
Snowflake to Avalanche: A Novel Metastable Consensus Protocol Family for Crypto - pors
https://ipfs.io/ipfs/QmUy4jh5mGNZvLkjies1RWM4YuvJh5o2FYopNPVYwrRVGV
======
apo
Initial reactions:

1\. Sybil-resistance (faking strong consensus by deploying cheap replica nodes
you control) in a protocol like this is crucial. All I could find is this:

 _To prevent Sybil attacks, it uses a mechanism like proof-of-stake that
assigns weights to participants in committee selection based on the money in
their accounts._

2\. Every non-proof-of-work protocol I've seen, including Ripple Consensus
Process and proof-of-stake, creates a problem of initial coin distribution. PoW
systems have a clean distribution mechanism based on external resource
consumption. Non-PoW systems produce an airdrop situation. Players start with
no funds, and so can't stake. The creator of the network manually assigns
ownership, with important long-term political consequences (e.g., Ripple).

3\. The lack of an incentive structure around fees in protocols like Ripple
creates bizarre economic consequences. For example, Ripple is guaranteed to
lose money stock because fees are simply burned, rather than given to the
consensus leader as in Bitcoin.

4\. So far, I haven't seen anything in the paper regarding denial of service
attacks on nodes. In other words, I see no negative incentives levied on those
who can sign transactions from flooding the network with useless spam, bogging
everything down.

~~~
shepardrtc
> PoW systems have a clean distribution mechanism based on external resource
> consumption.

Unless the creators are the only ones mining for a time.

~~~
Shoue
Even without that it's still not fair because of ASICs not being widely
available to consumers. It's not as fair as simply selling tokens/coins which
grows linearly with how much money you have, which is what you'd be spending
on electricity and hardware anyway, you're just taking the shortcut of not
using them and is one of the more popular arguments for PoS.

------
api
This seems like a thoroughly thought out version of a DAG (directed acyclic
graph) based currency. I don't have time to go through it with a fine-toothed
comb, but I'm curious about others' reactions.

There are well known problems with DAGs: lack of incentive to run full nodes,
tip choice attacks, flooding/spam attacks if there are no fees, and many and
varied types of Sybil attacks.

For flooding or spam a transaction proof of work isn't enough. Not only does
it "waste" a lot of energy (though at the edge nodes where it's less visible
than mining farms) which negates part of the purported benefit of a DAG, but
it's vulnerable to ASICs or botnets. If you can short a cryptocurrency on any
major exchange that supports short selling then it will get attacked with the
goal not of stealing coins or censoring transactions but of just destroying
it.

Tip choice attacks combined with Sybil attacks can be very sophisticated. Tip
choice is "random" but randomness cannot be verified. 3, 18, 593, 3, 3, now
prove those were not random numbers modulus 1024. You can't of course. So I
can non-randomly choose the transactions I link to. If I combine this with
some sophisticated analysis of the network's transaction structure and
physical topology I might be able to skew the network in some disastrous way
over time in ways that would be completely undetectable since my apparently
"random" tip/link choices were not in fact random. Then I can do something
like short the coin and do something nasty to the network.

Attackers can be very _very_ creative, and attacks only get better.

Last but not least: there is no mining mechanism in a DAG coin, or at least
I've never heard of how one could be done. This means DAG coins are "Big Bang"
coins that begin with all the money that will ever exist. This is problematic
from an economic point of view and opens a huge can of worms around what is
done with that money and how it is distributed to initial holders.

------
aepiepaey
Please update the submission title to match the title of the linked paper,
i.e. "Cryptocurrencies" and not just "Crypto".

~~~
jjallen
It's probably too long with the entire word.

~~~
nathell
Then maybe trim the initial catchphrase, or the word "novel."

------
leijurv
This sounds an awful lot like each transaction can consume exactly one UTXO,
but can have multiple UTXO outputs. This would cause progressive "shattering"
of the UTXO set into millions of low-value "dust" UTXOs, a problem that
Bitcoin is struggling with (specifically, how best to incentivize "cleaning
up" the UTXO set by making transactions with multiple inputs, even though that
increases the overall transaction size).

"We adopt what is commonly known as Bitcoin’s unspent transaction output
(UTXO) model. In this model, clients are authenticated and issue
cryptographically signed transactions that fully consume an existing UTXO and
issue new UTXOs."

~~~
wyas
Seems like ambiguous wording on that part. However, they do not seem to
require single-UTXO-inputs, but can consume multiple.

------
blattimwind
Either "using crypto" or "for cryptocurrencies"

------
chrispeel
It would be good if the authors would have extended figures 20, 21, and 22 out
to networks of size 20,000 or more nodes. Or at least described what they
expect to happen. I.e. if you have many more nodes, does the throughput remain
above 1k tps?

I also always like authors who are willing to acknowledge the limitations of
their work. If this work described the limitations I didn't see it; maybe they
think there are none :-)

~~~
wyas
Cursory reading, they do seem to discuss limitations. They say that the system
is not guaranteed to provide liveness for double-spends.

------
baby
We’re a technical community. Can we not shorten cryptocurrencies to crypto?
Admin can you change the title?

------
woah
Is this Sybil resistant though?

~~~
simias
That's my question as well, the introduction says:

> Specifically, the system operates by repeatedly sampling the network at
> random, and steering the correct nodes towards the same outcome.

Obviously random sampling could be trivially manipulated if anybody can spawn
nodes very easily. I expected that the "fix" would be in the "Snowflake"
algorithm but I don't see how it prevents that:

> When the protocol is correctly parameterized for a given threshold of
> Byzantine nodes and a desired guarantee, it can ensure both safety (P1) and
> liveness (P2).

But isn't that threshold effectively infinite? If you look at something like
the bitcoin network there are very few incentives to maintain full nodes.
Meanwhile if having a majority of nodes lets you cheat and steer the network
(which is not the case for BTC thanks to PoW) the incentive to spawn a huge
amount of byzantine nodes would be very high.

After that the paper introduces the notion of "confidence" which might be the
key to unraveling all that but I haven't yet fully understood that part. I
don't have more time to look into it at the moment, hopefully somebody else
will.
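
An added example, not part of any comment in this thread and not code from the paper: it compares how often a random sample is dominated by one operator's nodes when peers are drawn uniformly per node versus weighted by stake, as in the proof-of-stake style weighting quoted earlier in the thread. The node counts, stakes, sample size `K` and threshold `NEED` are constructed assumptions, and draws are modeled as independent.

```python
import math
import random

HONEST_NODES = 100   # constructed: honest participants, one node each
HONEST_STAKE = 10.0  # constructed: stake held by each honest node
ADV_STAKE = 100.0    # constructed: adversary's total stake, fixed
K = 20               # assumed number of peers queried per sample
NEED = 16            # assumed number of matching answers that sways a node

def build_network(sybil_count):
    """(is_adversary, stake) per node; the adversary splits its fixed stake
    across sybil_count cheap replica nodes."""
    nodes = [(False, HONEST_STAKE)] * HONEST_NODES
    nodes += [(True, ADV_STAKE / sybil_count)] * sybil_count
    return nodes

def adversary_share(nodes, by_stake):
    """Probability that one random draw lands on an adversarial node."""
    weights = [stake if by_stake else 1.0 for _, stake in nodes]
    bad = sum(w for (is_adv, _), w in zip(nodes, weights) if is_adv)
    return bad / sum(weights)

def p_captured_sample(p, k=K, need=NEED):
    """Binomial tail: chance that at least `need` of k draws are adversarial."""
    return sum(math.comb(k, i) * p**i * (1 - p)**(k - i)
               for i in range(need, k + 1))

def draw_sample(nodes, by_stake, seed, k=K):
    """One simulated query round; returns the number of adversarial peers."""
    rng = random.Random(seed)
    weights = [stake if by_stake else 1.0 for _, stake in nodes]
    return sum(is_adv for is_adv, _ in rng.choices(nodes, weights=weights, k=k))

def compare(sybil_counts=(10, 1_000, 100_000)):
    """Rows of (sybil_count, P[captured | uniform], P[captured | by stake])."""
    rows = []
    for s in sybil_counts:
        nodes = build_network(s)
        rows.append((s,
                     p_captured_sample(adversary_share(nodes, False)),
                     p_captured_sample(adversary_share(nodes, True))))
    return rows

if __name__ == "__main__":
    for s, uniform, staked in compare():
        print(f"sybils={s:>7}  uniform={uniform:.3e}  by-stake={staked:.3e}")
```

Under uniform sampling the capture probability tracks the number of nodes the operator spawns; under stake weighting it depends only on the fraction of stake held, so splitting stake across replicas gains nothing.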

------
mkirklions
At this point, are these papers simply to reduce the cost of verification?

It seems that's the only problem in the crypto world, but I don't know if
verification will ever be scalable.

~~~
simias
What do you mean about "cost of verification"? Verification is not too
difficult, it's reaching a consensus among trust-less nodes that is.

PoW solves the problem by making it so that any node which receives two valid
but conflicting versions of blockchain has an objective metric to decide which
one is the "right" one. The answer being whichever has the most work put into
it. Since you can't fake work you can't arbitrarily create a new chain that
would take over the others (unless you manage to work harder than all the rest
of the network combined, hence the 51% attacks).

Without PoW if you receive two valid but conflicting chains you need another
metric to decide which one you select. This paper describes such an approach.

~~~
stri8ed
Verification becomes difficult, when the system gains adoption and processes
thousands of TX per second. Then the issue becomes about the trade-off between
node resource requirements, and decentralization. Fundamentally, every node
having to process/verify every single transaction in the network, is not
scalable.

~~~
SkyMarshal
Hence the ongoing debate around whether verification should be less
computationally costly than computation (BTC) or whether a system can be
architected to successfully scale even when verification == computation (ETH).

------
3721
Much like hashgraph [https://hederahashgraph.com](https://hederahashgraph.com)

------
douglaswlance
Do you think it would be possible to build a consensus algorithm for
scientific consensus?

------
jchook
Perhaps this is the technology behind [https://chia.net](https://chia.net) ?

~~~
paulsutter
Chia is bitcoin but with farming (storage) instead of mining (compute), plus a
whole host of cleanups to do it right. So no DAG or any such thing.

One could read "Beyond Hellman's Time-Memory Trade-Offs with Applications to
Proofs of Space"
[https://eprint.iacr.org/2017/893.pdf](https://eprint.iacr.org/2017/893.pdf)

~~~
api
Is proof of space actually "greener" than proof of work? Memory and hard
drives consume power, and querying them consumes power. Seems like it could be
just another kind of work. It would be more ASIC resistant though.

~~~
paulsutter
yes. vastly.

~~~
api
I'm curious about this. Are you saying that relying on storage latency and
volume is energetically cheaper than relying on compute?

I see a few flaws in this. First of all: all fast storage media consume energy
even when idle. Secondly I think this neglects the embodied energy (energy to
manufacture) of storage media. Lastly if a proof of storage mining scheme
became popular you'd probably see ASICs that incorporate onboard fast memory
controllers with huge caches and other approaches that would improve
performance to the point that this would just become another proof of work.

Comparing full life cycle energy of different approaches to securing a
cryptocurrency is actually pretty tough. It's also pretty hard to compare it
to the energy requirements of more conventional approaches to currency since
the energy cost of those is so spread out across society.

