Scaling, Decentralization, Security of Distributed Ledgers (part 4)

in #cryptocurrency7 years ago (edited)

Click Here to read Part 3 of this blog.

Cardano’s Ouroboros

I’m loathe to attempt to explain in detail the fairly complex Ouroboros consensus system because as noted in follow-up comments that it’s not trivial to quantify, fully characterize, and compare distinct complex dynamic systems with probabilistic eventual consistency (aka eventual 100% finality/irreversibility).

Cardano has roughly the same performance and the same flaws as DFINITY which was covered in Part 3. However note that DFINITY’s actual safety threshold (or is it the liveness threshold?) is at high probabilities only up to roughly 33% instead of 50+% for Ouroboros, although finality is significantly delayed for Ouroboros as the attacker approaches 50%.

Essentially the original Ouroboros also employs (unbias-able?) secure multi-party randomness analogous (but as a shared secret instead of an independently verifiable randomness function) to DFINITY’s random beacon (BLS threshold signature scheme) but the choice “SCRAPE: Scalable Randomness Attested by Public Entities” is much slower and completes every epoch instead of every slot. However this doesn’t necessarily make finality of transactions much delayed compared to DFINITY, although AFAICT the DFINITY whitepaper lacks the rigor to help me analyze the comparison in the non-ideal, adversarial case. The model for attaining and deciding on finality for Ouroboros is different and significantly more complex to explain in the idealized, non-adversarial model than for DFINITY. And I really don’t find any value for non-expert readers in understanding the arcane minutiae. Suffice it to say that both Ouroboros and DFINITY are roughly equivalent in terms of what they offer to users, especially since they all have the “Past Majority Attacks” and other flaws of nothing-at-stake which means they’re (along with all extant non-proof-of-work consensus systems) really only secure as oligarchy clusterfucks. Although perhaps in certain specialized use cases (e.g. specialized private use by banks and not wide deployment to the public Internet) there might be some significant distinction between the two, but I haven’t identified those cases.

Additionally there’s a new variant of Ouroboros named Praos which employs a verifiable randomness function, but AFAICT it doesn’t have the DFINITY’s concept of notarization for witnessing finality (although I’m not sure that makes any quantitative difference because DFINITY didn’t analyze with rigor to quantify its eventual consistency in the non-ideal, adversarial case). Apparently the main improvement of this Praos variant is foiling an adaptive adversary.

Use Cases

I want to make it very clear that as discussed in the comment section, Ouroboros (and I believe also DFINITY) provably provides consensus within the 50+% Byzantine fault tolerance safety threshold and a separate liveness tolerance threshold. They provably solve a specific aspect of the overall set of issues with consensus systems. These systems may already be sufficient for some use cases. We should separate our analysis of these consensus systems from their application to projects that exist in cryptocurrency speculation markets.

So that's dandy minutiae on the provably secure proof-of-stake within the presumed tolerances, except I’m still focused on the following bottom line…

I want to raise a separate point which is the political-economic power vacuum problem when these consensus systems are widely deployed to the Internet such as is the case with the abject failure of Steem. In that case, the presumption that the adversary is not able to exceed the 50+% safety threshold is not a valid assumption for non-proof-of-work systems.

I’m also loathe to expend more effort explaining the nuances of various proof-of-stake consensus systems because they are nonviable for wide deployment to the Internet due to the nothing-at-stake vulnerability which I explained for DFINITY. I recapitulated the summary of this issue in the comment section below.

Thus my opinion on the speculation markets for non-proof-of-work projects is characterized as follows…

More Proof-of-Stake “Shitcoins”

I’m also loathe to expend more effort explaining proof-of-stake consensus systems because they are nonviable for wide deployment to the Internet due to the nothing-at-stake vulnerability which I explained for DFINITY.

These extant proof-of-stake systems only function because an oligarchy is in control milking the users. The oligarchy prevents the “Past Majority Attacks” yet extracts maximum rents in other numerous ways, such as monopolizing the rewards, fees, and doing market price manipulation.

