Bitcoin Forum

I already announced this on two medium-long threads, but I figured why not announce it here as well.

Even if you don't agree with it, it's an interesting alternative/complement to Proof of Work, and worth reading about.

https://en.bitcoin.it/wiki/Proof_of_Stake (https://en.bitcoin.it/wiki/Proof_of_Stake)

Changes like this smell like chain fork... It's the way to much of the change for Bitcoin

Not necessarily. P2SH will work without a fork pretty soon.

Obviously PoS is a huge change, much larger than P2SH, but it could be implemented within the system if people are convinced it's the best for everyone involved.

Remember, the danger this tries to prevent is many years in the future ... it's not urgent to do it now. Building the consensus can even take a few years.

Rather than a fork, it could just be a fresh alt chain ... let the market forces decide if Bitcoin+PoS is better than Bitcoin. I prefer to see the evolution of core Bitcoin instead of a zillion different alt chains that fail to gain market share. If a new alt chain came out with Proof of Stake right now, I wouldn't buy it, because I think it's premature.

https://en.bitcoin.it/wiki/Hardfork_Wishlist

Put it there

No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?

https://bitcointalk.org/index.php?topic=64637.0

Here I describe the early musings of a "heuristic" approach, although tied to an idea for a stable currency. Revalin brought up a good point that the bitcoin days destroyed concept would fit well. Essentially coins that have not been used recently will have a greater weight in which chain will prevail. There then needs to be a timer such as an hour ahead of each block where it may be replaced and anything ahead of it would be removed. Some balance between length of time to replace and block weight would have to be done so that a block with one more transaction can't come along 50 minutes later and replace a block from 50 minutes ago and such. But it allows for much less mining power necessary to secure the network. Theoretically, none at all is really required although that would certainly make for a lot of collisions. Instead of # of confirmations, time would simply be the indicator for how secure a historic transaction is.

But using bitcoin days destroyed, any potential attack would only be able to be carried out if the person had a lot of old coins and mining power, and once carried out, their power is removed for at least a very significant amount of time. No centralization of power, no signatures required, still requires a fork although this would be a much more acceptable compromise I think. It needs to be fleshed out more, but I think it solves the problem much more elegantly than proof of stake.

Done, thanks.


You provide a lot of technical details, but I'm not quite sure how the changes you propose contribute to the stated goal.

Blockchain Defense
Heuristics: All clients agree that competing blocks will have priority weight based on number of transactions, average age of coins in transactions, and other factors.

Would it not be possible to make proof of stake one of those factors?

Well we want to stop 51% attacks, right? As it is now, all this requires is computing hardware. With the approach I described, anyone can throw as much power in the universe at the blockchain, and all they will accomplish is spamming their local nodes who will ignore blocks that have less weight (number of transactions, number of old coins used, so on) than other blocks they have received. It basically means that the blocks with the most activity will win. Unless a malicious entity controls the majority of the hashing power, a large amount of coins, and a large amount of coins that have not been used recently, they can not affect the network. Even if they control those three factors, once they spend the coins to give weight to their block, the age counters on those coins are reset so they are no longer useful to attack the network. No 51% attack can be sustained because they would quickly burn through their old coins. They might delay transactions for a time, but that is far less damaging than being able to deny transactions and miners indefinitely. Rewriting history, as unlikely as an attack as that would be, would be impossible as the check-point would basically be built-in to the block chain, not a hack on the software.

This does allow for permanent forks if the network were actually physically split, but I think this is a pretty unlikely scenario. In that case, the user should be notified of competing blockchains instead of just assuming the longest chain wins. Most of the time it should be obvious where the problem is such as if an entire country was cut off from the external internet by government.

This adds importance to the actual transaction history, not just computing power. Sending a transaction is (essentially) free, and in this way it actually helps secure the network.

I don't like the idea of proof of stake because it puts the power into the hands of a few individuals. My approach is still completely decentralized and allows for much less mining power needed to secure the network. Plus proof of stake requires actual intervention by these powers that be. And, at least as it is now, there are few accounts that have a significant amount of money, yet there are many individuals that have a significant amount of money spread across many accounts. Each one of those accounts would be required to sign a block for that individual's stake to be measured. That is a lot of excessive data, not to mention CPU time in verifying all these signatures.

People with more BTC = people able to buy more mining power. It's quite equivalent.

If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.

Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?

I guess stakeholder's don't want to prove their stake by holding it in the form of mining rigs, let alone also actually running those rigs, because then the larger their stake the more electricity they will burn until they get to be the monopolist who supposedly can turn off most of his rigs as long as he continues to visibly continue to aquire more and to keep up with the latest improvments in rig technology.

They would much rather offload the costs of being rich, since if it costs a rich person a larger percent of their riches to remain rich than it costs a borderline-poverty person to stay above the poverty-line well that is hardly fair is it? Rich people ought to be able to pay a lower percent, surely? Otherwise they might end up on an asymptotic climb instead of an exponential one and find they cannot afford to buy all the poor folk completely totally and finally or some such disaster.

-MarkM-

P.S. Quite likely the whole story about how the monopoly ends up taking control applies to any particular money too anyway, so that no matter what we use for money someday someone will "win" and we should then basically say okay that was fun, challenging game that was, now lets put that game away and start a new one. We all aknowledge the guy who owns 51% of the wealth as the winner, write them into the history books as the great winners of the that kind of currency period of history, and start over with some other convenient scorecard/scoreboard...

My idea does not add significant overhead, though Meni's idea might. My idea is basically the same as the current protocol except that difficulty is individual-specific. Difficulty would depend on the product of how many coins a miners has and how many blocks have been mined since these coins were last sent or used to mine a block. All the sending info is already in the blockchain, all you need to record is the identity of the stake which mined each block. This is like one additional txn per block worth of overhead. Overhead is pretty trivial.

Please make an effort to gather information before making random claims.

So you pick an address whose balance you want to use as stake for the block you are mining, and sign the block with that address's signature to prove it is your stake not someone else's?

-MarkM-

Yes, that works. Plus the confirmations on the coins get reset after they are used for a signature, just like when they are sent.

Okay well if coinbase transactions are allowed to have at least one input other than the coins that come from nowhere then a simple way to accomplish this "signing with a stake" would be to take inputs. Just like you can output to umpteen addresses, maybe you could also input from umpteen addresses. People could thus pool together to contribute a stake, and they could even each be returned their stake (their input) among the outputs.

In fact, the actual miner need not provide any of the stake at all, it could all be provided by stakeholders, the miner might not actually even own any coins at all. They could simply be some computation-for-hire service who neither knows nor cares what their computing power is actually being used for. (Like Eligius's miners, maybe, and those who gang up on proportional pools by way of proxy pools?)

If nefarious pools can so simply get miners to send them hashes, maybe they can also get miners to send them stakes? Make payouts proprtional not only to hashes sent but also stake sent?

-MarkM-

It amazes me how this forum in general will attack one detracting statement and ignore the rest and act as if the rest do not exist. Then give a holier-than-thou attitude on top of it.

So, in reading your thread, I can come up with about 20 things that seemed to be unaddressed:

One wallet signs a block, what does this mean?
When does a merchant know that this block is now somehow irreversible?
How many wallets/coins do you think it would take to be reasonably sure that the block is approved? Is this going to take more than 6 confirmations?
You say "one additional txn" but I totally fail to see how. Maybe I'm just stupid. Could you explain this further?
You also seem to interchange user/wallet/miner throughout your thread and I am unclear of who is actually doing the signing. If the miners are signing, how is this any different from them mining?
You propose additional proof-of-work to make a timer. How is this not wasteful? How do you plan on judging 5 minutes? Is it best signed mini-proof-of-work wins?
c/X doesn't take into account how old the coins are, only that they are older than a specific amount. What is to prevent someone malicious from waiting to grief the network over and over? Is MtGox going to have to wait eons before allowing any trades on fresh deposits? If c/X ends up being something like "bitcoin days destroyed" in what way does this system offer *any* advantage over the one I mentioned?
Assuming two c/X's are the same and sign two different blocks, how are the miners supposed to decide which chain to build from? Randomness? While the random approach might solve a complete take over, it still does nothing for double spend protection.
Wouldn't all reasonable c/X's be included for extra protection? If so, when do we start denying small amounts? When do we just say "let mtgox sign the blocks that it chooses, that is decentralized"? Where again does this boil down to 1 extra txn per block?
Does your proposal boil down to this: the only people that can mine are those that already have a lot of coins? I'm honestly not sure. Is this some kind of proposed system that would be switched to only after the actual mining reward is minimal?
Rather than worrying about taking down the network, most people around here worry more that the power of mining would be abused to double spend. I think the latter is far less important than the former, but what does your system accomplish in regards to double spend attempts? With the assumed relative low difficulty of the future, what is to prevent someone with a lot of old coins being paid off to reverse a lot of recent transactions? Is it check-pointed? If so, again how many coins/signatures/whatever do we need to be assured that history will not be changed? Half the coin base? You even mention "majority of signatures" in a later post. Please explain to me what you mean by this.

