability, and I am thinking off-the-top-of-my-head (i.e. not deeply contemplated) that proof is flawed because if you require that honest nodes can't sign again then a round can never timeout, because it is not possible to prove that nodes didn't sign a round. Thus an honest node which hasn't seen updates can only trust the next fork he sees which claims that prior rounds he signed expired. What am I missing?

This is why the +2/3 attacker can execute a double-spend and not get caught.

Btw, in my design, I've found that the only malevolence that can be objectively penalized with bond confiscation is claiming that some transaction was valid when it is actually invalid (not referring to conflicting transactions). Relativity of forks can't be punished. This is related to the general conceptual reason that side-chains are not viable.

jaekwon commented on May 24, 2024

The generative essence I previously cited will not be violated.

There's no need for total ordering of transactions, only partial ordering, for fungible, countable, units.

Going back to your original post,

As I understand it, transacting between blockchains requires the source (sending) blockchain to confirm the transaction. This must be the case because there is no total order amongst all blockchains.

No, the source doesn't have to confirm the transaction. You don't even need to send w/ confirmation, if you're optimistic. If you want confirmation, it's handled by the hub.

Thus afaics, censorship in the source (sending) blockchain can censor (hold hostage) the ability to make the transaction to the destination (receiving) blockchain. Am I correct?

No.

jaekwon commented on May 24, 2024

Tangentially but related, I am looking at Tendermint's Proof of Fork Accountability, and I am thinking off-the-top-of-my-head (i.e. not deeply contemplated) that proof is flawed because if you require that honest nodes can't sign again then a round can never timeout, because it is not possible to prove that nodes didn't sign a round. Thus an honest node which hasn't seen updates can only trust the next fork he sees which claims that prior rounds he signed expired. What am I missing?

I don't know what you mean, by "honest nodes can't sign again". They can't sign the same H/R/S again. They can sign for the same height, but later rounds. Rounds time out locally, there is no notion of a global round timeout. It doesn't seem that you understand how the BFT algo is safe & live. You must understand those two proofs, before you understand the fork-accountability proof.

shelby3 commented on May 24, 2024

Tangentially but related, I am looking at Tendermint's Proof of Fork Accountability, and I am thinking off-the-top-of-my-head (i.e. not deeply contemplated) that proof is flawed because if you require that honest nodes can't sign again then a round can never timeout, because it is not possible to prove that nodes didn't sign a round. Thus an honest node which hasn't seen updates can only trust the next fork he sees which claims that prior rounds he signed expired. What am I missing?

This is why the +2/3 attacker can execute a double-spend and not get caught.

Btw, in my design, I've found that the only malevolence that can be objectively penalized with bond confiscation is claiming that some transaction was valid when it is actually invalid (not referring to conflicting transactions). Relativity of forks can't be punished. This is related to the general conceptual reason that side-chains are not viable.

If I am correct, this means given a +2/3 attacker, there is never objectivity even if nodes come online often enough to see changes in the validator set. This means Casper and every variant PoS (which are just Byzantine agreement, because all designs are either Byzantine agreement or asymptotically probabilistic longest chain, as fundamentally there can't be anything else) will never be objective w.r.t. to nothing-at-stake. You must rely on social information and checkpoints.

For "the longest chain that rules them all" PoW, we assume the attacker can't afford to keep the chain hidden for too long, because must pay mining costs. Lesser PoW chains can in theory be attacked with repurposed hashrate.

jaekwon commented on May 24, 2024

If I am correct, this means given a +2/3 attacker, there is never objectivity even if nodes come online often enough to see changes in the validator set. This means Casper and PoS will never be objective w.r.t. to nothing-at-stake. You must rely on social information and checkpoints.

I wouldn't call PoW "objective" either, if you disagree w/ the policies chosen by the +1/2 miners. You may very well want to choose the lesser PoW chain.

jaekwon commented on May 24, 2024

So it spends to a different hub and/or to a different destination zone, because the original destination zone isn't present on this different hub or because of the latter claim.

Yeah, of course, what you're describing is broken. The whitepaper doesn't go into detail of solving that because it only assumes 1 hub, but we will solve it for the general case. What's not been described so far is the description of coin "path". A coin that travels in a circuit is not the same coin, it loses fungibility.

2.3 Byzantine Agreement is Fragile (Deterministic, Bounded, Permissioned)

Compared to PoW’s probabilistic asymptotic finality wherein the participation of the consensus ordering nodes (i.e. the miners) is unbounded, free market, permission-less, and spontaneous, Byzantine agreement (and BFT in general, as well as any form of voting) requires a bounded, permissioned set of validators because otherwise there is no (not even an opportunity) cost limiting participation; thus the fault tolerance would otherwise be trivially exceeded with a Sybil attack.

Staking tokens can be traded freely, in fact they're easier to transport than mining hardware. The drawback of PoW is potential unsafety during network partitions or other potential & plausible incidences. The last statement is better stated as "... participation; thus nothing to prevent any Sybil attack.". (Sybil attack & fault-tolerance doesn't really mix here).

shelby3 commented on May 24, 2024

As I understand it, transacting between blockchains requires the source (sending) blockchain to confirm the transaction. This must be the case because there is no total order amongst all blockchains.

No, the source doesn't have to confirm the transaction.

If the source doesn't confirm, then transaction can be spent to multiple destinations because there isn't a total order amongst chains regardless of your hub concept, per the logic I already explained (the number of hubs are unbounded...). You are going in circles now and not realizing it yet― analogous to a dog chasing his tail until he bites the tail and realizes it is his own. Sorry I won't be able to continue, until you realize, because it is redundant for me to repeat the same explanation of your flaw. (which is my way of admonishing your future replies so I don't have to reply unless you make a point that is correct ... sorry but I have limited time and that is most efficient way to say if I don't reply, it means you are still wrong)

Sorry you are incorrect. I realize it is difficult to accept that the project is toast. But the truth can't be denied. You can continue if you want, but you are wasting your time and effort. (I can say this with more confidence as since I wrote my prior comments, I have refined the details in my own whitepaper based on the direction of analysis that my comments here steer me towards)

I do (think I) know how to solve this dilemma, but afaics the conceptual design y'all have is not even close (not in the right direction). Again sorry, but it is much better you know sooner than later. I am actually doing you a service. I could have kept quiet until my whitepaper is released (which will stir a lot of debate amongst experts and then via peer review it will be very clear and irrefutable).

shelby3 commented on May 24, 2024

It doesn't seem that you understand how the BFT algo is safe & live.

BFT is not safe (from deliberate forking) nor is blame even provable when +2/3 (or probably much less per the statistical distance explanation I provided) of the participants are colluding.

Liveness is (potentially ephemerally) interrupted when +1/3 are colluding and/or unresponsive.

shelby3 commented on May 24, 2024

I wouldn't call PoW "objective" either, if you disagree w/ the policies chosen by the +1/2 miners. You may very well want to choose the lesser PoW chain.

Objectivity is concerned with whether the consensus is reliable from an independent vantage point (i.e. without any social coordination), not whether it is a fraud because BFT has been exceeded (note exceeding BFT thresholds can defeat the said reliability but the fraud outcome is orthogonal to the reliability of the finality of consensus outcome, e.g. an attacker in both PoW and PoS/BFT can censor without forking so the former is fraud and the latter is also loss of finality of consensus). The objectivity of PoW is we don't have to trust any checkpoint nor even have to trust the genesis block that we've been given by another node, because the objectivity of the longest chain can be measured independently by every node (assuming all chains have propagated given asymptotic delay). However, this is only asymptotic probability of 1 for "the longest chain that rules them all". All lesser or non-ASICs PoW chains (in theory) do not have asymptotic finality, which I explain in much more detail in my whitepaper.

Btw, for the "the longest chain that rules them all", I explain the mining farms have no incentive to double-spend (nor to allow 50+% to become rented by a double-spend attacker), because then they can't recover their huge sunk costs and they can't repurpose the ASICs and mining farms to another coin (too much social capital would be destroyed).

But I am not arguing for PoW as it is certainly a winner-take-all power vacuum, but so is everything else including your BFT consensus (until my whitepaper is released).

shelby3 commented on May 24, 2024

Yeah, of course, what you're describing is broken. The whitepaper doesn't go into detail of solving that because it only assumes 1 hub, but we will solve it for the general case. What's not been described so far is the description of coin "path". A coin that travels in a circuit is not the same coin, it loses fungibility.

If I have time to do so, I will find your flaw when you publish the details. The generative essence is unavoidable because the number of hubs is unbounded.

The following Wikipedia quote concept applies analogously:

However, this only rescales the problem: a client may follow a fork of 721 blocks, regardless of whether it is the tallest blockchain, preventing consensus.

The underlying generative essence is that due to the fact that +2/3 BFT attack can't be held accountable, there is nothing-at-stake. Your bonding is useless for preventing forks.

shelby3 commented on May 24, 2024

Staking tokens can be traded freely, in fact they're easier to transport than mining hardware. The drawback of PoW is potential unsafety during network partitions or other potential & plausible incidences.

All forms of massive (total order) centralization are anti-fragile. Contrast this with nodules of centralization which are themselves decentralized actors (partial orders) in a larger network. A network partition might also prevent staking from trading and communicating across the partitions. And centralization of mining and stake are both winner-take-all power vacuums.

participation; thus the fault tolerance would otherwise be trivially exceeded with a Sybil attack.

The last statement is better stated as "... participation; thus nothing to prevent any Sybil attack.". (Sybil attack & fault-tolerance doesn't really mix here).

Since the section is about BFT, then IMO the applicability of a Sybil attack to fault tolerance is the most contextual. Attempting to discuss everything about Sybil attacks (for every possible context) in a section that is not primarily about Sybil attacks is IMO diversionary. Perhaps you had some specific Sybil attack in mind that is not applicable to fault tolerance that is somewhat contextual?

My white paper is primarily about consensus ordering and the known (and my posited new) reformations that sidestep the impossibility result of the FLP theorem.

Of course Sybil attacks can also apply in other contexts such as in some strategies for anti-DDoS, but that would be off-topic.

jaekwon commented on May 24, 2024

As I understand it, transacting between blockchains requires the source (sending) blockchain to confirm the transaction. This must be the case because there is no total order amongst all blockchains.

No, the source doesn't have to confirm the transaction.

If the source doesn't confirm, then transaction can be spent to multiple destinations because there isn't a total order amongst chains regardless of your hub concept, per the logic I already explained (the number of hubs are unbounded...).

I don't know what you mean by "confirm". The Cosmos whitepaper has another notion of IBC "acknowledgement", and I thought you were referring to that. If you mean to ask whether they must "commit" the transaction on the source blockchain, then yes, (of course,) the source blockchain has to sign a block-hash that includes state-changes to include an outgoing coin packet. Then the hub will get this block-commit (block hash and commit signatures) from the source chain and commit that as in another transaction.

One might call that a total ordering from the perspective of the hub, but I like to be precise with my wording, and "total order" is not it.

The rules of the Cosmos whitepaper don't specify what happens when, say, a sidechain/zone were to violate the rules of its blockchain and say, re-arrange the order of txs. And the Hub maybe wouldn't even know or care, because to the Hub it looks like a normal Tendermint blockchain committing new blocks. So I wouldn't go so far as to call any multi-sovereign-ledger system a "total ordering". It's hairier than that.

Sorry you are incorrect. I realize it is difficult to accept that the project is toast.

You don't understand what we're proposing.

Afaics, the flaw in that conceptualization is that liveness failure is not an objectively provable malevolence nor is it objectively provable outside of a total order that a liveness failure did not occur. Thus the malevolent zone which double-spends can claim that the hub and/or receiving destination zone was not responding. Propagation can't be proved nor disproved outside of the internal clock of blocks for a blockchain. So it spends to a different hub and/or to a different destination zone, because the original destination zone isn't present on this different hub or because of the latter claim.

This makes no sense without further clarification. The funds in the hub that is censoring txs are owned by a smart contract or other that tracks the consensus of the hub. How does the source zone simply "spend to a different hub"? Are you suggesting that the source zone will hard-fork to double spend coins that were already sent to the hub?

No, censorship is not always provable. It doesn't stop people from using Bitcoin though. You say that "mining farms have no incentive to double-spend". Where is the incentive for hub validators to censor transactions?

All we're doing is building an architecture from proven constructs. You haven't disproven any of the proofs in the whitepaper, including the proof of fork-accountability.

BFT is not safe (from deliberate forking) nor is blame even provable when +2/3 (or probably much less per the statistical distance explanation I provided) of the participants are colluding.

What kind of forking? Creating two blocks at the same height? Yes, blame can be determined in that case, even with +2/3 collusion. Do you mean hard/soft forking the rules of the chain? Did they do something that they weren't allowed to do according to the constitution? If not, then no problem. If they did break a (constitutional) contract, then they're very much destroying the value of that validator set. In the case of atoms, atoms aren't given away for free, we're assuming that people were willing to sacrifice 2/3 of the market valuation of the staking tokens to censor transactions.

It seems to me that your "generative essence" states that anything that isn't Bitcoin must be flawed, and you're running in circles convincing yourself that it must be true. Sorry bud, it just isn't true.

Cosmos is simply a network of inter-networking distributed ledgers. We've created primitives for simple BFT consensus, fork-accountability, and interchain packet delivery w/ IBC. There's tremendous freedom to construct safe systems on top of such infrastructure, and the devil is in the details.

from cosmos.
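The "same H/R/S" rule and the "two blocks at the same height" case discussed in the comments above, as an added example that is not part of the original thread and is not Tendermint's code. It checks whether two votes form self-contained duplicate-vote evidence against one validator; the `Vote` layout, the sign-bytes encoding, the step constants and the demo keys are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	StepPrevote   uint8 = 1 // constructed values, not Tendermint's
	StepPrecommit uint8 = 2
)

// Vote is a simplified signed consensus vote (hypothetical layout).
type Vote struct {
	Height    uint64
	Round     uint32
	Step      uint8
	BlockHash [32]byte
	Validator ed25519.PublicKey
	Signature []byte
}

// signBytes is the canonical message a validator signs: H, R, S, block hash.
func signBytes(v Vote) []byte {
	buf := make([]byte, 13+32)
	binary.BigEndian.PutUint64(buf[0:8], v.Height)
	binary.BigEndian.PutUint32(buf[8:12], v.Round)
	buf[12] = v.Step
	copy(buf[13:], v.BlockHash[:])
	return buf
}

func SignVote(priv ed25519.PrivateKey, h uint64, r uint32, step uint8, hash [32]byte) Vote {
	v := Vote{Height: h, Round: r, Step: step, BlockHash: hash,
		Validator: priv.Public().(ed25519.PublicKey)}
	v.Signature = ed25519.Sign(priv, signBytes(v))
	return v
}

func validSig(v Vote) bool {
	return len(v.Validator) == ed25519.PublicKeySize &&
		ed25519.Verify(v.Validator, signBytes(v), v.Signature)
}

// IsEquivocation reports whether a and b prove that one validator signed two
// different blocks for the same height/round/step. Both signatures must
// verify, so a validator cannot be framed with a vote it never signed.
func IsEquivocation(a, b Vote) bool {
	return string(a.Validator) == string(b.Validator) &&
		a.Height == b.Height && a.Round == b.Round && a.Step == b.Step &&
		a.BlockHash != b.BlockHash &&
		validSig(a) && validSig(b)
}

type slot struct {
	validator string
	height    uint64
	round     uint32
	step      uint8
}

// FindEquivocators scans a vote log and returns each validator for which
// the log contains duplicate-vote evidence, in order of first detection.
func FindEquivocators(votes []Vote) []ed25519.PublicKey {
	first := make(map[slot]Vote)
	blamed := make(map[string]bool)
	var out []ed25519.PublicKey
	for _, v := range votes {
		if !validSig(v) {
			continue // unsigned or forged votes prove nothing
		}
		k := slot{string(v.Validator), v.Height, v.Round, v.Step}
		prev, seen := first[k]
		if !seen {
			first[k] = v
			continue
		}
		if IsEquivocation(prev, v) && !blamed[k.validator] {
			blamed[k.validator] = true
			out = append(out, v.Validator)
		}
	}
	return out
}

// demoKey derives a deterministic key from a constructed seed (demo only).
func demoKey(b byte) ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = b
	}
	return ed25519.NewKeyFromSeed(seed)
}

func hashOf(s string) [32]byte { return sha256.Sum256([]byte(s)) }

func main() {
	byz := demoKey(1)
	votes := []Vote{
		SignVote(byz, 10, 0, StepPrecommit, hashOf("block-A")),
		SignVote(byz, 10, 1, StepPrecommit, hashOf("block-B")), // later round: allowed
		SignVote(byz, 10, 0, StepPrecommit, hashOf("block-B")), // same H/R/S: evidence
	}
	fmt.Println("validators with duplicate-vote evidence:", len(FindEquivocators(votes)))
}
```

The check covers only conflicting signatures on the same H/R/S; it says nothing about censorship or unresponsiveness, which the thread treats as a separate question.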

shelby3 commented on May 24, 2024

If you mean to ask whether they must "commit" the transaction on the source blockchain, then yes, (of course,) ... One might call that a total ordering from the perspective of the hub, but I like to be precise with my wording, and "total order" is not it.

Who said it was a total order?

It's hairier than that.

That is precisely the reason your system is insolubly broken and that it is not a total ordering because the hubs are unbounded. The only known secure way to have unbounded participation is with a probabilistic, asymptotic finality. My understanding of these fundamentals, indicates to me you are still going in circles because you don't have a holistic conceptualization of how PoW and Byzantine agreement are related but different in a taxonomy of possible reformations that sidestep the FLP impossibility result. I will quote again what I wrote:

because there isn't a total order amongst chains regardless of your hub concept, per the logic I already explained (the number of hubs are unbounded...). You are going in circles now and not realizing it yet ...

My currently 30,000 word whitepaper will hopefully expound and make this all conceptually more clear.

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

You don't understand what we're proposing.

I believe I do understand at a fundamental concept level of what is possible and what is secure in the taxonomy of possible reformations that sidestep the FLP impossibility result.

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

This makes no sense without further clarification. The funds in the hub that is censoring txs are owned by a smart contract or other that tracks the consensus of the hub. How does the source zone simply "spend to a different hub"? Are you suggesting that the source zone will hard-fork to double spend coins that were already sent to the hub?

We can go back and forth trying to coalesce our perspectives and the details, but the fundamentals I have stated are inviolable. So it really doesn't matter. We can sort out the details to your satisfaction later. You should probably write a more complete specification of what you are trying to say above so that I could respond more meaningfully. I don't want to play a cat & mouse back and forth trying to figure out what each of us is referring to. Nevertheless, the fundamentals I have stated will be inviolable.

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

No, censorship is not always provable. It doesn't stop people from using Bitcoin though. You say that "mining farms have no incentive to double-spend". Where is the incentive for hub validators to censor transactions?

I said mining farms can't recoup their sunk costs by shorting or other means that destroy the ecosystem; whereas, in theory stake based systems have no such unrecoverable sunk costs. You really need to understand the wealth effect of share markets. Owning 50% of stake doesn't mean 50% of the market cap is a sunk cost or could even be ever liquidated.

Working on crypto-currency block chain consensus systems is multi-disciplinary. You must be an expert economist as well as a computer scientist and a physicist.

All we're doing is building an architecture from proven constructs. You haven't disproven any of the proofs in the whitepaper, including the proof of fork-accountability.

As I have stated, fork accountability is not provable when +2/3 of validators are colluding:

BFT is not safe (from deliberate forking) nor is blame even provable when +2/3 (or probably much less per the statistical distance explanation I provided) of the participants are colluding.

That is a fundamental of Byzantine agreement. The discussion of how to prove this is in my white paper. One could take my words there and construct a formal proof. I may do it as time allows. I need to go look at my whitepaper to see if I cited a reference on that or if I just developed my own proof. I may edit this comment after I've had a chance to review that section of my whitepaper. I've been away from it during the holidays.

It seems to me that your "generative essence" states that anything that isn't Bitcoin must be flawed, and you're running in circles convincing yourself that it must be true. Sorry bud, it just isn't true.

Lol. I am a huge critic of Bitcoin. If that is what you are using to convince yourself, then you are not on solid footing.

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

What kind of forking?

Any ordering of blocks. It is a fundamental of Byzantine agreement. You will see this clearly when you see it developed from fundamentals. You are mixing in details which can't impact the fundamentals. As I said, we can later help you fit your details into the fundamental findings or theorems.

I think you come at this from a piecemeal understanding of Byzantine designs and not from a fundamental generative essence of Byzantine faults when ordering a set of quorums amongst a fixed set of voters (validators).

from cosmos.

LeeBlues avatar LeeBlues commented on May 24, 2024

shelby3, every system is vulnerable when 2/3 is malicious. Bitcoin is not different.
How will POW be safer than POS if the CCP decided to manipulate the BTC network?
I am not telling a fantasy. This is very probable since the CCP is getting serious about BTC.
What if the almighty Chinese Communist Party points a gun at Chinese miners' heads and orders them to send a very, very large amount of BTC to a CCP-controlled address? How is POW safer than POS under this scenario?

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

@LeeBlues I was warning about China's centralization of Bitcoin more than a year ago.

But miners can't transfer BTC which they don't have the private keys for. They could hardfork the protocol and mint more coins than scheduled, but this would tank the price and thus destroy their ability to recover sunk costs in mining equipment and datacenters presuming the ASICs are not repurposable.

Bitcoin mining farms have no incentive to do anything which would destroy the long-term price because of their massive sunk costs.

PoS doesn't have this security. There is nearly nothing-at-stake. 50% of the stake is not worth a liquid 50% of marketcap. Shorting might even be as or more liquid than selling (since selling could ignite a stampede).

The issue of +2/3 can't be held accountable in Byzantine agreement means that bonded validators are impossible. There is no way to assign blame in order to confiscate the bonded collateral! Thus there is nothing-at-stake. Casper and Tendermint have a fundamental error about this. They assumed bonded validators are possible but they are impossible if +2/3 are colluding. And we can never prove when +2/3 are colluding or not colluding.

Bonded collateral and Byzantine agreement are fundamentally incompatible. This is a fundamental finding of critical importance.

from cosmos.

jaekwon avatar jaekwon commented on May 24, 2024

As I have stated, fork accountability is not provable when +2/3 of validators are colluding:

BFT is not safe (from deliberate forking) nor is blame even provable when +2/3 (or probably much less per the statistical distance explanation I provided) of the participants are colluding.

Incorrect. So far from what I've seen, you're conflating censorship/liveness attacks with double-spend attacks in making that false claim which you still haven't proven. You don't need a 30,000 word whitepaper to disprove our fork-accountability proof, just point to our error in the wiki.

As I said, we can later help you fit your details into the fundamental findings or theorems.

No need, we've already done so by building upon DLS, which btw shares an author w/ FLP. All we've done is refine a family of BFT algos, and added the ability to attribute blame to 1/3+ in the case of double spend forks, no matter the % of Byzantine voting power.

I said mining farms can't recoup their sunk costs by shorting or other means that destroy the ecosystem; whereas, in theory stake based systems have no such unrecoverable sunk costs. You really need to understand the wealth effect of share markets. Owning 50% of stake doesn't mean 50% of the market cap is a sunk cost or could even be ever liquidated.

In theory the mining hardware is made of mostly reusable components (power adapters, fans, heat sinks, solar cells, etc) and what cannot be recouped are minimal in costs (the ASIC chip). In practice this is where we are headed. When we have better batteries for storing excess electricity from power plants, even they won't have much stake in PoW.

On FLP,
Bitcoin circumvents FLP first because it makes synchrony assumptions. E.g. blocks will be broadcast to miners within 10 minutes or so. The only other way to circumvent it meaningfully is w/ something like HB or other common coin schemes. Bitcoin PoW is also nondeterministic as miners use "random" nonces.

I believe I do understand at a fundamental concept level of what is possible and what is secure in the taxonomy of possible reformations that sidestep the FLP impossibility result.

Then why are you so focused on FLP? It's sort of a nonissue. Even PoW circumvents FLP in the most trivial of ways.

The only known secure way to have unbounded participation is with a probabilistic, asymptotic finality.

It's not exactly unbounded, PoW works by offloading the membership function to the physical world, where access to energy and hashing ability are bounded in many ways.

from cosmos.

jaekwon avatar jaekwon commented on May 24, 2024

BTW, The old Tendermint whitepaper with a third round of voting makes this even clearer. There, forks are trivially attributable to double signers.

from cosmos.
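The quorum-intersection arithmetic behind the fork-accountability claim in the comments above, as an added example that is not part of the thread and not Tendermint's own code. It covers only the simplest case, two conflicting +2/3 commits at the same height and round that are both in the checker's hands. The `Vote` type, the sign-bytes format, the validator names and the equal voting powers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Vote is a simplified precommit (hypothetical type, not Tendermint's wire format).
type Vote struct {
	Validator, BlockID string
	Height, Round      int
	Sig                []byte
}

func signBytes(h, r int, id string) []byte { return []byte(fmt.Sprintf("%d/%d/%s", h, r, id)) }

// Equivocators returns validators that validly signed two different blocks at one height/round, plus their combined power.
func Equivocators(a, b []Vote, keys map[string]ed25519.PublicKey, power map[string]int) (guilty []string, total int) {
	valid := func(v Vote) bool {
		pk, ok := keys[v.Validator]
		return ok && ed25519.Verify(pk, signBytes(v.Height, v.Round, v.BlockID), v.Sig)
	}
	first := map[string]Vote{}
	for _, v := range a {
		if valid(v) {
			first[v.Validator] = v
		}
	}
	for _, v := range b {
		w, ok := first[v.Validator]
		if ok && valid(v) && w.Height == v.Height && w.Round == v.Round && w.BlockID != v.BlockID {
			guilty, total = append(guilty, v.Validator), total+power[v.Validator]
			delete(first, v.Validator) // blame each validator once
		}
	}
	return
}

// DemoFork uses constructed data: four equal-power validators, two +2/3 commits at height 10.
func DemoFork() ([]string, int) {
	keys, power, privs := map[string]ed25519.PublicKey{}, map[string]int{}, map[string]ed25519.PrivateKey{}
	for i, n := range []string{"A", "B", "C", "D"} {
		privs[n] = ed25519.NewKeyFromSeed(append([]byte{byte(i + 1)}, make([]byte, ed25519.SeedSize-1)...))
		keys[n], power[n] = privs[n].Public().(ed25519.PublicKey), 1
	}
	commit := func(id string, signers ...string) (vs []Vote) {
		for _, n := range signers {
			vs = append(vs, Vote{n, id, 10, 0, ed25519.Sign(privs[n], signBytes(10, 0, id))})
		}
		return
	}
	return Equivocators(commit("X", "A", "B", "C"), commit("Y", "B", "C", "D"), keys, power)
}

func main() { fmt.Println(DemoFork()) }
```

With total power 4, each commit needs 3 signers, so any two commits share at least 2 signers; the check names B and C, which is more than 1/3 of the voting power. Votes with a missing key or an invalid signature are ignored, so a forged vote cannot be used to frame a validator.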

shelby3 avatar shelby3 commented on May 24, 2024

In theory the mining hardware is made of mostly reusable components (power adapters, fans, heat sinks, solar cells, etc) and what cannot be recouped are minimal in costs (the ASIC chip). In practice this is where we are headed.

The provisioning, assembly and disassembly is also a major cost.

The turnkey mining farms in shipping containers seem to be highly optimized with specialized cooling systems that are orders-of-magnitude more efficient than general use datacenter systems. Datacenter cooling is specific to density.

Afaics, you are again violating a fundamental generative essence, which is that specialization (and related concept maximum division-of-labor) is more efficient and where society/technology is headed.

Also I think we are talking about the reality now, not 10 years from now. I am confident that PoW is not the long-term solution. And I am also confident Tendermint/Cosmos/Byzantine agreement is not also.

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

The only known secure way to have unbounded participation is with a probabilistic, asymptotic finality.

It's not exactly unbounded, PoW works by offloading the membership function to the physical world, where access to energy and hashing ability are bounded in many ways.

Referring to the definition of unbounded and bounded...

Then please tell me the bound of the energy and resources in the universe.

Byzantine agreement is bounded participation with a finite set of voters (validators). Please don't muddle what are precise definitions.

And that bounded participation has tradeoffs.

from cosmos.

tomtruitt avatar tomtruitt commented on May 24, 2024

Energy in the universe does not equal energy I'm able to utilize

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

Incorrect.
No need

You think?

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

Energy in the universe does not equal energy I'm able to utilize

What is the finite bound of what any participant can utilize? (rhetorical question)

Please write it down. I'll be waiting forever for you to do so.

from cosmos.

jaekwon avatar jaekwon commented on May 24, 2024

Referring to the definition of unbounded and bounded...

Then please tell me the bound of the energy and resources in the universe.

Byzantine agreement is bounded participation with a finite set of voters (validators). Please don't muddle what are precise definitions.

And that bounded participation has tradeoffs.

Eh, according to that model, even Bitcoin isn't secure, unless we accept social consensus to choose local forks (just as we do w/ Tendermint PoS for long-range attacks and reorg-hardforks upon double-spend forking), for otherwise the three legged pods from Mars will surely troll our Bitcoin blockchain w/ their superior access to solar energy.

This conversation is spamming our Slack and really, I haven't seen anything interesting be substantiated, so I'm going to close this issue. If you want to continue, take it to our Reddit, where we'll have a better discourse format (tree-based conversations).

https://www.reddit.com/r/TheCosmos/

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

I'm going to close this issue. If you want to continue, take it to our Reddit

No problem. I prefer you continue working on what is insolubly (i.e. can't be fixed) broken. I will prove it unequivocally later after you've wasted a lot more time and effort.

This conversation is spamming our Slack

Those are going to be famous words. Frame them.

from cosmos.

tomtruitt avatar tomtruitt commented on May 24, 2024

When you imply that the energy and resources available to the universe have more bearing than the ability to use them economically and then call people dummies. Wow yeah I'll stay out of this conversation as it will just make me wish I could slap you.

from cosmos.

tomtruitt avatar tomtruitt commented on May 24, 2024

+1 jae

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

When you imply that the energy and resources available to the universe have more bearing than the ability to use them economically

I didn't imply anything. I correctly used the term bounded and unbounded as defined in the dictionary.

You seem to want to talk about something different.

The fact that PoW is not bounded and Byzantine agreement is, has ramifications. You may be interested in other ramifications that don't pertain to that attribute of boundedness, but that was irrelevant to the point about the misuse of definitions.

and then call people dummies.

When you use an argument which is inapplicable to the discussion of a definition, that indicates something about your intellect.

from cosmos.

tomtruitt avatar tomtruitt commented on May 24, 2024

Your argument was ridiculous and when I pointed that out you called names. Tells more of your intellect than mine. I really don't want to keep talking to you as you seem like you spiral down this path of name calling indefinitely and I don't appreciate being attacked by strangers for no good reason.

from cosmos.

shelby3 avatar shelby3 commented on May 24, 2024

Your argument was ridiculous

Absolutely not. The boundedness attribute has some serious ramifications. For example, Byzantine agreement can get stuck (requiring a community driven hardfork) if liveness threshold is exceeded, but PoW can never get stuck. Censorship with empty blocks is not the same as stuck due to liveness threshold.

Please stop with your immature whining. We are having a technical discussion.

from cosmos.

tomtruitt avatar tomtruitt commented on May 24, 2024

The discussion ended about the same time you resorted to name calling and you are continuing to attack my character for no good reason. That is not immature whining. It is pointing out your bizarre behavior. Good bye

from cosmos.