That’s why I won’t waste more of my time analyzing the underlying proof-of-stake consensus component of more “shitcoins” mine-the-speculator FOMO schemes such as:

Skycoin’s Obelisk

So I guess by accident we save the most intriguing gem amongst extant consensus systems for last.

I haven’t been this intrigued about a consensus system since I read the Byteball whitepaper. I remember telling various friends on bitcointalk.org to buy some Byteball back when the market cap was only $1 million. Unfortunately for me, I couldn’t be bothered with trying to figure out how to get registered on an exchange to buy it at that time because I was preoccupied with the horrific delirium of my chronic illness (c.f. also). Like Byteball, Skycoin’s Obelisk has some warts and problems though.

I had been following Skycoin since 2015 and apparently at that time (or later in 2016 and then gotten confused about the two different whitepapers) only read what I thought to be the original consensus system whitepaper (although it’s dated 2016) which was not worthy of my attention. I think I may have read the June 2015 whitepaper later in 2015 or 2016, but remember it was approximately June 2017 that my health went into a tailspin and by August I was down to 50 kilos in body weight. So given the very intense delirium I was experiencing at that time, I vaguely remember dismissing that June 2015 whitepaper as being culpable to web-of-trust manipulation as I explained in Part 3 for Stellar SCP—and analogous to how the politics of voting is manipulated as I explained about DPoS. At that time in Q3 2015, I apparently didn’t have the mental concentration or energy to either fully understand the whitepaper, or moreover other possible ramifications of it.

Almost Totally Ordered

The June 2015 Skycoin whitepaper summarizes in §2 Related Work: Cryptocurrency on pg. 3 the non-antifragile, potential collapse of web-of-trust in Stellar SCP:

Stellar [32] also use a relationship based solution to resist Sybil attack similar to ours, however, their algorithm has a major defect that it relies on the assumption that for a node, if 80% of its followees agree on a opinion, then 80% of all nodes agrees on the same opinion, but the assumption only stands when a node follows an overwhelming majority of all nodes.

Stellar SCP enforces a total order such there’s no convergence on consensus unless all non-faulty (i.e. non-Byzantine) nodes will have the same correct consensus but apparently that only holds for assumptions about the web-of-trust as quoted above. Whereas, Obelisk forsakes total consensus for an accepted error rate for non-Byzantine nodes that will be fooled into having the incorrect consensus. By allowing for some nodes to be fooled by their inadequate choices of trust, the overall consensus system becomes more robust and it’s much more likely that the rest of the non-Byzantine nodes will not have a catastrophic failure of liveness nor incorrect consensus.

The downside though is that for an “acceptable” 5% error rate, the safety threshold is 87+%. I remember that was one of the reasons I originally thought the design would be unacceptable because it’s possible some small percent of the users won’t have an objective consensus even if they’re always online. I still think that’s a significant problem, but it does put the onus on users to establish reasonably wide and very reliable web-of-trust choices, because they won’t be able to lazily presume they can piggyback on the entire network only converging on a single total order as is the case for Stellar SCP.

So significant error rates will have to accepted if users are making poor trust choices and the adversary is able to garnish more than 13% of the nodes. What I find particularly interesting is that if we relax the error rate to ≤50%, the resistance against an adversary is presumably (and I didn’t compute it) impregnable, although I don’t think such a setting would be useful in the context of being the cryptocurrency consensus system. Even more intriguing in the context of another possible application of the Obelisk concept, is how significantly the math for the safety threshold would improve if some significant percentage of the non-Byzantine nodes are always online observing some synchrony driven truth about consensus about which they’re always unequivocally decided.

IOW, Stellar SCP ties every node’s fate to the fate and trust choices of the other nodes— which has the omnipresent and insoluble failure modes of voting as aforementioned in the context of DPoS. Whereas, Obelisk enables the reliable trust in the network to route away from the unreliable trust and partition the consensus into two competing partial orders. So this is more akin to self-responsibility. All non-Byzantine nodes to some greater extent than Stellar SCP, pay for their own mistakes in choices of trust, instead of causing others to suffer with all their shoelaces tied together in “One for all, all for one.”.

