Should Elders Be Required to Post SNT Bond?

I’ve been thinking about the Byzantine General’s Problem. I watched this clip of Vitalik Buterin talking about how Satoshi’s solution was to limit the number of identities (in the Byzantine General’s Problem) one could obtain by imposing an economic cost (proof of work).

If 5/7 elders are needed to allow an attacker to create or steal DBCs, and elders are randomly distributed among sections, an attacker probably needs a relatively small fraction of the total elders for there to be enough variance for the attacker to have 5/7 elders in one section.

I think there needs to be an economic cost imposed on elders. My preference would be to require elders to stake a nontrivial amount of SNT. Perhaps an alternative (or to be used in conjunction) could be to impose on elders certain hardware requirements. Frankly, I don’t think node age is sufficient.

Am I missing something? Has this been considered?

It’s interesting, but bitcoin or Ethereum don’t solve the byzantine generals problem. Their solution would be one general send up smoke signals to the other general and that does not work as the enemy can see them.

So encrypting those smoke signals might work if both generals can encrypt/decrypt etc.

Anyway, this is a deeper thing in many ways. POW forces people to buy in (via equipment and electricity) and it’s so expensive that nobody can theoretically own >50%. (or colludes)

POS is similar but uses currency directly to buy in, hoping that nobody buys >50% (or colludes)

In our system atm the “cost” of becoming an elder is linked to the behaviour of a node over time. A well-behaved very long-lived node might become an elder. The section it can become and elder is unknown to it and not calculable up front.

All of these depend on non colluding to various degrees. For us maybe elders colude, but the keys they use (consensus keys) are not persistent. So to collude you first need to be running a crooked version of the software. That sounds doable, but would you, if you were a crook, run code given to you by another crook?

It’s a long deep area for sure. Ideally, we look to a solution where Elders cannot steal, I,e. they cannot create money. There is work happening there and it looks promising, but politically an issue in some ways.

So our elders can only agree to a DBC spend to not, but they cannot manipulate a dbc transfer, they can only deny it. There are easy fixes for that, such as allowing any section to validate any spend, but we don’t need that right now. I feel there are better, simpler ways to do this.

Staking some rewards is an option that is floated around a lot and is likely a good idea to penalise bad behaviour. In our system, that would mean denying spends for the elder’s dbc until a certain point, possible where the elder cashes in and leaves the network.

The problem with this is there is little economic cost to running a well-behaving node for a while. An attacker could fire up 1000 (or more) nodes on virtual private servers and wait for the opportunity to strike.

In addition, it seems to me that requiring elders to post an SNT bond would be easier than determining (and creating the code to determine): (a) what is a “long-lived node” (e.g., is a node that went offline for 1 hour an infant again?) and (b) what is “well-behaved.”

EDIT: Even if elders must post a bond, there may still be utility to imposing node age requirements and “behavioral” requirements. But a bond requirement may help simplify the criteria for determining what is a “well-behaved long-lived node.”

This sounds like another reason to impose an SNT bond requirement.

That would be great. I’m not understanding how that would be political, but that’s okay.

I’ll keep my eyes peeled for a solution. My understanding was that, at least the way the network is constructed at the moment, 5/7 elders can manipulate transactions or perhaps even create DBCs out of thin air.

I’m not sure I’m understanding what you’re saying. If you mean that the system could deny spends for fraudulently obtained DBC, I think that would be difficult to implement (the system would have to catch the bad actor in time and who would have authority to determine whether the DBCs were fraudulently obtained and to deny the spend?).

If you’re saying they should stake some SNT in order to become, and to stay, an elder, I agree. And if they commit some bad act on the network, the staked SNT could go toward compensating the victims. Or if there is no particular victim, like if SNT is fraudulently created, the SNT could be burned to compensate the token holders for some of the dilution.

But my idea is moreso to make an attack uneconomical than to create a victims’ relief fund.

With the network up and running, the time period for becoming an elder will be years. That is a cost, a time cost and a £ cost.

Keep in mind Ethereum took 8 years to get there

Without node age then, you can just buy yourself an elder. I feel node age is a solid sybil defence. We have modelled it and with sections of >60 then it takes centuries to become an elder majority (i.e. >2/3) assuming random churn every 5 mins.

Bonds don’t stop collusion though.

This part is OK as the currency is auditable, Elders cannot manipulate the transactions as they are owner signed. They can just agree to the re-issue/spend.

If elders created DBCs then they would not go back to genesis and not be valid.

