Bitcoin Forum

As you know many people don't like the idea of using CPU power in order to make so-called "useless" computations.

I suspect it is possible to rigorously prove that any cryptocurrencies, providing it fulfills a few conditions, has to be based on proof-of-work, and thus on CPU.

So far I can't prove it seriously, so it is just a conjecture.    I'd be glad if someone with a solid maths and IT background could bring a demonstration.

So it would look like:



Obviously this relies on a theoretical, more general definition of "cryptocurrency".  I won't give such a definition here but I guess you get the idea.

Not sure if it's even possible, but it would be REALLY nice if somehow we can integrate bitcoin's proof-of-work with seti@home's computation.  http://boinc.berkeley.edu/
then I'll feel much better about the energy I consumed on my mining rigs.
EDIT: Never mind, apparently this has been discussed: http://bitcointalk.org/index.php?topic=203.0 http://bitcointalk.org/index.php?topic=335.0  I need to clarify that I think bitcoin-mining is like gold-mining, the energy is NOT "wasted", it's a necessary evil dealing with the weakness of humanity.

Perhaps in the future, as bitcoin becomes used extensively and the transaction volume becomes much greater, there will be plenty of "work" just growing the block chain, and the difficulty factor can be reduced accordingly.  This way, more energy is put into supporting commerce and less into finding a hash with an arbitrary number of zeros.

Money is power to buy other people's labor. There are many ways to gain this power, by force, cheat or voluntary exchange.

I think using proof-of-work is more a sociological choice than science. In modern democratic societies, labor-for-labor exchange is most acceptable to the majority of people. If bitcoin were invented 200 years ago, the issuance of new coins might be decided differently, say by how much King George pooped in any given day. 

The intrinsic value of a bitcoin is the total energy and computational/informational content that went into creating it (incl. energy to produce computing resource materials, silicon, etc, human labour, brainpower, encryption difficulty). The market value will tend toward the intrinsic value in the long term. I expect bitcoin values to become strongly correlated with the underlying kiloWatt-hour electrical energy price and oil, gas, coal (fossil fuels while they are still around) or fissile nuclear materials, etc. Depending on the independent circumstances of the markets in each of these energy generating fuels they correlate with gold, silver and other metal ratios over long periods. Metals are correlated with energy because that's what it takes to prospect for them and dig them up (it is not rocket science just economics).

In the short and medium terms premiums will probably be placed on bitcoins for various reasons; uniqueness, scarcity, anonymity, security. Also possible market manias or euphoric bubbles could erupt to distort values temporarily.

Money and energy have been joined at the hip since the beginning. Money is simply stored energy in some instances. Bitcoin is moving up the evolutionary ladder like atomic energy is to burning wood in caves.

It can't be quite that straightforward, because in the early days bitcoins were created using much less energy than the most recent bitcoins. Even though we can distinguish them, we don't value them any differently.

As discussed in many other places Bitcoin does not have intrinsic value, it just has the value people are willing to pay for it, for an easier faster, cleaner way to transfer money.

Mining has to be seen as the act of securing the future value of the Bitcoins in your wallet. Getting additional Coins in exchange for computation power is a nice extra, but it's just that, an extra. Additionally the gain from mining will decrease, since the mining reward is set to half at certain stages in the network development.

Hum...    I think I shouldn't have talked about the generationn process, but instead I should have talked about the "election" process.

My point is that CPU power has to be used in order to determ which node in the network will be in charge of validating transactions.  The reward for this task is not really relevant for my point.

Sounds better, thanks ^^

Anyway, I agree that right now the "work" done by the client to elect a tie-breaker is quite useless. It would be nice if we could leverage other, more useful, computation tasks to let the time tick in the Bitcoin universe.

