I loved Itn and Cardano, but I may not love mainet because of a0!

@pparent76 You have clearly invested a HUGE amount of time in going through all the resources. I am impressed! I will also freely confess that your math skills are much better than mine. I can’t follow the the formal proofs in the papers. I have focused on the conclusions, and have taken it on faith that the math substantiates the arguments. So I very much welcome your challenges to the authors’ conclusions.

I will try to explain in my own words what I think the formula is trying to accomplish. If you have the time (and I wouldn’t at all blame you if you didn’t want to invest anything further at this point!!) I would welcome your feedback (or feedback from anyone else in the community) on a couple of questions:

• Do you agree that my conclusions accurately reflect the authors intentions?
• If not, I welcome your thoughts on where I went wrong.
• If so, is your issue with the theory? Or is your concern that the formula doesn’t actually support the intentions?

Allison’s Summary:

“Pledge” is the amount of ADA a Stake Pool Operator must leave in their own Pool.

The amount of the Pledge should be high enough to make it very expensive for anyone to create multiple pools (thus preventing Sibyl attacks).

If the rewards were distributed purely proportionally, someone with a large amount of ADA could create a Pool, fill it entirely with their own ADA, and capture all (or a lot) of the rewards based on their large amount of ADA. As a result, the rich would get richer.

So the problem is how to have a high enough Pledge to prevent Sibyl attacks, but not such a high pledge that small pool operators aren’t discouraged from participating, and that diversity is created amongst pools and within pools.

Rewards are therefore capped once the Pool reaches a certain amount of delegated stake (the saturation point). Purely for the sake of an example, I will assume a Pool’s reward is capped at 10 ADA. If only 1 ADA is staked in that pool, the reward will be 10 per ADA. If there are 2 ADA, the reward will be 5 per ADA. If there are 10 ADA, the reward for each ADA is 1. After that point, any additional Stake will reduce everyone’s reward.

But the above example is an oversimplification as the reward itself is a dynamic number. So it is not set at 10 regardless of the size of the stake in the pool. The reward will increase as the size of the stake in the pool increases, up to the point of the cap. So it is not in the Pool Operators best interest to keep the stake at 1 ADA (using the example above) but rather to encourage delegation to keep the total reward for the pool growing until reaching the point of the cap. Rational delegators will therefore delegate to an unsaturated pool, because that is the way to earn the most rewards as everyone’s reward increases with additional stake, up to the point of the cap.

But if the above mechanism were the end of the story, there would be no prevention against sybil attacks.

So a certain amount of pledge is required. The amount of the pledge works in tandem with the cost and the margin variables in the desirability rankings that wallets will publish. The higher the amount of pledge, the higher up in the rankings the pool will be.

However, the lower the costs and the lower the margin, the more desirable the pool will be, and the higher up in the wallet rankings it will appear. So a pool operator with high costs can compensate by having a higher pledge, and vice versa.

The “strange factor” changes the importance of pledge compared to cost in the calculations of reward. The higher the value of A0, the more important the amount of the pledge becomes. A higher A0 value means that pools with higher pledge amounts can earn higher returns, because the final capped value of rewards for that pool will be higher. That pool with a high pledge amount should therefore be more attractive to delegators and appear higher in the rankings. An A0 value of 0 means the amount of the pledge has no influence, and pools will have the same returns regardless of pledge amount.

While IOHK is doing everything possible to strike the right balance when setting the initial value of A0, if the community later sees that the value is pushing things too far in one direction, the community can decide to change the value.

At the risk of annoying you with one more suggestion of something to look at, I liked the graphs in this article: https://iohk.io/en/blog/posts/2018/10/29/preventing-sybil-attacks/ as I finally could see the impact of the A0 value.

Someone how my notifications were turned off previously. So if you do decide to respond, I should be able to reply immediately I have enjoyed these exchanges and hope that all is well with you!

Thank’s a lot, but I don’t want to pretend or imply what is not true. I’ve not followed either all the formal proofs especially the ones corresponding to what seemed to me as obvious or intuitively true. I’ve also read the paper focusing on finding the motivation for choosing their formula and the advantage in comparison to other possibilities, and I’ve skipped sections that seemed irrelevant to that like numerical simulations.

So the problem is how to have a high enough Pledge to prevent Sibyl attacks, but not such a high pledge that small pool operators aren’t discouraged from participating, and that diversity is created amongst pools and within pools.

Rewards are therefore capped once the Pool reaches a certain amount of delegated stake (the saturation point)

In their formula ( and mine as well ) saturation when reaching 1/k, is not to prevent Sybill attacks , but to avoid the natural tendency to centralization, in order to share operating costs across only one pool.

