Topics

http://bitcoinhivemind.com/blog/chance-of-success/

You claim to give "other altcoins" a 1/10000 chance of having a majority of domain experts agree that the concept is useful in 2020. My version of truthcoin is a 100% premine altcoin. I want to bet 10 grams of my gold against 50 kilograms of your gold, which is twice as good as the odds you claim to believe.

My software: https://github.com/BumblebeeBat/FlyingFox

https://groupgnosis.com/

This project is exciting. It is on ethereum like Augur. They are adding payment channels to reduce blockchain bloat.

How can truthcoin possibly be written on top of bitcoin source? The incompatibilities are big.

Bitcoin channels are NOT designed for betting. You can't bet at all yet. Space and time requirements increase exponentially as you hash-lock or bet on more things.

I had been imagining hubs in the network making a profit by taking part in bets for arbitrage.
If the cost of adding a bet to a channel is too high, then it wont be possible to do arbitrage as often.

Bets in channels will work like hash-locked transactions.
In the bitcoin lightning network, as far as I can tell, to make a hash-locked transaction, you create 2 nearly identical copies of a channel tx at different nonce-heights. Each tx needs to be valid, so it needs to be signed over and contain all the same pieces redundantly.
One tx is valid if the secret is never revealed.
The other tx is valid once the secret becomes revealed.

So what if there are 3 payments in progress, each with a different secret? Any of the secrets could end up staying un-revealed. So there are 2^3=8 different possible outcomes to prepare for. You and your partner need to make a channel-block for each of the 8 situations ahead of time, otherwise you would have to trust your partner.

Betting is a lot like hash-locks, except it takes longer for the outcome to be known, so you need to have many more of them in parallel. Each bitcoin transaction takes around 300 bytes. Assuming you had a gigabyte of space for storing bets, and you were willing to send a gigabyte to your partner back and forth over the wire, and you were willing to sign 33 million times to update, you could have 25 bets simultaneously per channel. Each signature takes 0.003 seconds on my machine, so it would take 29 hours for my computer to do my half of the signatures to update the channel once.

If I was limited to the more reasonable 10 bets per channel, it would take my computer 5 seconds to make the signatures to update the channel once, and it would only take 300 kilobytes of space.

The version of Truthcoin I am working on will have sane channels. You only need 2 copies of the channel at a time, even if you are betting on multiple things. https://github.com/BumblebeeBat/FlyingFox
In Flying Fox, adding an extra bet to your channel takes 32 bytes for the hash, plus ~2 more bytes of formatting.
You can update a channel of 300 bets by making a single signature in 0.003 seconds, and it would only take 20 kilobytes of space in total.

I agree POW is a good way to distribute coins. I think funding the answering of valuable questions is another good way to distribute coins. Selling coins in exchange for food to feed developers of the blockchain is another good way to distribute.

Besides creating coins, we also need to destroy some value to maintain consensus. If we don't destroy value, then a Sybil attack could be used to exclude some transactions from the history.

The consensus used in Flying Fox is a cheaper way to secure consensus than proof of work, but you have to understand channels, which allow off-chain transactions, to understand why. Putting your money into a channel reduces network liquidity, which destroys value. The value that gets destroyed for maintaining channels can simultaneously be used to secure blockchain consensus, so we don't have to destroy value twice. We can kill 2 birds with 1 stone.

If truthcoin is going to scale, eventually you have to put it into channels. Your current blockchain consensus cost estimates make POW look cheap because you aren't including the cost of the channels. The fiat banking system needs actors who behave like channels. When you spend money internationally, you are usually giving money to someone who professionally owns piles of money around the world, and earns a profit from moving value for customers. Moving small payments off-chain is how payment networks scale.

==Why proof of stake is more expensive than pow==
Usually, taking part in the consensus process for proof of stake means putting up a bond. The bond-holders work together to make the next block. A person with 10% of bonds has 10% control over what the next block will look like.

This is expensive because the money that is in bonds cannot be used for anything else. Value is destroyed based on the interest rate.

==Why delegated proof of stake is more expensive than pow==
When you vote for someone based on how much money you have, your money is still spendable. So money isn't destroyed base on the interest rate like in POS, but look at presidential elections to see how much money can be wasted on advertising candidates. The candidates don't have to have any investment in the blockchain to hold their position.  Candidates can pay for votes. Attackers can pay candidates to attack.

==About channels==

Channels transactions have some major limitation in comparison to normal transactions.
1) There is a finite amount of money in each channel. spending money in the channel changes what percentage of the money each of the 2 participants controls. The money on the customer's side of the channel is very liquid, he can spend it almost anywhere. The money on the validator's side can only spend to one person. It is nearly unusable, so value is destroyed based on the interest rate.
2) If your partner disappears, you have to wait a delay until you can get the money out.
3) If your partner closes the channel at the wrong point in history, then you have delay amount of time to provide counter-evidence and stop your money getting stolen. If there isn't enough space in any of the blocks for you to provide your evidence, then you lose.