Such questions are why I ended up liking the simplicity of just counting the stake actually input into the coinbase transaction, combined with the "(coins * age)*0.8 + (hashes to some fractional power)*0.2" formula Cunicula mentioned in some thread somewhere (I haven't been able to find it again though so don't know where).

Compared to the vast majority of the material in the related or vaguely related threads, it seemed wonderfully simple.

-MarkM-

Part of the problem is that there are two distinct proposals and the answers depend on the proposal. Rather than go through all this here (and then explaining it badly and having to go through it over and over again), I'll edit the wiki progressively, please be patient.

My reluctance to go in to detail here is related to my belief that you don't care care much about the answers. I believe that your core objection is that proof-of-stake will help the rich get richer. My system does indeed strongly favor early adopters. In fact, early adopters reap much larger financial rewards in my design than they do under the current proof-of-work system. I don't have any problem with that. I don't find large rewards for early adopters morally objectionable. I just want them the reward system to be an efficient mechanism for securing the currency. My focus is on a robust, secure, and transparent mechanism for transmitting pseudonymous money. Proof-of-stake would be more robust and secure. It would lead to much lower long-run equilibrium txn fees. I don't care who profits from operating the payments system. Whether it is just one guy, a government, or the 99% doesn't matter to me. I think attempts to keep gov't and monopolists out permanently are laughable at best. There is just no credible mechanism for doing this. The main thing for me is that a new techonologies exist and make people's lives more convenient. If it is Apple-branded, then so what.

Gee thanks, MarkM. I am regretting being a dick to you in the past.

Well, I specifically referred to your proposal. It was you, after all, that gave me lip for not following each of the 8 or so threads on this topic.


I do care about the answers because I have for a long time worked on alternative solutions to all of bitcoins problems. I spent several hundred hours thought-processing the ideas behind encoin.
To be honest, I wasn't aware that your proposal would help the rich get richer. I was not able to understand it enough to get to that point. And certainly I would object if the end result is that the rich get richer. However, if the system was rock-solid and I could not think of a better way, I would approve because I think the complete DoS that the 51% attack provides is absolutely paramount in its need to be fixed. I think the wiki is atrocious in its description of this DoS being "not much power."


You realize you're begging someone to say, "why would you, you're an early adopter?" regardless of the balance of your BTC account.


Why not even try digesting what I posted? I have no need to lie in saying the answer to this problem came to me rather quickly when I tried to design a stable currency idea around the bitcoin code. It would be far less disruptive and in fact could be done without changing the protocol itself, only how clients react--although it will still create a fork so that point is rather moot (but perhaps only temporarily? not sure).


Well, forgive me for looking too far to the future, but this opens up the possibility of things like white-listing accounts. Haven't registered your bitcoin address with the Bitcoin Regulatory Commission? Then this monopoly is not approving your transaction. So not only is decentralization gone, but so is pseudonymity. You claim there is no credible mechanism, but the only basis I see for that is because you haven't thought one up. If you want to attack my idea, have at it. I haven't gone far in fleshing it out, but it certainly is a lot simpler than proof-of-stake so problems should be easier to bring to light.

Etlase2's idea seems to me to be basically an improvement on Cunicula's forumla, where instead of the "days destroyed" (coins*age) in a single transaction included by the miner contributing to the "work", Etlase2 suggests that the "days destroyed" in all transactions included in the block should be.  Seems like a good idea to me, as it incentivises the inclusion of transactions (there is no such incentive at all in the current proof of work system), while disadvantaging DoS attackers.

Why must we compromise the democratic liberties of PoW for the security of PoS? Don't close your mind to the possibility that you may have overlooked better solutions to the 51% attack. To dismiss PoW out of fear of a 51% attack is to end the experiment of Bitcoin.

I'm sure there are things that can be done with transaction fees that we have overlooked that will not compromise PoW entirely. Fee demurrage, processing auctions, tax supported miners, agents (https://en.bitcoin.it/wiki/Agents), etc. There are many, many other ways to look at future money issues. I will stop before I go into a rant about the long history of monopolies holding power through violence.

Huh? I am proposing an alternative to both PoW and PoS. I believe I gave what is probably the best solution possible to the 51% attack. I almost held back from even mentioning it in one of these threads because frankly I don't like bitcoin very much. But to have so much effort wasted on designing PoS when I think there is a much better, much simpler way, the altruistic part of me couldn't remain silent.


This is tangential to the discussion. Increasing fees or making it harder to get your transactions into blocks isn't the answer. Encouraging more and more electricity and hardware resources devoted to securing the network isn't a very good answer either. Why should value be wasted on electric companies when it isn't necessary? Why should the possibility of a sustained 51% attack be left open?

I agree with the above statement completely.

I also agree with the above. However, I do not think your solutions have much relevance to Bitcoin. I like the idea of energy based currency and have written extensively about it in other forums over the years. I do think that Bitcoin will evolve into something like that eventually when energy is no longer a scarcity based commodity.

for once we can agree. :D

I have updated the wiki with a very brief discussion of my proposal. You will see that it is very simple and basically amounts to changing the difficulty criterion for block validity.

https://en.bitcoin.it/wiki/Proof_of_Stake

If you have comments or questions, I will try to answer them in this thread (and also update the proposal regarding if big issues come up).

Can you clear up your formula bro?

(Aggregate difficulty)^{1/((1-p)}

an error right off the bat, and it is unclear if the rest of the formula is all in the power or if there are two halves that are divided, although on running 1,000 coins*100 confirms both come up with asinine difficulties

Proof of Stake?

Is this SolidCoin ?

No, the ideas under discussion here have nothing to do with stupid nonsense done by SolidCoin.

Thanks for checking the formula. I cleared up the hanging parentheses. If you see any additional errors let me know.

Remember that difficulty is just an arbitrary constant that controls the block generation rate. There is no reason to expect a difficulty number that generates 6 blocks per hour in my system to look similar in magnitude to a difficulty number that generates 6 blocks per hour under the current proof-of-work arrangement.


Meni, you might want to consider describing your own system in this wiki as well.

Naw, this would be more likely nicknamed Serfcoin.

There is nothing "democratic" about proof of work.  If i am rich enough to buy 10% of the hardware I get 10% of the "vote".  If you are so poor you can't buy 0.1% of the hardware you don't even get 0.1% of the vote.  I doubt proof of stake enhancement is possible in Bitcoin (difficult to make even modest changes) but they both use invested wealth to ensure the dominant chain is supported by the majority of the invested wealth (wealth with conviction).

Not much difference between:
a) I take $100K and buy 1% of the network hashing power
b) I take $100K and buy a combination of (less) hashing power and large enough stake to have 1% of the effective (stake weighted) hashing power

In both cases I am putting $100K at risk and gaining 1% of the network revenue and having 1% of the "vote".  To think one is the Roman Republic and the other is serfdom is naive.


Proof of stake doesn't necessarily mean monopoly or cartel.  Proof of work is no guarantee that there won't be a monopoly or cartel.

If tomorrow Deepbit, Slush, and BTC Guild decided they would only build on their own blocks they would have 100% of the network doubling their revenue overnight.  Since they no longer need any more hashing power they could close the doors to new hashing power and new miners.  If the merged they could gain higher profits by having members turn off hashing power (but having it be hot idle under control of the cartel).  They could operate a modest 1TH/s or so with the ability to engage up to 5TH/s+ if someone tried to break the cartel.  Members could be issued shares and paid dividends from this entity.  In time hardware could be moved to warehouses controlled by the cartel and replaced with more efficient equipment.  As long as they have the ability to deploy more hashing power than any "upstart" they could leave most of it idle further boosting profits.  Their idle hashing power is in effect an indirect form of proof of stake.   On a long enough timeline they would form the basis for the "Bitcoin Regulatory Commission" you fear.   Eventually datacenters full of ASIC processors providing tens of TH/s of on demand hashing power would be the method of control.  As long as their potential hashing power is large enough there is no need to keep it online.   Far more efficient to have it in "reserve" (thus producing no cost) and monitor the network.  Members would simply be shareholders (with shares openly traded anyone could buy a stake) and Bitcoin would be a controlled centralized network.

I am not saying the top 3 WILL do that but the belief that somehow PoW is democratic, free, and open and PoS is closed, centralized, and monopolistic is just naive.  

With Bitcoin's Pow, at any given time a new enterprise can come online and threaten the integrity of the network. This is a good thing. This will require dillegence to maintain a "balance of power." Collectivist institutions like democracies can choose to forge a coalition to counter-attack anyone that monopolizes the network. If that coalition itself manages to take 51% as well, then political seperation of powers can be installed to mitigate this threat through bicameral legislation. Whenever a dictator or oligarchy upsets the balance, things tend to get noisy.