And as described in §9 Discussion and Limitations: Distributed Oracles on pg. 15, fooled nodes can rectify their mistaken trust choices (although not retroactively undo any double-spending losses already suffered as a payee) and semi-objectively (via triangulation of community oracles) move back to what they perceive to be the majority consensus. Although I argued that community oracles can be gamed by an adversary, that wouldn’t be the case if the reliable trust converged with “objective” (i.e. subjective but a triangulated decentralized) majority. IOW, an adversary can fool some of the people (and especially when the adversary controls or bribed centralized trusted community entities such as politicians, foundations, banks, and major companies), some of the time, but not a majority of the decentralized first hand observations all of the time. The partial orders of Obelisk’s web-of-trust theoretically (as modeled and simulated) enables the reliable trust to fork off instead of catastrophic failure and loss of “objectivity”. Nevertheless the currently application of Obelisk as the entire consensus system is not perfect in this regard.

Simulated Annealing

The convergence on consensus propagates somewhat analogously to a the wave in stadium audience crowd. The nodes propagate their best estimates (aka trial guesses) of the consensus and then as these guesses circulate, the nodes continue to refine their guesses and propagate them. So the gradient changes in guesses reduce until an equilibrium is formed. If that equilibrium is a live-lock of repeating oscillation that doesn’t progress or a dead-lock of no change in estimate but for which nodes do not share a consensus, then we can conclude that the consensus diverged instead.

I’m impressed that Obelisk incorporates §5.2 Simulated Annealing Model into the “sky” model variant of mean field theory (MFT) for opinion dynamics. Simulated annealing is how the molecules in slowly cooled ice are able to optimally pack themselves based of small localized gradients allowed because the global temperature gradient is slow. Whereas, if ice is cooled too fast, cracks develop because the molecules weren’t given sufficient time to experiment on random gradients to self-organize the optimal packing.

As Fig. 3 on pg. 10 shows:

The simulated annealing by itself converges too slowly because it is oscillating too much between trial gradients, but when combined in the “sky” model with the more aggressive §5.1 Majority Rule Model (which doesn’t always converge by itself because it’s too aggressive and over-commits thus getting stuck as shown above), the convergence is more optimal as shown above.

No Instant Confirmations

The downside of Obelisk is that consensus convergence requires 10+ rounds. Presumably each round will consume “a few seconds”.

Also I have not reviewed their scalability plans such as sharding if any. But I didn’t also for DFINITY. Nevertheless the slow confirmations remain regardless of any orthogonal work on scalability.

But I would rather have slower confirmations than the oligarchy clusterfucks of extant proof-of-stake systems!

Not Entirely Trustless

Analogous to Stellar SCP, there’s no explicit reward as an incentive mechanism to motivate nodes to be honest and make the wisest web-of-trust choices. However, unlike Stellar SCP unless they’re bribed by an adversary, the non-Byzantine nodes have the implicit incentive to not end up fooled and on the incorrect partial order. And unlike Stellar SCP, Obelisk nodes aren’t required to have their web-of-trust to encompass 80% of nodes, thus trust choices need not exceed the Dunbar limit. Nevertheless, non-Byzantine nodes remain vulnerable to transitivity in failures of web-of-trust.

Disclaimer

I haven’t verified the math, the mean field theory, nor the simulations cited in Skycoin’s whitepaper. It’s not beyond the boundaries of plausibility that it could all be a grand hoax. I’m becoming more suspicious the more I dig in Skycoin’s history. However, the whitepaper is listed on Professor Jiwu Shu’s website. But its so called claim development team is non-existent even though there’s real code and coding activity ongoing on Skycoin’s Github.


The linked webpages and whitepapers cited in this blog have been archived at archive.is and/or archive.org.

Sort:  

here's quote from synth:
The new consensus algorithm is beyond anything in any of the papers we have published. The new Skycoin consensus algorithm being implemented is significantly improved and different from what was published in the original white papers.

We are delaying publication of the new consensus algorithm and mechanism, because we do not want it stolen by other coins. We have to be ready with a large marketing push.

Otherwise, someone will just take it, rename it and do a shitcoin ICO on top of our work. We have already had coins in China try to clone the methods we have already published and do shitcoin ICOs on top of them.

