I was recently asked by Testz to address this topic:

https://bitcointalk.org/index.php?topic=1196533.msg12563741#msg12563741

ell seeing as Larimer himself said the solution is to "...keep everything in RAM..."  how much RAM to do think is required to keep up with a sustained 100,000 tps if it is indeed true?

You don't need to know anything about how that system works when these statements have been, 120 bytes per transaction * 100,000 transactions per second * 86400 seconds in a day = 1,036,800,000,000 bytes (almost 1TB) per day of data.  However you cut it that is a lot of data to manage efficiently in a vertically scaled system (which Bitshares is). 

If you have to go to disc even the fastest PCI SSDs will struggle to do 100,000 random reads per second after some moderate use, unless you are doing very aggressive and efficient disc management at a low level to ensure they are stored sequentially.  Even without considering transactions arriving out of order from the network, that in itself is no trivial task. 

Even batch writing large blocks of transactions to reduce the required IOPs might not cut it, as you have no guarantee that the SSD controller is going to (or even can) write them in one consecutive chunk.  If the controller wants to move data around so it can do this, that is additional overhead and your max IOPs will drop anyway.

If the RAM requirements are low, then you will be swapping out those transactions in RAM constantly, so then you are asking an already utilized IO stream to do 100,000 reads AND 100,000 writes each second on top of processing.

My issue isn't that 100,000 transactions can not be processed per second, my issue is that sustaining that processing capability with RAM and IO limitations is not as trivial as is being made out, and anyone with even a basic understanding of IO systems should be able to see it.

I believe this 100,000 tps relates to the systems ability to order match as he mentioned that specifically in the videos relating to this topic, and NOT a sustained network load of new transaction processing capability.

I want to address the MAJOR misconception and that is that we keep all transactions in RAM and that we need access to the full transaction history to process new transactions.

The default wallet has all transactions expiring just 15 seconds after they are signed which means that the network only has to consider 1,500,000 * 20 byte (trx id) => 3 MB of memory to protect against replay attacks of the same transaction.

The vast majority of all transactions simply modify EXISTING data structures (balances, orders, etc).   The only type of transaction that increases memory use permanently are account creation, asset creation, witness/worker/committee member creation. These particular operations COST much more than operations that modify existing data.  Their cost is derived from the need to keep them in memory for ever.   

So the system needs the ability to STREAM 11 MB per second of data to disk and over the network (assuming all transactions were 120 bytes). 

If there were 6 billion accounts and the average account had 1KB of data associated with it then the system would require 6000 GB or 6 TB of RAM... considering you can already buy motherboards supporting 2TB of ram and probably more if you look in the right places (http://www.eteknix.com/intels-new-serverboard-supports-dual-cpu-2tb-ram/)  I don't think it is unreasonable to require 1 TB per BILLION accounts. 

I seem to have lost my bitcointalk login password, so can someone please cross-post this for me.  Thanks.

http://bytemaster.github.io/update/2015/09/29/Bitcoin-is-100x-less-secure-than-commonly-believed/

Yesterday I started a discussion on Witness pay and the appropriate number of witnesses, but I fear that discussion actually missed the mark.  The number of witnesses can be changed in a day, and the pay within 2 weeks.

What is far more important than the number of witnesses is who gets to chose the witnesses and how quickly those decisions can be made.

I would like to take a moment to use an analogy on the difference between energy and power.    Power can be thought of as the amount of energy that can be applied in a fixed amount of time.   If you invented a battery that
contained infinite energy but that energy could only be drawn upon at 1 watt then you couldn't even power a household light bulb.   However, if you had a standard AA battery and were able to release all of the energy in that
battery instantaneously you could destroy the world.   

When it comes to proof of stake coins, a voting share can be thought of as raw energy.  The power of the network can be thought of in terms of how many votes can be brought to bare in a short period of time. 

The security of a network depends upon distribution of energy and the speed at which it can be applied to react to changing circumstances.   

So let's suppose that we had 1001 witnesses but all voting power was proxied through a single account.    The presence of 1001 witnesses is an illusion, they could be changed in a day down to the minimum of 11 if a single
individual was compromised.    It is unlikely that 50% of the stakeholders could change their vote in a day to counter the corrupt proxy.

