Decentralization of Power

[Troglodactyl]

...
The reality is that bytemaster controls enough stake to vote anyone in/out at will - getting elected as a delegate right now is pretty much impossible without his stake voting for you.
...

I don't think this is true anymore.

The biggest problem I see with Bitshares right now is Bytemaster doesn't seem to acknowledge his opponents as having valid critcism.  While it might sound harsh, Anonymint for instance says, Bytemaster is a Steve Jobs type control freak figure so he's not going to make anything remotely decentralized.  This criticism has some merit because I honestly believe Bytemaster is designing a system with the assumption that he + this website will always exist.  In reality, the system needs to be designed in a manner where it functions at maximum efficiency assuming neither this website or him exist at all.  The system also needs to be designed in a way that assumes mass voter apathy and ineffective or non-existent delegate campaigning to find suitable candidates for security that fit game theory motives.
...

I think this is legitimate criticism.  I think a lot of people around here (perhaps bytemaster included) are too comfortable with reliance on bytemaster continuing post October.

If witnesses are voted for based on collateral, then withness pay would have to compensate them by effectively paying interest on that collateral.  Is that expense really worth it?

I also suspect that we'll have less voter apathy (especially of large holders) once we have a better UI.  Better gateways so less BTS lives on centralized exchanges will also help.

[bytemaster]

  This makes me think he believes he's always going to be there annointing the delegates himself.  Afterwards, talking about trying to lower delegate count to 17 on top of that so you only need an amount of people you can fit in one car to collude is just getting outrageous.

The reality is that bytemaster controls enough stake to vote anyone in/out at will - getting elected as a delegate right now is pretty much impossible without his stake voting for you.

I actually like your collateral proposal; I think it would be better to remove the requirement to burn 50K BTS to register as a delegate, and instead have that posted as collateral. Having a least one game theoretical aspect to becoming a delegate is better than none.

Well I would definetely prefer a bidding war over burned funds than over collateral. Once it's burnt it's forever, collateral is just temporary. Would make people who burnt more funds to commit more seriously. An extra motivation for not letting their funds go to waste.

From an economic perspective, burned funds is a sunk cost and should be ignored by everyone.   

[monsterer]

Once it's burnt it's forever, collateral is just temporary.

The idea is that collateral acts as an incentive not to be evil - if you're evil, then BTS loses value and therefore so does your collateral. If you burn it, you don't care about the burnt BTS losing value, since it's gone anyway.

[Akado]

  This makes me think he believes he's always going to be there annointing the delegates himself.  Afterwards, talking about trying to lower delegate count to 17 on top of that so you only need an amount of people you can fit in one car to collude is just getting outrageous.

The reality is that bytemaster controls enough stake to vote anyone in/out at will - getting elected as a delegate right now is pretty much impossible without his stake voting for you.

I actually like your collateral proposal; I think it would be better to remove the requirement to burn 50K BTS to register as a delegate, and instead have that posted as collateral. Having a least one game theoretical aspect to becoming a delegate is better than none.

Well I would definetely prefer a bidding war over burned funds than over collateral. Once it's burnt it's forever, collateral is just temporary. Would make people who burnt more funds to commit more seriously. An extra motivation for not letting their funds go to waste.

[r0ach]

I actually like your collateral proposal

Requiring a non-trivial proof of burn to run for position of delegate which you might not be elected to disincentivizes anyone from running at all.  I'm not sure who thought that was a good idea.  A collateral bid system that just locks the funds but doesn't destroy them is far better.  Bytemaster is even the guy that at one point said something along the lines of proof of burn being useless and a stupid waste of capital.

[monsterer]

  This makes me think he believes he's always going to be there annointing the delegates himself.  Afterwards, talking about trying to lower delegate count to 17 on top of that so you only need an amount of people you can fit in one car to collude is just getting outrageous.

The reality is that bytemaster controls enough stake to vote anyone in/out at will - getting elected as a delegate right now is pretty much impossible without his stake voting for you.

I actually like your collateral proposal; I think it would be better to remove the requirement to burn 50K BTS to register as a delegate, and instead have that posted as collateral. Having a least one game theoretical aspect to becoming a delegate is better than none.

[Akado]

I thing the average Joe is happy if he gets security wise a 2FA option and he gives a shit if it's more or less centralized...
So whatever is your last decision about the number of witnesses make sure we have the 2FA future ready ASAP on all clients!
It will be crucial for mass adoption. Don't delay it to long! Is it possible to have it on launch ready?

https://github.com/cryptonomex/graphene/wiki/Wallet%202-Factor%20Authentication%20Protocol

  Well said!

[r0ach]

The biggest problem I see with Bitshares right now is Bytemaster doesn't seem to acknowledge his opponents as having valid critcism.  While it might sound harsh, Anonymint for instance says, Bytemaster is a Steve Jobs type control freak figure so he's not going to make anything remotely decentralized.  This criticism has some merit because I honestly believe Bytemaster is designing a system with the assumption that he + this website will always exist.  In reality, the system needs to be designed in a manner where it functions at maximum efficiency assuming neither this website or him exist at all.  The system also needs to be designed in a way that assumes mass voter apathy and ineffective or non-existent delegate campaigning to find suitable candidates for security that fit game theory motives.

