TaaC & P4Q Thread #2

Let's start over in this thread and stay focused with the discussion. As Colin pointed out in the other thread, too many posts were about alternate ideas.

For newcomers:

Notice: I will be deleting all off-topic posts in order to keep discussion focused. I welcome criticism and alternate proposals, but create new threads for them so that they may be discussed separately. This thread is about discussion of technical problems with the proposal and technical solutions to these problems. See my reply with @Zack below for an example of this kind of discussion. Thanks!

9 Likes

FIFO - Would turn the exploit you brought up (ultrapoor PQ spamming out NQ) into an attack that affects the PQ instead of NQ. Even adding PoW onto the ultrapoor PQ (as I suggested) would just turn the entire PQ back into a victim of a high PoW spammer. Could work if we indeed prevented PQ access to anyone below a threshold as you proposed.

Balance - Indeed this proposal

%MIN_GAP since last TX - Since timestamps are not trusted, an attacker could just date their last request as happening on Jan 1 1970 and thus their %MIN_GAP would be a huge number, allowing them to get priority over legitimate users. I.e., this idea cannot work if we don't trust timestamps.

TX amount - I fear it'd screw users like Binance, but maybe not. This idea was originally conceived in 2017-2018 and was about TX amount, and I moved to stake instead because I thought it'd be better. Still, I am not fully convinced it isn't a good solution.

TX_AS_% - This seems deadly. An attacker could easily use ultra-high %'s (1 raw out of 1 raw = 100%) or ultra-low %'s (1 raw out of 1 Nano = 10-28%), whereas most typical users would be somewhere far in the middle (e.g., 0.01% - 1%). No matter which direction we made faster (higher = better OR lower = better), the attacker could target it. Even if we just centered it (where 1% = sweet spot), the attacker could just spam at the 1% threshold (0.01 Nano from 1 Nano accounts) and the queue would turn into FIFO.

Overall, I like where your head is at Zack. I think that FIFO with "no PQ below 1 Nano" could work. I still like Account Balance the most. I also think that TX Amount is possible and might merit more discussion there if you see some huge underlying advantage. Either way, keep coming up with new ideas.

To be honest with you, P4Q was the idea that was made second (and was originally PoW-based, as in.. the closer you come to MIN_GAP the more PoW you must calculate, with attacker benefits scaling logarithmically such that an attacker would need something like 1032 more PoW generation to spam at a rate of 5x). TaaC was the first solution -- but is vulnerable to sybils -- while P4Q was the solution to protect us from sybils. FIFO can work is we put a minimum threshold on the PQ, because the minimum threshold protects us from sybils. Any other idea that also addresses sybils (while remembering that old timestamps are not trusted!).

So to clarify, I think the following are all possible solutions in conjunction with TaaC:

  • Account balance (AKA PoS4QoS, discussed)
  • TX amount (original permutation / undiscussed)
  • FIFO (if PQ cutoff at some low Nano, like 0.01 or higher, as @Zack proposed)
  • PoW4PoS4QoS (e.g., given a MIN_GAP based on PoS, you can go lower than MIN_GAP if you generate lots of PoW, scaling exponentially)
7 Likes

I don't think you can do anything to prevent that from happening.
@Rob already pointed it out here:

Say you have 104 TPS, an effective cap of 26M NANO and 106 accounts with 10-6 NANO each. So 1 NANO is split into 106 accounts, which could broadcast 106 blocks in close succession. That would create full load on the network for 102 seconds, until all blocks would've been processed. As you can expect some activity happening on the network without the spam, let's just say that this attack makes some trouble for the NQ for at least 102 seconds.
That's obviously not very long, but way more than a few seconds and can be had very cheaply.
On top it can be repeated each 5 hours.

If you need to have 0.13 NANO to get 1 T per 5 hours, the impact on the network would be the same, but it would require 106 * 0.13 NANO or 130,000 NANO.

If you don't cap at 0.13 NANO, the 10-6 NANO can only get into the PQ once each 2.6 * 109 seconds or once each 82 years (I'm ignoring the burst here)

It's important to note that the PQ is doing fine even during that attack.

I need to mull over this, but my initial impression is, that either a strict differentiation between PQ and NQ would be necessary, because an attacker creating blocks for the PQ then couldn't interfere with the NQ.
Or maybe it's necessary to not cap at 0.13 NANO, but at a different level depending on the situation (G_TPS, market cap, etc.). This wouldn't prevent the described attack, but it'd make the cost/effect ratio way worse.
With P4Q in place it will require some efforts to create 1 million accounts with little NANO on them. Apparently there's an entity currently attacking the NANO network currently with more accounts, but less NANO on them. It would be handy to have a different kind of cap: exclude account balances below a certain threshold from the PQ.

