16 October 2019
20:15
Zack
I guess as long as the settlement period is slow enough, we can use a hard fork to recover. The same way that we would if someone was trying to force an Oracle outcome.
23:03
Deleted Account
Crypto market sucks.
23:04
How are you expecting your project to survive it, Zack? Good that you have low overhead, I guess.
23:42
Zack
Since our overhead is practically zero, and I am so obsessed with the potential of futarchy, and I don't have any other obligations that would prevent me from working on this, I think that Amoveo will survive at least as long as I do.

Most of us are hoping for more than just survival. We want Amoveo to get popular.
23:44
Deleted Account
Well what you summarize here ^^ already puts this project ahead of most others
23:45
Have you taken a closer look at vega? Beyond your argument that tendermint/POS don't work?
17 October 2019
00:02
Zack
Some issues I see with vega:
* dependence on PoS through Tendermint, as you said.
* it is a subcurrency based protocol, which is contradictory with scalability goals. It would be much better if they used derivatives instead.
* The market mechanism is on-chain, which means they will be unable to prevent front-running of traders. https://youtu.be/mAtD0ba-hXU
* the market mechanism is on-chain, which prevents scalability.
* they have margin calls being executed on-chain. It seems impossible to prevent an attacker from mining a block and censoring certain txs to cause margin calls to get executed.
00:33
[Riki]
In reply to this message
Go make shoes
00:33
Shoechain
00:33
Split was done in over a year ago
00:34
U r boring with the split topic
00:35
And u are the minority obviously because the split was NOT adopted
00:36
Lmao
00:37
It was adopted by the first VEO exchange
00:37
And all pools
00:37
And veo pages
00:39
It was deemed pointless and irrelevant
00:40
plebs spoke the same way in 2012 when btc was double-digit $
00:40
Same for berkshire
00:40
Buying 1x10k veo or 10kx1 veo is the same
00:40
Just fix your perception
00:42
Deleted Account
In reply to this message
You can apply the exact same logic to 1 BTC.
00:43
Yet mBTC or sats never saw mainstream adoption as "the standard unit".
01:05
Ben
Did anyone successfully deposit to gj.com?
01:25
Mr Flintstone
I doubt deposits or withdrawals are working given how much higher the price is there
01:41
Instinct
In reply to this message
Mine worked eventually after contacting admin, judging by their telegram most people have issues with deposits & withdrawals
02:36
Deleted Account
In reply to this message
What do you make of Pantera investing in this? Doesn't this overlap with Augur?
02:38
Zack
I can comment about technology.
I am not knowledgeable about Pantera.
05:19
K
In reply to this message
Don't know how well this is in actuality. DASH exploded about as much as ETH even though it had x10 less supply
05:20
The only people who don't invest because of supplies are noobs who in general don't have the big money anyways.
18 October 2019
Deleted invited Deleted Account
Deleted invited Deleted Account
19 October 2019
nani invited nani
17:13
Asindu
👍👍
17:15
Thank you very much Zack
17:17
2 questions.

1. How do we prevent parasites?
2. What's the best mechanism for having trustless oracles?
17:50
Enri Topciu
Why is there a password prompt when you want to send VEO?
18:53
Denis Voskvitsov
In reply to this message
what wallet app are you using?
19:27
Enri Topciu
I’m using amoveo wallet for iOS
19:27
I wanted to transfer some veo to other wallet
19:27
It says enter password
19:54
Denis Voskvitsov
In reply to this message
ok
it does that to ensure you're the wallet's owner

did you set the password when you created the wallet?
20:09
Enri Topciu
I have the login password
20:09
But I’m not sure about other password
20:10
Denis Voskvitsov
I guess it's the same password. have you tried it on sending?
20:10
btw, wallet app discussions can be moved to our group @amoveo_wallet
21:46
Zack
In reply to this message
Parasites only happen in blockchain designs where someone needs to extract rents from users to maintain security.
For example, in Augur the Rep holders need to collect trading fees in order for Augur to be secure. So if you make bets using Augur and do not pay these fees, that is a parasite contract.

In Amoveo there is no one who is collecting rents from the users, so we don't have the problem of parasite contracts.

2) here is documentation of amoveo's oracle design https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/oracle.md
23:12
Jon Snow
In reply to this message
Btw, in Augur v2, I think they removed the trading fee entirely
23:28
Zack
In reply to this message
So what is the motivation to hold Rep?
23:31
https://www.augur.net/blog/augur-v2/
in the section titled "REP Price Auction"
first sentence: "Adjusting fees paid to reporters by traders is one of the main mechanisms that keeps Augur secure."
23:31
Jon Snow
In reply to this message
I think they bet that REP value comes from disputing
23:33
Zack
This documentation clearly says that Rep holders are paid trading fees in augur v2.
JS
23:33
Jon Snow
In reply to this message
So no fee paid to REP holder anymore in V2
23:35
REP used in reporting and disputing in V1 Augur awards reporting fees. While this seems logical enough, the volume of REP staked works out such that any fees gained this way are less than the additional gas cost of tracking them in the majority of cases. In order to spare REP holders this cost and to simplify the code, both reporting and disputing in V2 will simply not award reporting fees. The 40% ROI from disputing is considered more than enough of an incentive to encourage disputing
23:35
From the link
23:36
Zack
That section is talking about reporting-fees.
reporting fees are different from trading fees.
23:38
trading fees are paid when people buy and sell derivatives contracts in the markets.
reporting fees are fees paid during the oracle resolution process.
23:40
Jon Snow
Trading fee is paid to the market creator I think, not the REP holder
23:40
Zack
in Augur part of the fee goes to the market creator, and part goes to the rep holders.
23:41
In Amoveo you can bet on oracles that have not yet been created on-chain. So it is free to make new oracles.
So we don't have to pay a fee to the market creator.

And there are no reporters or Rep in Amoveo, so we don't have to pay fees to rep holders.

This is why Amoveo doesn't have any vulnerability to parasite contracts.
20 October 2019
02:01
Jon Snow
In reply to this message
This innovation is actually pretty cool and very useful
02:13
mr x
+1
Deleted invited Deleted Account
21 October 2019
02:44
Asindu
In reply to this message
Thanks for the response.

As for the case of Chainlink, what incentive do oracles have to exist at all? If they are not paid?
03:09
Mr Flintstone
In reply to this message
you use an oracle if you need to enforce the payout of some contract and the other party isn’t cooperating to settle it
03:10
Zack
I think chainlink voters are paid.
03:29
Zack
How about we use futarchy to organize protests.
It seems like on some level, when protests are happening it is like a battle of consensus mechanism.
Governments target leaders and decision makers to stop a protest from succeeding. If futarchy is used to make decisions, there would be no leadership to target.
04:19
ALGO
There is a very large protest happening in Lebanon
04:19
Denis Voskvitsov
also Chile
04:19
Zack
Probably there is always a protest somewhere. There are like 7 billion people now
05:03
Zack
Oftentimes protests become destructive in ways that are not helpful to achieving their goals.
Sometimes this happens because people who oppose the protest will cause damage and blame the protesters.

If protesters could use futarchy to organize themselves, then they would be less likely to be tricked into destroying things. And they will be able to show which events they are or are not responsible for.
17:04
Zack
If you base your strategy off of the fake news, you will have a bad time.
To find out what actions will help achieve your goals, it is better to use futarchy instead of listening to the fake news.
17:06
Futarchy could help us find out how to more effectively direct our money and research towards coming up with better medical treatment for aids.
17:15
A K
Only small missing step is how do ppl replace theRealDonald with futarchy
17:15
Imagine he won't be amused
17:16
Zack
futarchy isn't entertainment. It wont replace any media personalities or TV shows.
20:29
Jon Snow
In reply to this message
AGREED! How come this AIDS curing coin still not go to the moon!
21:17
SSDD
In reply to this message
Following up your discussion there's a poll on twitter just exactly on this topic btw

https://twitter.com/stp4018/status/1185202888857010181
21:21
Jon Snow
In reply to this message
In Amoveo land, we don't believe in voting
21:43
Zack
is Amoveo the only anti-democracy blockchain?
The only person who I hear hating on voting as much as we do is Vitalik.
22:16
ALGO
In reply to this message
I believe you can pose this as an Oracle question using the Amoveo wallet interface
22:16
That should give you an answer :)
22:25
Zack
I'm pretty sure it would answer "bad question"
22:25
haha
22:33
Živojin Mirić
In reply to this message
But Futarchy would implode on that question
22:33
Don't play with it!!!
22:34
How can you vote on something that's dead?
22:36
Zack
https://youtu.be/higdjijPP1s I made a video about futarchy
22 October 2019
00:52
Zack
Potential issue with sortition chains.
What if a mining pool operator specifically tries to own 1/2 of the money in a sortition chain.
If they owned that portion, it would maximize the effectiveness of manipulating the RNG to win the lottery.

If they had h% of hashpower, I think they could increase their odds of winning the sortition chain by (h/2)%, if we use our current RNG design.
00:56
but they have to give up a block reward to do it.
00:57
[Riki]
In reply to this message
00:58
Zack
I wonder what the solution is.
Should each block have only a fraction of a bit of entropy? is that even possible?
00:59
Živojin Mirić
Yes
01:01
Zack
oh, I think if you have 3/4 chance of a 0, and only 1/4 chance of a 1, then it is producing entropy more slowly
01:04
if the odds are 1/4 for 1 and 3/4 for 0, then a reroll on average is only going to switch the bit 3/8ths of the time instead of 1/2 of the time.

So it is producing 3/4ths of a bit of entropy per block, I think
01:05
if it takes us 2 days to make 260 bits, then that means we can't have a sortition chain shorter than 2 days.
I guess that doesn't matter. I doubt anyone wants such a short term sortition chain.
01:09
I guess we should produce 0 like 99% of the blocks, and only make a 1 like 1% of them.
then a mining pool with h% of hashpower would only have h/100% higher odds of winning the sortition chain.
01:10
Živojin Mirić
I find this interesting
01:10
In reply to this message
Fundamentally WRONG!
01:10
No time to explain bye
01:43
Zack
for many applications our random number generator does not need 256 bits of entropy.

Every bit of entropy that we use for a sortition chain is like 1 bit of specifying satoshi decimals.

a bitcoin can be divided into 100,000,000 parts.
That is about the same as if we had log2(10^8) = 26 bits of entropy.
01:48
26*100 is only 20 days of blocks.
02:27
Zack
if we select 0 99% of the time, and select 1 only 1% of the time, this only gives us an improvement of about 4x.

Because the last 100 blocks before our random sample, 25% of the time exactly 1 pool will get exactly one 1 in those 100 blocks, and the other 99 are all 0s.
So that pool is able to remine that block with very high probability.
02:56
Zack
How about if the final 100 blocks until we sample are all zeros, then don't finish generating entropy until we find our next 1.
02:56
I think we can simplify a lot of other stuff, as long as we don't know when the entropy will get sampled.
We can have 50-50 odds for each bit, and only sample the entropy if the unlikely event that (hash(header) % 100) == 0. So on average we need to wait 100 blocks past the expiration date.
03:00
oh, I think this doesn't work either.
whoever finds the block such that (hash(header) % 100) == 0, they can choose not to publish that block to make a reroll.
Nikita Voloshenko invited Nikita Voloshenko
04:01
Živojin Mirić
In reply to this message
Is the Louboutin shoe reseller the winner?
04:06
Zack
if X1 is the odds of getting a 1 on your first try on the last block before the random sample, and X2 is the block before, and X3 is the block before that...
I think the relationship isn't exponential decay, it is like this:
XN = (1 -sqrt(1 - (4*X(N-1)*X(N-1)/X1))) / (2*X(N-1)/X1)
04:13
Živojin Mirić
In reply to this message
I'm gonna run this in wolfram alpha and then call you back
04:13
Zack
here are the steps I used to calculate it.
X1 = 1/99

X2 = X1/(1-X1) = (1/99) /(98/99) = 1/98

X3 = X1/(1-X1-X2) = (1/99) / (1-(1/99)-(1/98)) = 98/9505

XN = X1/(1-sum(1, N, XN))

X1/XN = 1-sum(1, N, XN)

sum(1, N, XN) = 1-(X1/XN)

XN = sum(1, N, XN) - sum(1, N-1, XN) = 1-(X1/XN) - (1-(X1/X(N-1)))
= (X1/X(N-1)) - (X1/XN)
= X1(XN - X(N-1))/(XN * X(N-1))

XN*XN*X(N-1) = X1*XN - X1*X(N-1)
XN*XN*X(N-1)/X1 = XN - X(N-1)
XN*XN*X(N-1)/X1 - XN + X(N-1) = 0

XN = (1 -sqrt(1 - (4*X(N-1)*X(N-1)/X1))) / (2*X(N-1)/X1)
X(N+1) = (1 -sqrt(1 - (4*XN*XN/X1))) / (2*XN/X1)
04:15
Šea
In reply to this message
Ok
04:27
Zack
can anyone rewrite that recurrence relation in closed form?
04:27
is it possible?
04:53
Zack
its hard. I even watched a video on solving recurrence relations.
04:54
Živojin Mirić
OMFG
05:07
maybe if I don't neglect the higher order terms it will come out nicer.
05:10
Šea
In reply to this message
Haha you're lurking here with your 2nd account?
05:12
I thought you were referring to Zack's last messages.. Then I realized it's even worse. You heard about that archive software case and immediately entered the Veo chat to write it here 😂
05:12
You seem to have such an interesting life sir
05:13
Zack
when I include the higher order terms, it became the harmonic series.
05:15
Šea
Impressed
05:15
Zack
1/99, 1/98, 1/97...
X(1) = 1/99
N<99: X(N) = 1/(100 - N)
N>98: X(N) = 1/2
X3 = X1/(1-X1-X2 + (X1 * X2)) = (1/99) / (1-(1/99)-(1/98)+((1/99) * (1/98)) = 1/97
05:21
so this means if we use N blocks of time to gather entropy, we can decrease the influence of a reroll down to 1/Nth as much as normal.
05:23
so if a sortition chain has 1000 veo in it, and the block reward is 0.1 veo, then we would need about 10k blocks to build up enough entropy.
05:24
if we had 100 sortition chains each with 10 veo, then we only need 100 blocks to build up enough entropy.
05:25
Živojin Mirić
In reply to this message
Futarchy is GOD
05:25
You don't understand, it's orders of magnitude above your capabilities of comprehension
05:25
You will see but it will be too late for redemption
05:26
How can I put it simply... You are just too stupid
05:26
No other way to say it
05:27
Like an African tribe in front of a superior übermensch
05:27
What is there to explain
05:27
Futarchy brain is like god
05:27
Zack
There are smart people in Africa. There are smart people everywhere.
05:27
Živojin Mirić
In reply to this message
I agree
05:28
But not smarter individually than futarchy itself
05:28
Because no one is
05:28
It's naive...
05:28
I am talking about tribes that did not evolve farther than ancient tech
05:28
Africa is not important
05:29
In reply to this message
Your presumption is fundamentaly wrong
05:29
Nothing to argue
05:30
When you see it you will be free
05:30
Futarchy will set you free
05:30
Zack
I think it is pretty cool to find this relationship between the size of the block reward and the amount of money we can put in a sortition chain.
05:30
Živojin Mirić
It's beyond cool
05:31
"Cool" is not doing it justice
05:31
I can't wait when 200 years pass
05:32
Everything will be clear
05:32
Poems will be written
05:32
Ok
05:32
@Tandrax2188 you see
05:32
Zack
the new module for consensus RNG is going to be a lot more complicated.
I think we need to make the entire header hashes available to Chalang.
Because depending on the block height that a sortition chain expires at, it will read different entropy from the same blocks.
05:33
Živojin Mirić
I am at rest because mechanisms that are unstoppable have started turning and it's very comforting for my anxiety over the future of the human race
05:33
Thank you!
05:33
Zack
a database linking block heights to header hashes would probably be useful to optimize other parts of Amoveo as well.
05:34
haha, you can rest easy knowing that I will be anxious about this for you.
05:35
Živojin Mirić
Zack you even don't have to be because even though it is in your nature you started the mechanisms
05:35
Time. Will do the rest
05:35
Zack
If a sortition chain has 100 VEO in it, the entropy to settle that sortition chain will take as long as mining 100 new VEO.
05:35
Živojin Mirić
You can try to make it faster but in the grand scheme of things this small time period is irrelevant
05:36
I even don't have to live to see it fully in motion but I can live at peace
05:41
Zack
I think production cost doesn't matter in this case.
05:41
if someone can mine for free, that is bad for other reasons
05:42
but it wont mess up generating entropy for sortition chains.
05:42
Živojin Mirić
Omfg
05:42
Zack
I think this harmonic entropy generator might be useful for other blockchains too.
05:42
on-chain RNG is a thing that many people use in their mechanisms.
05:43
Živojin Mirić
In reply to this message
You can't make sure that your penis is in your fucking pants and we are still alive, what kind of argument is that
05:43
I have to sleep, I hope I dream about futarchy
05:43
Bye
08:13
Zack
looks like if we take 1000 blocks to gather entropy using the harmonic RNG, about 7 will be 1's, and the other 993 will be 0s.
if all 7 miners who find 1's check to see if rerolling will increase their odds of winning, it is the same as 1 miner with 50-50 odds checking to see if rerolling will help them.
08:22
I guess participants in the sortition chain should control secrets that are used to possibly unlock their branch of the sortition chain.
08:23
but then, wouldn't you be trusting your ancestor sortition chain to reveal their secrets at the right time?
08:43
Noreg
How much can a 1080 Ti mine in a day?
Z
08:44
Zack
In reply to this message
there is a mining channel on discord https://discord.gg/PgCcMJF
08:44
Also a russian channel
09:56
Zack
We want there to be two random options when you find a block, either a 0 or a 1.
And we want one of the options to be much more likely than the other. like 95% vs 5%.
And finally, we want the miner to be unaware of whether the 0 or the 1 is more common.

