1. Sybil-resistance (faking strong consensus by deploying cheap replica nodes you control) in a protocol like this is crucial. All I could find is this:
To prevent Sybil attacks, it uses a mechanism like proof-of-stake that assigns weights to participants in committee selection based on the money in their accounts.
2. Every non-proof-of-work protocol I've seen, including Ripple Consensus Process and proof-of-stake creates a problem of initial coin distribution. PoW systems have a clean distribution mechanism based on external resource consumption. Non-PoW systems produce an airdrop situation. Players start with no funds, and so can't stake. The creator of the network manually assigns ownership, with important long-term political consequences (e.g., Ripple).
3. The lack of an incentive structure around fees in protocols like Ripple creates bizarre economic consequences. For example, Ripple is guaranteed to lose money stock because fees are simply burned, rather than given to the consensus leader as in Bitcoin.
4. So far, I haven't seen anything in the paper regarding denial of service attacks on nodes. In other words, I see no negative incentives levied on those who can sign transactions from flooding the network with useless spam, bogging everything down.
May deployed PoW implementations are provably worse than most modern proposals for Proof of Stake. PoW mining opens selfish mining strategies, whereas Proof of Stake fixes the set of actors opens to scrutiny the mechanism for "who gets to mine the next block."
This doesn't mean that proof-of-stake is magical, but it's certainly less prone to issues than Proof of Work. It's also less inundated by religious zeal; PoS proposals face healthy skepticism and more vetting BEFORE they tend to be deployed. PoW is the axiomatic and beloved sacred "nakamoto consensus" in (incorrectly, but to many in the space) a platonic form.
Unless the creators are the only ones mining for a time.
OTOH, consider the alternative. Satoshi gave himself all the money in the system, then divvied it up among his friends.
However, given the availability of multiple multi-billion dollar cryptocurrency economies, another option might be possible. Airdrop to the current holders of some other cryptocurrency. Or maybe a basket of cryptocurrencies. Key owners could then claim their money on the newly-created network. This idea really started to take off in 2018 with Bitcoin hard forks.
The problem is that the network creator will face intense pressure to withhold just a little currency to fund a war chest. Yielding to that pressure creates the very political problems I alluded to earlier (e.g., Ethereum).
Basically, PoW provides consensus by providing an absolute timestamp (we know that at the difficulty adjustment equilibrium, a certain block header must have taken 10 minutes to produce), but this does not imply that a consensus algorithm that all public ledger consensus algorithms must produce an absolute timestamp (the later claim is stronger).
Isn't this already implemented by STEEM ?
"Algorand [26] uses a verifiable random function to select a committee of nodes that participate in a novel Byzantine consensus protocol. It achieves over 360 tps with 50 second latency on an emulated network of 2000 committee nodes (500K users in total) distributed among 20 cities. To prevent Sybil attacks, it uses a mechanism like proof-of-stake that assigns weights to participants in committee selection based on the money in their accounts."
There are well known problems with DAGs: lack of incentive to run full nodes, tip choice attacks, flooding/spam attacks if there are no fees, and many and varied types of Sybil attacks.
For flooding or spam a transaction proof of work isn't enough. Not only does it "waste" a lot of energy (though at the edge nodes where it's less visible than mining farms) which negates part of the purported benefit of a DAG, but it's vulnerable to ASICs or botnets. If you can short a cryptocurrency on any major exchange that supports short selling then it will get attacked with the goal not of stealing coins or censoring transactions but of just destroying it.
Tip choice attacks combined with Sybil attacks can be very sophisticated. Tip choice is "random" but randomness cannot be verified. 3, 18, 593, 3, 3, now prove those were not random numbers modulus 1024. You can't of course. So I can non-randomly choose the transactions I link to. If I combine this with some sophisticated analysis of the network's transaction structure and physical topology I might be able to skew the network in some disastrous way over time in ways that would be completely undetectable since my apparently "random" tip/link choices were not in fact random. Then I can do something like short the coin and do something nasty to the network.
Attackers can be very very creative, and attacks only get better.
Last but not least: there is no mining mechanism in a DAG coin, or at least I've never heard of how one could be done. This means DAG coins are "Big Bang" coins that begin with all the money that will ever exist. This is problematic from an economic point of view and opens a huge can of worms around what is done with that money and how it is distributed to initial holders.
"We adopt what is commonly known as Bitcoin’s unspent transaction output (UTXO) model. In this model, clients are authenticated and issue cryptographically signed transactions that fully consume an existing UTXO and issue new UTXOs."
I also always like authors who are willing to acknowledge the limitations of their work. If this work described the limitations I didn't see it; maybe they think there are none :-)
> Specifically, the system operates by repeatedly sampling the network at random, and steering the correct nodes towards the same outcome.
Obviously random sampling could be trivially manipulated if anybody can spawn nodes very easily. I expected that the "fix" would be in the "Snowflake" algorithm but I don't see how it prevents that:
> When the protocol is correctly parameterized for a given threshold of Byzantine nodes and a desired guarantee, it can ensure both safety (P1) and liveness (P2).
But isn't that threshold effectively infinite? If you look at something like the bitcoin network there are very few incentives to maintain full nodes. Meanwhile if having a majority of nodes let you cheat and steer the network (which is not the case for BTC thanks to PoW) the incentive to spawn a huge amount of byzantine nodes would be very high.
After that the paper introduces the notion of "confidence" which might be the key to unraveling all that but I haven't yet fully understood that part. I don't have more time to look into it at the moment, hopefully somebody else will.
It seems thats the only problem in the crypto world, but I dont know if verification will ever be scalable.
PoW solves the problem by making it so that any node which receives two valid but conflicting versions of blockchain has an objective metric to decide which one is the "right" one. The answer being whichever has the most work put into it. Since you can't fake work you can't arbitrarily create a new chain that would take over the others (unless you manage to work harder than all the rest of the network combined, hence the 51% attacks).
Without PoW if you receive two valid but conflicting chains you need an other metric to decide which one you select. This paper describes such an approach.
One could read "Beyond Hellman's Time-Memory Trade-Offs with Applications to Proofs of Space" https://eprint.iacr.org/2017/893.pdf
