PARSEC and 99% Fault Tolerance

More of a philosophical question but what does 99% faulty look like in reality? I feel there are some epistemological questions to ponder here.

Additionally, why is it 99%, rather than 99.1%? 1/3 BFT is clear, 99% is not.

There are some nice off-topic components to address in this topic:

Only up to the point that the cpu / ram / network can support more vaults. Eventually the vaults get in each other's way and they’ll stop being competitive / viable on the network. This is really interesting to consider, since it might start being almost like bitcoin mining where ‘computation speed matters’. Typically we’ve intuitively considered only bandwidth as the primary bottleneck, but the ‘many small vaults’ concept may lead to other ones. More thought on an extremely large network with ‘one chunk per vault’ is warranted, and would have implications for the less extreme idea of ‘many vms and many vaults per machine’.

The size of the network should be balanced, not pushing too small, not too large, but where’s the balance? How is it decided? How can it evolve and change in a useful way? Such a difficult and interesting question…

This is a question I’ve spent a lot of thinking time on and I think it’s possible to build a probabilistic model of the geographic distribution. But so far the overall answer seems to be a resounding ‘no’ for a lot of really practical (rather than theoretical) reasons.

It’s a good one to address since it’s essentially the main (only?) complaint Peter Todd has put forth about this (and other) networks dealing with redundant decentralized storage.

Solving it without trust is a really interesting question.

Not if all 12 are in the same datacenter and all apply clever misdirection with latency adjustments. If you know one of those nodes is on the other side of the world, then sure this would work, but how do you convince anyone else that the knowledge is true? It can only be done on a probability basis.

I am super excited to see these results! I’ve done a lot of testing myself and am excited to gnaw away at these future holes in the fabric of consistency. Please post them on the forum, people love reading about these things even if they seem ‘trivial’ or don’t confirm the initial hypothesis.

It’s hard to imagine ipv6 not being the standard for this network…

Whoever does the segmenting sounds like an authority to me.

Only if you trust the ping. Which you can’t. It might be artificially delayed.

This is a good point. There will be an extremely high frequency of events on the network, so even a low probability means it will happen reasonably often. It’s not enough to hand-wave it away, these things need to be engineered (see @oetyng above). Maybe the probability is low enough, but what’s the cost when it inevitably does happen (maybe just by bad luck)? The cost shouldn’t be outright ignored.

9 Likes

It depends on the size of the network how often it would happen.
If everyone was using many vaults per machine, then in the very beginning of the network, when very small (say about less than 100k vaults), then it could happen now and then. This is accounting for the high frequency of data traffic. So up to this is where it is problematic for real, with regards to costs and public adoption.
But as the network grows the chances decrease so much, to such extremely low figures, that it will be a practical impossibility, just as we consider it a practical impossibility to brute force SHA256 (even though it is of course not impossible, you just need something along the lines of 4 billion galaxies each with 4 billion earths, each earth with 4 billion people each running a thousand times Google’s worth of servers, during roughly 37 times the age of the universe. So, yeah.).

In general I think you can only ever consider a system’s reliability in terms of probability to maintain integrity over a given timespan. The same is done for the probability that earth will be wiped out by meteors.

Actually the risk and cost ratio for this thing is so low that the humanity risks being extinct to so much higher extent that we could almost call it a certainty, and in such a closer timeframe that we could almost call it right now, if comparing, which gives some perspective to the relevance (for an established network, the infant one is still vulnerable).

3 Likes

Let’s define this a little better: you have (minimum) 8 nodes in each of these 8 sections (I guess maidsafe would have to do some initial bootstrapping to get this online). Then 8 random nodes of a section are chosen; they ping the new machine (maybe 4 times? each). They vote an average based on response times and write this to an MD. All 8 sections do this same process; once the last section has completed, it votes again and assigns the node to the one with the smallest average.

  • Security: if the results for the 8 nodes’ pings are inconsistent / can’t be determined with any accuracy, this means the node either has a flaky connection or is trying to bypass the geo-protection of the network. The node is assigned to section 9. In this section your node can be used for caching or other activities where data already exists on 8 other nodes.
  • A node being pinged won’t know which section the node pinging them is from.

Thanks for linking me to the Peter Todd post. I feel like we both have exactly the same concern about the way the rewards are currently set up and reducing redundancy.

The network at the beginning at some point will only have 100, 1k, 5k, or 25k vaults. The network will grow organically. (How many hardcore users of this forum are there? These vaults could be held by a small number of users.) If we lose data at the beginning of the network, it’s still damage to the network’s reputation.

Satoshi didn’t think people would join mining pools. We don’t know how many cores a machine will have in the future. Can I somehow run a vault on a GPU core? Or an Intel Phi? With new technology being created to connect whole continents like Africa, bandwidth limits could become a thing of the past. If virtualising a machine into many vaults could reduce redundancy of the network now, then in the future it could have even bigger consequences. It’s a real problem that should be solved in my opinion.

1 Like

If no fudging is occurring then you are going to create sections that are close to each other geographically. It is not good for the network to have the nodes in a section generally close to each other: outages, a country cut off, one data centre. It also increases the chance for a bad actor to get their nodes located in a single section.

2 Likes

Probably out of context in this discussion and not possible or very difficult to apply, but really short ‘round-trip times (RTTs)’/latencies are of course not possible from every part of the world. Maybe there is a way to use that.
If you can ping from ‘source’ devices in different parts of the world to the same target, there should be some that give shorter RTTs than others. If the RTT is e.g. never lower than a certain value (from any source), you could reject the target. And if there are RTTs short enough that it has to be in the ‘neighborhood’ of the source device(s) that pinged, you have a rough idea where the target is located. Do that for all 12 targets and check that they are not all in the same ‘neighborhood’.

If a bad actor has all his nodes in the same geo partition section, they can only get a maximum of one copy of all of the data. Which is better for redundancy not worse.
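The RTT idea above, as an added example (not code from the forum thread or the Safe Network project): each target’s shortest RTT from a set of vantage points gives an upper bound on its distance from that vantage point, so targets with no short RTT anywhere are rejected and the rest are checked for sitting in one neighbourhood. The 200 km/ms propagation figure, the 1000 km radius and the RTT table are assumptions constructed for the example.

```python
# Added example, not code from the forum post or the Safe Network project.
# Assumption: signals in fibre cover roughly 200 km per millisecond, so half of a
# measured RTT is an upper bound on the distance from the vantage point.
KM_PER_MS = 200.0

# Constructed sample: minimum RTT (ms) from three vantage points to each target.
# Artificial delay can only raise an RTT, so this bound never shrinks.
RTTS = {
    "node-a": {"eu": 3.0, "us": 95.0, "asia": 180.0},
    "node-b": {"eu": 4.0, "us": 96.0, "asia": 181.0},
    "node-c": {"eu": 90.0, "us": 2.0, "asia": 150.0},
    "node-d": {"eu": 300.0, "us": 310.0, "asia": 320.0},  # no short RTT anywhere
}


def max_distance_km(rtt_ms: float) -> float:
    """Farthest the target can be from the vantage point given this RTT."""
    return rtt_ms / 2.0 * KM_PER_MS


def nearest_vantage(rtts: dict, radius_km: float = 1000.0):
    """Vantage point that bounds the target inside radius_km, or None."""
    vantage, rtt = min(rtts.items(), key=lambda kv: kv[1])
    return vantage if max_distance_km(rtt) <= radius_km else None


def place_targets(measurements: dict, radius_km: float = 1000.0):
    """Map each target to a neighbourhood; list those with no short RTT."""
    placed, rejected = {}, []
    for target, rtts in measurements.items():
        vantage = nearest_vantage(rtts, radius_km)
        if vantage is None:
            rejected.append(target)
        else:
            placed[target] = vantage
    return placed, rejected


def all_same_neighbourhood(placed: dict) -> bool:
    """True when every placed target sits near the same vantage point."""
    return len(set(placed.values())) <= 1
```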

I thought 99% fault tolerance meant 1% of honest actors can defeat 99% dishonest actors. Even if you’re unlucky enough to find yourself surrounded by 99 crooks and just a single honest one, you would still be okay.

1 Like

This is quite aligned with what I was saying, maybe you didn’t read (or wanted to reiterate).

It’s the same question as for so many other parts:

An infant network will be vulnerable like … an infant.
It is pertinent to ask what kind of support wheels the network should have in the beginning.
Some purists frown and shudder at the thought that it wouldn’t be 100% decentralised and autonomous from node one, but hey, it’s a quite “natural” thing that an infant needs protection (which can later be shed as it grows), and only using allegories and references to elders and nature and ants when it is convenient would make that concept seem a bit hollow.

(Actually, that’s a reason why I think it is a little bit problematic with the biology-lite often referenced, because only a very few similarities are chosen, and it’s hard to do more than that, so it will always just be a few phenomena that happen to be alike, while the larger picture can be quite different. Many more exist, which are brutal, cruel and quite the opposite to what the goal of the network is. But that’s very much a side note).

4 Likes

This is the post by Vitalik that prompted the ‘99%’ headlines:
“In the case where one node is honest, can we guarantee that passive observers (ie. non-consensus-participating nodes that care about knowing the outcome) can also see the outcome”?

Yeah an infant needs protection agreed, but I also think the network needs protection from economies of scale going forward. Otherwise, all of our data could end up in 8 data centres around the world. To avoid this, once a geo partition gets big enough, it can divide like mitosis. Promoting decentralisation of a geo section further. (The geo-sections chunks will be spread 50/50 between these new sections)

This way the cost to run a single global safe farm gets increasingly more expensive as those resources are required to be further distributed to earn the same amount of safecoin. Improving protection against sybil attacks while increasing robustness of data redundancy, making early farmers be rewarded for distributing their farms across the world, i.e. the biggest rewards will be in places with no coverage because you’ll earn more safecoin. While spinning up extra AWS EC2 nodes won’t earn you much reward because the network already has plenty of them.

I would happily help contribute this feature to the safenetwork if core developers were happy enough with the idea and would like to collaborate in producing a design specification.

I think the point is, if 51% (the majority) of people think something should happen, then the other 49% are arguably the crooks. Taken to 99% and 1% respectively, then even more so. It becomes a question of ethics, the further you get towards a minority dictating what is right and honest.

The situation I described is about the case when the crooks have a local majority. Most of the network would still disagree with them, but poor me doesn’t know about that because I’m surrounded by bad actors.

Those bad actors could be new releases changing core network functionality. The point is, what resolves to a good or bad actor largely reflects majority opinion. Suggesting that we can have 1% of honest nodes defining behaviour seems rather undemocratic in this light and may not even be desirable.

1 Like

You walk into a shady bar. A group of good-for-nothing thugs surround you and demand your wallet. They have an absolute majority at that place. Should we question they are in the wrong and, though in the minority, at least locally, the one dude who stands up for you is what we’d call an honest actor?

I don’t think it’s such a difficult concept. We can have unfortunate situations when we find ourselves at a place where most people are trying to mislead us. It’s real good if we have a mechanism to help us recognize such cases.

I’ll repeat, because it seems to have got lost on you twice already. It’s not that we should support the minority view, but that we should see when the local majority is not aligned with the global majority. It’s about the times when the majority opinion, that you hold in such high regard, and rightly so, needs protection from a directed organized attack.

See taxes vs theft, wolves and lambs deciding who is for lunch, etc. There are plenty of times where majority dictates what is defined as right or wrong.

While I am not a huge fan of statism, the right of the majority to overturn a tyrannical minority is perfectly healthy.

Wind your neck in! The local decision is what counts. The clue is in the name - distributed autonomous network.

There is no concept of global consensus, just an emergent consensus which grows out from local consensus. This isn’t a blockchain and the local decisions are final.

Now, you can add more centralisation, watchers/observers/adjudicators etc, but all these steps start to strip consensus groups of their independence. These will add latency and work against the core philosophy of the network.

6 Likes

I see what you mean. If I get it right, the situation I described should never be able to happen on the Safe Network because of how it’s designed (something which I, ironically, argued for on another thread against @neo) and that means we’re already covered.

2 Likes

This makes me wonder (there are a few assumptions because maybe I’m not sure how everything in this network works) what happens in the following scenario. If a chunk has been distributed to 1 good actor and 7 bad actors, the 7 bad actors can’t make the good guy delete or mutate the chunk because that request signature hasn’t been made by the client. Therefore, when the client requests the chunk, would they get 7 bad replies and finally 1 good reply they agree is their data? Does the network now punish the bad actors and redistribute the data? Because the client is boss and has made an accusation that 7 nodes are bad?

Not enough info on the makeup of the section to be sure. Let me describe something that might answer you.

7 bad actors. How many are Elders? How many other Elders? Remember Adults and maybe children will be running vaults and only Elders get to decide what happens with consensus and data retrieval.

  • When a chunk is requested the section decides which vault sends the chunk.
  • The chunk being served up by the vaults must have its hash match what the hash should be. Immutable data is stored using the hash as the XOR address, so that’s easy.
  • Now if there are 7 bad actors and 3 are Elders and there are 20 good elders then the bad actors will have to act good or be discovered and punished somehow.
  • Now if there are 7 bad actors and all Elders and there are 13 good Elders then the bad actors can only disrupt section operations. But in any case the client code can tell if the chunk is received correctly by the hash. So no the bad actors still cannot force bad data onto the user.
  • Now if there are 7 bad actors and all Elders and only 3 good elders then the bad actors can do as they please and destroy data. But the client will still know if the chunk received is good or bad because the hash still has to match.

Disclaimer: I am unsure about data integrity of MDs in the above scenarios

4 Likes
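The client-side check described in the bullets above, as an added example (not code from the forum thread or the Safe Network project): because immutable data sits at the hash of its content, a client holding the address can reject every reply whose content does not hash to it, however many vaults served bad data. It assumes SHA-256 as the address hash; the chunk and the eight replies are constructed sample input.

```python
import hashlib

# Added example, not code from the forum post or the Safe Network project.
# Assumption: the XOR address of immutable data is the SHA-256 of its content.


def xor_address(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()


def select_valid_reply(address: bytes, replies: dict):
    """Pick the first reply whose content hashes to the requested address.

    Returns (chunk or None, list of vaults whose reply did not match).
    A mismatch is detected purely from the address the client already holds,
    so no number of bad replies can push wrong data onto the client.
    """
    good, bad = None, []
    for vault, data in replies.items():
        if xor_address(data) == address:
            if good is None:
                good = data
        else:
            bad.append(vault)
    return good, bad


# Constructed sample: seven vaults return a corrupted copy, one the real chunk.
ORIGINAL = b"example chunk contents"
ADDRESS = xor_address(ORIGINAL)
REPLIES = {f"bad-{i}": ORIGINAL[:-1] + bytes([i]) for i in range(7)}
REPLIES["good"] = ORIGINAL
```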

Just a quick reminder, MD’s are signed by the client, so worst that can happen is

  • It is not provided
  • An “old” copy is provided.

So if a client knows the version, the second instance is not an issue as it would be ignored. The first problem is also able to be penalised if the client or neighbours (who will have it) can access the data chain showing the data should be there. It’s a bit deeper, but the 10,000-mile view is this.

5 Likes
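The two MD failure modes named above (not provided, or an old copy provided), as an added example that is not code from the forum thread or the Safe Network project: a client that knows the current version verifies each reply’s client signature and sorts replies into ok, stale, forged or missing. An HMAC over the MD fields stands in for the client’s signature, and the key and replies are constructed for the example.

```python
import hashlib
import hmac
import json

# Added example, not code from the forum post or the Safe Network project.
# Assumption: an HMAC over the MD fields stands in for the client's signature.
CLIENT_KEY = b"constructed-client-key"


def _body(name: str, version: int, payload: str) -> bytes:
    return json.dumps({"name": name, "version": version, "payload": payload},
                      sort_keys=True).encode()


def sign_md(key: bytes, name: str, version: int, payload: str) -> dict:
    sig = hmac.new(key, _body(name, version, payload), hashlib.sha256).hexdigest()
    return {"name": name, "version": version, "payload": payload, "sig": sig}


def verify_md(key: bytes, md: dict) -> bool:
    expected = hmac.new(key, _body(md["name"], md["version"], md["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, md["sig"])


def resolve_md(key: bytes, known_version: int, replies: dict):
    """Return (accepted MD or None, {vault: "ok"|"stale"|"forged"|"missing"})."""
    accepted, verdicts = None, {}
    for vault, md in replies.items():
        if md is None:                       # not provided at all
            verdicts[vault] = "missing"
        elif not verify_md(key, md):         # altered after the client signed it
            verdicts[vault] = "forged"
        elif md["version"] < known_version:  # an "old" copy: ignored
            verdicts[vault] = "stale"
        else:
            verdicts[vault] = "ok"
            if accepted is None:
                accepted = md
    return accepted, verdicts


# Constructed sample: one vault serves the current copy, one an old copy,
# one a tampered copy, and one nothing at all.
CURRENT = sign_md(CLIENT_KEY, "md-1", 5, "current contents")
OLD = sign_md(CLIENT_KEY, "md-1", 3, "older contents")
TAMPERED = dict(CURRENT, payload="changed by vault")
REPLIES = {"v1": CURRENT, "v2": OLD, "v3": TAMPERED, "v4": None}
```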