I mentioned there's no automated fallback mechanism for voter Apathy, yet can easily be fixed by having clients automatically vote for delegates that put up the highest collateral bid if they don't vote manually, but Bytemaster doesn't even seem to believe voter apathy is a problem.  This makes me think he believes he's always going to be there annointing the delegates himself.  Afterwards, talking about trying to lower delegate count to 17 on top of that so you only need an amount of people you can fit in one car to collude is just getting outrageous.

Since those 9 people colluding require no substantial collateral to be delegates in the first place, they can just sell all BTS they own, accept a bribe from "Come-from-beyond" at NXT, all place shorts at the exchange then black swan attack the network all day to destroy it or at the very least all of it's credibility.  Bytemaster is unable to even envision this attack because he seems to think he's going to be there manually controlling everything forever.  Even if your goal was to straight up run a centrally controlled company, everyone on the outside believes that since you're operating under the Bitcoin banner, that attack vectors like this cannot be allowed or it's not a valid product.

If your goal is to operate a centrally controlled company, things like this still can't be allowed because in a centrally controlled company, the board of directors all have tons of stock in the company and million dollar salaries.  No substantial amount of collateral is even required to be a delegate in BTS, and nobody is making anything near a million dollars.  The only way this system can work with a low number of delegates (anything 100 or less is low) is if they're all required to lock up large amounts of shares to function as one to prevent themselves from attacking the network  (i.e. my collateral bid solution).  The minimum bid would need to be somewhat high, then you would need to bid against others on top of that.

[jakub]

Did I miss something? I thought in BTS 2.0 the number of wittnesses anyway depends on the amount of witnesses shareholders want AND can vote on (one can not choose more wittneses than once has selected to vote for).

I wondered the same.
My impression is that this discussion is only to help us make an informed decision when we vote in 2.0.
But I think that however this discussion ends, there is not going to be any hard-coded number of witnesses except the lower bound which I believe is going to be 10.

[santaclause102]

Did I miss something? I thought in BTS 2.0 the number of wittnesses anyway depends on the amount of witnesses shareholders want AND can vote on (one can not choose more wittneses than once has selected to vote for).

[Empirical1.2]

What anybody here thinks is technically the 'best' option is, is largely irrelevant.

The only relevant question imo is whether the 'best-selling' option, significantly adds to costs or security concerns.

Every business and product in the world is trying to find the 'best-selling' option.  They do extensive market research and modify their product and packaging so that it's presented in a way their market will like the most. This forum is almost unanimous, (even the people that agree with the 17 number here), that the perception among the current alt-coin market will be negative.  So we should shoot for a higher number of witnesses and also perhaps place limits on proxies imo.

 
Excerpt from Rich Dad, Poor Dad. One of best-selling book series of all time...

A few years ago, I granted an interview with a newspaper in Singapore.  The young female reporter was on time, and the interview  got under way immediately. 

"My work does not seem to go anywhere,” she said quietly. “Everyone says that my novels are excellent, but nothing happens." 

“Someday, I would like to be a best-selling author like you, Do you have any suggestions?”

“Yes, I do,” I said brightly. “A friend of mine here in Singapore runs a school that trains people to sell for many of the top corporations here in Singapore, and I think attending one of his courses would greatly enhance your career.”

She stiffened. “ “I have a master’s degree in English Literature. Why would I go to school to learn to be a salesperson?"

“Do you see this?” I said pointing to her notes.  On her pad she had written: “Robert Kiyosaki, best-selling author.”

“It says best-selling author, not best-writing author,” I said quietly. 

“I am a terrible writer,” I said. “You are a great writer. I went to sales school. You have a master’s degree."

The world is filled with smart, talented, educated, and gifted people. We meet them every day. They are all around us. I am constantly shocked at how little talented people earn. 

“They are one skill away from great wealth.”

[bytemaster]

Producing blocks is only one part of security.  Providing seed nodes is another.  Attacking the P2P protocol is a third.   Of the three of these, attacking the block producers is probably the most difficult because no one knows their IP address.   Attacking the seed nodes on the other hand could completely disable new connections.   More importantly, attacking the P2P protocol could temporarily completely disrupt all communication among witnesses. 

How would an attack on the P2P protocol and an attack on seed nodes work?

Attack on the seed nodes is simply a DDOS.
An attack on the P2P protocol would be similar to DDOS, create many connections to fill up the maximum allowed connections on all publicly available nodes.
To prevent these attacks from disrupting the CONSENSUS process the witnesses should form a PRIVATE (Invite Only) P2P network and then bridge to the public through several bridge nodes.    A witness could still operate on the PUBLIC P2P network but attacks on the public infrastructure could end up causing them to miss blocks.

[bytemaster]

Is cold storage an option somewhere in the new system?

Yes, simply update your account authority to a public key that has never touched an internet connected machine.