No, that would be horrific IMO.

Kinda, what I am saying Elders get paid continually as folk store data. That payment would be to their wallet. As wallets are one time keys (Stealth addresses), then the elder (or adult) can only spend it once. However if the elder misbehaves and is killed then that DBC can likely also be killed in some form of elder blacklist.

Agreed

Sounds good, cheers

There is a protection for that, network takes new nodes only when it needs them, you cannot add large amount of nodes when you want.

Problem with bond/stake is it leads to centralization (look at ETH for example). It is either so low it doesn’t stop rich attacker or so high it will exclude most people from poor countries, or probably both at the same time considering global wealth disparity.

I am not against the idea, only trying to explain reasons for the current state of things.

Isnt that idea just stopping common folk from becoming elders and centralising elders to monied folk who are interested earlier on?
I think that could well increase the chances of an entity trying to gain a position where they could try to abuse the network through that centalisation.
If the bond were high enough we possibly wouldnt have many to choose from to promote to elders to stsrt with.

I don’t think it is a high enough cost, if 5/7 elders can indeed steal.

How will elders be determined at the genesis of the network? There won’t be any nodes with years of age at that time, right? Maybe the network needs a bond for elders for a period of time?

No, but they impose an economic cost to each colluder.

I’m not a fan of that idea. I would prefer DBC transactions to be final.

I don’t think that’s a protection. My whole point is that time is not good enough. Crooks are patient. Unless the economic costs of an attack outweigh the economic benefits of an attack (and assuming an attack is possible), an attack WILL occur.

Frankly, I don’t care if someone from a poor country cannot become an elder if that is what must happen for the system to be resistant to attack.

As to the centralization point, how does a bond centralize the network any more than it already is? In any event, I think a better analogy than ethereum’s proof of stake would be to a DASH masternode that must post a DASH bond.

The whole point of the bond is to prevent centralization in the hands of a single person or a small group of attackers. It imposes an economic cost to creating identities. I suggest you listen to Vitalik’s comments that I linked in the OP.

We would need to find a happy medium between the cost of an attack v. the potential reward from an attack as well as the size of the bond v. the need for more elders.

It is. It dilutes the attack, even if you can afford unlimited amount of nodes, you will only get few in the network and that will be mixed with other joining nodes because you cannot keep others from joining.

It limits the number of people willing to run such a node.

This may be the critical point. They cannot steal, instead, they can just refuse service.

What I mean is if >50% collude, then there may be no cost detriment.

I think we all do, they have to be. The process would be the coins are held in some way the elders can claim, but in any case, these are rewards, so we do have scope.

This is true, but the costs will likely outway any reward. It’s not having dumb nodes running, they need to work for extended periods of time. I suppose you can write off any cost, but it would not be true to do so. There is certainly a cost.

If you place a bond, then collude and take control of a section, then what have you done? It is arguable the bond allows a fast takeover.

As ever the devil is in the detail and I am certain as POW was not the answer to everything then POS is also not the answer to everything. They all offer something as does node age.

Not trying to be pessismistic, but i just dont think we could have it high enough to stop an attack while still having enough prospective elders.

Our comminity is not that large, and i imagine we will mainly be the initial supporters of the network.

Not that i know others financials.

Edit.
Personally i wouldnt front even £100k to be an elder.
£100k is not really enough to prevent attacks either IMO.

What sort of figures are you imagining?

Same, also how many billionaires are there from bitcoin profits and many of them are the ones playing the markets with many millions at a time. I can imagine they could buy up all the elders and cause havoc to destroy the network. A few million to them is chump change that they can recover amny times over with a pump and dump

Perhaps. There may still be a vector of attack during periods of network growth or, more importantly, at the genesis of the network.

Which would only be a problem if we need more elders and there are no willing participants.

I’m not sure I understand. That is how it is or that is the hope? If elders cannot steal, why do we impose a supermajority requirement rather than a simple majority? I thought from your comment here that it was a work in progress and something that may or may not ultimately happen:

In any event, (again, assuming elders can steal) node age may be sufficient once the network has aged a bit. When the network is young, however, it may not require years and years of running a node to become an elder.

A few thousand. Since you’d need about 30-40% of all elders to have a good shot of getting 5/7 elders in any one section, a few thousand would impose a significant cost.

I’m not saying to get rid of node aging. I’m moreso exploring the idea of imposing an additional requirement. The more we talk about it, the more I think it may only be necessary at the genesis of the network (again, assuming a supermajority of section elders can steal).