Thanks for your detailed response.
Winner-takes-all: initially we assume that the linear so, for example, 10 random linear slots a VDF miner with a 50% (2x) advantage can outrun half of the slots or miners. So we have exponential slots. For example, with a 3x exponential, first slots mines 100ms, 2dn slot 300ms, 3rd slot 900ms, etc. in this example we can avoid winner-takes all for miners with hardware or optimization up to a 66% better than other miners.
So you mean if the miner mines too fast, his difficulty will increase quadratically or even exponentially? This seems to be a more harsh and fine-grained difficulty adjustment. The final objective is that, the mining speed of each account is equal, am I right?
Sybil Attacks : 1st attack. Given the fact that the pseudo-randomization of VDF steps is based on the stake it has on the account, is design to distribute rewards fairly with a low error, lets say ±2%. Then is always less expensive to consolidate the stake into one single account than splitting into many and do many VDF minings. If we account the extra electricity for extra VDF threads, we can say that it is superlinear because always
Do you have the concrete function between difficulty and {stake, mining speed}? You are right on the objective of making splitting coins into multiple accounts no more profitable than using a single account.
My point is that, given any stake-difficulty function, there exists a strategy of allocating stakes into multiple accounts such that the adversary can get more reward than using a single account.
Now the mining difficulty is related to two parameters, stake and mining speed.
The difficulty adjustment towards the mining speed delays at least for one block.
What the adversary can do is to: 1) have a powerful hardware, 2) have some stake on account A, 3) mine in the name of account A, 4) difficulty of account A rises, 5) transfer stake to another account B, 6) mine in the name of account B, …
Nothing-at-stake : 2dn Attack. The VRF seed that is used in combination with your private key and your stake to generate the pseudo-random slot is only based on the previous block hash that you don’t control. Then you can’t control the current seed and you can’t control the future seed because the VDF proof output (nonce on PoW) is also deterministic so you cannot run multiple VDF on the same block with the same stake and account. If you want to move the stake into a new account, even if you choose a specific account address, a specific stake you move, you include the Tx on the current block and know you can win because you have a big stake, the VDF proof you cannot control it and then you cannot control the next block hash depending on the VDF proof/nonce. If there is any doubt on miners moving stake around before mining, I don’t think it is needed, but we can include a lock mechanism so staked coins cannot be moved around for N blocks before they can be staked (like BFT blockchains have). So, is positive in our design, only one keypair/account can mine a single block because we use their stake also as input. I mean, the only way to be the proposer is to mine VDF in parallel on each account with positive stake, try to mine on account with zero stake and then moving stake will invalidate all the VDF mining done. Even if the attack a super computer (quantum?) and can cover a significant fraction of the VDFs mining for other possible accounts or futures, he cannot predict who is going to win because he doesn’t has the private keys of the competitors, and if he tries to affect the future by moving his stake then he will be changing his future outcomes.
I agree with that it’s hard to control the VDF output. What I mean is that, the merkle root is partly controllable. The memory pool is very big. The adversary can choose different sets of transactions to mine on, leading to different merkle root hashes. Then, he can enumerate lots of legal VDF inputs, and mine on these VDF instances concurrently.