[santaclause102]

Producing blocks is only one part of security.  Providing seed nodes is another.  Attacking the P2P protocol is a third.   Of the three of these, attacking the block producers is probably the most difficult because no one knows their IP address.   Attacking the seed nodes on the other hand could completely disable new connections.   More importantly, attacking the P2P protocol could temporarily completely disrupt all communication among witnesses. 

How would an attack on the P2P protocol and an attack on seed nodes work?

[mf-tzo]

Is cold storage an option somewhere in the new system?

[bytemaster]

I thing the average Joe is happy if he gets security wise a 2FA option and he gives a shit if it's more or less centralized...
So whatever is your last decision about the number of witnesses make sure we have the 2FA future ready ASAP on all clients!
It will be crucial for mass adoption. Don't delay it to long! Is it possible to have it on launch ready?

https://github.com/cryptonomex/graphene/wiki/Wallet%202-Factor%20Authentication%20Protocol

I agree completely, that for 99% of people concerned with losing their funds have to worry about the following:

1. Forgetting their password
2. Losing their wallet file
3. Their computer getting hacked
4. Getting Attacked by a Shark
5. Losing money as a result of only having 17 witnesses

In other words the network can be made far more secure by focusing on password recovery and wallet backup, then two-factor, and lastly having more witnesses.

[xeroc]

I thing the average Joe is happy if he gets security wise a 2FA option and he gives a shit if it's more or less centralized...
So whatever is your last decision about the number of witnesses make sure we have the 2FA future ready ASAP on all clients!
It will be crucial for mass adoption. Don't delay it to long! Is it possible to have it on launch ready?

https://github.com/cryptonomex/graphene/wiki/Wallet%202-Factor%20Authentication%20Protocol

There will not be 2FA authentication ... but something WAY BETTER ... corporate accounts and proposed transactions.

Essentially you can split spending rights for your funds among arbitrarily many entities and flexibly define the conditions that have to be met in order to spend funds ..
If your money is in one of those secured accounts .. you can propose a transfer (or trade) and send a "halve-valid" transaction into the network (blockchain) ... then you ask your partners to verify (e.g. via mail, sms, 2fa, face recognition, fart smell,...) and sign the (proposed) transaction .. of the conditions are met, the transaction will be validated by the network automatically ..

[liondani]

I thing the average Joe is happy if he gets security wise a 2FA option and he gives a shit if it's more or less centralized...
So whatever is your last decision about the number of witnesses make sure we have the 2FA future ready ASAP on all clients!
It will be crucial for mass adoption. Don't delay it to long! Is it possible to have it on launch ready?

https://github.com/cryptonomex/graphene/wiki/Wallet%202-Factor%20Authentication%20Protocol

[monsterer]

The system you describe is what Nxt effectively uses... those with stake get to produce blocks.

Very unreliable and ultimately far less security than by voting.

I'd like to hear your reasoning here.

[Helikopterben]

I agree that too much decentralization is wasteful and can erode performance.  The question I would like to ask is:  What is the goal of security through decentralization?  As BM stated, there are many variables that factor into security and security means different things to different people, but IMO the most important part of this aspect of security is simple:  protect user assets from being stolen.  Whether through direct theft of assets, inflation of the native asset (bts), manipulation of price feeds, ect.  Most all attack vectors revolve around stealing user assets or making their assets worthless.  I would argue that much of this has been solved through cryptography and giving witnesses as little privileges as possible and giving delegates delayed privileges to give users a chance to vote out bad delegates. 

It would be nice to see, if possible, what percentage of votes cast are via unique proxy (slate) to determine true decentralization of the network.  If, for example, >50% of votes are cast via 17 unique proxies, then It may not be advantageous to have more than 17 geographically distributed witnesses at current adoption levels.  As long as the network is sufficiently decentralized to protect user assets, then it works, and perception should not be a concern for something that works just as efficiently or more efficiently than its competitors.

[mike623317]

Surely we can find 25 people willing to run witnesses. Although I'm not very technical at the moment, I feel if i can learn exactly what to do I would be willing to run a witness to validate blocks for either free or near free.

In my opinion we need 25 heroes to help get off the ground before it takes on a life of its own. I'll set up if needs be.

Let's roll.

[r0ach]

For starters I am not a fan of voting in general.

I just haven't found anything that has fewer downsides.

If you want to keep voting in, why do you think the system I originally described isn't better than how Bitshares currently functions?  If you had 100% voter apathy, the top 101 collateral bids are automatically elected delegates.  If you didn't have massive voter apathy, the system would function identically to the way it does now.  There has to be a fallback mechanism for voter apathy, don't you understand that point?  None exists right now.  There is no logical fallback metric besides collateral either.

All the system would do is come with a checkbox that says, "automatic voting based on collateral on/off".  It would be on by default.  If you turn it off, then you go manually vote.  It's basically just pre-sorting the vote list to make it easy for apathy voters.  If collateral bids do not auto-renew, it also solves the problem of having zombie delegates you need to vote out.

[bytemaster]

For starters I am not a fan of voting in general.

I just haven't found anything that has fewer downsides.   The system you describe is what Nxt effectively uses... those with stake get to produce blocks.

Very unreliable and ultimately far less security than by voting.  They even have leased forging which is like proxy voting.