So the miner knows that they received a 0, but they do not yet know if the 0 or the 1 was the more common bit to find for this block height.
So they don't know if it is worth it to re-mine this block height.

We could use one of those programs where the internals are all an undecipherable cryptography mess.
So if a valid header is found, we can use the encrypted software to know if this header is a 0 bit or a 1 bit.
But we can't look inside the encrypted software to know how it decides which headers are 0s and which are 1s.
10:22
Zack
We could ask the oracle for the winning results of the big USA lotteries, and use that as the entropy to resolve our sortition chains.
10:23
it already has so much money on the line that if we wager more on it, it wont matter.
10:23
like the power ball lottery
10:33
Eric Arsenault
Zack you should suggest they use Amoveo
10:34
Zack
they are talking about a 5 year bet. that is a long time.
Deleted invited Deleted Account
19:46
Zack
There is this game that people play with flowers that have lots of pedals.
We keep passing the flower around the circle. You can take either 1 pedal or 2 pedals off of the flower when it is your turn.
Whoever takes the last pedal off is the loser/winner, depending on which rules you are playing by.
19:46
P
Petal*
19:47
Zack
right. not bicycle pedals haha
19:47
P
Kek
21:36
Zack
is there some other way to reduce how much entropy a block provides besides making one of the bits more common than the other?
21:37
what if we take groups of blocks, and xor them all into one bit before including it?
21:38
We just need many sortition chain to all grab entropy on the same block height.
That way if an attacker tries to increase their probability of winning one of the sortition chains, it reduces their ability to optimize for winning the other sortition chains.
21:41
if there is just one sortition chain, the perfect attack can, on average, steal 1/4 of the value in the sortition chain.

If there are n sortition chains, each with the same amount of value, I think it is either 1/(4*n) or 1/(4*sqrt(n))
21:45
if you are rolling 1 dice, you want to roll a 1,2, or 3, and you get 1 reroll, you will win 75% of the time.

if you are rolling 2 dice, then it isn't win/lose. you can either win 0, 1, or 2. ideally you want 2, but you don't want 0.
I think this is an example of the sultan's dowry problem http://mathworld.wolfram.com/SultansDowryProblem.html
21:47
oh, it is not the sultan's dowry problem, because we just keep switching to the better option. we never have to settle.
21:50
oh, you do have to settle. because every time you reroll, you are giving up the opportunity to publish that block.
21:51
but it is unlike the sultan's dowry problem because we know the distribution of how attractive the sultan's wives are likely to be ahead of time
21:58
Maybe I found a fix for the harmonic RNG.
The previous design was spreading out 1 bit of entropy over a period of 100 blocks, which gave us a 7x improvement in the cost/benefit ratio of doing this attack.

Maybe what we need to do is spread out like 23 bits of entropy according to harmonic ratio over a period of like 1000 blocks.

So it's like we are chopping off the first very steep part of the harmonic ratio graph, and just using its long tail.
22:19
Zack
=====================
We could follow a harmonic ratio like this, and stop gathering entropy if we have more than say 200 zero bits in a row.
So if you get a 1, you are resetting the timer for how long until it ends. This reduces how influential a 1 bit can be, so it reduces how much you can profit from your freedom to reroll.
22:32
It seems like there is a relationship between how much certainty we have in the expiration date, and how low we can reduce the damage from this kind of attack.
22:57
Zack
================
Thinking about the sultan's dowry thing again.
An attacker with <50% hashrate only gets 1 or 2 rerolls.
If there are N sortition chains at the same height, it is like a bell curve, and I think the standard deviation is sqrt(N*p*(1-p))=sqrt(N/4). So 90% are between (N/2) +- sqrt(N)
If we have 100 sortition chains, and do 2 samples, there is about a 90% chance that both are below 60% of all the money. So 90% of the time, the attacker gets away with less than 10% from a reroll.

If we have 10k sortition chains and do 2 samples, there is about a 90% chance that both are below 51% of the money so, 90% of the time a reroll steals less than 1%
23 October 2019
00:29
Zack
In reply to this message
Extending the deadline this way only helps by a factor of about 2.
It decreases our ability to know who will win if we don't reroll, but it doesn't reduce our ability to predict who will win if we do reroll.
02:15
Zack
If we take 1000 blocks to generate entropy. and for each block N the odds of making a 1 bit instead of a 0 bit are (15/(30+n)), then that means that there will be approximately 50 1's in the sequence. If every time there is a 1, the miner rerolls to make more profit, this all sums up to the miners getting 1 bit of advantage over the rest of us.

So this is 50x more efficient than the first solution we were looking at.
We require 1/2500th as many sortition chains in parallel to achieve the same level of security .
03:00
Iridescence
nothing much to add to the discussion, just wanted to let you know that I appreciate your posts here and check in to lurk here from time to time
03:35
Zack
so the plan is that each block we mine, it should have a large probability of adding a 0 bit to the entropy, or a small probability of adding a 1 bit.

What if each block mined generated 10 bits like this?
So the majority of the time, all 10 are zeros, and rarely one of them is a 1.
03:50
So far, it seems like this strategy would give us another 10x improvement in security.
03:54
if we generate 2000 of these bits per block, then I think that we have more than a 1000x increase in the cost of the attack.
03:55
so now we have 3 techniques to increase security, and if we combine them all, I think we can securely have sortition chains with as much value in them as 1 million block rewards.
03:57
Goldy
Zack try to throw some light on the same @indiabits
05:14
Zack
oh, I think re-using entropy between sortition chains actually makes it worse.
Because if there are N sortition chains sharing entropy, the attacker can reroll 1 block to attack sqrt(N) of them at once.

If instead we used different entropy for all of the chains, then the attacker could usually only reroll against one of them at a time.
If instead we used different entropy for all of the chain, then the attacker could usually only reroll against one of them at a time.
05:16
if we use 100 sortition chains that share entropy, it is sqrt(100) times more secure than 1 sortition chain.
But if we don't share entropy, it is 100x more secure than 1 sortition chain.
Deleted invited Deleted Account
05:24
Zack
if there is a veo giveaway, I am first in line for free veo
05:25
BCjdlkTKyFh7BBx4grLUGFJCedmzo4e0XT1KJtbSwq5vCJHrPltHATB+maZ+Pncjnfvt9CsCcI9Rn1vO+fPLIV4= @jsmitth send it here
05:29
Instinct
In reply to this message
😂
05:40
Sy
In reply to this message
34%? what did i miss?
05:41
Zack
I wish I had 34%
05:42
I have around 1/6th of the market cap. 16.66%
08:46
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/harmonic_rng.md
I am gathering together what we learned into this paper
08:47
I'm pretty sure a better solution is still possible.
09:28
Zack
I think maybe we should follow the 10/(20+n) curve for a while, and then switch to the 1/(2+n) curve for the last 50 blocks or so
17:16
ALGO
In reply to this message
Members of the Exan.tech team are working on the side with Warwick Trading Society to set up a lottery giveaway in return for students learning about the project
Arthur icoholder invited Arthur icoholder
17:49
Arthur icoholder
Where can I buy your coin with a credit card?
17:49
Maybe this coin available on platforms where I can buy using Visa / MasterCard, such as indacoin and waves platform, changelly?
17:49
Hi, by the way :)
17:50
Zack
I think that is not yet possible
18:11
A K
Gnosis is working on sight.pm
18:11
A la Veil, with a DLT license from Gibraltar
18:11
Just 3 markets for now
19:25
ALGO
In reply to this message
I believe https://gozo.pro/ allows you to purchase using traditional fiat
22:32
Zack
I think the harmonic rng doesn't work.

There must be some tail of the series such that the expected number of p-bits that return 1 is 1.
Half the time it is all zeros, 1/4 of the time there is one 1. 1/4th of the time there is 2 or more ones.

Looking at the 1/4 of the time where exactly one 1 is found, whoever finds it gets a free reroll.

I think the harmonic series trick can only increase security by a factor of 4 at best.

But the fact that we can get better by a factor of 4 hints that more is possible.
22:35
What we want is for that tail that on average finds 1 block, we want the distribution to be like 98% chance of all 0s, 0.01% chance of one 1, and 1.99% chance of >one 1's.
22:36
It seems like the way to do this, every time we find a 1, the probability of finding ones needs to increase. And every time we find a zero, it decreases.
22:43
The trick is coming up with a version that is expected to expire within some reasonable time period
24 October 2019
01:59
How do you guys think quantum computing can affect Amoveo/VEO?
02:11
Zack
John Martinis. He was in charge of my physics lab practical class for a semester.
He taught me about calculating the range of accuracy for new values when combining values that have known levels of accuracy.
I know some of those grad students assembling this thing in the video.

I am pretty sure there are already soap bubble computers that meet the definition of "quantum supremacy" they are giving in the video. but I guess that would be "soap-bubble supremacy"
02:12
ill check out the paper
02:59
Zack
It looks like they have some hardware that is really good at measuring some quantum vibrations.

But I still think quantum computers, in the sense of a computer that is really fast and can impact cryptographic systems, it is impossible.

Ill try and explain what they are doing and why it is not actually giving any evidence that quantum computation is possible.

Imagine if we gathered up all the technology in the world to scan and analyze a mouse. We are looking at every muscle twitch, every whisker flick, every heart beat.
If the mouse is in a similar position, at a similar time of day, when exposed to the same stimulus, certain kinds of measurements should be more common.

Now imagine if we wanted to run a computer program that could simulate all aspects of the mouse, to calculate from scratch all the data we can gather from measuring the mouse.

It would take existing computers thousands of years to simulate all the chemistry of even a few seconds of a mouse's existence.

So, does this mean that the mouse is a computer that is better at computing the average behaviour of mice in comparison to silicon-based computers?

Yes, mice probably are more efficient at computing the behaviour of mice than any simulation that could be created. It is an ASIC for computing what mice do.
mice have achieved "mouse-simulation-supremacy"
quantum computers have achieved "quantum-simulation-supremacy"

But that doesn't bring us any closer to breaking a cryptosystem. modeling a cryptosystem in terms of the likelihood of various mouse behaviour is much less efficient than just doing the cryptography normally.
Trying to model a cryptosystem in terms of various quantum behaviours is similarly much less efficient than just doing the cryptography normally.

Martinis' team needs to find a way to make it look like they are progressing towards an achievable goal, otherwise funding will disappear.
They are building some very interesting hardware for measuring quantum systems, but I think they still don't have evidence that quantum computation will ever be possible.
08:24
Jed
Lol
08:34
Iridescence
In reply to this message
Zack, you are a great example of a developer that knows his stuff. 👍
08:47
Zack
In 2014 when I chose to start researching cryptocurrency, I was also choosing to not get involved with Martinis' quantum research.
I think quantum computation isn't relevant to blockchain. It is just a coincidence that I am knowledgeable about physics.
09:13
Zack
In reply to this message
I think Martinis' lab has had the most qubits in a computer for the last 5 years at least.
There is no hidden team with more qubits.
09:15
https://news.ycombinator.com/item?id=21332768
Some people on hacker news are agreeing with me about how this isn't showing that quantum computation is possible.
Instead of using a mouse as an example, they use the examples of calculating the brightness of every location in a room due to a lamp, or calculating how water behaves when poured over a bumpy surface.
These are other problems that are exponentially complicated to simulate, but can be done in the physical world instantly by literally putting a lamp in a room.
09:23
In WWII, the British invented Doppler radar technology in order to see the German bomber planes more accurately.

In order to keep the Doppler technology secret, they made press releases about how everyone in their military is eating carrots for improved night vision.

Militaries frequently lie about what technology is available to them to try and maintain an advantage against the enemy. This helps to avoid leaking sensitive data.

If some military claims to have quantum computation, but they refuse to share their work, it is certainly a lie.

In order to do good science, you need the review of experts. Getting their review means publishing your work as open source.

As the number of experts in a field increases, the relative disadvantage of closed-source research gets worse and worse, because you are preventing a larger and larger portion of researchers from reviewing your work.

Trying to do closed source research today is practically impossible, because there are billions of people, and so many of them have become expert researchers.
Z
09:44
Zack
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.405.286&rep=rep1&type=pdf

Here is a paper from 1992 in the field of anthropology, and it seems to anticipate the possibility of PoW blockchains.

It shows that if there is a rule that punishes anyone who fails to punish rule-breakers, then such a system can enforce any arbitrary rule set with a stable Nash equilibrium.

In the language of blockchains: for PoW to be secure, there needs to be a rule that miners should only mine blocks on top of valid blocks. If a block breaks any one of the consensus rules, then miners should not build on top of that block or any of the descendants of that block.
As long as this rule exists, then we can also enforce any other arbitrary set of rules about what a valid block would look like.
Z
10:58
Zack
https://en.wikipedia.org/wiki/Soap_bubble#Soap_bubbles_as_unconventional_computing
Looks like we have had soap bubble supremacy all along.
Z
11:15
Zack
https://www.americanscientist.org/article/the-soap-film-an-analogue-computer it looks like soap bubble computers have practical applications.
Like figuring out the shortest network of roads to connect some cities.
16:00
Deleted Account
Hello admin, which one could I talk to about cooperation on listing?
S
19:01
Sy
You do it for free?
[
19:07
[Riki]
In reply to this message
the talk? yes 😄
Z
19:23
Zack
Thinking about the RNG again.

How about this: we will have some expiration date at height H.
For every block before H, we generate 1 bit of entropy.
Let's call block H B(2), and block H+N B(N+2).
the probability that the pbit from B(N) is a 1 is 1/N.

If we ever get to B(11), then we are done generating entropy.

If we generate a p-bit of "1" for any B(N), then we start the process over at B(0).

So if you roll a 1, then you can reroll and you will almost certainly get a 0, but there is only a 1 in 10 chance that your "1" is the last "1".

So an attacker would have to do 10x as many rerolls in this setup in comparison to attacking the harmonic series with a concrete expiration date.

The expected amount of time between the expiration date, and when we can get our money out of the sortition chain is:
10 cycles * average cycle length =
...
I think the average is something like 10/3, or sqrt(10) or log(10).
19:31
1/2 the cycles take 1 block.
1/3rd of the remainder take 2 blocks.

so we can make an upper bound of
1/2 + (1/3)*(1/2)*2 + (1/3)*10 -> 1/2 + 1/6 + 3.3 -> about 4.

Looks like it is following sum(1/n), which is approximately the same as log2(n).

So I think the expected number of blocks till expiration will be 10*log2(10) for this example.

So if we are willing to wait on average N*log2(N) blocks to get our money out after expiration, then we can increase the level of security by Nx.

if N=100, then it takes about 700 blocks on average, about 5 days, to get our money out of the sortition chain, but we reduce the losses from attacks by 100 fold.
Z
19:47
Zack
so we could fit 100 fold more money in each sortition chain.
Instead of ~4 block reward each, we could fit ~400 block rewards in each sortition chain.
19:48
if we had 1/2 the block time, and 1/2 the block reward per block, would that make this RNG process faster or slower?
Z
21:08
Zack
So let's consider it from a concrete game theory perspective.
An attacker has 30% of the hash power, and 50% control of a sortition chain's value.

They will win a sortition chain if the current random number is selected, so they want all the pbits to be zeros.

If this attacker is willing to do rerolls, how much money needs to be in the sortition chain for this to be profitable?

Include the cost of locking up 1/2 the money in the sortition chain.

If the attacker does not interfere, the odds that this is the last cycle and that they will win is about 1/n.

The odds that only one 1-pbit would be found during a cycle of length N is
sum from i=1 to N of (odds that only block i is a 1 pbit)
= sum from i=1 to N of (prob of all zeros)*(1/(prob of 0 pbit))*(prob of 1 pbit)
= (1/N)*sum from i=1 to N of (1/((i-1)/i))*(1/i)
= (1/N)*sum from i=1 to N of 1/(i-1)
=~ log(N)/(N)


the number of rerolls an attacker would need to do to have 1 bit of influence =
1/(probability they are winning at the start of the harmonic cycle)/(probability that only one 1-pbit would be found during the cycle)/(probability that the attacker is the one to find the 1-pbit block)
= 1/(1/2)/(log(N)/N)/0.30
=(10*2*N/(3*log(N)))
=(20/3)*(N/log2(N))

if the harmonic cycle is 128 steps:

= (20/3)*(128/7)
= 120.5 rerolls.
Z
21:40
Zack
Instead of focusing on the cost of re-mining the block for influence, it seems like it is better to focus on the cost of leaving your money locked up in sortition chains for such a long time.
You need to lock up a lot of liquidity in order to steal a very small amount.
Z
22:10
Zack
If the harmonic cycle length is N, so far I am only able to increase the security against rerolls by log2(N).
Lockup costs scale linearly with N, so that won't work either.
Z
23:39
Zack
Maybe we need to look at it from the perspective of pareto optimization.
Currently, rerolling is happening privately. We don't know who is rerolling, or when it is happening.
Maybe if we allow people to explicitly reroll, by mining a block with higher than normal difficulty, that will give us the extra data we need to make a better solution.
23:41
or maybe they pay a fee in VEO instead of in PoW.
25 October 2019
Z
00:52
Zack
If we made the block time 1 hour, then the block reward could be 10x higher, so reroll would cost 10x more, and we could fit 10x more in each sortition chain.
00:54
Instead of being able to directly calculate if you have won, we could set it up so everyone gets a score, and if you owned more of the sortition chain, your score is probably higher.
Whoever has the highest score wins.
This would give us a factor of 3 improvement.
00:57
3*4*10*log2 (100) makes about 70 Veo per sortition chain.