Thanks for the cogent argument, d&t. You explained things quite well. I agree with you, though I am somewhat more optimistic about the possibility for change within bitcoin. The first step is a proof of concept alt chain. I am hoping to attract coder interest in this.

Sure, as soon as I have the time.

P.S.

I did another minor cleanup.
Cunicula, please try not to paste your name that much in the article ... three times within 2 paragraphs is a bit too much IMO, can be interpreted as vanity by some (not saying it is, but the style is not so great IMO). Also, no need to reserve space for questions / critisicim, it's a wiki, let it evolve naturally. Questions are not appropriate within the article itself, they can be asked in the discussion.

Also, can someone please add a tl;dr on what are the key differences between the PoS systems proposed by Meni & Cunicula? I haven't followed this entire discussion. I did place a small placeholder in the wiki for this.

In Cunicula's system, voting power is determined by combining (multiplicatively) your hashrate and stake. To be effective you need both to be high (which IMO is very problematic because small players cannot contribute effectively. It's not linear.)

In my system, there's a skeleton based purely on hashrate, and superposed on it are occasional checkpoints set by stakeholders. You can contribute PoW without having stake, and you can contribute PoS without having work, and in both cases your voting power and reward is linearly proportional to the resources you have.

Excellent, I put it in the wiki.
I remembered reading earlier about your suggestion, and it makes perfect sense.

Cunicula - any definitive argument why your proposal is better than Meni's?

In theory this sounds intriguing, but to me the "Proof of Stake" concept is just another way to introduce the ShitCoin (aka SolidCoin) concept into Bitcoin and attempt to establish a BTC version of the Money Power (like a BTC Rothschild or so). It seems one only has to find the right dialectic to talk people into something that doesn't fully agree with the original mission. Even if you don't immediately go as far as SC and trust the nodes with more coins more than anyone else, that is another logical consequence of the concept, and in the end: Hurray, we took monetary control away from feds and establishment and give it to someone we can trust.

People who own a large amount of BTC will most likely agree with the concept, others that like the dialectic will be sold into it without owning a large stake, and we are back to yet another Money Power controlled currency.

That's like the end of the "Animal Farm" by George Orwell.

A pure proof of stake could possibly suffer from low "voter turnout" so even if someone doesn't own the majority of bitcoins he could control the majority of confirmations.

That's why I like the idea of a mixed PoW/PoS system. 

1. Under a PoS system like my own, stakeholders will not have ultimate power to control the universe (at least, not any more than in Bitcoin currently). Stakeholders cannot conjure new coins or confiscate coins. Their abilities are very limited and very technical - they can mark a block to signify that transactions in it can be safely assumed not to be double-spent. Attacks that are now possible with a majority of hashrate (such as rejecting transactions), will only be possible with a majority of hashrate and bitcoins (maybe not even that, depending on the system).

2. Who would you rather have some limited ability to mess things up - those who have the most stake in the Bitcoin system, and thus have the most to lose from doing so, or those who have the most stake in the current financial system and can afford to invest in huge mining operations?

3. Stakeholder's weight is linear in their stake. A small player is not cut out.

4. As far as I can tell, the idea of introducing PoS to Bitcoin predated the creation of Solidcoin and its trusted nodes.

5. Just because SolidCoin did something doesn't mean anything that is remotely reminiscent of it must be banned forever.

That's what I called "intruiging" in my last message.


That's what I called 'dialectic' and I have no final answer to that yet.
But for sure I would not trust the wealthiest people on this planet (in $$$) to care much for my interests, so why should I trust the persons who hold the most BTC more than that? And as you already hinted in your statement (at least it can be deducted from it), "being able to invest in huge mining operations" and having the "most stake in the current financial system" can easily produce players that have large stakes in Bitcoin too.
So these two don't exclude each other, just one takes more time than the other.


Would you think of a BTC exchange or trading platform as a large stake holder? I would, even though the coins they hold are mostly not theirs. But the system wouldn't know the difference. Just like large mining pools would currently be the most successful targets for a 51% attack.


Maybe so.


Never said that. Also I have no interest in banning SC. They can work that out among themselves (oh wait, just among trusted nodes).

Final thoughts:

Why would I trust a large miner to act in the best interest of BTC as a currency?
Large miners are in it for the profit, their support of the currency ends where their profit ends (the whole discussion here https://bitcointalk.org/index.php?topic=67913.0 (https://bitcointalk.org/index.php?topic=67913.0) is centered at that thought.

Why would I trust a large speculator holding a lot of BTC to act in the best interest of BTC?
They will sell as soon as they think there's nothing more to gain.

I'd rather trust a single individual with an average number of Bitcoins, and a few GPUs in their gaming computer that are trying to sell and buy stuff on BitMit.net using BTC. Or an enthusiast with a few FPGAs or spending hours writing code for BTC , or the economist who went broke to promote hist interest-free currency http://realcurrencies.wordpress.com/2012/01/10/bitcoin-a-positive-step-in-monetary-reform/ (http://realcurrencies.wordpress.com/2012/01/10/bitcoin-a-positive-step-in-monetary-reform/) or Matt https://bitcointalk.org/index.php?topic=68329.msg797433#msg797433 (https://bitcointalk.org/index.php?topic=68329.msg797433#msg797433) who almost made it to the top of the ignore list for his affection, strong opinions and free spirit.

Addendum: The concept that someone has a stake in BTC because they hold a lot of it, becomes even less important when BTC will approach it's goal of being a competitive currency to currently established currencies. Because then according to free market principles anyone who is out for profit would just choose the currency that provides the most profit. Having a lot of bitcoins, even if correlated now, is not an effective gauge for loyalty of an individual to that currency. Taking both hashing power and the stake into account reduces the pool of such individuals somewhat, but eventually has the same issues.

Oh, no need to trust them to care for your interests. You should trust them to care for their own interests, that usually works. And it is to your advantage to have your interests aligned with theirs - for example, if you both care about the health of Bitcoin at large.

Yes, one of my points is that obtaining a majority of bitcoins should be significantly harder than a majority of mining. It's not supposed to be bullet-proof, just significantly better than the current solution, and it should at all times maintain the invariant that the cost to launch an attack will be higher than the incentive to do so.

If they're using Bitcoin-dedicated hardware, they're interested in the health of Bitcoin to maintain the value of their investment.

As long as they're holding bitcoins, they'll want them to have a high exchange rate (a product of ecosystem health), at least short-term. If and when they cash out, they no longer have a say in voting.

Sure, that's why weight should be linear.

By that time it will be that much harder to obtain a majority of bitcoins. Also, once again, as long as they're holding bitcoins, they'll want them not to drop in value. Long-term loyalty isn't really required.

I will re-examine this when I have time. What you want is constant returns to scale (aka homotheticity of degree one). If there is a function f determining how s (stake) and w (work) affect the  mining rate, we both are looking for the following property:

f(as,aw)=a(f(s,w)

That is, if we double our coin holdings and our hashing power, then our generation rate also doubles. If this condition holds, then efficient mining can take place at any scale.

I am using the well-known Cobb-Douglas function which would certainly have this property if s and w were deterministic.

q = (s^0.8)(w^0.2)

However, I need to think more carefully about it because w is a poisson random variable, so I need to make sure that the constant returns property is preserved in expectation. I'll probably just simulate it, but I have too much to do over the next few days. Please postpone this question.

I'm thinking along the lines of a combination of all three of the ideas here:

Take the existing system, but allow stakeholders to vote on blockchain branches by optionally including the hash of a prior block in a particular branch in one of their signed txns.  The share of votes cast by that txn on that block would then be proportional to the total days destroyed by all the outputs spent in that txn so that votes are proportional to stake held, and voters can't "vote repeatedly" on a branch.  (Edit: For fairness, I think you'll want competing branches to be able to use these days destroyed up to the block they branch from.  Also, "days destroyed" = coin*confirmations, if that's clearer.)

The main branch would then be defined to be the one with the highest total weighted difficulty, where the difficulty of each block is weighted by the total votes cast on it.  A particular weighting could be chosen to give any desired relative importance between difficulty and total votes, like Cunicula is doing with his formula.

This system could be run in parallel to bitcoin.  A good test would be whether or not it could maintain the same main branch as bitcoin by being able to sufficiently mobilize voters to thwart off purposeful fork attempts.

In this way, the relative weighting between PoW and PoS could be tuned empirically.

And perhaps legitimate forks in the parallel system could provide a strong enough recommendation to the majority of bitcoin miners to get them to switch the branch they're working on.

If this works, I'd hope stakeholders would feel sufficiently motivated to participate in hardening the parallel system, as it would provide an immediate fallback in the event of failure of the pure PoW system, as well as a much cheaper alternative down the road when the block reward alone becomes insufficient.

