So this is basically a blockchain, but with transactions instead of blocks, and diverging-then-converging graph instead of a linear sequence of blocks (like a real family graph instead of just one-parent-one-child families common in blockchains). Looks nice, what are the problems with the approach? (the paper only lists the benefits).
There is no way to have a controlled release of new coins into the system. For that you need a blockchain that establishes a consensus on time transpired and on the total economic resources being contributed (which allows the share of the newly generated coins that each participant will receive in a unit of time to be proportional to the share of the total economic resources they are responsible for contributing).
There is no mechanism to link cost of proof of work generated to the value being transacted. With a blockchain, scarcity of space per block leads to a fee market forming, and fees paid increasing as the value contained per transaction increases. This leads to security (proof of work) increasing in proportion to value that needs to be protected.
I'd like to direct interested readers to a thread containing a link to a draft paper I wrote about addressing these issues in a blockless DAG based cryptocurrency:
>With a blockchain, scarcity of space per block leads to a fee market forming, and fees paid increasing as the value contained per transaction increases.
Note that this is not currently the case in bitcoin: transaction fees have gone up with the current scarcity due to the arbitrary block limit, but the fees are still a pittance compared with block reward, which is the real incentive for mining (but that will not always be the case, as block reward reduces in the future).
This is somewhat of a sore point for the bitcoin community as a large (probably not majority, but large) portion of the user base / miners / nodes does not think scarcity of space is a good idea at current levels of transactions.
Also, Ethereum (which at the moment uses a blockchain and mining mechanism very similar to bitcoin's) does not impose a block size limit, but rather leaves it up to the miners to decide on the "gas" limit (they have a computational limit rather than a block size, but it can be viewed as a parallel).
0.9 is not insignificant, but compared with block reward, the true (current) incentive providing block security is not in question, and that is what was being discussed.
How is that a useless figure? You'd expect it to have the same ratio per block or per day, so they're comparable when talking about the ratio of fees to rewards.
Because we are talking about security of blocks and block scarcity. There is no limit on the space "per day"; it's all per block. Similarly, people don't make race attacks on a day, they make race attacks on a block.
> There is no mechanism to link cost of proof of work generated to the value being transacted. With a blockchain, scarcity of space per block leads to a fee market forming, and fees paid increasing as the value contained per transaction increases. This leads to security (proof of work) increasing in proportion to value that needs to be protected.
My understanding of proof of work is that it's used to limit the number of new blocks which will get propagated through the network. Bitcoin automatically adjusts difficulty such that it approximately takes 10 minutes for a new block. If block creation intervals were lower it would compromise the security of the system and enable attacks with much less than 50% of the hash power.
> If block creation intervals were lower it would compromise the security of the system and enable attacks with much less than 50% of the hash power.
Not really. The odds of an attacker successfully generating a double-spending block remain the same with a lower block interval. Many alternative cryptocurrencies have far shorter blocktimes: Litecoin has 2.5min blocktimes, and ethereum is less than 30 seconds IIRC, and they don't have problems with rampant double spends.
The problem with shorter blocktimes is that latency has a greater impact on mining profitability. A miner with a 600ms ping will lose ~0.1% of their revenue with a 10 minute blocktime, but will lose 2% of their revenue with a 30s blocktime.
This gives miners an incentive to centralize geographically to reduce their latency. No bueno!
> Not really. The odds of an attacker successfully generating a double-spending block remain the same with a lower block interval. Many alternative cryptocurrencies have far shorter blocktimes: Litecoin has 2.5min blocktimes, and ethereum is less than 30 seconds IIRC, and they don't have problems with rampant double spends.
I based my statement on the following paper: Serialization of Proof-of-work Events: Confirming Transactions via Recursive Elections: https://eprint.iacr.org/2016/1159.pdf
> Unfortunately, recent research has shown that the Nakamoto consensus has severe scalability limitations [6], [25], [11], [18]. Increasing the system’s throughput (either via an increase in block size or block creation rate) comes at the expense of security: Under high throughput, Nakamoto’s original guarantee no longer holds, and attackers with less than 50% of the computational power are able to disrupt the system. To avoid this, Bitcoin was set to operate at extremely low rates. The protocol enforces a slow block creation rate, and small block sizes, extending the blockchain only once every 10 minutes (in expectation) with a block containing up to 1 MB (roughly 2,000 transactions). Users must thus wait a long while to receive approval for their transfers.
Regarding litecoin: litecoin does have a lower block creation time of 2.5 minutes - however if you look at the average block size of litecoin it averages around 15kB, compared to ~950 kB of bitcoin (basically exhausting its 1MB limit): https://bitinfocharts.com/comparison/size-btc-ltc.html Considering the litecoin network operates way below its maximum capacity a double spending attack is indeed unlikely. However whether that security would hold up under full load remains to be seen.
Oh, I see what you mean now! The block propagation delay that larger/faster blocks would cause could allow attackers to double spend with less than 50% of the network because the blocks of honest miners will be occasionally orphaned while your secret chain won't. The longer the delay... the more orphans, and the bigger advantage you have. Is that the effect that you are describing?
If you're interested in how big the delay is you can check this out, it's cited to the paper you linked me and I found it helpful.
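The two effects discussed above (work lost to latency, and orphaned honest blocks lowering the hash-power share needed to keep pace with the honest chain), worked through in a simplified worst-case model. This is an added example, not part of the thread or the cited paper. Assumptions: Poisson block arrivals, one propagation delay during which every other honest block is orphaned, a private chain with no delay, and a constructed 10 s delay.

```python
import math
import random

def stale_fraction(delay_s, interval_s):
    """P(another block is found while a miner works delay_s seconds behind)."""
    return 1.0 - math.exp(-delay_s / interval_s)

def honest_growth(q, delay_s, interval_s):
    """Honest main-chain growth (blocks/s) when honest miners hold 1-q of the
    hash power and blocks found within delay_s of the last tip are orphaned."""
    lam_h = (1.0 - q) / interval_s
    return lam_h / (1.0 + lam_h * delay_s)

def attacker_threshold(delay_s, interval_s):
    """Hash-power share q at which a zero-delay private chain keeps pace with
    the honest chain: root of r*q^2 - (2+r)*q + 1 = 0, with r = delay/interval."""
    r = delay_s / interval_s
    if r == 0:
        return 0.5
    return ((2.0 + r) - math.sqrt(r * r + 4.0)) / (2.0 * r)

def simulate_honest_growth(q, delay_s, interval_s, n=200_000, seed=7):
    """Monte Carlo check of honest_growth under the same assumptions."""
    rng = random.Random(seed)
    lam_h = (1.0 - q) / interval_s
    t, tip_time, height = 0.0, -delay_s, 0
    for _ in range(n):
        t += rng.expovariate(lam_h)        # next honest block is found
        if t - tip_time >= delay_s:        # finder had already seen the tip
            tip_time, height = t, height + 1
        # otherwise the block was built on a stale tip and is orphaned
    return height / t

if __name__ == "__main__":
    DELAY_S = 10.0  # constructed propagation delay, not a measured value
    for interval in (600.0, 150.0, 30.0):
        print(f"interval {interval:5.0f}s  "
              f"stale work at 600ms: {stale_fraction(0.6, interval):.3%}  "
              f"attacker threshold: {attacker_threshold(DELAY_S, interval):.1%}")
```

With the constructed 10 s delay, the threshold in this model drops from about 49.8% at a 10-minute interval to about 45.9% at 30 s.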
The last point is contentious IMO. Why wouldn't there be a fee market with an unlimited block size? The miners would still want to make a profit, and would set fees to a level they deem profitable.
Seems to be about someone creating massive amounts of privkeys and messing with verification (the fact that 51% attacks no longer exist in this approach makes that irrelevant, however). I'm not an expert on cryptocurrencies, but I don't see how that issue could be any more prevalent here than in "standard" (Bitcoin-style) blockchains.
To expand on that: The only way I can imagine a Sybil attack here is if someone created a massive amount of tiny transactions, and the fees required to get peers to validate them would make that approach infeasible.