This looks like a valid attack vector too. This assuming the network treats send and receive blocks with the same difficulty multiplier equally, although the difficulty thresholds for send and receive blocks are different.

I should've read the second post in this thread, but I was typing this post here in the now closed thread before it had been closed and copied it just over here. My bad.

Maybe a mix of both is fine - FIFO with "no PQ below x NANO" (x to be determined) based account balance. Risks of not having a lower bound for NANO to enter the PQ is in the paragraph above.

I don't see the benefits of replacing account balance with tx amount. In my eyes it would work very similarly.
But I can think of a potential drawback: delegating stake (vouching, as @M00N_R1D3R called it) to other accounts isn't possible with it. I'm not sure, whether that's a a significant drawback, though.
Delegating stake should be treated account wise like choosing representatives (just like @M00N_R1D3R explained it). This would lead to the awkward situation that an account with huge balance had no stake. Yet that could still be nice for cold wallets, where the stake were then available for faucets, tipbots or alike. Not very granular and with some overhead,but potentially useful.
Delegating stake similar to sending NANO is an option that wouldn't remove all your stake, but I don't see how it could possibly work. Blocks would require an additional field stake, a way to send stake, which makes blocks bigger. Those blocks wouldn't deal with the transfer of value and all gets more complex to a point I doubt it could even work.
Implemented this way, you wouldn't be able to get your stake back at will. If the stake is on a block of an account you don't hold the private key. A kind of revoke scheme would be required.
All in all delegating stake is a can of worms, especially when you plan to delegate less than the account balance.

1 Like

Instead, say we have 1500 tps. An attacker won't need much to attack the PQ of 1 Nano holders right?. How do you solve it?

I addressed your concern here:

Finally, eliminate the idea of guaranteed transactions per 5 hours for lower Nano levels. I've said it a few times, but Colin isn't in favor of it and -- as I thought more about it -- I realized that it leads to attacks against the NQ in the way that @Zack mentioned.

There is no guarantee of disproportionate TPS as you get less and less stake. If you own 0.0000000000001% of the currency, you get 0.0000000000001% of the PQ.

2 Likes

Understood. But, How is it a solution to a mass account attack?

Instead it's like saying, here '99%', take the spam-key. I know as long as you are feel safe, I have nothing to fear.

One argument is, what better do we have right now? At least we haven't handed the spam key to a small pool of people rn, right?

network resources: tps of the network

My issue is this:

The OP's model is a pyramid of network resources allocated. At the bottom of the pyramid are the people with the highest stake, and at the top are the people with the lowest. Follow me here and lets get into why securing the network by stake is bad?

I won't get into the slippery slope of rich vs poor argument.

OP is essentially proposing to allocate the network resource by stake. Allocate.

And everything I have seen discussed here is what will be the right way to do it.

Is Nano a resource to be allocated? It's a currency right?

And all this to prevent spams...

By OP's definition, a spam is prevented as long as the whole pyramid hasn't fallen. It's in fact a damn good pyramid and it won't fall, because by design spammers can not topple anything at or below his level. So, by design the base of the pyramid will always exist.

And most of the people are thinking that this indestructibility of the pyramid model, makes it a spam resistant.

Well, it does. As long as you define spam to fit this model.

Sorry to say this, but it seems that you haven't understood the proposal... Like at all.

No one is talking about preventing/ eliminating spam. In fact no proposal no matter how perfect it is can prevent spam from happening.

What we can do is mitigate the effects of spam to as much users as possible and this proposal does this. It doesn't mitigate spam effects for all users but a big portion of users while the status quo doesn't.

In the current situation all the users are susceptible to spam, no matter how nano rich or nano poor you are and no matter how much you improve the PoW algo, if and when spammer finds away to spam, all the users will suffer. This proposal ensures network stays usable for a portion of users no matter how bad the spam gets.

So much of the discussion is about spam when that's not the main problem PoS4QoS is solving.

The problem is transaction ordering/prioritization at saturation and beyond. PoS4QoS is an elegant fee-less solution to that problem. It addresses spam indirectly — by setting an upper bound to the impacts of spam intended to congest the network. In other words, it makes that type of spam, the worst kind IMO, pointless.

The focus on spam is missing that PoS4QoS is a truly fee-less solution to transaction ordering. The network will eventually get saturated by real use and transactions will be prioritzed based on a PoW fee. It has its benefits but it provides less protection from attackers than a native fee because the cost is denominated in USD — thus the attacker does not need to buy in.

