Of course, the Internet doesn’t remember that he worked on cryptocurrency almost 20 years ago (with Zooko of ZCash) before he started BitTorrent. Pepperidge Farm remembers.
Actually the primary source - at least for this article - is the latest episode of STEAL THIS SHOW: https://stealthisshow.com/s02e14. The interview has some detail on when he'll start the enterprise et cetera.
We also go into the pre-history of BitTorrent at Mojo Nation.
Good show. In response to something Bram mentions offhand I do have to retort that when Bram suggested changing the MN architecture to be more like what was eventually to become BitTorrent the response, which in hindsight I will admit was short-sighted and incredibly dumb, was due to having too little runway left to completely rewrite an already over-engineered codebase and not any sort of crypto-libertarian ideals. (And yes, I keep a copy of his email message suggesting this change to our internal list posted above my desk as a constant reminder...)
Does anyone have more details on slide 9 "Proof of time: Modular roots"?
> In group of order 2^k, square k-1 times to find a square root
I don't want to say anything stupid, but I don't know if this is trivially true, for instance in [the multiplicative group of] a field of char 2, square is linear and so it's square root.
Edit: to clarify, in a field of char 2 the multiplicative group has order 2^q-1, which can't be 2^k. I'm just giving this as an example of a group where square root is fast.
From the video, it sounds like the claim is that sqrt(x) = x^(2^(k-1)), which you verify by checking that x=x^(2^k) [0]. However, since the order of the group is 2^k, it is an elementary result of group theory that x^(2^k)=1 [1]
[0] That is, you square the claimed root which should be x^(2^(k-1)).
EDIT: watching the video some more for clues, he does mention that he uses a particular kind of group, so the claimed property does not need to hold for any group of order 2^k. However, as I argue above, I still don't see how it is possible for any group of order 2^k.
getting the square root of x from k-1 squarings means
(x^(2^(k-1))) ^ 2 = x, or x^(2^k) = x.
so x has multiplicative order (2^k)-1, which is the
order of GF(2^k) under multiplication.
But the group has order 2^k. Since the powers of x (for any group element x) form a group themselves, Lagrange's theorme tells us that the order of x must divide 2^k. This should mean that it is impossible for x to have order (2^k)-1. If fact, it means that x^(2^k)=1.
Further, if you are given the value y=x^2, then no power of y will give you x.
The finite field GF(2^k) has order (number of elements) 2^k, but its multiplicative group has the (2^k)-1 nonzero elements, and thus order (2^k)-1, which squares [pun intended] with the fact that x^(2^k-1) = 1.
“Sometimes people have this misapprehension that Bitcoin is a democracy. No Bitcoin is not a democracy; it’s called a 51% attack for a reason. That’s not a majority of the vote, that’s not how Bitcoin works.”
So I get that he's trying to get at the fact that it's not a large majority, but 51% is a majority.
The charitable reading is that it's not democratic because processors, not people "vote". The point of a 51% attack is that one person (more or less) controls 51% of the "vote".
I mean, we joke about how corrupt American politics are, but it's not like the Kochs or George Soros or whoever can actually control 51% of the vote directly.
>No Bitcoin is not a democracy; it’s called a 51% attack for a reason
This quote is quite reductive of all the game theory involved with Bitcoin and I'd argue against Bram on his statement. In fact, Bitcoin is a democratic protocol. Nodes organize around which miners meet their protocol's consensus settings. All that a miner with >50% of the hashrate can do is attempt to reorg a chain of blocks to double spend or DoS the chain by not including certain transaction. A miner with >50% of hashrate cannot force me to accept blocks bigger than my consensus rules state or accept some new ScriptSig with different OP codes.
You can define your consensus requirements when designing your system. The default is simply majority rules, though in degenerate cases (e.g. two nodes) you can have conflict.
If instead it'd been defined as requiring a two-thirds majority then that's how consensus would be achieved. The system would simply halt until that came about.
The 51% attack works because you can use the majority of CPU hash power to write a longer chain faster than the rest of the network.
I don't quite follow what you mean here: longest chain wins is a central tenet of cryptocurrency design, and even if you did something with consensus in the product a majority could still hardfork away from that design. Am I missing something here?
I guess you could just require that, in the case of competing chains that have n linearized entries in common, the winner has to build a chain n+2m long as the next-best contender of n+m length, rather than just a constant n+6 as long as in current chains. So if there were two active pluralities with 33% of the hashing power each, both trying to rewrite history, you'd just have two active chains forever and never end up linearizing (which might be a good state to end up in; sort of a "SybilAttackException raised; hard-fork with added policy rule choosing a winner to continue.")
the value of 51% is something I failed to understand , wouldn't the attack also works even the attacker has less than 50%, but bigger than any other individual miner? for example if there are 3 miners in total, A has 40%, B and C has 30% each, wouldn't A still able to write a longer chain faster than B or C?