If we run 1000 of them in parallel, and had 14 blocks per day, and they each last 2 months, then every block is only settling 1 or 2 sortition chains.

1000 sortition chains * 70 Veo each is already bigger than the market cap.

So it seems like if we combine all the very low quality optimizations, they add up to something within the tolerable range.
01:01
Maybe the last bits generated should use oracles as a source of entropy, and we can use block hashes for earlier entropy. That way we aren't overwhelmed with oracles, and we can prevent reroll attacks.
ŽM
01:08
Živojin Mirić
Ok
Š
01:26
Šea
Hmm
Z
02:07
Zack
combining all these improvements:
===========
(starting example) * (harmonic) * (harmonic resets) * (slow blocks) * (off-chain score) * (sortition chains in parallel)

C = cycle length = 200
2 * log2(C) * 2 * 1 * 3 * 1000 =
91726 veo in the sortition chains at one time.
about 92 veo in each one.


so we need to keep the (block reward)>((market cap)/(92*(# of sortition chains we can handle in parallel))).

and maybe we will find a way to make the 92 into an even bigger number.
02:11
if we have 14 blocks per day, that is like 5000 blocks per year.

If we can support 1000 sortition chains in parallel, that means annual inflation would be 5%

if we could support 10k sortition chains by making the software more efficient, then we could lower inflation to 0.5%.
MF
02:11
Mr Flintstone
In reply to this message
it seems as though we will not need to wait material portions of the human lifespan to mature these chains sir but I appreciate the concern
02:12
thank you for jumping into this chat and sharing your well formed views
Z
02:22
Zack
The harmonic process takes B steps, and increases security by log2(B).
We can have even more time to spare, I am thinking we can layer this inside of itself.

The entire process is generating 1 bit, but along the way it makes a bunch of p-bits.
I am thinking we can use the entire harmonic process for each of the pbits.

So it would take Bx as many blocks to generate the entropy, but it would provide security of log2(B)*log2(B). If we got it to work, it would work out to a factor of 3x improvement.
02:24
this is because in order to do a reroll of the outer game, you would need to make log2(B) rerolls in the inner game
02:28
maybe we can set B to 4, and put the harmonic game inside of itself 6 times, so it would take around 64 blocks to generate the entropy, and provide 64x security.
02:30
oh, that would take 262k blocks, not 64.
02:31
maybe we can play many of these harmonic rng games simultaneously, using different parts of the entropy from each block.
02:38
I feel like if there are multiple sortition chains that are getting their entropy from the same block height, it must reduce an attacker's ability to influence those sortition chains in their favour. Because optimizing one will limit their ability to optimize the other.

It is weird though, because this trick is decreasing the frequency of attacks, which is something we want. But it is also decreasing the cost of attacks, which is something we want to avoid.
02:39
it creates more situations where an attacker has the ability to influence 2 sortition chains simultaneously in their favour, using only 1 reroll.
02:47
If we can get the frequency of attacks low enough, the severity isn't so important. it is all probabilistic value inside sortition chains anyway, so having an extra 1% chance of losing everything is identical to paying 1% of how much you have as a fee.
MF
02:48
Mr Flintstone
people tend to be risk averse though and are less comfortable with a 1% chance of losing everything vs a 1% fee
Z
02:48
Zack
it is literally identical in sortition chains
02:48
you could use either set of words to describe the situation, and it would be honest
MF
02:50
Mr Flintstone
maybe I am not understanding but I think without rerolling attackers you can reliably trade your 1% chance of losing everything for a 1% fee? and with the attackers I am not sure how you hedge the 1% chance of losing everything?
Z
02:53
Zack
once rerolling is happening, the sortition chain is already being settled.

My expectation is that almost everyone will sell their stake in the chain before that point in time.
This is why the attacker is able to buy up exactly 1/2 the stake to optimize for this attack.

So when you cash out your stake, it will be worth less based on the probability of a successful reroll attack.
02:56
if there are S sortition chains being settled at the same block height, I guess an attacker could influence sqrt(S) of them with a single reroll.
Which means S-sqrt(S) are free of influence

If there are 1000, 1000-sqrt(1000) is about 968.
so 97% of the sortition chains would be unaffected.
02:58
It's like taking 2 samples of a bell curve and going with the higher one.
the advantage is based on the standard deviation, which is related to sqrt(S).
03:00
my other strategies were all about reducing the profitability of attacks, this one is for reducing the frequency.
How do I combine the results to know how much VEO I can safely store in a sortition chain?
03:03
seems like we multiply by (1 - (1000-sqrt(1000))/1000)
= 1/sqrt(1000)

Which is the best strategy so far.
03:11
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/harmonic_rng.md Here is the 2nd draft of the harmonic RNG document.
03:14
this solves it well enough so that now I will focus on taking out the parts that are harder to program, and don't give enough benefit.
Z
05:24
Zack
oh no...
What if an attacker has 95% of a sortition chain?
Then if they are losing, a reroll is going to give them the money 19 times out of 20.
05:28
the case we were looking at before was 1 reroll increased your odds of winning by 50%.
this time it increases by 95%.
So it is only worse by a factor of 2.
Š
05:37
Šea
In reply to this message
🤔
Z
05:41
Zack
06:02
miners can write a timestamp that is a minute in the past, and everyone would still accept that block.
06:06
Bitcoin is a good source of rng data for now. But we want to be able to grow bigger than bitcoin.
06:07
The Oracle is Amoveo's central value proposition. Our design is very strong.
06:13
Voting type oracles don't work. And cosmos doesn't work. I wrote a report about it.
https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/cosmos.md
06:17
In reply to this message
Z
09:56
Zack
If we use verified delay functions,
Like hash(hash(hash(.....(hash(<<"seed">>)))))
there are ways to use financial derivatives to have high confidence in the result of these kinds of functions without running them yourself.

Our oracle system makes it fairly easy to import this kind of computationally expensive information into Amoveo.

But, we would need to have some really big security margins.
it would take at least this long to solve it for most hardware: (best ASIC for solving the linear problem) * (10 blocks of time)/(your computer's speed)

I don't have the experience in hardware to know how big of a period of time this is, or how hardware will change over the years due to financial incentives.

Maybe it would take 10k blocks to solve one of the verified delay problems, which could make it difficult for the oracle reporters to access that data.
Z
10:51
Zack
refusing to reveal the key gives you 1 bit of influence over the outcome.
one bit of influence can be worth as much as 25% of the money locked up.
So if his collateral is less than 25%, it can be profitable to attack.

If there are multiple participants who can reveal, then any one of them could attack.
10:52
that is why I came up with the harmonic strategy. each block can have less than 1 full bit of influence.
Z
11:16
Zack
Maybe we should have a second kind of pow that only finds one block per week, and gives a much bigger reward. We could use that block for generating entropy, because rerolling it would be more expensive.
11:17
It would also make it easier to get all the sortition chains to share entropy
T
15:29
Topab
G
16:31
Grizzily
Hello
A
16:41
ALGO
Welcome to the Amoveo group Grizz
17:39
skip to 7
Z
18:46
Zack
In reply to this message
The threshold signature scheme needs at least t of the n randomly selected users to participate.

Let's suppose an attacker has H portion of stake/hashpower.
The number of signatures that the attacker has control of is usually H*n. But it has a standard deviation of H*sqrt(n).

So if we set n=100, then standard deviation is H*10.

So 0.1% of the time (once per week with 10 min blocks), the attacker controls more than H*n + (3*sqrt(n)).

If for any single block, the attacker controls more than t/n of the signatures, then the attacker can predict the entropy ahead of time.
An attacker that can predict the entropy can know which parts of the currency space they need to own to win the next round of random selection.
So once the attacker breaks this random number generator once, they will be able to maintain centralized control of this blockchain forever. They will be elected block producer of every block from now on.

If the attacker doesn't control enough hashpower to do this attack alone, it is cheap to bribe other validators to reveal their signatures ahead of time, so the attacker can anticipate the entropy that will be generated.
18:50
If n/t is less than 1/2, it is easier to attack by stuffing the ballot box: controlling lots of participants.
If n/t>1/2, then it is easier to attack by withholding signatures and preventing new random values from being generated.
If new randomness is prevented, then we can predict which accounts will be elected to generate future randomness, so an attacker knows which parts of the currency space they need to control to successfully take down Dfinity.
18:51
If t/n = 1/2, then both vulnerabilities are about equal.
18:52
Since PoS can't make randomness, and randomness is necessary for sharding, it seems like PoS is less scalable than PoW.
19:01
================================
Thinking about harmonic RNG. The trick where we have multiple sortition chains in parallel.
If the users decided they wanted the ability to win more money than a single sortition chain, they might make the same bet in multiple.
That way they can possibly win a larger amount.

But making the different sortition chains' outcomes correlate this way breaks the trick where the sortition chains are in parallel.
It reduces the cost to attack by 1/sqrt(# correlated sortition chains).
Z
19:32
Zack
I guess for big lottery applications, we should use the Oracle to grab entropy that can't be manipulated.

For payment and derivative applications we can generate enough entropy on-chain.
Z
19:47
Zack
I think the second to last bit's influence is as much as the last sqrt (2).

And the nth to last bit is 2*(1/sqrt (2))^n

So we need to do the harmonic trick for more than one bit.
But taking half harmonic steps did not work.

I am thinking each block needs to make multiple p-bits. That way we can provide fractional amounts of entropy between 1 and 2 bits.
Or maybe we need to combine a bit with a pbit, so they sum to the required amount.
19:58
Actually, the pbit system is providing a lot more than 1 bit of entropy.
It has multiple 1 bits and multiple 0 bits.
19:58
It's weird trying to calculate the amount of entropy provided by data that isn't over a uniformly distributed probability space.

I think maybe we need some math from Huffman encoding.
20:00
Oh, I think the amount of entropy in a given sample is log2(1/(probability of that sample occurring)).
ŽM
20:04
Živojin Mirić
Loubotin is now dev?
Z
20:04
Zack
So if we take 100 blocks of time to run the process, the most likely outcome is 100 zero p-bits. The probability of that is 1/100.
So a lower limit on the number of bits of entropy provided is log2 (100)
20:04
In reply to this message
He has not written code.
ŽM
20:05
Živojin Mirić
Ok thx
Z
20:08
Zack
(1/sqrt (2))^log2 (100) = 1/32nd as much influence in the second to last block vs last block.
20:15
In reply to this message
Having more than ~90 bits of entropy can not make it more secure. 90 bits is our computational limit today for cryptography.
20:16
In reply to this message
A system of "extra data" is just giving attackers more opportunity to inject entropy. Does not work.
20:16
In reply to this message
Reorgs are not the issue. Rerolls are.
20:17
We are worried miners will refuse to publish some blocks, because the rng is not in their favor
Š
20:17
Šea
In reply to this message
Yes, rerolls
ŽM
20:18
Živojin Mirić
Was just thinking about rerolls
20:18
Ungrateful topic
Z
20:18
Zack
In reply to this message
I responded to why that is not a solution for us.
20:20
Maybe a better way to think of a reroll: it is like the miner is trying to find blocks where they win before anyone else finds a block where they lose.
20:21
In reply to this message
I responded here.
We can't know the time delay ratio. Maybe it is infeasibly large.
20:23
You only need to apply the second hash if the first succeeds.
20:35
1) that would break our goal of being easy to implement on ASICs
2) retargeting economics would just reduce the difficulty to the point where nothing has changed. stacking 2 hash algorithms is just making a longer hashing algorithm.
MF
21:33
Mr Flintstone
While it would be nice to have native RNG, asking the oracle about Bitcoin blocks works as a stopgap until the value in sortition chains gets very high, so we shouldn't delay the implementation of sortition chains.
Z
21:34
Zack
The rng designs we have been looking at would all be a part of the smart contract. So we could keep making changes as we learn more.
MF
21:34
Mr Flintstone
that is good
Z
23:02
Zack
Harmonic resets are more powerful than I had previously calculated.
I found a more accurate way to model it, and it is providing Nx security, not log2(N) like we were thinking before.
23:06
if we are willing to wait on average N*log2(N) blocks to settle, then we can make it Nx more secure.
26 October 2019
Z
00:34
Zack
oh, my new analysis is no good.

The attacker does indeed mine Nx blocks with 0 pbits to publish, but since he is receiving block rewards for all those blocks, the cost is zero.
Z
00:57
Zack
===========
So let's go back to the pareto analysis idea.
If this attack is happening, the attacker is spending value to reroll to steal probability space from users.

So a pareto improvement would stop the attacker from wasting value re-mining blocks, and the users would receive 99% of the cost of re-mining those blocks.
So the net effect is that the attacker spends 1% less value to execute the attack, and the users have 99% of the cost of the attack less stolen from them.
01:04
I think we can't enforce any pareto improvement mechanism because ownership in the sortition chain is off-chain.
01:13
Maybe we should vary the block reward, so that if you find an unlikely p-bit value, the reward is higher, and if you find common ones, the reward is lower.

So for example, block B(8) has a 1/8 chance of being a 1-pbit, or a 7/8 chance of being a 0 pbit.

so if we pay out only 1/2 a block reward for the 0 pbit, we can afford to pay out ~10x as much for the 1-pbit, and the average block reward per block would be constant.
So rerolling would cost 10x as much.
01:23
A novice is someone who is comfortable using all the popular techniques in a field.
A master is someone who has made every mistake you can make in a field.
Z
01:47
Zack
eventually we get to a part of the tail, where on average we are expected to find 1 more 1-pbit.
If the attacker has H portion of the hashpower, they will find that block H portion of the time.
the cost of re-mining the block can be as high as block_reward*cycle_length/2, and it only gives 1/2 a bit of control.

So I think we finally solved it.
if we use N*log(N) many steps to gather entropy, we can increase the cost of reroll attacks N-fold.
01:50
I think we can get rid of the harmonic-resets tool.
So it only takes N blocks to increase the cost of attacks Nx.
Z
03:34
Zack
I keep looking into it, I'm feeling pretty confident it works this time.
03:35
I still think it might be possible to do better
03:46
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/harmonic_rng.md
I wrote more details about the variable block reward
03:47
I think we can have several of these entropy processes at different stages of being settled running all the time.

So a block could be a 0 pbit for one of the RNG process, and a 1 pbit for a different one.
03:50
it would need to be a part of the consensus mechanism, we couldn't fit this in a smart contract.
03:52
oh, I guess overlapping wouldn't be good, since the block reward for 0 pbit blocks would be too low. it would make too much variance for miners.
04:02
So the entire blockchain can only have 1 refresh rate for its RNG, and we need to choose between refresh rate speed vs how much security it offers.

A refresh rate of once per 4000 blocks means that we could safely put 4000 block rewards into a single sortition chain.
04:06
I must have tried more than a dozen different math techniques on it, but I think we have finally got it.
Z
07:46
Zack
So, to recap.
We need the expected reward for mining a block to be the same as 1 block reward.
So if we pay slightly less when a miner finds a 0 pbit, then we can pay a much higher reward for when they find a 1 pbit, and it works out to paying as much as a normal block reward on average.

The cost of a reroll is the same as the reward you were paid for finding a block.

We can make the cost of rerolling 1 pbits much higher, to reflect how much more influence an attacker has for rerolling a 1 vs rerolling a 0.
Z
18:06
Zack
Maybe it would be useful for me to review some other random number generators being used in blockchain, to show that they are insecure.

Like when I reviewed PoS or when I reviewed oracles.
18:14
how about RANDAO?
18:31
Deleted Account
In reply to this message
💯
K
21:17
K
In reply to this message
Cardano and EOS must be the biggest projects that have one
Z
21:20
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/scalar_oracles.md
I explored the failure mode that makes Augur's team say that blockchain oracles cannot possibly make stablecoins.

It seems like sortition chains makes it trivial to solve this kind of issue.
Z
21:54
Zack
In reply to this message
any idea where they document their RNGs?
21:56
https://www.cardano.org/en/academic-papers/ the link to the randomness paper on this page is a dead link.
27 October 2019
K
01:03
K
In reply to this message
It’s in the praos paper
01:04
Google ouroboros praos eprint
Z
01:08
Zack
thanks
01:17
In this paper: "We also assume the availability of a random oracle. As usually, this is a function H: {0,1}* → {0,1}^W available to all parties that answers every fresh query with an independent, uniformly random string from {0,1}^W, while any repeated queries are answered consistently."

hahahaha
They just assume that the problem is solved. They never bothered to actually solve it.
01:27
So Cardano is based off of these assumptions:
1) >2/3rd of stakers will always run the default software, even if it is more profitable to run alternative software.
2) a secure random number generator exists, and no one can influence it at all no matter how much money they are willing to spend.


And yet, they still wrote hundreds of pages of dense math.

I think all the dense math is security theater. If anyone points out how Cardano doesn't work, they say "you don't understand our hundreds of pages of math, so you have no right to critique Ada."
K
02:27
K
In reply to this message
Love this!
Z
03:13
Zack
oh, maybe by "random oracle" they are talking about the fact that the outcomes of this special hash function are evenly distributed in probability space
Z
03:30
Zack
Oh I see. They have multiple people who can leak pre-committed information. They can't edit the info; all they can do is verifiably reveal bytes that they had pre-committed to.
I think I saw this idea in one of Vitalik's essays before.
So the issue with this strategy, is that they still have the freedom to not reveal data.
And there is going to be some miner who mines the last block before the randomness is sampled. That miner can either reveal or not reveal the next lump of data from his pre-committed stream, so he has 1 bit of freedom.
03:44
In reply to this message
I'm pretty sure I can make a construction right now that has all the power of this paper.

assuming the existence of a cryptographically secure hash function.