Edit: @Rob feel free to highlight this point elsewhere and delete this comment (people seem to gloss over it in the original thread)

1 Like

Np, and sorry to say it too that you must not have understood what I was trying to say.

What the model does is create a new status quo, in the name of mitigating the effects of spam. I am not being bitter here, but solve this:

Say you have 100k Nanos, and 1 Nano = $1000. You can use Nano almost everywhere -- from buying coffee to a car. And there is Bob. Bob has been hearing about Nano, so he decides to buy $50 worth of Nanos every week. He plans on spending them on whatever he used to spend $50 on. Tell me how 100k nanos can not be used to spam Bob. Is 200k Nanos required?

OP says:

Isn't that some la la land that Bob will have enough TPS to spend his Nanos.

It's a currency after all. But what OP's proposal essentially does is give Nano a value by stake, taking it to a whole different direction. Tell me if I am wrong, or have me elaborate.

TaaC is a solution to a rich actor spamming the PQ. P4Q is a solution to poor actors spamming the PQ.

Neither solution protects the NQ. Equihash/dPoW/etc do. The belief is that equihash/dpow/etc is beatable but costs a lot of money, and the belief is that the NQ would be pivotal to such a relatively few (or relatively poor) group of people that the attack would not be profitable, the concept being herd immunity.

So to clarify from the top-down. What defends the PQ?

TaaC

  • Throttles the rich
  • Promotes spreading wealth across accounts
  • Promotes the poor
  • Vulnerable to Sybil
  • Prevents against rich attackers spamming (PQ)

P4Q

  • Benefits the rich
  • Promotes putting all funds in one account
  • Vulnerable to rich spammers
  • Defends against Sybil attackers (PQ)

==> TaaC & PoS combined give defense against both rich and Sybil spam in the PQ

So what defends the NQ?

dPoW/Equihash/etc & existence of PQ

  • Greatly lowers value of NQ & thus protects currency pricetag when attacked (less money to earn from shorting currency)
  • Places a high minimum price on attacking the NQ

==> attacking NQ is costly + attacking NQ is not profitable

If NQ is costly to attack and it is not profitable to attack, who would attack it? A bored billionaire who has no qualms about throwing away billions to filibuster the currency on a whim? It is neither prudent nor possible to defend the currency against such an irrational attacker.

If the fear is that a sybil attack in PQ can be used to attack NQ, this was highlighted above and there are solutions for this (apply PoW generation to sub-0.1-Nano-PQ or only allow people with at least 0.1 Nano to participate in PQ, for example).

6 Likes

How do we know the future to quantitatively define the relatively few?

We have to initialize it, right? Or, will the network assign it dynamically? Say the network can assign it dynamically. What algorithm will be used? How can the PQ levels be designed without acting like a central authority?

Do you mean Jeremy Powel is not an irrational attacker?

If the adoption of 'crypto' goes mainstream, like Bob putting $50 in Nano every week, or Alice getting paid 1 Nano a week, the OP's model will only fit in the world where Bob and Alice are putting their Nano in a custody wallet.

There has to be some sort of Priority Queue besides PoW. This just is not one. That being said, adios.

I believe this was covered in the last thread, but is a PoW still required for PQ transactions? My thought is, if you don't have it, you open the door for "rich" accounts to use the Nano network for all sorts of auxiliary functions (i.e. the lower their cost to use the network the more uses cases they can find, taking more TPS away from the NQ or poorer accounts). On the opposite end, if the idea of the proposal is to offer accounts a priority queue with quick confirmation, immune from small balance spam accounts, I don't see why anyone would produce more PoW than the minimum.

In the end, if this proposal is to work, I think you have to have a min account balance threshold for PQ access. Ignoring potential issues with that for now, if you then order blocks by TX amount it would seem to only harm honest actors. I wouldn't consider TX amount any further.

The idea being that NQ transactions may or may not have valid time stamps? Agreed and this approach never seemed to have many upsides.

Unless you can guarantee that cutoff is high enough to deter any spammer (I don't know how you could) this method only seems to help a bad actor.

Isn't this the current system? Where higher PoW means greater access to transactions? But in this case, being in the PQ, it doesn't help deter spam since most any TX (based on acct balance) would likely already be placed ahead of spam transactions. If you mean that otherwise NQ TXs get into the PQ by a certain amount of PoW, doesn't this just mean a spammer could spam the PQ with higher PoW capacity and less accounts and/or stake?