It would be in B and C's best interests to hash together to avoid A's attack. A well designed cryptocurrency takes these game theory scenarios into accounts and properly incentivizes mining wherein it should be more profitable for miners to accurately represent transaction history over destabilization.
A in your scenario would likely be malicious to the network would have to be a state actor looking to kill the network. Luckily, in a sufficiently large network even governments are bound by CPU/GPU supply. It gets even harder for this kind of state maliciousness to take place in tech like ethereum: whose PoW function is both CPU and memory bound (I.e. You cannot use custom ASICs)
I casually enjoy cryptocurrency, so anyone who knows better please correct me if you find me incorrect.
"A is working on one chain but B and C are working together on another chain, so the A chain has 40% and the B/C chain has 60%."
but if B and C are working together, it implies there is some sort of relationship between them so they could be coordinated together(e.g. owned by same org), this not the case I am trying to use here;
my case is really 3 independent miners
That stops it from reaching a "false" consensus, but makes it easier to stalemate the network.
With a 60% consensus, 41% can deadlock the network. A deadlock of a financial transaction system is de facto control (if we believe Dune).
With a 50% consensus, 51% can deadlock the network, but have no need to, as they're already capable of voting their agenda in.
Any increase of consensus past 50% gives an increasingly small minority group the power to deadlock the network. Further, 50% is the magic point at which a minority can neither overrule a majority on consensus nor deadlock the network.
Deviation from that middle increases one of those two failure modes.
It would be interesting to know more about how to make mining dependent on space and not cpu. Seems like you could use cpu to compress and create more space, thus pinning it back to cpu?
There is such a thing as a Memory Hard Function (MHF). cperciva's scrypt was designed to be one, and was subsequently proven to be maximally memory hard.
You can only compress to a certain level. For example, you can't compress a sufficiently random bitstream because there are no patterns. See also information theory.
I wrote a game for programmers about 5 years ago that used a toy proof-of-storage system. It gave as many 1GB blobs to players as requested, picked random chunks and stored checksums of those. The player doesn't know which chunks have been picked.
Some hours later you could start the challenge that you still have the file and the system challenged you to send the checksum of the chunks it picked. If you could answer this, you obviously still have the file and got points.
This allowed the system to force a player to store 1GB of data while the verification only needed some bytes of storage.
Scrypt (the version that cryptocurrencies use) is broken, but if you compare memory-hard PoW such as Cuckoo Cycle against proof of space we can assume that most people have more unused storage space than unused RAM and thus space is a cheaper resource, possibly leading to more decentralization.
Proof of Work demands cheap verification, but Hashcash with scrypt requires as much memory and time for verification as a single solution attempt.
So while scrypt itself is not broken, its feasibility in a proof of work system with a serious memory footprint (e.g. exceeding a single DRAM chip) is.
Forgive my ignorance here, but it seems like everyone and their grandmother has been starting their own cryptocurrency lately... Why is this noteworthy? I'll admit that I'm still largely ignorant as to why so many people consider cryptocurrencies to be such a big deal.
Because our society is stuck on a finite planet, using a debt-based monetary system in which counter-party obligations expand exponentially. Without an alternative monetary system, the disruptions which occur when the exponential growth stops may be of a scale on par with an extinction level event, in the most extreme scenarios.
All of the transparent block chains create another problem, however: Pervasive surveillance, and chilling effects. For that reason, I like the singular cryptocurrency which offers the anonymity and fungibility of cash, without a pre-mine scam or a graft tax, Monero. I think it is the only exemplar which offers all of the features required to serve as both a store of wealth and a medium of exchange. (Privacy being a requirement for fungibility.)
But then you have to trust a middleman to convert it into something that's actually usable. It's like gold, I can send it anywhere with DHL or UPS, but my recipient is going to have to find someone to convert it to local currency before they can actually use it. As a result, not many people send gold back and forth.
That's not why your grocery store doesn't accept gold for a pack of gum, though. If you could have an unforgeable, standard-sized, $0.01 nugget of gold, you wouldn't have to convert it, you'd just pay with that.
Pump and dump. Coins with a higher market cap feed the buying of coins with a lower market cap. As the founder of a coin you have all the initial coins since you were the only one mining (if your coin is premined, even better). Once your coin starts gaining traction, you pump up the price and then dump. Cha-ching.
This is the answer. Everyone wanted to make "... but on the Internet" because there was money in it. Then everyone wanted to make "Facebook, but for..." because they could get money. Now everyone wants to make cryptocurrency or do blockchain stuff because people are still willing to spend money on it.
It's the hot new thing, there's a frontrunner but not an established winner, and investors are still willing to give people money for it.
This is addressed in the Youtube page's comment section by Bram Cohen
"Burstcoin is busted. For proofs of work you can throw any random bullshit together and it will be a functioning proof of work. Proofs of space aren't like that."
Of course, the Internet doesn’t remember that he worked on cryptocurrency almost 20 years ago (with Zooko of ZCash) before he started BitTorrent. Pepperidge Farm remembers.