Everyone who wants to participate in generating randomness, they select a random value R.
Next they calculate hash^1000000(R).
So they take the hash of R, and the hash of that, and the hash of that... one million times, and they store all 32 megabytes of intermediate values.
So if I have already revealed hash^n(R), the only value I can reveal next is hash^(n-1)(R). and anyone can quickly verify that hash(my new reveal) = my old reveal.
So every reveal is the commit for the next reveal.
03:45
the problem with this strategy is that people can choose to not reveal. in particular, the miner who mines the block where the random sample occurs, he can choose whether or not to do his reveal at the last moment.
03:47
or someone who is working with the block producer to make a last minute optimization
03:49
our applications are different though.
If they are taking random samples of users owning stake to decide who makes the next block, it isn't a big deal if someone can pay a bunch of money to make the odds of being selected 11% skewed.
03:50
If someone could steal 11% of a sortition chain consistently, that would make sortition chains not useful.
03:53
if someone with 1/3 of stake had a reroll, it could only steal
1/3 * 1/3 = 1/9 =~ 11% of a block reward.

a reroll in a sortition chain could steal 25% of all the value in that sortition chain.
03:58
In reply to this message
I think this
RNG could be good enough for what algorand and cardano are intending to use it for.
Z
08:17
Zack
I am trying to look up any other math that involves harmonics.
It seems like the physics of musical instruments is related.
Some fourier transformation math is related.
There is some quantum mechanics that involves the 3d spherical analogue of harmonics.

It seems very strange that this sequence is appearing in blockchain secure random number generation.
08:21
A sequence of improbable events where the likelihood of event N = the likelihood that none of the events 0, 1, 2, ... N-1 have occurred.
08:24
H(N) = PI from m=0 to (n-1) of (1-H(m))
08:35
The harmonic sequence has another property.
Let's say the sequence is C blocks long for gathering entropy.
If we calculate E(N) = how likely our best guess about the entropy will be correct
= N/C

So our confidence in the final outcome is increasing linearly with blocks being found.
Z
08:57
Zack
the harmonics are a projective invariant. it would be very cool to use projective geometry to prove something in blockchain.
Z
09:47
Zack
I added a uniqueness proof to the document to show that only the harmonic sequence can let our confidence increase linearly with the block rewards found.
Z
10:24
Zack
This is the limit of what the pbit strategy can offer. No other sequence of probabilities would be better.
Z
10:43
Zack
Harmonic series happen in systems that involve a constant rate.
Our constant rate is the influence each block has over the entropy produced.
p1(i) = harmonic(i), because p1(i) varies as 1/(the cumulative amount of influence so far).
Z
12:02
Zack
An ideal RNG could only be as secure as the accumulated block rewards of all the blocks built to generate the entropy.
It doesn't matter how long the block time is. Only the accumulation of rewards.
So it is time dilation invariant.

It doesn't matter what block the entropy gathering process starts on. So it is time translation invariant.

It doesn't matter how long each block takes, so it is time dilation invariant.

it doesn't matter how big each block reward is, only the total accumulation of rewards. so it is reward dilation invariant.

it doesn't matter how much money or hashpower the participants have, so it is reward translation invariant.

It doesn't matter if the block_time/block_reward is changing by some constant factor on every block.
so the cross ratios are invariant to projective transformations in the time-reward plane.

Therefore, it must be the harmonic sequence. Since only the harmonic sequence is projective invariant.
12:02
I've always wanted to prove something using projective geometry.
NS
13:04
Nayan Savla
In reply to this message
👍
13:19
Deleted Account
Hi. Amoveo is written in Erlang? I saw the educational blockchain in Python and really liked the idea of creating a minimal blockchain.
Z
13:19
Zack
yes, Amoveo is in erlang. I wrote the python one too.
13:20
Deleted Account
Cool. As I understand Erlang has true distributed network features so to speak. I spent quite a bit of time with ZeroMQ and came to dislike it, and then a long time on Clojure
13:21
Carl Hewitt worked on Actor Models in the 70s and scheme came out of that
Z
13:21
Zack
the python one has some known vulnerabilities. Amoveo is a lot better.
13:22
Deleted Account
Have you ever come across datomic? Written by the guy who invented Clojure. It has some amazing features due to having immutability in the language
Z
13:23
Zack
I have not looked at datomic.
13:26
this is a place to talk about Amoveo. not random clojure libraries.
13:26
Deleted Account
Great talk which got me into it. But it's on the JVM so not really applicable. I will check out the Amoveo code to learn. The Python stuff is not active anymore, I assume?
Z
13:26
Zack
Amoveo is the only blockchain I maintain that is secure.
B
14:08
Ben
there is btw. a coin that uses 3D rendering as PoW, just as a side note, to your point of geometry, i think it was called raycoin
Z
14:09
Zack
harmonic series is the only projective invariant.
this geometry has nothing to do with graphics.
It is to find a more elegant proof that harmonic RNG is the best RNG.
B
14:10
Ben
ok, did not follow your previous conversation.
Z
16:03
Zack
ok, I think I got the proof from projective geometry correct https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/harmonic_rng.md I added it to the bottom
28 October 2019
Z
01:07
Zack
A projective geometry proof, using a construction, that this is the optimal sequence of probabilities to use for pbits to generate secure entropy.
01:08
I think technically this proof is valid under circle inversion geometry as well.
cloudedlogic invited cloudedlogic
Z
20:02
Zack
The physicist who discovered a lot of quantum mechanics, his name was Paul Dirac.
He was famous for being a poor communicator.
He could explain and prove his final results, but was never able to explain what techniques he used to make these discoveries.

His proofs are all with equations and words. He doesn't use any geometry to prove the final results.

His background was projective geometry, and he would tell people that he used geometry to make his discoveries. but at that time, there was no one else who both understood projective geometry and quantum physics, so no one else understood him.

When Paul Dirac died, they went through his papers to try and figure out how he was able to discover so many wonderful things. There were piles and piles of papers with projective geometry diagrams, but there were no explanations for what the diagrams represented.

So for me, it is very exciting to find a practical application of projective geometry. I feel like I am helping to uncover lost secrets.
20:04
The projective version of the proof is like 20 fold shorter than the algebraic version. Maybe projective geometry is a more powerful kind of math.
29 October 2019
JS
01:05
Jon Snow
If Zack has a Chinese name, would veo pump?
P
01:12
P
I heard Zhang He is still available
01:12
make sure you like all the right things first tho
D
01:31
Devender
In reply to this message
Zack ma?
Z
04:48
Zack
half the joy of research is in seeing the beautiful math along the way :)
Deleted invited Deleted Account
Brodie invited Brodie
Jhooson Wubitch invited Jhooson Wubitch
Deleted invited Deleted Account
13:08
Deleted Account
How does amoveo compare to Chainlink?
13:09
https://github.com/zack-bitcoin/amoveo here is the home page where you can learn about Amoveo.
13:16
Deleted Account
In reply to this message
Interesting stuff. Why is chainlink getting so much exposure, considering it's vulnerabilities?
13:16
Are people just not aware?
Toasted Coconut invited Toasted Coconut
G
17:27
Grizzily
Hello
17:28
Your project BD has sent me an e-mail about listing. Who should I contact? Zack
S
19:33
Sy
BD?
Z
20:16
Zack
Reviewing random number generators that are used for PoS consensus is no good. it is practically a completely different problem from RNG in PoW used for gambling.

What are blockchain projects that use randomness for gambling? Those are what I should be reviewing.

In particular, is anyone gambling based on bitcoin block hashes?
20:24
gambling, probabilistic payments, and using probabilistic value for scalability are 3 use-cases for RNG where it could be useful for me to review their design.
21:22
Deleted Account
Z
21:22
Zack
In reply to this message
I think this design will only break if someone is betting more than 2 block rewards of value.
21:23
Maybe sortition chains are the first blockchain application that has such a high level of security requirements for RNG.
21:23
Deleted Account
I'm not aware of many projects, but as far as I know there are multiple "provably fair" betting-type of games that rely on the block hash as a source of RNG seed.
21:24
In reply to this message
That does sound likely.
30 October 2019
Z
02:02
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/uncertainty_rng.md I heard about another way to generate randomness. here is my first draft of a paper.
02:06
at this point it is hard to know which RNG strategy would be better
K
02:38
K
Doesn't the fact that in EOS, BPs are public entities make the tragedy of commons essentially a non issue? Any BPs that participated in an attack could easily be prosecuted in the real world and have their reputation ruined for life
02:39
It would cost a lot more for a company to choose to completely ruin its own reputation and possibly end up in jail
Z
02:42
Zack
If it is possible to use some centralized external mechanism to force the block producers to follow some additional rules, then the centralized authority may decide to use that power to enforce rules that you dislike.

According to trust theory https://github.com/zack-bitcoin/amoveo/blob/master/docs/basics/trust_theory.md
if there is someone who can steal from you, you need to pay them enough bribes to convince them to not steal from you. If it is cheaper or more profitable to steal from you, then the bribes need to be even higher.

So a trust-free alternative should be able to out-compete any tools that rely on centralized enforcers.
K
02:44
K
In reply to this message
This isn't just one centralized external mechanism. BPs are based all around the world
Z
02:46
Zack
either it is possible for centralized external authorities to punish block producers, or it is not possible.
K
02:48
K
In reply to this message
can't china punish miners? or any major country where large mining facilities are located?
A
02:48
Aries
In reply to this message
Yes you can
02:48
By forking
02:48
Then those ASICS are
02:48
Useless
K
02:49
K
You can also fork stake away
A
02:49
Aries
Agreed
K
02:49
K
So isn't the problem the same for EOS' DPOS and POW?
Z
02:50
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/bitcoin.md according to the crabs in a bucket model of PoW, it isn't possible for a centralized authority to use punishments to influence which PoW blocks get produced.
02:51
DPOS is not secure because you can bribe the people who are voting. https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/proof_of_stake.md

It is a kind of voting protocol. voting can not work in blockchains https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/voting_in_blockchains.md
K
02:52
K
'The crabs in a bucket model breaks down if ever there is one individual who has physical control over the majority of hashpower. ' Doesn't china have physical control over the majority of hashpower
02:52
81% I think
02:53
In reply to this message
My argument is that you'd have to increase your bribe by A LOT more if you are bribing public entities
Z
02:53
Zack
earth has 100% of the hashpower. So it is 100% centralized to earth.

Land is only 1/3rd of earth, and yet it has 100% of the hash power. the oceans have 0%.
So it is centralized onto the land.
K
02:54
K
In reply to this message
Chinese government is a centralized authority no?
Z
02:54
Zack
The Chinese government is centralized.
K
02:54
K
and they have physical control of the majority of hashpower
Z
02:54
Zack
they do not.
02:55
the Chinese government has control of practically 0%.
K
02:55
K
Any mining facilities located in china can easily be seized by them.
02:55
they practically do
Z
02:55
Zack
I think it is not legal to mine in China?
So it is not legal for anyone in the government to control any mining hardware.
02:55
so they control 0%
K
02:56
K
In reply to this message
how does 80% of the hashing power of bitcoin come from a country where it's illegal to mine
Z
02:56
Zack
like, do you think the USA government has control of 100% of the meth produced in USA?
02:56
just because it is produced in USA doesn't mean the USA government has control
K
02:57
K
If Meth was legal and business that produced it were all registered and known then yes
02:57
they would have control as they could easily take over those facilities
02:58
Large miners aren't hiding from the government in china.
Z
02:58
Zack
according to crabs in a bucket theory, if any government decided to enforce extra rules on bitcoin miners, the profitability of official miners would decrease vs hidden miners.
Fairly rapidly all the mining power would be in the black market.
02:59
its like how they legalized weed in Canada, but it is all in the black market still. The legal weed is so expensive that no one buys it.
02:59
the Canadian government is trying to force too many rules. so legal weed operations can't make a profit.
02:59
so the black market operations out compete them
K
03:00
K
Ah I see
03:02
Won't it be extremely profitable when coins owned by an attacker are forked out making the supply decrease as well?
03:03
Also I'm still convinced that tragedy of commons would be much more expensive on DPOS than POS due to more publicity. You'd be paying to destroy reputations and possibly freedom
03:03
I guess PoW is more secure, but another question would be is DPOS secure enough to function?
Z
03:04
Zack
In reply to this message
I don't know what you are talking about.
K
03:05
K
In reply to this message
If a new fork is created where every coin that is voting for a BP that is part of the attack is destroyed
03:06
the new fork would likely be much cheaper and so when businesses move onto that fork again the price increase would also probably be immense
03:06
along with the lower supply
Z
03:07
Zack
In reply to this message
the cost of a bribe is (((fraction of stake that they own)+(their reputation))/(value of total stake))^2
if the value of their reputation exceeds how much less stake they own, it could be more secure.

Like if we are comparing a blockchain with a market cap of $1000, and lets assume that a big company like Walmart promised to secure this $1000 blockchain no matter what, the value of Walmart's reputation is worth a lot more than the $1000 of stake that could support the system in PoS.
K
03:07
K
In reply to this message
Possibly secure enough right?
03:08
Imagine multiple billion dollar companies all supporting a single blockchain
Z
03:08
Zack
In reply to this message
DPOS and POS are basically the same as using a centralized company.
It is a competitor to Amoveo the way NASDAQ is a competitor.
K
03:09
K
In reply to this message
I disagree. DPOS will be using many companies - not just one
03:09
so it is nothing like nasdaq
Z
03:09
Zack
In reply to this message
it might be able to compete against centralized companies.

If trust-free solutions exist, then all the trusted solutions will fail.

So POS and DPOS can only possibly succeed for applications where POW is impossible for some reason.
03:09
In reply to this message
a company is made up of many people.
K
03:10
K
In reply to this message
all under the same reputation though
Z
03:11
Zack
Whatever methods a company does to provide more trust than an individual, those exact same methods are available to a group of companies trying to provide further more trust.
03:12
POS, DPOS and companies are competing to provide the most trust for the lowest cost.

trust-free tech like Bitcoin provide zero trust. No trust is needed.
M
03:13
MKUltra
In reply to this message
Yeah they are partnering with the local Govt.

Communist party effectively controls the mining industry, if they wanted to stop it or seize it they definitely could
Z
03:14
Zack
if they attempted to enforce any policy at all against miners, then the mining industry would go dark very quickly.
Because the miners who exist outside the regulation would outcompete the miners who are obeying expensive regulation.
M
03:14
MKUltra
Zack how are things. Y’all still moving Amoveo along?
K
03:14
K
In reply to this message
How long would it take for anonymous miners to finally outcompete china?
Z
03:14
Zack
In reply to this message
https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/bitcoin.md
I wrote about this in the "crabs in a bucket" section of this paper
K
03:15
K
In reply to this message
I don't see how this isn't similar to attackers coins getting destroyed
M
03:15
MKUltra
In reply to this message
I think you are looking at this backwards. Mining companies aligned closely with the communist party will always outcompete the black market miners.
K
03:16
K
Your argument as to why Bitcoin is trust free is that if an attack did happen, mining would become cheaper and cheaper for normal miners
03:16
But this is the same for PoS. The supply would decrease dramatically
M
03:18
MKUltra
In reply to this message
There’s less regulation I bet if you are aligned with the state, that’s kinda the nature of these centralized authorities right?
03:19
Anyways good to see everyone still here and the discussion as lively as ever
Z
03:38
Zack
In reply to this message
you are conflating two completely different discussions.

1) why can PoW survive the Chinese government?
PoW is secure against central authorities who want to enforce their moral code because any miners who need to obey an additional set of moral rules will make less profit and be outcompeted by miners who aren't restricted from taking the most profitable strategies.

2) why does PoS fail under low-value bribery attacks?
PoS is insecure because in PoS it is possible to punish censorship. So in PoS a coalition to take control is stable, which makes it cheap to use bribes to take control of the consensus mechanism. https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/proof_of_stake.md


The question of how well PoS could survive the Chinese government doesn't matter. PoS can't survive at all, even if no governments wanted to attack it, it still breaks.
K
03:46
K
In reply to this message
It isn’t cheap to bribe the reputation of companies and people and the freedom of people.
03:47
A coalition isn’t stable as the chain can always be forked by the community with the attackers coins destroyed
03:49
What if the Chinese government attacks bitcoin for a decade straight. No normal miners would be making any profit throughout those whole ten years and miners would dwindle, making it ever cheaper for China to maintain 51% hash over time
Z
03:51
Zack
In reply to this message
if you attempt to recover by undoing history this way, you are giving the attacker the ability to do double-spend attacks instead.
03:52
In reply to this message
if the Chinese government made life hard for bitcoin miners, then for everyone mining bitcoin whom the Chinese government can control, it will stop being profitable to mine.
So the Chinese government will no longer be controlling any of the miners.
03:53
In reply to this message
the value of the bribes is a small fraction of the value of the system that can get destroyed by the bribes.
K
03:54
K
In reply to this message
I’d imagine a trillion dollar dpos chain would be secured by the biggest companies in the world all under different governments
03:55
How would that be able to be bribed?
03:59
How much would you need to bribe microsoft, amazon, google etc for them to attack EOS
Z
04:01
Zack
I was off by a factor of sqrt(number of sortition chains) in the RNG design.
Looks like if we use N blocks of time to generate the entropy, and we have S many sortition chains, we can only put 2*N*sqrt(S) block rewards in them in total.
Each sortition chain only has 2*N/sqrt(S) block rewards in it.