[monsterer]

Due to voter apathy, the system would most likely always run solely by collateral bids.  At that point you have to think, why leave voting in at all? 

I feel Bytemaster is too attached to voting so I had to make the suggestion the way I did as a compromise solution.  I would personally probably remove manual voting.

Either way, the cost is still a constant. You post collateral X to become a delegate, then users vote with stake Y. Total cost X+Y, which is a constant... In fairness, you have introduced a game theoretical cost to become an evil delegate which did not exist before, which is an overall positive.

[Method-X]

As I understand your proposal, this only makes a difference in terms of the visibility of delegates to vote for, rather than eligibility thereof?

Given that, I can't see how attack cost is exponential, or even linear - it seems to be just a plain old constant

My original proposal was that the system would be automated to vote for highest collateral bids by default setting.  It would only revert to the current system if users exercised the ability to manually vote.  If you wanted that increased cost of attack, you would have to remove the ability to manually vote.  I made the proposal the way I did because I'm not sure of everyone's consensus on removing manual voting, even though manual voting is probably a negative to leave in.  Due to voter apathy, the system would most likely always run solely by collateral bids.  At that point you have to think, why leave voting in at all? 

I feel Bytemaster is too attached to voting so I had to make the suggestion the way I did as a compromise solution.  I would personally probably remove manual voting.

Manual voting has a psychological impact. It's like how our current "democracy" is mostly illusory but people will support and spread it because of the "democracy is good" meme.

[r0ach]

As I understand your proposal, this only makes a difference in terms of the visibility of delegates to vote for, rather than eligibility thereof?

Given that, I can't see how attack cost is exponential, or even linear - it seems to be just a plain old constant

My original proposal was that the system would be automated to vote for highest collateral bids by default setting.  It would only revert to the current system if users exercised the ability to manually vote.  If you wanted that increased cost of attack, you would have to remove the ability to manually vote.  I made the proposal the way I did because I'm not sure of everyone's consensus on removing manual voting, even though manual voting is probably a negative to leave in.  Due to voter apathy, the system would most likely always run solely by collateral bids.  At that point you have to think, why leave voting in at all? 

I feel Bytemaster is too attached to voting so I had to make the suggestion the way I did as a compromise solution.  I would personally probably remove manual voting.

[monsterer]

You still have a deterministic number of delegates.  A flat rate collateral system only puts an upper limit on number of sybil nodes, while a bid system vastly increases the potential cost.  If there were 101 delegates, I would need to perform a sybil and impersonate 51 units then outbid everyone else with all of them.  Cost to attack becomes somewhat exponential instead of linear.  If scaled to 500 delegates, even more so.  My capital is also locked while running as a delegate, unusable for voting, so that locked capital can't be used to vote for each other either.

As I understand your proposal, this only makes a difference in terms of the visibility of delegates to vote for, rather than eligibility thereof?

Given that, I can't see how attack cost is exponential, or even linear - it seems to be just a plain old constant, like any other POS system. Even if you made delegates eligible via this system, the attack cost is still a constant proportional to stake, isn't it?

[r0ach]

I think the collateral bid system I suggested is far superior than the current system for dealing with that:

https://bitsharestalk.org/index.php/topic,18584.0.html

What makes your proposal any different from standard POS from an attack perspective?

I knew that question was going to come up.

You still have a deterministic number of delegates.  A flat rate collateral system only puts an upper limit on number of sybil nodes, while a bid system vastly increases the potential cost.  If there were 101 delegates, I would need to perform a sybil and impersonate 51 units then outbid everyone else with all of them.  Cost to attack becomes somewhat exponential instead of linear.  If scaled to 500 delegates, even more so.  My capital is also locked while running as a delegate, unusable for voting, so that locked capital can't be used to vote for each other either.

[monsterer]

I think the collateral bid system I suggested is far superior than the current system for dealing with that:

https://bitsharestalk.org/index.php/topic,18584.0.html

What makes your proposal any different from standard POS from an attack perspective?

[r0ach]

I think we need to strike the right balance between these two:
(1) our ability to prevent an attack
(2) our ability to recover once the attack happens

I think the collateral bid system I suggested is far superior than the current system for dealing with that:

https://bitsharestalk.org/index.php/topic,18584.0.html

[jakub]

I think we need to strike the right balance between these two:
(1) our ability to prevent an attack
(2) our ability to recover once the attack happens

It's like going for a winter sailing trip. You can choose to wear very warm clothes and feel safe from the cold.
But once the boat capsizes and you are in the water those very clothes will immediately turn against you and hamper your rescue efforts.

[monsterer]

https://github.com/d11e9/poi

How is that anonymous? I'd say your face was a personally identifying feature.

[r0ach]

https://www.reddit.com/r/ethereum/comments/3kscue/antisybil_protocol_under_development/

That will never work.  It's voter apathy^3

[luckybit]

Imagine a Chatroulette style app, where everyone in Bitshares can sign up and get paid some initial incentive to take part in the visual signing parties?