Right.

I think you're not clearly thinking about the dynamics of this. A target which goes by difficulty^0.2 is not the same as scaling effectiveness with work^0.2. If you have twice the hashrate (with fixed stake), you generate twice as many hashes, and since each hash independently has a given probability to be a valid block, you have twice as much chance to have the next block yours - thus, you have as much weight as 2 players each with the same stake as you and the undoubled hashrate. If you have 2s and 2w, you are much more effective than 2 players with s,w each.

Doing what you want would require a more fundamental change than just a formula for the target.

Sorry about the excess name in the wiki. I will fix it.

I don't have a definitive argument yet, but I am thinking about the following issues:

a) lack of incentives for stakeholders to contribute signatures in Meni's system (perhaps only a small minority will contribute and therefore small, but active stakeholders could be too powerful.)
b) whether disruptive attacks are possible between stakeholding checkpoints (txn fees will still be quite low, so double spends may be easy to pull off and simple attacks like messing with difficulty are possible)
c) how signatures are collected from stakeholders (which stakeholders sign the checkpoint, can anyone sign?)
d) if there is a fork, how do stakeholders coordinate on which branch to sign

If I can get past this stuff, then I will be happy with it. Security, dominance of stakeholders, and low fees are the main important things for me. Whatever satisfies these criteria should be good enough.

I also feel that my proposal has a side benefit, however. Most mining investment would be reallocated to purchasing currency under my system. I feel like the current arrangement where bitcoin users spend a lot on GPUs, ASICs, FPGAs, and electricity instead of buying bitcoin is profoundly wasteful. The market capitalization of the currency would be higher under my system. Higher market cap should be associated with reduced price volatility. This seems like significant enough of an issue to merit consideration.

I'm also concerned about sudden flight from the currency and the possibility that it would enable mining stakeholders to escape some of the consequences of potential misbehavior. Therefore in the past I have suggested escrowing the coins of actively mining stakeholders for a long period. In a case of wrong doing, they would be the last ones able to sell off their bitcoin. In this scheme, mining stakeholders would have to commit not to sell until months after they exited mining. They would be willing to do this in exchange for fees and currency generation.

Right now, I am looking for a proof-of-concept implementation and therefore I am trying to make things as simple as possible to prevent confusion/intimidation among would-be implementers.

There can be signature fees. Since signing is cheap, there needn't be very big incentives.

Double-spending will be relatively easy between checkpoints, but still too hard for everyday transactions. Large transactions will wait a day or so for a checkpoint.

Basically anyone can sign, their weight depends not only on the number of coins in the address but on its recent history. Signatures are broadcast and probably included in a block like transactions.

They don't. You could do sanity checks like waiting to see that the block looks undisputed (eg, 6 confirmations with no alternative branch), to make conflicts an exception rather than the rule. But in the end everyone just picks one. The safety is then a function of the difference in signatures between the two blocks - if a receiver considers the current block not safe enough, he will wait for the next signature block. This could be an opening for DoS, but I think that's also solvable.

I think any PoS design would greatly limit the focus on mining hardware.


I think it will be counterproductive to have a proof of concept which is not thoroughly thought out. This is difficult to get right and if it's not carefully designed it will not work, and then you'll have to face all the people saying "see, PoS doesn't work!".

Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-

Aye, you are right. I will think more about it.

I think I am still confused about this formula. I assumed the max function would take the higher of the two values, but what the values are is still unclear. Maybe this was described later in the other thread, I don't know. An example would be nice, but I'll put one here and you can tell me if this is right.

Let's say difficulty = 1 million, p = 0.8, coin-confirmations = 500*100 blocks (if the coins are younger than 100 blocks, is the value exactly 100 or is it coins*100?)

(1 mil ^ 5 = 1 x 10^30)
/
(50,000 ^ 4 = 6.25 x 10^18)
=
160 million ?

if instead

1 mil ^ (5 / 6.25 x 10^18)
=
1.000000000000000000...

math isn't my strongest suit so please point me to where this is going wrong

edit: shit added an extra zero on 50*100 but whatever, assume it's 500*100 then

I imagine the evil miners would just sell their locked coins immediately.  They'd be like bitcoin futures.

Thats a very good point.


Those are two great points.

Miners leaving Bitcoin last, is like the captain being the last to leave a ship.
Hence its really in their interest to keep the ship from not sinking until the end.

I had been thinking along the same lines but did not come up with such a "easy" solution.

One thing to consider is that in some countries, starting to mine could be the only or easiest way to get Bitcoins, if its not possible to send money to an exchange.

A mix of Proof of work and Proof of stake, if possible would probably be the best.

And a note.
If a Pos only would had been the rule from the start, there would had been no coins thus no possibility to mine ;)

Perhaps but it would be harder to sell them, less buyers and its still an huge improvement.
The miner would have to prove that he owned the coins.

What if it could be made really hard to prove and the coins should first be sent back to the miner.
Thus the there would be a issue of trust.
 

Sorry, please ignore the formula for now. I screwed up bigtime. Meni pointed out a significant issue that I had overlooked. He is right that a modification of the difficulty formula will never generate constant returns to scale.
I plan to solve this, however.

Yes, return to the sending address is what I had in mind. Who knows who else holds a copy of that private key you bought? You'd just have to wait until the escrow time is up to find out...

To make miners even more of stake-holders, we could vary the maturity time of the mining rewards based on a modulus of the block hash.

Miners would thus have the choice of trying for a hash with a different modulus or settling for the first sufficiently difficult hash they happen across even if its modulus is one that means a very long maturity time.

For example we could use hash modulo 256 as multiplier of the maturity time so that some would take 128 times as long as the old unmultiplied maturity time to mature.

-MarkM-

Well can you at least give me an idea? It would make it much easier for me to point out the several fatal flaws I think exist in this system.  :-*

PRove what.

1) Miner has an address with x coins. 
2) The coinbase instead of having no input requires an input of x coins.
3) The input (escrow) + block subsidy + transaction fees are all paid out to address Z.
4) The protocol enforces a "no spend" on coinbase outputs for 240 (or 800, 1200 blocks).

Nothing to escrow, nothing to prove.  By signing the transaction the miner obviously has the private key and thus has proved the coins are his. 

Huh?  I know this is off-topic, but why would "most" miners stop investing in mining and start investing in bitcoins under your system?  I always thought that the reason most folks mine is that their hardware + electricity costs (denominated in fiat) generate profit from converting their mined coins to fiat.  What is it about your system that will push investment out of mining and into bitcoin, instead of out of mining and into gold or FCOJ or Tbills or any other investment alternative? 

Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.

PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal. With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death. That would be fine for the people in the good graces (rhymes with races) of the monopoly holder, but it's more likely that everyone else will simply switch to another currency and not play with you anymore.

There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable. Some may not agree, but most people believe that everybody deserves a chance in life to thrive. When the block rewards are sufficiently depleted to remove variance, there should still be a mechanism to add variance to fee rewards. Just like the game Monopoly (one of the most popular in history), people will continue to play a PoW game as long as they have a chance of winning. I wholeheartedly disagree that downtrodden people will succumb to a monopolist or we would all still be speaking Latin. There must always be a fighting chance.

Foolish analogy.  
Wealth =/= stake.
Wealth PUT AT RISK PROTECTING THE NETWORK = stake.
In proof of work your "stake" is in the form of computing power.
In proof of stake your "stake" is in the form of escrowed funds.
In hybrid your stake takes both forms.

Any PoS model should require escrowing (via protocol directly) funds thus those funds become linked to the survivability of Bitcoin.  Simply make the stake the input for coinbase and the output stake + reward.  Output is undependable for x blocks.  One could make x relatively large.  Bitcoin uses 120 blocks but that is to avoid orphaned double spends reversed transactions.  X could be 2016 blocks (2 weeks of escrow), or even 12960 blocks (90 days).  Thus the amount of the stake isn't your wealth it is the amount of wealth you have put at risk.  If Bitcoin fails during the escrow period you LOSE the stake.  An entity like Deepbit operating in a hybrid model would have a huge amount of funds "locked up" in the success of Bitcoin.  It would be in their best interest to no just maximize revenue but to maximize the long term strength of Bitcoin.  That may mean funding development, funding attack testing, innovating new security features, etc.  It aligns the interests of the "network" with the interests of the miner.