If we have 1000 sortition chains, and each sortition chain lasts for 1000 blocks (1 week), we would only be able to have around 60k block rewards in the sortition chains at a time.

To fit the entire market cap, we would need something like 4000 sortition chains lasting for 4000 blocks each.
04:10
Now we have these 2 different RNG strategies that are both giving the same amount of security.
I am trying to find a way to combine them to offer a higher level of security.
Z
04:31
Zack
Maybe the trick is to generate 2 independent pbits for every block.
the first pbit is for generating entropy according to harmonic rng.
the second pbit is a part of some data encoding the block height where the RNG process will end.

This way miners would have even less confidence in the entropy we are producing, because they would need to correctly guess how 2 different sets of pbits will progress.
04:42
I think this doesn't work because changing the date we finish on, and changing one bit of the entropy, they are both identical things.
So having 2 pbits per block is identical with moving from the harmonic sequence 1/(2+N) to some other sequence 2/(2+N)
K
04:51
K
Zack has Charles hoskinson ever replied to your pos paper?
Z
04:52
Zack
04:57
If Germany had futarchy back then, they would have known what awful things would come from allowing Hitler to gain power.
I think Hitler would not have been able to take power and that WWII would not have happened.

Blockchains are a protocol, they could have existed before electric computers.
05:01
If Hitler had exclusive access to Futarchy, and the rest of the Germans were excluded from this powerful tool.
I think that is not so different from how history actually happened. Hitler had lots of advisors, so he could know a lot of economic consequences of his decisions. A dictator can make markets to find out the answers to questions he is interested in.
Maybe he didn't take as full advantage of this tool as he could have, but it was certainly an option available to him.
05:03
Futarchy has only recently been named, but it is something that has existed since before written history.
People have always used the prices in markets to make decisions.

But historically, very few people have had the power to create new markets just to answer their questions.

Blockchain is exciting because it brings the power of futarchy to everyone who wants to use it. You don't have to be a king or dictator.
05:09
Are we headed towards a future with 4000 sortition chains and 12 veo in each one?
Z
06:01
Zack
What if we made it recursive?

The act of collecting your winnings from the sortition chain should require revealing a secret that you had committed to before we started deciding who would win your sortition chain.
06:02
Block rewards can add entropy because not collecting a reward costs as much as that reward.

Not collecting a sortition chain you won is massively expensive. So we can add a lot of entropy here.
06:04
We could use the winner's pubkey + randomness that won the previous sortition chain.
Solana.Capital invited Solana.Capital
S
07:04
Solana.Capital
suppp veo, something I missed? Massive drop in price
07:05
In reply to this message
I'm what you would call a dark miner 😊
Z
07:06
Zack
it is a small project. volatility is normal.
S
07:06
Solana.Capital
In reply to this message
ok great so nothing to worry about 😃
Z
07:06
Zack
In reply to this message
great
07:08
I think maybe we can snowball the sortition chain. so every time we close one, we can open another that is a little bigger.
Z
08:00
Zack
maybe the way to do it is if each sortition chain is like, building up randomness. And once it has enough to securely close, then it does.
So it follows the harmonic series 1/(2+N)
and if a different sortition chain, say worth 300 block rewards, gets closed, we need to fold that entropy in with the entropy being gathered, and we can jump ahead to step 1/(2+N+300) in the harmonic series.
Cam Strong invited Cam Strong
Z
15:39
Zack
the issue is that a winner of a sortition chain can send the value to themselves secretly.
So they could have more than one way to claim the winnings.
So I haven't yet found a way for them to not have influence over the entropy when taking their sortition winnings.
Š
16:00
Šea
In reply to this message
Hi let me help you. You are probably exiting the group after every conversation because you don't want to be spammed with a lot of random messages from here. Guess what, you can mute notifications so your phone doesn't ring every time someone posts here, how cool is that?? To disable notifs, just click on the 3 vertical dots up on the right and there you will see the disable option
Z
16:17
Zack
This secure RNG stuff is exciting from a theoretical perspective.

It is deepening our understanding of PoW.

It shows us how to transform concepts from the information-theory perspective of blockchain to the game-theory perspective and back.

Information theory and entropy is already well connected to many fields of study, like the physics of heat for example. https://en.wikipedia.org/wiki/Information_theory

So now we may have a way to take concepts from the rich field of information theory, and import them so they will be useful in the sparse field of blockchain-game-theory, this could potentially open up a flood-gate of new research opportunities for improving PoW.
16:31
If I give you a random number, and you ask "how random is this number?", maybe the correct answer should be in units of value. like "It would cost $1000 for someone to manipulate one bit of this random value, so this randomness is worth $1000 per bit."
16:41
A sortition chain that has N bits of randomness to determine its outcome can be safely divided up into 2^N units.

So if a sortition chain has 1 VEO inside of it, and we have 10 bits of entropy, then the smallest amount of value you can securely own inside this sortition chain is (1 VEO)/(2^(10)) which is about 0.001 VEO.
Z
18:26
Zack
Here is an idea to make the harmonic RNG more convenient.

Before every block had a pbit that was either a 1 or a 0.
Now each block has a rarity-number, which is how unlikely it is to find this classification.
If a classification is rare enough that it only occurs 1/10th of the time, then we make the block reward like the 10th pbit of the harmonic sequence. (BR/2) + pbit*BR*10,

Now every sortition chain has its own way of looking at a block to decide if it is a 1 or a 0.
If a block has a more rare classification, then we make that block more likely to be a 1 pbit.

This means that each sortition chain can be following its own harmonic series. So we can sample the entropy at any time we would like, the system doesn't depend on having a single frequency.

I think this does not increase the security, since sortition chains that expire at about the same block height will have entropy that is highly correlated.
31 October 2019
K
01:06
K
Your argument on github about IOTA might be outdated btw. https://files.iota.org/papers/Coordicide_WP.pdf
Z
01:18
Zack
In reply to this message
I keep going back and forth trying to decide about this factor of sqrt(number of sortition chains).

It seems like splitting up the value into N many sortition chains makes the attack sqrt(N) times less profitable.
But it is also decreasing the number of chains that can possibly get attacked simultaneously by a factor of sqrt(N).
So maybe they combine to give us a full factor of N of security?
01:24
In reply to this message
in the second paragraph:
in its current implementation, IOTA relies on a centralized Coordinator to provide security given the risk of dishonest actors seeking to undermine the nascent network.

There is no reason for us to waste time studying centralized services like IOTA.
01:30
looks like they are adding a subcurrency for a voting based consensus mechanism. I have already written a lot about why that strategy can not work. https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/voting_in_blockchains.md

https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/proof_of_stake.md
K
01:32
K
👍
Z
01:43
Zack
In reply to this message
if an attacker has 1 bit of control of the randomness for 1 big sortition chain he controls 1/2 of, he can earn an extra 1/4 of that sortition chain.
So if you are not the attacker, 50% of your funds disappear.

if an attacker has 1 bit of control of N linked sortition chains he controls 1/2 the money of, he can earn up to 1/(4*sqrt(N)) from the reroll.
So if you are not the attacker, 1/(2*sqrt(N)) of your funds disappear.


I guess it is only a factor of sqrt(N) security. too bad.
Z
02:34
Zack
How about in order to collect your winnings from a sortition chain, you need to go through a commit reveal process.
And if anyone else can predict your randomness too soon, they can delete the entire sortition chain in exchange for a prize.
That way there is a large incentive to not tell anyone else the secret.

This way any miners who find blocks during the step where the secret is protected, they won't be able to calculate the value of a reroll.
02:39
I think this achieves the snowball strategy.
So every time we close a sortition chain, it allows us to make a new bigger one.
02:41
If a sortition chain is worth 1000 block rewards, I think closing that sortition chain with this trick would let us skip 1000 blocks of the entropy generating process
Z
03:19
Zack
Yes. I guess this plan doesn't work.
If the attacker owned 95% of all the sortition chains, as well as 10% of the hashpower, then the entropy from the sortition chains isn't adding any security
03:26
If we are on bit N of making entropy, and the person closing a sortition chain is selecting bits N+5 and N+6, that means there are 5 bits between when they make this decision and when they reveal.
So they have about 1/2^5 confidence in the state of the system when their secret will get revealed.

So I think we can get this to work. As long as the attacker has less than 1/2 the hashpower, and we generate at least the final few bits using mining.
03:35
In order to be the best blockchain, we need to be the best at supporting financial derivatives.
Which means we need to be very scalable.
Which means we need sortition chains.
Which means we need a cheap and secure source of randomness.

The secure rng problem is at the center of what needs to be solved to build a global cryptocurrency.
03:36
Generating the last 2 bits of secure entropy usually takes 3/4 of all the time spent generating entropy.
A trick that makes earlier bits fast, but doesn't make the last 2 bits faster, is not useful.
JS
03:48
Jon Snow
In reply to this message
Oh man, I remember about 2 years ago Iota people said they plan to remove coordinator shortly lol. I guess Coordinator is here to stay
05:50
Deleted Account
Besides on-again-off-again China, crypto market seems to be out of gas. No new money coming in. Just flat.
Z
06:22
Zack
I think it is possible to combine the harmonic strategy with the uncertain expiration strategy.

Start with the uncertain expiration strategy, and make these changes:
Instead of one bit per block, have one pbit following the harmonic sequence.
If there is a 1 pbit on step N, then pay N block rewards.

Now if someone tries to attack it by not publishing blocks where they lose, if they don't publish a 0 pbit, it has basically no impact on the outcome. If they don't publish a 1 pbit, it is massively expensive.
06:24
As a first estimate, this means a sortition chain that takes 100 blocks to build up entropy, it can have 100^2 = 10k block rewards in it.
JS
06:49
Jon Snow
In reply to this message
Flat is the new Up!
Z
06:55
Zack
In reply to this message
well, maybe this can't work.
because if we find a 0 pbit, we are supposed to leave the entropy unchanged. So how could we possibly have a random lottery to see if the game should end on this round, if the entropy is not changing?
maybe we use the existing entropy as a seed?
07:17
Deleted Account
In reply to this message
More
Z
07:33
Zack
In reply to this message
http://www.paulgraham.com/articles.html here are essays on a similar topic.
07:35
In reply to this message
I think using the existing entropy as a seed does work.
G
12:26
Grizzily
Your project BD has sent me an e-mail about listing. Who should I contact? Zack
12:26
Someone contacted me about that but I forget
Deleted invited Deleted Account
S
15:51
Sy
In reply to this message
run the node, implement?
what do you need us for if you don't even try, nobody will pay you and I'm pretty sure nobody contacted you either...
N
16:46
NM$L
hi
17:08
Deleted Account
In reply to this message
nihao
N
17:17
NM$L
In reply to this message
hello
Deleted invited Deleted Account
Liam invited Liam
1 November 2019
JS
00:16
Jon Snow
In reply to this message
Which exchange are you from?
Z
06:16
Zack
I think if we combine the harmonic RNG strategy with the uncertain expiration strategy, instead of using the harmonic sequence 1/(2+N), we will be using something like C/(2+N)^2
Z
06:36
Zack
I can't find a way to combine the strategies to get (number of blocks)^2 security
06:47
so maybe this frame of reference allows us to finally make a hybrid pow/pos consensus mechanism that makes sense.
The PoS aspects can be set up to add higher security guarantees for the RNG.
06:49
how about a PoW/PoS hybrid mechanism where the PoS aspects are fully optimized to increase the security guarantees of the RNG.

For example, mining a block could require locking up a deposit for the next 100 blocks. you get the deposit back when you reveal a secret.

instead of getting the deposit back in full, there could be a 1/N chance that you get the deposit back and it is N-fold bigger.
so we can use the PoS to enhance the RNG.
MF
06:53
Mr Flintstone
where do you get the entropy for the 1/N roll
Z
06:53
Zack
(block hash % N) == 0
Z
07:20
Zack
How far in the future can we make the sortition chains expire, and the value is still fungible?
07:21
I guess the real reason we would want to expire a sortition chain is because the amount of history you need to sync to be able to use that sortition chain has gotten too large.
07:23
every time someone gives up ownership of part of the sortition chain probability space, we need to keep a record of this.
07:27
but, each person only needs to know about the history of the fraction of the probability space that they actually own.
So we are only keeping one copy of the entire history.

Compared to the main chain, where every full node downloads the entire history, even analyzing a sortition chain that hasn't closed is far more efficient than doing it on the main chain.
07:28
Some people could specialize in owning parts of the sortition value that have very complicated history that needs a big database to remember.
07:28
so if your proofs get too long, you could swap them out for clean coins.
07:32
the sortition chain has state channels inside of it.
You can do smart contracts inside the state channels, and none of that smart contract state needs to be recorded inside the sortition chain when you settle the state channel.
As long as you and your partner agree on the final outcome, you can both just sign over the result, and only that gets recorded in the sortition chain history.
07:35
So, our sortition chain structure, it is recursive inside of itself.
We can have the inner sortition chain layers have an earlier expiration date than the outer layers.
And in this way, we can prune some of the history from inside the sortition chain without having to record anything on-chain.
MF
07:39
Mr Flintstone
so this is pos because your stake has an influence on the rng used in the next block? why wouldn’t this be vulnerable to tragedy of the commons style bribery attack?
Z
07:40
Zack
If we had a sortition chain that was going to last 50 years, then it would gather 50 years of block rewards.
So the last 25 years, we are expected to find one 1-pbit on average, worth (how many blocks we have in 25) block rewards.

Whichever mining pool finds this block that is worth 25 years worth of block rewards.
There is no way we can expect them to fairly distribute that to miners, right?
07:41
In reply to this message
nope. I stopped working on the pos strategy for now.
Now I am just trying to think about what sortition chains will look like, given the limitations as they exist with the best tools we have developed so far.
07:41
it seems like if we spend a longer time gathering entropy, we can store more value in them.
07:41
but 25 years of block rewards all at once, it just doesn't seem reasonable
07:42
What is the upper limit for how big of a bonus reward we can reasonably give to mining pools?
07:42
100 block rewards?
MF
07:42
Mr Flintstone
seems like our best tools currently available involve asking the oracle something
Z
07:43
Zack
In reply to this message
why do you think that?
MF
07:45
Mr Flintstone
for one it allows us to ask about bitcoin blocks at minimum
Z
07:46
Zack
If each sortition chain can only last 1 month, and there are 4000 blocks per month, and we can close 10 sortition chains per block, then given our current level of understanding, we could securely have 4000*sqrt(10*4000) block rewards = 8000 veo in sortition chains.
07:46
if it got popular, I think the block reward would go up, and so we will be able to fit more into the sortition chains
07:47
so I think we have already passed the good-enough threshold
07:47
what is annoying is that each sortition chain would only have 2 veo in it. haha
07:48
yeah, I guess using bitcoin randomness is a lot better for now
07:49
I would like it if we had some sort of clear path towards success. so you could see how we could become the world reserve currency.
If Amoveo can only function as long as the total demand is less than 1000*(bitcoin block reward), that is a limit on how big we could get.
07:52
I think the answer to this secure consensus randomness question is going to be important for being able to predict which kind of blockchain will win.
07:54
oh, not 2 veo per sortition chain. actually 0.2 veo per sortition chain. haha
Z
08:12
Zack
So if you want to make a 10 veo bet with someone, all we need to do is duplicate that bet into at least 100 different sortition chains
08:12
so you just keep track of 100 different state channels, each with signed smart contracts of the bet
08:15
It's so weird how we can trivially make any amount of randomness between any pair of people, but we are so limited at coming to agreement about randomness in bigger groups.
Z
08:52
Zack
How about an on-chain slot machine, and if you win, you need to reveal a secret that you had committed to in order to claim your winnings.
As long as we have a constant stream of people playing this game, the entropy released from earlier players can determine which later players will win, and it will produce extra entropy to run the sortition chain too.
08:55
I guess the problem is that if everyone who is playing the slot machine during a period of time is all actually the same person, then they could take over.
Z
09:29
Zack
In reply to this message
So instead of the harmonic strategy. We should use the uncertain expiration strategy.

Then we can have sortition chains that aren't expected to expire for decades, and it will work.
Because the inner layers can have earlier expirations, allowing us to prune old proofs.
09:31
Oh, I have been modeling it wrong.
There is a period when spending is allowed. And then there is a period when we are generating entropy.
We need to stop the spending once we start generating entropy.
So I guess we can't use extremely long time periods for sortition chains this way.
JS
09:54
Jon Snow
In reply to this message
Asking for me?
K
16:04
K
In reply to this message
Lmaoo
Z
16:52
Zack
if each sortition chain only has 1 block reward in it, then it only takes 1 block to generate the entropy.
If we launch a new sortition chain on every block, and make the expiration date as far in the future as the genesis block is far in the past, then it all works out, right?
so block number N creates a sortition chain to expire at height N*2
16:55
oh, once they start expiring, then we have too many bitcoin to fit into all the factories
Z
17:57
Zack
how much money we can fit into sortition chains is so connected to how big the block reward is. It makes me think that we would need to lock the block reward to a single value, and stop using governance to update it.
17:58
or maybe the block time should be based on how long it takes for a certain amount of tx fees to accumulate, instead of a fixed amount of time.
18:01
oh, maybe we can just adjust the constants that define each sortition chain every time we change the block reward.