Purely for the sake of an example, I will assume a Pool’s reward is capped at 10 ADA. If only 1 ADA is staked in that pool, the reward will be 10 per ADA. If there are 2 ADA, the reward will be 5 per ADA. If there are 10 ADA, the reward for each ADA is 1. After that point, any additional Stake will reduce everyone’s reward.

I’m not following you here, if we forget a0 and focus only on saturation point. It is stake that is limited not rewards. If Pool’s stake is capped at 10ADA and for 1ADA staked in that pool the reward is 10 per ADA, If there are 2 ADA it will also be 10 per ADA, If there are 10 ADA it will also be 10 per ADA, If there are 20 ADA it will also be 5 per ADA, If there are 100 ADA it will also be 1 per ADA.

But if the above mechanism were the end of the story, there would be no prevention against sybil attacks.

Yes indeed as mentioned above the saturation mechanism is not here to prevent Sybill attacks.

So a certain amount of pledge is required. The amount of the pledge works in tandem with the cost and the margin variables in the desirability rankings that wallets will publish. The higher the amount of pledge, the higher up in the rankings the pool will be.

However, the lower the costs and the lower the margin, the more desirable the pool will be, and the higher up in the wallet rankings it will appear. So a pool operator with high costs can compensate by having a higher pledge, and vice versa.

Yes to some extend a pool operator will be able to compensate low pledge with low costs. But only to some extend of course, if a0 is high enough, 0 fees may not be able to compensate for 0 pledge. But this is the purpose of all this, to force having some pledge.

The “strange factor” changes the importance of pledge compared to cost in the calculations of reward.

The strange factor removes any positive influence of pledge ratio for small pools. From what I understand, the authors did it intentional, for that purpose, because they feared a small pool ( or pools at “early stages” ) could very easily get a high pledge percentage and therefore get high RoS which would be an unfair advantage. Which as I said above I don’t think is an advantage at all. ( And on the contrary the strange factor does introduce actual unfair advantages )

A higher A0 value means that pools with higher pledge amounts can earn higher returns, because the final capped value of rewards for that pool will be higher. That pool with a high pledge amount should therefore be more attractive to delegators and appear higher in the rankings. An A0 value of 0 means the amount of the pledge has no influence, and pools will have the same returns regardless of pledge amount.

Yes.

While IOHK is doing everything possible to strike the right balance when setting the initial value of A0

Unfortunatly it would appear IOHK is not, for now, doing everything possible, to make an informed choice about the reward scheme, after reviewing and discussing all possibilities (even though I agree this topic comes a bit late). I hope this can change. Please IOHK team, come here and let’s discuss!

the community later sees that the value is pushing things too far in one direction, the community can decide to change the value.

Yes the community can change the value of a0 but can the community decide to change the formula? To my mind there is no good value of a0. Too high is too unfair, too low is too insecure against Sybill attacks. The authors admit it “With respect to Sibyl attacks and the ‘rich get richer’ problem, in our scheme, increasing Sibyl-resilience affects inverse proportionally egalitarianism.”. But it is possible, (until I’m proven wrong) to have a solution that is both strongly secured against Sybill attacks and fair (and also decentralized): f(σ,λ)= R* min ( σ , 1/k , b0 * λ )

At the risk of annoying you with one more suggestion of something to look at, I liked the graphs in this article: https://iohk.io/en/blog/posts/2018/10/29/preventing-sybil-attacks/ as I finally could see the impact of the A0 value.

I’ve allready read this article before I opened this thread.

Someone how my notifications were turned off previously. So if you do decide to respond, I should be able to reply immediately I have enjoyed these exchanges and hope that all is well with you!

Thank’s a lot for your kindness, I really do appreciate very much .

I have to admit that I’ve been some times a bit too much on the defensive, being a bit “alone against all of them” is never easy.

Just want to give a quick reply:
1- I’ve never seen a “representative democracy” where anyone would find it normal that people’s choice would at least partly depend on who pays them the most for their vote.
2- The very purpose of a0 is to steer people to delegate to pools who have high enough pledge and therefore high enough RoS. If you say RoS range will not differ too much anyway so people will not delegate according to RoS, it simply means that a0 has no impact, and therefore will not offer any protection against Sybill attacks.

I’m not following you here, if we forget a0 and focus only on saturation point. It is stake that is limited not rewards. If Pool’s stake is capped at 10ADA and for 1ADA staked in that pool the reward is 10 per ADA, If there are 2 ADA it will also be 10 per ADA, If there are 10 ADA it will also be 10 per ADA, If there are 20 ADA it will also be 5 per ADA, If there are 100 ADA it will also be 1 per ADA.