The new consensus algorithm is amazing and bullet proof. It is so simple to implement, understand and simulate. It is just a complete revolution in distributed consensus.

We have perfected what Satoshi started.

We are even doing a pilot of running SQL databases on top of "blockchain" using this consensus algorithm, where each transaction is a commit modifying the data.

We are considering whether we want to file for a patent (with open source licensing of course), in order to stop copycats and shitcoins. In the US, if you invent something, someone else can patent it first and then sue you for using your own algorithm (first to file). So we have to consider our legal and marketing strategy for how we can release the consensus algorithm so that it is not copied.

I think towards the end of the year there will be a major release.

For instance, someone copyrighted the Skycoin logo and the logos of 60 other coins in one country and then can goto the coins and exchanges and shake them down for using the logo.

So we have to have the patents registered, the copyrights registered, etc to stop these patent and copyright trolls. Which is one reason we have not released more about it.

What Hash Graph has (and everything else we have evaluated), is just a poor man's version of what our algorithm can do with less complexity and faster. We have the only algorithm that has instant transactions with no 51% attack and which can be used unchanged for both public and private chains.

The algorithm is based upon mathematics, so the validity and convergence of the algorithm is not affected by the bugs in a particular implementation or the errors in a specific paper about a specific implementation of the algorithm.

Loading...

I fell in a rabbit hole reading all your posts and links. Yikes! But it was really informative. Did the same thing when I found blog posts by Synth from Skycoin. You two share many interesting thoughts.

Skycoin does a biweekly AMA with Synth on Youtube. You can post questions in the comment section or even join in on the chat. Would love to see you two debate about consensus algorithms. Below is the link to Synth's previous AMA (you can start adding questions to the comment section for the next session).

P.S I'm bummed bitcointalk deleted most of your posts but really glad to see you being active here.

Cheers

Haha, that happens to me too when I try to find one of my old posts.

Yeah I guess one of these days I’m going to need to track this Synth dude down and chat.

Loading...

Hi anonymint, I enjoyed reading your articles & leanrt a lot from it, would you mind sharing your opinions on Komodo's dPoW and Skycoin's Obelisk consensus ?

Komodo’s dPoW

I have a conflict-of-internet on dPoW because I helped @jl777 brainstorm the idea for it but I wasn’t involved in working out the details nor the implementation. I regretfully made some public comments around the time of the ICO launch which might have limited the size of the participation in the ICO and that may have temporarily strained my relationship with @jl777. So I don’t want to repeat that by writing anything about that could cause any damage to it. I have no investment in Komodo though. Actually I personally am only invested in Steem and Bitcoin at the moment so my lack of investment in Komodo shouldn’t be construed to have any meaning. I will just say that dPoW fixes the long-range nothing-at-stake problem of proof-of-stake because it (last time I checked) relies on the Bitcoin blockchain for objectivity (which could become very expensive in the future and I have not analysed what other game theory issues might be introduced by checkpointing in an external chain). That resistance to nothing-at-stake is important. It enables the proof-of-stake to run at low-energy and very fast between checkpoints in the proof-of-work chain. It’s not the way that the project I am contributing to will attempt to fix nothing-at-stake though.

Skycoin’s Obelisk

I will take another look at Skycoin. I had very crudely analyzed their whitepaper some years ago and it basically appeared to use a web-of-trust similar to Stellar SCP which I analyzed in Part 3 of this blog series, so probably the same flaws of Stellar SCP apply. If I have time, I will add some more meticulous analysis to this blog for Obelisk.

EDIT (7 hours later): I have studied Skycoin carefully and I have some positive impressions. I will be adding my analysis to this blog shortly. Skycoin has the most unique innovation I have seen yet. Not the original whitepaper (which was junk) but the recent one by Houwu Chen which is pure gold. The Asians are ready to make their mark on the world!

thank you for the answer

Yw. Added the Skycoin analysis to my blog. Enjoy! Hope it’s helpful.

thank you, your articles are very informative, I'll try to digest all of it, btw I shared your post on Cardano's Ouroboros onCardano's forum and there are some counter arguments https://forum.cardano.org/t/scaling-decentralization-security-of-distributed-ledgers-part-4-steemit/13118

Loading...