If we transition to be paying out 1/2 as many block rewards per hour, and we are on harmonic step N, then we would jump to step 2N.
if the odds of expiration on any block were 1/L, then we adjust them to be 1/(2*L).
2 November 2019
Z
01:06
Zack
Everyone who was ever involved with ICE is now banned from Amoveo.
P
01:10
P
In reply to this message
wut
01:10
why is ICE here in TG?
MF
01:10
Mr Flintstone
Like the exchange?
P
01:10
P
are you harbouring illegals Zack? xD
Z
01:11
Zack
everyone is mad at github for not banning ICE. So I wanted to pre-emptively ban them, so we don't get cancelled.
01:14
if so understandable. cancel culture is sadly real
Z
01:17
Zack
Many of my friends have lived their entire living memory on an expired US tourist visa. I hated ICE before it was cool.
Z
01:35
Zack
maybe we can have lots of small sortition chains, and set it up so a single signature over a single smart contract can be valid for many of the different individual sortition chains.

So if you own 1 veo or more, it is like owning veo normally, and if you own less than 1 veo, it starts behaving more probabilistically.
Z
06:37
Zack
Lets say there are 1000 block rewards in a sortition chain.
Instead of closing the chain once and paying out all 1000 block rewards to one winner, what if we break it up into 10 steps.

In the first step we give out 1 veo to a winner,
in the second step we give 2 veo to a winner,
in the third step we give 4...
until we give them all out.

At any step, the winner can choose to not collect their prize. If they make that choice, it has one bit of influence on the entropy for the remainder of the sortition chain prizes.
06:38
so we only need to gather up enough entropy to close a sortition chain worth 1 block reward, and that is enough to start the process of closing this multi-step sortition chain.
06:40
the choice to not collect your prize, it is worth (Block reward)*(2^N)
and it gives you one bit of influence over the remaining prizes.
06:45
I guess this strategy doesn't work for the cases where the attacker owns >1/2 of the money in the sortition chain.
06:58
if we can assume that the attacker has less than N-1/N of the money in the sortition chain, then every step can give out N/(N-1) times as much of a prize as the previous.
07:05
I think this also doesn't work in the limit where everyone has very small amounts of the sortition chain.
Because it would never make sense to not collect your prize.
So we can safely assume that everyone will collect every prize.
So an attacker who controls the entropy at the beginning, will control it all the way through.
07:13
===================
looking at the uncertain expiration model, everyone has a secret to tell them if they have won in a certain round or not.
So if you spend your money to someone else, they will have a different secret that will allow them to win under different conditions, even though they are owning the same money.

So maybe the secret that you use to know if you have won, we can take entropy from that secret.
Z
07:38
Zack
In reply to this message
I'm feeling pretty confident about this one. I think we may finally have broken the (number of blocks)*sqrt(number of sortition chains in parallel) barrier.
07:39
and what is nice, we won't have to have weird blocks that pay out thousands of block rewards all at once.
07:48
oh, I think this might be contradictory with how our sortition chain can end up creating a new sortition chain when it is closed.
07:51
but maybe we can adjust the sortition chain tx types design to make it work.
Z
08:24
Zack
yes, it seems like this design is possible.
you will need to provide evidence for all levels of the sortition chain at once when you are collecting your winnings, so it will be important to make sure that all the contracts together are still small enough to fit into a block.
08:26
if you are one of a trillion people owning value, then overall it will contain at least 30 binary chalang contracts to prove that you won.
But these binary contracts only need to be like 1000 bytes long, so it should still be easy to fit it all in a block.
08:31
oh, I think it still breaks down if the attacker has the vast majority of the value in the sortition chain.
Because it allows them to anticipate what random values will come next.
08:45
Maybe there is some mixed solution where we use lots of p-bits from the miners, mixed with entropy revealed by winners of chunks of the sortition chain.
T
10:12
Topab
Interesting concept. Not sure if it can work. Optical POW https://twitter.com/MikeDubrovsky/status/1190058462002241538
Z
16:35
Zack
https://en.wikipedia.org/wiki/Optical_computing optical computers do not exist. it is just an idea.
Z
17:57
Zack
In reply to this message
How about we have N block rewards in a sortition chain, and we use the harmonic process to get enough entropy to close a sortition chain with N/20 block rewards. So 20 times smaller.
And we break up the sortition chain into 20 equal sized chunks.

So an attacker can skip out on winning one of the chunks to get a bit of entropy control over the remaining.

I think this allows us to trade off having N-fold more on-chain data in exchange for needing N-fold less time to gather entropy.
So it is the optimization we need to make sortition chains useful even when there are few users.
Z
18:26
Zack
If the attacker controls most of the value in the sortition chain, it ends up acting the same as 20 sortition chains sharing the same entropy.
Only a factor of sqrt (20) improvement.
3 November 2019
Deleted invited Deleted Account
Z
22:26
Zack
How about we give the users of the sortition chain the option to pay an extra fee to cash out their part of the sortition chain without using randomness.

So if you own 2% of the sortition chain, you have the option to pay a bigger fee to receive exactly 2%.

If the option of precise payout is available, then we will be able to react to an attacker who is trying to own >50% of the value in a sortition chain to attack us.

And that means we can safely build randomness with the strategy where each person collecting their winnings reveals entropy to determine the next winner.
22:26
If you cash out 2%, then the remaining 98% is still available for the remaining participants in the sortition chain to win.
4 November 2019
Z
06:54
Zack
In reply to this message
There are still lots of details to work out, but this seems like a promising strategy so far.
5 November 2019
K
02:18
K
In reply to this message
Sorry to bring this up. The subcurrency is based on how many transactions are being created. More transactions = more power. Theoretically, won't actual businesses using IOTA be generating the majority of these transactions. Bribing actual businesses that are using IOTA to generate themselves profit would cost much more than holders of a proof of stake coin right?
Z
02:59
Zack
In reply to this message
if the transaction fees are very high, then you can prevent people from making spam transactions, and you can be sure that everyone who makes a transaction really wants one.

but this comes at the cost that transactions are expensive.

When we talk about "blockchain security", we mean something similar to kilometers-per-liter of gas for cars.
Every kind of car will get you where you want to go, but a car with better fuel efficiency will cost less to get there.

When we say that one blockchain design is "more secure", what we mean is that it is more affordable to achieve the same level of cost to attack this blockchain.
I wrote more about this here: https://github.com/zack-bitcoin/amoveo/blob/master/docs/basics/trust_theory.md

So a design that only offers you security by making transaction fees very high, it is not secure at all.
Z
05:14
Zack
If you distribute stake between a larger number of people in PoS, then the bribes needed to break it become cheaper.
05:20
In reply to this message
is this strategy a kind of PoS?
We have security guarantees based upon the portion of stake owned by an attacker in an individual sortition chain.
6 November 2019
Deleted invited Deleted Account
7 November 2019
15:58
This is what the ardor/nxt cto has to say about ur argument
Deleted invited Deleted Account
Z
22:26
Zack
https://arxiv.org/pdf/1904.06441.pdf https://medium.com/@adlerjohn/the-why-s-of-optimistic-rollup-7c6a22cbb61a I'm thinking I'll write a review of John Adler's sidechain stuff.
This is what Ethereum is trying to do for scalability instead of sortition chains.
James Dean invited James Dean
8 November 2019
Z
01:36
Zack
In reply to this message
This plan is only for sharding hard drive lookups.

I knew that hard drive lookups would be important. That is why I invented the stateless chain idea for Amoveo.
We include all the Merkle proofs you need to verify a block. So a full node does zero hard drive lookups to sync the blocks.

You only look at the hard drive to generate new transactions, and you only need to know about the part of the consensus state that contains the data your transaction will use.
01:38
Sortition chains is a plan to exponentially shard everything. Besides hard drive lookups, it will shard:
* bandwidth
* consensus state
* writing to consensus state
* reading from consensus state
* processing turing complete transactions
01:39
Maybe I should make a chart of the goals of various sharding plans.
Deleted invited Deleted Account
04:33
Deleted Account
hiii
05:20
What other sidechain or sharding strategy should I add?
Z
06:35
Zack
https://ethereum.github.io/blog/2014/09/17/scalability-part-1-building-top/
Vitalik wrote about scaling ideas in 2014.

Amazing how he wrote about probabilistic payments and payment channels right next to each other on the same page, and it still took us so long to realize that they can be combined into sortition chains.
His description of off-chain oracles is more similar to our oracle design than it is to Augur or Hivemind.
9 November 2019
Z
00:03
Zack
In reply to this message
I added a bunch more info to this chart.
Like about Ethereum Plasma, and Lazy Ledger.
Z
02:09
Zack
I'm thinking of renaming "sortition chains" to "plasma lottery"
Z
04:00
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/sortition_chains_random.md I made a document about the current design for RNG for sortition chains
Deleted invited Deleted Account
08:29
Deleted Account
Hello
08:29
Am new
ŽM
12:19
Živojin Mirić
welcome mira fren helloo and very much txh
12:19
@Mira_mi1 žđ
Deleted invited Deleted Account
. invited .
10 November 2019
B
02:53
Beer
Z
05:38
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/sortition_chains_random.md
I think this RNG is a kind of hybrid pow-pos consensus. Because guarantees are coming from the assumption that less than a certain percentage of the value in the sortition chain is owned by the attacker.
A combination of PoW, the sortition system of collapsing state, and the ability to split sortition chains into smaller sortition chains as necessary, they come together to give us the guarantee that the attacker doesn't have too much.

Maybe we can use this technique to make some tools developed for PoS blockchains into something actually viable.
05:50
Are there other sharding strategies that I should add to the chart?
Z
06:27
Zack
In reply to this message
I think it is good we figured out the details of rng first.
Now we know that we need to settle the sortition chain in chunks that get bigger exponentially, and we need to give users the freedom to divide the sortition chain into two sortition chains, so they own 100% of the value on one of them.
Z
10:54
Zack
Given what we have learned about how RNG will work, can we use our current strategy where sortition chains are able to produce sortition chains when they settle? Or do we need to settle all layers at once?

If we allow sortition chains to create sortition chains, then that means a smart contract can be bigger than a single block. It would allow us to scale by an additional exponential factor.
So it is the better solution, if possible.
Z
13:34
Zack
X
20:37
X | NPC
In reply to this message
Elaborate, please
11 November 2019
05:10
Deleted Account
Hello everyone
Z
07:06
Zack
In reply to this message
So, let's say a sortition chain allows for divisibility to 1/2^N of the value stored in it, and it has B block rewards of value in it.

the current plan is to divide it up into log2(B) batches, and each batch is giving us a bit of entropy.

but what if we instead got each bit of entropy from the sortition chain creating a child sortition chain.
So in this design, a child sortition chain could not have >1/2 the probabilistic value of its parent.

If you own value in a child sortition chain, and you are expecting to win, then you could provide evidence that the child sortition chain won, so that later you could provide evidence that you won.
So in each situation, if you do not provide the required entropy, the cost to you is as high as all the stake in the sortition chain.
Deleted invited Deleted Account
08:43
Deleted Account
Hi, what is amoveo?
Z
08:50
Zack
https://github.com/zack-bitcoin/amoveo this is the page I maintain about Amoveo.
If you have more questions, feel free to ask here.
NS
09:41
Nayan Savla
In reply to this message
👀🖐️
Jerry [ViteX Ref 1039631644] invited Jerry [ViteX Ref 1039631644]
Deleted invited Deleted Account
A
17:15
ALGO
In reply to this message
Hey Veronica, you can use a number of resources to learn about Amoveo. My suggestion would be to read the Amoveo.io website to get a quick overview.
17:17
Zack's github also provides an in depth look at Amoveo and its underlying technical foundation and potential capabilities in use. https://github.com/zack-bitcoin
Z
22:34
Zack
In reply to this message
It seems like this technique will not work. Because there will be many people who are able to provide evidence to make one level of the sortition chain settle correctly.
So the attacker can have confidence in how it will turn out.
So it isn't adding any entropy.
22:45
If we need to divide each sortition chain into log2(B) batches, to get it to use entropy correctly, and each batch needs log2(# users) of smart contract data to prove the correct outcome, then the on-chain bandwidth, and the time cost are both log2(B)*log2(# users)

So it seems like there could be efficiency gains to be had by using 2 flavors of sortition chains.
If a sortition chain either has few users, or if it has few block rewards of value locked into it, then it can be extremely efficient. exponentially better than any alternative.

If it has both many users, and a lot of value locked in, then it will be only square_root(exponential) better than the alternatives.


Our expectation is that when sortition chains get settled, one person will be owning all the value in it.
so every batch will end up using the same smart contracts to prove that he won.
It would be nice if Amoveo could remember the result of the contracts when settling one batch, so the user doesn't need to re-publish the same contract for all the different batches.
This would bring down the expected case to log2(B).
JS
23:41
Jon Snow
Are the community members still doing the Amoveo newsletter? Haven’t seen it for a while
12 November 2019
A
00:00
ALGO
In reply to this message
We have put the publication of the newsletter on hold at this time. For now, we are looking to publish newsworthy events and circulate them on social media when they occur as opposed to publishing a weekly newsletter. This may change in the future. We are considering a move forward to cover newsworthy events that are happening in decentralized finance blockchain projects in general.
Z
00:01
Zack
It is good to try different strategies, that is how we learn.
JS
00:12
Jon Snow
In reply to this message
Thank you
04:32
Is anyone familiar with this website and have used it to make predictions?
Z
11:52
Zack
In reply to this message
If one person owns all the value in a sortition chain, then the smart contract will be incredibly simple. It just returns the winner's address.

The cost will be that the winner will need to publish a bunch of proofs of where people had given up ownership of the same part of the probability space.
11:53
Each proof has a merkleized connection to a block height where the sortition root was committed, and it has a signature of whoever is giving up control.
20:18
Deleted Account
🙈
Z
20:28
Zack
So let's imagine a future where Ethereum is supporting 1000 transactions per second, and Amoveo is supporting 1 billion per second. Each of our tx fees is less than 1/1000000th of the tx fee on Ethereum.
Would this advantage still be significant?

I feel like with finance, being more scalable will always be better. If you can make financial contracts cheaper, people will always be able to find ways to extract more value from them.
20:37
I think that someday, every time you send or receive a message, it will include a smart contract.
Every API request will include a smart contract to handle the financial side of the request.

And so your smart watch or car could be making dozens or hundreds of smart contracts per second, to do things like requesting traffic data, or your GPS coordinates, or to push your heart rate data to the people who bought it from your smart watch manufacturer.

The video game server will require payments based on the amount of content you request.

This will allow us to balance the financial cost of operating an API, so that the internet can rapidly respond to changes in demand for various services, allowing us to allocate resources more efficiently.
It would allow the internet to route around censorship more easily.
It means that any spamming attack can be easily prevented by making it financially infeasible.

But achieving all this, it requires a kind of scalability in our financial system that goes far beyond anything that has ever existed.
We would need millions of times more transactions per second than VISA or SWIFT.
20:39
SWIFT does 400 per second.
VISA does around 2000 per second.
Eth2.0 is aiming for 1000 per second.
GE
20:44
Gatis Eglitis
In reply to this message
VISA - not 20k / s ?
Z
20:44
Zack
If we want every human to have a smart contract with every other human, that is like 2^70 contracts.
GE
20:44
Gatis Eglitis
Visa does around 1,700 transactions per second on average (based on a calculation derived from the official claim of over 150 million transactions per day)
20:45
right
GE
20:45
Gatis Eglitis
In reply to this message
what about capacity - not average
Z
20:46
Zack
capacity is probably a lot higher. I bet they get surges in usage at certain times of day.
20:46
that is less of an issue for blockchains, because we can make our channels slowly, and then use them for instant payments when we need them.
Z
20:49
Zack
In reply to this message
if we want every human to have a smart contract with every other human every day, that is around 1.37*10^16 txs per second.
20:49
13700000000000000 transactions per second
A
20:50
ALGO
In reply to this message
I found the dispute section of this Wiki page quite interesting, it ties into the question of oracle resolution and gives some examples of difficult markets to find consensus on
Z
20:53
Zack
In reply to this message
log2(1.37*10^16) is 54.
So this sortition chain to allow every human to have a smart contract with every other human every day, it would cost as much as if we had put about 54 of those smart contracts on-chain.
20:54
10^16-fold scalability increase.
1000000000000000000% better scalability.
21:04
If the graph of our daily financial contracts is complete, that could have some serious social implications.

If every person can use a financial contract to accurately explain their needs to every other person, every single day. Maybe it would resolve all conflict.

All of our goals would become aligned, because helping anyone else would be equivalent to helping yourself.
You would never have to doubt if someone collecting socialized benefits is leeching off the system, or if they really need it.

Because we could use financial contracts to honestly and provably reveal our economic preferences to everyone.
21:07
==========
I think it doesn't work.
Sure, we can make a blockchain that is scalable enough to handle this many smart contracts.
But there is still only a finite amount of currency in the system. And each human only owns as much money as they actually own.

If you wanted to make a smart contract with everyone on earth at the same time, probably each contract is worth so much less than $0.01, that you aren't communicating almost any information.
21:13
============
if every human does 1 payment per day, that would be around 100 000 per second.

I think it is not unreasonable to imagine that every person will want to do 1000 per day, for all the web services that smart contracts could be integrated with.

so that would be 100 million transactions per second.
I
21:15
Instinct
In reply to this message
So it’s not feasible due to the low $ amount of each transaction?
21:23
The complexity of managing sortition chains on a mass scale seems unrealistic to me unless the process would be automated for end users. I guess it would be a huge new industry if successful with large organisations managing chains with hundreds of millions of dollars of subcontracts underneath
21:24
I might be misunderstanding how it would work
Z
21:24
Zack
In reply to this message
I can't imagine a future where every person is making a contract with every other person every day.
21:25
In reply to this message
The wallet interface for sortition chains is excessively simpler in comparison to the current state channel interface.
21:25
and state channel smart contracts are simpler than on-chain smart contracts.
21:26
and on-chain smart contracts are simpler than legal contracts.
I
21:29
Instinct
In reply to this message
What about the contract owner of a sortition chain that has 10 layers underneath. Does he/she need to constantly monitor the underlying contracts?
Z
21:33
Zack
In reply to this message
You could split it up into 10 parts. Sell the 10 parts to 10 people who want to run sub-sortition chains, and then stop caring entirely.
Since you sold all your stake in the sortition chain, you don't have to maintain any data related to it, or be involved in any way. You could go offline.