I think this was a poorly chosen example on my part. But you said:

It is stake that is limited not rewards.

I don’t think stake is capped at the saturation point. The reward is capped. Theoretically more people could delegate to a saturated pool, but everyone’s individual reward would reduce as the total reward for the pool no longer increases passed the saturation point.

The strange factor removes any positive influence of pledge ratio for small pools.

Can you say more about this? I had always understood pledge to be measured in absolute terms. And pools were compared based on the total amount of ADA pledged. When you talk bout a “pledge ratio,” what is being compared?

Thanks for your insights - this conversation is helping to increase understanding of the rewards mechanism!

Yes the stake taken into acount is σ’=min( σ , 1/k). Which means that you will be able to have more than 1/k stake but it will not count for more than 1/k in the reward formula, that’s what I meant. (We could formulate it “the stake taken into account is limited”)

Can you say more about this?

We have demonstrated this in the technical post:

https://forum.cardano.org/t/understanding-shelley-reward-formula-and-k-a0-parameters/

Quick example from this post with 2 pools with 100% pledge ( s’=σ’ to simplify things), and let’s take a0=5 (So that we can streess the effect with high a0)

One big pool which is saturated (s’=σ’=z0) :
f= R * σ

One small pool saturated at 1% :
f~= R/6 * σ’

I.e RoS will be 6 times higher in the large pool than in the small one, even though all of them have 100% pledge.

I had always understood pledge to be measured in absolute terms. And pools were compared based on the total amount of ADA pledged.

In the formula f= R ( σ’ + a0* s’ ), before adding the strange factor, the impact of the pledge on RoS, is not in absolute terms but in relative terms: the optimal RoS= cste*( 1 + a0 * s/σ ).

When you talk bout a “pledge ratio,” what is being compared?

The pledge to the total amount of stake in the pool. I’m talking about s/σ. To prevent sybill attacks we need to keep this ratio above a certain threshold.

So first an apology - I now see that you had not only read that IOHK article about pledge and Sybil attacks but referenced it in the initial post!!

And I had the same thought that you did. The article makes at seem as the though the rewards function is linear, which is not what I understood from the paper explaining the formula.

And a second very sincere apology – I am only slowly getting a better understanding of the question you are asking. Are you questioning why A0 is providing an advantage to pools with larger pledges? And while the simple answer is that the larger pledge sizes prevent against Sybil attacks, you are seeing a way to prevent Sybil attacks while not disadvantaging pool operators with smaller pledge amounts?

I will need to drop out of this thread for a little while, but look forward to picking back up again tomorrow or in the near future.

I’m questioning why it advantages the operators with larger stake and pledge (“big pools”) in terms of RoS. What is needed to prevent Sybill attacks is that pools have a minimum pledge ratio (not absolute pledge). I think authors would agree on that, that’s what they have been attempting at first with initial formula f= R ( σ’ + a0* s’ ), that leads to a RoS= cste*( 1 + a0 * s/σ ).

So I’m questioning why the formula advantages the operators of big pools (and has other problems), when I do see a pretty obvious way to have a 100% fair formula, that is more secured against Sybill attacks than the proposed one, more simple, and that leads to decentrealization.
( f(σ,s)= R* min ( σ , 1/k , b0 * s ) )

The article makes at seem as the though the rewards function is linear, which is not what I understood from the paper explaining the formula.

An hypothesis it that they might not have yet introduced the strange factor at the time of this article.

I will need to drop out of this thread for a little while, but look forward to picking back up again tomorrow or in the near future.

Me too! Thank’s a lof for sincerely trying to understand my point! And no need to apologize!

Just a quick note as I’m still working through everything, but thought you might be interested in this article, if you haven’t already seen it:

@AllisonFromm

I’ve made this table, to make things more visual. (Because I’m not sure everyone sees my point, according to the post you wrote above)

(1) The author admits their formula is not 100% fair: "With respect to Sibyl attacks and the ‘rich get richer’ problem, in our scheme, increasing Sibyl-resilience affects inverse proportionally egalitarianism.”