Usually, one of the channel participants is very rich and very well connected. He is hired for his ability to cheaply move your money to many places. He is also hired to give you extra liquidity in your channel so that you can receive payments. This person has their node running 24/7 to process payments.

The other channel participants is not well connected. He only logs on occasionally to spend money.

==Something cheaper than pow==
If we combine the channel relationship with the delegation vote, then we can be sure that the validator is well invested in the system.
The only way to receive a lot of votes is by providing lots of liquidity.

So for this POS, instead of making bonds, you make a channel. For each channel, one of the pair of participants is the validator. If the channel has twice as much money, then the validator participants has twice as much control over adding blocks to the blockchain.

This is similar to DPOS in that you can still spend your money. So, like DPOS, we aren't wasting very much value due to interest rate.

It is dis-similar from DPOS in that if you vote for someone, and they don't give you any liquidity in the channel, then you can't receive payments. So the candidate would have to pay more in order to buy votes in Flying Fox compared with DPOS.

There will be a market rate for the balance between liquidity and validating power. For example, say the rate is 1/6
If I as a customer wanted to put 1000 coins into a channel with a liquidity provider, then the liquidity provider would be willing to put 5000 coins on the other side of the channel, and neither of us pays the other.
If I needed the ability to receive more than 5000 coins, then I would have to pay the liquidity provider to provide a bigger limit.
If I didn't need to receive money, and was only planning on spending, then I would set the limit to 0, and they would pay me for giving them more validating power.

So long as the validators own more than X of the coins, then the market rate between liquidity and validating power should stay below 1/X.

http://smbc-comics.com/comics/1441547707-20150906.png

betting in channels: https://github.com/BumblebeeBat/FlyingFox/blob/development/docs/channels.md

Any suggestions or questions are much appreciated.

I think it is a bad idea to pay oracles trading fees since the oracles don't participate in the trading process. Instead, we should pay them a judging fee when they do their judging.
Each oracle should have a flat-rate for how much it costs to do a judgement, regardless of how popular the topic is.

In FlyingFox the oracle is paid how I recommend.
If the gamblers agree on the outcome, then the oracle never finds out that gambling took place. If the gamblers disagree on the outcome, then one of the gamblers pays the oracle to write down the outcome on his channel-block and sign it. FlyingFox oracles do their judging off-chain.

If multiple pairs of people gamble on the same thing, as soon as the oracle judges on one pair's channel, the oracle has sort-of judge over all the channels that were gambling on the same thing. The same oracle-signature can be applied over and over to each pair of gamblers. The oracle doesn't know how many people are gambling.

47 minutes since the crowdsale started.
179.65974282 BTC
2686.35487879 ETH
https://sale.augur.net/?locale=en

Looks like people want to invest in prediction markets.

in the comments of this article Paul says he might do a debate with Vitalik who is in China.
https://www.coingecko.com/buzz/augur-conceptual-godfather-thinks-project-will-fail
Is the debate still going to happen?

I describe linked channels here: https://github.com/BumblebeeBat/FlyingFox/blob/development/docs/linked_channels.md

This means FlyingFox is will not just be Truthcoin-like, it will be a full implementation of Truthcoin.

It is possible to put the oracle into channels, just like all the bets!!!

This means that 2 people can make a bet with each other, and have their bet secured by the blockchain, without ever publishing the bet onto the blockchain.

This will be very useful in employment relationships where the employer and employee don't know each other and are doing something secretive. Truthcoin will be best at funding public goods, and super-secret private goods too.

Warren Buffett gave the earliest description of the P+epsilon attack that I know about http://www.gametheory.net/News/Items/013.html
This attack is the reason that truthcoin consensus on the outcome of events wont work, and it is the reason that bitcoin consensus does not work.

He is a money wizard.

One computer is the leader. It creates all the blocks.
If each user's software is written to ignore invalid blocks, then the leader will be unable to influence the network with invalid blocks. If he creates 2 blocks at the same height, then the blockchain freezes.
The worst he could do is censor transactions, which would reduce his own income.

If the leader is hidden in a gossip network, it can be very hard to find him among all his users.

If the leader disappears, it should be easy for others to fork a moment in history, and launch a cryptocurrency with the same distribution. Forking a cryptocurrency like this should be expensive in either POW or in burn, otherwise there will be too many forks to deal with.

Advantages:
*no complex consensus algorithms like POW or POS
*Minimize redundancy

When the leader dies and 100+ alternatives show up to replace him, it can be difficult for the network to decide which blockchain to use. It is possible that people will split onto different blockchains. The same transactions will be spendable across all those competing chains, so they will all have nearly identical state. One way competing chains differ is in the order of the transactions, which changes user's balances slightly.

Another way they can be different is by who is collecting the transaction fees. If a block leader tries to spend the tx fees he gathered, it only works on his own chain.  The transaction-fee money will be traded at a much lower value than regular money, until there is consensus on which chain to use. At least one of the potential leaders will be an altruist, and will delete all his transaction fees. The community will prefer his blockchain.