I shared your post on Cardano's Ouroboros onCardano's forum and there are some counter arguments https://forum.cardano.org/t/scaling-decentralization-security-of-distributed-ledgers-part-4-steemit/13118

I see he updated his post and I’m happy my elocution is closer to mutual agreement. He still has a few concerns and I would like to address those herein.

I appreciate the following quoted correction to what I had written in 2017 (which was posted on my behalf by @‍Traxo):

This quote is wrong in the assumption that Ouroboros requires >50% of supply to be locked in stake. The actual requirement is that >50% of active stake is online. Which means that if only 30% of all supply is locked in the stake for the current epoch - then >50% of THAT number (>15% of supply) is ONLINE - i.e. nodes that control >15% of total supply are on average online for that epoch.

Okay that concurs with for example my recent suggestions in the Proof-of-Approval thread at bitcointalk.org for how to active sufficient liveness by only considering the stake which is activated during an extended interval. That also improves security because we know that stake isn’t moving to new public-key identities during that locked-in interval. So I entirely concur that is a viable mechanism.

In that comment he actually mentions that Ouroboros addresses the “nothing-at-stake” problem right in the whitepaper and argues that as long as the majority of the stake is honest - nothing-at-stake is not possible, because of the forkable strings analysis.

However, I think his reply about “honest majority” which I excerpted from above as quoted (and his point about different possible thresholds for BFT) is missing the essence of my point. I am referring to the fact that even if the consensus of the current online majority is correct and secure, this does nothing to help the objectivity of the users who were offline and come online and are presented with an unbounded number of forks by the historic safety threshold busting attacker (and note below the safety threshold busting attacker can do insidious attacks instead overt double-spends). These are the “Past Majority Attacks” mentioned in the original Ouroboros whitepaper. IOW, if any time in this history of the chain an attacker had ever attained in excess of the safety threshold control over the total stake, then all bets are off w.r.t. to the objectivity for offline users. This is essentially a nothing-at-stake issue because the historic attacker has no cost to maintain that vulnerability forever even after he long since sold his stake.

Separately I have another concern which is to his point about “honest majority”. As he and I both know, the security of the online majority does not prevent an attacker who exceeds the liveness threshold from making the entire system stuck, nor does it prevent an attacker exceeding the safety threshold from censoring and taking all the rewards in the system (which is the more subtle attack than double-spending). My point is this is the economic incentive (aka economic power vacuum) which drives the formation of an oligarchy in all extant proof-of-stake systems. Also the designs which try to compensate by requiring a super majority to exceed safety tolerance then have only minority liveness tolerance (so more easily stuck).

Those two paragraphs summarize why I do not consider extant proof-of-stake systems viable for the Internet. But don’t fret, I posit that I probably already know to fix those issues.

Yet Charles ignored my attempted communications on bitcointalk.org and Skype when I was very ill and asked for him to help me out to bring me to Hong Kong in 2016 (from the Philippines where I was trapped in poverty and shitty healthcare system suffering from gut Tuberculosis and not even knowing it, thought I had Multiple Sclerosis) so I could get proper healthcare and then work on his team. Remember Charles and I briefly exchanged messages on Skype to discuss possibly launching a project together after he left Bitshares and before he found Vitalik, but I had to decline because of my declining health in 2013 (which became horrific by 2015). Anyway, due to my hard work even while in horrific delirium and thanks to the kindness of others by 2017 I finally received loans to go to Singapore and they diagnosed my illness and I was undergoing highly liver toxic antibiotic treatment during the entire 2017 and just now finally coming back to the sort of health where I can work effectively. Please tell Charles that Wadler is incorrect about the global canonicity of typeclasses. I will also add that I was critical of WAVES and at the time I thought “Russian scammers” were trying to sell FOMO hype to greater fools. Charles wants to be friends with everyone so presumably he didn’t like my abrasive public comments. But at the time I was trying to figure out how does one launch and finance a project in this industry when ICOs are really illegal but the “Russian scammers” can use jurisdictional arbitrage to get away with it, while we US citizens can’t compete without incriminating ourselves. Also my experience with trying to hire freelance coders from Eastern Europe and Russia had given me a bad impression. Also I was very ill at that time and suffering intensely every minute of every day and was trying to find a way out of the horrific hole I was stuck in, so I suppose I wasn’t in a very good mood. Anyway, since that time I've become more knowledgeable about various options and also met online more people from that side of the world where I’ve never visited. And I have also become bewildered at even the attitudes of developers in my own birth nation. The world has gone insane with social justice, democracy, and socialism nonsense. ← highly recommended to click that link and read! My impression is that Charles seems to subscribe philosophically in some degree to that madness about the anti-pattern named ‘governance’. And obviously so does Dan Larimer. I hope Charles reads this.