From this perspective we see that witnesses are only necessary for short-term security and are powerless to maintain their position. 

The question becomes not about bribing a witness, or performing a DDOS on a witness, but on choosing the witness. 

For a given set of witnesses they can choose to censor transactions which change votes.  This is their only vector of attack.  If they choose this route then the network goes down for a hardfork where the proxies vote on a fresh set of witnesses.

Think of the witnesses as the IT staff and the proxies as the Board of Directors of a company.   If the IT staff decided to go rogue they would be fired and the BOD would simply replace them.   

All that is necessary is to have a contingency plan in place in the event that the witnesses go rogue.  A plan that is decided in advance and whose execution can be independently validated by everyone.

Imagine if at any time a block can be produced that is a consensus in itself and this block can build off of any block after the last checkpoint.   Imagine that this block has the power to completely change the blockchain parameters including the elected witnesses.    Imagine if a block containing the signatures of accounts that collectively vote for more than 50% of the stakeholders could overwrite a block produced by witnesses. 

What we need for security is a DECISION MAKING PROCESS more than anything else.  We need an adaptive and responsive system.  We need a diverse set of unpaid decision makers that the majority trust with their proxy votes.   

If we had 101 accounts that collectively controlled 2/3 of all voting power (via proxy) then the power structure of the network would effectively be:

1. Witnesses are the Executive Branch
2. Committee members are the Senate (1 vote per seat)
3. Proxy members are the House (weight proportional to population)

In the event the executive branch goes rogue we merely need to "hold an election" which can be done via the Senate (easiest), via Proxy Members (next easiest) or via direct voting.  Once the votes are cast a new set of witnesses are elected and the network can proceed as always.

What does all of this mean?  It means that we should be focused more on defining a solid set of representatives to serve as active proxy voters that are in the best position to evaluate how many witnesses and committee members are necessary to secure the network.    Having effective and timely voting will do more to improve network security than a 5x or 10x increase in the number of witnesses.

Remember that in evolution, it isn't the strongest that survive but the most adaptable.   Create a system that cannot adapt and it will easily be taken down. 

Consider Bitcoin, it cannot even reach consensus on block size, so how would the network recover if all publically available mining pools were shutdown or compromised?  All of a sudden it isn't profitable to solo-mine and there is no recourse. 

View witnesses as mining pools that are easily changed and hard to shutdown. 

Every day there is a new debate about decentralization, and every time that debate quickly loses sight of all perspective.   Everyone wants a system that is "secure", whatever that means.   Everyone wants a system that is "cheap", "fast", and "reliable" as well.   

The problem is that everyone has different definitions of terms and different threats they are concerned about.     There are as many variables to security as there are types of security and vectors of attack.   If we are not careful then we spend millions of dollars building a moat and castle wall so we can feel secure only to have the castel taken down from the air, by siege, or some other attack vector.

The debate about how many witnesses a network has is meaningless without a proper discussion of the *type* of security witnesses provide and how they provide it.  Collectively witnesses exist to establish a consensus on an irreversible transaction history and testify about the relative value of assets in the system.    Technically the witnesses are not where the consensus lies.  Technically every other node on the network is also participating in the consensus by recording the real time broadcast of blocks by the official witnesses.    Each and every one of these nodes also processes and validates all transactions.   

Producing blocks is only one part of security.  Providing seed nodes is another.  Attacking the P2P protocol is a third.   Of the three of these, attacking the block producers is probably the most difficult because no one knows their IP address.   Attacking the seed nodes on the other hand could completely disable new connections.   More importantly, attacking the P2P protocol could temporarily completely disrupt all communication among witnesses. 

The more witnesses you have the more difficult it becomes to coordinate in the event that communication is disrupted.   As a result increasing the number of witnesses beyond a certain point makes the network less secure.
The more witnesses you have the more difficult it becomes to vet the witnesses and hold them accountable.  Once again increasing the number of witnesses has the paradoxical effect of reducing security.

