The first natural but often unstated assumption is that a majority of players follow the correctness rules of the protocol.
...
Equally important is the assumption of rational participants (whether they are cheating or not), and we likewise assume that the majority of the computing power is held by rational players.
From the analysis I did of Iota's DAG, it seems impossible to presume the majority players obey any Nash equilibrium in a blockless DAG design. It appears to be a fundamentally insoluble issue. In other words, it is not sufficient to analyze the security and convergence game theory (properties) from a holistic systemic perspective, and instead per-DAG-branch partial order strategies arise.
We must differentiate Iota's design because afair it has no reward for doing proof-of-work other than the "altruism-prime" motivation, and afaics Iota does not have the localized incentive of Theorem 2 mentioned below.
Just because there's a PoW component (initially at least), which produces new coins. You might not like mining, but it's established enough that few would seriously object to using it for distribution. (Though it's of course always preferable if the PoW is GPU/ASIC resistant.)
Why would you extend my branches if by invalidating them you would earn more coins?
Afaics Iota's convergence depends on all payers and payees adopting the same strategy¹ with no incentive present to choose one strategy over another (which is why I never thought Iota could maintain a Nash equilibrium without centralized servers enforcing a strategy).
The above quote from the white paper is the normal resistance up to the well-known "51% attack" assumption. Theorem 2 in section 3.2 of page 19 explains that the honest, rational participant has (presuming a Nash equilibrium) a probabilistic and opportunity cost incentive to apply proof-of-work (i.e. append) on the "leading edge", analogous to the longest chain rule incentive in Bitcoin.
Yet a Nash equilibrium requires that there are no other plausible strategies in conflict with each other. So we must consider:
Even with or without direct monetary rewards (e.g. minted coins or non-burned txn fees), selfish mining can be conceptualized more generally as the asymmetry (for different proof-of-work participants, aka miners in Bitcoin) of the cost of effective PoW (or burned txn fees), for whatever PoW (or burned txn fees) accomplishes in the consensus system. So even for Iota or DagCoin which afair don't monetarily reward the PoW (i.e. afaik the PoW is simply burned), the asymmetry still exists in terms of the value of what PoW can effect in the system. Thus as CfB wrote, "a more sophisticated strategy may be more profitable" given some externalities such as achieving a double-spend and shorting the token's exchange value.
And afaics, this is where the paper errs just below the proof of Theorem 2:
A stronger property can be made for those transactions that further satisfy property #3, namely that the prize of the new transaction be larger still than the prize of its parents before the new transaction came into existence. As long as this property is true, not only will honest verifiers have an incentive to prefer the new transaction over its parents, but even dishonest clients who might think of actively denying certain valid transactions will still find it advantageous to prefer the new transaction.
The possibility of non-Nash equilibrium attacks is acknowledged but in a dismissive tone (and afaics with an incorrect presumption of "convergence" being final, unless "convergence" means probabilistic assurance of some multiple "as confirmations" of 50% of all proof-of-work of all branches as descendants of our branch):
We note that partially verified transactions have temporary exposure to a concerted attack, since a powerful attacker may have the temporary local ability to overpower the honest majority by focusing all of its efforts against a specific target. We note that once a transaction nears or reaches convergence, it will be as strongly affirmed as it would be in a Blockchain system of equivalent total verification power.
There is little value in using energy to remove a previous transaction, outside of attacks that focus on transactions one may wish to remove, such as in a double spend scenario, see Theorem 1.
What I wrote previously is afaics true when either minting rewards are present or transactions can earn some fees because they don't "satisfy property #3":
2. There is no total order in the described system [insert: unless we reach probabilistic "convergence" as I described it above], thus any partial order DAG only exists from the perspective of those partial orders which reference it. Thus the reward for any DAG is always subject to being retaken by an entity which can apply more PoW than was originally applied. Thus the selfish-mining flaw appears to apply. A miner with 1/4 or 1/3 of a DAG partial order's hashrate lies in wait to allow others to waste their PoW on a DAG while building a hidden parallel DAG claiming the same rewards. Then it releases the hidden DAG later, orphaning all those said transactions and rewards, thus increasing its share of the rewards (including minted coins), relatively speaking, higher than the proportion of its hashrate would otherwise provide without the selfish mining strategy. And it appears to me to be catastrophically worse than for Satoshi's design, in that there will likely be multiple unmerged DAG branches at any moment, so the attacker probably needs much less than 1/4 of the network hashrate to selfish mine any one of those coexistent DAG branches.
However, if the quoted selfish mining doesn't require 1/4 to 1/3 of total systemic hashrate because the network hashrate is split amongst several coexistent branches of the DAG (which at any moment have not yet been converged), then it also means the selfish miner is only becoming relatively wealthier than the participants on the attacked branch and not w.r.t. transactions in other branches of the systemic DAG. Yet I also posit it means multiple selfish miners probabilistically on different branches don't need to be coordinated, so the threshold-of-attack is lower and thus economically there should be more such attackers (than for Satoshi's design).
Even if we remove minting from the described system and require that all transactions "satisfy property #3" so that the only incentive to converge on leading edges is an "altruism-prime" to have one's transaction confirmed (which is in theory qualitatively an undersupplied public good and empirically weaker than an individualized for-profit incentive), then afaics the potential attack becomes a combination of a selfish mining attack in the sense of causing others on the same branch to waste proof-of-work resources (thus of course the others becoming relatively less profitable than the attacker) combined with a double-spend attack on the lie-in-wait branch, noting that for the honest participants the cumulative proof-of-work (in this constrained design variant) would necessarily need to cost significantly less than the value of the transactions in the branch (since given there is no reward, the proof-of-work is effectively a transaction fee). Thus I posit the double-spend attack becomes quite plausible because the security is so low. The vulnerability is ostensibly much greater than (as quoted below) for Bitcoin, because of only being secured by the said commensurate value of proof-of-work as "transaction fees" and because, as adapted from the above quote, "there will likely be multiple unmerged DAG branches at any moment, so the attacker probably needs much less than 51% of the network hashrate to lie-in-wait on any one of those coexistent DAG branches".
@TomHolden, I agree that Satoshi's PoW has the same potential vulnerability in that if double-spends exceed the value of what was burned to provide security, then a 51% lie-in-wait attack is possible funded by the value of the double-spends (possibly also shorting the exchange value in case the successful attack craters the price).
Thus, @tonych's concern applies to every consensus design (including Satoshi's) which is based on burning some resources as the metric of the longest-chain-rule (regardless whether multiple branches are merged to form the longest-chain, e.g. a DAG).
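As an added illustration (not part of the post above, nor of the Iota paper it quotes), here is a Python model of the lie-in-wait / selfish-mining strategy the quoted text describes, so a reader can check the "1/4 or 1/3 of hashrate" claim rather than take it on faith. It uses the Eyal and Sirer (2014) state machine and their closed-form revenue formula, and adds the per-branch generalization the post posits. The branch model (an unconverged branch behaving like an isolated longest-chain system that attracts some fraction of the network's total PoW) is an assumption made here for illustration only; all function and parameter names are constructed for this example.

```python
import random


def selfish_revenue_share(alpha: float, gamma: float) -> float:
    """Closed-form share of main-chain blocks won by a selfish miner
    (Eyal & Sirer, "Majority is not Enough", 2014).

    alpha: attacker's fraction of the hashrate on the branch it attacks.
    gamma: fraction of honest hashrate that builds on the attacker's block
           when two blocks of equal height are public (tie-break behaviour).
    Honest mining earns exactly alpha; anything above alpha is the
    "relatively wealthier than the other participants" effect.
    """
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def selfish_threshold(gamma: float) -> float:
    """Smallest alpha at which selfish mining beats honest mining:
    1/3 when gamma = 0, falling towards 0 as gamma approaches 1."""
    return (1 - gamma) / (3 - 2 * gamma)


def systemic_hashrate_needed(branch_fraction: float, gamma: float) -> float:
    """Fraction of the WHOLE network's hashrate needed to selfish-mine one
    unconverged branch that currently attracts `branch_fraction` of all PoW.
    Assumption (ours, for illustration): miners on that branch behave like
    an isolated longest-chain system, so only the branch-local alpha matters.
    """
    return selfish_threshold(gamma) * branch_fraction


def simulate_selfish_mining(alpha: float, gamma: float,
                            blocks: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo of the lie-in-wait strategy: the attacker keeps found
    blocks private and publishes only to orphan honest work. Returns the
    attacker's share of the blocks that end up on the main chain."""
    rng = random.Random(seed)
    lead = 0       # attacker's hidden blocks ahead of the public tip
    tie = False    # one attacker block and one honest block public at equal height
    attacker = honest = 0
    for _ in range(blocks):
        attacker_found = rng.random() < alpha
        if tie:
            if attacker_found:
                attacker += 2          # attacker extends its own fork: both blocks win
            elif rng.random() < gamma:
                attacker += 1          # honest block built on the attacker's block
                honest += 1
            else:
                honest += 2            # honest block built on the honest block
            tie = False
        elif attacker_found:
            lead += 1                  # keep the new block hidden
        elif lead == 0:
            honest += 1                # nothing hidden; honest chain simply grows
        elif lead == 1:
            lead, tie = 0, True        # publish the one hidden block: a race
        elif lead == 2:
            attacker += 2              # publish both; the honest block is orphaned
            lead = 0
        else:
            attacker += 1              # publish one block, still >= 2 ahead
            lead -= 1                  # (the honest block is orphaned)
    return attacker / (attacker + honest)


if __name__ == "__main__":
    print("alpha  honest  selfish(formula)  selfish(sim)")
    for alpha in (0.20, 0.30, 0.34, 0.40):
        print(f"{alpha:.2f}   {alpha:.3f}   {selfish_revenue_share(alpha, 0.0):.3f}"
              f"             {simulate_selfish_mining(alpha, 0.0):.3f}")
    print("systemic hashrate needed vs a branch holding half the PoW (gamma=0):",
          round(systemic_hashrate_needed(0.5, 0.0), 4))
```

With gamma = 0 the simulation reproduces the formula: an attacker with 40% of a branch's hashrate ends up with about 48% of that branch's main-chain blocks, while one with 20% gets only about 13% (below the 1/3 threshold the strategy loses to honest mining). Under the stated branch assumption, an attacker needs 1/3 of the attacked branch's hashrate, which is only 1/6 of the systemic hashrate if that branch attracts half of the network's PoW; that is the sense in which the post argues the attack threshold falls when hashrate is split across unconverged branches. Note that the model says nothing about whether such a branch later converges with its siblings, which the post leaves open.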