Right from the start I can think of the entire Boinc stack which is (kinda) useful, but we have to consider certain problems:

• Blocks have to be generate at regular intervals
• Difficulty has therefor to be adjustible
• Proof-of-work dictates that once a result if found it has to be easily verified

So SETI does not really qualify (too unpredictable, ...), maybe the prime number sieve might be a good candidate (find a prime number of a certain length), but it destroys the chainability (I can start calculating any length number without knowing the predecessor).

I'd be more general than that and say that there is no way a currency can, all at once

• be issuable by anyone (decentralized issuing)
• be easy/cheap to issue
• have limited inflation

You can at most pick two. Both bitcoins and precious metals for ex. satisfy first and third criteria, but they are hard to obtain. A centralized electronic currency would satisfy the second and third, but not the first.
I don't think it's "mathematically provable", but it's probably "praxeologically provable", what's practically the same thing since math and praxeology, despite their (great) differences, follow the same scientific method.

Whatever it is, bitcoin is absolutely not a fiat currency.

Fiat means by decree, dictate, statute, law, legal tender, etc ... http://www.thefreedictionary.com/fiat

But they are fungible, each currently circulating bitcoin is indistinguishable from any other (unless the block chain ever gets unravelled ;)), so in that sense they are worth the average energy needed to create a bitcoin. Take total hash power spent to date creating them divided by the number of bitcoins created to get average hash power per bitcoin .... intrinsic value due energy spent anonymisation/securing.

Anonymity is the key to making digital currencies fungible. A trace of transactions attributed to digital currency makes each unit distinguishable from another. E.g: I do not want that dirty terrorists, money-launderer, paedophiles (pick one) digital units in my account.

The cost of operating the system does not determine the value of that system.  The cost of producing a bitcoin does not determine the value of that bitcoin.  Cost and value are two different concepts.  A bitcoin's value is that which a person will give up to acquire a bitcoin.

Here's some reading material for you:

The Subjective Theory of Value - http://mises.org/austecon/chap4.asp

http://en.wikipedia.org/wiki/Subjective_theory_of_value

Heh thanks, I was well aware of that and your recommended reading but you must have missed (misunderstood?) what I was saying two posts above.

The premium captures the difference between cost and value of an object I believe.

Unless there is some enduring quality that demands a premium upon any item it will tend to its cost of production in the long term ... it is a thoroughly "Austrian" concept also, demonstrated by the observation that all fiat paper money has eventually been valued at around the cost of paper and printing involved in its production. Gold has never been far from its cost of production plus some premium for its utility as money, although this premium can vary by several multiples of cost of production depending on economic circumstances. Bitcoins are unique right now in that they serve all the historic roles of money; fungibility, divisibility, scarcity, store-of-value (we'll see) in a market where most flavours competing fiat currencies (paper and digital) fall down on one or several of these roles.

In any case, I'm sure that the free market will eventually give us price discovery in the long term for the value of bitcoins. Other crypto-currency P2P networks that spring up in competition to bitcoins will ensure it.

It seems to me this discussion has drifted pretty far from the initial topic. 
I'm pretty new here, but one thing I read early on was that the main point of the generation of new bitcoins is to be an incentive to get people to participate in the network.  And that eventually, the tap will run dry, and then the incentive is supposed to switch to some kind of transaction cost scheme, right?
Well, wouldn't it have been possible to start with a digital currency that had a fixed, unchanging number of units, and used a transaction cost scheme as the incentive structure from the start?  I don't know, this has undoubtedly been discussed before, but I'm just wondering.  It seems like something closer to the way bittorrent works, where the reward for participating is faster download times.  In this kind of scheme, the reward for participating would be a greater share in the (hopefully very small) total transaction cost pie.

Sure, we'll call it GavinCoin and I get all the coins to start.

If you want some, you just send me some of that worthless fiat currency that you have laying around.

Sound good?

@moa: the cost to generate is of course dependent on how many people are trying to do it, and that in turn depends on the perceived sale price, so it's not clear how the theory of value you're proposing doesn't suffer from a feedback loop.