(2) I’ve set this in orange because even though a0 introduces some incentives to have pledge which lessens the possibility of Sybil attacks, there are serious drawbacks:

a-“Sibyl-resilience affects inverse proportionally egalitarianism”, so there is a need for a compromise, we cannot push unfairness too far off, so we cannot push Sibyl-resilience too far-off
b-We can only guess that the chosen value of a0 will give sufficient incentives to prevent someone creating many large pools without sufficient pledge level, but we cannot be sure of it (contrary to the formula I propose).
c-At the same time Introduction of a0 and variable RoS also impact negatively Sybill-resilience on an other side, because it incentize users to delegate according to RoS, so it discourages the natural tendency of users to delegate to someone or some organization they know directly and trust. This latter behavior is a very powerfull brakes on Sybill attacks.

(3) I mean by cartel attacks, a situation where a certain number of pools take a dominant position, and where a newcomer willing to replace one of them, would need to invest way more than any of the pool in the cartel did in the past in order to have a chance to replace them. Having such a cartel implies high risks of corruption. I’ve shown the proposed formula leads almost certainly to this cartel problem.

See Here
and And Here

(4) The formula I propose is simple to understand because it can be summed up in one short sentence: “The reward and ability to create blocks of your pool is proportional to the stake of your pool, but the stake taken into account is limited to 10 times your pledge, and the stake taken into account cannot exceed 1/100th of the global stake”. You’re welcome to try and do the same thing with the other formula. (Values b0=10 and k=100 have been chosen randomly).

I think Cardano should hire him.
Great @pparent76

@nhragon Haha thanks!

Though at the point we’re at, It’s been more than one month that @KevinH has pointed this topic to his IOHK colleagues, it almost seems it would already be a crazy twist if the authors decided to come here to discuss their reward scheme, which is all I asked!

I’m waiting as well. I hope some IOHK engineers join this very useful discussion here. @IOHK_Tim @IOHK_Laurie

Just to encourage discussion here are my 2 questions to the authors to begin with:

1°) Do you think the table I’ve made here is incorrect or misleading in some way? If so can you explain why?

2°) Do you see any major, not easily solvable, drawback to the formula I propose, that does not appear in my table, or that I did not mention so far, but that your reward scheme solves?

IOHK is aware and will respond once they have a little bit of time

@pparent76 Hey man, i too would like to see your question answered . Thanks for spending your precious time to dig so deep into this, even i don’t know a thing about what you have been discussing about. I have a feeling that if you satisfy then the cardano network will be WHOLE .

2°) Do you see any major, not easily solvable, drawback to the formula I propose, that does not appear in my table, or that I did not mention so far, but that your reward scheme solves?

Also concerning this question, I wanted to mention I’m aware of an attack vector that we could call “DDoS on a pool”, that affects both schemes (mine and the currently official one). And I do see a rather simple work around solution in my scheme, but see no possible work around in the official scheme. I do not develop for now because that’s not the first thing we need to discuss about, but just wanted to mention it, so that it is clear I’m aware of it, should this be part of the discussion later on.

IOHK is aware and will respond once they have a little bit of time

Waiting then…

Any chance you are attending the Summit? The authors of the paper are presenting it right now in the Science Track and there is the opportunity to ask questions.

No I was not attending, I was working on something completely different today and yesterday as well!

Now apparently IOHK is “aware” of the situation here and they plan to answer this topic when they’ve had time for that, so I don’t want to kind of extort an answer from them, when they are not prepared for that. I let them time to give a cold-headed, constructed answer here. And also I think it’s best discussed in the written form, with time to think and deepen things if needed. So let’s just wait and relax!

@AllisonFromm Thank’s for caring!

Thank you for your thoughts, questions and suggestions!

First, let me clarify that bigger pools do not have an advantage regarding “validating blocks”: Your chances in the lottery are always proportional to your stake, no matter how high or low your stake is.

1/k is also not a hard limit. Pools can grow larger than that, and they will be able to generate more blocks accordingly. There are no hard limits anywhere in the reward system. You can run a small pool with 100K ada stake just fine, and you will be elected to produce a block as often as you were in the ITN. You can also run a pool with insanely high stake. All the reward system does is gently steer delegators away from very small or very large pools, but that has nothing whatsoever to do with a pool’s chances of producing blocks.

It is true that bools with a higher pledge will get more rewards than pools with lower pledge if all other parameters are equal, but cost, margin and performance play an important role as well. As you noted yourself, this is necessary in order to prevent Sybil attacks.

Your specific suggestion of limiting delegation in terms of pledge is interesting, but I can immediately see at least one big flaw with it: Pool costs are (roughly) independent of pools size, because costs for hardware, server time etc. are. That means that costs is relatively higher for small pools, so relatice rewards will be higher for large pools: If a pool has a yearly cost of $3000 and if we have a small and a large pool, where the small one gets $5000 rewards and the large one gets $50000, Then costs eat up more than 50% of the small pool’s rewards, but less than 5% of the large pool’s rewards. So with your scheme, you would again make pools with lower pledge less attractive to delegators - exactly what you set out to avoid.

