Q: When 2 or more blue "brother" blocks are accepted, what protocol determines the order of those blocks? And if there are collision txs in them, is the tx in question just left out in the block that is ordered later?
A: They are ordered by blue work (from low to high), with ties broken by hash. And yes, if there's a conflict, the first one wins. Blue work has the property of respecting topology because of the GHOSTDAG max operator. So we use blue work a lot for getting a topological sort.
Q: The main ordering is determined by the virtual chain though, no? Like two levels determine the order: a partial order induced by the virtual chain, and between virtual chain blocks, by blue work?
A: Between blocks in the mergeset we sort by blue work, but the selected parent precedes the mergeset. So there's actually a nuance there.
Q: And the block with conflict tx is discarded fully or only the conflict tx?
A: Only the tx is discarded (it simply has missing utxo inputs in the current on-the-fly utxo set), because they were just spent.
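The ordering and conflict rule described in the answers above, as an added Python sketch (not Kaspa's code and not part of the original discussion). The `Tx` and `Block` types, the lexicographic hash tie-break, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # outpoints this tx spends
    outputs: tuple   # outpoints this tx creates

@dataclass(frozen=True)
class Block:
    hash: str        # hex string; lexicographic tie-break is an assumption
    blue_work: int
    txs: tuple

def order_blocks(selected_parent, mergeset):
    """Selected parent first, then the rest by blue work (low to high), ties by hash."""
    return [selected_parent] + sorted(mergeset, key=lambda b: (b.blue_work, b.hash))

def accept_transactions(selected_parent, mergeset, utxo):
    """Replay txs in consensus order against an on-the-fly UTXO set.

    A tx whose inputs are no longer in the set is dropped on its own; the
    block that carried it stays in the ordering."""
    utxo, accepted, dropped = set(utxo), [], []
    for block in order_blocks(selected_parent, mergeset):
        for tx in block.txs:
            if set(tx.inputs) <= utxo:
                utxo -= set(tx.inputs)
                utxo |= set(tx.outputs)
                accepted.append(tx.txid)
            else:
                dropped.append(tx.txid)   # inputs were just spent by an earlier tx
    return accepted, dropped, utxo

# Constructed sample data (not real Kaspa blocks). The selected parent has the
# highest blue work here and still comes first.
SP = Block("ff", 20, (Tx("a", ("u1",), ("a:0",)),))
B1 = Block("bb", 12, (Tx("b", ("u2",), ("b:0",)),))
B2 = Block("aa", 12, (Tx("c", ("u2",), ("c:0",)), Tx("d", ("a:0",), ("d:0",))))
B3 = Block("cc", 11, (Tx("e", ("u1",), ("e:0",)),))

if __name__ == "__main__":
    print(accept_transactions(SP, [B1, B2, B3], {"u1", "u2"}))
```

In the sample, `e` conflicts with `a` and `b` conflicts with `c`; both are dropped while the rest of their blocks' contents are still processed in order.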
Q: Well, secondly, if I understand correctly, this type of consensus is claimed to be more MEV resistant because small peripheral nodes can mine a significant amount of blocks. So is that because they could directly publish their own tx and not rely on the mempool where it can be frontrun? Or because there is simply a faster throughput of the mempool?
A: Here is the devs discussion about that: Stealth transactions via DAG · Issue #1
Q: Ok, I read it. It's a clever idea but with some assumptions (no miner collusion, also what happens if Charlie in the example decides to hold back dec()? You'd have to send dec() to multiple miners).
But that said, I had an idea that might add to preventing MEV.
Most of the MEV works by a miner finding a big tx, and inserting a tx of their own within his mined block, frontrunning that tx.
So what if there was a way to order the txs of a block randomly? The first response to this is: the miner would just arrange the txs in a way that would benefit them after the ordering system is applied. But what if the ordering depends on the hash of the block itself? The miner would have to mine a new block if the ordering didn't suit them, and someone else would probably mine the big tx first.
So by doing that, you already reduce MEV by 50% if miners try to gamble it. With the amount of MEV that gets extracted, 50% is a lot. Just an idea, don't know how viable it is.
A1: (@msutton) It's rather interesting. Because actually in Kaspa the transactions are accepted by following blocks. So it's kind of straightforward to implement.
A2: (@hashdag) When there exists an external source of randomness, MEV indeed can be heavily mitigated by randomizing the ordering. Ext. source of randomness can be the POW nonce, or VDF. This is another aspect where POW>POS. There's a tradeoff though, since some orderings are more beneficial to the users (as a cumulative, aka social welfare), and so randomizing "blindly" comes at the cost of economic efficiency. This is my current topic of research.
Discussion continued here.
Courtesy of @msutton, @hashdag, @themistocles, @jwj in Discord.
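The hash-dependent ordering idea from the question above, as an added Python sketch (not part of the original discussion and not Kaspa code). Sorting by SHA-256(block hash || txid) is an assumed construction, and the block hashes and txids are constructed; `precedence_rate` measures how often one transaction lands ahead of another when the block hash cannot be chosen.

```python
import hashlib

def order_key(block_hash: bytes, txid: bytes) -> bytes:
    """Per-tx sort key that is only known once the block hash is fixed."""
    return hashlib.sha256(block_hash + txid).digest()

def hash_ordered(block_hash: bytes, txids):
    """Deterministic order any node can recompute from the block hash alone.

    The order the miner listed the txs in has no influence on the result."""
    return sorted(txids, key=lambda t: order_key(block_hash, t))

def precedence_rate(first: bytes, second: bytes, others, trials: int = 2000) -> float:
    """Share of constructed block hashes under which `first` precedes `second`."""
    wins = 0
    for n in range(trials):
        # Constructed stand-in for a mined block hash.
        block_hash = hashlib.sha256(b"constructed-block-%d" % n).digest()
        order = hash_ordered(block_hash, [first, second, *others])
        wins += order.index(first) < order.index(second)
    return wins / trials

# Constructed txids for the demonstration.
BIG_TX = b"tx-big"
INSERTED_TX = b"tx-inserted"
OTHERS = [b"tx-%d" % i for i in range(20)]

if __name__ == "__main__":
    h = hashlib.sha256(b"constructed-block-0").digest()
    print([t.decode() for t in hash_ordered(h, [BIG_TX, INSERTED_TX, *OTHERS])][:5])
    print("inserted tx ahead of big tx in",
          precedence_rate(INSERTED_TX, BIG_TX, OTHERS), "of blocks")
```

The measured rate sits near one half, which is the "gamble" the question describes: a block whose hash yields an unfavourable order has to be mined again to change it.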
Q: I came across this research paper: https://arxiv.org/pdf/2109.01102.pdf describing a potential attack on the GHOSTDAG protocol which would allow bad miners to manipulate their block rewards. Has this issue been addressed in Kaspa's current network?
A: I actually ran into this article a few weeks ago and skimmed it.
tl;dr: this is not an "attack on GHOSTDAG" but a known property of all inclusive protocols which was already noted in the literature. This paper does nothing more than to provide some empiric data backing insights which were already published in 2014 in https://www.researchgate.net/publication/280036163_Inclusive_Block_Chain_Protocols (two of the authors thereof are coincidentally @hashdag and Aviv Zohar).
The "attack" they present could be more fittingly described as the insight that the "include random transaction rule" is a weak Nash equilibrium but it fails to be a strict Nash equilibrium. This is nothing new and has been noted to hold for all "Inclusive" protocols (that is, all algorithms which allow parallel blocks to coexist and in particular all DAG based protocols).
The important fact is that the Nash equilibrium might be weak, but it is still there. That is, if a small fraction of miners takes this route they might increase their yield, but as the fraction of "dishonest" miners grows the expected yield converges back to the equilibrium strategy yield (also, the analysis of how the yield of the "honest" miner changes as the fraction of "dishonest" miners increases reveals surprising properties). So in practice, this strategy might not prove itself at all beneficial.
You can read more about the game theory of inclusive transaction markets here: https://ancapalex.medium.com/transaction-selection-games-in-blockdags-602177f0f726
If in practice we see a higher than expected collision rate (which indicates miners are not including random transactions), there are various possible approaches to mitigate this, e.g.:
Academically speaking, the trade off is that it is impossible to prioritize high fees without increasing collision rate. You might consider prioritizing higher fees (that is, being able to "buy" precedence for inclusion) a feature or you might consider it a bug. If you opt for the former, then this is the inevitable tradeoff.
Courtesy of @hashdag and @Titorelli
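The fee-versus-collision trade-off from the answer above, as an added Python simulation (not from the cited papers and not Kaspa code). It uses a simplified model that is an assumption of this example: two miners build parallel blocks from the same mempool, and the fee distribution and the three selection strategies are constructed.

```python
import random

def pick_uniform(fees, m, rng):
    """The 'include random transactions' rule: every mempool tx equally likely."""
    return set(rng.sample(range(len(fees)), m))

def pick_fee_weighted(fees, m, rng):
    """Random but biased toward fees (weighted sampling without replacement)."""
    keys = [(rng.random() ** (1.0 / f), i) for i, f in enumerate(fees)]
    return {i for _, i in sorted(keys, reverse=True)[:m]}

def pick_top_fee(fees, m, rng):
    """Greedy: always take the m highest-fee transactions."""
    ranked = sorted(range(len(fees)), key=lambda i: fees[i], reverse=True)
    return set(ranked[:m])

def collision_rate(pick, fees, m, trials=200, seed=1):
    """Average share of a block's txs that a parallel block also included."""
    rng = random.Random(seed)
    duplicated = 0
    for _ in range(trials):
        block_a, block_b = pick(fees, m, rng), pick(fees, m, rng)
        duplicated += len(block_a & block_b)
    return duplicated / (trials * m)

# Constructed mempool: 1000 txs with a skewed fee distribution, 100 txs per block.
FEES = [(i + 1) ** 2 for i in range(1000)]
BLOCK_SIZE = 100

if __name__ == "__main__":
    for name, pick in [("uniform", pick_uniform),
                       ("fee-weighted", pick_fee_weighted),
                       ("top-fee", pick_top_fee)]:
        print(f"{name:13s} collision rate: {collision_rate(pick, FEES, BLOCK_SIZE):.3f}")
```

Uniform selection collides on roughly block size divided by mempool size, any bias toward fees pushes the rate up, and pure top-fee selection makes the second block fully redundant.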
Q: Is Kaspa's private key long enough to be quantum computing resistant? Even for a recycled address?
A1.0: Virtually no coin is quantum resistant these days. ECDSA is completely broken against quantum computers. There are no good alternatives which are actually implemented. Lamport signatures are very space inefficient. Current PQDS NIST finalists are far from having withstood enough cryptanalysis (and the fact that some runners-up were found to be exploitable demonstrates how much of an issue this actually is). They also require about x10 storage in the best case.
A1.1: Actually, I should be more careful. I was measuring difficulty to reverse a txn in terms of relative hashrate. In terms of absolute hashrate the question becomes easier to gauge because on one hand the BTC hashrate is larger than ours by about ten orders of magnitude, and on the other hand, pretty much all hashes are computed on ASICs to which we are resistant.
I am actually in a late stage of writing an academic paper (with Or Sattath) about how quantum vulnerable all current blockchains are (besides ones who employ unreasonably inefficient OTS schemes such as qBTC), and what could be done about this. Hopefully we'll manage to upload it to arXiv by August.
Q: Have you heard of QANX? They are a quantum resistant blockchain. What are your thoughts on QANX?
A: I skimmed over their site and there are many reasons for concern
Within the QAN public blockchain (MainNet), block proposers are not selected based on the value of the stakes they committed. They are elected amongst themselves in a verifiably random manner, all without the possibility of tampering and manipulation. All validators have an equal opportunity to validate a block at any given point, based on a deposit paid in the QANX Token.
My final conclusion: ****.
Courtesy of @deshe, @badger47623, @Promethean
Search also our Discord server for a "Quantum" word to see some more discussions.