@grondilu: computational proof of work isn't the only choice, even for a technology with similar constraints and threat models to bitcoin. for example, you could use ip addresses or bandwidth, but satoshi decided that those would lead to a less reliable allocation. (at least, he considered ip addresses specifically. i'm not sure he considered bandwidth, probably because its use in this context would pose very complex problems. consider that in a bittorrent or emule 'economy', however, bandwidth is the key resource that 'buys' you what you want.)

it's all a practical judgment call, not a theoretical limitation. think through how generation might work with ip addresses or other features of network topology as the basis of generation, and i think you'll find it's not obviously horrible and may even pose some advantages to hashing.

other methods for distributed timestamping have been explored in past literature, but they depend on different models of trust and threats.

Not sure if this is true.

I can think of an untamperable distributed timpestamp method that doesn't rely on proof-of-work or  CPU:

Cosmic Radiation

Every node agrees to point a radio dish at predefined sector of the sky and measure the random fluctuations in cosmic radiation in some standardised way.

These measurements are translated into a linear data stream that is permanetly recorded by every node.

Then use the block chain concept, except that the nonce in each block isn't incremented, it's the latest chunk from above data stream.

Distributing newly minted money is harder, but can also be performed with a cosmic radiation proof-of-work.   The target isn't a hash but a set of stars/galaxies in a certain configuration (for example). Nodes scan the sky with high powered telescopes and the first node to find such a configuration digitally signs its exact coordinates.   It is then easy for other nodes to verify the stars on those coordinates.

Somebody could of course open thousands of nodes with a forged data stream, but those blocks would be rejected by the nodes that physically have a dish pointing at the sky.


Maybe I have missed something? Could this type of block chain be forged in some other way?

Even if you use some kind of a source of verifiable random numbers from cosmic radiation or whatever, as long as the system is anonymous, it will fallback into CPU power or hardware ressource.

Basically if the right to receive bitcoins is based on some sky event, then everyone will try to post as many sky predictions as possible, just in order to increase their probability of winning.  And the amount of predictions you can post would be proportionnal to your CPU.

You think this is a rebuttal, but in fact it's all the same to me, and others like me, who are coming late to bitcoin, and with no intention of buying hardware and doing my own mining. I've nonetheless forked over some fiat currency for these bitcoins, just because they seem to have acquired some value.  Why wouldn't it {have been / be} possible to start with a fixed number of coins distributed among some community of hackers and get it started that way?  The vast majority of bitcoins, presumably, were generated when the system was very young, and so are already in the hands of the early adopters.

If your definition of "very young" is "before I learned about it", then sure, of course the majority of bitcoins were generated when it was "very young". But the number of bitcoins generated per hour is no different today than it was a year ago. It is just distributed among a much larger pool of people.

The majority of bitcoins have yet to be generated. We're not even halfway there yet.

You are totally free to create your KlorthoCoin.   Go for it, really.   At some point anyway this kind of stuffs will happen.  Just don't be offended if I don't value your klorthocoin much.

I agree with this assertion.

I've been consider an alternative to bitcoin which has no computational proof-of-work, but simply a central timestamping server - which determines in which order transactions will appear in the chain. Whenever a double spending occurs, nodes consult the timestamping server as to which transaction should be in the chain, and discard the other one.

This version of Bitcoin will also be censorship resistant, because the central timestamping server has a very simply job (simply to order transactions), and can be easily replaced if disabled by a central authority.

In this version, all the coins will be issued in the beginning, and then the software will be distributed across all nodes. No subsequent increases in the number of coins will be allowed. An increase would require modification of the software, and that will be rejected by most nodes as it will devalue their currency.

So while in this version coins will not be issuable by anyone, they will be very cheap to issue, and the system will have no inflation. More importantly, no resources will be wasted in proof-of-work. The only drawback is the centralized nature of the timestamping server, but it can be easily replaced if it gets banned.