In the end, I'd be surprised if there's a better method for ordering PQ transactions than Account Balance. The whole premise of this idea is that those with large account balances are less likely to spam the network.

1 Like

I'll repost the calculator in the link below so people can see this for themselves but if you don't create some sort of cutoff, below which accts don't have access to the PQ, then for a spam attack of equal duration you just end up with a sliding scale of cost vs frequency. It may cost an attacker half as much to get the required accts & stake but the interval between attacks will be twice as long.

If you take it to the extreme, it will cost a minimal amount for an attack that you can only release (with the same account/stake) years apart, but at that point it becomes a one time thing. This, IMO, is a real problem and any workable version of this proposal has to have a hard cutoff at some account balance.

1 Like

I don't mean to pick on this particular comment, but if we're going to have a fair discussion on this proposal I think we need to agree on a few things.

The recent network problems were not the result of DPoW failing. I don't know (does anybody?) what ability the spammer had to produce high PoW blocks, but inevitably it had a limit. He was having to produce (or pre-compute) 100s of PoW per second. Given an ideal version of the current Nano system, any honest user could have then produced a n+1 difficulty PoW and had their transaction processed.

The current set-up, and the proposed NQ is a battle ground of PoW. It's dishonest IMO to be fatalistic about honest users being unable to use the network during a spam attack.

I don't think this thread is the place to get really into the weeds about DPoW, but to evaluate this proposal I think it's fair we view the current system (at least a bug free version of it) truthfully.

1 Like

Exactly. And it has ramifications. It could use "A Rouge Whale Attack" as an attack vector.

Your analogy of a "pyramid" got me thinking. I have tons of data on Nano. I know how little wealth there actually is at the top of this pyramid. I've made a to-scale pyramid for you to demonstrate this, and it's packed with actual data from the ledger to boot.

When people say that that "oh, people with < 10 Nano might not get enough out of the PQ!!!" or suggest that we need ridiculous NQ measures to protect them from spam attacks, let it be known that they are talking about 0.012% of the total Nano by wealth in these tiers.

We simply cannot afford to give this absurdly tiny amount of people some gargatuan amount of the global TPS.

When I say that I'd like to "destake" people who have over, say, 0.01% of the total Nano and limit their TPS as if they had that much Nano, what I'm saying is this. The following numbers are hypothetical and for the sake of the example:

Binance's 2 cold wallets, making up ~21.26% of all Nano, would be reserved 0.02% of the total PQ TPS.
The 6 exchange wallets, making up ~16.35% of all Nano, would be reserved 0.06% of the total PQ TPS.
The 108 investor cold wallets, making up ~26.17% of all Nano, would be reserved ~1.08% of the total PQ TPS.
The 816 investor wallets, making up ~18.42% of all Nano, would be reserved ~8.16% of the total PQ TPS.

And this difference (21.26 - 0.02 + 16.35 - 0.06 + 26.17 - 1.08 + 18.42 - 8.16 =) 72.88% of the global TPS is being directly given, spread equally, to everyone who owns under 0.01% of the total Nano.

And as I've said, this is the naive destaking approach. A more aggressive cap could be set. Polynomial or more aggressive ideas (such as default destaking) could be implemented. As long as we aren't throttling rich actors so much that it becomes an undue burden on their part to split their accounts to get more TPS, we can pull the vast majority of the PQ TPS from the rich for the poor.

And I am continuing to try to optimize this system so that Binance et al get what they need while we siphon the unused TPS away from all of the cold wallets / burnt wallets.

This is absolutely not an elitist system that caters to the rich. The vast majority of Nano sits in the hands of those who won't use it but have every right to. It is my goal to move that TPS into the hands of the poor who need it most, as long as they aren't using so much beyond their fair share that other poor people suffer.

4 Likes

Who sets it? What method will be used? How often will it be set?

We can do better than differentiating the users as rich and poor.

These arguments are extremely unfairly one-sided. You're envisioning a world where Nano is so ubiquitous that the vast commonwealth are literally given their paychecks in it, but you're applying the logic that Nano is still a 100 TPS network.

If you want to posit that this is a worldwide system that billions of people use everyday, then you need to first accept that we are guaranteed to fail in that world unless we're putting out like 100k TPS. And if you simulate the proposal I've presented with those kinds of numbers, you will find that Nano is very usable in the PQ even for people with 0.1-1 Nano.

I'm so tired of people saying like "What if an attacker owns 50% of the network and...!!!" while simultaneously saying "In a world where Nano has a 3T market cap and has surpassed Bitcoin!!!" -- dude, if Nano has a 3T market cap, an attacker can't own 50% of the network.

