Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: Peter Todd on April 14, 2013, 11:12:09 PM



Title: Funding network security in the future
Post by: Peter Todd on April 14, 2013, 11:12:09 PM
Mike locked his original thread (https://bitcointalk.org/index.php?topic=157141.0) unfortunately, so I thought it would be good to continue the discussion about assurance contracts here. Specifically, how to make them work, as well as other possible mechanisms. Regardless of what happens with the blocksize it's important in the long term: without the block limit we can expect transaction fees to fall to the marginal costs of a transaction, which means the fees aren't paying for any security at all. On the other hand, with a small blocksize limit, as I've been arguing for, you still run the risk that off-chain transaction systems get 'too good' and so few transactions actually happen on-chain that security still isn't being paid for. Mitigating both issues is the fact that we've got until about 2033 until the inflation subsidy decreases to even 1% - if keeping Bitcoin secure costs a few % of the value of the Bitcoin market cap every year in the long run, maybe Bitcoin is just too expensive?

Quote
An assurance contract, also known as a provision point mechanism, is a game theoretic mechanism and a financial technology that facilitates the voluntary creation of public goods and club goods in the face of the free rider problem.[3]

The free rider problem is that there may be actions that would benefit a large group of people, but once the action is taken, there is no way to exclude those who did not pay for the action from the benefits. In Bitcoin the problem is that mining is costly and benefits everyone who owns Bitcoins and/or performs transactions. A mining assurance contract needs to be constructed in such a way that participants agree that if some large amount of funds are committed, those funds will go to mining in some way, with the amount set to be large enough that a sufficiently high percentage of the economic activity of Bitcoin must have participated to avoid the free rider problem.

Bitcoin already supports assurance contracts as a transaction type[4] - for a mining assurance contract the transaction output would be set to either an anyone can spend output, or an address owned by a specific miner. However as-is they have a serious problem: a miner can always collect the funds pledged to date by simply adding a sufficient amount of their own funds to the outstanding contract, and mining that transaction themselves, thus turning the contract into a simple donation.[5] (modulo the small chance of the block being orphaned; if the chance is large, the assurance contract is not encouraging orderly mining) The problem can be mitigated somewhat by forcing donators to reveal their identity in a provable way, but then high participation is difficult to achieve.

With nLockTime a transaction can be created where the miner who will actually collect it is unknown in advance. As the deadline approaches, if the contract is not fully funded, participants double-spend their pledged transaction outputs to invalidate the contract. However this mechanism has the problem that anyone can make the contract fail, even if it is fully funded. That problem can be solved if Bitcoin's scripting language is extended to allow for transaction outputs that can only be spent by transactions following certain forms - the outputs would be locked to the contract until some time after the contract expires.
Funding network security (https://en.bitcoin.it/w/index.php?title=Funding_network_security&oldid=37005)

I wrote the above in the Wiki, and I think with the nLockTime + transaction templates fixes it's a workable approach that truly acts as a proper assurance contract, so technically speaking I think the idea works. Economically and socially? I'm not really sure - at that point implementing proof-of-stake or even just signatures on blocks by trusted third parties might happen instead. It's hard to know, but what's important is the option is there.

I also really like Gregory Maxwell's Transaction checkpoints:

Quote
Each transaction (or signature?) should contain a block index and 32 (?) least significant bits of the block hash. The transaction's fees are only valid (or only their full value?) if they are mined in a chain they agree with. This would let people making bitcoin transactions 'vote with their wallets' on the identity of the chain they consider important. This isn't a viable POW replacement, but would greatly reduce the economic benefit of mining moderate depth forks, esp as fees begin to dominate the block reward. "You don't get (all) of my fee payment if you are mining a chain I don't like!"

  • Nodes would typically checkpoint a few blocks in the past from their current height to avoid overstating their opinion unnecessarily.
  • Deep checkpoints could be automatically triggered by observing a critical mass of coins-day-destroyed confirming them— creating a PoS-ish system, though this is subject to the 'nothing at stake' problem of PoS, and is probably very dangerous. (e.g. isolation risk for newly bootstrapping nodes)
User:Gmaxwell/alt ideas (https://en.bitcoin.it/w/index.php?title=User:Gmaxwell/alt_ideas&oldid=36962)

Essentially they're acting as a really fine-grained way of saying which version of Bitcoin history you support, and thus which version of Bitcoin history your transaction fees can go to. If the blockchain is re-orged deeply enough that the version of history now does not agree with what you agreed with, the miner who did that doesn't get your fees at all. He proposed it in the context of my Discourage fee sniping with nLockTime (https://github.com/bitcoin/bitcoin/pull/2340) pull-request, it's essentially a much, much stronger version of it, albeit one that requires a hard-fork.

What's interesting is you can combine transaction checkpoints and assurance contracts to create a contract that miners can only collect if they follow the wishes of the people funding the contract. The way it would work is you would first commit some funds to a transaction that can only be spent by an assurance contract for some amount of time. Next you find a contract you agree with, including what transaction checkpoint the contract will have, and quickly (within 2-6 blocks) add your inputs to the contract transaction. If enough people commit, it goes through. If not, you can find another contract, or wait until your locked transaction output expires and send the money back to your wallet.

Now if the chain gets re-orged, the rules are that the new block can't collect the fees from the checkpointed transactions. Gregory Maxwell suggested adding those fees to a pool given to all miners over time, but I think perhaps simpler, and easier to construct short proofs of, would be to just add a new rule that turns those fees into a transaction output that can be spent subject to some conditions. This could be done directly as a scriptPubKey/txout:

Code:
<32-bit partial block hash> IS_HASH_IN_CHAIN? IF <tx out goes to fees> ELSE <pubkey> OP_CHECKSIG ENDIF

The overhead here might be too much given a limited blocksize, and again I'm not sure that socially or economically the idea works, but technically speaking I think it's feasible. Thoughts? I'll add the transaction checkpoints stuff, with and without assurance contracts, to the Funding Network Security wiki page as yet another future possibility if the idea withstands scrutiny.
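
Added example, not part of the original post and not Bitcoin consensus code: a toy model of the checkpoint rule quoted above and of the `IS_HASH_IN_CHAIN?` branch in the script, showing which fees a miner can collect on the honest chain versus on a chain that reorgs past the checkpoints. The names (`Tx`, `checkpoint_agrees`, `settle_fees`), the simplified block hashing, and reading "least significant bits" as the low 32 bits of the big-endian hash are assumptions.

```python
import hashlib
from dataclasses import dataclass

GENESIS_PREV = b"\x00" * 32


def block_hash(prev_hash: bytes, payload: bytes) -> bytes:
    """Toy block hash: double SHA-256 over previous hash plus payload."""
    return hashlib.sha256(hashlib.sha256(prev_hash + payload).digest()).digest()


def build_chain(payloads, base=()):
    """Return a list of block hashes (index = height) extending `base`."""
    chain = list(base)
    prev = chain[-1] if chain else GENESIS_PREV
    for payload in payloads:
        prev = block_hash(prev, payload)
        chain.append(prev)
    return chain


def low32(h: bytes) -> int:
    """Assumed encoding of the 32-bit partial block hash."""
    return int.from_bytes(h, "big") & 0xFFFFFFFF


@dataclass(frozen=True)
class Tx:
    txid: str
    fee: int          # satoshis offered as fee
    cp_height: int    # block index the transaction commits to
    cp_bits: int      # low 32 bits of that block's hash
    refund_key: str   # stands in for <pubkey> in the ELSE branch


def make_tx(txid, fee, chain, depth, refund_key):
    """Wallet side: checkpoint `depth` blocks behind the current tip."""
    height = len(chain) - 1 - depth
    return Tx(txid, fee, height, low32(chain[height]), refund_key)


def checkpoint_agrees(tx: Tx, chain) -> bool:
    """What the hypothetical IS_HASH_IN_CHAIN? check would evaluate.
    A 32-bit match can collide by chance (about 2**-32 per candidate block)."""
    return tx.cp_height < len(chain) and low32(chain[tx.cp_height]) == tx.cp_bits


def settle_fees(txs, chain):
    """Return (fees the miner of the next block on `chain` may collect,
    {refund_key: amount} for fees that stay spendable by the payer)."""
    miner_total, withheld = 0, {}
    for tx in txs:
        if checkpoint_agrees(tx, chain):
            miner_total += tx.fee
        else:
            withheld[tx.refund_key] = withheld.get(tx.refund_key, 0) + tx.fee
    return miner_total, withheld


def demo():
    # Constructed sample data: an honest chain with heights 0..9.
    honest = build_chain([b"honest-%d" % i for i in range(10)])
    txs = [
        make_tx("a", 50_000, honest, depth=3, refund_key="alice"),  # height 6
        make_tx("b", 20_000, honest, depth=3, refund_key="bob"),    # height 6
        make_tx("c", 10_000, honest, depth=6, refund_key="carol"),  # height 3
    ]
    # Competing chain: shares heights 0..4, replaces 5..9 and adds height 10.
    reorg = build_chain([b"reorg-%d" % i for i in range(6)], base=honest[:5])
    return settle_fees(txs, honest), settle_fees(txs, reorg)


if __name__ == "__main__":
    on_honest, on_reorg = demo()
    print("honest chain:", on_honest)
    print("reorg chain: ", on_reorg)
```

The transaction checkpointed below the fork point still pays the reorging miner, which is the trade-off behind checkpointing only a few blocks back: a deeper checkpoint tolerates more reorgs, a shallower one penalizes more of them.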


Title: Re: Funding network security in the future
Post by: Peter Todd on April 14, 2013, 11:25:35 PM
Also, if someone wants to add a section to the wiki on non-proof-of-work forms of security that side-step the funding issue, proof-of-stake and trusted checkpoints for instance, that'd be good too. Strictly speaking, the result wouldn't be "Bitcoin" anymore, but at the same time, Bitcoin is a consensus and the economic majority can choose to change what Bitcoin is. You can start with what Gavin wrote on Neutralizing a 51% attack (http://gavintech.blogspot.ca/2012/05/neutralizing-51-attack.html). It'd be particularly good to think through how to make these alternate mechanisms work with SPV clients, yet remain low-overhead. With 1MB blocks it's feasible, if expensive and inconvenient, to switch everyone over to full clients, but with larger blocksizes that's no longer an option so solutions must still provide SPV clients security.

Remember that having alternatives can act as a strong disincentive to any attacker, simply because they'll know that all their hard work attacking Bitcoin will go to waste. Just creating some toy implementations of alternatives as alt-chains to explore the trade-offs is valuable even if you don't ever expect them to be added to Bitcoin itself.


Title: Re: Funding network security in the future
Post by: go1111111 on October 28, 2014, 12:41:40 AM
The original thread (https://bitcointalk.org/index.php?topic=157141.0) is very interesting (most relevant content is on pages 1, 10, and 11), but is now extremely old.

Have there been any new ideas (since April 2013) about ways to make sure Bitcoin's security is adequately funded after block rewards decrease?

There was a particularly surprising quote from Gavin in the original thread, which Greg pointed out didn't seem justified by anything in the thread:

Quote
"I'm 100% convinced that if users of the network want secure transactions they will find a way to pay for them, whether that is assurance contracts or becoming miners themselves."

I'm curious if Gavin still feels that way.

Btw, the main disagreement of the original thread was: Mike Hearn argued that miners adding funds to assurance contracts that they'd later claim would still subsidize the network to the same extent as if all funds were contributed by non-miners. Greg Maxwell, Peter Todd, and TierNolan argued otherwise.

I think this is the clearest argument for why Peter/Greg/TierNolan are right: You can think of network security as being driven by the amount of money that is "up for grabs" for miners to claim by solving blocks and including transactions. Only money coming from outside of the miners themselves creates an incentive for miners to increase their hashing, by adding to the pot of potential profits that will be competed away with increased hashing.




Title: Re: Funding network security in the future
Post by: TierNolan on October 28, 2014, 01:01:43 PM
Quote from: go1111111
You can think of network security as being driven by the amount of money that is "up for grabs" for miners to claim by solving blocks and including transactions. Only money coming from outside of the miners themselves creates an incentive for miners to increase their hashing, by adding to the pot of potential profits that will be competed away with increased hashing.

Exactly.  If all miners have to add 40BTC to a 50BTC assurance transaction,  then the reward per block is really only 10BTC.

The amount of hashing per block would converge on 10BTC worth of hashing per block.  The assurance contract was supposed to push it to 50BTC per block (or more).

Having said that, what traders really want is hashing built on top of their own transaction(s).  If you have a 500BTC transaction, then 6 confirms isn't really enough.  Assuming 25BTC per block, you need at least 20 blocks before the value of the transaction matches the value of the hashing.  It would be recommended to have much more than that (perhaps 10X) so that you can be sure your transaction is "locked-in".

The ideal would be a fee system that allows you to pay a certain amount per block and the rest is available for the next block.  The 500BTC guy wants to be able to pay fees for the next 200 ish blocks.

That is not critical though, since those transactions would be rare.  Most traders will want to be able to pay fees for the next 6 blocks, so that their transactions will be complete.


Title: Re: Funding network security in the future
Post by: Gavin Andresen on October 28, 2014, 02:39:00 PM
Quote from: go1111111
There was a particularly surprising quote from Gavin in the original thread, which Greg pointed out didn't seem justified by anything in the thread:

Quote
"I'm 100% convinced that if users of the network want secure transactions they will find a way to pay for them, whether that is assurance contracts or becoming miners themselves."

I'm curious if Gavin still feels that way.

I still feel that way.

I believe that if people want a secure network, they will figure out a way of getting it. My justification is the same as my belief that if people want clean, cheap, safe drinking water they will figure out a way of getting it.

I don't claim to know how, and it is very possible the how will offend the sensibilities of either (or both) of the "PRIVACY AT ANY COST!!!!" or "DECENTRALIZATION AT ANY COST!!!!" factions. Just like government regulations and institutions around clean water offend the "INDIVIDUAL LIBERTY AT ANY COST!!!!" faction.

I can imagine a lot of possible futures, from big merchants and exchanges investing in mining to save themselves on transaction fees and ensure that their transactions are confirmed securely, to assurance contracts, to a cartel of miners regulated and funded and licensed as a global public utility.

I hope that last one doesn't happen...


Title: Re: Funding network security in the future
Post by: instagibbs on October 28, 2014, 03:07:47 PM
Perhaps not a wholly satisfying solution as it breaks "rational" economic theory, but I still think it's quite possible that network security will be funded by altruism and/or -EV games.

I think there's a good chance miners are already mining at a loss as a whole. 

If X million people ran cheap USB ASIC sticks, solo (or close to) mining, at a loss, this would not only "fund" the network but make re-orgs vastly unprofitable outside of large fee sniping.





Title: Re: Funding network security in the future
Post by: amaclin on October 28, 2014, 03:07:57 PM
Quote
My justification is the same as my belief that if people want clean, cheap, safe drinking water they will figure out a way of getting it.

It is impossible.
Decentralized systems take more energy than centralized (per transaction)
Nobody will want to pay more in decentralized bitcoin than in centralized fiat/government system.

OK, you have a cup of dirty water.
You can use 2 methods to clean it.
First method costs you 10000 kWh energy and gives you 99.99% clear water.
Second method costs you only 1 kWh and gives you 99.00% (safe for drinking)
Which method is preferable?
 


Title: Re: Funding network security in the future
Post by: Gavin Andresen on October 28, 2014, 03:15:43 PM
Quote from: amaclin
First method costs you 10000 kWh energy and gives you 99.99% clear water.
Second method costs you only 1 kWh and gives you 99.00% (safe for drinking)
Which method is preferable?

That is easy, the first. But that is a straw-man argument.

If the decision is:  costs 1.001 kWh and gives 99.99, versus 1kWh and gives 99%, I might decide the extra purity is worth it.

The "centralized is more efficient" might be theoretically true, but in practice the difference might be so slight it doesn't matter.

Theoretically, it would be more efficient if all of our computing happened in huge data centers located near cheap hydroelectric power.

Practically, though, only some of our computing happens that way (e.g. searching terabytes of data), because it is more convenient for us to carry around powerful little computers and we value that convenience.


Title: Re: Funding network security in the future
Post by: instagibbs on October 28, 2014, 03:22:02 PM
Quote from: Gavin Andresen
The "centralized is more efficient" might be theoretically true, but in practice the difference might be so slight it doesn't matter.


Or slight enough that enough people who care about censorship resistant networks will patronize the system enough to keep it secure.

Lots of unknowns at this point. Like Peter said, there is quite a lot of time before this becomes a real concern. If it becomes a concern earlier, it means absolutely no one cares about the project and it's dead.


Title: Re: Funding network security in the future
Post by: amaclin on October 28, 2014, 03:30:41 PM
Quote
The "centralized is more efficient" might be theoretically true, but in practice the difference might be so slight it doesn't matter.

This is petra scandali and it does matter.
In decentralized systems every node has to check everything, so the cost for checking is O ( nodes * txs )

Quote
Theoretically, it would be more efficient if all of our computing happened in huge data centers located near cheap hydroelectric power.
Why do we need bitcoin decentralization in such case? Let us put Visa/MC/Feds near the nuclear plant to reduce our expenses :)

Quote
Like Peter said, there is quite a lot of time before this becomes a real concern
Not so much as everyone here thinks. Months... Maybe weeks.


Title: Re: Funding network security in the future
Post by: Gavin Andresen on October 28, 2014, 03:53:19 PM
Quote from: amaclin
This is petra scandali and it does matter.
In decentralized systems every node has to check everything, so the cost for checking is O ( nodes * txs )

You seem to have a very narrow definition of "decentralized system."

In the future I imagine nodes might probabilistically check a random subset of transactions, and broadcast "this transaction is fraudulent" if they find anything wrong.  If you imagine a million nodes, each fully validating one-in-ten-thousand transactions then you get each transaction validated on average 100 times.

That's not so different from your 'treechains' idea (just simpler and easier to reason about, in my humble opinion).

If you think that hardware costs are going to dominate decentralized-versus-centralized payment network costs, then I think you're wrong. Hardware is cheap, people are expensive.

But all of this is really arguing angels-dancing-on-the-heads-of-pins; we've got years before we have to worry about how to fund network security, and a whole lot of things to work on before then.
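
The sampling figures in the post above, worked through as an added example that is not part of any post in this thread: closed-form numbers for nodes that each fully validate a random one-in-k subset of transactions, plus a scaled-down simulation of the same scheme. Function names and the simulation parameters are assumptions; it models independent random sampling only and says nothing about how fraud reports would propagate.

```python
import math
import random


def sampling_stats(nodes: int, one_in: int, txs: int) -> dict:
    """Figures for `nodes` nodes, each fully validating every transaction
    independently with probability 1/one_in."""
    p = 1 / one_in
    return {
        # average number of nodes that validate any given transaction
        "checks_per_tx": nodes / one_in,
        # validations performed by one node
        "per_node_work": txs / one_in,
        # validations performed by the whole network
        "network_work": txs * nodes / one_in,
        # the same network if every node validated everything
        "full_validation_work": txs * nodes,
        # chance a given transaction is validated by no node: (1 - p) ** nodes,
        # computed through log1p to stay accurate for tiny p
        "p_tx_unchecked": math.exp(nodes * math.log1p(-p)),
    }


def simulate(nodes: int, one_in: int, txs: int, seed: int = 1) -> list:
    """Monte Carlo run: returns how many nodes validated each transaction."""
    rng = random.Random(seed)
    p = 1 / one_in
    counts = [0] * txs
    for _ in range(nodes):
        for t in range(txs):
            if rng.random() < p:
                counts[t] += 1
    return counts


def demo():
    # A million nodes, each validating one transaction in ten thousand.
    base = sampling_stats(1_000_000, 10_000, txs=1_000)
    # Ten times the nodes with the sampling rate scaled down to match:
    # redundancy and network-wide work are unchanged.
    scaled = sampling_stats(10_000_000, 100_000, txs=1_000)
    # Scaled-down simulation with the same average of 100 checks per tx.
    counts = simulate(nodes=2_000, one_in=20, txs=500)
    return base, scaled, counts


if __name__ == "__main__":
    base, scaled, counts = demo()
    print("checks per tx:       ", base["checks_per_tx"])
    print("network work:        ", base["network_work"])
    print("full-validation work:", base["full_validation_work"])
    print("P(tx never checked): ", base["p_tx_unchecked"])
    print("10x nodes, same work:", scaled["network_work"])
    print("simulated mean/min:  ", sum(counts) / len(counts), min(counts))
```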


Title: Re: Funding network security in the future
Post by: amaclin on October 28, 2014, 04:07:19 PM
Quote from: amaclin
This is petra scandali and it does matter.
In decentralized systems every node has to check everything, so the cost for checking is O ( nodes * txs )

Quote from: Gavin Andresen
You seem to have a very narrow definition of "decentralized system."

In the future I imagine nodes might probabilistically check a random subset of transactions, and broadcast "this transaction is fraudulent" if they find anything wrong.  If you imagine a million nodes, each fully validating one-in-ten-thousand transactions then you get each transaction validated on average 100 times.

Aaaaaaaand... The total work is O ( nodes * txs )
What are you arguing for?
Bitcoin system natively goes to centralization. Miners do not verify transactions at all.
And at the current time we have a dozen mining pools operated by a dozen people.
And a lot of obsolete mining hardware which costs nothing ready to switch on for *any* person who will pay $10.

There is no security in bitcoin now just because there will be no security tomorrow.


Title: Re: Funding network security in the future
Post by: btchris on October 28, 2014, 07:42:48 PM
Quote from: Gavin Andresen
In the future I imagine nodes might probabilistically check a random subset of transactions, and broadcast "this transaction is fraudulent" if they find anything wrong.  If you imagine a million nodes, each fully validating one-in-ten-thousand transactions then you get each transaction validated on average 100 times.

Quote from: amaclin
Aaaaaaaand... The total work is O ( nodes * txs )

If the number of transactions validated per node is inversely proportional to the number of nodes (even if it's a manually configured constant), we're at O ( txs ).


Title: Re: Funding network security in the future
Post by: amaclin on October 28, 2014, 08:13:12 PM
Quote from: Gavin Andresen
In the future I imagine nodes might probabilistically check a random subset of transactions, and broadcast "this transaction is fraudulent" if they find anything wrong.  If you imagine a million nodes, each fully validating one-in-ten-thousand transactions then you get each transaction validated on average 100 times.

Quote from: amaclin
Aaaaaaaand... The total work is O ( nodes * txs )

Quote from: btchris
If the number of transactions validated per node is inversely proportional to the number of nodes (even if it's a manually configured constant), we're at O ( txs ).

.....aaaaaaaaand total work for all nodes is O ( nodes * txs )

So, the community has to pay all expenses. And the simplest way is reducing number of nodes... Down to one. And this is centralized system.


Title: Re: Funding network security in the future
Post by: Cubic Earth on October 29, 2014, 03:05:02 AM
Quote from: Gavin Andresen
In the future I imagine nodes might probabilistically check a random subset of transactions, and broadcast "this transaction is fraudulent" if they find anything wrong.  If you imagine a million nodes, each fully validating one-in-ten-thousand transactions then you get each transaction validated on average 100 times.

I think this analysis is exactly correct.  I foresee a consortium of miners and mining pools forming their own backbone network.  Transactions will, in general, be submitted directly to the miner backbone network.  The global mining collective will publish a transaction fee schedule, and will offer a service to guarantee unconfirmed transactions.  Since the collective will consist of almost all the hash power, they will have the ability to reject any block issued by a ‘rogue’ miner, and therefore could actively enforce their guarantee against an unconfirmed transaction being double spent.

The P2P network of full nodes will still have a role to play, but it will primarily be in auditing the miners.  Miners have an economic interest in maintaining an audit-able network, since openness itself is a primary feature of bitcoin.  As Gavin suggested, nodes could cooperate in auditing the blockchain.

amaclin - the P2P node network could configure itself as a giant parallel processor, with each node auditing just a tiny fraction of the blockchain.  I am just restating what was already said.  The resulting work load of auditing the blockchain would be: TOTAL WORK = (TXS * NODES)/(NODES * “AUDIT REDUNDANCY”).  Audit Redundancy would be how many times a particular transaction would be checked.  It could be once, it could be 10,000 times.  As you can see, the number of nodes cancels out.  You are correct if you are assuming decentralized and 100% trustlessness, but trustlessness is inherently resource intensive, in computing, and in life in general.  Cooperating with others is a great way to cut down on resource usage.

Another audit function of a full node network that would make use of the P2P architecture would be as an alternate channel through which to submit transactions to the mining backbone network.  This functionality would be important.  Suppose the mining network was excluding a particular transaction from their blocks, even though it was valid.  A user could submit a copy of the transaction to the P2P network, in essence publicly shaming the miners, and alerting other users to the problem.

A third audit function of the P2P node network would be as a channel for a wrongly excluded miner to submit a valid block.  A bedrock principle we should expect the mining backbone to adhere to would be to be welcoming and inclusive of any hashpower.  The P2P network could be configured to accept and verify any allegations that the mining backbone was engaging in exclusive activity.


Title: Re: Funding network security in the future
Post by: gmaxwell on October 29, 2014, 05:42:47 AM
Quote from: Cubic Earth
the P2P node network could configure itself as a giant parallel processor,
This cannot be done with the design of Bitcoin today.  I've previously (incompletely) sketched out (https://en.bitcoin.it/wiki/User:Gmaxwell/features#Proofs) what would be required, but we're a fair ways away from that. And so far there has been virtually no interest in moving things in a direction to support things like that inside Bitcoin.

With the rest of your post you seem to be describing a closed cartel system for mining--  if we have that, why not dispense with the mining, trust it to keep the ledger... (and call it paypal?). Centralized systems are much more efficient and easier to make reliable. I think Bitcoin's (unique) value derives almost exclusively from not being centralized.




Title: Re: Funding network security in the future
Post by: TierNolan on October 29, 2014, 12:26:29 PM
Quote from: Cubic Earth
The P2P network of full nodes will still have a role to play, but it will primarily be in auditing the miners.  Miners have an economic interest in maintaining an audit-able network, since openness itself is a primary feature of bitcoin.  As Gavin suggested, nodes could cooperate in auditing the blockchain.

In that case, the miners' cartel back-bone would have an incentive to delay publishing full blocks for auditing.

Quote
A third audit function of the P2P node network would be as a channel for a wrongly excluded miner to submit a valid block.  A bedrock principle we should expect the mining backbone to adhere to would be to be welcoming and inclusive of any hashpower.  The P2P network could be configured to accept and verify any allegations that the mining backbone was engaging in exclusive activity.

How would merchants and users respond if a block was excluded?  In theory, they could blacklist one of the backbone's blocks, but that seems excessive.  Cancelling tx fees would be possible, but would likely just encourage fees to be moved off-chain.


Title: Re: Funding network security in the future
Post by: instagibbs on October 29, 2014, 01:01:47 PM
Quote from: amaclin
So, the community has to pay all expenses. And the simplest way is reducing number of nodes... Down to one. And this is centralized system.

All or nothing false dichotomies are boring.


Title: Re: Funding network security in the future
Post by: DumbFruit on October 29, 2014, 07:07:19 PM
There seems to be a misunderstanding that addressing the maximum block-size problem will also address the problem of centralization.

Network Costs
P = N * C * T_1

Node Costs
P = C * T_2

P is the total price for transactions. A fee would be P divided by the size of transactions.
N is the number of nodes.
C is cost of accepting a transaction over time.
T is the time between blocks. (The time is different for the network as a whole versus a node.)

As you can clearly see the problem is actually not that a node doesn't bear the cost of the rest of the network, the problem is that the cost of running a node is higher the longer it takes to find a block, but the fee for a transaction is the average between all blocks. The problem is actually the inverse of what I thought when I started writing this post. The network doesn't tolerate the cost of the node, not the other way around.

In other words; The longer a node takes to get a block the higher his fee needs to be to cover his costs, but users will only pay the fee that the network average seeks in order to run. Because people like to pay less in fees, the price will trend toward the entities that collect blocks more often (And those same entities tend to have lower overhead per transaction.)

I would expect that once inflation stops, transaction fees will not be enough for the vast majority of nodes to stay in operation and even hash power in general could atrophy. The atrophy of hash power could occur because the network as a whole functions fine regardless of the difficulty, so hashing will only be high enough to sufficiently keep competitors away, which is less necessary as the blockchain grows in size. It might also occur because transaction fees must stay low enough to remain competitive in the broader currency market.

So the blocksize limit is necessary to keep the barrier to entry low, but ultimately the driver of centralization is actually the lower overhead of larger, rather than distributed, nodes. Crucially; Their overhead is lower per transaction precisely because they get blocks faster.

A "floor" to centralization is when users decide to start using other currencies due to the perceived threat to security. Since 67% of hashing power is currently controlled by 3 entities, it appears that this floor is very low.

The reason Bitcoin has been able to achieve as much decentralization as it has now is low interest, fairly low market value, and low barrier to entry.

Am I missing something? This post really surprised me as I was writing it out so I expect I may have lost my mind somewhere along the way.

A good indication that this (centralization) is not a Tragedy of the Commons problem, is that the problem of appropriate fee pricing disappears if you can guarantee every node has the same hash-power, and the block-size remains low (Regardless of the number of nodes.). Though the block-size issue itself is a Tragedy of the Commons problem.


Title: Re: Funding network security in the future
Post by: gmaxwell on October 29, 2014, 08:52:01 PM
Quote from: DumbFruit
I would expect that once inflation stops, transaction fees will not be enough for the vast majority of nodes to stay in operation

Are you missing that the transaction load (and thus cost) is limited by the hard rules of the network, just as the supply of coins is... under the current rules there is no risk of nodes becoming too expensive to run. (I just ask because you used such absolute language in your message).


Title: Re: Funding network security in the future
Post by: DumbFruit on October 29, 2014, 09:04:02 PM
Hm. I'll think about this more before I answer, I don't want to waste anyone's time. I don't think that refutes what I'm saying though, basically because the point I'm making is that the higher hash-power nodes have lower-overhead per transaction due to the very fact that they are getting blocks faster. It's a kind of positive-feedback loop for the best miners.


Title: Re: Funding network security in the future
Post by: gmaxwell on October 29, 2014, 09:27:19 PM
Quote from: DumbFruit
Hm. I'll think about this more before I answer, I don't want to waste anyone's time. I don't think that refutes what I'm saying though, basically because the point I'm making is that the higher hash-power nodes have lower-overhead per transaction due to the very fact that they are getting blocks faster. It's a kind of positive-feedback loop for the best miners.

I agree with that argument in general, and I think many other people have made it in somewhat different forms as well...  But so long as the node operating cost is insignificant, I think it doesn't apply.


Title: Re: Funding network security in the future
Post by: DumbFruit on October 29, 2014, 10:39:28 PM
Quote from: gmaxwell
I agree with that argument in general, and I think many other people have made it in somewhat different forms as well...  But so long as the node operating cost is insignificant, I think it doesn't apply.

Well ok. I thought I had walked off the deep end because it certainly was not what I expected. Maybe the following walk-through example will illustrate to someone else as it did for me;

Quote from: example
30% vs 1%

$10 to maintain a node per block, and the blocks are paying $5,000 each. The network is running 100 petahashes per block and each petahash costs $20 per block to maintain. We're looking at a 100 block interval.

One would think that the 30% hashpower node would get 30% of the block reward, and that the 1% node would get 1% of the block rewards. Which is totally true. However, let's look this over more thoroughly.

If there are 100 blocks, the 30% node would spend $1,000 maintaining itself, and $60,000 maintaining its hashpower, and getting $150,000 in block rewards. So that makes a tidy $89,000 profit.

So wouldn't the 1% node get 1/30th of that or a $2,966.67 profit? Actually, no.

If we look at the 1% node, again we can see that it would get $5,000, but maintaining itself costs $1,000, the hashpower costs $2,000 with a net gain of $2,000. What happened to that $1000?

Looking at the costs spent per block found reveals the problem. The larger node spent $2033.33 per block it found (61,000/30), whereas the smaller node spent $3000 per block it found (3000/1).

That result happens because a node that's running a low hashpower is also running "idle" resources for a much longer period than larger hash-power nodes. Note that even if we assume that the smaller hashpower has 10x lower maintenance costs aside from hashpower it would still be running just barely less than what we'd expect. However, a much more realistic scenario would be the larger node running lower maintenance costs and lower hashpower costs.

So the point here is that centralized parties necessarily have lower costs per block over time than uncentralized parties even when their maintenance costs are exactly the same and even when the costs per hash are exactly the same. That's throwing about as much bone as I can at the little guy and even then he can't get ahead.

Do you think that the blocks can be kept small enough and enough people will choose to hash despite the disadvantage? I'm not asking sarcastically, I'm genuinely curious.

In other words... I totally agree that this wouldn't be a problem if running a node would be insignificant, but if that's required is it possible to keep that attribute while still having a useful currency?
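
The walk-through above as a small model, added here as an example and not part of the original post: it reproduces the $89,000 and $2,000 figures and extends them to any hash share, including the share below which the fixed node cost makes mining unprofitable. The function and parameter names are assumptions of this sketch.

```python
from fractions import Fraction

# Figures taken from the walk-through above.
BLOCK_REWARD = 5000   # $ paid per block
NODE_COST = 10        # $ per block interval to keep one node running
NETWORK_PH = 100      # petahashes on the whole network
COST_PER_PH = 20      # $ per petahash per block interval
INTERVAL = 100        # blocks in the period examined


def miner_economics(share, node_cost=NODE_COST, interval=INTERVAL):
    """Expected economics of a miner holding `share` of the network hashpower.

    `share` is a Fraction (e.g. Fraction(30, 100)) so results are exact.
    The node cost is fixed per miner; only the hashing cost scales with share.
    """
    share = Fraction(share)
    blocks_found = share * interval
    revenue = blocks_found * BLOCK_REWARD
    hash_cost = share * NETWORK_PH * COST_PER_PH * interval
    fixed_cost = Fraction(node_cost) * interval
    total_cost = hash_cost + fixed_cost
    return {
        "blocks_found": blocks_found,
        "profit": revenue - total_cost,
        "cost_per_block": total_cost / blocks_found,
    }


def break_even_share(node_cost=NODE_COST):
    """Hash share at which expected profit is exactly zero.

    Every block found earns BLOCK_REWARD minus the hashing spent to find it;
    that margin has to pay for the node, which costs the same at any share.
    """
    margin_per_block = BLOCK_REWARD - NETWORK_PH * COST_PER_PH
    return Fraction(node_cost, margin_per_block)


def shortfall_vs_proportional(small, large, node_cost=NODE_COST):
    """How far the small miner's profit falls below its pro-rata slice
    of the large miner's profit (the "missing" money in the walk-through)."""
    small, large = Fraction(small), Fraction(large)
    pro_rata = miner_economics(large, node_cost)["profit"] * small / large
    return pro_rata - miner_economics(small, node_cost)["profit"]


if __name__ == "__main__":
    for pct in (30, 10, 1):
        e = miner_economics(Fraction(pct, 100))
        print(f"{pct:>2}% share: profit ${float(e['profit']):,.2f}, "
              f"cost per block found ${float(e['cost_per_block']):,.2f}")
    print("break-even share:", break_even_share())
    print("1% vs 30% shortfall: $%.2f"
          % float(shortfall_vs_proportional(Fraction(1, 100), Fraction(30, 100))))
```

Setting `node_cost` close to zero makes the shortfall vanish, which is the case where the node operating cost is insignificant.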


Title: Re: Funding network security in the future
Post by: go1111111 on October 30, 2014, 12:22:51 AM
I believe that if people want a secure network, they will figure out a way of getting it. My justification is the same as my belief that if people want clean, cheap, safe drinking water they will figure out a way of getting it.

I agree that people will figure out a way of getting a secure, relatively decentralized cryptocurrency with low fees. I just worry that it won't use Bitcoin's blockchain.

Here are my non-expert estimates for how the problem will get solved, with rough guesses as to the chance of each:

30% -- Bitcoin sustained through charitable mining / donations: The same spirit that causes people to work on Wikipedia or open source software projects will cause lots of individuals to either mine or make donations to sustain mining. Libertarians and anarchists will donate for political reasons. Companies may donate for the same reason they donate to charity now (PR, boost employee morale, etc.). Bitcoin businesses especially will donate or mine to be seen as a responsible member of the community. Bitcoin users may prefer to deal with businesses who can prove they're doing their part to support the network. Governments may allocate some relatively small amount of funds to miners if it proves popular among citizens.

20% -- Creation of an inflationary Bitcoin2: Once inflation runs out for all practical purposes, someone creates Bitcoin2 based on the Bitcoin blockchain at the time, and makes one change: 1% annual inflation forever. (Or the lowest % that would result in a reasonable amount of security). People who use Bitcoin a lot decide they're tired of the entire network's security freeloading off of just their transaction fees, so the people doing the actual transactions start migrating to Bitcoin2. This drives up the Bitcoin2 price and drives down the Bitcoin price. Soon because of the 1% mining subsidy and increasing use, Bitcoin2 has better security and lower transaction fees than Bitcoin, causing almost everyone except the most hardcore anti-inflationists to switch to Bitcoin2.

15% -- It doesn't get solved, some other blockchain with better economics eventually replaces Bitcoin. People talk a lot about Bitcoin's infrastructure and network effect making this unlikely, but the infrastructure being built for Bitcoin right now could almost all be reused by Bitcoin's replacement.

10% -- Things will work roughly as-is: It will turn out that a relatively uncontroversial block size change combined with a large increase in Bitcoin usage and perhaps a few other uncontroversial technical changes will result in Bitcoin actually having enough security with low enough fees. Perhaps sidechains or some form of off-chain transactions handle the cases where people need extremely low fees.

5% -- Assurance contracts: I doubt it will be in the rational interests of most organizations to partake in these, because it only makes sense to participate if your individual participation will be decisive in whether the contract gets funded. If assurance contracts do become a major mechanism to fund mining, I imagine most organizations will participate mostly for altruistic / PR reasons.

...this leaves 20% for something that I don't foresee.


Title: Re: Funding network security in the future
Post by: amaclin on October 30, 2014, 04:24:40 AM
Quote
...this leaves 20% for something that I don't foresee.

100% The decentralization problem can not be solved.


Title: Re: Funding network security in the future
Post by: Cubic Earth on October 30, 2014, 06:11:48 AM
the P2P node network could configure itself as a giant parallel processor,
This cannot be done with the design of Bitcoin today.  I've previously (incompletely) sketched out (https://en.bitcoin.it/wiki/User:Gmaxwell/features#Proofs) what would be required, but we're a fair ways away from that. And so far there has been virtually no interest in moving things in a direction to support things like that inside Bitcoin.

With the rest of your post you seem to be describing a closed cartel system for mining--  if we have that, why not dispense with the mining, trust it to keep the ledger... (and call it paypal?). Centralized systems are much more efficient and easier to make reliable. I think Bitcoin's (unique) value derives almost exclusively from not being centralized.

I agree.  I meant a P2P network could be designed in such a way.  I didn’t mean to imply that the current software could somehow reconfigure itself, or only need slight modifications to perform in such a way.

With the rest of your post you seem to be describing a closed cartel system for mining--  if we have that, why not dispense with the mining, trust it to keep the ledger... (and call it paypal?). Centralized systems are much more efficient and easier to make reliable. I think Bitcoin's (unique) value derives almost exclusively from not being centralized.

I have a slightly different take on the roots of bitcoin’s value proposition, where decentralization is actually the means and not the ends.  I see Bitcoin’s true fundamental traits including: irreversible transactions, a predictable money supply, and no requirement to supply personal identity information to use the network.  Open access to any entity willing to pay the fees, as well as a fully transparent ledger are also important.  I accept that a decentralized network may be - practically speaking - the only way to currently meet those goals on a global scale.  Otherwise untrustworthy and primitive governments would interfere with Bitcoin if they could.

Let's imagine, in some fantasy world, that we could trust governments to always follow through on their promises and commitments.  Let us further imagine the U.S. Government committed to running a bitcoin-like network, one that espoused all the principles listed above.  If it was run with integrity and transparency, I doubt there would be anything like the kind of grass-roots support Bitcoin has thus far enjoyed.  Bitcoin would be a solution in search of a problem.  It would still be a great solution to the Byzantine Generals’ problem, but its application as a money system would be a minimal improvement over the centralized Bitcoin look-a-like.

I see Bitcoin as an expression of people’s desire to be part of a money system that has those certain traits.  We should fervently guard decentralization in general as it is currently the best way to achieve those traits in a world that is seemingly hostile to those principles.  Bitcoin has proved an important point, mainly that such a system can exist, and in doing so has challenged countless people’s assumptions about money, information, and control.  I am suggesting that such a demonstration of what is possible can permanently change people’s perspectives, and maybe in the future a bitcoin-like system, likely even Bitcoin itself, will have widespread support of people and governments the world over.  When the world becomes friendlier to the underlying concepts, I think some sets of design tradeoffs could be re-evaluated.

Miners are already organized to an extent, the collaborative product being the blockchain.  A cartel would represent a greater degree of organization.  It is a truly unstoppable phenomenon, as miners are free to associate and make agreements just like anyone else.  Most of us don’t live in fear of a 51% attack because we know it would not be in the miners’ self interest.  For exactly the same set of reasons I don’t worry about the actions of a miner cartel.  I assume they would use their power to uphold the traits that made Bitcoin valuable to begin with.  A well organized association of miners would actually be able to add additional value to the network, and that is why I see it as inevitable.  Guaranteeing unconfirmed transactions by actively rejecting any double-spend would be one way of adding value.  Such an association would also provide a convenient framework for implementing some version of Thaddeus Dryja’s proof-of-idle concept.  I would expect the association to be welcoming of any hash power that wanted to join.

Paypal, as a totally centralized service, could not look anything like Bitcoin even if they wanted to.  Governments would not allow it.  A global association of miners could and would be set up in a way to make government orders unenforceable.

The mining cartel would have a global monopoly on SHA256 hashing power, but thanks to proof-of-stake and other block signing systems, there are viable alternatives to SHA256 proof-of-work.  PoS has issues, and I remain a big fan of PoW, but PoS would easily be better than centralized and exclusive PoW that did not uphold the core principles this community cares so much about.  I believe miners know this today and will not forget it in the future.  Hashing power allows miners to provide a great security service to the world in the form of PoW, but as a tool of oppression, it would be utterly impotent.

The P2P network of full nodes will still have a role to play, but it will primarily be in auditing the miners.  Miners have an economic interest in maintaining an audit-able network, since openness itself is a primary feature of bitcoin.  As Gavin suggested, nodes could cooperate in auditing the blockchain.
In that case, the miners' cartel back-bone would have an incentive to delay publishing full blocks for auditing.

Only if they were being shortsighted would they confuse the incentives.  The miners should realize the network (and their mined BTC) would have maximum value if it remained easy to audit and make every effort to keep it that way.

A third audit function of the P2P node network would be as a channel for a wrongly excluded miner to submit a valid block.  A bedrock principle we should expect the mining backbone to adhere to would be to be welcoming and inclusive of any hashpower.  The P2P network could be configured to accept and verify any allegations that the mining backbone was engaging in exclusive activity.

How would merchants and users respond if a block was excluded?  In theory, they could blacklist one of the backbone's blocks, but that seems excessive.  Cancelling tx fees would be possible, but would likely just encourage fees to be moved off-chain.

I don’t know exactly, but it would in essence be a political crisis for the network.  I would imagine it would cause a fissure within the mining collective.  A steadfast policy of inclusiveness would result in more work being done on the chain than if some hash power was excluded.  I expect inclusiveness to be the policy of the collective, and it would be a problem if there was proof the policy was not being followed.

The ultimate power the Bitcoin community would have would be to fork and move away from SHA256 proof of work if the miners were abusing their position.


Title: Re: Funding network security in the future
Post by: amaclin on October 30, 2014, 07:32:18 AM
Quote
The mining cartel would have a global monopoly on SHA256 hashing power, but thanks to proof-of-stake and other block signing systems, there are viable alternatives to SHA256 proof-of-work.

PoS either do not provide security on long time range.
https://download.wpsoftware.net/bitcoin/pos.pdf


Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on October 30, 2014, 09:28:08 AM
I believe that if people want a secure network, they will figure out a way of getting it.
I agree, for a sufficiently broad definition of "a way". I believe the way will be placing hardcoded block caps; and figuring it out is what we're doing right now.


Speaking of caps: I'd like to stress the point that there are two separate costs in the Bitcoin network, each should be addressed in its own way:
1. The marginal cost of propagating, verifying and storing transactions. Caps on the block data size and amount of ECDSA signatures help with funding this.
2. The amortized cost of hashing blocks to secure the network. This has nothing to do with data size, and using data size caps to fund this is misguided and creates perverse incentives.

Funding hashing is a pure bargaining game between miners and users; the miners can include a tx at no cost, but they are in a position to charge a fee for this because the user relies on them. Shapley value theory suggests the amount the user should pay is proportional to the value of the transaction for them. Knowing the value for the user is difficult; however, I believe a good proxy for this is the total number of coins transferred in the tx. Placing a cap on the total number of coins transferred in transactions in the block helps ensure that users pay fees proportional to the amount sent, which in turn is roughly proportional to the value of the tx to them.


I'm not convinced about the viability of assurance contracts as a solution. It works well when either:
1. You have a small number of players, each with a large stake in the outcome and a large influence on the chances of success (as in traditional infrastructure projects)
2. Players get perks for their pledges, and have additional complex motivation (as in Kickstarter)

Here, if there are players with a big stake, we have failed in creating a decentralized system. If there are a large number of small players, they don't get anything extra for pledging (and their chances of affecting the primary objective are low), and it doesn't seem like the kind of thing they'd do for personal satisfaction, so people will still prefer to hold off their pledges and wait for someone else to pledge.


30% -- Bitcoin sustained through charitable mining / donations
20% -- Creation of an inflationary Bitcoin2
15% -- It doesn't get solved, some other blockchain with better economics eventually replaces Bitcoin.
10% -- Things will work roughly as-is
5% -- Assurance contracts
I'd assign less weight to charity, more weight to a radical economic change (though I hope Bitcoin will itself morph into something new rather than being replaced).


Title: Re: Funding network security in the future
Post by: gmaxwell on October 30, 2014, 10:26:42 PM
I believe a good proxy for this is the total number of coins transferred in the tx.
Probably not, due to all the non-bitcoin overlay things people are interested in. (E.g. the altcoins, colored coins, etc).

I disagree with the claim that it's unrelated. Scarcity of block space is what enables a market for it; absent complete miner collusion, with unlimited block sizes there is a defection problem (the rational move for the miner is to take very low fee paying transactions instead of turning their nose up at them in order to drive the market price for fees above zero).


Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on October 30, 2014, 10:43:09 PM
I believe a good proxy for this is the total number of coins transferred in the tx.
Probably not, due to all the non-bitcoin overlay things people are interested in. (E.g. the altcoins, colored coins, etc).
That is indeed an issue. But for the current purpose I'm talking about Bitcoin as a currency, not a generic ledger.

I disagree with the claim that it's unrelated. Scarcity of block space is what enables a market for it; absent complete miner collusion, with unlimited block sizes there is a defection problem (the rational move for the miner is to take very low fee paying transactions instead of turning their nose up at them in order to drive the market price for fees above zero).
I don't think you understood my point. Yes, absent any limits you'll have tragedy of the commons. Limits on block size have an effect on this problem, but only in a distorted way, which creates perverse incentives (an incentive for the user to give up on a beneficial tx to conserve a resource which is, in absolute terms, cheap). This is because the cost of hashing has nothing to do with block sizes - a bigger size doesn't make it more expensive to hash to secure the network.


Title: Re: Funding network security in the future
Post by: gmaxwell on October 30, 2014, 10:47:40 PM
(an incentive for the user to give up on a beneficial tx to conserve a resource which is, in absolute terms, cheap).
I disagree here. Network capacity is not very cheap... It is cheap marginally to miners but that's because the trust cost of a transaction is largely an externality to miners. It's also cheap in a highly centralized network where there is only one or a few verifiers, but in a highly decentralized network much less so. Security does not come exclusively from miners, it comes _primarily_ from verification. Miners serve to provide ordering, an essential part of the system, but miners' incentives are aligned by all the other parties verifying (otherwise, a rational thing for all miners to do would be to just agree to inflate the currency forever).


Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on October 30, 2014, 11:36:32 PM
(an incentive for the user to give up on a beneficial tx to conserve a resource which is, in absolute terms, cheap).
I disagree here. Network capacity is not very cheap... It is cheap marginally to miners but that's because the trust cost of a transaction is largely an externality to miners. It's also cheap in a highly centralized network where there is only one or a few verifiers, but in a highly decentralized network much less so. Security does not come exclusively from miners, it comes _primarily_ from verification. Miners serve to provide ordering, an essential part of the system, but miners' incentives are aligned by all the other parties verifying (otherwise, a rational thing for all miners to do would be to just agree to inflate the currency forever).
Verification is more important, yes. But I expect that the total cost of hashing will be much, much higher than the total cost of tx processing (this is of course the case now - there's a $500M / yr market of mining hardware, but no similar market of network nodes). Hence, when talking about hashing, I consider the capacity cheap.

The reason for this is simple - mining is deliberately made artificially difficult. Tx processing is not.


Title: Re: Funding network security in the future
Post by: gmaxwell on October 30, 2014, 11:59:04 PM
Verification is more important, yes. But I expect that the total cost of hashing will be much, much higher than the total cost of tx processing (this is of course the case now - there's a $500M / yr market of mining hardware, but no similar market of network nodes). Hence, when talking about hashing, I consider the capacity cheap.

The reason for this is simple - mining is deliberately made artificially difficult. Tx processing is not.
Ah, but mining is not made artificially difficult in any absolute sense. It's whatever it needs to be to keep the target pace. The system operates fine, though it's insecure with the difficulty at 1.  The hardware investments are one time, they amortize, energy usage is what is actually interesting. I know I'm not saying anything you don't know,  but I don't know why you expect a particular cost for hashing without first starting with an income (e.g. transaction fees) which would sustain it.


Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on October 31, 2014, 06:16:25 AM
Verification is more important, yes. But I expect that the total cost of hashing will be much, much higher than the total cost of tx processing (this is of course the case now - there's a $500M / yr market of mining hardware, but no similar market of network nodes). Hence, when talking about hashing, I consider the capacity cheap.

The reason for this is simple - mining is deliberately made artificially difficult. Tx processing is not.
Ah, but mining is not made artificially difficult in any absolute sense. It's whatever it needs to be to keep the target pace. The system operates fine, though it's insecure with the difficulty at 1.  The hardware investments are one time, they amortize, energy usage is what is actually interesting. I know I'm not saying anything you don't know,  but I don't know why you expect a particular cost for hashing without first starting with an income (e.g. transaction fees) which would sustain it.
The primary quantity is the amount of hashing power an attacker (who wishes to commit hashrate-based attacks) is expected to amass.
(And in this respect, I do believe hardware capex is more significant than power costs. At least for SHA-256, hardware is extremely specialized, so obtaining a high burst rate is difficult. The opex costs of an attack greatly depend on the available % of network hashrate).

From this we derive what the total cost of mining should be to keep the network secure from hashrate-based attacks (it is proportional to the attacker's hashrate).

And from this, we derive how we should fund this cost using tx fees. We want to keep tx fees artificially high, so that the total cost of mining is high, so that the network is secure.


Title: Re: Funding network security in the future
Post by: Crowex on October 31, 2014, 11:35:33 AM
Network security is a very broad term. What are we actually talking about here?
Maybe it would be useful to talk about different levels of security.

Is the network secure if all other current global computing power was turned against the current total hashing power?

Is the network secure if all current available hashing power not being used on the network was turned against it?

Is the network secure against a rational actor (homo economicus) trying to exploit it for gain by buying hashing power?

Is the network secure against a government trying to destroy it, not necessarily caring about the cost?

Different networks would achieve different levels of security.

I see an opportunity for lots more acronyms. TGC security, HE security ...... :)



Title: Re: Funding network security in the future
Post by: Gavin Andresen on November 01, 2014, 11:30:31 PM
And from this, we derive how we should fund this cost using tx fees. We want to keep tx fees artificially high, so that the total cost of mining is high, so that the network is secure.

How do you imagine you will be able to keep transaction fees artificially high?

I can imagine a future with 1MB blocks full of zero-transaction-fee transactions (all fees paid off-blockchain through special cozy relationships between big merchants/exchanges and big miners. Or simply big merchants/exchanges mining their own transactions).

I think network security CAN be funded through transaction fees-- that is easy, if you want to buy some security just attach a larger-than-strictly-necessary-to-get-confirmed fee to your transactions.

I don't think we know yet whether network security WILL be funded through transaction fees; there might be a free-rider problem that keeps people who want a secure network from actually paying for a secure network.

This is where it would be lovely for some academic economists who have studied the free-rider problem to chime in and predict what is likely to happen, and how other markets have solved (or not) the problem.


Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on November 02, 2014, 11:06:37 AM
And from this, we derive how we should fund this cost using tx fees. We want to keep tx fees artificially high, so that the total cost of mining is high, so that the network is secure.
How do you imagine you will be able to keep transaction fees artificially high?

I can imagine a future with 1MB blocks full of zero-transaction-fee transactions (all fees paid off-blockchain through special cozy relationships between big merchants/exchanges and big miners. Or simply big merchants/exchanges mining their own transactions).
It's fine if miners will be funded out-of-band. But I think it will be difficult to do this while keeping the market decentralized and competitive.

My suggestion for keeping tx fees artificially high is to place a hardcoded cap on the total amount of coins transferred in each block.

I think network security CAN be funded through transaction fees-- that is easy, if you want to buy some security just attach a larger-than-strictly-necessary-to-get-confirmed fee to your transactions.

I don't think we know yet whether network security WILL be funded through transaction fees; there might be a free-rider problem that keeps people who want a secure network from actually paying for a secure network.
I think tragedy of the commons is inevitable if no cap of any sort is placed on blocks. Hence my cap suggestion above.

This is where it would be lovely for some academic economists who have studied the free-rider problem to chime in and predict what is likely to happen, and how other markets have solved (or not) the problem.
Agreed.


Title: Re: Funding network security in the future
Post by: Gavin Andresen on November 02, 2014, 01:55:55 PM
I couldn't resist peeking at the literature; the first hit on a google search for "experimental economics free rider" turns up this 1984 paper: (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http%3A%2F%2Flink.springer.com%2Farticle%2F10.1007%252FBF00137902&ei=dDZWVMPtC82NyAT3voLAAw&usg=AFQjCNFNDbCCEevbSdLRrot2mYYd2OLHiA&sig2=9LQRpRU8VYm4TQfoPI0b_Q)

Quote
Both conventional wisdom and economic theory have been called into question recently by a series of research papers which report experimental studies of collective decision-making about public goods. Almost without exception, these papers have reported results that cast serious doubt upon the importance - and, in some cases, even upon the very existence - of the free rider problem.


Title: Re: Funding network security in the future
Post by: Crowex on November 02, 2014, 03:35:49 PM
The tragedy of the commons relates to unregulated use of common resources.

I don’t think this is in any way relevant. Mining resources are not under common ownership and there is no common right to use these resources. They are generally owned by private entities trying to make a commercial profit and you have no right to make them mine your transaction. Miners can choose what transactions they mine so the use of this resource is regulated by the miners.

Miners will simply set prices at what it is worth for them to mine and make a reasonable profit. With no block size limit they will be able to set the fee at which they can turn a profit at a lower level.
Quote
economic theory says that in a competitive market, supply, demand, and price will find an equilibrium where the price is equal to the marginal cost to suppliers plus some net income (because suppliers can always choose to do something more profitable with their time or money)
(Gavin’s blog)

Maybe a small percentage of mining will be paid for by community organisations or charity (but this still has to be paid for somehow) and people who are willing to wait longer can move coins for free but if you want a quicker service you pay a fee. So maybe these community miners will mine huge blocks (and be at a disadvantage due to block propagation) but they will be mining everybody’s transactions. So the choice is a free transaction that is only mined by 5% of miners or the higher fee you pay the more miners try to mine it. You get a better service if you pay.

 There are valid arguments for block size limits, such as, spamming and blockchain growth but I don’t think tragedy of the commons is one of them.

 The real danger is tragedy of the anticommons.
Quote
a type of coordination breakdown, in which a single resource has numerous rightsholders who prevent others from using it, frustrating what would be a socially desirable outcome
(wikipedia)

As suggested previously a large wallet might team with a large (say 30%) mining pool and charge their wallet users fixed transaction fees and pay the miners out of band. The mining pool is contracted to refuse to mine anyone else’s transactions. Another competing wallet buys a large portion of the remaining hash power (say 25%) and now nobody has access to all of the hashing power for their transactions.


Title: Re: Funding network security in the future
Post by: jonny1000 on November 02, 2014, 09:09:04 PM
Speaking of caps: I'd like to stress the point that there are two separate costs in the Bitcoin network, each should be addressed in its own way:
1. The marginal cost of propagating, verifying and storing transactions. Caps on the block data size and amount of ECDSA signatures help with funding this.
2. The amortized cost of hashing blocks to secure the network. This has nothing to do with data size, and using data size caps to fund this is misguided and creates perverse incentives.

Meni

Thanks for this interesting comment.  I guess you are correct that the amortised cost of hashing blocks has nothing to do with the data size.  However as you say, knowing the value for the user is difficult.  I am not sure if the value of bitcoins sent is a good proxy, because of additional layers like colored coins and who is to say that a transaction for one person buying medical care has less value to the other than a millionaire pointlessly moving money between wallets?  Why not assume all transactions are equal?  The number of transactions may be the best proxy.

Therefore I would alter my “transaction fee targeting”, mentioned at https://bitcointalk.org/index.php?topic=813324.msg9208935#msg9208935, to be the following:

I propose the following rule to determine the number of transactions in a block limit, once the block reward is low
The number of transactions in a block limit would increase (or decrease), by X%, if total transaction fees in the last N blocks is Y Bitcoin or more (or less).  

For example, if in the last 100,000 blocks, the average transaction fee per block is greater than 1 BTC, then the system increases the maximum number of transactions allowed in a block.

Advantages of this methodology include:
•   The system ensures sufficient fees are paid to secure the network in a direct way, with minimal changes to the protocol
•   If 1 BTC per block was chosen, this would represent c0.25% of the market capitalization being spent on security a year
•   This algorithm would be relatively simple
•   The transaction per block limit is determined algorithmically from historic blockchain data and therefore there will be a high level of agreement and little scope for attack
•   It would be difficult and expensive to manipulate this data, especially if mining is competitive and decentralized
•   The limit would relate well to demand for Bitcoin usage and real demand based on transaction fees, not just volume


Title: Re: Funding network security in the future
Post by: Cubic Earth on November 02, 2014, 10:45:36 PM
And from this, we derive how we should fund this cost using tx fees. We want to keep tx fees artificially high, so that the total cost of mining is high, so that the network is secure.

How do you imagine you will be able to keep transaction fees artificially high?

The word artificial is tricky.  It can mean insincere, false and fake in one set of more negative meanings.  It can also mean made by people, as with an artificial lake.  That is not a negative concept;  I love artificial light when I am trying to read at night.  In this instance we seem to be talking about how to avoid a race to the bottom at the expense of network security, with the race to the bottom being a 'natural' economic concept.  Thus, avoiding such a 'natural' outcome would entail the use of some 'artificial' constraints.

I can imagine a lot of possible futures, from big merchants and exchanges investing in mining to save themselves on transaction fees and ensure that their transactions are confirmed securely, to assurance contracts, to a cartel of miners regulated and funded and licensed as a global public utility.

I hope that last one doesn't happen...


There could be a cartel of miners that wasn't regulated, licensed, or funded by governments.

Bitcoin has no monopoly on blockchain technology.  Competing chains have and will continue to place competitive pressure on the Bitcoin system.  Keeping that in mind, I see no problem with Bitcoin miners organizing to decide what security level they want to provide, and how much that security will cost.  Offer too little security and people might prefer to use some other system they perceive as safer.  Charge too much and people will use a cheaper system.  I think a group of people, analyzing risks and making active judgements, will do a better job striking a good security balance than some fixed algorithm.  That group of people would be some form of miner association, or cartel, or decentralized company, or whatever you want to call it.  It could have many possible forms.  If you are worried about this group abusing their power, let me recall my first point, that Bitcoin does not have a monopoly on this technology.  Miners do have the network effect, as described by Metcalfe's law, working in their favor.  A mining cartel would be able to extract some additional profit thanks to the barrier cost of forking bitcoin, or switching to an alt coin.  But if the Bitcoin miners are too far off the optimum mix, alternatives will fill the gap.

A cartel would also be able to solve the free rider problem, as it would stop a race to the bottom.  Minimum fees would be established so that network security would remain adequately funded.

I view this thread as discussion on the merits of whether proof-of-work alone is going to give us the network we want, or if we need some additional parameters to have PoW function as desired.  The following is a short list of some pros and cons for PoW that I could think of.  I am interested to know if there is agreement on these.  Also, the lists are not complete, so please add!


PoW - Advantages

•A very fair method for initial distribution
•No risk that critical signing keys will be stolen since the system is not based on such keys
•Easy for any person in the world to verify that a particular transaction has been vouched for by a massive, and calculable, quantity of electricity and computational power.
•Absolute certainty that the work done was committed to a single version of history
•Some built-in degree of global geographic distribution since the cheapest power is globally distributed.  Why?  The cheapest power is going to be interruptible, surplus power, and there is a finite quantity at every generation station.
•Some degree of local distribution due to heat buildup, possible uses for waste heat, and the square-cube law
•Can be physically trackable to the extent that a visitable number of major data centers, together, perform a majority of the hashing.  This can be a benefit once the world at large accepts Bitcoin as a ‘good thing’ to be supported and encouraged.  In the Bitcoin-at-war scenario, which is currently still a possibility, identifiable physical locations are a weakness.


PoW - Disadvantages

•Expensive (yet this is inextricably tied to the cost to attack, which is a benefit.  Paradoxical!)
•Potential for a government to carry out a massive ASIC mega-farm attack (economically and politically unlikely, but absolutely possible.  1% chance?)
•SHA256 almost certainly will be broken at some point.  Not really a problem as long as a viable transition process happens first.


Title: Re: Funding network security in the future
Post by: work2heat on November 03, 2014, 12:08:35 AM
Most of the conversation seems to have been about ensuring sufficient transaction fees are paid to miners. But what about the verifiers? Currently, all tx validation is done by volunteers. I think Satoshi initially intended for validators to double as miners, but in a world where the two are largely mutually distinct, how do we support the verifiers? And if we can't, isn't the network doomed anyway?

Related to this is something I have not seen considered: the upper limit on hash speed per device.

A naive calculation would go like this. Take the universe's maximum bit-operations/second (assuming it exists) as the speed of light in nanometers/second, or 3x10^17 (i.e. 300 peta(nm/s)). Suppose a SHA256 takes 1000 bit operations. So we can say ASICs will top out at 0.3 PH/S or 300 TH/S (from what I can tell, they are currently around 1-10 TH/s, so this would be order of 10-100 times speed up). I know very little about hardware, but given the incentives and the acceleration of knowledge, this may not be unreasonable within say the next 20 years, to pull a number out of my ass. All this assuming of course there is an upper bound set by the cosmos on computations per second, which may or may not be reasonable, depending on your approach to modern physics. Of course my estimate of SHA256 bit ops may be wildly off and obviously depends on the size of the input, but it doesn't matter - what does matter is ASIC manufacturers reach the limit in the next couple (maybe even five?!) decades. Suppose it's a graphene based breakthrough, if you're hung up on transistors and the end of Moore's Law.

(As an aside, note that it takes ~40ms to get from New York to Hong Kong at the speed of light. So unless we break that barrier, high performance large scale distributed systems are kind of screwed anyways. In other words, the speed of light is too slow for our needs ;) ).

Supposing ASICs do reach this limit (and will probably be the first devices in our corner of the cosmos to do so), then some point afterward we will be seemingly back to the kind of thing Satoshi originally envisioned. A 300TH/s ASIC cheap as a modern CPU today. One 300 TH/s ASIC, 1 vote. Of course there is still the centralization incentive, so let's assume we have solved that by transitioning to something like Hashimoto or another such hashing scheme that requires the entire blockchain to be available to the miner. The next step, driven by market demand of regular people mining again, will then be ASIC EC verification. Give it a couple decades or so to also become "cheap as a cpu".

Now we're in a situation again where full nodes validate and mine, just like the good ole days, supporting the system for the same reasons bittorrent is supported - it's useful, it provides for us, it sticks it to the man, whatever.

And they lived happily ever after?


Title: Re: Funding network security in the future
Post by: Cubic Earth on November 03, 2014, 01:02:41 AM
Most of the conversation seems to have been about ensuring sufficient transaction fees are paid to miners. But what about the verifiers? Currently, all tx validation is done by volunteers. I think Satoshi initially intended for validators to double as miners, but in a world where the two are largely mutually distinct, how do we support the verifiers? And if we can't, isn't the network doomed anyway?

It is in users' self interest to validate.  If you don't want to run your own full node, there are plenty of companies that will do the validation for you and charge you a fee.  One reason to have a block-size limit is to make sure it always stays reasonable for a hobbyist, with a relatively modest expenditure of resources, to perform full validation at home.  So I would say no, the network is not doomed in the absence of financial support for nodes.

Related to this is something I have not seen considered: an upper limit on hash speed per device.

No one has seriously considered it because the concept is a non-starter.  Even if you could devise some way to enforce the rule on a per-device basis, there is no known and accepted way to stop a single entity from controlling multiple devices.  People would figure out a way to control multiple hashing devices, and in such case your idea would introduce only added complexity and possible attack vectors and, I think, nothing positive.


Title: Re: Funding network security in the future
Post by: work2heat on November 03, 2014, 01:18:33 AM
Quote
No one has seriously considered it because the concept is a non-starter.  Even if you could devise some way to enforce the rule on a per-device basis, there is no known and accepted way to stop a single entity from controlling multiple devices.  People would figure out a way to control multiple hashing devices, and in such case your idea would introduce only added complexity and possible attack vectors and, I think, nothing positive.

Hm I think maybe you misunderstood my point (did you read the whole post?). I'm talking about ASICs achieving the limit set by the universe on hashes per second. No enforcing necessary, physics takes care of that. So I have not actually "proposed" anything complexifying. Simply wondering how the economics change when ASICs hit such a limit (assuming the limit exists - hello physicists?) and become "cheap as cpus", motivating EC verification to achieve a similar limit, also become "cheap as cpus", and finally have both integrated into modern (being X decades into the future) personal devices. Sure, anyone can buy more devices, but the idea is that speedup in a given device may saturate, so the advantage is only linear (rather than exponential) in cost. By that point tx fees may be tiny, or even nil, but it will be relatively cheap for an average user to participate, just like in bittorrent. So indeed, as Gavin keeps saying, the market may figure out how to pay for security, in this case by saturating ASIC capacity and making it feasible for the average user to once again play.


Title: Re: Funding network security in the future
Post by: Cubic Earth on November 03, 2014, 03:00:24 AM
Yes, I did misunderstand.  I thought you were advocating for a network imposed limit, but I see better now what you are thinking. You are describing 100% thermodynamic efficiency, right?  I think that is theoretically impossible to attain, but it is widely expected that as the rate of efficiency improvement in SHA256 hashing slows down, mining costs will come to be dominated by operational expenditures (electricity). Currently capital expenditures (buying more efficient ASICs) are still the major factor.

The importance of cheap electricity will become ever more important as hashing tech matures.


Title: Re: Funding network security in the future
Post by: work2heat on November 03, 2014, 03:20:08 AM
Exactly. I think the proper analysis is to look at hashing vs cost. In the beginning, it was essentially linear. For the last couple and probably the next 10 or so years at least, it will be exponential as better ASICs offer exponential speedups over CPUs. Eventually, as their capacity saturates, the curve will be linear again, based on number of devices (rather than capacity per device) and as you say on electricity.

A linear situation is much more amenable to the volunteer. If bitcoin becomes important enough, for example, Apple and the rest will throw ASIC miners and EC verifiers into their products, and the network security will be funded by its usefulness in maintaining society all together.

A bit too romantic, maybe, but I'm an optimist ;)


Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on November 03, 2014, 09:07:55 AM
The tragedy of the commons relates to unregulated use of common resources.

I don’t think this is in any way relevant. Mining resources are not under common ownership and there is no common right to use these resources. They are generally owned by private entities trying to make a commercial profit and you have no right to make them mine your transaction. Miners can choose what transactions they mine so the use of this resource is regulated by the miners.
The common resource here is abstract. It is the willingness of users to pay tx fees. By accepting low-fee txs, a miner consumes this resource (that is, makes users less willing to pay tx fees) for his own benefit, at the expense of the total benefit of all miners. And, since Bitcoin needs miners, this is a problem for all Bitcoin users.

Nobody suggested that the mining devices themselves are a common good.

Miners will simply set prices at what it is worth for them to mine and make a reasonable profit. With no block size limit they will be able to set the fee at which they can turn a profit at a lower level.
Quote
economic theory says that in a competitive market, supply, demand, and price will find an equilibrium where the price is equal to the marginal cost to suppliers plus some net income (because suppliers can always choose to do something more profitable with their time or money)
(Gavin’s blog)
Quoting this theory blindly is failing to acknowledge some specific characteristics of Bitcoin mining. Most importantly, that we want to keep mining costs artificially high. Absent any limiting mechanism, sure, the market will reach an equilibrium... An equilibrium where tx fees are low, total hashrate is low, and the network is vulnerable to hashrate attacks.

In a healthy network with a high hashrate, the main cost of a tx is amortized, and the marginal cost is negligible. Hence, having the price equal to the marginal cost (as in the quote) is a disaster.

Thought of another way: Mining has a positive externality which is difficult to monetize, due to "race to the bottom" effects. Left to the market's own devices, no mining will be done. Hence we need some way to coordinate players into providing this externality.


Speaking of caps: I'd like to stress the point that there are two separate costs in the Bitcoin network, each should be addressed in its own way:
1. The marginal cost of propagating, verifying and storing transactions. Caps on the block data size and amount of ECDSA signatures help with funding this.
2. The amortized cost of hashing blocks to secure the network. This has nothing to do with data size, and using data size caps to fund this is misguided and creates perverse incentives.

Meni

Thanks for this interesting comment.  I guess you are correct that the amortised cost of hashing blocks has nothing to do with the data size.  However as you say, knowing the value for the user is difficult.  I am not sure if the value of bitcoins sent is a good proxy, because of additional layers like colored coins and who is to say that a transaction for one person buying medical care has less value to the other than a millionaire pointlessly moving money between wallets?  Why not assume all transactions are equal?  The number of transactions may be the best proxy.
Additional layers are an issue to consider, but even so I believe value sent is a better proxy than all transactions being equal.

Regarding your other point:
1. I hope you realize that my suggestion makes things easier for the person paying medical care. The quantity sent is lower for him, so he is expected to pay less fees.
2. I'm talking about value in the economic sense, not in the emotional, personal sense. Someone who is rich and is sending large amounts is generally willing to pay higher fees. The willingness is an advantage, and should be used to fund the network.
3. If the moving of money between wallets is "pointless", I see no harm in a policy that discourages it. If it's not pointless (security concerns etc.), then the sender is willing to pay for it, and we should use that.

Therefore I would alter my “transaction fee targeting”, mentioned at https://bitcointalk.org/index.php?topic=813324.msg9208935#msg9208935, to be the following:

I propose the following rule to determine the number of transactions in a block limit, once the block reward is low:
The number of transactions in a block limit would increase (or decrease), by X%, if total transaction fees in the last N blocks is Y Bitcoin or more (or less).  
Dynamic rules of this kind can have very unstable, unpredictable behavior. They should be approached with great care.


Most of the conversation seems to have been about ensuring sufficient transaction fees are paid to miners. But what about the verifiers? Currently, all tx validation is done by volunteers. I think Satoshi initially intended for validators to double as miners, but in a world where the two are largely mutually distinct, how do we support the verifiers? And if we can't, isn't the network doomed anyway?
This is true, and I believe research such as the Red Balloons paper (http://research.microsoft.com/apps/pubs/?id=156072) is a step towards resolving this issue.

Anyway, I expect the cost of verifying to be much lower than of hashing, so finding a way to fund that should be easier.

Related to this is something I have not seen considered: the upper limit on hash speed per device.
There is no known physical limit on computation. (There are some erroneous limits occasionally quoted, based on the physical limits of erasing information; but in truth, it is not known that computation requires erasing information proportionally).

And even if there is:
1. We're decades away from being anywhere near it
2. I'm not sure why the rest of your scenario would follow.


I couldn't resist peeking at the literature; the first hit on a google search for "experimental economics free rider" turns up this 1984 paper: (http://link.springer.com/article/10.1007%2FBF00137902)

Quote
Both conventional wisdom and economic theory have been called into question recently by a series of research papers which report experimental studies of collective decision-making about public goods. Almost without exception, these papers have reported results that cast serious doubt upon the importance - and, in some cases, even upon the very existence - of the free rider problem.
AFAICT, this paper discusses the methodological errors in those research papers that dismissed the free rider problem, and itself did not find evidence against the free rider problem.

Anyway, in the real world the free rider problem obviously exists.
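
The fee-targeting rule quoted in this thread ("increase or decrease the limit by X% if total fees in the last N blocks are Y BTC or more, or less") and the stability concern raised in reply to it can be explored with a small simulation. This is an added example, not code from any poster or from Bitcoin itself. The demand curve, the floor fee, N = 100 blocks, Y = 100 BTC (1 BTC per block on average) and X = 10% are constructed assumptions.

```python
import math

# Assumed demand model (not from the thread): each block, `demand` transactions
# want in, and the q-th most eager sender will pay up to F0 * ln(demand / q) BTC.
F0 = 0.001            # BTC, scale of willingness to pay (constructed value)
FLOOR_FEE = 0.00001   # BTC, fee paid when block space is not scarce (constructed)


def block_fees(limit, demand):
    """Total fees collected in one block that fits at most `limit` transactions."""
    if limit >= demand:
        return demand * FLOOR_FEE              # no scarcity: fees fall to the floor
    clearing = max(FLOOR_FEE, F0 * math.log(demand / limit))
    return limit * clearing                    # every included tx pays the marginal bid


def adjust_limit(limit, window_fees, target_total, step_pct):
    """The quoted rule: raise the limit by X% if the fees of the last N blocks
    total Y BTC or more, otherwise lower it by X% (never below 1 transaction)."""
    delta = max(1, limit * step_pct // 100)
    if sum(window_fees) >= target_total:
        return limit + delta
    return max(1, limit - delta)


def simulate(limit, demand_per_period, n_blocks=100, target_total=100.0, step_pct=10):
    """Apply the rule once per N-block period; return the limit after each period."""
    history = []
    for demand in demand_per_period:
        window = [block_fees(limit, demand)] * n_blocks
        limit = adjust_limit(limit, window, target_total, step_pct)
        history.append(limit)
    return history


def scenarios():
    steady = [4000] * 200
    # Demand halves for 120 periods, then returns to its old level.
    shock = [4000] * 50 + [2000] * 120 + [4000] * 100
    return {
        "start_2000": simulate(2000, steady),    # starts where fees exceed the target
        "start_400": simulate(400, steady),      # starts where fees miss the target
        "demand_shock": simulate(2000, shock),
    }


if __name__ == "__main__":
    for name, hist in scenarios().items():
        tail = hist[10:]
        print(f"{name:13s} final={hist[-1]:5d}  min={min(tail):5d}  max={max(tail):5d}")
```

Under these assumptions the limit settles into a bounded oscillation only when it starts on the side of the revenue curve where adding transactions lowers total fees. A limit that starts too low, or a temporary drop in demand that makes the target unreachable, drives the limit down to 1, and it stays there after demand returns.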


Title: Re: Funding network security in the future
Post by: Crowex on November 03, 2014, 01:10:51 PM
The tragedy of the commons relates to unregulated use of common resources.

I don’t think this is in any way relevant. Mining resources are not under common ownership and there is no common right to use these resources. They are generally owned by private entities trying to make a commercial profit and you have no right to make them mine your transaction. Miners can choose what transactions they mine so the use of this resource is regulated by the miners.
The common resource here is abstract. It is the willingness of users to pay tx fees. By accepting low-fee txs, a miner consumes this resource (that is, makes users less willing to pay tx fees) for his own benefit, at the expense of the total benefit of all miners. And, since Bitcoin needs miners, this is a problem for all Bitcoin users.

Nobody suggested that the mining devices themselves are a common good.

The demand curve for a product or service shows the relationship between the price of a product and the willingness and ability of consumers to pay.
In traditional economics willingness to pay for a product is not an abstract resource; it is a variable in the demand calculation.

As I pointed out, if a certain percentage of miners offer lower fees (such as the charity miners) then this will mean that consumers will have the choice of how fast their transaction is likely to be processed. The fees charged by commercial miners will probably reflect the amount of discounted transaction mining available. Although all of this discounted mining will have to be paid for one way or another.

A miner consuming a ‘willingness to pay’ resource for his own benefit makes no sense to me.

Quote
Miners will simply set prices at what it is worth for them to mine and make a reasonable profit. With no block size limit they will be able to set the fee at which they can turn a profit at a lower level.
Quote
economic theory says that in a competitive market, supply, demand, and price will find an equilibrium where the price is equal to the marginal cost to suppliers plus some net income (because suppliers can always choose to do something more profitable with their time or money)
(Gavin’s blog)
Quoting this theory blindly is failing to acknowledge some specific characteristics of Bitcoin mining. Most importantly, that we want to keep mining costs artificially high. Absent any limiting mechanism, sure, the market will reach an equilibrium... An equilibrium where tx fees are low, total hashrate is low, and the network is vulnerable to hashrate attacks.

In a healthy network with a high hashrate, the main cost of a tx is amortized, and the marginal cost is negligible. Hence, having the price equal to the marginal cost (as in the quote) is a disaster.

Thought of another way: Mining has a positive externality which is difficult to monetize, due to "race to the bottom" effects. Left to the market's own devices, no mining will be done. Hence we need some way to coordinate players into providing this externality.


I didn’t quote blindly. I read it and thought it was relevant to the point I was making. The point I was making was regarding particular economic arguments that used the tragedy of the commons as their premise. I was not making any argument as to whether the equilibrium reached by free market economics would ‘secure’ a network.

We do not necessarily want to keep mining costs artificially high. What we actually want is to have a network that is secure against hash rate attacks. These are different things.
For example, if the network reaches an equilibrium where it is secure then we don’t need to manipulate mining costs in any way. Transaction costs might, in the future, sustain this. We don’t know.

 As my other post mentioned there are different hash rate attacks to consider and some might be done to try and profit but some might be done for political reasons with no regard to cost.
 Guarding against an attack with no regard to cost is more difficult.

 Anyway, I don’t want to seem too argumentative because I agree with most of what you have to say. I just don’t agree with the economic argument based on the tragedy of the commons.

 The subject of mechanisms to manipulate the market in order to provide security is quite a big subject that I haven’t really got time to offer a considered opinion on. I did spend some time trying to build a mathematical model of the different variables in a decentralised network and how they affected each other. I might try and finish this project and post it to see if anyone would be interested in building a simulation (maybe as an open source project) that might be an interesting way of envisioning future effects of applying these mechanisms.




Title: Re: Funding network security in the future
Post by: Meni Rosenfeld on November 03, 2014, 02:17:28 PM
The tragedy of the commons relates to unregulated use of common resources.

I don’t think this is in any way relevant. Mining resources are not under common ownership and there is no common right to use these resources. They are generally owned by private entities trying to make a commercial profit and you have no right to make them mine your transaction. Miners can choose what transactions they mine so the use of this resource is regulated by the miners.
The common resource here is abstract. It is the willingness of users to pay tx fees. By accepting low-fee txs, a miner consumes this resource (that is, makes users less willing to pay tx fees) for his own benefit, at the expense of the total benefit of all miners. And, since Bitcoin needs miners, this is a problem for all Bitcoin users.

Nobody suggested that the mining devices themselves are a common good.

The demand curve for a product or service shows the relationship between the price of a product and the willingness and ability of consumers to pay.
In traditional economics willingness to pay for a product is not an abstract resource; it is a variable in the demand calculation.

As I pointed out, if a certain percentage of miners offer lower fees (such as the charity miners) then this will mean that consumers will have the choice of how fast their transaction is likely to be processed. The fees charged by commercial miners will probably reflect the amount of discounted transaction mining available. Although all of this discounted mining will have to be paid for one way or another.

A miner consuming a ‘willingness to pay’ resource for his own benefit makes no sense to me.
Suppose all the miners form a cartel. They will have no problem funding themselves; they can all agree not to include any tx that doesn't pay high fees. The users would pay this fee because they have no other choice.

Some users will try to pay a fee lower than the cartel's threshold. One miner decides to defect from the cartel; he includes in his block all these low-fee transactions. This costs him nothing, so this is a net profit for him (he benefits).

Seeing this, users will know that even if they don't pay the cartel's high fees, they can still get their tx included eventually. Thus, their willingness to pay high fees is lower (that is, the miner consumed their willingness). Thus, more users will try to pay low fees, and the total revenue of all miners decreases.

But it's not just the one miner. Every miner will, individually, have an incentive to include low-fee txs. This means that even with a low fee, it's easy to get a tx to the block. Thus, no user will want to pay high fees, and the total revenue of miners will be low (this is the tragedy - for the miners, and due to the effect on network health, for all Bitcoin users).

This is completely analogous to the classical instance of tragedy of the commons, where all herders would benefit if they all grazed just their fair share, but everyone is incentivized to defect and overgraze, depleting the resource and causing everyone to suffer.

I didn’t quote blindly. I read it and thought it was relevant to the point I was making. The point I was making was regarding particular economic arguments that used the tragedy of the commons as their premise. I was not making any argument as to whether the equilibrium reached by free market economics would ‘secure’ a network.
If we agree there is a problem (do we?), and we understand its moving parts, it doesn't really matter whether we call it "tragedy of the commons" or not. Though, I do believe that calling it that helps us gain insights from existing knowledge regarding tragedy of the commons problems.

We do not necessarily want to keep mining costs artificially high. What we actually want is to have a network that is secure against hash rate attacks. These are different things.
Sure, but unless we find a better way to keep the network secure, keeping mining costs artificially high is a subgoal.


Title: Re: Funding network security in the future
Post by: jonny1000 on November 03, 2014, 03:48:52 PM
There appears to be a degree of consensus that when the block reward falls to a low level, we need an artificial scarcity of something in order to ensure aggregate transaction fees are high enough to provide sufficient security.  I have tried to analyse the available options of things to make artificially scarce with some kind of maximum:

1.      Block Size (Currently implemented for different reasons)

Advantages
o   This is already implemented for spam protection and bandwidth capacity issues, there could therefore be more of a seamless transition, with the reason for the blocksize limit shifting, rather than the rules
o   Bandwidth, propagation or storage issues could remain for many years to come and therefore a blocksize rule may be relevant for a while.  Having two limits may be too complicated
o   All data is available in the blockchain
Disadvantages
o   Transaction size may have no relationship to the amortised cost of hashing nor the value of the transaction to the user.

2.      Value of transactions per block (Meni’s preferred option)
Advantages
o   The value of a transaction may relate to the value to the user, therefore it could make more sense for higher value transactions to have higher fees
o   This is reasonably consistent with many other financial systems, which often have a percentage transaction fee
o   All data is available in the blockchain
Disadvantages
o   What if you have a transaction output higher than the limit, then would that output become unspendable?
o   There is no relationship between the cost of hashing and the value of transactions
o   There may be a limited relationship between the transaction value and the economic value to the user, for example coloured coins, proof of existence, sending large amounts of money between wallets or a large amount of change in a transaction.
o   This may cause administrative difficulties, with people reluctant to consolidate balances into the same transaction outputs, for fear of spending higher fees
o   Transaction outputs with a lower balance could trade at a higher price, since the fee to send money from these outputs will be lower, challenging fungibility
o   This arbitrary limit could be seen as aggressive and challenge the claim that there are no limits on your transactions

3.      Number of transactions per block (My preferred option)
Advantages
o   The transaction fee is paid per transaction, therefore limiting the number of transactions is the most simple option and most direct option in attempting to manipulate the value of the transaction fees.
o   Less of a value judgement is involved in this more neutral policy
o   All transactions are treated equal, regardless of the size involved or value, this supports the system's use as a general case distributed ledger and not just a currency.
o   All data is available in the blockchain
Disadvantages
o   There is no relationship between the cost of hashing and the number of transactions
o   No account is made for the economic value of the transaction to the user

4.      Hybrid between some of the above
Disadvantages
o   This may be too complex

Does anyone have any other potential ideas?


Title: Re: Funding network security in the future
Post by: Crowex on November 03, 2014, 04:27:49 PM
Suppose all the miners form a cartel. They will have no problem funding themselves; they can all agree not to include any tx that doesn't pay high fees. The users would pay this fee because they have no other choice.

Some users will try to pay a fee lower than the cartel's threshold. One miner decides to defect from the cartel; he includes in his block all these low-fee transactions. This costs him nothing, so this is a net profit for him (he benefits).

Seeing this, users will know that even if they don't pay the cartel's high fees, they can still get their tx included eventually. Thus, their willingness to pay high fees is lower (that is, the miner consumed their willingness). Thus, more users will try to pay low fees, and the total revenue of all miners decreases.

But it's not just the one miner. Every miner will, individually, have an incentive to include low-fee txs. This means that even with a low fee, it's easy to get a tx to the block. Thus, no user will want to pay high fees, and the total revenue of miners will be low (this is the tragedy - for the miners, and due to the effect on network health, for all Bitcoin users).


OK, I understand that explanation a bit better.
The key factor is that it doesn’t cost any more to produce a block with the extra low fee paying transactions in as well than to just include the high fee transactions.

Even if the miners didn’t collude to form a cartel I think that some form of natural cartel would form and the transaction fee would reflect the cost of mining.

 There would be a certain percentage of miners that would try and include any low fee paying transactions in their blocks (and maybe the community miners too, who want to provide this service) but for anybody with a reasonable share of the total hashing power it would definitely be against their long term self interest to move too far away from a cartel price (whether the cartel was natural or not) and I think that miners with a large share of hashing power would act according to these long term interests.

The market for digital products is similar in that once you have built the software for a computer game it doesn’t cost you any more no matter how many games you produce. However we don’t see the market price being driven down to the actual costs of production and below even though there is a willingness to pay a lower price. Perhaps this isn't a perfect analogy either, but it has some similarities.

 I tend to think that the market would still reach an equilibrium with the major miners sticking to a certain price level to protect their long term interests and the result would be the consumer choice of how quickly their transactions will be processed.

Quote
This is completely analogous to the classical instance of tragedy of the commons, where all herders would benefit if they all grazed just their fair share, but everyone is incentivized to defect and overgraze, depleting the resource and causing everyone to suffer.

 I would probably still argue that there is a difference in the analogy that might make any insights gained potentially misleading. In your case it would be the suppliers of the resource that are cheating the system by defying the cartel and reducing the price of the resource, rather than the consumers that are over using and depleting a finite resource, but I agree that what we decide to call the problem isn’t too important.

Quote
If we agree there is a problem (do we?)

There is definitely a potential problem. At the moment I wouldn’t like to guess how it will develop or what is the best solution if/when the problem does appear.
 


Title: Re: Funding network security in the future
Post by: Taek on November 03, 2014, 05:47:37 PM
A few thoughts:

I believe that if people want a secure network, they will figure out a way of getting it. My justification is the same as my belief that if people want clean, cheap, safe drinking water they will figure out a way of getting it.

Quote
Both conventional wisdom and economic theory have been called into question recently by a series of research papers which report experimental studies of collective decision-making about public goods. Almost without exception, these papers have reported results that cast serious doubt upon the importance - and, in some cases, even upon the very existence - of the free rider problem.

The people who are most likely to care about security are the people with a ton of stake in the system. The average person, having a few thousand dollars worth of coins (or less), is unlikely to want to fund miner security if they know that there are already tens of thousands of dollars of hashing being done every day. They will probably be a collective deadweight, simply because of a diffused sense of responsibility. (10 million people each having $1000 stake will not fund as much mining collectively as a single person with $10 billion stake). Enough of the heavy hitters though will care to fund the network to a reasonable amount of security. I think this will happen at any value. If a bitcoin is $25, the heavy hitters will have a realistic sense of what the hash rate needs to be to protect them. If a bitcoin is $250,000, the heavy hitters are now probably governments and corporations, but they will still have a realistic sense of what is needed to properly protect their stake into the currency.

I think that altchains and altcoins will be able to play a big role in this. If permanent inflation ends up being required to encourage large amounts of hashing power, the heavy hitters will switch to a chain that has permanent inflation built in. If % fees on transactions end up being the most attractive choice, then the heavy hitters will switch to the chain that has % fees, because though they may not like the fee, they value the security and the heavy hitters will care enough to stomach the fees. If a really restrictive block size ends up being the correct choice... and so on. Sidechains could let all of these experiments happen on the Bitcoin currency directly.

My personal guess is that a permanently inflationary currency is going to be the long term solution. I don't see assurance contracts panning out, I don't see the value in restricting the amount of transactions (beyond enabling the average home connection to keep up), and I don't think people will voluntarily pay higher than necessary fees.


Title: Re: Funding network security in the future
Post by: Phrenico on November 04, 2014, 12:29:27 AM
The problem that remains with many of these proposals is that it will always be cheaper to transact off-blockchain and it is free to hold bitcoins once the inflation rate falls. Depending on people's desire for on-blockchain vs. off-blockchain transactions, this can be a serious problem.

Regardless, Meni's suggestion seems clearly better than limiting the blocksize by data.


Title: Re: Funding network security in the future
Post by: go1111111 on November 04, 2014, 03:38:25 AM
Funding hashing is a pure bargaining game between miners and users; the miners can include a tx at no cost, but they are in a position to charge a fee for this because the user relies on them. Shapley value theory suggests the amount the user should pay is proportional to the value of the transaction for them. Knowing the value for the user is difficult; however, I believe a good proxy for this is the total number of coins transferred in the tx. Placing a cap on the total number of coins transferred in transactions in the block helps ensure that users pay fees proportional to the amount sent, which in turn is roughly proportional to the value of the tx to them.

And from this, we derive how we should fund this cost using tx fees. We want to keep tx fees artificially high, so that the total cost of mining is high, so that the network is secure.

I think your analysis regarding keeping Bitcoin fees "artificially high" would work in a world where there is a high switching cost to competing cryptocurrencies (ccys). However, it won't work if users have an easy alternative to paying these artificially high fees. Assume that in the future the switching cost between ccys is negligible. Then people who actually use Bitcoin as a medium of exchange will migrate to ccys that are designed for low transaction fees by having a greater share of network security paid for by inflation/demurrage. Because the value of a ccy is driven by its use as a medium of exchange, Bitcoin would basically fade away and be replaced by this more medium of exchange friendly ccy. Robert Sams has an amazing post about this at http://cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/, which is the most serious treatment of Bitcoin economics I've ever seen.

So the question becomes: in the future will the switching cost between ccys be so high that people who want to use ccys as a medium of exchange can be forced to pay the entire cost of securing a ccy network? As a software developer I'm skeptical of this because I can envision how simple it would be for payment software to be able to accept multiple ccys and convert between them.



Title: Re: Funding network security in the future
Post by: go1111111 on November 04, 2014, 03:53:15 AM
Quote
There would be a certain percentage of miners that would try and include any low fee paying transactions in their blocks (and maybe the community miners too, who want to provide this service) but for anybody with a reasonable share of the total hashing power it would definitely be against their long term self interest to move too far away from a cartel price (whether the cartel was natural or not) and I think that miners with a large share of hashing power would act according to these long term interests.

You could just as easily say that in the classic tragedy of the commons scenario, anyone with a reasonable number of cows would limit their grazing voluntarily because otherwise they'd be acting against their long term interest, so we don't have to worry about the tragedy of the commons. I think your argument fails for the same reason.

Quote
The market for digital products is similar in that once you have built the software for a computer game it doesn’t cost you any more no matter how many games you produce. However we don’t see the market price being driven down to the actual costs of production and below even though there is a willingness to pay a lower price.

This is a very dissimilar situation, because the game producer has a monopoly on the right to sell the game. If anyone off the street had a right to sell the game, you would see the price fall to almost zero.

Quote
If permanent inflation ends up being required to encourage large amounts of hashing power, the heavy hitters will switch to a chain that has permanent inflation built in. If % fees on transactions end up being the most attractive choice, then the heavy hitters will switch to the chain that has % fees, because though they may not like the fee, they value the security and the heavy hitters will care enough to stomach the fees. If a really restrictive block size ends up being the correct choice... and so on. Sidechains could let all of these experiments happen on the Bitcoin currency directly.

Unfortunately, sidechains could probably not be used to switch to a cryptocurrency (ccy) with permanent inflation. The reason is that if a new ccy had permanent inflation, no holder of that ccy could escape it, and everyone would be forced to pay for network security in proportion to their holdings. If you create a Bitcoin sidechain with permanent inflation, everyone has a choice as to whether to move their coins to that sidechain. So the only people paying for network security will be the people who choose to do so. You still have a free rider problem.

I said "probably" above because there might be some clever solution where you'd make it extremely costly and difficult to move one's coins back from the sidechain to Bitcoin which somehow encourages everyone to just move their coins there and keep them there, or you might be able to come up with some crazy rules on the sidechain that I haven't thought of. But as far as I know, no one has proposed a viable way that sidechains could be used to solve the future network security problem.


Title: Re: Funding network security in the future
Post by: Cubic Earth on November 04, 2014, 08:13:38 AM
Quote
Suppose all the miners form a cartel. They will have no problem funding themselves; they can all agree not to include any tx that doesn't pay high fees. The users would pay this fee because they have no other choice.

Some users will try to pay a fee lower than the cartel's threshold. One miner decides to defect from the cartel; he includes in his block all these low-fee transactions. This costs him nothing, so this is a net profit for him (he benefits).

Seeing this, users will know that even if they don't pay the cartel's high fees, they can still get their tx included eventually. Thus, their willingness to pay high fees is lower (that is, the miner consumed their willingness). Thus, more users will try to pay low fees, and the total revenue of all miners decreases.

But it's not just the one miner. Every miner will, individually, have an incentive to include low-fee txs. This means that even with a low fee, it's easy to get a tx to the block. Thus, no user will want to pay high fees, and the total revenue of miners will be low (this is the tragedy - for the miners, and due to the effect on network health, for all Bitcoin users).

This is completely analogous to the classical instance of tragedy of the commons, where all herders would benefit if they all grazed just their fair share, but everyone is incentivized to defect and overgraze, depleting the resource and causing everyone to suffer.

As long as the cartel has more than 50% of the hash power, it can dictate the terms and ensure any blocks not conforming to the cartel's fee policy would be orphaned.  A cartel operating in such a fashion can prevent the tragedy of the commons you describe.  I prefer to think of it as a race-to-the-bottom issue, with the bottom being inadequate network security.  Realistically I would expect the 'willing' participants in the cartel to have somewhere between 70% and 90% of the hash power.  The remaining fraction of hash power would also contribute hashing to the cartel because it would NOT be in their best interest to have their blocks constantly orphaned.  Those miners might not like the cartel policies, but they would have little choice.

I wrote about this concept extensively in my earlier posts on this same thread.


Title: Re: Funding network security in the future
Post by: Crowex on November 04, 2014, 09:13:42 AM
Quote
There would be a certain percentage of miners that would try and include any low fee paying transactions in their blocks (and maybe the community miners too, who want to provide this service) but for anybody with a reasonable share of the total hashing power it would definitely be against their long term self interest to move too far away from a cartel price (whether the cartel was natural or not) and I think that miners with a large share of hashing power would act according to these long term interests.

Quote
You could just as easily say that in the classic tragedy of the commons scenario, anyone with a reasonable number of cows would limit their grazing voluntarily because otherwise they'd be acting against their long term interest, so we don't have to worry about the tragedy of the commons. I think your argument fails for the same reason.

Ok, my main argument was that the tragedy of the commons wasn't a suitable analogy because the economic factors are different and you can't really make a square peg fit a round hole by saying that the consumers are selling a 'willingness to pay resource' to the suppliers.
The fact of the matter is that in reality the tragedy of the commons often doesn't occur and in these situations people will self-regulate and act in their long term self interests and common grazing actually has happened historically very successfully. So even though it isn't a suitable analogy in economic terms it might help in supporting my prediction of what would actually happen.

Quote
The market for digital products is similar in that once you have built the software for a computer game it doesn’t cost you any more no matter how many games you produce. However we don’t see the market price being driven down to the actual costs of production and below even though there is a willingness to pay a lower price.

Quote
This is a very dissimilar situation, because the game producer has a monopoly on the right to sell the game. If anyone off the street had a right to sell the game, you would see the price fall to almost zero.

Well you didn't quote me completely because I acknowledged that it wasn't a perfect analogy. The way in which this would support my argument is if, let's say, three spread sheet software suppliers were selling similar types of software to the same market. People might choose any one of the three products and there will always be a willingness to pay a lower price. However we don't necessarily see a 'race to the bottom' where the three suppliers continuously discount to grab these people who are only willing to pay the lower price. Even though in theory it doesn't cost them anything to get the extra income from these other customers since their production costs are fixed.

Miners who have invested a lot in hardware whose only income is from transaction fees would keep their fees at, maybe not exactly, but roughly the same prices. Most wallets would calculate fees at a price that would mean that transactions were mined by the majority or all of miners. i.e. A fee slightly higher than the current highest miner fee. This way all of the miners would actually get most of the transactions.
 The smaller miners who were taking all the lower fee transactions might benefit but the bigger they became there would be more incentive to only accept higher fees as it would have more of an effect on the market.
 These smaller miners also don't have the economy of scale and have higher block propagation times so their gains might be offset by other things.

 Anyway this is just what I think would probably happen, I could be wrong.


Title: Re: Funding network security in the future
Post by: Taek on November 04, 2014, 10:34:09 PM
Quote
If permanent inflation ends up being required to encourage large amounts of hashing power, the heavy hitters will switch to a chain that has permanent inflation built in. If % fees on transactions end up being the most attractive choice, then the heavy hitters will switch to the chain that has % fees, because though they may not like the fee, they value the security and the heavy hitters will care enough to stomach the fees. If a really restrictive block size ends up being the correct choice... and so on. Sidechains could let all of these experiments happen on the Bitcoin currency directly.

Quote
Unfortunately, sidechains could probably not be used to switch to a cryptocurrency (ccy) with permanent inflation. The reason is that if a new ccy had permanent inflation, no holder of that ccy could escape it, and everyone would be forced to pay for network security in proportion to their holdings. If you create a Bitcoin sidechain with permanent inflation, everyone has a choice as to whether to move their coins to that sidechain. So the only people paying for network security will be the people who choose to do so. You still have a free rider problem.

I said "probably" above because there might be some clever solution where you'd make it extremely costly and difficult to move one's coins back from the sidechain to Bitcoin which somehow encourages everyone to just move their coins there and keep them there, or you might be able to come up with some crazy rules on the sidechain that I haven't thought of. But as far as I know, no one has proposed a viable way that sidechains could be used to solve the future network security problem.


The sidechain is still a completely different blockchain, which means that the security extended to the holders of the coins on the sidechain does not need to apply to the coins on the Bitcoin main chain. Even if you use merge mining, there is still more security in being on the chain that is the primary financial backer of the mining - IE Bitcoin is substantially safer from a 51% than Namecoin, even though Namecoin technically has ~50% of the hashrate of Bitcoin. The amount of financial loss a miner will accept when switching away from Namecoin, or mining a specific fork of Namecoin, is much less than if the miner were to do the same to Bitcoin. Tactics like bribery could be much more effective in attacking Namecoin because most Namecoin miners mostly only care about the Bitcoin chain. They aren't invested in the long term health of Namecoin. Similarly, if in the distant future some sidechain has 10x the funds going into mining than the Bitcoin mainchain, paranoid entities are likely to strongly prefer holding their funds in that chain, even at the cost of some dilution to their holdings (as long as the dilution is minimal enough - obviously there's a gradient).


Title: Re: Funding network security in the future
Post by: jonny1000 on November 04, 2014, 10:36:26 PM
Quote
Suppose all the miners form a cartel. They will have no problem funding themselves; they can all agree not to include any tx that doesn't pay high fees. The users would pay this fee because they have no other choice.

Some users will try to pay a fee lower than the cartel's threshold. One miner decides to defect from the cartel; he includes in his block all these low-fee transactions. This costs him nothing, so this is a net profit for him (he benefits).

Seeing this, users will know that even if they don't pay the cartel's high fees, they can still get their tx included eventually. Thus, their willingness to pay high fees is lower (that is, the miner consumed their willingness). Thus, more users will try to pay low fees, and the total revenue of all miners decreases.

But it's not just the one miner. Every miner will, individually, have an incentive to include low-fee txs. This means that even with a low fee, it's easy to get a tx to the block. Thus, no user will want to pay high fees, and the total revenue of miners will be low (this is the tragedy - for the miners, and due to the effect on network health, for all Bitcoin users).

This is completely analogous to the classical instance of tragedy of the commons, where all herders would benefit if they all grazed just their fair share, but everyone is incentivized to defect and overgraze, depleting the resource and causing everyone to suffer.

+1 Meni. Great point well made.  I think this is a good analysis and description.  Of course it could be wrong, but I think it's definitely a good framework to think about these issues.

This is not as simple as the classic tragedy of the commons problem, because we also need to consider the impact of faster confirmation times on the system.  If one miner defects and includes transactions with lower fees, then users with low fee transactions will still need to wait longer for confirmations, therefore many users could maintain the high fee level.  If a cartel is large enough, it is not clear to me at this stage, if this race to the bottom will occur or not.  However I think Meni’s comments are a very useful illustrative example of a framework to think about the problem, with some sensible assumptions and conclusions, even if some people don’t completely agree with the mining cartel logic.

Remember a competitive mining market with many miners is desirable any way, for other reasons.  The more competitive mining is the more likely a defection from the cartel is.


Title: Re: Funding network security in the future
Post by: DumbFruit on November 04, 2014, 10:54:51 PM
Quote
This is a very dissimilar situation, because the game producer has a monopoly on the right to sell the game. If anyone off the street had a right to sell the game, you would see the price fall to almost zero.

This. A topic often overlooked when discussing Bitcoin economics is called "free entry".

Free Entry can be defined as being able to bring a good or service to a marketplace as soon as they establish production of the good or service, impeded only by the costs of the capital.

Decentralization is a function of free entry and low capital requirements. Torrents are highly decentralized, for example, because participants can freely enter the market and the capital requirements are trivial.

Unarguably, there is actually a Natural Monopoly condition that exists in mining, because centralized mining is always economically superior than decentralized mining even when all of the competitors have equivalent overhead per hash/s, as I mentioned earlier.

RaisingRemoving the block size limit causes a race toward maximum transactions, and lowest fees necessary to run the network. In this way, raising capital requirements and damaging decentralization.

Hash-power atrophy, which would occur regardless of the block-size problem (And which is the topic at hand), actually helps with decentralization because it also lowers capital requirements. Is it really a safe assumption that bidding for block-space will "sufficiently" cover hashing costs?

So if the goal is to keep running nodes a trivial endeavor, then maybe this is a problem we don't want to fix? Maybe we want to be running a million USB miners rather than a handful of mining facilities?

Since the block-chain size is already not trivial (By some definitions), perhaps the block size is not too low, it's actually too high.

I don't know. It seems like to really address the problem, there would have to be a clear objective about what Bitcoin wants to achieve and what sacrifices it's willing to make to get there. If the Bitcoin protocol is going to compete with Visa credit cards, then we can simply throw the decentralization idea out the window in favor of Free Entry, and then the developers need to contend with the Natural Monopoly problem.


Title: Re: Funding network security in the future
Post by: Mike Hearn on November 05, 2014, 01:28:17 PM
I didn't notice this thread was resurrected.

Miners who want to complete an assurance contract with their own funds can only reliably do that if they keep their own pledge private. But then they're not getting all the money for the mining, they only get 10 BTC instead of the 50 BTC others are targeting or whatever. So they can't hash as fast, because they have less money to do it, so they're less likely to find a block and those other pledges they were trying to claim for themselves end up being taken by other miners. They end up with nothing.

Still, if it doesn't work out like that, there are other ways to set things up as pointed out up thread: you can delay the ability to claim the raised funds by a number of blocks using a kind of height-relative lock time and then you can't keep pledges private any more or control who gets to claim them. I would worry more about the nature of trying to raise funds for a continuous good - I'm not aware of any other examples of assurance contracts being used in such a way, and that feels like a more fundamental open problem than people playing games with the protocol.

Anyway, by the time this is a real issue, perhaps nobody will care about PoW based block chains. I'd be disappointed if this was the last idea humanity ever had for solutions to the byzantine generals problem.  So it's fun to speculate about but I'm in Gavin's camp - when the time comes to jump this hurdle, people will find a way.


Title: Re: Funding network security in the future
Post by: go1111111 on November 07, 2014, 06:31:25 AM
Quote
Similarly, if in the distant future some sidechain has 10x the funds going into mining than the Bitcoin mainchain, paranoid entities are likely to strongly prefer holding their funds in that chain, even at the cost of some dilution to their holdings (as long as the dilution is minimal enough - obviously there's a gradient).

If the security in the main chain is much weaker than on the sidechain, 51% attackers on the main chain can steal "frozen" coins, causing even more dilution on the sidechain whenever they do so. So people would want the main chain to be roughly as secure as the sidechain.


Title: Re: Funding network security in the future
Post by: odolvlobo on November 12, 2014, 01:17:20 AM
Quote
...
Anyway, by the time this is a real issue, perhaps nobody will care about PoW based block chains. I'd be disappointed if this was the last idea humanity ever had for solutions to the byzantine generals problem.  So it's fun to speculate about but I'm in Gavin's camp - when the time comes to jump this hurdle, people will find a way.

Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.



Title: Re: Funding network security in the future
Post by: instagibbs on November 12, 2014, 04:10:01 AM
Quote
Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.

51% attacks will always be a problem for consensus systems of any sort.


Title: Re: Funding network security in the future
Post by: Gavin Andresen on November 12, 2014, 06:34:36 PM
Quote
Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.

You are wrong.

Example that should make it clear:

Honest miner with 50% hash power:  will mine 6 blocks every two hours (on average). Rest of the network will mine the other 6 blocks.

Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

Result: if the attacker is the longest chain, they'll get half as many BTC as honest mining (if they are unlucky and are not the longest chain, they'll get zero).

If they could keep up the attack for a full month until difficulty adjusts then they'll start making what they would have been making if they were honest.


Title: Re: Funding network security in the future
Post by: go1111111 on November 12, 2014, 09:49:35 PM
Quote
Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

If the attacker had 51% of the hash power, they could get 100% of the mining rewards though right? Because whenever anyone else mined a block, the attacker can always overtake that chain with one in which they mine every block.

odolvlobo seems to be asking about a strange sort of 51% attack. The typical kind that gets talked about is that you have some pre-existing coins and you use your large hashrate to double spend those coins. The attack being suggested is to simply grab all the mining rewards and spend those.

On its surface this sounds like a good "attack" because you basically can mine coins at half the cost that honest miners were paying to mine. If I had 51% of all hashpower and was wondering whether to carry out this kind of attack, I'd worry that my actions would tank the BTC price once people realized that one miner controlled all mining, and that I would have to settle for a much lower price for my mining rewards.

This situation is basically the "mining cartel" that Cubic Earth was posting about. Right now Discus Fish, GHash.IO, KnCMiner, and BTCGuild have over 51% of hashrate. Suppose they have 55% so they could form a private agreement to only build on each other's blocks. Now they are getting 100% of block rewards instead of 55%, almost doubling their revenue and maybe increasing their profits by 10x. Miners in other pools will then want to switch to one of these pools, because they are the only pools that make any money. These pools will not want to let in more people (technically, more hash power) though, because they don't need more people to control the network. Why split the mining rewards with more people when you don't have to? The cartel would want to stay just big enough to not jeopardize their control of the network.

As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

Eventually, the cartel may be able to lower their hash rate to almost nothing (and therefore earn huge profits). In this case network security would not be provided by actual hashing, but by the knowledge that if anyone tried to attack the network, the cartel would then turn on their full hash rate capability until the attacking chain was overtaken. Maybe the cartel would mine at 100% for brief spurts just to assure the community of their power. In this situation people would realize it was futile to attack the network, so they wouldn't try.

Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

Anyone know if this cartel situation has been analyzed in more depth anywhere?


Title: Re: Funding network security in the future
Post by: 2112 on November 12, 2014, 11:48:51 PM
As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

Eventually, the cartel may be able to lower their hash rate to almost nothing (and therefore earn huge profits). In this case network security would not be provided by actual hashing, but by the knowledge that if anyone tried to attack the network, the cartel would then turn on their full hash rate capability until the attacking chain was overtaken. Maybe the cartel would mine at 100% for brief spurts just to assure the community of their power. In this situation people would realize it was futile to attack the network, so they wouldn't try.

Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

Anyone know if this cartel situation has been analyzed in more depth anywhere?
I did a brief analysis over 2 years ago in my long-term mining prognosis post (from the signature):

https://bitcointalk.org/index.php?topic=91101.0

Because it is effectively a reductio ad absurdum of the whole* Bitcoin concept you are not likely to get much response or discussion about the idea.

Edit: (*) Not really the whole, but mostly the might-makes-right aspect of the current proof-of-work.


Title: Re: Funding network security in the future
Post by: Gavin Andresen on November 13, 2014, 12:23:02 AM
You are wrong.

Example that should make it clear....

Wait... no... that example is only valid for the "attacker takes over existing mining pools" case, where formerly honest miners are co-opted to be evil (or gang up in a cartel to be evil).

If somebody collects as much hashing power as the rest of the network combined and then suddenly attacks, then yes, indeed, difficulty stays the same, the attacker gets all the mining rewards, and there are twice as many stale blocks as before.  Attacker gets 6 block rewards per hour.

If they were to mine honestly, blocks would be created twice as fast until difficulty adjusted, so they'd get 6 block rewards per hour for a week (same as if they decide to attack). Then difficulty would double, and they'd get only 3 per hour.


Title: Re: Funding network security in the future
Post by: TierNolan on November 14, 2014, 10:29:35 AM
As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

As the hashing power drops, the cartel has an incentive to kick members.  That means that the smallest member has an incentive to not join in the first place.

One of the issues is that mining pools don't actually control all of their hashing power.  If they annoy the community, they could lose support.

Quote
Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

The 6 block confirm system would pretty much eliminate that anyway.  The cartel's chain is unlikely to fall 6 blocks behind.
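The scenario discussed in the posts above (a majority miner or cartel that never builds on outside blocks), simulated as an added example that is not written by any poster. The race model, function names and parameters are assumptions: each block is found by the cartel with probability q, and outsiders follow the longest chain they have seen, keeping their own fork on ties. It reproduces the reward rates of the 50% case and measures how often an outside fork gets k blocks ahead of the cartel's chain.

```python
import random


def reward_rates(q, base_rate=6.0):
    """Block rewards per hour for a miner holding fraction q of the new total
    hash power, when the rest of the network alone finds base_rate blocks/hour
    at the current difficulty."""
    if not 0 < q < 1:
        raise ValueError("q must be between 0 and 1")
    own_rate = base_rate * q / (1 - q)  # blocks/hour the miner finds by itself
    return {
        # Honest mining: the shared chain grows faster, miner keeps its own blocks.
        "honest_before_retarget": own_rate,
        # After difficulty adjusts, the whole network is back at base_rate.
        "honest_after_retarget": base_rate * q,
        # Building only on its own blocks: the chain grows at the miner's own rate.
        "own_chain_only": own_rate,
    }


def prob_lead_reaches(k, q):
    """Chance that a fork opened by one outside block gets k blocks ahead of the
    cartel-only chain before the cartel overtakes it (gambler's ruin)."""
    if k < 1 or not 0 < q < 1:
        raise ValueError("need k >= 1 and 0 < q < 1")
    p = 1 - q
    # Walk on lead+1: start at 2, absorbed at 0 (fork orphaned) or k+1 (lead k).
    if abs(p - q) < 1e-12:
        return 2 / (k + 1)
    r = q / p
    return (1 - r ** 2) / (1 - r ** (k + 1))


def simulate_cartel(q, events, k=6, seed=1):
    """Monte Carlo run of `events` block discoveries with a cartel of share q."""
    if not 0.5 < q < 1:
        raise ValueError("the cartel scenario needs a majority: 0.5 < q < 1")
    rng = random.Random(seed)
    cartel_blocks = outsider_blocks = stale = 0
    forks = forks_reaching_k = deepest_reorg = 0
    on_fork, lead, fork_len, reached = False, 0, 0, False
    for _ in range(events):
        if rng.random() < q:
            cartel_blocks += 1
            if on_fork:
                lead -= 1
                if lead < 0:  # cartel chain strictly longer: outsiders reorg onto it
                    stale += fork_len
                    deepest_reorg = max(deepest_reorg, fork_len)
                    on_fork, lead, fork_len = False, 0, 0
        else:
            outsider_blocks += 1
            if on_fork:
                lead += 1
                fork_len += 1
            else:  # first outside block on top of the cartel tip opens a fork
                on_fork, lead, fork_len, reached = True, 1, 1, False
                forks += 1
            if lead >= k and not reached:
                reached = True
                forks_reaching_k += 1
    return {
        "cartel_blocks": cartel_blocks,
        "outsider_blocks": outsider_blocks,
        "stale_outsider_blocks": stale,
        "unresolved_fork_blocks": fork_len,  # fork still open when the run ends
        "forks": forks,
        "frac_forks_reaching_k": forks_reaching_k / forks if forks else 0.0,
        "deepest_reorg": deepest_reorg,  # most outside blocks dropped in one reorg
    }


if __name__ == "__main__":
    print(reward_rates(0.5))
    for share in (0.55, 0.7, 0.9):
        run = simulate_cartel(share, 400_000)
        print(share, round(prob_lead_reaches(6, share), 4),
              round(run["frac_forks_reaching_k"], 4), run["deepest_reorg"])
```

The `deepest_reorg` figure is the one a merchant choosing a confirmation count would look at: it is the largest number of outside blocks that were visible on the longest public chain and later discarded.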


Title: Re: Funding network security in the future
Post by: odolvlobo on November 14, 2014, 09:16:29 PM
Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

If the attacker had 51% of the hash power, they could get 100% of the mining rewards though right? Because whenever anyone else mined a block, the attacker can always overtake that chain with one in which they mine every block.

odolvlobo seems to be asking about a strange sort of 51% attack. The typical kind that gets talked about is that you have some pre-existing coins and you use your large hashrate to double spend those coins. The attack being suggested is to simply grab all the mining rewards and spend those.

...

My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.


Title: Re: Funding network security in the future
Post by: DumbFruit on November 14, 2014, 09:53:38 PM
My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.
Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency. I wouldn't worry too much about that. There's no way for mining to be perpetually profitable.

As long as you're referring to profits and not revenue, that is...


Title: Re: Funding network security in the future
Post by: go1111111 on November 14, 2014, 10:08:30 PM
As the hashing power drops, the cartel has an incentive to kick members.  That means that the smallest member has an incentive to not join in the first place.

One of the issues is that mining pools don't actually control all of their hashing power.  If they annoy the community, they could lose support.

Usually the smallest member's actions won't be decisive though, so I think a small miner would always want to join the cartel if possible even if they worried about being kicked out, because it's very profitable and their alternative is 0 profit.

The cartel might kick miners out, although it carries a risk that an outside coalition could become stronger than them. Let's say the coalition started with 55% of all hashpower. Outside miners stop mining, the cartel reduces their hashing to 8% of capacity, and they kick some people out until they control only 50% of total hashpower instead of 55%. So now 50% of total hashpower is outside the cartel and making no money, but this 50% knows that if they could just organize themselves and either make an investment in more mining equipment or recruit some miners away from the existing cartel, they could take control and earn 100% of mining rewards. This would be a disaster for the cartel, so I don't think they'd want to kick too many people out.

The "new cartel" could also set a policy of never kicking anyone out. Maybe miners wouldn't believe them, but if they did it'd give small miners in the existing cartel who worried about being kicked out an incentive to switch.

I think the fact that pools don't control their hash power makes the cartel situation better for the Bitcoin community -- by ensuring that the cartel policy is roughly what the majority of miners want (otherwise they'd form a new cartel).

Quote
Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

The 6 block confirm system would pretty much eliminate that anyway.  The cartel's chain is unlikely to fall 6 blocks behind.

What I mean is that an attacker might have an idea to do a double spend by mining just one block, putting a transaction to a merchant only in their block (not broadcasting it to anyone else) and taking advantage of merchants who wait for only one confirmation. When this block gets orphaned, their transaction to the merchant will be rolled back, assuming the cartel doesn't harvest transactions from orphaned blocks even if they have no fees.

My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.

Consider the case where someone wants to pull off an attack but they have no hashpower now. So they buy enough hashpower so they have 30% of total hashpower. Then they do their attack. Mining is only barely profitable in the long run -- mining equipment is priced at a level where you likely need to mine for a super long time to make back your investment. So after the attack the attacker needs to mine honestly for a year or so to be truly costless (and still, there's a lot of risk that their forecast of the future hashrate was off, and they'll lose a lot of money).

I think the traditional argument against this is that such attacks would undermine faith in the network and lower the BTC price, so if an attacker had enough hashpower to pull off a 51% attack, then by causing the BTC price to drop they'd be significantly reducing their future revenue, likely more than offsetting any benefit from their attack.


Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency.

Correct -- all mining profits will be competed away to 0 in the long run (absent a cartel), since mining is close to perfect competition. But odolvlobo's argument can be recast to say that an attack would be "costless" instead of profitable, since if an attacker could use his mining investment to mine he at least would come out somewhat near breaking even (again assuming his attack didn't wreak too much havoc).


Title: Re: Funding network security in the future
Post by: DumbFruit on November 17, 2014, 04:46:23 PM
Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency.

Correct -- all mining profits will be competed away to 0 in the long run (absent a cartel), since mining is close to perfect competition. But odolvlobo's argument can be recast to say that an attack would be "costless" instead of profitable, since if an attacker could use his mining investment to mine he at least would come out somewhat near breaking even (again assuming his attack didn't wreak too much havoc).
So the competitors in mining would lose nothing by colluding, but could significantly gain, absent consumer boycotting.
Perhaps instead of fighting market forces, mining collusion should be encouraged. If the collusion is detrimental to its consumers, then the consumers have plenty of other places to go.
Instead of decentralization of Bitcoin, we could think of decentralization in the broader sense of a currency marketplace.
That's pretty much the same as throwing in the towel, but at least it can be recognized that the death of individually decentralized currency isn't the death of decentralized currency marketplaces.

It's depressing to think about mining companies getting together to try to decide what the appropriate transaction fee should be. That's certainly not the vision I bet most of us had when we first learned about Bitcoin.


Title: Re: Funding network security in the future
Post by: Flashman on November 17, 2014, 05:58:01 PM
Random thought with no regard to the technicalities, a percentage demurrage, deferred by contributing hashpower. Using a spitball of current figures, seems like it "costs" about 20GH to maintain 1 coin, divvying up total hash by coins issued. However, we'd then get a problem that you'd maybe have to mine direct to the wallet where all your coins are to validate the lack of demurrage for those coins. Unless it could work on a sort of merged or sidechained antidemurrage credit, so mine how you like and xfer the credits to where your coins are. Haven't done full evaluation and not sure what the calc will look like 25 years hence or whenever the real problem starts, but something of the order of 5% demurrage per annum seems to fit. Then if coin owner does not mine, or possibly buy credits off those that mine and sell instantly, that demurred coin gets tacked onto block reward.

I don't know if it will need to be as high as 5% by that time maybe not even necessary until much later, presuming cost to maintain given %age of network hash (constant share of blocks) remains roughly consistent, then mining a single coin block with a $25000 coin value makes it look a lot more profitable than today's ~$10,000 block value.... and I've seen blocks now that have almost an extra coin in tx fees.

This may of course have an effect, seen as either desirable or undesirable, that it eventually returns all "lost" coins to circulation. Okay, most of all of them, damn Xeno.


edit: derp, I realise I more or less looped the calc there, turns out "cost to maintain current level of service" as it were is pretty close to current block reward, when calculated with current typical ASIC efficiencies, current price, current hashrate etc.... we will be expecting that to self tune for many years yet.


Title: Re: Funding network security in the future
Post by: go1111111 on December 26, 2014, 06:03:58 AM

I've been thinking about "weak subjectivity" lately as a method of securing blockchains, after Vitalik started advocating it as a good form of consensus. It embraces a different security model than Bitcoin, requiring more trust. The Bitcoin wizards are very skeptical of this, saying the security model basically boils down to "just ask coinbase which chain is the real one." However it seems to me that in practice, weak subjectivity might end up approximating full trustlessness very closely. My argument is below. I'm very interested in getting critiques about how specifically this model is likely to be attacked.

For anyone not familiar with weak subjectivity, see Vitalik's explanation at https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

The tl;dr version is that in this system, if you're not online for some period of time, say 4 months, you need to get a blockchain checkpoint from other people, because you won't be able to tell which one is valid on your own. For anyone who has been online since the genesis block, they don't need to trust anyone. Also, once you do get a checkpoint, you don't need to trust people further going forward (beyond your continued trust that you got the right checkpoint), unless you go offline for > 4 months in the future and come back. Given this, all new nodes need to use trust to get an initial checkpoint.

So the obvious argument against this is: "if new or returning nodes have to ask coinbase what the correct chain is, why don't we just use a fully centralized system operated by coinbase?"

However, it seems that no one who actually cares about security would put their trust in one entity, instead you'd want to ask a lot of entities which chain is correct. Let's imagine in the future Bitcoin has switched to a weak subjective security model, and I'm coming online after 4 months away. Here's who I would ask about the correct chain:

Peter Todd, Gavin Andresen, the Darkwallet guys, Coinbase, my friend who I used to work with who operates a full Bitcoin node, Bitstamp, the Electronic Frontier Foundation, Julian Assange, Greg Maxwell, Mike Hearn, Bram Cohen, Paul Sztorc, Nick Szabo, Robert Sams, Adam Back, Matthew Green, Andrew Miller, Richard Gendal Brown, Balaji Srinivasan, Naval Ravikant.

So that's 20 entities who I think would (a) have an opinion on which chain is real, and (b) be fairly likely to give me an honest answer.

Let's assume I ask all of these 20 sources, and they all tell me the same chain is the legit one. In that case, what should I think is the probability that they are all giving me the same wrong information? Since I have to trust them, there's some chance that they're all wrong. But under what realistic circumstances could this happen? And is that really significantly more likely than some hacker having taken over my computer in the current Bitcoin world, and feeding me info about a false chain?

The general idea is that similar to how zero-knowledge proofs work (where you can keep asking questions until the probability that the prover doesn't have a real solution is arbitrarily small), in a world of weak subjectivity I can keep asking different sources and investigating their trustworthiness until the probability that they're all lying to me is extremely small (The analogy isn't perfect because people lying to me about checkpoints aren't fully independent events). Because anyone can run a full node, there's not some easy set of people for governments or other censors to go after if they want to suppress info about the real chain.

My intuition though is that asking the 20 sources above is millions of times less likely to result in me getting a wrong checkpoint than asking just Coinbase, and that this probability is so close to 0 as to be negligible.

Can someone who is more skeptical of weak subjectivity describe a concrete scenario in which someone like me taking steps like I outline above would fail to get the right chain?
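The checkpoint procedure described in this post (ask many sources, accept only when they agree), written out as an added example that is not part of the original post or of any client. The source names, hashes, thresholds and failure model are constructed assumptions; `p_all_wrong` keeps a shared (common-mode) failure separate from independent per-source compromise, which is the non-independence the post itself points out.

```python
from collections import Counter

# Constructed sample data: 20 placeholder sources and two made-up block hashes.
SOURCES = [f"source-{i:02d}" for i in range(1, 21)]
GOOD = "aa" * 32
BAD = "bb" * 32


def choose_checkpoint(answers, min_responses=15, min_agreement=1.0):
    """Decide whether to adopt a checkpoint hash for one agreed block height.

    answers maps source name -> block hash (hex string), or None if the source
    did not reply. Returns (hash or None, report)."""
    if not 0.5 < min_agreement <= 1.0:
        raise ValueError("min_agreement must be above 0.5 so ties cannot pass")
    replies = {s: h.strip().lower() for s, h in answers.items() if h}
    report = {
        "responses": len(replies),
        "silent": sorted(s for s in answers if s not in replies),
        "dissent": [],
        "agreement": 0.0,
    }
    if len(replies) < min_responses:
        report["reason"] = "too few responses"
        return None, report
    top_hash, votes = Counter(replies.values()).most_common(1)[0]
    report["agreement"] = votes / len(replies)
    # Sources that disagree are listed even when the checkpoint is accepted,
    # so the operator can investigate them.
    report["dissent"] = sorted(s for s, h in replies.items() if h != top_hash)
    if report["agreement"] < min_agreement:
        report["reason"] = "sources disagree"
        return None, report
    report["reason"] = "accepted"
    return top_hash, report


def p_all_wrong(n, p_each, p_common=0.0):
    """Upper bound on P(all n sources report the same wrong checkpoint).

    Assumed model: with probability p_common one event (shared software, shared
    upstream, coercion of the whole group) corrupts every answer; otherwise each
    source is compromised independently with probability p_each, and all
    compromised sources are assumed to name the same wrong hash."""
    return p_common + (1 - p_common) * p_each ** n


def improvement(n, p_each, p_common=0.0):
    """How many times less likely n agreeing sources are to be wrong than one."""
    return p_all_wrong(1, p_each, p_common) / p_all_wrong(n, p_each, p_common)


if __name__ == "__main__":
    unanimous = {s: GOOD for s in SOURCES}
    print(choose_checkpoint(unanimous))
    print(choose_checkpoint({**unanimous, "source-07": BAD}))
    print(improvement(20, 0.01))               # fully independent sources
    print(improvement(20, 0.01, p_common=1e-6))  # with a small shared failure
```

With fully independent sources the gain from 20 answers is astronomically large; once a shared failure mode is assumed, that term sets the floor and further sources stop helping.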
 


Title: Re: Funding network security in the future
Post by: 2112 on December 26, 2014, 06:41:59 AM
Can someone who is more skeptical of weak subjectivity describe a concrete scenario in which someone like me taking steps like I outline above would fail to get the right chain?
The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value. Any discrepancies between the exchanges are decided by the arbitrageurs with capital, not by eggheads with propaganda position papers.

That is the difference between the real financial systems and the long-cons trading baloney.



Title: Re: Funding network security in the future
Post by: gmaxwell on December 26, 2014, 03:55:54 PM
The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value.
Seems to have worked out great for all those buying into MTGOX's view of the world.


Title: Re: Funding network security in the future
Post by: DumbFruit on December 26, 2014, 05:28:59 PM
Vitalik summarizes the problem with "Weak Subjectivity" here;

Quote from: Vitalik Buterin
This security assumption, the idea of “getting a block hash from a friend”, may seem unrigorous to many; Bitcoin developers often make the point that if the solution to long-range attacks is some alternative deciding mechanism X, then the security of the blockchain ultimately depends on X, and so the algorithm is in reality no more secure than using X directly – implying that most X, including our social-consensus-driven approach, are insecure.

He then fails to rephrase the problem and addresses that incorrect rephrasing of the problem. This is called a "Straw man".

Quote from: Vitalik Buterin
However, this logic ignores why consensus algorithms exist in the first place. Consensus is a social process, and human beings are fairly good at engaging in consensus on our own without any help from algorithms; perhaps the best example is the Rai stones, where a tribe in Yap essentially maintained a blockchain recording changes to the ownership of stones (used as a Bitcoin-like zero-intrinsic-value asset) as part of its collective memory. The reason why consensus algorithms are needed is, quite simply, because humans do not have infinite computational power, and prefer to rely on software agents to maintain consensus for us. Software agents are very smart, in the sense that they can maintain consensus on extremely large states with extremely complex rulesets with perfect precision, but they are also very ignorant, in the sense that they have very little social information, and the challenge of consensus algorithms is that of creating an algorithm that requires as little input of social information as possible.

He rephrases the problem as fundamentally a computational problem, that the only reason trusting X is not usually ok is because we don't have computation to help us understand X and appropriately trust X.
This is not the problem with "Weak Subjectivity", this is not the reason why trusting X is a problem, and it begs the question by presuming that doing this "Weak Subjectivity" is better than simply trusting in X via any kind of system X wants to implement.

Or in other words;
Quote from: Vitalik Buterin
Bitcoin developers often make the point that if the solution to long-range attacks is some alternative deciding mechanism X, then the security of the blockchain ultimately depends on X, and so the algorithm is in reality no more secure than using X directly...


Title: Re: Funding network security in the future
Post by: go1111111 on December 26, 2014, 08:25:55 PM
The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value. Any discrepancies between the exchanges are decided by the arbitrageurs with capital, not by eggheads with propaganda position papers.

The exchanges get their power from offering services to the people who want to trade. If an exchange wanted to adopt an illegitimate chain, people would clearly see they were using an illegitimate chain, using the method I described above, so demand for its services would plummet and it would be overtaken by competitors using the right chain. If you think people wouldn't be able to tell which chain was real on their own, without being told by the exchanges, you should give some argument why you think the method I describe above wouldn't work.

This is not the problem with "Weak Subjectivity", this is not the reason why trusting X is a problem, and it begs the question by presuming that doing this "Weak Subjectivity" is better than simply trusting in X via any kind of system X wants to implement.

I agree that Vitalik's rephrasing of the issue isn't great. Are you claiming that weak subjectivity offers no more security than full subjectivity (aka, just coming to a consensus by trusting various people without any underlying rules as described in the weak subjective system)? If so I'll try to give a better argument than Vitalik in my next reply.

I'm still curious to hear how people specifically think my method of discovering the true chain would fail.


Title: Re: Funding network security in the future
Post by: 2112 on December 26, 2014, 10:43:23 PM
The exchanges get their power from offering services to the people who want to trade. If an exchange wanted to adopt an illegitimate chain, people would clearly see they were using an illegitimate chain, using the method I described above, so demand for its services would plummet and it would be overtaken by competitors using the right chain. If you think people wouldn't be able to tell which chain was real on their own, without being told by the exchanges, you should give some argument why you think the method I describe above wouldn't work.
Well, who's going to be mining if not exchanges, when the general mining becomes continuously non-profitable?
Seems to have worked out great for all those buying into MTGOX's view of the world.
I don't think that MtGox was postulating the existence of different blockchains.

The way I understood the blockchain discrepancy in May of 2013 was that Bitcoin Foundation and/or core developer team evaluated transactions on both of the competing chains, chose one branch and then reimbursed the affected exchange (OKcoin?) or the affected user (macbook_air?). Edit: Apparently I misremembered things. A double spend was successful, but not reimbursed by the Bitcoin Foundation nor the core development team. https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki End of edit.

I don't think that Bitcoin Foundation would have enough capital to do all future reimbursement in case of chain discrepancies.

The regular accounting behavior when the "books don't close" is to halt or suspend trading until the mutually agreeable resolution could be achieved. In my opinion no large capital entities will risk Bitcoin trading when they have no say in the decisions made when the discrepancy occurs.

One could argue that the May 2013 event was resolved in favor of those running buggy software and to the detriment of those running the software free of the bug that causes fork. That bug could be easily fixed with simple 2 line DB_CONFIG file and restart of the Bitcoin client, which would take much less than 10 minutes.

On the other hand I understand the pressure that was put on the core development team to issue a "patch" and "new compiled executables", especially from the people unfamiliar with operational issues of the database systems.

Finally the core development team is always torn between the needs of two vastly different subgroups of the Bitcoin milieu: the anarchists and the statists (or etatists, meaning those who are OK with the existing state's governments, not anti-dynamists). In the future I could envision a chain split between a monetary exchange (Bitcoin<->FIAT, subject to KYC and other regulations) and e.g. ammunition exchange or survivalist gear exchange patronized by the anarchists. This is the situation where I think you wouldn't ask the Bitcoin elders about the chain correctness, but you'll simply synchronize to the chain that will allow you to trade your Bitcoins for USD or bullets, depending on your particular needs.


Title: Re: Funding network security in the future
Post by: go1111111 on December 26, 2014, 11:41:43 PM
Well, who's going to be mining if not exchanges, when the general mining becomes continuously non-profitable?

Not sure why you think mining would not be profitable. In case it wasn't clear, this weak subjectivity system is a variant of proof of stake (https://download.wpsoftware.net/bitcoin/pos.pdf). The classic critique of PoS is that the costs of "mining" are too low, not too high.

Anyway, I don't want to turn this thread into a rehash of various issues with proof of stake. I'm just interested in whether forbidding long range attacks using a "weak subjective" system offers some advantage over a fully subjective system, and how much advantage that would translate into in practice. Sadly I imagine that most Bitcoin wizards have PoS-fatigue because lots of uninformed people like to talk about it and make claims about how great it is. So hopefully I've narrowed the topic enough that this particular question is worth answering for them.


Title: Re: Funding network security in the future
Post by: 2112 on December 26, 2014, 11:54:35 PM
Not sure why you think mining would not be profitable. In case it wasn't clear, this weak subjectivity system is a variant of proof of stake (https://download.wpsoftware.net/bitcoin/pos.pdf). The classic critique of PoS is that the costs of "mining" are too low, not too high.
Proof-of-stake does nothing to prevent vertical integration where the large stakeholders (who can keep their stakes semi-cold for a long continuous time and have cross-subsidizing income from the other side of the transactions) can easily outcompete others who can only stake their short-term revolving capital. It is the same problem, only the first initial step to the capital concentration is different.


Title: Re: Funding network security in the future
Post by: DumbFruit on December 29, 2014, 06:09:20 PM
I agree that Vitalik's rephrasing of the issue isn't great. Are you claiming that weak subjectivity offers no more security than full subjectivity (aka, just coming to a consensus by trusting various people without any underlying rules as described in the weak subjective system)?
Sort of. Look, if I'm going to trust a handful of people that have, or once had, control of the block-chain by virtue of having a bunch of the currency units, then why not make that an explicit assumption and build the currency around it?
PoS tries to reach a middle ground between a trusted centralized currency and an un-trusted decentralized cryptocurrency and it ends up in a kind of no-man's land where you take all the disadvantages of both systems without any of the benefits.

I would much rather trust public entities in a centralized system rather than anonymous entities in a pseudo-distributed system.

With a PoS system you are literally putting into the hands of the 1% the ability to reverse any transaction that they like while remaining anonymous. "Weak Subjectivity" obfuscates this problem by layering on a stewardship of "trustworthy" individuals. Everyday users are expected to accurately audit the trustworthiness of these people distributing the blockchain, but even when they find those whom they are "supposed" to trust, we have no guarantees that those people are actually trustworthy and have no way of ascertaining it. By what algorithm can you verify the intentions of people?

What guarantees does a PoS currency offer when financial institutions are subject to a large theft? How about in a financial crisis like the dot-com bust or innumerable other financial meltdowns? Who knows what kind of other shenanigans the clever (devious?) people in institutions like Goldman Sachs could come up with. What will the algorithm do when there is maybe a legitimate dispute that arises among the wealthy elite? By design, the safeguards break down when the largest stakeholders want them to.

"Subjective Systems" work pretty well. Visa handles many orders of magnitude more transactions than Bitcoin or any PoS coin and yet un-resolvable thefts and hacks are relatively uncommon. As it turns out, maybe there's actually plenty of information about "Subjective Systems" in order to make pretty good decisions about whether or not you want to use them. That is despite Vitalik's insistence that they don't work because of a lack of computational ability.


Title: Re: Funding network security in the future
Post by: go1111111 on December 30, 2014, 06:48:49 AM
Are you claiming that weak subjectivity offers no more security than full subjectivity (aka, just coming to a consensus by trusting various people without any underlying rules as described in the weak subjective system)?
Sort of. Look, if I'm going to trust a handful of people that have, or once had, control of the block-chain by virtue of having a bunch of the currency units, then why not make that an explicit assumption and build the currency around it?

Not sure if this is a claim you're making, but you refer to a "handful" of people controlling the PoS chain. I assume you mean this handful has over 51% of coins. One could also posit a handful of people who have control over 51% of hashpower of a PoW chain. Do you believe that it's much more likely for coin ownership to be concentrated and therefore for a PoS system to evolve into a cartel, as opposed to hash power being concentrated enough to lead to a 51% cartel?

PoS tries to reach a middle ground between a trusted centralized currency and an un-trusted decentralized cryptocurrency and it ends up in a kind of no-man's land where you take all the disadvantages of both systems without any of the benefits.

I don't understand why you're saying PoS requires more trust than PoW. In PoS you only need to trust a group if they've formed some sort of 51% cartel right? Same as with PoW?

With a PoS system you are literally putting into the hands of the 1% the ability to reverse any transaction that they like while remaining anonymous.

You're claiming 1% of the people own over 50% of Bitcoins? I could believe that. But this 1% is still probably 1000 people. Don't you think the top 1000 individual mining entities control more than 51% of hashpower? Wouldn't the same thing that makes you comfortable with 1000 people owning > 51% of mining power also make you comfortable with 1000 people owning > 51% of coins? What's the difference?

"Weak Subjectivity" obfuscates this problem by layering on a stewardship of "trustworthy" individuals. Everyday users are expected to accurately audit the trustworthiness of these people distributing the blockchain, but even when they find those whom they are "supposed" to trust, we have no guarantees that those people are actually trustworthy and have no way of ascertaining it. By what algorithm can you verify the intentions of people?

"Everyday users" will always rely on trust. How many users fully validate the blockchain on their own? Among those that do, how many of those users are sophisticated enough to detect if the core devs maintaining the Satoshi client make some malicious code change? Almost no one would know that the software they were relying on to validate the blockchain was tampered with. These people are implicitly trusting both the core developers, and also trusting the small minority of experts who would actually notice something wrong with the Bitcoin project on github and talk about it in the media.

I run Bitcoin-QT, but I haven't read the code yet. I don't really know that Bitcoin-QT is validating things correctly and not tricking me. I'm just trusting that if it weren't, I would have heard about it. I claim that this is not meaningfully different than relying on weak subjectivity.

To be explicit:

This is why I trust the chain that Bitcoin-QT gives me: I know that anyone who wants to do the actual verification that the chain you get from Bitcoin-QT is the real chain can do so. I know that lots of people have read the code and verified everything, and I don't know of any credible people raising an alarm in the media.

This is why I'd trust the chain that I got from the 20 people I listed above, assuming Bitcoin had switched to a weak subjective system: I'd know that anyone who wanted to verify the chain objectively (by being online at least once a year) could do so if they wanted. I'd know that lots of other people had done that, and I'd know whether credible people were sounding any alarms in the media.

The level of trust required doesn't seem to change significantly for the average user. For the hardcore power user who doesn't want to trust anyone, they can simply be online at least once per year and they won't have to trust anyone.

Btw, I gave a list of 20 entities above who I would ask if I ever wanted to know whether a chain was valid. If I asked them tomorrow, what do you think the probability is that all those people would give me a fake chain?

By design, the safeguards break down when the largest stakeholders want them to.

I'm not sure what you mean here..


Title: Re: Funding network security in the future
Post by: goosoodude on December 30, 2014, 09:38:51 AM
Not sure why you think mining would not be profitable. In case it wasn't clear, this weak subjectivity system is a variant of proof of stake (https://download.wpsoftware.net/bitcoin/pos.pdf). The classic critique of PoS is that the costs of "mining" are too low, not too high.
Proof-of-stake does nothing to prevent vertical integration where the large stakeholders (who can keep their stakes semi-cold for a long continuous time and have cross-subsidizing income from the other side of the transactions) can easily outcompete others who can only stake their short-term revolving capital. It is the same problem, only the first initial step to the capital concentration is different.


What you are talking of is the basic PoS version. As it evolves, those particular problems can be mitigated. In particular, the Co-operative Proof of Stake which is being looked into doesn't have any use of coin age.


Title: Re: Funding network security in the future
Post by: DumbFruit on December 30, 2014, 06:16:14 PM
Are you claiming that weak subjectivity offers no more security than full subjectivity (aka, just coming to a consensus by trusting various people without any underlying rules as described in the weak subjective system)?
... Look, if I'm going to trust a handful of people that have, or once had, control of the block-chain by virtue of having a bunch of the currency units, then why not make that an explicit assumption and build the currency around it?

Not sure if this is a claim you're making, but you refer to a "handful" of people controlling the PoS chain. I assume you mean this handful has over 51% of coins. One could also posit a handful of people who have control over 51% of hashpower of a PoW chain. Do you believe that it's much more likely for coin ownership to be concentrated and therefore for a PoS system to evolve into a cartel, as opposed to hash power being concentrated enough to lead to a 51% cartel?

I'm having trouble picturing a universe in which Bitcoin mining doesn't downright centralize to one major mining entity, but even in that scenario PoW is preferable to PoS.

I was just saying that it's preferable to give power to entities that have to work for it rather than people that have or had enormous wealth due to natural market activities.

PoS tries to reach a middle ground between a trusted centralized currency and an un-trusted decentralized cryptocurrency and it ends up in a kind of no-man's land where you take all the disadvantages of both systems without any of the benefits.

I don't understand why you're saying PoS requires more trust than PoW. In PoS you only need to trust a group if they've formed some sort of 51% cartel right? Same as with PoW?

I don't think I'm saying anything outrageous there. The premise of this "Weak Subjectivity" is that some trust is required in order to rebuild the chain in the event that the node is offline for more than 4 months or whatever.

With a PoS system you are literally putting into the hands of the 1% the ability to reverse any transaction that they like while remaining anonymous.

You're claiming 1% of the people owns over 50% of Bitcoins? I could believe that. But this 1% is still probably 1000 people. Don't you think the top 1000 individual mining entities control more than 51% of hashpower? Wouldn't the same thing that makes you comfortable with 1000 people owning > 51% of mining power also make you comfortable with 1000 people owning > 51% of coins? What's the difference?

Not Bitcoins in particular, it's common for 40%+ of wealth to be in the hands of the top 1%. The mechanism of PoW makes the coin tremendously more secure even in the event of a 51% attack. PoW means that trying to do anything in the network is costly.

PoS, by contrast, can be attacked with little to no cost by around 1% of the stakeholders or any entity that can get control of that much stake at any point in the past. There's no way to algorithmically find and verify the correct blockchain, that's why "Weak Subjectivity" was proposed. It discards the idea of replacing trust with cryptography and instead explicitly states that we should go back to trusting certain figureheads when push comes to shove.

Proof of Work gives us proof about the current state of the blockchain, Proof of Stake is not really proof of anything.
I would go so far as to say the difference is that PoS is not a cryptocurrency, PoS doesn't replace the desirable features of PoW, and that's what makes me less comfortable with it in the event of an attack.

"Everyday users" will always rely on trust. How many users fully validate the blockchain on their own? Among those that do, how many of those users are sophisticated enough to detect if the core devs maintaining the Satoshi client make some malicious code change? Almost no one would know that the software they were relying on to validate the blockchain was tampered with. These people are implicitly trusting both the core developers, and also trusting the small minority of experts who would actually notice something wrong with the Bitcoin project on github and talk about it in the media.

I run Bitcoin-QT, but I haven't read the code yet. I don't really know that Bitcoin-QT is validating things correctly and not tricking me. I'm just trusting that if it weren't, I would have heard about it. I claim that this is not meaningfully different than relying on weak subjectivity.

To be explicit:

This is why I trust the chain that Bitcoin-QT gives me: I know that anyone who wants to do the actual verification that the chain you get from Bitcoin-QT is the real chain can do so. I know that lots of people have read the code and verified everything, and I don't know of any credible people raising an alarm in the media.

This is why I'd trust the chain that I got from the 20 people I listed above, assuming Bitcoin had switched to a weak subjective system: I'd know that anyone who wanted to verify the chain objectively (by being online at least once a year) could do so if they wanted. I'd know that lots of other people had done that, and I'd know whether credible people were sounding any alarms in the media.

The level of trust required doesn't seem to change significantly for the average user. For the hardcore power user who doesn't want to trust anyone, they can simply be online at least once per year and they won't have to trust anyone.

Btw, I gave a list of 20 entities above who I would ask if I ever wanted to know whether a chain was valid. If I asked them tomorrow, what do you think the probability is that all those people would give me a fake chain?

You can rationalize it all you like. The bottom line is that mathematical proofs can't be replaced by socializing. What are the odds? Greater than 0%. What are the odds that the Bitcoin code doesn't do what the Bitcoin code does? 0%.

I also don't really know what you mean when you say "fake chain". If someone builds a chain following all of the rules of the protocol, can you really call it "fake"? Doesn't it bother you that it's even possible for a blockchain to have multiple valid states?

By design, the safeguards break down when the largest stakeholders want them to.

I'm not sure what you mean here..

When the largest stakeholders want to reverse transactions they can.

"Weak Subjectivity" tries to fix this by encouraging users to find trusted users that will prevent them from downloading the "wrong" chain. (Which is the "right" chain according to its own rules.)

It's kind of like if the core Bitcoin devs came forward and said, "We've decided Proof of Work doesn't actually work, even when miners have the most work that doesn't necessarily mean the chain is correct, so in order to fix this problem, we're encouraging you to make a list of 20 or so people that you trust, and then only download the blockchain from those people. Kthxbai."

More than just the lack of rigorous security standards, I'm not sure what Proof of Stake accomplishes exactly. What does it offer that is better than both Bitcoin and average run-of-the-mill financial datacenter?


Title: Re: Funding network security in the future
Post by: go1111111 on December 30, 2014, 09:17:26 PM
The mechanism of PoW makes the coin tremendously more secure even in the event of a 51% attack. PoW means that trying to do anything in the network is costly.

I don't think the cost is that different.

In PoW, mining in the long run has roughly zero profits. That means that if the 51% of miners are doing anything which lets them still keep the mining rewards (like perhaps censoring transactions they don't like), then their costs are canceled out from mining rewards. If a 51% cartel in PoW did something to shake people's faith in them and cause the coin value to tank, then their costs would not be recouped, but they'd have already cashed out most of their mining rewards until that point, so the main cost is the loss of future revenue.

In PoS, if the major coin holders start double spending or do something to cause the coin's value to tank, they are harming themselves immensely because they had to lock up their coins in order to sign blocks, so they won't be able to cash out before they destroy the coin's value.

PoS, by contrast, can be attacked with little to no cost by around 1% of the stakeholders or any entity that can get control of that much stake at any point in the past.

I'm unfamiliar with the "1% attack" in PoS. Do you have a link describing how it'd work? (EDIT: if you're talking about "stake grinding", then I understand. I don't have a good argument against this, so it might doom PoS systems, but I'm still curious about the weak subjectivity issue separately).

Proof of Work gives us proof about the current state of the blockchain, Proof of Stake is not really proof of anything.

It's supposed to be proof that the signers of a block have locked up a certain amount of coins, which will be lost if anyone catches them signing other blocks. If there is some attack where these people can create another fork without losing their deposits, it'd be pretty bad for PoS. My impression is that the only way to do that was via a "long range attack", which is what weak subjectivity disallows at the cost of requiring some trust.

This is why I trust the chain that Bitcoin-QT gives me: I know that anyone who wants to do the actual verification that the chain you get from Bitcoin-QT is the real chain can do so. I know that lots of people have read the code and verified everything, and I don't know of any credible people raising an alarm in the media.

This is why I'd trust the chain that I got from the 20 people I listed above, assuming Bitcoin had switched to a weak subjective system: I'd know that anyone who wanted to verify the chain objectively (by being online at least once a year) could do so if they wanted. I'd know that lots of other people had done that, and I'd know whether credible people were sounding any alarms in the media.

The level of trust required doesn't seem to change significantly for the average user. For the hardcore power user who doesn't want to trust anyone, they can simply be online at least once per year and they won't have to trust anyone.

You can rationalize it all you like. The bottom line is that mathematical proofs can't be replaced by socializing. What are the odds? Greater than 0%. What are the odds that the Bitcoin code doesn't do what the Bitcoin code does? 0%.

The point was that perhaps 99% or more of Bitcoin users are relying on trust/socializing when they use Bitcoin already, and it works well for them because the system is set up in a way where anyone who wants to do the work of objective verification can do so. That 1% of people who read the code and verify everything themselves and refuse to trust anyone could also refuse to trust anyone by being online once a year in a weak subjective system. You can call it "rationalization", but I'm trying to evaluate the practical security implications of both systems and I don't see any argument why the practical differences would be significant.

Also, the chance of being wrong when a person tries to objectively verify the longest Bitcoin chain is not 0%. That is the relevant probability to compare to the chance of being wrong when asking trusted parties. If a person tried to objectively verify the longest Bitcoin chain now, they could make some technical error, be tricked into using corrupted software, be isolated from the rest of the network by some hacker, or be tricked by a hacker that has complete control over their machine. Maybe the probability of any of those things happening is less than 0.0001%, but what if the probability of being wrong using my method above is also less than 0.0001%? No one has attempted to address this. It's just "but trust is worse than not having to trust!" without any effort to measure and compare risks.

I also don't really know what you mean when you say "fake chain". If someone builds a chain following all of the rules of the protocol, can you really call it "fake"? Doesn't it bother you that it's even possible for a blockchain to have multiple valid states?

I was using "fake chain" above in the context of Bitcoin, using PoW as it does today. I meant, when I ask Greg Maxwell and the 19 other people I listed above which chain is the longest chain, what's the probability that they would all tell me some other chain is the longest, when this other chain isn't actually the longest?

For PoS, a fake/invalid chain would be a fork from longer than a year ago which is disallowed by the rules of the system but which I couldn't objectively determine if I hadn't been online in a year.

More than just the lack of rigorous security standards, I'm not sure what Proof of Stake accomplishes exactly. What does it offer that is better than both Bitcoin and average run-of-the-mill financial datacenter?

My motivation for bringing it up is that I'm worried about the long term security / required transaction fees of Bitcoin, when mining rewards run out. I'm trying to evaluate PoS + disallowing long range forks + weak subjectivity as a method of ensuring we have adequate security and low transaction fees in the future. The specific claim I'm trying to evaluate is that this type of PoS system I'm referring to might have better long run security economics than Bitcoin as it exists now, and in practice it might be equally decentralized as what we have now. In other words, the "but you have to trust someone!" point may just be academic, and in practice the difference between this and current-Bitcoin may be negligible.

As I mentioned before, I seem to be trying to evaluate PoS very late, such that almost all smart people involved in Bitcoin have already convinced themselves that PoS is worse than PoW and are sick of the topic. I'm willing to believe they're right that PoS is unworkable because they have a lot more knowledge than me, but I'd like to understand the reasons why, and weak subjectivity seems plausible to me.

So far, the best critiques of PoS I've seen are:
http://www.truthcoin.info/blog/pow-and-mining/
https://download.wpsoftware.net/bitcoin/pos.pdf

...sadly neither directly address the attempt to use weak subjectivity to get around the nothing at stake problem.

If anyone has other anti-PoS links that you think I'd find useful, please share them.
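The rule debated in the posts above (forks older than the revert window are disallowed, and a node offline longer than the window needs a checkpoint from parties it trusts), as an added Python sketch that is not part of any post and not code from a real client. The one-year window and the "ask 20 people" check come from the thread; the 14-of-20 quorum, longest-chain as the stand-in fork choice, and all block labels are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

DAY = 86400
WINDOW = 365 * DAY  # assumed revert limit, from "online at least once a year"

@dataclass(frozen=True)
class Block:
    hash: str   # constructed label standing in for a block hash
    time: int   # block timestamp in seconds

def make_chain(base, tag, first_height, count, step=100 * DAY):
    """Extend `base` with `count` constructed blocks labelled tag+height."""
    chain = list(base)
    for height in range(first_height, first_height + count):
        chain.append(Block(f"{tag}{height}", height * step))
    return chain

def classify(known, candidate, now):
    """Compare a candidate with the chain this node validated itself."""
    shared = 0
    for mine, theirs in zip(known, candidate):
        if mine.hash != theirs.hash:
            break
        shared += 1
    if shared == len(known):
        return "extends"                      # nothing we validated is reverted
    # known[shared] is the oldest block the candidate would revert.
    return "long_range" if now - known[shared].time > WINDOW else "short_fork"

def choose_chain(known, last_online, candidates, now, attestations=(), quorum=14):
    """Return (chain, mode). Longest admissible chain stands in for the
    real stake-weighted fork choice (assumption of this sketch)."""
    admissible = [c for c in candidates if classify(known, c, now) != "long_range"]
    mode = "objective"
    if now - last_online > WINDOW:
        # Offline too long: the node's own history cannot separate a
        # long-range fork from the real chain, so it needs a recent checkpoint.
        if not attestations:
            return None, "needs_checkpoint"
        checkpoint, votes = Counter(attestations).most_common(1)[0]
        if votes < quorum:
            return None, "no_quorum"
        admissible = [c for c in admissible
                      if any(b.hash == checkpoint for b in c)]
        mode = "weak_subjective"
    if not admissible:
        return None, "no_admissible_chain"
    return max(admissible, key=len), mode

# Constructed scenario: honest chain h0..h6 (one block per 100 days) and a
# longer fork that branches after h1 with back-dated timestamps.
HONEST = make_chain([], "h", 0, 7)
FORK = make_chain(HONEST[:2], "a", 2, 7, step=70 * DAY)
NOW = 610 * DAY

if __name__ == "__main__":
    # Node last online 210 days ago: rejects the fork from its own history.
    print(choose_chain(HONEST[:5], 400 * DAY, [HONEST, FORK], NOW)[1])
    # Node last online 510 days ago: must ask its trusted parties.
    print(choose_chain(HONEST[:2], 100 * DAY, [HONEST, FORK], NOW)[1])
    print(choose_chain(HONEST[:2], 100 * DAY, [HONEST, FORK], NOW,
                       attestations=["h5"] * 19 + ["a7"])[1])
```
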





Title: Re: Funding network security in the future
Post by: 2112 on December 30, 2014, 09:30:35 PM
What you are talking of is the basic PoS version. As it evolves, those particular problems can be mitigated. In particular, the Co-operative Proof of Stake which is being looked into doesn't have any use of coin age.
Perhaps there is a different way of explaining my position.

I see most of the posters in this thread interested mostly in relatively short-term, startup behavior of their chosen blockchain-validity algorithm.

I'm taking an opposite view. I assume already reaching an equilibrium or steady state. Every proof-of-something algorithm postulates existence of some society where a monetary system with that algorithm is dominant.

Let's give two very simplified examples:

1) Pure proof-of-work society expends all otherwise unallocated electricity defending their monetary system against an attack. Every power station is always running full-tilt strengthening the defenses against the attackers.

2) Pure proof-of-stake society always keeps maximum amount of money in a semi-cold storage as a guard/moat against an attack. Every spent or circulated monetary unit is weakening their defense against the ever-present attackers, so it is always a good thing to avoid spending money.

To me those examples look like dystopias, but at the same time I understand that they are intellectually very attractive to some people. (1) is a utopia for people with bunker mentality and paranoiacs. (2) is a utopia for compulsive tightwads.

I'm more interested in societies that are open and participatory and defend themselves only when really attacked, not under perpetual state of self-imposed war on drugs, terror, counter-revolution or other bogeymen. Doing sort of the reverse-engineering process I want to ponder which algorithms would be stable in the society I would like to be a member of.

The above leads me to the observation that the actual owners and users of the capital will have to have a say in the design and operation of the proof-of-whatever algorithm. All the paper algorithms designed by outsiders and operated in a social vacuum will be either unstable or lead to societies that are much worse than the current ones.


Title: Re: Funding network security in the future
Post by: go1111111 on December 31, 2014, 06:13:53 AM
1) Pure proof-of-work society expends all otherwise unallocated electricity defending their monetary system against an attack. Every power station is always running full-tilt strengthening the defenses against the attackers.

What's the point of that hypothetical? Miners will spend an amount up to the value of the block reward to get the block reward. If one million dollars per day is available in block rewards, it'd be foolish for miners to spend more than that to get them.


Title: Re: Funding network security in the future
Post by: Flashman on December 31, 2014, 05:52:32 PM
IMO, small scale miners will apparently pay more than apparent block value. For one thing, overheads and staffing costs are not a concern, for another, cooling may not be a significant cost, it being relatively easy to exhaust/disperse a kilowatt or two of heat compared to 15 kW per rack.

Then also, there is alternative cost of acquisition of small amounts of bitcoin. When small scale miner enthusiasts are taking a long term view, and want to accumulate coin, they may have the option of paying $20 in transfer fees to get fiat credit into exchange, possibly paying taxes on top of that, as had been the case in the UK and seems to be becoming the case in Australia, or using LocalBitcoins and paying the markup above market there, plus possibly a couple of bucks in ATM fees depending on banking arrangements. Anyway, while insignificant as a percentage when transacting several hundreds to thousands of dollars, the guy who only has a couple of hundred bucks a month to invest may be willing to pay more than "spot" to mine coins to offset these fees. In the heating season, it is also possible to defray heating costs for a hobbyist miner, if no natural gas, fuel oil, propane etc options are available and electric heat is the only option, then electric heat is a total loss in comparison against running even 1st generation Avalon machines for heat (Which is probably about a 20% offset these days). In my market I have calculated the heat to be worth about 3 cents a kilowatt, being approx what it costs in natural gas to get a kilowatt of heat.


Title: Re: Funding network security in the future
Post by: DumbFruit on January 26, 2015, 06:51:27 PM
I don't know if this is too old to post in, but I was thinking about this issue and I think I have an idea.

It was bothering me that we were trying to find a solution to intentionally break normal market behavior in order to decentralize the system and make it more inefficient. Whenever central planners get together and try to do such a thing* my instinct is to push against it and so my idea is to simply let the majority of Bitcoin centralize and separate the mechanism that actually needs to be decentralized; Hashing.

A marketplace for Proof of Work should be created with APIs that allow any particular program to acquire work from, and any particular device to provide work to.

All that would be required is that this PoW exchange build a blockchain of arbitrary hashes that don't particularly matter to the system itself.

I imagine that it would work in this way;

If I was a miner, I would download this software onto my computer and search for hashes just like I would do on Bitcoin today except that I do not hash transactions, but I'd hash any hashes (within some size constraint) that are provided to me. In remuneration I am paid however I like, decided on receipt of the hashes I am to inject into the blockchain. This could be Bitcoin, USD, gold deposits, stocks, whatever, and could be automatically paid out when the block is mined (Or more likely paid when the block has confirmed a number of times).

If I was a cryptocurrency programmer, my currency could be highly centralized, but its behavior would have to conform to the hashes that are provided to the PoW Exchange. I would provide block headers to the PoW Exchange to be included with the block and provide a fee that could be my cryptocurrency, if a miner will accept it, or any other form of payment.

There are numerous advantages and disadvantages to this kind of system, but it seems to solve the problem of "funding network security" as it creates a market for it. I expect that there would be multiple PoW Exchanges that compete with each other, as there are a variety of "magic numbers" that I don't think could be distilled to an absolutely correct form.

Would this work?

*http://mises.org/library/do-antitrust-laws-preserve-competition
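The proposal in the post above, as an added Python sketch that is not part of the post and not code from any existing project: an exchange block commits to client-submitted 32-byte hashes through a Merkle root, and a client system accepts one of its own headers only when an inclusion proof ties it to the exchange chain with the most work. The toy 12-bit difficulty, the Merkle layout, every name and all sample headers are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

GENESIS = b"\x00" * 32

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle(leaves):
    """Return (root, proofs); proofs[i] is a list of (sibling, sibling_is_left)."""
    if not leaves or any(len(leaf) != 32 for leaf in leaves):
        raise ValueError("commitments must be non-empty 32-byte hashes")  # size constraint
    level = [h(b"\x00" + leaf) for leaf in leaves]    # domain-separated leaf hashes
    pos = list(range(len(leaves)))
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        for k, p in enumerate(pos):
            sib = p ^ 1
            if sib < len(level):                      # unpaired last node has no sibling
                proofs[k].append((level[sib], sib < p))
            pos[k] = p // 2
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])                     # promote it unchanged
        level = nxt
    return level[0], proofs

def verify_inclusion(leaf, proof, root):
    node = h(b"\x00" + leaf)
    for sibling, sibling_is_left in proof:
        node = h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

@dataclass(frozen=True)
class ExchangeBlock:
    prev: bytes
    root: bytes    # Merkle root over the submitted hashes
    bits: int      # required leading zero bits (toy difficulty)
    nonce: int

    def block_hash(self):
        return h(self.prev + self.root + bytes([self.bits])
                 + self.nonce.to_bytes(8, "big"))

    def has_valid_work(self):
        return int.from_bytes(self.block_hash(), "big") >> (256 - self.bits) == 0

def mine(prev, commitments, bits=12):
    """Miner side: commit to whatever hashes were submitted, then grind a nonce."""
    root, proofs = merkle(commitments)
    nonce = 0
    while True:
        block = ExchangeBlock(prev, root, bits, nonce)
        if block.has_valid_work():
            return block, proofs
        nonce += 1

def chain_work(chain):
    """Total expected hashes; 0 if any link or any proof of work is invalid."""
    prev, total = GENESIS, 0
    for block in chain:
        if block.prev != prev or not block.has_valid_work():
            return 0
        total += 2 ** block.bits
        prev = block.block_hash()
    return total

def anchored(client_header, proof, chain, index):
    """Client side: is this header committed in block `index` of a valid chain?"""
    return chain_work(chain) > 0 and verify_inclusion(
        h(client_header), proof, chain[index].root)

def demo():
    # Constructed headers from three unrelated client systems.
    coin_hdr = b"examplecoin|height=1|state=aa11"
    b1, proofs = mine(GENESIS, [h(coin_hdr), h(b"sidechain-x|hdr-7"),
                                h(b"colored-coin-y|batch-3")])
    b2, _ = mine(b1.block_hash(), [h(b"examplecoin|height=2|state=bb22")])
    main = [b1, b2]
    # A conflicting header for the same height, anchored only in a shorter fork.
    rewritten = b"examplecoin|height=1|state=ff00"
    f1, fork_proofs = mine(GENESIS, [h(rewritten)])
    best = max([main, [f1]], key=chain_work)
    tampered = [ExchangeBlock(b1.prev, f1.root, b1.bits, b1.nonce), b2]
    return {
        "best_is_main": best == main,
        "main_work": chain_work(main),
        "original_accepted": anchored(coin_hdr, proofs[0], best, 0),
        "rewrite_accepted": anchored(rewritten, fork_proofs[0], best, 0),
        "tampered_work": chain_work(tampered),
    }

if __name__ == "__main__":
    print(demo())
```
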


Title: Re: Funding network security in the future
Post by: go1111111 on January 28, 2015, 02:09:53 AM
If I was a cryptocurrency programmer, my currency could be highly centralized, but its behavior would have to conform to the hashes that are provided to the PoW Exchange

I am not sure what problem this solves.

In the current world, miners are paid via some combination of inflation and tx fees. In your system, miners on the PoW exchange are paid by the entity who wants something hashed. But why does this entity want to pay you to hash exactly? And what is the source of value this entity is using to pay you?

Surely as a ccy creator I don't want to pay for security out of my own pocket. If I create my ccy in such a way that it somehow automatically sends its block rewards and tx fees to the PoW exchange, then it doesn't solve the fundamental problem that it's hard to ensure these block rewards and tx fees will result in an appropriate level of security. If in the future Bitcoin used this PoW exchange, the fact that block rewards were 0 could still lead to very little money being paid to the PoW exchange on behalf of Bitcoin, no?

It seems that the fundamental problem is that it's hard to create a decentralized source of value (like block rewards or tx fees) which matches security requirements in the far future, because decentralized rules tend to be less flexible. I don't see how a PoW exchange addresses that.





Title: Re: Funding network security in the future
Post by: DumbFruit on January 28, 2015, 03:18:28 PM
If I was a cryptocurrency programmer, my currency could be highly centralized, but its behavior would have to conform to the hashes that are provided to the PoW Exchange

I am not sure what problem this solves.

In the current world, miners are paid via some combination of inflation and tx fees. In your system, miners on the PoW exchange are paid by the entity who wants something hashed. But why does this entity want to pay you to hash exactly? And what is the source of value this entity is using to pay you?

A PoW Exchange like I described provides most of the benefits that the current PoW system does; Orders transactions, prevents double spends; ensures the present state of a cryptocurrency. A PoW Exchange is valuable proportional to how much work it can provide, and how much demand there is for that work.

What a cryptocurrency pays in exchange for what the PoW Exchange provides is between the miner and the cryptocurrency. Just like in Bitcoin, you could decide to mine for Bitcoins because you value them, but in an Exchange you could also choose any other form of payment. As far as I can tell, there's no reason to tie any form of payment into the PoW Exchange directly. All the Exchange cares about is which chain has the most work.

Surely as a ccy creator I don't want to pay for security out of my own pocket. If I create my ccy in such a way that it somehow automatically sends its block rewards and tx fees to the PoW exchange, then it doesn't solve the fundamental problem that it's hard to ensure these block rewards and tx fees will result in an appropriate level of security. If in the future Bitcoin used this PoW exchange, the fact that block rewards were 0 could still lead to very little money being paid to the PoW exchange on behalf of Bitcoin, no?

Fundamentally, I don't think it's possible to ever make any kind of algorithm that ensures the "right" amount of work. If that's true, then markets will handle it and the best that could be done is provide the right tools to allow cryptocurrencies to compete while still retaining the benefits of a strong Proof of Work backbone.

It seems that the fundamental problem is that it's hard to create a decentralized source of value (like block rewards or tx fees) which matches security requirements in the far future, because decentralized rules tend to be less flexible. I don't see how a PoW exchange addresses that.
I think when I wrote that the fees could be "automatic" I was being confusing. I only meant that the fees could be automatically paid out at a later date based on some predetermined rate decided between the cryptocurrency and potential miners. That "rate" is by no means automatic.

This addresses the funding problem not by trying to make some algorithm that imposes a fee or inflation, but by allowing markets to find equilibrium.

I'm sure I haven't thought through all of the implications that this would have but I can think of a few advantages over the current system;

1.) Because PoW can be provided to any kind of service; colored coins, side chains, and so on are supported by default.

2.) PoW nodes could require less resources to maintain.

3.) The price of Work could find its market clearing price; As there would no longer be any price fixing in the form of fees or inflation.

4.) Cryptocurrencies can leverage a more centralized architecture to allow greater throughput at a lower price per transaction, while not running the risk of any kind of 51% attack.


I stress that this doesn't mean that I could create a cryptocurrency that just relies on a PoW Exchange to charge my currency the "right" fee to provide Proof of Work.

Let's pretend that we have a PoW Exchange that exists. It has 100+ different cryptocurrencies that all use the system. They all have different security requirements; Some will pay for inclusion in every block, some might just do it every 300 blocks. Some might provide their own miners and just rely on them to include what they need in a block.
How a cryptocurrency decides its fees or inflation to pay for the Work is entirely up to the developers of that cryptocurrency; Maybe a democratic vote based on stake, maybe entirely controlled by a committee, or maybe it's just a flat fee that accumulates until a miner accepts it and includes them in a block.
Crucially, an informed decision can be made because they know the market clearing price of a particular form of Proof of Work.

Because they are all using the same blockchain, despite having very different architectures themselves, they all help fund a robust mining environment.


Title: Re: Funding network security in the future
Post by: go1111111 on January 31, 2015, 07:50:13 PM
Fundamentally, I don't think it's possible to ever make any kind of algorithm that ensures the "right" amount of work. If that's true, then markets will handle it and the best that could be done is provide the right tools to allow cryptocurrencies to compete while still retaining the benefits of a strong Proof of Work backbone.

I still don't see how the PoW exchange adds tools that help with the long term security problem.

Scenario 1: there's no PoW exchange. Things are as they are now. In the future, Bitcoin's mining rewards and transaction fees aren't enough to secure the network. Someone invents Bitcoin2 which uses a fork of the Bitcoin blockchain but has 1% inflation per year going forward. The market settles things by everyone moving over to Bitcoin2.

Scenario 2: there's a PoW exchange. Wouldn't the same thing happen? How is it better?

Quote
This addresses the funding problem not by trying to make some algorithm that imposes a fee or inflation, but by allowing markets to find equilibrium.

But the funding for the security still has to come from somewhere. What are you imagining there? If it were possible to create a funding source in a decentralized way that adjusts to the security needs of the network, why couldn't you just bake that into the ccy itself?

Quote
1.) Because PoW can be provided to any kind of service; colored coins, side chains, and so on are supported by default.

But if someone wanted to pay miners to put some PoW behind their colored coins, they could do it now right? Again I don't see where the money that pays for security is coming from in your scenario. You say the market will handle it. That implies someone will be paying for security. Who?

Quote
3.) The price of Work could find its market clearing price, as there would no longer be any price fixing in the form of fees or inflation.

Why is this not equivalent to all existing ccys not having any mining rewards or tx fees and having the policy that mining must be paid for only by direct contributions (again, from who?)?

Quote
How a cryptocurrency decides its fees or inflation to pay for the Work is entirely up to the developers of that cryptocurrency; maybe a democratic vote based on stake, maybe entirely controlled by a committee, or maybe it's just a flat fee that accumulates until a miner accepts it and includes them in a block.
Crucially, an informed decision can be made because they know the market clearing price of a particular form of Proof of Work.

If a ccy wanted to decide mining rewards by "a democratic vote based on stake" they could do that now, directly, without the PoW exchange, right? The ccy holders would also know how much various types of work cost without the PoW exchange and could vote accordingly.



Title: Re: Funding network security in the future
Post by: brituspol on February 01, 2015, 09:05:57 PM
Scenario 3:

Consider the miner fee as a rewarding currency. It's actually a reward given to the miner. If it has a higher price value than the original currency value, we get more network nodes. The price must be set much higher, more than 10 times the ccy value.

Separate address for miner fee, blockchain, and ofc exchange too.


Title: Re: Funding network security in the future
Post by: DumbFruit on February 03, 2015, 07:01:34 PM
I'm a bit frustrated because I'm having difficulty describing how this works. I think a demonstration would be necessary, though I don't think I have the time for it.

Answering the "who is paying into the PoW Exchange" question: it doesn't matter. PoW providers only care that they get paid at the market clearing price in the medium that they prefer. It could be the cryptocurrency protocol itself through some algorithm, or an arbitrary group of people managing the cryptocurrency. It could even be an agency entirely separate from the cryptocurrency.
If one were to convert the current Bitcoin protocol to using a PoW Exchange, it could be strikingly similar to how it currently works. Bitcoins could still be inflated into existence and paid to the miners in the same exact amount, even 1% indefinitely or whatever; the difference is that this fee would be presented as a bid to the PoW Exchange that increases the longer the hash has not been included in the PoW Exchange blockchain.
As more services use the PoW Exchange, the price of including a hash on the blockchain will increase, thereby lengthening the time between Bitcoin confirmations.
Once the bid reaches the market clearing price, a miner will accept it into the next block that they mine.

In this way, miners are not guaranteed any kind of fee for any block they mine, like they currently are in Bitcoin, and neither is there any kind of incentive to include every transaction in a block; the PoW Exchange doesn't even care about the transactions that are occurring in the Bitcoin ledger.

In the end the PoW Exchange guarantees that the cost of providing PoW on a useful chain is always the market clearing price. If a cryptocurrency has a fee model that is too low, it would be reflected by very long confirmation times on the PoW Exchange; if it is too high, then confirmation times would be excessively short.

Obviously the PoW Exchange would have to have limited resources imposed on it, or any kind of pricing mechanism would be impossible. Time between blocks and block size would still be magic numbers.

There's still a problem of how the cryptocurrency pays for its other costs: bandwidth and storage of transactions. But that's a comparatively easy issue compared to paying for hashpower. Calculating the appropriate cost of transactions for a given redundancy is perfectly manageable, and held in check through competition, in the same way we don't fret too much about how banks are going to pay their bills. I would imagine cryptocurrencies would be much more centralized, but I see that as an added benefit so long as the auditing process through PoW can be accomplished by any arbitrary third party at a reasonable cost. This would allow scaling up to thousands of transactions per second without needing a copy of every single transaction on every miner.
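
A toy simulation of the rising-bid mechanism described in the post above, added here as an illustration; it is not code from the thread or from any project. It assumes each service's bid grows linearly per exchange block, that a miner simply takes the highest bids that fit, and that the slot count, rates and service names are made-up values.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    rate: float          # assumption: bid grows by this much per exchange block
    bid: float = 0.0
    waiting: int = 0     # blocks since this service's hash was last included
    waits: list = field(default_factory=list)

def simulate(rates, slots, blocks=1000):
    """Run the exchange for `blocks` blocks with `slots` hashes per block.

    Returns ({service: mean blocks between inclusions}, mean clearing price),
    where the clearing price of a block is the lowest bid the miner accepted.
    """
    services = [Service(n, r) for n, r in rates.items()]
    clearing = []
    for _ in range(blocks):
        for s in services:            # every unconfirmed bid keeps rising
            s.bid += s.rate
            s.waiting += 1
        # Assumed miner policy: highest bids first, name as a fixed tie-break.
        winners = sorted(services, key=lambda s: (-s.bid, s.name))[:slots]
        clearing.append(winners[-1].bid)
        for s in winners:             # included: record the wait, restart the bid
            s.waits.append(s.waiting)
            s.bid, s.waiting = 0.0, 0
    mean_wait = {s.name: sum(s.waits) / len(s.waits) if s.waits else float("inf")
                 for s in services}
    return mean_wait, sum(clearing) / len(clearing)

if __name__ == "__main__":
    # A fee model that is "too low" shows up as long confirmation times.
    waits, price = simulate({"high": 4.0, "low": 1.0}, slots=1)
    print("one slot, two services:", waits, "clearing price", round(price, 2))

    # More services competing for the same slots: price and waits both rise.
    for n in (4, 10):
        rates = {f"svc{i:02d}": 1.0 for i in range(n)}
        waits, price = simulate(rates, slots=2)
        print(n, "services: wait", round(waits["svc03"], 2),
              "clearing price", round(price, 2))
```

The block size (`slots`) stays a fixed magic number, as the post notes; changing it shifts both the clearing price and every service's confirmation interval.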