$1 mil in hashing hardware buys you a "stake" in a pure proof of work model.
$1 mil in escrowed funds buys you a "stake" in a pure proof of stake model.
$500K in hashing hardware & $500K in escrowed funds (or the optimal split) buys you a "stake" in a hybrid model


That is of little value.  There is no economic value to disrupting the network.  In a non-economic attack it is naive to think an attacker would spend an amount of funds which makes "breaking" the attack feasible.  Say $20M buys 51% of the network.  If citibank wanted to destroy Bitcoin they wouldn't be stupid enough to spend $20M.  They would budget $80M.  They would spend $40M to gain 70%+ hashing power and deploy only enough as needed.  This would be horribly bad for "defenders" because despite adding hashing power citi would simply add more and defenders would keep falling behind (and racking up operating costs).  They could keep another $20M ready to buy additional off the shelf hardware to deploy if necessary and use another $20M to fund proxies (120% PPS pools) to gain the "marginal" hashing power without any long term investment/cost.

Sure $80M > $20M but if an entity wishes Bitcoin destroyed spending $50M to $80M for a guaranteed destruction vs $20M on a roll of the dice is far more likely.



There is no economic value in that and proof of work can easily be outspent if the intent is non-economic.  Like you said anyone trying to do that for economic gain would simply see people move to an alternative.


Cite?  The variance is a by product of the mechanisms used in proof of work not a desired attribute.  On a large scale over a long period of time variance is mostly meaningless.  Check with Tycho how much the variance for Deepbit is over 90 days, 180 days, 365 days?  Rapidly approaching 0%.

It isn't off-topic. I don't want to speak for C but as I understand it in a hybrid model (proof of work + proof of stake) it is more efficient to acquire and grow a proof of stake alongside your proof of work (hashing power).

Proof of work:
All cost is in hardware, electricity, and labor.
For heavily leveraged miners this necessitates SELLING Bitcoins to pay for fiat expenses.

Hybrid.
Some of the costs are still in hardware, electricity, and labor.
However some of the "costs" are in the "stake".
Miners are less likely to be heavily leveraged.  Also there is an optimal balance between stake and raw hashing power so a miner with 20GH/s (as an example) may find a higher ROI% increasing stake size rather than adding another 1 GH/s of hashing power.  

Once again as an example:
Revenue from 20GH/s w/ 10% MORE stake > 21GH/s w/ same stake

This means miners not only don't need to sell all their coins but they can expand their operation by holding/escrowing more coins.

Can you explain what these sentences mean?

In Bitcoin if you solve a block the coins that are part of the reward (transaction fee + block subsidy) are unspendable for 120 blocks.  If you try to spend it the client will stop you. If you hack the client then the transaction will be seen as invalid by rest of network until the inputs are at least 120 blocks old.  (technically it is 100 blocks but that is another story).  This is done to prevent orphaned double spends.  If you could spend generated coins (coins produced from thin air in coinbase) right after generation then you could "pawn" that risk off on someone else.

I solve a block #177,777 = 50 BTC.  Sweet.
I buy something from you for 20 BTC.  You ship it.  I pay you the 20 BTC from my block reward.
A different fork of the block chain ends up longer.
All nodes replace "my" block #177,777 with the version solved in the replacing chain.
My block becomes orphaned.
My/now your coins disappear.  They never exited because as far as I never solved the block #177,777.  

Either way the coins are "lost".  Bitcoin limits that lost to the miner by making the coins unspendable.  If a re-org occurs it likely will be within 120 blocks after generation (forks greater than even 6 blocks are extremely rare outside of an attack) thus my coins disapear before I can spend them.

Given this already existings in Bitcoin it can be adapted to form a built in "stake escrow".  Lets say for a proof of stake you wanted the "staked" coins held in escrow for 2016 blocks.

Bitcoin Coinbase:
Input = 0 BTC
Output = Reward + transaction fees (currently ~50 BTC).
Coins can't be spent for 120 blocks.

Proof of work/stake hybrid Coinbase:
Input = stake
Output = Stake + Reward + transaction fees (~50 BTC + stake amount)
Coins can't be spent for x blocks thus forming an automatic and irreversible escrow (x=2016 in this example).

this.

what a great analogy and well said.  i wholeheartedly agree.

I'm with D&T.

[tl;dr] While it is true that I am a bit careless sometimes, it looks like I didn't make an error after all.
 
Meni pointed out that doubling hashing power doubles the immediate probability of mining a block. This is true. However, my system is dynamic. In my system, finding a block today tremendously decreases the probability of finding a block tomorrow. Due to this factor, returns to scale can only be evaluated as the average rate of finding blocks over a longer time period, not the one-off opportunity of finding a block now. If you mine a block, then you use up all of your coin-confirmations and the timing of your next block is delayed. Because of this effect, increasing hashing power exhibits decreasing returns. Once you mine a block you have to wait for your coin-confirmations to gradually recover before you can effectively mine again. There is a downside to hashing the block now because it decreases expected output in future periods.

In simulations, I actually find that my system exhibits constant returns to scale (though some small deviation is possible. I tried to run larger trials, but matlab ran out of memory). If you double both your hashing power and your wallet balance simultaneously, then your rate of finding blocks doubles.  I played around with a parameter alpha. Alpha is a parameter in (0,infinity) which determines the importance of stake relative to work, as alpha approaches infinity work become irrelevant, as alpha approaches 0 stake becomes irrelevant, if alpha equals one then they are equally important.

I want to run my simulation by Meni to see if I'm doing something wrong. I use discrete time which is indexed by 100 million draws.

1) Take one hundred million draws from a uniform distribution on support of [0,1]; denote these as rand(i) where i indexes draws
2) Assume agent uses k unit of hashing power and c coins (each coin starts with 1 confirmation)
3) denote the conf(i) as the number of coin-confirmations in the account at time i; note that conf(1)=c
3) Assume that difficult is such that the probability of mining a block in one unit of time with 1 unit of hashing power and 1 coin-confirmation is 10^-8
4) Go through these draws sequentially as follows:
4a) If rand(1) < (10^-8)/(k*conf(1)^alpha), then a block is mined
4ai) Add one block to count of mining payoff
4aii) conf(2)=c
4b) If rand(1) > (10^-8)/(k*conf(1)^alpha), then the hash isn't good enough to mine a block
4bi) Assume someone else mines this block, so conf(2)=conf(1)+c
5) iterate this procedure through all 100 million draws

Here are some simulation results:

Looking at decreasing marginal products of stake and work:
Alpha = 1 ; k = 1; c = 1   -> 7959 mined blocks
Alpha = 1 ; k = 2; c = 1   -> 11227 mined blocks
Alpha = 1 ; k = 1; c = 2   -> 11259 mined blocks 

Conclusion: Factors have diminishing marginal returns. [hmm; alpha corresponds to equal factor shares; actually this looks exactly like a deterministic cobb-douglass function with equal factor shares, e.g.
alpha=beta/1-beta, so alpha = 1 -> beta =0.5
e.g. CRS Cobb-Douglas is Q= A*c^beta*k^(1-beta) with equal factor shares beta =0.5 and A =7959 is a normalization. Prediction would be 7979*(2)^0.5*1^0.5=11225.7257 .... pretty damned close.


Looking at returns to scale:
Alpha = 1 ; k = 1; c = 1   -> 7959 mined blocks
Alpha = 1 ; k = 2; c = 2   -> 15999 mined blocks
Alpha = 1 ; k = 100; c = 100 -> 800733 mined blocks  

Conclusion: Either constant returns or exceptionally close to it.

Playing around with big alpha which makes stake much more important than work (Here I re normalized the base chance of finding a block on trial one to 10^-40)

Alpha = 10 ; k = 1; c = 1   -> 19455 mined blocks  [ignore the increase difficulty would have to be renormalized]
Alpha = 10 ; k = 2; c = 1   -> 20719 mined blocks  [doubling hashing power doesn't get you very far now]
Alpha = 10 ; k = 1; c = 2   -> 36530 mined blocks  [but now doubling stake almost doubles output]
Alpha = 10 ; k = 2; c = 2   -> 38912 mined blocks  [still looks like constant returns to me]
Alpha = 10 ; k = 100; c = 100 -> 1954898            [yup, either I screwed up the simulation (possible please critique) or my system has constant returns]
 
Let's test if Cobb-Douglas predictions are still holding up strong. To convert Alpha to the stake share we have

alpha=beta/1-beta, so alpha = 10 -> beta = 10/11. The normalization is A=19455

With k=2 and c = 1, we have 19455*(2)^(1/11)*(1)^(10/11)= 20720
With k=1 and c = 2, we have 19455*(1)^(1/11)*(2)^(10/11)= 36534

Okay, either my simulation is fucked, or my system behaves exactly like a constant returns to scale cobb-douglass production function. Please explain how it is fucked because it seems to work exactly like I expected it too which is actually really surprising to me.

