Fixpoint

2024-06-21

Blockchain kindergarten: why proof of work?

Filed under: Bitcoin, JWRD, Networks, Paidagogia, Software — Jacob Welsh @ 02:24

Some kid finally found his way to the dragon's lair; and bearing questions, no less.

Some days later he emerged, singed and somewhat incoherent but apparently having learned something. Wonder of wonders!

A good thing, too, because the dragon, while not particularly tired, was beginning to bore of running in circles over the same basic points. At least now that they're so well-trodden, perhaps you can learn something from them, too.

lru: bitcoin question... if there existed an alternative to proof-of-work that had all the features except the high cpu requirement, would you switch to it? why or why not?
jfw: lru, I don't think that question is really answerable as a vague hypothetical like that. you'd have to clarify at least what would make it a true alternative in your view
jfw: to answer exactly as posed, no, because the requirement of consuming some earthly resource in order to modify the chain is *the* feature of proof-of-work, something that didn't do that wouldn't be a replacement at all
jfw: thus, 'proof of stake' or any other such bitcoin-on-the-cheap scheme is, until proven otherwise, highly suspect because basically the author is saying they want it to be cheaper (for them, their masters or who knows) to tamper with

lru: jfw: interesting... so in my view, a true alternative would have all the security features as proof-of-work, so that there would be no tampering with the new system either.... I just don't see how CPU usage has to be involved for that security guarantee, yet
lru: the security guarantees should come from the protocol and the math, not who has the most powerful machine... if there should be a block every 10 minutes, then the protocol could say that a hash of time+blockchain_head = the target hash, and perhaps the wallet ID that most closely matches has the right to create the next block of the chain... the time, the blockchain_head, and the wallet IDs are all well-known
lru: can be easily computed, but not easily forged or tampered with, nor easily guessed, since the transactions within that 10 minute period are random
lru: using wallet IDs as the comparison may be the wrong pick... perhaps online node IDs are better, encouraging more nodes... but my point is that I suspect this is possible without proof-of-work

jfw: lru: what are these node/wallet IDs or how are they generated such that they're well known?
jfw: or more to the point, such that I can't just regenerate a new set that's more favorable to me for the known blocks and thereby rewrite the chain?
jfw: it's a "history books are written by the winners" problem, if you will; how's a newcomer to evaluate who was "in the right" at the time?

lru: jfw: my first idea, when thinking "wallet ID", was that all data to make the decision would be in the blockchain, and therefore unable to forge or manipulate in advance to get extra powers, so you'd have to have coin at some point in the past before you could participate in maintaining the blockchain... but you're right with the nodeID... there would need to be some record of service as a node to qualify
jfw: lru: that sounds like "we'll make it impossible to manipulate by assuming it's already impossible to manipulate", then
jfw: absent proof of work or similar, there is no "the blockchain" but an infinity of possible blockchains, all equally mathematically valid

jfw: although something to compensate nodes for their service of maintaining the history rather than just miners for their service of finding the next block could be an improvement

lru: jfw: ok, this is getting to the heart of the matter for me, which is good... what is it that makes proof of work special in this regard? if everyone can calculate easily who the next "winner" is based on the existing blockchain and some rules, how is that different than everyone being able to easily calculate that block "X" does indeed solve the current difficulty of the proof-of-work problem?
lru: my goal when switching to "Node ID" was dual purpose, in that I wanted to avoid the incentive to add spurious wallet IDs to the blockchain, and reward actual nodes... so that is still a problem to be solved, but if a "pure calculation" method resolves all the incentives properly, I don't see how proof-of-work is still better, yet.
lru: and then there's the whole "Hashgraph" idea (hedera.com) which I haven't wrapped my head around yet, but promises to solve the byzantine generals problem too

jfw: lru: ok, to clarify this a bit:
sourcerer: 2024-06-17 15:35:10 (#jwrd) jfw: absent proof of work or similar, there is no "the blockchain" but an infinity of possible blockchains, all equally mathematically valid
jfw: with PoW, there is technically also that same infinity of possible blockchains. the difference is that it costs money to discover them!

jfw: 'if everyone can calculate easily who the next "winner" is based on the existing blockchain and some rules' - but lacking an authority to say which is the "existing blockchain", they cannot come to an agreement. because everyone has their own blockchain based on their own (actual or preferred) view of events.
jfw: if it's an authority based on earthly force, you have yourself a state currency; while if it's based on proven computational power, you have bitcoin.(i)

jfw: http://trilema.com/2020/forum-logs-for-31-oct-2017/#2356179 is all that comes up re 'hashgraph', doesn't look like it found anyone serious to advocate for it in the forum
jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11795 - looking a bit into how these byzantine generals and their problems are used, it seems that Bitcoin solves the significantly more general problem; thus, while there can certainly be improvements made in the field of byzantine fault tolerant systems, these do not amount to an improved Bitcoin.
sourcerer: 2024-06-17 20:13:53 (#jwrd) lru: and then there's the whole "Hashgraph" idea (hedera.com) which I haven't wrapped my head around yet, but promises to solve the byzantine generals problem too

jfw: I also looked briefly into that hedera/hashgraph thing since indeed it's not the first time I hear of it; one could dissect it from the technical side and notice the total lack of consideration for the Sybil attack; on the other hand, this bit from the governance side says it all, really, on their idea of decentralization:

Second, the hashgraph technology makes it possible for the Hedera Council to specify the software changes to be made to network nodes, precisely when those changes are to be adopted, and to confirm that they have been adopted. When the Hedera Council releases a software update, network nodes will have their software automatically updated at exactly the same moment. Any node with invalid software (i.e., one that didn't install the software update) will no longer be able to modify the ledger or have the world accept their version of the ledger as legitimate.

jfw: replace "Hedera Council" with "Federal Open Market Committee" as you see fit.
jfw: lru: did you ever try running a btc node, by the way?
jfw: oh this shit is just too good, "Hedera will make the code publicly available for anyone to review it (at Version 1.0), while ensuring stability by using hashgraph software patents defensively to prevent forks."
jfw: so not only is it a closed network where only the anointed ones may operate nodes, but don't even think of running your own version of the network because they'll sue you. defensively.
jfw: pretty clear now why they didn't want in to bitcoin's web of trust; which is why that's such a darn good heuristic just by itself.

lru: jfw: lol, good find... suing defensively indeed, thanks
lru: I have not run a btc node yet... I once tried to run a monero node, as my hardware is slow and small, and the monero blockchain was smaller at the time. I'm encouraged to read, on your blog and elsewhere, that a 1T drive and a 4G RAM machine is enough to handle a full BTC node
lru: the largest disks I have are about 500G
lru: if I really want to just get a feel for it, I suppose I can run my own mini-multi-node btc network from the start
lru: start mining my own at block 1 :-)
lru: jfw: thanks for http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11798 - I certainly don't want to base it on earthly force, but math... same as PoW, but more efficient. I'm starting to think I need to write a blog post and hope someone carefully critiques it
sourcerer: 2024-06-17 21:39:47 (#jwrd) jfw: with PoW, there is technically also that same infinity of possible blockchains. the difference is that it costs money to discover them!

lru: jfw: your kind responses have inspired me to finally put this in document form, assembled from my notes over the years, thank you... if you have time and interest, I'd be grateful for any points and criticisms I may have overlooked. http://digon.foursquare.net/bitcoin/TaC.html(ii)

jfw: even 4G RAM is likely overkill after my last round of work but yeah the storage is what it is
jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11816 - actually that'd be an idea for testing out the mining code in the reference implementation since afaik nobody's touched it in a good decade. you'd just need to remove the builtin checkpoint at block 195000(iii)
sourcerer: 2024-06-19 04:25:06 (#jwrd) lru: start mining my own at block 1 :-)

jfw: lru: you're welcome, but it seems unlikely I'll be swayed by your proposal if you haven't yet appreciated the problem that PoW solves
jfw: why do you care about this sort of "inefficiency" anyway, how is it a problem for you?

lru: jfw: that's what I'm trying to do... appreciate, or even understand the problem that PoW solves... it's been a problem for me ever since the beginning, and made the system and design seem wrong to me, but in a way that I couldn't fully explain... I haven't participated in nor trusted bitcoin because of it. Sure, I've lost out in untold millions, probably... I was technical enough to be a miner at the beginning.
lru: but I didn't want to sink my time, effort, or finances into a system that did not make sense... many aspects made amazing sense, but PoW did not

lru: it also puzzles me why bitcoin fans seem married to PoW to such an extent that they *like* it... it is almost a cherished aspect of the system, to be able to burn megawatts of power on a digital racetrack... I do appreciate that there have been many crooks who have wanted to undermine bitcoin's security, anonymity, and sovereignty by trying to suggest alternatives to PoW, and maybe bitcoiners have been burned so often, their ears have grown deaf to any alternatives... I do not want to weaken bitcoin.
lru: if anyone manages to poke a hole in my theories, I will thank them and abandon that version of the idea... but I am not yet convinced that PoW is the only way to solve the problems it solves
lru: which is why I come to irc channels like this instead of the main bitcoin development lists, but maybe I'm mistaken

lru: I found it very interesting to find on your blogs (yours and dorion's I think) the idea that miners will someday defect and kick start a new round of bitcoin
lru: that sounds to me like a giant sign that PoW is a liability that needs to be fixed someday
lru: bitcoin-without-PoW or bitcoin 2.0, will likely have to start as a brand new coin, to avoid the problems of hardforking... if you are right, then this defection is an opportunity that I should be working on now
lru: anyway, at least I have a document to share with anyone who wishes to read it

lru: I very much like what I've read on your blogs, how the Intel Management system has inadvertently put downward pressure on hardware requirements, so that bitcoin can run on old, slower, smaller, hardware... that is a precious feature, and something that PoW is completely against... if the world goes to hell in a handbasket like many predict, that low-resource nature of bitcoin, combined with a low-resource form of "anti-mining" (for lack of a better word) could be a very useful thing

jfw: lru: is the objection coming from an environmentalist standpoint, like consuming energy is bad per se because it's hurting mother earth or something?
jfw: do physical racetracks seem wasteful to you, too?
jfw: anyways, if you say it just seems wrong and you can't say why, I don't have to pursue the point

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11827 - not like anyone has an unchosen responsibility to fix your head; but I can keep poking if it's helpful
sourcerer: 2024-06-19 20:04:46 (#jwrd) lru: it also puzzles me why bitcoin fans seem married to PoW to such an extent that they *like* it... it is almost a cherished aspect of the system, to be able to burn megawatts of power on a digital racetrack... I do appreciate that there have been many crooks who have wanted to undermine bitcoin's security, anonymity, and sovereignty by trying to suggest alternatives

jfw: http://dorion-mode.com/2023/04/the-ownership-of-bitcoin-custody-transactions-and-dispute-resolution/#footnote_17_1621 is one place the miner defection point came up; hard to say how far off that is but seems like a while yet.
jfw: so the grail you seek is a way to secure the chain without having to pay for it. sounds rather like the perpetuum mobile to me, though I can't as yet disprove the possibility. perhaps we haven't yet invented the calculus to come up with notions like conservation of energy.

jfw: "so that bitcoin can run on old, slower, smaller, hardware... that is a precious feature, and something that PoW is completely against" - um, you do realize that nobody is CPU mining anymore?
jfw: but generally the only security that miners give two shits about is their own physical capital; the need to trust the hardware is mostly a concern for those running nodes, holding & transacting coin

jfw: now as to your 'time and chain', if I'm following, it sounds like it comes down to mostly... proof of IP address, of all things.
jfw: which rather makes me suspect you don't know much about how IP addresses work, lolz. but for starters consider that it favors spammers & botnets that are good at dodging such obstacles, plus large ISPs or other institutions that control large blocks, and inconveniences everyone else
jfw: moreover, you don't even seriously consider how to prove it, but handwave it as an afterthought
jfw: to try to get a little closer to the root of it: do you know what the sybil attack is?

jfw: also we don't have to get into it now but ftr I can't let this political point slide: dorion & I don't recognize any such "main development lists" as legitimate, it's all been quite hijacked by softforkers of various descriptions.
sourcerer: 2024-06-19 20:08:22 (#jwrd) lru: which is why I come to irc channels like this instead of the main bitcoin development lists, but maybe I'm mistaken

lru: physical racetracks are wasteful, yes, but I at least see the point to them, and don't object, and often enjoy them... PoW on the other hand, spends a lot of energy, but doesn't *do* anything... I mean, yes, it solves the problems right now, but is not viewed as a problem of its own(iv)

lru: regarding sybil attack, yes, I was thinking about them under a different name... let's take a university with a giant IP address space... at least that "attack" places a full node on all those IP addresses... what does PoW give us in a similar practical vein?
lru: I'm of course not married to IP addresses... if I can figure out a proof of node knowledge instead, that might be better

lru: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11843 << "without having to pay for it" sounds like mockery, and it would be well placed if PoW actually paid for anything, but I don't believe it does... I believe there exists a formula X that achieves all the security that PoW does, without the empty repeated calculations... ideally, with as few calculations as possible
sourcerer: 2024-06-19 22:37:58 (#jwrd) jfw: so the grail you seek is a way to secure the chain without having to pay for it. sounds rather like the perpetuum mobile to me, though I can't as yet disprove the possibility. perhaps we haven't yet invented the calculus to come up with notions like conservation of energy.
lru: and you may be right that the calculus doesn't yet exist

lru: regarding "main development lists", I was gathering that... I assume you run a full node yourself, and use your own bitcoind, and a number of others use the same bitcoind? I'm slightly impressed that all these different bitcoinds are still working together, even after all the attacks.
lru: the potential unravelling of bc3 and sigwig (sp?) addresses in the future made for some fascinating reading
lru: anyways, thanks for the pokes :-)
lru: time to think about non-IP ways of identifying full, functioning nodes

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11852 - they both do the same thing: tell you who wins!
sourcerer: 2024-06-20 00:31:08 (#jwrd) lru: physical racetracks are wasteful, yes, but I at least see the point to them, and don't object, and often enjoy them... PoW on the other hand, spends a lot of energy, but doesn't *do* anything... I mean, yes, it solves the problems right now, but is not viewed as a problem of its own

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11855 - mockery not intended, it seems exactly what you're looking for, "as few calculations as possible" even; perhaps it sounds to you less virtuous in those terms, dunno. coin holders pay miners via inflation and transaction fees. what they get for that could be debated but the payment is clear
sourcerer: 2024-06-20 00:38:50 (#jwrd) lru: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11843 << "without having to pay for it" sounds like mockery, and it would be well placed if PoW actually paid for anything, but I don't believe it does... I believe there exists a formula X that achieves all the security that PoW does, without the empty repeated calculations... ideally, with as few calculations as possi
jfw: what they get for it in theory, which you don't seem to grasp, is that an attacker will have to expend even more real value, and increasingly so over time. that's the only security there can ever really be: economic.(v)

jfw: it's like having a gold vault, "what use are all these armed guards I'm paying for? all they do is sit around"

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11860 - segwit, but sigwig is a pretty great misspelling.
sourcerer: 2024-06-20 00:43:12 (#jwrd) lru: the potential unravelling of bc3 and sigwig (sp?) addresses in the future made for some fascinating reading

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11853 - so they put all the IPs on one box. costs ~nothing. and costs the same ~nothing to hold onto the IPs as long as they like, eternal king of the network that you've handed them. hashes on the other hand cost something to produce, every single time.
sourcerer: 2024-06-20 00:32:27 (#jwrd) lru: regarding sybil attack, yes, I was thinking about them under a different name... let's take a university with a giant IP address space... at least that "attack" places a full node on all those IP addresses... what does PoW give us in a similar practical vein?

jfw: and I'll annoyingly predict that any other 'node ID' scheme you come up with will fail in the same way - it will be cheap at least for certain players to print all the IDs they want. because that's what you're optimizing for. or else they're not cheap, in which case you're just reinventing some more complicated PoW.

lru: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11867 << that could be that I'm missing something there, but I view the security of the blockchain itself, that is, all those chained sha256 checksums, as providing that security... each block added increases the security of the chain. I never viewed the PoW as adding much security to that chain, because the security of the sha256 checksum itself is already so high
sourcerer: 2024-06-20 01:07:28 (#jwrd) jfw: what they get for it in theory, which you don't seem to grasp, is that an attacker will have to expend even more real value, and increasingly so over time. that's the only security there can ever really be: economic.
jfw: ever done a "git rebase"? you make your change at whatever depth and then just recompute all the checksums, what
lru: true, and if the university sybil attack could guarantee a large enough match field, they could rebase the blockchain regularly... similar to the 51% attack I suppose... my goal was to have the forward pointing decisions spread out randomly, and sybil defeats that if it's high enough

jfw: what's a "forward pointing decision" I wonder?
lru: it's how I want to use the blockchain itself, plus current time, to decide the winner... nothing outside the blockchain except the timestamp is used, limiting attacks. If Node A won at blockchain block #5000, he will always win at #5000, because the history itself determines it
lru: each new block should scatter the winner randomly through the blockchain history
lru: I originally thought wallet ID, but trying to limit it to useful nodes to kill two birds with one stone

jfw: unless owner of node A also owns node B (or bribes its owner) which won at block 5000-N, who tweaks the hash until A is the winner of 5000 in the revised history.

lru: sure, but then they would be duplicating a PoW attack within the 10 minute window, but instead of matching a minimum set of bits, they need to match the maximum set of bits for Node A to win
jfw: only more bits than anyone else. which won't be hard since you suppose nobody else is 'mining'.
jfw: and they're not constrained to 10 minutes to do it, if they miss the deadline they'll simply switch to targeting 5001, it's a series of random guesses so there's no "progress" lost

lru: doesn't your idea of attack call into question the security of sha256 itself though?
lru: if 5001 is the new base, any progress made in 5000 is lost
lru: although it's all shooting in the dark, you're right, but the target in the dark does keep moving

jfw: mno, you don't make "progress" buying lottery tickets. and no it doesn't require reversing sha.
jfw: I have to sign off but maybe give it a reread and some more mulling
jfw: should be back tomorrow
lru: thanks for the pokes! :-)
jfw: ah, I'd just suggest, do try thinking more from the attacker's perspective, it's essential in cryptography.
jfw: or I suppose in any other game, for that matter.

lru: http://trilema.com/2014/the-woes-of-altcoin-or-why-there-is-no-such-thing-as-cryptocurrencies/#comment-155626
lru: http://trilema.com/2014/the-woes-of-altcoin-or-why-there-is-no-such-thing-as-cryptocurrencies/#comment-155630
lru: Wish I could ask why
lru: ntp is one of the basic services I install on servers, about as basic as wget or ls, so to me that's a surprise

jfw: he's not talking about the size or availability of the code or something like that. what is the topology of ntp, the protocol? otherwise put, what does it do?
jfw: (iirc it was discussed a bunch in the logs too in the earlier days, partly in context of the desire for fully-hands-free nodes using the Pogo and such, which never materialized)

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11882 - I see I overcomplicated things here to emphasize the sybil point. if the claim is that the winner of block N will always be its winner because history says so, it's readily contradicted: the winner of block N-1 can put out any number of different versions of his block, favoring who he pleases to win the next; the cost is low because no PoW is required. Then it extends to the winner of an older block too, by adding a linear amount of 'mining' work per block to ensure they win each step. the guesses required are on the order of the number of live node IDs, so no terahashes required.
sourcerer: 2024-06-20 01:52:20 (#jwrd) jfw: unless owner of node A also owns node B (or bribes its owner) which won at block 5000-N, who tweaks the hash until A is the winner of 5000 in the revised history.
jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11788 <<<<<<<
sourcerer: 2024-06-16 17:19:06 (#jwrd) jfw: it's a "history books are written by the winners" problem, if you will; how's a newcomer to evaluate who was "in the right" at the time?

lru: ok, so a new idea has emerged for me given that response: one could almost say that bitcoin uses PoW to soak up all possible CPU resources for its own security, as opposed to the non-PoW mechanism which leaves everyone's CPUs free to invent a possible attack (slightly tongue in cheek analysis, but still interesting idea) :-)
lru: there *is* supposed to be a time limit in TaC, but perhaps 10 minutes is not enough of a challenge anymore to prevent creating blocks that favour your friends

lru: jfw: re ntp: what does it do? it synchronizes time across a network of machines... if trust is a concern, you run your own NTP server on your own private network, with your own clock source
lru: I don't believe that time needs to be millisecond precise for something like TaC, but having the network agree on the current time, within a few 10s of seconds, seems to be a small ask to me

lru: jfw: I'm understanding your history books winner problem now, and added the attack to my TaC document, thanks!(vi)

jfw: NTP operates as a star topology, receiving the time from a trusted central authority, traditionally the USG. kinda the opposite of p2p. and if you say each node can be his own time source, then great but NTP is no longer relevant to your protocol and you can't assume agreement on the current time across the public network.

jfw: http://jfxpt.com/2024/jwrd-logs-for-Jun-2024/#11908 - sounds like a somewhat confused formulation but getting warmer perhaps.
sourcerer: 2024-06-20 22:36:16 (#jwrd) lru: ok, so a new idea has emerged for me given that response: one could almost say that bitcoin uses PoW to soak up all possible CPU resources for its own security, as opposed to the non-PoW mechanism which leaves everyone's CPUs free to invent a possible attack (slightly tongue in cheek analysis, but still interesting idea) :-)
jfw: I mean, it's not "all possible cpu", and cpus aren't likely to be inventing anything, current "AI" buzz notwithstanding

lru: PoW is almost a misnomer, when I think about it now... a better name might be proof of power, because there is a time element involved, even in PoW
lru: if I use the terms as physics uses them
lru: as for my tongue-in-cheek analysis, yes, I realize not all cpu, or even fpgas :-)

jfw: the term seems fine to me, it proves execution of a certain expected number of hashes, no time component. power then would be the rate at which you can solve blocks.
lru: right, but given how PoW works, the required power increases over time, as more computing power comes online, thereby guaranteeing time without a clock

jfw: I really can't tell what you're saying now. maybe stop thinking in terms of "almost"s, lol. would you like to earn almost-money so you can put almost-food on the table in your almost-house?
lru: lol
lru: yeah, I hadn't realized all the problems of determining time and history, and so I couldn't fully appreciate what PoW was doing... but now I see a glimmer of it.
lru: since I'm seeing a glimmer of it, I'm not surprised you're having trouble understanding what I'm saying just yet :-) this is more of a thank you for the pokes as I'm learning
jfw: cheers then.

  1. Not that central banking is the only alternative, to be sure; you can have private bank notes, shop scrip, game currencies, etc. The better the authority, the less it's going to smell like Monopoly money.
  2. Check it out, a few days of talking beats years of spinning. Of course, that site is a ways from being a proper blog, but one thing at a time, right? It's titled "TaC - Time and Chain alternative to Proof-of-Work".
  3. whaack, cruciform, jwm, sstacks, anybody? Bueller?
  4. Bitcoin did create new problems; just not, I think, the ones he would prefer.
  5. There's a Trilema ref I'm missing or possibly butchering here; all that's coming to mind is the "fine print", that money still gotta be backed by cool.
  6. The next step, I suspect, will be a fresh layer of wallpaper to cover the gaping hole it left in the wall. But who knows.
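An added toy model, not part of the log above nor of lru's TaC document, of the point jfw makes about history-determined winners: if the next block's producer is chosen by a deterministic rule over the chain head (here, "node ID hash closest to the hash of the previous block"), whoever produced the previous block can re-roll any free field in it until the rule selects him again, at a cost of about one hash per live node ID; under proof of work the same rewrite costs an expected 2^difficulty hashes per block. The node IDs, the closest-ID selection rule and the `nonce` stand-in for producer-controlled block content are all constructed assumptions.

```python
"""Toy comparison: 'closest ID wins' block selection vs. proof of work."""
import hashlib
from typing import Sequence, Tuple


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed node IDs; in the proposed scheme these would be wallet or node IDs.
NODE_IDS = [b"node-%d" % i for i in range(8)]
ATTACKER = NODE_IDS[3]
GENESIS = h(b"constructed genesis block")


def block_hash(prev_hash: bytes, producer: bytes, nonce: int) -> bytes:
    """Hash of a block. `nonce` stands in for any producer-controlled field
    (transaction selection or order, coinbase text, timestamp within the window)."""
    return h(prev_hash + producer + nonce.to_bytes(8, "big"))


def select_winner(prev_hash: bytes, node_ids: Sequence[bytes]) -> bytes:
    """Assumed selection rule: the node whose ID hash is closest (XOR distance)
    to the hash of the chain head earns the right to produce the next block.
    Everything here is public, so everyone computes the same winner."""
    target = int.from_bytes(h(prev_hash), "big")
    return min(node_ids, key=lambda nid: int.from_bytes(h(nid), "big") ^ target)


def rig_next_winner(prev_hash: bytes, attacker: bytes, node_ids: Sequence[bytes],
                    max_tries: int = 10_000) -> Tuple[int, int]:
    """The producer of block N re-rolls its free field until the rule picks him
    for block N+1. Each try is one hash; expected tries = number of node IDs.
    Returns (nonce, tries)."""
    for nonce in range(max_tries):
        if select_winner(block_hash(prev_hash, attacker, nonce), node_ids) == attacker:
            return nonce, nonce + 1
    raise RuntimeError("no rigging nonce found")


def mine_pow(prev_hash: bytes, producer: bytes, difficulty_bits: int,
             max_tries: int = 1 << 24) -> Tuple[int, int]:
    """Proof of work: find a nonce whose block hash has `difficulty_bits`
    leading zero bits. Expected cost is 2**difficulty_bits hashes, and a
    rewrite must pay that again for every block being replaced."""
    limit = 1 << (256 - difficulty_bits)
    for nonce in range(max_tries):
        if int.from_bytes(block_hash(prev_hash, producer, nonce), "big") < limit:
            return nonce, nonce + 1
    raise RuntimeError("no PoW nonce found")


def average_rig_tries(node_ids: Sequence[bytes], attacker: bytes,
                      trials: int = 300) -> float:
    """Average hashes needed to rig the next winner, over constructed chain heads."""
    total = 0
    for t in range(trials):
        total += rig_next_winner(h(b"trial-%d" % t), attacker, node_ids)[1]
    return total / trials


if __name__ == "__main__":
    honest = select_winner(GENESIS, NODE_IDS)
    nonce, tries = rig_next_winner(GENESIS, ATTACKER, NODE_IDS)
    print("honest winner after genesis:", honest)
    print("attacker rigged himself in with nonce", nonce, "after", tries, "hashes")
    print("average hashes to rig a block:", average_rig_tries(NODE_IDS, ATTACKER))
    _, pow_tries = mine_pow(GENESIS, ATTACKER, 16)
    print("hashes to produce one 16-bit PoW block:", pow_tries)
```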


Powered by MP-WP. Copyright Jacob Welsh.