To understand this from a metaphor perspective, building the great wall around all of China to protect a single house is pointless unless you are able to watch every square inch of that wall all of the time.  Building a similar wall around 1 acre would be far more effective.    Walls only slow down attacks, they don't prevent them.   Having 1 million witnesses means that no one will notice when 500,001 of them fall under control of one entity.   There is simply too much to track.

There are several different kinds of attacks that must be specifically addressed:

1. Censorship
2. Changing History
3. Denial of Service
4. Denial of Connection

All blockchains can be completely shutdown by IP/PORT filtering of all public nodes.   If the network was attacked by a botnet that connected 100K nodes it would dwarf the size of even the bitcoin network.   These nodes could then perform all kind of attacks.    A 100K botnet is cheaper than mining power. 

In conclusion I would like to suggest that having an abundance of witnesses is like wearing a gas mask every day just incase your home gets raided with tear gas.   Instead what we do is keep a gas mask handy, "just in case", but we don't wear it everyday.   Likewise, we keep the ability to increase the number of witnesses "just in case", but it is pointless to obsess over this.

This leaves only ONE argument that holds any water:  perception matters more than reality.   

Just because we recognize the futility of hiding under our desks in the event of a nuclear attack does not mean that millions of kids don't feel more comfortable.   

So my counter-argument that the perceived importance of attracting the more-is-better audience is likely overestimated.   Most people simply don't care so long as the system appears to work and is reliable. 

Mac users now have a test full node with gui available: https://github.com/cryptonomex/graphene/releases/download/test3/Graphene-Sept18-Testnet.dmg

Note that the web GUI included is in progress and has known issues (such as exchange tab missing and menu bar display issues). 

This is really more of a proof of concept full node release for the curious. 

Would like to introduce a new network protocol that should help keep witnesses in sync even during high traffic periods.   It is implemented entirely in JavaScript using Node.js

First step is to set up a witness node like normal, only without giving it any P2P seed nodes. 

./witness_node --rpc-endpoint "0.0.0.0:8090"  --genesis-json aug-31-testnet-genesis.json
Checkout this repository:
https://github.com/cryptonomex/graphene-ui

cd dl; npm install
cd ../relay; npm install
./nodejs ./bootstrap.js config.js


Edit config.js to look like:

module.exports = {
  api_host: 'localhost',
  api_port: 8090,
  upstream : 'ws://104.236.51.238:1778',
  listen_port: 1779
}

The code is relatively simple and could probably be easily improved upon by any members on this forum who would like to take a stab at it. 

I would like to see all witnesses on the test network use this code to connect rather than the P2P code we currently have. 

There are known bugs in the Javascript code, but hopefully there are MANY more people around who are able to fix them and it is much easier to understand what is happening.

Thanks!

Everyone in the crypto currency space presumes that Bitcoin and other P2P protocols create a censorship resistant finanical platform.

It is my opinion, that any PUBLIC P2P network can easily be censored by ISPs.  If you can join the network, then you can discover the IP and PORT of every publicly accessible node and then block all packets to/from those nodes on those ports.

Furthermore, every website that hosts content (binaries, source, and seed node IPs) can be shut down in a similar manner.

Even MaidSafe and Tor are not able to prevent this kind of censorship. 

Now clearly, it would be difficult to engage in this kind of censorship on a global scale.   The end result would be for people to move to VPN systems, which would in turn come under attack because they are "publicly known".   

At the end of the day, the great Firewall of China can be applied to any country at any time. 

If that were to happen then consensus would have to move to dark networks, on an invite-only basis and the utility of crypto-currencies in general would be dramatically undercut. 

In other words, crypto-currencies currently depend upon free speech. 

We live in a world where despite the government's best efforts illegal music, movies, and other content manages to survive.   What does this tell us?   How can centralized services provide us magnet links to torrents with public IPs and those hosts are not shut down?

https://graphene.bitshares.org  is now up to date with the latest test network.

 We are working on a bug with voting by proxy... don't enter text into that field at this time it will lockup your browser window.

I have been able to import everything from my BTS wallet successfully.    Still a lot of work to do on the GUI, but it is coming together at a consistent rate. 

For those of you who thought voting was confusing in 1.0, I hope this new UI will make it much easier to understand how you are voting.