This whole topic is really complicated, and ideas that look good at first glance turn out to be flawed after careful analysis. We arrived at our formula, one for which we can mathematically prove that it has the desired properties, after much trial and error, and it was certainly a long process.

This is not to say that there are no improvements to be made. Especially your idea to use some sort of “reputation score” to (partially) replace the importance of pledge is an interesting one. It is certainly possible that we will adopt such a scheme in future, once we have solid theoretical foundations to base it on.

Thank you again for your thoughtful comments. We care very much about our Community’s opinions and contributions and will always be happy to change if better alternatives are suggested.

Thank you for answering!

First, let me clarify that bigger pools do not have an advantage regarding “validating blocks”: Your chances in the lottery are always proportional to your stake, >no matter how high or low your stake is.

Thank’s a lot for clarifying that, I indeed thought that that in your proposal, the formula determined both the rewards, and probability to validate blocks. (Although I’m not sure that I would make the same choice)

1/k is also not a hard limit. Pools can grow larger than that,

Yes I do understand that, as I think I mentioned above.

It is true that bools with a higher pledge will get more rewards than pools with lower pledge if all other parameters are equal, but cost, margin and performance play an important role as well. As you noted yourself, this is necessary in order to prevent Sybil attacks.

Just to make sure we understand ourselves, I noted that higher pledge ratio ( s/σ ) was necessary in order to prevent Sybil attacks, not absolute value. Do you agree on that?

Your specific suggestion of limiting delegation in terms of pledge is interesting, but I can immediately see at least one big flaw with it: Pool costs are (roughly) independent of pools size, because costs for hardware, server time etc. are. That means that costs is relatively higher for small pools, so relatice rewards will be higher for large pools: If a pool has a yearly cost of $3000 and if we have a small and a large pool, where the small one gets $5000 rewards and the large one gets $50000, Then costs eat up more than 50% of the small pool’s rewards, but less than 5% of the large pool’s rewards. So with your scheme, you would again make pools with lower pledge less attractive to delegators - exactly what you set out to avoid.

Yes I do agree with you, as I’ve mentioned above in the topic “There are incentives to have a larger pool whenever possible in my proposal: similar operating costs and marketing costs, but way higher returns.”. Whatever the reward scheme is, small pools have similar operating costs, for smaller amounts of rewards. This is unavoidable and to some extent normal. But I don’t see at all how this is a flaw of my proposal, or how this is relative to my proposal at all, and even less how this justifies to further disadvantage small pools in the official scheme. Note that if the price of ADA increases, in my scheme it will make some pools profitable even if they where previously too small to be profitable. If we find ways to operate pools at cheaper prices as well. In the proposed scheme it is made artificially hard for more than k pools to be profitable AND to attract delegates.

Note that the motivations of a small pool may not only be short term profitability. Some will want to start small and grow progressively, some might want to take a position foreseeing ADA price increases, and some might simply want to participate in securing the network, not trusting it if they don’t participate to it directly.

This whole topic is really complicated, and ideas that look good at first glance turn out to be flawed after careful analysis.

I do agree with that. But we can discuss it in details and deepen things, and paying attention the flaws we did not see at first. That’s what I’m proposing you here. And I’m showing you important flaws I think I see in your scheme, and propose you to think about that and answer that. And I also invite you to show flaws relative to the scheme I propose.

and it was certainly a long process.

I do understand, and I do understand that after such a large amount of work, it can be hard to reconsider, although It might be best to do, at least to think about it.

we can mathematically prove that it has the desired properties, after much trial and error, and it was certainly a long process.

It has the properties that you saw as the desired properties at that time, but it might not have all the desired properties that we did not necessarily think about yet. For example the cartel problem I showed above could not be analyzed with game theory and Nash equilibrium (on the contrary), and yet is obviously a very big problem.

Overall I feel that you did not yet answer my questions for now, especially it could be usefull for everyone to have an answer point by point to the flaws I saw in your scheme ( Cartel attack, partial protection against Sybill Attacks, unnecessary unfairness and complicated), and to show me any flaw really specific to the reward scheme I propose.

So we can deepen things if you wish. (Or, because I don’t want to be a burden leading an endless discussion, if you wish I can also leave you alone, and leave the community, while benevolently alerting you that from my point of view, I don’t see how keeping this rewards scheme will not lead to severe problems in the future.)