Random chats would be created with randomly shuffled newcomers. Human beings would then visually confirm that each person is real and not a video or loop. They would then take their phone, take a picture of the person, it goes into facial recognition, becomes some encrypted hash, and that is it.

If anyone is wrong then they get immediately fired, just like with witnesses. So people would be encouraged to always want to be 100% accurate. If it scales up to enough people then it will be anonymous yet it would still allow people to verify each other not that much unlike the PGP key signing parties.

That would provide sufficient security and anonymity because no one would know the names of the faces they see. Bytemaster and team themselves could initiate it. The real problem would be the fact that even if you know a unique person controls a certain key of a certain witness you don't know if the person controlling that key is an independent or coerced person.

If they are a coerced person they might hold onto the key on behalf of a group of individuals which would put the group in control of the witness. I don't see that there is any way to prevent that though.

[luckybit]

You can have proof of unique person while also keeping the identities anonymous.

All we need is proof that someone unique is behind the digital signature. We don't need to know exactly who that someone is.

No, you can't. This is an unsolved problem.

https://github.com/d11e9/poi

Yes you can, and it's solved in theory. Once you're confirmed to be a unique person you're always confirmed and it doesn't matter who or what confirms you as long as whatever does confirm you has a 100% accuracy rate. A complete stranger can confirm you without knowing your name if they have a smart phone with some facial recognition software.

I don't have to know who anyone is if I know their digital signature is verified. Twitter verifies accounts of celebrities for example. In the case of Bitshares Identabit or something more decentralized can be used but as long as someone or something has confirmed you in the past then that is enough.

Over time I would expect some protocol such as POI to become mainstream. When that happens eventually people will simply be able to take a hash or digital signature into any app they choose, remain pseudo-anonymous, but have the digital signature confirm them as unique.

https://www.reddit.com/r/ethereum/comments/3kscue/antisybil_protocol_under_development/

[btswildpig]

Just a survey .

How much money would you guys expect to get at least as labor for running the witness node with responsive maintenance ?

[Ben Mason]

I agree with CLains.  Perception based on flawed logic is not what we should be basing technical decisions on.

BM's arguments are well reasoned so perhaps we should give them more weight than the idea that people will not understand that Bitshares is/will be as decentralized as it needs to be.  Let's work on how we get the message across, rather than waste resources because people might not understand.

Paying for development via dilution, testing that mechanism, was the right thing to do at the time, irrespective of BTS price movements (the causes of which cannot be stated with any certainty.)  Regardless, now we have Graphene and are in a stronger position than ever.....

[CLains]

Some practical observations: In practice we're in a specific circumstance, with specific people like xeroc, liondani, etc. actually planning to run a witnesses. If we can't dig up 60 decent witnesses then we're out of luck, no matter the arguments. In practice we have some total amount that we're spending that can vary by several hundred percent from one month to the next. If our market-cap goes down to 5 mill we can only afford one third of what we're paying for now. In practice the narrative is important. If we start low and go higher and higher, people will expect and be interested in this positive development. In practice perception is important. If people don't get that having less than 30 witnesses can be decentralized, we're out of luck, no matter the arguments.

[jakub]

For me the main message in OP boils down to this:
- it's not true that the more witnesses we have the more secure we are
- we can't really prevent an attack, what we can do instead is retain the utmost ability to be adaptive and responsive when it happens

Therefore we must find a sweet spot between:
- users' ability to keep witnesses accountable
- our adaptability, i.e. how quickly decisions can be made
- our ability to coordinate when communication is disrupted
- costs of witnesses' pay
- risk of witnesses' collusion
- risk of one person pretending to be multiple people
- and last but not least: the perception of outside world
All these need to be considered when the optimal number of witnesses is proposed.

[monsterer]

You can have proof of unique person while also keeping the identities anonymous.

All we need is proof that someone unique is behind the digital signature. We don't need to know exactly who that someone is.

No, you can't. This is an unsolved problem.

[r0ach]

I'm going to make this conversation very simple.  I can't think of one off-hand, but there's many websites you can visit where it shows a world map of where all connections are coming from.  Given the fact that you're already going to have a large number of dots on the map occur from the US and Europe, you need a high enough count of dots to where the odds of the smaller places being hit increases.  Something like this will never happen with 17 total units for example.  I don't know what the magic number is where you start to see any noticeable distribution outside of the US and Europe, but it's probably 100 units or more.  It would probably take you 50 total before you even saw Australia being hit.

Even though you're voting in people, this still has to be used somewhat as a guide.  17 is too low for both perception and redundancy.  33 is too low because collusion is still too easy.  51 with the option to vote to expand once bigger is the lowest I can really see.  As BTS expands, you would end up with exchanges and other businesses operating as delegates and voting people in/out isn't something that needs to be constantly done.  Delegate pay isn't so much important as it is for how much they have to lose if the thing goes south.

[luckybit]

https://en.wikipedia.org/wiki/Petri_net

[btswildpig]

Perception is everything.  Bitshares will be seen as centralized with only 17 witnesses, no matter how you cook up the narrative.  Same how Bitshares had less dilution than Bitcoin, but the fear of it drove down the price more than the dilution rate itself.