This is why I don’t understand why would it be necessary to create a post about the Ouroboros, but then quickly dismiss the topic by saying - “anyways honest-majority is bullshit” :slight_smile: I think a separate detailed post like “Viability of the honest majority assumption in PoS vs PoW consensus protocols” would be much more suitable and hella interesting.

I will edit my blog again to make it more clear that DFINITY and Ouroboros provably solve the specific aspect of the security and liveness of proof-of-stake within the Byzantine fault tolerance thresholds of the model. Then I will make it more clear that I’m making a separate point that the political-economic power vacuum problem is still not yet solved in any extant published system that I’m aware of. And I will continue my claim that until that political-economic power vacuum issue is resolved, I don’t believe these systems are viable for wide Internet deployment in use cases similar to the abject failure of Steem.

Loading...

My reading of Skycoin whitepapers Sky: an Opinion Dynamics Framework and Model for Consensus over P2P Network (WP1) and A Distributed Consensus Algorithm for Cryptocurrency Networks (WP2) certainly did not leave me an impression of its consensus system being a gem.

WP2's assumption (0.3.2 page 2) that node is somehow more than a procedural engine capable of generating fresh content.

Node is a content generator. The node is able to receive raw data (e.g. low-level, elementary events such as transactions) and produce an independent research that leads to a new opinion (e.g. block hash).

The entire analysis (in WP1) is done using mean field theory perhaps under the assumption that the mean behavior of the nodes fully defines the desired (and undesired) properties of the system. Unfortunately, it is the edge cases, not the mean behavior, that are the most critical to a system like this.

And even without using the analysis for all the edge cases, all the protocol can offer is a mere 13% failure tolerance.

Theoretic analysis and simulations both show that it can tolerant failures by at least 13% random nodes ...

Note that it is 13% of nodes not stake. Also note that the nodes are rather inexpensive to create (at a cost of approximately $70/hour per 10,000 nodes).

I could be wrong but I am completely missing the point or usefulness of this protocol.

Loading...

Congratulations @anonymint! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of comments received

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard!


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Chaum’s Elixxir

David Chaum is the original creator of decentralized Ecash (where double-spending would remove anonymity) and the concept of mixnets for anonymity.

Quick look at the brief white paper:

  1. It is only a token ledger, no smart contracts nor STEEM-like functionality.

  2. The so called “scaling strategy” doesn’t actually address scaling issue that every node in the system has to verify every block. Nor does it allow block to produced simultaneously. In short, it doesn’t scale to 100s of millions of transactions per second all over the globe.

  3. Elixxir employs innovative stateless hash-based signatures, but hash-based signatures do not scale with Moore’s law.

  4. Mixnets are inferior to Zerocash’s zk-SNARKs and zk-STARKs. Also it is technically incorrect to state that a single honest node can protect anonymity, because of correlating metadata, including for example the fact that a transaction will send more than one token in Elixxir providing potentially multiple blocks for the transaction to be deanonymized.

  5. The claim that Elixxir can’t be 51% attacked is myopic. It can still be 51% attacked at the holistic level because a 51% attacker can reorder transactions in a long-range attack which thus removes the transactions for the forfeited security deposits. Thus the claims of egalitarianism are not correct. Aggregation of the controlling resources can still put the system under centralized control.

Hey dude, have you covered Hashgraph at any length? If so, could you direct me where?