So transaction fees only get spent if there is a very small number of people interested in being leader. Even without transaction fees, the leader has some advantages. He looks at every block first.

It is possible for the leader to censor, but if everyone is pseudo-anonymous, it isn't much of a problem.

http://lightning.network/lightning-network.pdf

The oracles have to stay on-chain, but the LMSR markets can go off-chain.
Instead of having to wait the blocktime for trading, they will be able to trade instantly.
Instead of paying a fee for every trade, each user only pays one fee upon signing up.

Instead of putting every trade into the blockchain, only the net result of the off-chain market on each person's balance is recorded.

The advantage of a SMPC-enabled oracle is that is impossible to tell how the participants voted. So you cannot bribe the participants conditionally on how they participated. This attack works because it bribes either everyone or no-one.

An attacker credibly commits to pay every participant in the oracle dependent upon the outcome being wrong.
The reward for being in majority is R, and the attacker's bribe is b.
                              |vote honest |lie
wrong outcome  | b                  | R+b
correct outcome| R                   |  0

I am building off of Paul's idea explained on page 25: http://www.truthcoin.info/papers/truthcoin-whitepaper.pdf

trade_shares needs to be split into 2 transactions: commit_trade, reveal_trade

commit_trade ex:  {pubkey, sig, hash}
this transaction costs a safety deposit. If you don't reveal within the next 10 blocks, then you lose your deposit.

reveal_trade ex: {pubkey, sig, market, shares}
This transaction reclaims the safety deposit you lost. sha256(reveal_trade) must equal the hash from the commit_trade.

The order that the trades are fed into the market maker is the order of the commit_trades rather than the reveal_trades.

Vitalik talks about an effective attack against POW starting at 52:27 in this video https://www.youtube.com/watch?v=S47iWiKKvLA
This family of attacks can also be used against the truthcoin consensus mechanism.
I will attempt outline an example scenario below:
Lets say that there is a prediction market for a presidential election that Obama won. The attacker bets the wrong way (on McCain), and attempt to convince the votecoin-holders to claim that McCain won.
The attacker makes a contract which gives a bunch of money to votecoin-holders who choose McCain.
If the prediction says McCain wins, then the contract gives 0.01 of the attacker's money units to the owner of every 1 money unit worth of votecoins that chose McCain.
If the prediction says Obama wins, then the contract gives  1.00 of the attackr's money units to the owner of  every 1 money unit worth of votecoins that chose McCain.  Since the market ends on McCain, the attacker only has to pay the smaller amount, which is worth as much as 0.5% of the votecoins.The attacker needs to be able to afford to purchase 50% of the votecoins.

If we use Paul's smoothing constant of 0.9, it is 10x worse. The attacker only needs to afford 5% of the votecoins, and he only has spend as much as 0.05% of the votecoins is worth.This problem only effects Paul's version of rep. My version, which is like colored-coins is immune to this attack.

Moderator Note: Changed title to include "P + e Attack"

The idea of vol-coin/stable-coin was recently re-invented by someone else in the crypto community, but I first read the idea in Paul's docs. The idea is that the blockchain should have at least 2 types of coins, and all the volatility is pushed into one of the two types. That way the users who dislike volatility can use the coins without having volatility.

Paul's way of solving the problem goes like this. Say you want to make an cryptographic asset that stays equal in value to a marmot. The current exchange rate is 100 truthcoin to buy a marmot.
I would make a bet at every price between 50 truthcoin per marmot to 200 truthcoin per marmot.
The bets are made so that if the price of truthcoin should change relative to marmots, I will still be able to afford the same number of marmots as I started with.

What is beautiful about truthcoin is that anyone can make stablecoins which maintain value with respect to anything. A ton of rice, a pound of gold, whatever. Each prediction market can only accept one type of money, and it pays out in the same type that you make bets in. If you bet in USD-linked coins, then the payout will be in USD-linked coins.

https://blog.ethereum.org/2014/05/24/on-long-term-cryptocurrency-distribution-models/

Useful proof of work in ethereum is a very exciting idea to computer scientists. Using functions in EVM code as the proof of work is so recursive,.
1) The POW helps fund software and hardware research to run EVM code faster, which makes all other parts of ethereum work better too. Whereas asics for bitcoin only made the hash function fast, and everything else stayed slow.
2) This is a convenient and fair way to distribute initial coins.

This is a very complex process for ethereum, but truthcoin can have this advanced behavior with no modification to Paul's design.
By simply wording the predictions for an assurance contract correctly, we can crowd-fund the creation of any sort of cryptographic artifacts. We could pay people to repeatedly execute the python code that runs truthcoin. Someone would re-write all the python in C, and optimize it to an extreme. They would do this to mine more coins and get a reward.

I am starting to think Paul might be right about this: everything valuable ethereum could do, truthcoin could do even better.

If we make bets on what our representatives will do, it is very similar to bribing them to do what we want them to do.
Representatives will not have any legitimacy after truthcoin exists.