I have some new thoughts on this .
Bitcoin's dilution is fixed schedule .  It has no value in the beginning . If the market does not value Bitcoin , it wouldn't form a highly liquid market to accept the dilution in terms of fiat .  So it translated into "Bitcoin's dilution cost is a result of market acceptance" .  Simply put , the market choose to accept Bitcoin's dilution knowing all the terms after five years .

While BitShares stood on Bitcoin's bubble without going through 5 years of hardship , struggle , acceptance , it come out with a high marketcap only because Bitcoin has pumped up PTS and all the crypto price in 2013 and 2014 . It's not a result of natural market selection but heat of the moment thing . So as a result , the market gave BitShares too much value than it can bear at its very early stage .

While BTS couldn't even justify this high market cap even with fixed supply schedule , it started to dilute to the market only accelerates the bubble to pop. It's not a matter of what percentage is , but the market already disagree with the actual value the system can offer in terms of fiat , so the fiat marketcap can no longer grow easily .

People all think BitShares has too much value , so it should not be under Dogecoin , NXT , etc . But Dogecoin and NXT's market cap are the result of speculative drive , if we were to argue that we can produce actual value , we shouldn't even compare ourselves to a bubble to beginning with . And here we are , trying to consume the speculative bubble to grow the actual value of the system  in hope of market cap rising exactly beyond the existing speculative bubble as a baseline but not below simply because our IPO price and purchase price is determined during the speculative bubble . So the way of thinking becomes "now the price is x , if I dilute a tiny percentage to grow the system , the price should be x+1 , it makes perfect sense , right ?  " . Except it does not work that way . Just like during the PE , you can easily get say 0.1 million USD loans from a bank with even half-ass credit .  After the PE ended , you've found a new job with higher income and only ask for 0.01 million more loans , you think that " make sense , my value has increased , so the bank should loan me more , it's not that much , it already gave me 0.1 million to beginning with , I'm simply asking for 10% more . "  Except that the bank is considering even take back the 0.1 million that already gave you , let along giving you more .

The market cap is only a vague number . Liquidity is what the market actually allows you to take .
Diluting on the marketcap and daily volume was not the same thing as diluting on the buy orders . And buy orders don't come in easily even with you value increased because it takes risks to buy a speculative object ,  buy order won't coming because you wallet added a nice feature  . Buy order would only come in if they think they will benefit from it .

Dilution percentage on the market cap and daily volume (large portion generated by trading bots instead of real need ) is like the bank telling you "I'm giving you a line of credit" , but when you come to cash in , the bank would tell you "oops , I can only give 20% of it because I didn't know you're actually gonna withdraw it from our precious cash flow "

And if we're aiming to go beyond speculative needs , we have to prepare ourselves for a low market cap to beginning with , that's how a thing without a bubble works , it grows slow and steady and will not worth million of dollars only after a year .

I hope this can shed some light on "why the hell did the market cap shrink with only that little dilution" . I haven't been able to put it into understandable words until now because I just rejected from adding another line of credit with my value increased significantly .

[wuyanren]

Too few witnesses, the public will doubt the authenticity of the witness. If there is only one witness, then the man said, they are skeptical.

[wuyanren]

Why is 17, not 51?

[monsterer]

One NODE does not have the power to rewrite the chain,  one BLOCK signed by 50%+ of the stake at a given point in time has the power.   Coordinating everyone to sign such a block is the real challenge.

Who produces the block?

This just sounds like it's opening the door to more attack vectors; if there is no consensus due to hung, or disabled witnesses, how will you verify the validity of the signatures? What's to stop the stake from being moved around by colluding witnesses to make it appear as if 50% of all stake has signed the magic block?

[topcandle]

Perception is everything.  Bitshares will be seen as centralized with only 17 witnesses, no matter how you cook up the narrative.  Same how Bitshares had less dilution than Bitcoin, but the fear of it drove down the price more than the dilution rate itself. 

[Empirical1.2]

Yesterday I started a discussion on Witness pay and the appropriate number of witnesses, but I fear that discussion actually
This leaves only ONE argument that holds any water:  perception matters more than reality.   

Just because we recognize the futility of hiding under our desks in the event of a nuclear attack does not mean that millions of kids don't feel more comfortable.   

So my counter-argument that the perceived importance of attracting the more-is-better audience is likely overestimated.   Most people simply don't care so long as the system appears to work and is reliable.

You thought a few % dilution was a relatively insignificant change that added value to the network and compared favourably to Bitcoin's dilution. But I would argue dilution yielded negligible additional funds (vs. fees at a higher CAP) but cost the DAC a lot in terms of valuation & support. 

Here you think reducing the witnesses is more optimal, doesn't make the network any less secure and compares favourably to Bitcoin's level of decentralisation. But I would argue 17 witnesses will yield negligible additional funds & additional performance but could cost the DAC a lot in terms of valuation & support.

It's simply not worth the risk for the gain, of having another year where inferior but more popular competitors achieve higher valuations and greater network effect imo.

Even with proxied voting, if a few proxies gain too much control, it will be viewed as too centralised and potentially limit growth. I personally think the poor initial distribution of NXT gave it a centralised perception which limited it's growth and popularity.