Here is a wikipedia link for the interested reader:

http://en.wikipedia.org/wiki/Cobb%E2%80%93Douglas_production_function (http://en.wikipedia.org/wiki/Cobb%E2%80%93Douglas_production_function)

I particularly direct your attention to: the property that expenditure on any given input is a constant fraction of total cost

This constant fraction is determined by the parameter beta which is equal to the amount of expenditure an efficient miner would invest in stake. He would spend the residual percentage of 1-beta on a combination of electricity and hashing equipment. What percentage of mining funds for should be devoted to stake and what percentage should be devoted to computer equipment and electricity?
As currency designer, you get to pick this! This is like some kind of economics wet dream.

Very eloquently said.
Agree.
Thank you.

D&T. I agree with you about escrowing coins, but I think we need to take things one step at a time. I get confused relatively easily and we have very little consensus about anything here. Once we have a good proof-of-stake algorithm, then we can think about working escrow into it. Escrow is conceptually extremely simple. It just means waiting for your block reward instead of getting it now.

Your argument is that wealth "PUT AT RISK PROTECTING THE NETWORK" is stake, then if "Bitcoin fails during the escrow period you LOSE the stake." In that we agree, but it won't happen right away. Fiat currency works the same way. All is well and good while the flow of money is free, but with PoS, a monopolist can choose to support a society. The monopolist can then slowly and quietly chose to eliminate competitors insidiously.

You are talking about $80M like it's real money. You are thinking far too small, my friend. Add several more zeroes and we'll start talking. If Bitcoin is that small a game for you, then you are not long. For every Citibank there will be someone else playing king-of-the-hill. Citibank isn't anywhere near the wealthiest or most powerful entity in the world. Not even close. Citibank is no threat at all. In a game where the rules are fair and honest, corporations built by litigation lawyers and scam artist will lose against honest, hard working people willing to sacrifice their lives for the security of their families.

Their non-economic intent would not be so overt. "First they came..." (http://en.wikipedia.org/wiki/First_they_came%E2%80%A6#The_text) Again, absolute power is insidious.


Mining pools mitigate variance, but also puts faith in potential monopolists that may or may not act with bad intent. The Tychos of today could be the Joseph Stalins of tomorrow. As far as a cite for the introduction of variance instead of a time based block release mechanism, I'm not sure if the intent was to promote random fairness or it is simply serendipitous. If he didn't want variance, he would have chosen a SolidCoinish model like PoS.

Thanks for your explanation, D&T.  You've certainly shed some light on the subject for me.  I've been trying to read through the major threads on PoS/"Tragedy of the Commons"/"Disturbingly low future difficulty equilibrium"/etc. to get up to speed on what folks are thinking; it's truly a fascinating discussion.  But I guess I'm still having trouble understanding why cunicula's system necessarily leads to miners purchasing more bitcoin.

If I'm a "rich" miner (in terms of hashing power, BTC holdings, or both) why would I buy more BTC when I could simply band together with other rich miners for free?  In the end, doesn't this accomplish the same thing for me?  Poor miners won't be buying a lot of BTC to protect their mining ROI because, well...they're poor.  So I still don't see how cunicula's system leads to more BTC purchases (except temporarily by a few "middle-class" miners who want to buy into a "rich miner" pool).

I'm also a little unclear about another aspect of cunicula's system.  In effect, it removes BTC from circulation in order to add security the network, does it not?  I can certainly see how this would cause upward pressure on BTC prices, but doesn't this upward pressure further limit the ability of miners (both rich and poor) to increase their stake through BTC purchases?

Finally, I realize there's no guarantee against a mining monopoly forming in the current system - but won't cunicula's system make a mining monopoly damn near inevitable?

[edit for spelling]

[2nd edit: Upon further thought, I believe I was seeing an incentive (for rich miners to form an exclusionary pool) in cunicula's system that's simply not there.  That's what I get for PWI lol]

A way stakeholders can vote on block checkpoints right now is to include in a txn, an output of zero coins to the bitcoin address derived from the hash of the checkpoint block.  All of the inputs in that transaction would then be understood to contribute to the vote.

Is there a better way to do this?

Does anybody who knows how merged mining works know if miners can merged mine side branches off the main branch?

If that's the case, then this PoS experiment https://bitcointalk.org/index.php?topic=68213.msg799588#msg799588 (https://bitcointalk.org/index.php?topic=68213.msg799588#msg799588) can be done right now, without any changes to bitcoin.  Just gotta find enough stakeholders and miners to participate in testing, which I suspect will be the hardest problem of all  ::)

Also, all of these ideas for miners to lock up a stake in coinbase txns seem to break once a market for locked coins opens up.  I'm sure any trust issues you (istar) hope might prevent this can be easily overcome with multisig txns and mutually trusted escrows.

Yes, I believe so, this is whats appears so great about it. In order to gain a massive advantage, you would have to buy up lots of coins, while doing so you would drive the price up. Making it much more expensive than today to make an attack because it would take time and during that time you would have to support the network. However the downside might be that once you do have it, it would be very hard for anyone to regain control. Though that is somewhat true of a 80% attack.

Yup.  There certainly seems to be some benefits to these PoS proposals - as long as you're convinced of the inevitability of low hashrate resulting from miner's reliance on tx fees in the future.  But from my own (admittedly naive) perspective, I'm not convinced there's a problem with the current PoW system that needs fixing.  I guess I'll quit typing and go back to reading for a while longer.   ;D

(edited my previous post above)

I believe some coder should implement my mixed proof-of-work / proof-of-stake solution with an accelerated block reward so that all block rewards occur within the span of a few months.
Then we could see the system operating under the harsh conditions of no block reward, which it is designed to solve. We would also find out what sort of long-run equilibrium fees would obtain under the system.
It seems like a relatively simple modification, so the coding labor should be relatively modest.

I may turn out to be wrong of course, but I feel pretty confident that it will work well.

Not sure what such an experiment will prove. As a POC, it's unlikely to attract of lot of people, especially with no block reward.
The whole PoS system is meant to work when there is a lot of real transaction volume. Without a good volume of tx fees, there is no incentive to mine this alt chain, and the experiment will not tell us much about what will happen with Bitcoin in years to come.

I don't think this is a very urgent problem. It's good to have discussions and simulations, but I wouldn't personally invest in this alt chain for now.

Do you think bitcoin would ever adopt an unproven technology? I highly doubt it. A proof of concept is necessary.

Due to the unambiguous superiority of the technology, it could grow and potentially replace bitcoin (despite being inherently disadvantaged like facebook was compared to myspace).

It will start with very few users so it should be easy to attack. People will want to attack it potentially out of spite. If it can't be attacked successfully, then that represents a novel and important innovation. The current alt chains don't have this property and bitcoin doesn't either. It will be the first innovative alt chain. Moreover, to drive the point home, a proof-of-work version can be forked off the main chain after all coins are mined. The obvious vulnerability of the proof-of-work fork will provide an indication of what will happen to bitcoin eventually if it doesn't adopt proof-of-stake.

The bitcoin developers don't understand economics very well. They will need an object lesson to help them understand some important concepts.

Finally, the proof-of-stake system has some ponzi-like properties which may attract interest from gamblers.

It's quite possible that the fact that finding a block, as opposed to looking for one, requires consuming the coin-confirmations resource, was lost on me.

Are you sure that's your simulation? The line rand(1) < (10^-8)/(k*conf(1)^alpha) suggests that increasing k and conf(1) decreases the probability of finding a block. So either it's really (10^-8)*(k*conf(1)^alpha) and then it's ok (for now, see below), or it's rand(1) > (10^-8)/(k*conf(1)^alpha) and then it's wrong, or something weird is going on.

Also, when you determine the probability to find a block, the value of k should not be raised to any power (this was my earlier point - twice the hashrate, twice the probability to find a block with a given number of coin-confirms). conf should be raised to the power beta since that's how you determine the target.

In 4bi you're assuming one block is found in this time unit. This assumption probably does not affect the results, but It's safer to let X be a Poisson random variable with mean 1 and conf(2)=conf(1)+cX.

I think you guys totally underestimate the desire of the marketplace to disintermediate the banks:

 http://www.telegraph.co.uk/finance/economics/9143581/Technology-could-take-the-bankers-out-of-banking-says-BoE-policmaker-Andy-Haldane.html

Any proof of this statement? I don't know about the current developers, but Satoshi had quite a good grip on economics. Bitcoin is a brilliant innovation that relies on economics principles.


As do all crypto-currencies. Still, I don't see it attracting a large enough audience right now, but ... go ahead, prove me wrong.

Yet Another Proof of Stake Analogy (YAPSA)
As if the unbreakable monopoly of PoS isn't bad enough, it is also anonymous. With a PoW 51% monopoly, it is held by traceable physical mining rigs. If a monopolist started to threaten to reject all transactions from blue-eyed people named Meni or cunicula for example, it is no doubt that GLOBAL OUTRAGE would ensue. World Governments would rush to the aid of blue-eyed people named Meni or cunicula by cutting those mining rigs operators off from their Twinkies and Mountain Dew. Such dire consequences would surely deter any such egregious action from happening again.