Those 10 people running sub-sortition chains, they could do the same thing as you. They could split it up into 10 parts each, sell them to other people, and then stop caring. Because they have no more stake, they can go offline.
21:34
If you have a contract, you need to keep a copy of the contract's most recent state. And you need to keep a list of signatures from everyone who previously owned this part of the probability space. When they give up ownership, they sign something saying that they gave up ownership.
21:39
So, no one is ever monitoring anything.
If you own a contract, then you need to save some data, and if you win the lottery then you need to come online when it is time for the sortition chain to settle.
I
21:42
Instinct
In your example on GitHub - “Example: You lock $10 into a sortition contract to bet at 50:50 odds on the outcome of a football game. At the end, you have $20 in the contract. But the total value of the sortition chain is $1000. Since you have $20, what that means is that you have a 2% chance of winning the entire sortition chain of $1000. Typically, after the end of the football game you would sell your stake in the sortition contract for $20, instead of holding such a high-risk asset.”

The person who won $20 or 2% chance are relying on the sortition chain owner to buy their stake?
Z
21:43
Zack
In reply to this message
no. they can sell their contract to anyone, and they do not need anyone's permission to sell it.
I
21:44
Instinct
In reply to this message
But if no one is willing to buy they will be stuck with the 2% chance of winning $1000
21:45
Also wouldn’t it mean the operator of the $1000 chain will want to monitor all underlying contracts like that one so that they don’t allow 2% of losing all their stake?
Z
21:46
Zack
well, we are adding a feature so you can pay to split the sortition chain into parts.
So you could divide it into 1 sortition chain with $20 where you would win everything, and 1 sortition chain with $980, where you have zero probability to win.

The fee to pay for this is a limit on how much you can lose.

In practice, a specialist will buy up a lot of value in the sortition chain to settle it all together, so he only pays a fee once and can settle a large amount of value without risk.
21:46
In reply to this message
I don't understand this question.
I
21:47
Instinct
In reply to this message
Ok this is good
21:53
In reply to this message
In your example If I operate the $1000 sortition contract, how do I mitigate the risk of losing it all if the person with the 2% chance decides not to sell his place in the lottery?
Z
21:55
Zack
you have options.
1) you could sell your entire stake in the sortition chain before then.
2) you could pay the fee to split the sortition chain into two parts, and you own 100% of the value on one of the parts, and 0% on the other, so now you don't have risk.
I
21:55
Instinct
I realised splitting the contract would be a solution as soon as I posted haha
22:08
In reply to this message
Who is the fee paid to?
22:09
also when you setup a sortition chain you decide when the lottery takes place & the contract ends?
Z
22:41
Zack
In reply to this message
Burned. Like how gov fees work on all tx types.
22:41
In reply to this message
Correct.
22:42
That way everyone knows what block to check if they won
I
22:47
Instinct
👍 thanks for your answers
13 November 2019
cryptodek invited cryptodek
Z
11:17
Zack
In order to close a sortition chain using batches that increase in size by a factor of 2, does that mean each individual batch needs to be a fixed length of time long?
11:20
Even if we can fit trillions of accounts into a sortition chain, it seems like we still have a linear limitation in how much history each part of the probability space can experience.

If you win, you need to be able to publish evidence of everyone who had given up ownership of that part of the probability space.
So if this bit of the money had been spent 1000 times, you would need to write 1000 signatures to the blockchain.

We can put state channels inside of the sortition chain, and individual payments inside the channel don't need to get recorded on the main chain.
11:21
So I am wondering if there are some models about the velocity of currency.
How frequently does the currency change hands on average?
11:23
https://en.wikipedia.org/wiki/Velocity_of_money oh, looks like this is a studied thing already.
11:26
https://fred.stlouisfed.org/series/M2V Does this say that US dollars are spent on average about 6 times per year?

If that is the case, the sortition chains should be easy. In a 2 month period, the average money only gets spent once.
11:32
So I guess sortition chains will only be exponentially better until we get to the point where everyone is making and receiving so many financial contracts every day, that in a 2 month period the volume of smart contracts they have participated in is >1000x greater than how much value they own in that sortition chain.
At that point, sortition chains would start scaling linearly.


In 2019, is there anyone who uses the same $1 to make more than 500 different financial contracts in the same month?
I guess high frequency traders are the only ones.
11:39
oh, how about if someone is running a casino application, with slot machines. So they want the customer to have a small chance to win a large amount of money.
So we keep locking up a large amount of money into different state channels inside the sortition chain.
Every time we take it out of one of the channels, at least one of the channel participants needs to make a signature giving up ownership of this part of the probability space.

Practically speaking, for the slot machine application we could build the app without using state channels. Just with cryptographic coin flips and sortition binary contracts. That way no one would need to add a signature to the history on each slot machine round.

But this example hints that there might be some real use case today where sortition chains are only a linear improvement.

It would be nice if we could model that failure mode better, to be sure it won't be a problem for us.
11:45
I guess it is going to be easier to have non-fixed time periods for each batch.
That way if one batch needs more time to recite a longer history, they can have the extra time they need.
11:47
Do we really need to publish all the history for that part of the probability space on-chain?

It might be simpler to have a database that can store multiple people's attempts to provide evidence for closing the sortition chain.
That way we can have challenge response rounds, with a reward for anyone who can provide evidence.
So we can have guarantees about who won, without needing to recite the entire history.
11:48
I guess it is about time to start designing the transaction types for the next iteration of the sortition chain.
11:51
so for each sortition chain being closed, we will need to remember a list of potential winners. and anyone is able to provide evidence to show that one of the potential winners could not have actually won.
When the timer runs out, whichever potential winner has the Merkle proof connecting to the earliest block height, they win it.
12:01
https://github.com/zack-bitcoin/amoveo/blob/master/docs/design/sortition_chains_implementation.md
I added some new transaction types and a new data structure to this page.
12:04
In reply to this message
I think reviewing those other sidechain designs was actually helpful.
Because this challenge-response process is a huge benefit.
It means that each batch isn't O(log(number of txs)), it is O(1). The optimal solution.
12:05
But, we need log2((# of block rewards of value in the sortition chain)/(# of blocks of time we use to gather entropy)) batches to completely get the winnings out of the sortition chain.
12:08
since (# block rewards of value in a sortition chain) is independent of (# of txs per second), this means that sortition chains are actually level 9 for some things on this page https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/sharding.md
Z
20:01
Zack
So, how long till a nation state decides to use one of the crazy stablecoin cryptocurrency designs to power their national currency?
S
20:11
Sy
Ive already read about the "digital Euro"
20:11
not sure if that's just banning physical money, some of the usual bullshit or actual blockchain
Z
20:14
Zack
Governments love printing money. But people are catching on to the quantitative easing, and the overnight lending rate shenanigans.
So next they could come up with a stablecoin smart contract that automatically prints more of itself in response to certain conditions.
Like DAI and bonding curves.
S
20:24
Sy
next step will just be the ban of physical money so there is no more upkeep, just update the table if you need more money
20:24
why bother with any stablecoin or even blockchain...
Z
20:26
Zack
Yes, they don't want to unnecessarily give up control.
20:33
giving up some control can be a way to achieve more legitimacy though
Z
22:57
Zack
I found a big optimization in the sortition chain design.
Currently we build a tree of sortition chains. This tree is fine.

The problem is that we are using the same tree to organize all the proofs of when people give up ownership of a part of the probability space.

Re-using the same tree structure for both meant that a sortition chain operator had to basically do 2 unrelated jobs.

By using a different tree for both things, we can allow nodes to specialize.

So we will have
* sortition chain operators
* spent-proof collectors

The sortition chain operator doesn't need any reputation. They can go offline and it doesn't matter.

When a new sortition chain is made, you need to choose a list of spent-proof collectors to be associated to this sortition chain.

In order to receive a payment in the sortition chain, you need to download a Merkle proof for every block height at which any of the spent-proof collectors had made a commitment.

So this means any one of the spent-proof collectors can cause the sortition chain to freeze, by refusing to reveal some information that they have embedded in the spent-proof tree.
22:58
I wonder if we can make the spent-proof collector relationship into an N of M sort of thing, so they can't make it freeze so easily.
23:00
maybe we can reuse some erasure coding trick that ethereum is looking at combining with optimistic roll up.
23:13
In reply to this message
oh, I think this optimization is a mistake.

There are 2 ways to transfer value in sortition chains.
You can spend your coins to someone else inside the same sortition chain.
Doing this requires downloading proofs of this part of the probabilistic value for every part of the history, and it requires the cooperation of the sortition chain operator, because they need to make the contract so that when you give up ownership, it gets transferred to the target recipient.
The sortition chain operator can freeze this kind of transfer in many ways.

The second way to transfer value is by converting your account in a sortition chain into a new baby sortition chain. So now you are the sortition chain operator for this new chain, and you can spend the veo to who you want.
The operator of your sortition chain can't stop you from doing this no matter what, because your proof of ownership is connected to an earlier block height, so your contract has higher priority.
Z
23:40
Zack
In reply to this message
It looks like the IDEX team will be operating a trusted sidechain to store all the trades in their decentralized exchange.
The problem with this strategy is that the IDEX team can choose the order to do the trades. They can front run everyone.

The fact that they refer to this as "optimistic roll up" makes me consider it a scam.
In optimistic roll up as defined by this paper https://arxiv.org/pdf/1904.06441.pdf anyone who mines a main chain block can include some data to add a block to the sidechain.
There is a safety deposit paid when you add a block to the sidechain.

The IDEX plan in this blog post is completely different. Their team is the only one who can add blocks to the sidechain. This creates a centralized failure mode.
14 November 2019
03:13
Can update it to include the argument that the lead dev of NXT, Ardor and Ignis made
03:13
Here's a link to the twitter chain: https://twitter.com/lioryaffe/status/1192320643511017473
Z
06:40
Zack
In reply to this message
ok, I added it.

I am noticing a clear pattern in this paper.
The higher the status of the reviewer, the lower the quality of the review.

I think being high-status causes people to become less intelligent.
06:48
Or maybe high status people feel pressured to respond even when they don't completely understand, and low status people respond because they feel like they can add something to the discussion.
K
06:49
K
In reply to this message
maybe they're just more busy. If I was running a business I wouldn't want to enter hour long arguments with random people on twitter
Z
06:51
Zack
If you were running a business, it seems to me that the most important skill you could have is the ability to understand and communicate why your product or service has value.
K
06:52
K
Yeah but imagine how many randoms respond or tag him in tweets talking about stuff similar to this and how much work he is doing developing 3 projects
06:52
You should put Co-founder of Aeternity and Augur, or ex-lead dev or smth on ur twitter bio about those two projects
06:54
People might put more effort into replying if they see you were a lot of the brains behind big projects/more credible
Z
07:05
Zack
ok, I updated the twitter bio
07:06
Currently working on $VEO
ex-co-founder of $REP and $AE
invented: state channels, trustless oracles, scalable side-chains.
Z
08:19
Zack
@ALGO94 works for them
08:27
the version of the light node that I maintain works how you are recommending.
You can get it from github, and self-host https://github.com/zack-bitcoin/light-node-amoveo
it is pure javascript, so self-hosting is very easy.
08:30
only mining pools and exchanges need to run a full node.
The light node has cryptographic proofs of security, and it is easier to use than a full node, because you just open a file with your browser.

The full node is also fairly easy to install, but you need to use linux.
08:32
Even though I run a full node, I still use the light node as my wallet and to make smart contracts and to do all the stuff users do.

I just run a full node so that I can be aware of the user experience for exchanges and mining pools.
08:35
Satoshi wrote about SPV nodes in the bitcoin white paper. today we call them "light clients".

In bitcoin, and all PoW blockchains, they don't mine directly on the block. Instead they use the block to generate a header, and then mine on the header.

The headers are much smaller than the blocks.
The advantage of this technique is that you can verify the PoW with just the headers, and you don't need to download the rest of the block.
08:36
In reply to this message
Erlang is not a compiled language.
I expect them to install the Erlang VM and run the Erlang scripts that make up Amoveo.
08:37
the headers have the PoW on them.
this is how bitcoin works.
the bitcoin full node starts by downloading the headers, and then it gets any blocks or txs you need afterwards based on the PoW in the headers.
08:38
If you think headers and PoW are not secure, then I guess you think the bitcoin full node is not secure?
08:41
https://bitcoin.org/bitcoin.pdf here is the bitcoin white paper.
Section 8 is about SPV nodes.
NS
10:14
Nayan Savla
In reply to this message
👍
K
16:20
K
In reply to this message
👍 good marketing, thanks!
A
20:24
ALGO
In reply to this message
This would be a consideration for @denis_voskvitsov
20:30
Eliminating phishing attempts for popular projects is infeasible, if phishing attempts become an issue then we can issue warnings to users to help prevent them from accessing phony websites or alternative phishing attempts. Amoveo has a number of options for users to access their funds with in a secure fashion and users should naturally maintain a sense of accountability for their holdings.
DV
20:34
Denis Voskvitsov
In reply to this message
20:42
ok, I see your point.
it could be useful in some cases but currently the node daemon requires many dependencies that are generally hard to build and run by a user.

I think such a distribution will be available in the future, but at the moment the best solution is to use the desktop wallet, which gives you the most security as it runs fully on your machine, and as the Amoveo node doesn't need to be trusted it's still secure to use any available one.

we tried to create a simple node distribution inside a docker image but it's on hold at the moment, since it has some stability issues.

for example, using ethereum you barely set up your own geth/parity instance and just use some node from ConsenSys through Metamask or Mist. I think the same approach would be fine for Amoveo.
DV
21:22
Denis Voskvitsov
that's true. can't disagree with that.
21:27
if the user opens an app and it just works — what's wrong with having the wallet without the integrated node?
21:36
I believe that the end user shouldn't think of blockchain architecture internals. From that point of view it would be 10x better to have a nice browser extension wallet like Metamask allowing pure js applications using amoveo, than to distribute a full node to any user.

ofc robust core infrastructure is key, but even now with such a small community there are like 20 working full nodes in different places which won't be blacked out at once.

anyway, if you're interested in this you could consider making that docker image finally work (or employ someone for that).
Z
21:46
Zack
In reply to this message
Now I think the optimization would be good.
So let's call the 2 types of transfers horizontal and vertical. Vertical is the one that makes a new sortition chain.

The cost of horizontal transfers is proportional to the number of sortition commits that have occurred.
So if we have specialists who build up trees of when users give up control of part of the probabilistic value space, then some of those specialists can commit on chain with lower frequency. So the confirmation time is slower, but the amount of data you need to download to spend money is less.

I think a sortition chain can have baby sortition chains that each use a different spend-commit-tree-service.
So both Merkle trees are completely independent.
Z
22:02
Zack
The light node does come included with a full node install
15 November 2019
Z
07:55
Zack
Sortition chains have a lot in common with some plans from Eth 2.0: optimistic roll-up and zk-roll-up.

So I am thinking we should rename sortition chains to "fruit roll-up".
Because sortition chains are like a lottery, and gambling and lotteries and slot machines often have pictures of fruit.

Other options are:
"cinnamon roll-up"
"tootsie roll-up"
"honor roll-up"
"casserole-up"
"spicy tuna roll-up"
or "egg roll-up"
08:00
"spring roll-up" could be a good one. we could have a picture of a bouncy spring.
08:00
"california roll-up"
Z
10:11
Zack
In reply to this message
So in the current design, you can choose N different nodes to do the spend-commitment-Merkle-tree.

The off-chain data cost of a horizontal spend is (size of a Merkle proof)*N*(how many blocks the spend-commitment-Merkle-trees have existed for)/(the period of how much time passes between commitments in each tree)
and it has zero on-chain cost.

The strength is that you only need one of the N nodes to be available to enable horizontal payments. So it is N of N security.

The weakness is that if any one of the N nodes decides to refuse to reveal some data, they can prevent horizontal transfers. So it is 1 of N to be frozen.

It would be nice if we could use some erasure coding or something to make it harder to block horizontal transfers.

I have a feeling that no matter what strategy we go with, it will be the case that (the minimum number of nodes from the set needed to freeze horizontal transfers) = (the minimum number of nodes from the set you need to interact with to make a horizontal payment)
Z
11:13
Zack
Cryptokitties is a lottery based on the block hash.
So, based on the stuff we learned about RNG for sortition chains, cryptokitties is not secure at all.
Z
13:39
Zack
If the expected value of a kitten is below the block reward. Then it is secure.
13:40
Too bad no one knows how to calculate the expected value of a kitten. Haha
13:49
Deleted Account
I was thinking about a distributed Twitter today and came up with an idea. To accommodate PoW for sending messages, why not use mining hashes/solutions as a currency. I.e.: to pay for sending a message, mine a share (e.g. in Amoveo) and then give that share to the server along with the message to be sent. Instant currency without the hassle of registering private keys and transfer of money...
Z
13:59
Zack
I think you are describing bitmessage
DV
23:46
Denis Voskvitsov
DV
Denis Voskvitsov 15.11.2019 23:45:59
Hi!

While we're still waiting for Ledger HQ to review Amoveo app and include it into their official catalog, we decided to publish current beta release to let anyone interested in secure yet convenient cold storage use it.