5. It is similar to the number of validators Ripple has:  https://validators.ripple.com/#/validators 

Ripple is definitely viewed by the market as too centralised, which definitely hampers them in some ways and they are aware of the problem. 

http://cointelegraph.com/news/115177/stefan-thomas-one-day-we-will-decentralize-ripple

[bytemaster]

Imagine if at any time a block can be produced that is a consensus in itself and this block can build off of any block after the last checkpoint.   Imagine that this block has the power to completely change the blockchain parameters including the elected witnesses.    Imagine if a block containing the signatures of accounts that collectively vote for more than 50% of the stakeholders could overwrite a block produced by witnesses. 

Why bother with having more than 1 block producing node if one node has the power to completely rewrite the chain?

One NODE does not have the power to rewrite the chain,  one BLOCK signed by 50%+ of the stake at a given point in time has the power.   Coordinating everyone to sign such a block is the real challenge.

[monsterer]

Imagine if at any time a block can be produced that is a consensus in itself and this block can build off of any block after the last checkpoint.   Imagine that this block has the power to completely change the blockchain parameters including the elected witnesses.    Imagine if a block containing the signatures of accounts that collectively vote for more than 50% of the stakeholders could overwrite a block produced by witnesses. 

Why bother with having more than 1 block producing node if one node has the power to completely rewrite the chain?

[luckybit]

Wouldn't the network have the most security if witnesses are absolutely anonymous? You can't bribe or corrupt who you can't find and don't know.

Known witnesses can be influenced over time.  If the source of power is camouflaged then you have greater security than if it is obvious and easy to find.

Its a double edged sword.  You need to be relatively certain that they are not all the same person.

You can have proof of unique person while also keeping the identities anonymous.

All we need is proof that someone unique is behind the digital signature. We don't need to know exactly who that someone is.

[bytemaster]

“  Consider Bitcoin, it cannot even reach consensus on block size, so how would the network recover if all publically available mining pools were shutdown or compromised?  All of a sudden it isn't profitable to solo-mine and there is no recourse.   ”
----------------------------------------------------------------------

What if all the meth lab are shut down by police ? Would the drug addicts run out of meth ? No , bad chemists would build more to fill in the gaps .

Mining pool are low cost , high reward business . If there is need for a mining pool , other people will build it up soon .

1.  You cannot set them up over night
2.  New services wouldn't be hardened against DDOS
3.  It would require a large amount of time to "regroup" due to manual intervention being required.

In other words, you only need as many witnesses as there are mining pools to have identical security. 

[puppies]

Wouldn't the network have the most security if witnesses are absolutely anonymous? You can't bribe or corrupt who you can't find and don't know.

Known witnesses can be influenced over time.  If the source of power is camouflaged then you have greater security than if it is obvious and easy to find.

Its a double edged sword.  You need to be relatively certain that they are not all the same person. 

[luckybit]

Wouldn't the network have the most security if witnesses are absolutely anonymous? You can't bribe or corrupt who you can't find and don't know.

Known witnesses can be influenced over time.  If the source of power is camouflaged then you have greater security than if it is obvious and easy to find.

[btswildpig]

“  Consider Bitcoin, it cannot even reach consensus on block size, so how would the network recover if all publically available mining pools were shutdown or compromised?  All of a sudden it isn't profitable to solo-mine and there is no recourse.   ”
----------------------------------------------------------------------

What if all the meth lab are shut down by police ? Would the drug addicts run out of meth ? No , bad chemists would build more to fill in the gaps .

Mining pool are low cost , high reward business . If there is need for a mining pool , other people will build it up soon .

[bytemaster]

Yesterday I started a discussion on Witness pay and the appropriate number of witnesses, but I fear that discussion actually missed the mark.  The number of witnesses can be changed in a day, and the pay within 2 weeks.

What is far more important than the number of witnesses is who gets to chose the witnesses and how quickly those decisions can be made.

I would like to take a moment to use an analogy on the difference between energy and power.    Power can be thought of as the amount of energy that can be applied in a fixed amount of time.   If you invented a battery that
contained infinite energy but that energy could only be drawn upon at 1 watt then you couldn't even power a household light bulb.   However, if you had a standard AA battery and were able to release all of the energy in that
battery instantaneously you could destroy the world.   

When it comes to proof of stake coins, a voting share can be thought of as raw energy.  The power of the network can be thought of in terms of how many votes can be brought to bare in a short period of time. 

The security of a network depends upon distribution of energy and the speed at which it can be applied to react to changing circumstances.   

So let's suppose that we had 1001 witnesses but all voting power was proxied through a single account.    The presence of 1001 witnesses is an illusion, they could be changed in a day down to the minimum of 11 if a single
individual was compromised.    It is unlikely that 50% of the stakeholders could change their vote in a day to counter the corrupt proxy.

From this perspective we see that witnesses are only necessary for short-term security and are powerless to maintain their position. 

The question becomes not about bribing a witness, or performing a DDOS on a witness, but on choosing the witness. 

