Step-by-step: the road to Fleming, 2: Sybil resilience



Well, personally I think this needs to be viewed in the context of wanting to balance the lowest possible rejection rate for normal users (“honest nodes”) with rejecting as many malicious ones as possible.

Yep these simulations add valuable data and crucial pieces to the puzzle :slight_smile:
In general I’m a big fan of all the simulations done by the community!


I mentioned the issue of network partition in another post (How good is SAFE Network really for anonymity?) and people kindly replied to me on how Safe could address it (was glad to see people welcoming new questions!). Unfortunately I was not completely convinced at the time (need more reading); and now seeing some relevant discussion here it has come back to my mind that network partition combined with some other techniques could still stand a fair chance to subvert the network.

First of all, partitioning-based attacks have been explored in the past for bitcoin, and I haven’t seen convincing proposals on solutions. One possibility might be to sacrifice liveness in case of partition to avoid further damage (which indeed was suggested in my other post); however someone raised a good point on this topic that the ability to stall or refuse a local chain is only viable if the partition is not complete. That is to say, a lot of what we try to rely on for security in a decentralized setting is having knowledge of the decentralized topology, and that knowledge itself is not localizable, in the sense that it requires exchange of information with the wider network, where ‘the wider network’ needs to have a defined and consistent meaning across.

Say the attacker realizes it’s too expensive to control sections; what he can do instead is to build a walled garden with potential users inside, such that he’ll have a partitioned network where he always has the main share, regardless of the resistance we build into the network by decentralization. He can do that, for example, by using middleman rogue servers in front of the bootstrap servers, controlling a few bootstrap servers and blocking others, so a new user by default is likely to enter his network; and of course he can also tweak his own network by making it corrupt as well. Only nodes which managed to exchange information with those outside the partition in the past can escape the fate of being walled; for new nodes, any attempt at knowing the ‘true picture’ could be prevented by complete partitioning.


The whole point of my post was precisely to point out that those kinds of abstractions “in a general sense” really don’t help, and we are getting too meta already.

Another example could be, humans are also animals “in a general sense”, but you wouldn’t go to a veterinarian for a health check, would you?

Going from “PoW shares the same problems with PoS” to “PoW is basically PoS” to your extreme statement of “Everything is PoS, essentially”: this deformation is precisely what I fear will happen when others read this; each level of abstraction makes it more and more inaccurate, to the point of becoming ridiculous and meaningless.

Another example of abstraction is that the SafeNetwork is an open system that maintains homeostasis, is composed of cells, can grow, adapt to its environment, respond to stimuli, reproduce and evolve… therefore, in a sense, the SafeNetwork is a new lifeform.
Which is a valid deduction based on the premise, but not really true, is it?
Do these kinds of statements really help to move the technical discussions forward? Does that mean that the Maidsafe team needs to hire an exobiologist now?

I hope I have got my point across now…

How Safe is the SAFE Network

Any info about how the queue to join will be managed? Could the queue also be subject to sybil attacks? If the queue can be controlled, that could be quite valuable in itself. (Seemed like this would be part of RFC Node Ageing but I couldn’t find any details on disallow rules other than the section Starting A Node, which says only one node of age 0 is allowed.)

A bit of a philosophical point on this: the network can control the supply very well (knowing how much spare storage there is, then slowing supply via disallow rules or increasing supply via farm rate). But the network can not control the demand very well (demand ‘just happens’, both read and write demand, although write demand can be slightly controlled by PUT price). So how does this supply/demand asymmetry affect the design of the disallow rules? I think if demand is unavoidably chaotic then supply should be very minimally constrained, or effectively not constrained at all. Open to being convinced otherwise!

Is this relocation verifiably random? Any more info on this mechanism? The latest I can find is from 2015 RFC Address Relocation which uses a hash of current member names.

Looking forward to seeing some economic modelling of this. I’ve tried it myself but seeing it from elsewhere will be really cool.

This is an interesting idea (but not one that I know of any plans to implement).

There’s a good list of malice detection for malicious peers. I wonder what malice could be detected at the section level and what action could be taken.

Is detecting malicious peers good enough?

I have to admit I got a bit of a chuckle out of the name Proof-of-Importance. All this proof-of-this and proof-of-that, what even is proof?! The term is definitely becoming diluted and imo SAFE should stay away from proof-of-x naming.

In general I agree. More inclusion is usually a better result (my politics speaking). But the cost can be quite high, especially for performance. So to my mind there needs to be some conscious deliberate balancing going on (not necessarily hardcoded, but the joining rules should be made with a degree of predictable intention). Not easy!

But what’s the benefit? Why would an attacker do this? I’m not sure I understand the motivation for partitioning the network.

To take this slightly out of context, I agree and think proof-of-x also does not help the technical discussion and should be dropped completely at all levels from beginners to wizards. The SAFE network has consensus and it has event ordering, they work together to secure the network. There’s no proof of anything. Just consensus and event ordering.

But ‘telling people how to talk’ is pretty ugly so I’ll leave it at that!


A couple of hopefully helpful points.

Not yet, but we will for sure have an RFC for this and I expect a lot of really informed debate here, I think we all have ideas and feelings, so great to get to hard facts on this one.

Now we can use the hash of a PARSEC Block that causes the relocation, so “random”, or perhaps better to say non-deterministic, or difficult to know this value beforehand. Still needs to be checked for edge cases, just to be certain.

Agree, this part is very interesting and can couple a lot of the network functions; it is an area where the feeling is certainly that simpler will be better, even though it seems lacking at first. So potentially not limiting too much (already it is a single Infant per section), or none at all (allow an attacker to flood the network with new nodes), are great to consider from an attack perspective. Or we have the full limit, where the network calculates if it needs new nodes/workers and only then accepts them. As you say, we cannot control Gets so much; we have some control over Put and Add etc. and can throttle Gets, so there is decent scope here to figure out the most appropriate mechanism. So we can make the network go read-only then “stalled” (basically reduce or stop Get requests for a period), so using these options and thinking about swarm / botnet attacks, balanced with join in, do work, get paid easily, is a great place for thought experiments.
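As an added illustration of the two points raised above (that a relocation target derived from a block hash is not something the relocating node can steer, and that uniform placement is what keeps a Sybil attacker's share of any single section small), here is a small Python toy. This is not MaidSafe's code or anything from the thread: the address derivation (SHA-256 over block hash and node id), the section-prefix width, the constructed block hashes and the 1/3 threshold are all assumptions made for the example, not the network's actual rules.

```python
import hashlib
from collections import Counter
from math import ceil, comb


def relocation_target(block_hash: bytes, node_id: bytes, prefix_bits: int) -> str:
    """Section prefix (bit string) a relocated node lands in.

    Assumption, not the project's scheme: the new XOR address is
    SHA-256(block_hash || node_id) and a section is identified by the
    first `prefix_bits` bits of that address. The thread only says that
    the hash of the PARSEC block causing the relocation is used.
    """
    digest = hashlib.sha256(block_hash + node_id).digest()
    bits = bin(int.from_bytes(digest, "big"))[2:].zfill(256)
    return bits[:prefix_bits]


def prefix_histogram(node_id: bytes, prefix_bits: int, trials: int) -> Counter:
    """Count where one fixed node would land across `trials` different
    (constructed) block hashes. If the node cannot influence the block
    hash, the counts should be roughly uniform over 2**prefix_bits sections,
    i.e. it cannot 'aim' at a section it already has friends in."""
    counts: Counter = Counter()
    for i in range(trials):
        fake_block_hash = hashlib.sha256(b"constructed-block-%d" % i).digest()
        counts[relocation_target(fake_block_hash, node_id, prefix_bits)] += 1
    return counts


def section_compromise_probability(p: float, n: int, threshold: float = 1 / 3) -> float:
    """P(attacker holds >= ceil(threshold * n) of a section's n seats) when
    the attacker controls fraction p of all nodes and placement is uniform.

    Binomial model. threshold=1/3 is the usual BFT bound; the thread does
    not state PARSEC's exact quorum, so treat it as an assumption."""
    k_min = ceil(threshold * n)
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(k_min, n + 1))


if __name__ == "__main__":
    hist = prefix_histogram(b"node-A", 3, 8000)
    print("landing counts over 8 sections:", dict(sorted(hist.items())))
    for p in (0.05, 0.10, 0.20, 0.33):
        print(f"attacker share {p:.2f}: P(section >= 1/3 malicious, n=8) = "
              f"{section_compromise_probability(p, 8):.4f}")
```

The histogram is the "cannot pick your group" property: for a fixed node the landing section varies with the block hash and nothing else. The binomial figure is the flip side: with uniform placement an attacker's chance of reaching a third of an 8-node section stays in the low single-digit percent range for a 10% global share, but climbs steeply as the share grows, which is why the join-rate limits discussed here matter.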


I meant any node that passes the initial PoR test shouldn’t be rejected just because there is enough free space. I agree that the network should reject nodes that are not capable enough, otherwise the network might under-perform. I will edit my post accordingly.


Made me think of this


Well, there is a practical difference. With the SAFE network you can invest even a small amount of computer resources over time. This means those who do not have cash and can only buy tech on occasion can still participate in the network. Some people just don’t have a disposable income to spend on PoS, or even more on PoW, which requires extreme computing power these days. SAFE is essentially more flexible and therefore allows those in poverty to enter.


I think you guys have it, we have a stake as such, but mostly time. This is something we all have varying degrees of. I would hope the time and dedication of farmers is what pays off as opposed to a single huge cash influx being able to affect the picture. This time is great here as the poorer folks with some time and small compute devices can be rewarded.

So the shift from wealth buying immediate influence to also requiring time means anyone with that time stands an equal chance, per computer of course. The wealthy may have millions of computers and millions more chances, but the time will be fair across all devices. I am certain we can do more, but let’s see; step 1 seems the right direction.


I’m also not a big fan of all these proof of… But I can’t help myself: I hear farmers and I hear proof of stake…
With proof of steak it certainly takes time and effort: raise the cattle on the farm etc…



I get me steak from the butchers. Doesn’t all meat come from the meat shops? What’s a cattle?

The shop assistant has plenty of proof it’s steak

Yes I lived rural and know


The comparison has its problems, but are the other “proof of” comparisons that much better?


As a vegetarian I’m strictly against proof of steak. But proof of tofu burger isn’t more appealing. How about proof of organically grown salad? (POOGS)

Oh no, if you combine this (tofu under salad), you get POTUS.


If you’re not an ovo-lacto vegetarian, maybe proof of cake? You can’t have and eat it too anyways :wink:


I don’t know who said it, but “time is money”.


I am not quite understanding why older nodes should be more trustworthy… What happens if an attacker is setting up lots of vaults right when the network goes live? I mean there doesn’t seem to be a mechanism to make sure these “king nodes” are really good people, they are just the ones that got there first. It sounds to me like once you had the king nodes you could even use them to reject all new vaults that aren’t yours and actually gain even more influence over time.


When a node joins it gets moved around the network a few times (its XOR address is changed). If it is shown to be unreliable in any of these sections, its node age won’t increase and it may be ejected from the network. So older nodes will have proved themselves to be more trustworthy. However, it’s not impossible for them to feign trustworthiness until it’s time to launch an attack, but it would be hard to co-ordinate such an attack because nodes can’t control which group they are in. Also the malice detection being built into PARSEC adds a further layer of protection by constantly checking that nodes are gossiping like they should. I don’t think a load of king nodes could alter that (could be wrong). So such an attack would not be very hard to pull off except when the network is very small; even then it would be difficult.


You should also consider the other incentives here. They will have had to maintain a fair node during this period, which had a cost (a stake). They will also have been given rewards for doing so, which will likely have got better as their node gained influence.

While it doesn’t mean that sleeper nodes could not cause damage, making it undesirable for them to do so is a big part of the equation. It will never be impossible, no matter what technical solution is put in place. It can be made highly undesirable by incentivising good behaviour though, which is also the case with proof of work and proof of stake in blockchains.


I thought it was the oldest nodes that decide what group new nodes go in. They are basically supposed to do this randomly, but what stops malicious old nodes from not being random and choosing allocations that would help them in an attack? I do think you maybe answered this, in that the agreed on rules of PARSEC makes sure even old nodes are being random somehow (and although I don’t fully understand HOW with my limited technical knowledge I can accept this might be true.)


I do see your point here and it has worked with blockchains in the past. Why destroy a network when you are already getting such a large share of the legit rewards, even if you have 51%? I guess I am just talking about internet terrorists that just destroy things even at cost to themselves. Or perhaps the government of China decides we just can’t have this much freedom and initiates cyber war against it.