Alkor, I think you missed the point of Bitcoin.  Its biggest advantage is that it is decentralized.  Having expensive proof-of-works is simply a side-effect of having a distributed system.  No one's interested in yet another centralized system; there are already hundreds of those, many of which have much larger backing and more trust than your idea ever will.

CydeWeys, I haven't missed the point of Bitcoin. Even though it may appear that bitcoin is a decentralized system, in the long term it will converge to the centralized system I described as miners become more specialized and control most of the computational power. With the recent case of one of the mining pools surpassing the 50% hashing power, we are already close to having a centralized proof of work system anyway.  So eventually there is little doubt that select few highly-efficient miners will control what transactions get verified and what don't.

Besides, a system based on a centralized time-stamping server would not be yet another centralized system.  All centralized monetary systems are currently able to  inflate their currency, whereas with the centralized time-stamping system the central entity will not be able to create new money. That will be it's only advantage.

It's not a totally bad idea.  Whom would new money be given to, though?

Also, even if the time-stamping server could not steal money or create new one, it would still have the power to double spend.  So it would be difficult to obtain a consensus about who is trustworthy enough to get this power.

So to speak bitcoin IS a system with centralized time server.  But the server changes every ten minutes or so.  So somehow, bitcoin is already an extreme version of what you are suggesting.

The system could be bootstrapped from Bitcoin by assigning balances to each address in accordance with the current wealth distribution of Bitcoin users. The new system will use the same private/public key architecture as Bitcoin, and since users control their private keys, they will be able to spend their coins on both systems. The first (genesis) transaction in the new system will be one that assigns to all current Bitcoin public addresses in existence their respective Bitcoin balance.

The job of the time-stamping server would be to assign order to transactions that is final and immutable. Instead of the current block-chain there will be a chain of transactions signed by the time-stamping server. A copy of the chain of transactions will be stored on every node. If the time-stamping server attempts to double-spend, then it will have to modify the immutable chain of transactions, and that attempt will be rejected by the network of nodes, since each node will be able to see that the server is trying to assign a different order number to a transaction it has previously signed. Once that happens, the community has to choose a new time-stamping server that is trustworthy. Since the job of the time-stamping server is easy, it would be trivial to set one up.

Another problem with a central time-stamping server would be that it will have the power to selectively not include transactions into the chain based on their addresses. But the same problem exists in the current bitcoin implementation. And the solution again would be to chose a new server if the current one starts behaving badly.

No.  A double-spending would not work this way.  The timestamp server would sign two transactions but will just wait a bit to publish the oldest one.  It will do as if there had been some network latency.  There is no way the other nodes can prove it was not honnest.


setting one up is easy, sure.  But the tricky part is to chose one and to convince everyone to use the same.


Bitcoin choses a new server every ten minutes or so, without having to wait for it to behave badly.  This is much better.

I'm not sure if this applies, but in nature, timestamping is distributed. That's how your heart works, for instance -- no one cell sets the pulse. Crickets do the same thing.

I think I didn't make myself clear. The chain of transactions must always be in a consistent state, i.e. no address can have a negative balance. Every node can verify the chain is in a consistent state. If the time-stamping server signs a transaction that puts the chain in an inconsistent state, then the server is rejected by the network. So a double-spend isn't really possible without invalidating the chain a copy of which is stored on every node.

Sure, that's a valid criticism. Maybe one could build a hierarchical structure where one could easily reach a consensus of a new time-stamping server across the network once the old one behaves badly.  

Hum... sounds interesting.  Any source/documentation about that?

Well, I don't know.  Maybe it's possible.  But it is surely trickier than what you seem to think.   For instance, say indeed some node sees an inconsistent entry in the table.  It has to tell every one.  They all have to check the accusation is true and then they all have to decide to ban the bad timestamp server, revoke its previous transactions (how many??), chose a new one and so on.   An ugly mess for sure.