Setting up the app on your Nano S will require a few steps as described at https://github.com/amoveo-project/veo-ledger-app-loader/

Currently, the app is tested on Nano S (fw 1.5.5), and we're working on support of Nano X.
Nano S FW 1.6.0 was released recently, but it isn't available to all customers and the app wasn't fully tested on it yet.

Once installed, the Amoveo Ledger app can be used with https://myveowallet.com or Amoveo Wallet desktop (select use hardware wallet on the main page).

Please note, that you can only perform spending transactions when using Ledger device as a key. To use oracles, for instance, send required amount from the Ledger account to any newly created one.

The app requires 23kb of Ledger device memory (Bitcoin app is 50kb, Ethereum is 33kb).
Nano S has approx. 130kb of storage available, so it's possible that you'll need to remove some unused app to install Amoveo on your device.
Z
23:48
Zack
In reply to this message
That's great. Lots of people like hardware wallets.
16 November 2019
JS
00:43
Jon Snow
In reply to this message
This is exciting news!
NV
00:49
Nikita Voloshenko
In reply to this message
Superb!
DV
00:52
Denis Voskvitsov
thank you guys

please note, it's an unofficial release, so the device will warn you every time you run the app, but it's ok for now.
02:10
fyi
JS
02:25
Jon Snow
Not sure if Amoveo is one of the projects those guys looked at
Z
02:39
Zack
bitfinex is a centralized exchange, right?
So this is a centralized prediction market?
02:40
the audio quality is pretty bad. I don't know what they are saying.
DV
03:57
Denis Voskvitsov
In reply to this message
they have dex-like exchange https://www.deversifi.com/ at least (former ethfinex)
so I think they can consider using decentralized prediction markets
JS
07:31
Jon Snow
In reply to this message
Maybe Exantech can make a pitch to them?
G
07:35
Gregory
Deversifi is not bitfinex. It's a split of ethfinex. With nec tokens.
DV
07:40
Denis Voskvitsov
wasn't ethfinex related to bitfinex? I was on their event in Lugano last year and it seemed they were connected somehow
07:41
ah, I see. you mean now deversifi is a separate entity
Z
07:49
Zack
I am not finding any documentation online to explain how deversifi/ethfinex is decentralized.

It seems like they require you to use a wallet to sign every request. It makes the web interface more annoying, but it makes some people feel safer.

If they actually had a decentralized exchange, they would need some kind of oracle mechanism to determine the price at which trades execute, and they would need some kind of trade matching smart contract to match trades in the right order to prevent front running.
07:58
oh, it looks like instead of using an oracle to know the prices of things, it is a dex limited to only swapping pairs of ERC20 tokens.
So, assuming that there exists an ERC20 that is linked to USD, then it is possible to swap it for ETH trustlessly.
G
08:00
Gregory
It's called dai
08:00
Also there is this
Z
08:01
I guess I should review why DAI doesn't work. I thought I already had.
08:10
In reply to this message
So, they don't have a solution to the oracle problem.
And I am not finding an explanation of how their exchange contract works. ExchangeEFX.
But it is generally accepted that single-price-batch contracts on-chain in ethereum are prohibitively expensive.
And we know that those are the only kinds of exchange contracts that can prevent the miners from front running.
So it seems like Bitfinex "dex" couldn't possibly have a trustless exchange smart contract.
Z
11:31
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/other_blockchains/tessr.md
Is this something OK for me to publish? I think it will get a lot of attention, but it is very different from my usual work.
11:36
I am sharing evidence that a murder might have happened.
11:51
whatever, I shared it.
JB
12:04
J Bluebs
In reply to this message
Seems like a stretch
Z
12:05
Zack
yeah, I am expecting someone to say that the Tessr foundation canceled the ICO, or that they gave refunds to investors. But I haven't seen evidence for that yet.
JB
12:05
J Bluebs
No, I just mean, he doesn’t have to be dead!
Z
12:06
Zack
well, they found a skeleton with his wallet in the pocket. so a lot of people think he is dead.
12:06
the police say he died. His mom says he died.
12:06
Tessr says he died
12:07
the fact that he is dead isn't really controversial. Everyone seems to agree on that much.
JB
12:07
J Bluebs
Ah oh you didn’t mention that
Z
12:08
Zack
https://www.wired.com/story/strange-life-mysterious-death-of-virtuoso-coder/ Wired recently released this article about this topic
JB
12:10
J Bluebs
Strange. Well, you’re right, definitely a motive
Z
12:20
Zack
In reply to this message
It would be nice if you had me review these kinds of things before publishing. There are lots of mistakes.
12:20
Augur is a voting type oracle, not a betting type oracle.
12:21
It doesn't make sense to distinguish between the robot-oracles and the centralized social oracles.
They are the same thing.
NV
12:21
Nikita Voloshenko
In reply to this message
I did about ~30 editions
12:21
In reply to this message
Okay, I see
Z
12:21
Zack
Voting oracles are very different from betting oracles because the total volume of bets needs to be less than the market cap of votcoins. It puts a limit on how many bets can exist at once.
12:23
Gnosis does have a betting type oracle, but they lack the ability to escalate to a consensus level fork. So it is a game of chicken, not an oracle.
JB
12:24
J Bluebs
Zack have you done a Link review
JB
12:26
J Bluebs
Perfect, I hope it confirms my belief it’s a shitcoin lol. The twitter shilling is at all time cringe levels
NS
12:27
Nayan Savla
In reply to this message
Wow... interesting work you have done...
Z
12:32
Zack
haha, almost no one cares.
Maybe the evidence isn't as strong as it seems to me.
Or maybe no one cares when drug addicts get killed.

I wish I could email his mom. It sounds like she thinks it was a murder.
12:45
I found his mom's email.
BC
18:13
Baudoin Collard
This raises an interesting question Zack : what happens to Amoveo should you die? Is it mature enough to survive you?
Otherwise it is not as decentralised as it should ;-)
18:18
Sorry for the crude remark, I don't want to distress you for the sake of discussion... Of course I wish you all the best!
Z
20:20
Zack
Amoveo is a very high risk project.
Even if I manage to stay alive, we probably will not succeed.

If I die, keep using futarchy to make decisions. Listen to Mr Flinstone, he is really knowledgeable.
B
20:22
Beer
what if you both die
Z
20:24
Zack
keep using futarchy to make decisions.
20:25
if I die, all my VEO will become burned.
I am not leaving my coins to family or anything like that.
It might even be good for the price.
JS
22:30
Jon Snow
If Zack dies, it’s game over for Amoveo.
Z
22:35
Zack
Augur is committed to the Rep holders now, so they can't upgrade from a voting type oracle to a betting type oracle.
So I think it is not possible for Augur to win.
22:35
voting type oracles are prohibitively expensive in comparison to betting type oracles.
22:36
Deleted Account
In reply to this message
Look at these fiat plebs
22:44
In reply to this message
What is v2
22:51
Augur is adding the ability to report "bad-question".
Something that Amoveo has had all along.
K
22:52
K
In reply to this message
There is no hard coded list of validators. You can choose what validators to trust yourself
Z
22:54
Zack
In reply to this message
If you change the hard-coded list of centralized Ripple leaders, then you will end up on a fork of Ripple.

It is like how if you change the software for a bitcoin full node, then your mining pool will mine blocks on a fork and your block rewards won't have any value.
22:54
you are free to choose what validators to trust. but if your validators end up disagreeing with the centralized Ripple leaders, then you will end up on a fork.
K
22:55
K
In reply to this message
Yeah, how does that make it a level four? If the ripple servers do something wrong and get forked then they get forked off
22:56
just like in POW
Z
22:57
Zack
If you are on a fork all by yourself, then the coins on your fork have no value.
No exchange will accept deposits of your fork.
K
22:58
K
In reply to this message
fork will have all the validators that disagree with ripple which is a lot. There are like 400 validators in total
22:59
it's up to the people who use XRP as to how much power they give ripple's validators
Z
23:01
Zack
So, let's look at a concrete example.
Let's say that the centralized XRP leadership decided to delay certain transactions slightly so that their own transactions get in earlier and they can trade at better prices.

What steps should I take to prevent them from front-running me?
23:02
Do I modify the ripple source code? Do I launch some full nodes? what steps do I take?
23:05
In reply to this message
my fork will magically have all the validators that disagree with ripple? How does that work?
Do I launch modified full node software, and then just tell everyone it is time to update?
23:06
Assuming most users are off-line most of the time, there won't be any evidence that front-running has occurred. So how am I supposed to convince everyone that the ripple servers are bad and they should use my updated code instead?
23:07
If there are 100+ traders who all got front-run at the same time, and we are all modifying the ripple source code and publishing new versions, how can we decide which of our 100+ new versions of ripple should be the new official version?
23:07
How can we agree on what height the fork should occur at?
17 November 2019
Z
21:40
Zack
"this seems to suffer for the same key problem of needing truth to be the cheapest way for respondents to coordinate answers. I expect this problem to be much harder to overcome." http://www.overcomingbias.com/2019/11/more-truth-mechanisms.html
Z
22:15
Zack
It seems like if I report the exact opposite of the truth for every question, I would end up getting paid the same reward as someone who was honest for every question?

since they are using the mutual information.
22:18
I think this tool is not useful for blockchain oracles for the same reason that Augur and Bitcoin Hivemind don't work.
It is a voting type oracle, and if you vote the same as the majority, then you win.
So an attacker just needs to bribe a majority of the voters.

This means that it can only be secure as long as the expected long-term profits of being a voter are bigger than the expected short term profits of cheating.
So, there would need to be high trading fees to pay the oracle voters.
This makes it prohibitively expensive in comparison to other designs.
Z
22:48
Zack
Thinking about sortition chains.
Before we were talking about how we want to split up the Merkle tree into the 2 trees. One to divide up the probabilistic value space, and one to keep a record of who gave up control of which parts of the space.

So, which one of the trees should contain what kinds of smart contracts?

Do we want complicated conditions for how the probability space is divided up, or complicated conditions for when the coins are actually spent, or both?
22:48
are they equivalent?
Z
23:18
Zack
I guess we would prefer to do computation in the spend proof if possible.

Because the winning probability space proof always ends up on-chain, and the spend proof only goes on-chain if someone challenges the result.

We want the default case to take up as few bytes on-chain as possible.
23:20
having less data on-chain by default also increases our privacy.
18 November 2019
AR
04:53
Ashley Rosa
Nice
04:54
Deleted Account
Not you
S
20:55
Sebsebzen
Nice
19 November 2019
Z
01:01
Zack
01:02
I added details about the changes to the Merkle trees, since we are splitting the sortition chain Merkle tree up into different specialized Merkle trees.
01:03
I think I am not going to bother implementing harmonic RNG or uncertain RNG.
I will just have the first round of settlement be 1/2 of a block reward.

That way it is a simpler design and will be ready sooner.
01:03
and there are less places for bugs to hide.
JS
02:43
Jon Snow
In reply to this message
Nice
A
04:31
ALGO
GE
04:33
Gatis Eglitis
In reply to this message
Cool - how to get exposure?
04:33
The fund will be launched on the EXANTE platform this Fall.
04:33
When?
A
04:34
ALGO
In reply to this message
The fund is doing quite well it may be good to circulate its 30 day returns and see if any news agencies may be interested in following up on the release of the fund.
X
04:49
X | NPC
In reply to this message
Already launched
MF
04:59
Mr Flintstone
I thought the launch that happened was just for the index?
X
05:00
X | NPC
Maybe I’m wrong... probably it’s the index
K
05:37
K
In reply to this message
If you successfully attack proof of stake chains and move their users onto Amoveo I think that'll take a shit ton of the risk away. Amoveo will have amazing marketing because of that ( I can't even imagine all the news articles and videos that would be created because of such an event ) and will be competing against only a few other PoW chains capable of smart contracts
K
06:05
K
In reply to this message
The Ripple validators could not 'delay certain transactions'. As all validators do is order the transactions in the set of recently arrived transactions
06:06
True, they could decide that a certain transaction did not arrive in time and so should not be included. But:

1) Ripple validators are in the minority, so would be overruled by all the others that are playing honestly
2) rippled contains code to detect repeated ignored txns
06:06
and so every node on the network would throw up a warning message that they suspect that some kind of censorship is going on.
06:07
In XRP you don't have a single node (the miner that finds the block) deciding what order txns go in, so there is no chance of front running. The transactions are ordered in an unpredictable way.
Z
06:11
Zack
if there is a market being powered by XRP, then re-ordering txs inside a single block is enough to commit front running attacks.
06:11
An attacker can create lots of txs sending money to themselves, if they need an excuse to delay someone else's txs by more than a block
06:14
Every blockchain, you can calculate a cost to re-write some history. So we can calculate how much security we have.

Like in bitcoin, you would need to have a ton of hashpower, but you could rewrite some history. And the cost of that hash power is something calculable.

How much does it cost to re-write some Ripple history?
K
06:15
K
In reply to this message
But you can't re-order transactions inside a block unless you get 80% of the validators on the network to agree to your ordering, and there is no incentive for them to do so.
Z
06:16
Zack
if creating a block requires consensus of 80% of nodes, then that means if I rent enough servers to control more than 20% of the nodes, I can cause ripple to freeze?
06:16
running a ripple server doesn't require owning any ripple coins, as far as I know. so I could launch a ton of servers very cheaply.
06:17
so if I can bribe any 20% of the ripple nodes, I can make the entire network freeze?
06:19
having warning messages appear isn't a real security measure. An attacker could use bribes to purposefully cause the warning messages to appear frequently enough that we just ignore the warnings.
06:23
and warnings could only appear on full nodes.
Most users are off-line.
A real security plan would protect all of the users, not just the users running full nodes and staring at their screens waiting for warning messages.
K
06:34
K
In reply to this message
You can't rewrite XRPL history. It is final as soon as each ledger is closed (3-4 seconds).
06:35
If you could bribe 20% of the nodes, then yes you could cause the network to temporarily halt but:

1) You don't know which nodes they are, as you don't know what nodes are on each validator's UNL
2) As soon as it halts, operators would just remove the malicious nodes and go on.
Z
06:36
Zack
A financial guarantee is measured in dollars, or some units of value.
06:37
In reply to this message
if we don't all simultaneously remove them from the UNL, we could all end up on different forks.
06:38
people who are off-line don't have any evidence about which on-line nodes were or were not participating in consensus.
So if the network decides to reject 20% of the nodes while I am offline, how am I supposed to verify that the network had proper justification to reject those nodes? How am I supposed to know which side of a fork is legitimate, if I was offline when it happened?
K
06:40
K
In reply to this message
There is no such thing as 'full' nodes. All nodes are 'full' nodes.
Z
06:41
Zack
so, everyone who owns ripple is required to rent a server and have it online 24/7 in order to maintain ownership of their ripple?
06:41
regardless of whether you call it "full nodes" or anything else. There is a difference between people who are online and participating in consensus vs people who go offline.
K
06:42
K
In reply to this message
I'm not quite sure what you are trying to say here. If a node is offline then it isn't participating in consensus... so what?
Z
06:42
Zack
people who are offline should have security guarantees as well.
K
06:43
K
In reply to this message
There wouldn't be a 'fork' as such, just two different groups with different versions of what is 'true'. Up to you which you deem the 'true' XRP.
Z
06:43
Zack
like, what if 90% of the nodes that are online decided to rewrite some history, and I was offline while it happened.

When I come back online, how am I supposed to verify that cheating occurred?
06:44
if there are thousands of forks of ripple, and no way for me to know which one is going to be considered the "true" version, then how am I supposed to know that coins I receive have any value?
06:44
How can I know that they will be accepted on exchanges?
K
06:46
K
In reply to this message
You are trying to compare PoW to XRP... they are different. XRP has deterministic finality. You don't need to add up some value of blocks and effort to guess when you think your transaction is 'final enough' like with PoW.
06:47
In reply to this message
As soon as some of the honest validators remove the bad actors from their UNL they will start to make forward progress again, as will the validators that have them on their UNL.
Z
06:49
Zack
In reply to this message
All cryptographic security can be measured in the cost to commit an attack. Even making a fake ECDSA signature has a calculable cost in terms of CPU cycles.
K
06:50
K
In reply to this message
No. But just like Bitcoin you either trust another node or you run your own node. Up to you.
Z
06:52
Zack
In reply to this message
bitcoin is trust-free technology. you never have to trust someone to run a node.
You can have cryptoeconomic guarantees even if you do not run a full node, because a SPV light node can verify the POW in the block headers.
06:57
with PoW there is always exactly one fork that has the most work done, and I can verify which fork has the most work, even if that work was done while I was offline.

With Ripple, which fork is legitimate is based off of information that is only available to people who were online during the entire history. That way you can know which nodes did censorship and should be removed from the list.
K
06:58
K
In reply to this message
No such thing as 'trust free'. Just a matter of how that trust is distributed. When you use bitcoin you trust the network as a whole not to defraud you. Same with XRP. Only with XRP that trust is less centralised.
Z
07:00
Zack
https://github.com/zack-bitcoin/amoveo/blob/master/docs/basics/trust_theory.md I have developed a mathematical framework of trust.
There is an entire spectrum from fully trusted to completely trust free, and it is all formally defined.

Using this formal definition, bitcoin is level 2.2 trust, and ripple is level 4.4.
07:01
Ripple is about as secure as a centralized server.
Z
09:08
Zack
with sortition chains the expected fee for having money in a sortition chain decreases with the portion of money that you have.
So for example, if you have 0.001 veo instead of 1 veo, then the fee is 1000x lower, because it is 1000x less likely that the contract will end up on-chain.

It is possible to own fractions of a satoshi inside of a sortition chain. You could have a contract worth 10^(-30)th of a veo.