If a PoS monopolist were to form a cabal against blue-eyed people named Meni or cunicula, they could anonymously hire unwitting mining rig operators to do their dirty work for them. Those mining rig operators would then likely be dragged before the World Courts and publicly denied Twinkies and Mountain Dew for life despite cries of innocence. The PoS cabal would then move on to their next stooge to wage war against blue-eyed people named Meni or canicula. I don't know about anyone else, but I will fight for the rights of blue-eyed people named Meni or cunicula and their God-given right to Twinkies and Mountain Dew.

[edit] You can dress it up all you want, but it's at best making a silk purse from a sow's ear, and at worse a wolf in sheep's clothing.

A Pos would also be part of a sollution to another "problem" Bot mining?

Actually when i think about it why only miners?


There is a good reason to not have a Pos only system.
There are many potential problems.
One is that there is no way for others to take back control over the mining as soon as someone once
owns most of the coins.

Once that would happen there will be no competition among the miners.
The competition makes sure transaction fees are kept low and that the hardware is upgraded.
Processing transactions at an ever increasing speed.

Thus I think a Pos only would fail.


And some brainstorm.
For an Altcoin there could be a Pos even for users ;)

What if you could not transfer (sell) more than 50% or x% of your coins at once.
That would mean that a panic would not cause people to be able sell all their coins at once.

Also that if you are out to Pump and Dump.
Your other coins will decrease in value, removing the incentive to panic.

If you panic your own resources will decrease in value.

This would mean that every user would have sort of a Proof of stake.

This could be optional by giving users enough advantage so that they want to lock up their coins.
Such as coins locked would get an interest rate or lower the transaction fee on the users other coins.

Anyway this would ofcourse be impossible to design?
But it would be interesting to see this tested in a Alt-coin.

Thanks, I transcribed it wrong, though it is correct in the simulation.  The condition for mining a valid block should be rand(1)/(k*[conf(1)^alpha]) < 10^-8

.I added the extra bracket to clarify that I'm not taking hashing power to an exponent.


You are also right. The length of hashing rounds should be a Poisson random variable, whereas I made them deterministic. However, this should be coded differently from what you suggest. If you write it as conf(2)=conf(1)+cX, then this implies that the miner randomly misses the opportunity to participate in mining for a sequence of blocks. Instead, it should be that the miner can get multiple hashing opportunities before accumulating another confirmation. I will fix it when I get the chance.

I was assuming each iteration corresponds to a time unit. If each iteration corresponds to a block being found somewhere then your simulation seems to be fine as it is.

The start-up of such a chain could be interesting. First person has no stake. Each new person has no stake unless they buy it from an earlier person...

-MarkM-

Yes, each iteration corresponds to a block mined. The probability you draw is the probability of you being the miner of that block and (all else equal) it doubles when you double your hashing power.
I think you are right that it is okay as is, but i will still play around to see if anything changes if I convert from [one iteration = one block] to [one iteration = one minute]. It should yield the same answers.

Yes, this is what I mean by the Ponzi-like properties.

Yes, PoS would reduce the attractiveness of bot mining in at least one way:

1) [primary] PoS would simply decrease the advantages associated with control of computing resources such as botnets.
2) [marginal] Bots would need to communicate with an account holding the bitcoin in order to hash effectively. This might make bots slightly easier to detect/trace, but the owners of victimized computers probably wouldn't know how to do this, so I doubt this has any practical relevance.

If indeed "advantages associated with control of computing resources" is decreased with PoS, then oligopolist conspirators using botnets would certainly be able to create a very large shell game. They would be thoroughly decentralized.

Question...let's say 10 miners initially participate in this start-up, they all have identical hardware, they all start mining at the exact same instant, and PoS is weighted at 80%. When the first block reward is collected by one of the ten, what has happened to his percentage of the network?

(yes, I'm computationally challenged)   :-\

The lucky miner's percentage of the network is approaching 100%.
 
I'll calculate it for you:

Long-run hashing power of individual holding 50 BTC and x units of hashing power
(50)^0.8*(x)^0.2= 22.87x^0.2

Long-run hashing power of individual holding 0 BTC and x units of hashing power. In this case the individual has hashing power of 100-satoshis or 0.000001 BTC-confirmations.

1.58489319*10^-5*x^0.2

Adding up these 9 miners and rounding, they have
9* 1.58489319*10^-5*x^0.2 = 1.4*10^-4*x^0.2

The share of the lucky miner is thus
22.87/ (22.87+1.4*10^-4) = 99.9993878%

If you don't like this extreme lottery style distribution arrangement, then you could set it up with some constraints on the use of recently minted coins. Essentially you would require that newly generated coins have y confirmations on them before they can be sent or used to mine blocks. This would give the other 9 guys a time span of y blocks to establish a stake too. The initial lucky miner still has an advantage, but it is much, much smaller.

I think that the y confirmation limit on use of newly minted coins is definitely a better arrangement, but I am not proposing stuff like this now because I want to focus on the core issues (which are long-run issues not initial distribution issues). I don't think initial distribution matters much.

I also am curious about what would happen in the extreme lottery scenario.

The guy who has 99.9999% of hashing power has a strong incentive to sell off or give away almost all of his coins until he has say 10 or 20%. His 99.9999% of hashing power is not going to be worth anything if the other speculators drop out of the game. Instead, he would want to ponzi up the currency. First giving away coins to one group of speculators (most likely giving away more than half at this stage), charging the next group a very very low price, the third group a very low price, the fourth group a low price, ... until he has a small amount left like 10%.  He will have to be willing to use some of his initial revenue to buy back coins if price fails to rise. If the downward price pressure is really strong, then he should let the bubble pop and sell on the way down.

Initially, the speculators perceive that the value of the currency has steadily risen, so they want to invest in the bubble. Sale to new investors gives the initial miner his profit. The early stage miners who bought in low profit too. I'm not sure how long the ponzi would continue until the bubble collapsed. However after the bubble collapses, ownership in the currency would be quite widely distributed.

An instant monopoly?  Faith and begorrah!   ;D


What about setting the PoS weight (your "p" value?) very very low at first, and growing it over time?  Couldn't you make it behave like the current system's growth of the BTC money supply, where it approaches some arbitrary value (80%) as the system matures?  Would this not address the initial distribution problem in the hypothetcal start-up chain?  Might growing p over time offer a solution to a different problem you're facing with implementing PoS in the current system? (adoption)

Now I realize I'm coming from a position of ignorance on these matters, so I'm not advocating anything...just asking questions.   :)

First off, a more immediate problem than adoption is that no one with appropriate skills has volunteered to modify the bitcoin code to make a proof-of-stake altchain or minority fork possible. The modifications should be very simple, but I cannot do them because I am an economist with no programming skills.
 
Secondly, your idea works and sounds good. Let's consider the starting result where p starts out at 0.01 and increases by some small fixed amount or percentage with every block until it reaches some long-term target.

The initial block finder would have mining power at block 2 equal to:
50^0.01/(50^0.01+9*0.000001^0.01)=11.7% of the network. The other 9 miners would each control 9.8% of the network.

Thus we no longer have a winner take all lottery. I agree that this is probably a better system than a winner take all lottery (though I still find the winner take all situation amusing). Moreover, it should be extremely simple to code this.

An offset introduces decreasing returns to scale (DRS).  With DRS, output per unit time increases when you subdivide accounts. Fixing hashing power, mining with 100 accounts with 0.01 bitcoins in each has a higher output rate than mining in 1 account with 1 bitcoin. Nevertheless, an offset works too. It just needs to be phased out completely after the initial distrubition period is over because DRS allows gaming of the system.

There is a form of PoS that could work if it is possible. What if you could choose the mining pool you want to authorize your transaction through the P2SH script?

We would also need a demurrage tax for the fees earned by the pools. While the pools can auction their service competetively, they will still lose a percentage of their fee profits back into minable blocks. The tax would keep mining desirable, the auction would keep fees low, and the stake would be controlled by the people spending their Bitcoin. It would be less attractive for a monopolist to make a lot of transactions and pay the demurrage tax.

This wouldn't technically be a PoS, but would allow consumers to choose to avoid pools that threaten to reorganize the blockchain. I'm just not sure how to implement and verify a mandatory transaction tax. I suppose it would be visible in the blockchain if it was paid.

Right, seems like I still haven't got the hang of your system.

Starting p at 0 and letting it gradually grow to the target value seems like it could work, but there's still a nontrivial bootstrapping problem. I guess that a faucet to get a small stake to start could mitigate it. p should remain very small until there's a somewhat decent exchange.

mmm...I thought you were still identifying requirements and refining/vetting a design to meet those requirements for your PoS altchain.  If I was a programmer (I'm not), I wouldn't be inclined to begin coding anything until a design phase is complete (especially on a volunteer basis).  I've read through this thread and the wiki entry a couple of times, and I still don't see a workable design for an altchain yet...am I missing something?