You are right it's messy. But the only messy part is how to choose a new time-stamp server.
Revoking transactions will be easy. Only transactions that were placed after the invalid transaction will be revoked - but they should never have been placed in the chain by honest nodes anyway. Once a new time-stamp server is chosen - valid transaction will be placed back into the chain by that server. Even the originally invalid transaction may be placed into the chain eventually if the balance of the account to which it refers becomes sufficiently large.

grondilu, I remember reading all about that stuff in this book:

http://www.amazon.com/Sync-Order-Emerges-Universe-Nature/dp/0786887214/ref=sr_1_1?ie=UTF8&qid=1306525959&sr=8-1

Nice observation, circadian rhythms, beat frequencies for clocks.

Thanks! I started reading Strogatz's book again. I wouldn't be surprised if his work on this stuff could be used in a really cool way:

http://epubs.siam.org/siap/resource/1/smjmap/v50/i6/p1645_s1?isAuthorized=no

Yeah, I think one of the craziest demonstrations from this was the experiments where the sleep-wake cycle was identified to result from two harmonic oscillators (24.XX hour core body temperature oscillation and another 24.XX oscillator that I can't remember ... melatonin level due to light exposure?) ... anyway they put these lab rat students into a confined room for several weeks and started twiddling temperature and light on-offs and tricked the subjects body's into a 48 hour sleep-wake cycle ... they would be awake for 24 hours and sleep for 24 hours ....

Another way to get a similar result is to have the lab rat student spend some time on this forum  :D

Anything based on the Network Time Protocol or astronomical observation won't work. What is the recourse if the "time" server says you didn't make any transactions? Elect a new server? The beauty of the the Bitcoin protocol is that a new server is chosen by lottery every time a new block chain is made. The "time stamp" is a time stamp in terms of entropy and proof of work. To falsify a past transaction takes an increasing amount of resources as time goes on. To falsify the newest block chain you have to prove your version is "better" (I have to read-read what the protocol does for competing block-chains).

Keep in mind that transactions don't have to be synchronous. For smaller transactions, people may be trusted not to double-spend even in the absence of a constant network connection.

Largest proof-of-work wins. In case of ties, miners start working on the first one they saw.

A block with a higher difficulty is considered "larger" for this purpose, so creating your own chain from block 1 at difficulty 1 won't work.

Every node that wishes to mine proposes a new block-candidate (chained into previous blocks but with no difficulty so that you're not burning CPU power). Say n nodes participate.

They run a protocol to choose a definitive block-candidate. This is not competitive since no one is declared the winner yet. Simple majority vote for a well formed block-candidate is sufficient. All n participants share a hash of the blessed block-candidate.

Then the step I don't know how to do  :( : Run a cooperative cryptographic protocol that that simulates a fair dice toss, somehow involves the hash of the blessed block-candidate, and ends up randomly selecting 1 of n. This is the next BLOCK and the selected number indicated the owner of the reward for mining the BLOCK.

Rinse and repeat every 10 minutes.

------------------

Now I don't have such a protocol but here's an example of n nodes randomly selecting one of their numbers.

Each secretly chooses a number between 0 and n-1. Each hashes that with a public key he wishes to use to receive the reward. This is his commitment. When he reveals his chosen number later anyone can check that he didn't cheat and change the number.

After all are committed, all reveal their chosen number and check the others for honesty. The sum of the honest revealed numbers modulo the number of honest participants is a random number. Call it the selector.

Sort all the honest keys that were revealed. The selector tells us which key in the sorted list gets the reward.

n nodes cooperated and a new block is generated and one of the nodes randomly received the reward. Low CPU nodes have an equal chance. They just have to have enough power to keep up with the protocol.

-------------------

Useless of course, now that I review this. A newly started node would not know who to trust if the block chain had split recently.   Oh well.

 

Also, there's nothing keeping me from running thousands of nodes. Or generating my own blockchain that purports to be longer than yours.

Good luck with that.

I agree.  Too bad.