You can't craft your arguments both ways. EITHER we are a shitty low TPS network with a tiny market cap, where we need to worry about rich attackers but don't need to worry about Alice being paid in Nano, OR we are a high TPS network with a big market cap, where Alice will be paid in Nano but we're going to have the TPS to justify it. I assure you that if Nano someday has a 1T market cap and can only support 100 TPS, limited PQ usage will be the least of Nano's problems.

PQ could be PoW free or tiny PoW. Something easy for cell phones, for example.

I think that worrying that rich actors might start using their phat stacks for frivilous stuff and thus robbing the NQ of possible tx is a bit of a pre-emptive optimization that comes with a real cost: with 0 PoW, we can let cell phones just use the service without any computation whatsoever, and that's a beautiful thing.

But I have no qualms about setting some bare minimum PoW, making it dynamic, or anything of that nature. I'm more inclined to say "no PoW" and then up it in the future if it became a problem.

Correct. NQ transactions either have no timestamps at all or invalid ones. If an attacker puts their timestamp as Jan 1 1970, that's an NQ transaction. But their next transaction (as long as it's dated to the present) can be a PQ transaction. This is by design.

We could implement things like a MAX_GAP on the previous transaction, or just implement a cap on the "bonus" one would get. I wouldn't write the idea off altogether as possibly a useful component, but definitely not a good primary metric compared to Account Balance (PoS).

I agree. FIFO appears to help a bad actor, and the only upside is that people will "feel" better about the fact that Nano doesn't prioritize the rich.

It is not the current system. The current system is one where if I do 2*PoW (or even PoW+1) over you, I will get priority.

This is one where I can send transactions more frequently if I include more PoW. If you have more PoS, you will still go first. It's all about lowering my MIN_GAP.

For example, if I normally have a MIN_GAP of 30 minutes, I can send one request at 5:00, one at 5:30, one at 6:00, etc. This gives me a SUSTAINED_TPS = 1 / 18000. However, if I REALLY want to make a request in 15 minutes, I can do so if I am willing to calculate PoW of 104 difficulty. If I REALLY want to make a request in 10 minutes, I can do so if I am willing to calculate PoW of 108 difficulty. If I want to make a request in 7.5 minutes, that would be 1016 difficulty. Finally, if I want to make a request in 6 minutes, that would be 1032 difficulty.

This scaling of PoW is extremely strong -- so strong that a user might be able to use it on occasion to get a slightly faster PQ request, but there's no way that an attacker could possibly exploit it to meaningfully spam out the PQ. Even if they owned 10% of the global Nano (an expensive feat unto itself), they would then need to consistently calculate PoW at a complexity rate of 101024 more than some baseline. This isn't possible, even with literally quadrillions of dollars in custom equipment. In fact, I doubt that it is possible using all of the materials in the known universe with humanity's current understanding of technology.

It's a way of inviting some PoW into the PQ to allow some users to get a bit of an extra boost while putting a realistic cap onto it, basically. It is the origins of this idea, before I scrapped the PoW component altogether and focused purely on PoS.

Me, too. That game theory aspect can't be understated. Additionally, I ran through some permutation of all of these ideas in the past before coming to PoS as my ultimate proposal, so I implicitly agree here that I've already (to one degree or another) painstakingly vetted many alternatives, and I've consistently found PoS to be superior.

I understand the sentiment. When you first proposed the attack, I consider the scenario where an attacker splits 1 Nano into 1030 accounts and just launches 1 request per account in the PQ. Their MIN_GAP might be the lifetime of the universe, but they only actually need to send 1 request each in their lifetimes so it's OK. This would be sufficient to DoS the NQ altogether, even though the PQ would be unphased due to P4Q.

However, while you say "putting a cutoff for the PQ is the only solution" (and don't get me wrong, I agree it is a solution and possibly even the best solution), we could also just force ultra-low stake users in the PQ to obey the PoW rules of the NQ (PoW, equihash, etc). The argument here is simple: their target is the NQ, and if they can already produce sufficient PoW to spam the NQ, then us letting them do it from the ultra-ultra-low PQ gives them no additional power. Meanwhile, it has a use in protecting the ultrapoor -- they can perform NQ-style PoW but still use the PQ within their MIN_GAP, which would protect them (albeit infrequently) from NQ spam (if such a thing were happening).

3 Likes

Developers. Used unless/until we come up with a better formula. Hard coded into the source code.

Dunno what this means. Some kind of dogwhistle, I would assume.

2 Likes