For a given set of witnesses they can choose to censor transactions which change votes.  This is their only vector of attack.  If they choose this route then the network goes down for a hardfork where the proxies vote on a fresh set of witnesses.

Think of the witnesses as the IT staff and the proxies as the Board of Directors of a company.   If the IT staff decided to go rogue they would be fired and the BOD would simply replace them.   

All that is necessary is to have a contingency plan in place in the event that the witnesses go rogue.  A plan that is decided in advance and whose execution can be independently validated by everyone.

Imagine if at any time a block can be produced that is a consensus in itself and this block can build off of any block after the last checkpoint.   Imagine that this block has the power to completely change the blockchain parameters including the elected witnesses.    Imagine if a block containing the signatures of accounts that collectively vote for more than 50% of the stakeholders could overwrite a block produced by witnesses. 

What we need for security is a DECISION MAKING PROCESS more than anything else.  We need an adaptive and responsive system.  We need a diverse set of unpaid decision makers that the majority trust with their proxy votes.   

If we had 101 accounts that collectively controlled 2/3 of all voting power (via proxy) then the power structure of the network would effectively be:

1. Witnesses are the Executive Branch
2. Committee members are the Senate (1 vote per seat)
3. Proxy members are the House (weight proportional to population)

In the event the executive branch goes rogue we merely need to "hold an election" which can be done via the Senate (easiest), via Proxy Members (next easiest) or via direct voting.  Once the votes are cast a new set of witnesses are elected and the network can proceed as always.

What does all of this mean?  It means that we should be focused more on defining a solid set of representatives to serve as active proxy voters that are in the best position to evaluate how many witnesses and committee members are necessary to secure the network.    Having effective and timely voting will do more to improve network security than a 5x or 10x increase in the number of witnesses.

Remember that in evolution, it isn't the strongest that survive but the most adaptable.   Create a system that cannot adapt and it will easily be taken down. 

Consider Bitcoin, it cannot even reach consensus on block size, so how would the network recover if all publically available mining pools were shutdown or compromised?  All of a sudden it isn't profitable to solo-mine and there is no recourse. 

View witnesses as mining pools that are easily changed and hard to shutdown. 

Every day there is a new debate about decentralization, and every time that debate quickly loses sight of all perspective.   Everyone wants a system that is "secure", whatever that means.   Everyone wants a system that is "cheap", "fast", and "reliable" as well.   

The problem is that everyone has different definitions of terms and different threats they are concerned about.     There are as many variables to security as there are types of security and vectors of attack.   If we are not careful then we spend millions of dollars building a moat and castle wall so we can feel secure only to have the castel taken down from the air, by siege, or some other attack vector.

The debate about how many witnesses a network has is meaningless without a proper discussion of the *type* of security witnesses provide and how they provide it.  Collectively witnesses exist to establish a consensus on an irreversible transaction history and testify about the relative value of assets in the system.    Technically the witnesses are not where the consensus lies.  Technically every other node on the network is also participating in the consensus by recording the real time broadcast of blocks by the official witnesses.    Each and every one of these nodes also processes and validates all transactions.   

Producing blocks is only one part of security.  Providing seed nodes is another.  Attacking the P2P protocol is a third.   Of the three of these, attacking the block producers is probably the most difficult because no one knows their IP address.   Attacking the seed nodes on the other hand could completely disable new connections.   More importantly, attacking the P2P protocol could temporarily completely disrupt all communication among witnesses. 

The more witnesses you have the more difficult it becomes to coordinate in the event that communication is disrupted.   As a result increasing the number of witnesses beyond a certain point makes the network less secure.
The more witnesses you have the more difficult it becomes to vet the witnesses and hold them accountable.  Once again increasing the number of witnesses has the paradoxical effect of reducing security.

To understand this from a metaphor perspective, building the great wall around all of China to protect a single house is pointless unless you are able to watch every square inch of that wall all of the time.  Building a similar wall around 1 acre would be far more effective.    Walls only slow down attacks, they don't prevent them.   Having 1 million witnesses means that no one will notice when 500,001 of them fall under control of one entity.   There is simply too much to track.

There are several different kinds of attacks that must be specifically addressed:

1. Censorship
2. Changing History
3. Denial of Service
4. Denial of Connection

All blockchains can be completely shutdown by IP/PORT filtering of all public nodes.   If the network was attacked by a botnet that connected 100K nodes it would dwarf the size of even the bitcoin network.   These nodes could then perform all kind of attacks.    A 100K botnet is cheaper than mining power. 

In conclusion I would like to suggest that having an abundance of witnesses is like wearing a gas mask every day just incase your home gets raided with tear gas.   Instead what we do is keep a gas mask handy, "just in case", but we don't wear it everyday.   Likewise, we keep the ability to increase the number of witnesses "just in case", but it is pointless to obsess over this.

This leaves only ONE argument that holds any water:  perception matters more than reality.   

Just because we recognize the futility of hiding under our desks in the event of a nuclear attack does not mean that millions of kids don't feel more comfortable.   

So my counter-argument that the perceived importance of attracting the more-is-better audience is likely overestimated.   Most people simply don't care so long as the system appears to work and is reliable.