If you're saying the altchain design is complete, and it's represented by:

Hash Difficulty >= Difficulty Target / ( max(Coin-confirmations used to sign block, 100 satoshi-confirmations) )^( p / (1-p)) with p = .8

the design clearly leads to a mining monopoly under any likely startup scenario.  Why would such a design attract interest from volunteer programmers?  After the very first roll of the die, isn't the new altchain reduced to an academic exercise in monopolist behavior?

Seems to me that until a mechanism is designed into the new protocol to prevent the "instant monopoly" problem, you're not going to attract interest from volunteer programmers (or anyone else for that matter) in an altchain.  Whether the mechanism is based on a y confirmation limit, an escrow scheme, growing p over time, or some other option, don't you think the issue has to be addressed before it's handed off to a programmer?

If you're saying that your formula above constitutes a sufficient design for implementation in the current network, then your ONLY problem is adoption.  Not trying to be a dick here, but since the bitcoin developers are among the first ones you'll need to convince of the merits of your proposal, you may want to refrain from posting things like "The bitcoin developers don't understand economics very well" going forward.

This is a relatively easy problem to fix if we want to go forward.

But in case there is any doubt, I oppose creating this altchain anytime soon. Unless it is very well thought out (preferably with some additional improvements over the original Bitcoin. There are quite a few issues in need of fixing) and has several supporters willing to dedicate effort to making it succeed, it will do more harm than good.

Easy?  Well, I'll take your word on that.  My point is that since you can't ask a programmer to implement anything based on an incomplete design, I don't see how the current lack of a coding volunteer is a pressing problem right now - as cunicula seems to suggest.  Worrying about a coding resource at this stage is putting the cart before the horse, no?  Maybe I misunderstood cunicula's post, though.   :-\


Agreed.  No need to worry about programming/deploying an altchain until a design is developed and a consensus achieved (particularly if you're increasing the scope of the project beyond PoS and including other improvements).

BTW, have you got any further details on the nature of your PoS proposal?  As I mentioned earlier, I find these ideas fascinating...even though I might not fully understand them.   ;D

Okay, I got you. Part of the problem is that I am not at all familiar with coding. I think this seriously limits my ability to make any complete design without substantial help. It also means that I don't even understand the process of making a design very well. I imagined that it was something like scrape together a prototype, find out where it is broken, fix it, find out where it is broken,..., continuing until you are satisfied with the prototype and ready to release it. Apparently more thought goes into the pre-prototyping process than I had imagined.

One thing that would help is if I knew everything that a complete pre-prototype design needs to contain.

Anyone care to make a list for me? I can make a new wiki and gradually try to fill in the necessary details (hopefully with a lot of help).

I completely agree about the possibility for many additional improvements completely unrelated to proof of stake. I focused on the proof of stake issue because it seems more important to me than any other single issue.

To put together a new project, there has to be a consensus among the design participants about its desired functionality. Obtaining consensus is hard, especially among people who haven't developed mutual trust and understanding. Thus, it seems to me that formation of a plausible groups of core contributors has to begin fairly early on in any group project. Once a group of people can agree on one core goal, there is a basis for negotiation over additional goals.

I've added a description of my PoS system to the wiki. But I'm beginning to like cunicula's system, it seems more robust against DoS attacks.

Thanks...reading....bump thread for further input...

(Copied, with minor edits, from my recent contribution to https://en.bitcoin.it/wiki/Talk:Proof_of_Stake (https://en.bitcoin.it/wiki/Talk:Proof_of_Stake).)

Proof of stake - done right - is maybe, just maybe, the way to eliminate 51% (even 90%!) attack worries altogether!

The vigorous debate about which of various systems, on a spectrum from pure proof of work to pure proof of stake via hybrids in between, is very enjoyable and thought-provoking. But when all is said and done, the evaluation process always boils down to "which system is least likely to allow the horror of a 51% attacker getting total control?". It's just assumed, by everybody as far as I can tell reading through the forums etc, that a 51% attack is a sure-fire route to total control, and that there's nothing anyone can ever do about that.

(And make no mistake, total control will not stay benevolent, even if it starts off that way. The temptation of the total controller to start acting exactly like the banking system as we know it today - inventing ever more elaborate rules for what sort of transactions it will deign to process, how much it feels like "knowing" about its "customers", and so on - and, beyond that, the temptation of the political system to put unstoppable pressure on the controlling entity to do all these things and more - will be huge, permanent and irresistible. "Decentralisation" will become worthy only of a hollow laugh.)

But, I would like to ask: are we thinking imaginatively enough about this? What about seeking a protocol where even a much more than 50% attack still fails? (Where the "%" figure refers to whatever the scarce resource is - work, stake, an optimum Cobb-Douglas mix of the two in a hybrid system... whatever.)

It's been taken as "obvious" that a 51% attack will succeed. One unit of the scarce resource is the same as another, and 51% beats 49%, and that's all there is to it! But proof of stake means the scarce resource is not the fungible "stuff" we're used to from proof of work. Stakeholders (unlike proof-of-work miners) are pseudonymously trackable. (They sign with a pseudonymous identity when they supply bitcoin days destroyed into a coinbase transaction, or whatever similar thing they have to do to establish they're a stakeholder.) And they can't cheaply change their pseudonymous identity (sloshing bitcoins around before landing them on a coinbase throws away all those lovely bitcoin days that could have been destroyed into the coinbase).

This opens up wonderful new possibilities. We no longer have to compute the "height" of a candidate blockchain as just the sum of atomistic contributions from each block (like the sum of their difficulties, in the case of the current Bitcoin). We can reward preferred structures and patterns in the way the pseudonymously-trackable stakeholders are interleaved in the chain.

In particular: we can reward "closeness", in some mathematical sense yet to be pinned down, to a sort of proportionality or "fair sharing" pattern. So, for example, a miner or set of miners with 10% of the deployable stake, who so far has less than 10% occupation fraction of the blockchain (maybe they've barely started mining at all), can have each block they mine (and help bring their share closer to the "ideal" 10%) be deemed to contribute more incremental height to the chain than an atomistic sum formula would have given. And conversely, if they overshoot and already have 15%, a structure-aware chain height formula can allocate less incremental chain height for the overshooting fraction than an atomistic formula would have given.

I believe that if we choose such a formula cleverly, we may well be able to protect against attacks that have been considered an obvious lost cause - 51%, 80%, 90%. For note that the attacker(s), say with 90% of the stake resource, and the honest miners, with the remaining 10%, have asymmetrically different goals.

The attacker, or attacker cartel, wants (in the scenario we're traditionally most worried about) to either bring down Bitcoin, or keep it going but with control over what transactions are "acceptable" - e.g. to act like a know-your-customer bank, or to harass targeted persons or economic sectors by rejecting their transactions. To achieve this, the attacker has to keep all blocks generated by the honest 10% out of the winning blockchain. (If even an occasional one got through, in a way the attacker couldn't reverse, it would of course include all the accumulated pool of "ordinary, reasonable" transactions the attacker is trying to reject - the 10% just want to earn an honest profit by collecting all those fees.)

By contrast, the honest 10% do not have to aim for the symmetrically opposite goal (of excluding the malicious 90%). They merely have to aim for achieving a reasonable interleaving of their honest blocks into the winning blockchain. Then ordinary users will get their transactions handled (albeit more slowly than they might have got used to); and the honest miners will collect their fees.

The challenge, then, is to design the structure-aware chain height formula so that the attacker's would-be chain loses (even though, of course, a mere sum of stake-achievements block by block would allow a 90% attacker to effortlessly win). The idea is that, if closeness to fair share interleaving is being especially highly rewarded, then the attacker's chain gets penalized for being far away from fairness: the 90% have 100% occupancy, and the 10% have 0%. The competing chain with some honest blocks here and there gets strongly rewarded by comparison (say for example the 90% have 93% and the 10% have 7% - that's closer to fair shares than the attacker-only chain). It wins!

The exasperated attacker fumes, "Why the hell can't I reverse these pesky honest blocks? I'm deploying 90% of the network's entire power! My chain without them should be the winner!" Ah, but structure-awareness is rewarding their presence and penalizing their absence. And with a strong enough such effect, who knows, perhaps any percentage level of such a style of attack can be thwarted!

I've created a draft page, https://en.bitcoin.it/wiki/Proof_of_blockchain_fair_sharing (https://en.bitcoin.it/wiki/Proof_of_blockchain_fair_sharing), for ideas fitting into this general milieu. At the moment it just has a teaser description of the general idea (pretty much similar to what you've just finished reading here). I had hoped to spring a polished structure-aware height formula on the world; sadly, my first effort I believe has subtle economies and diseconomies of scale (giving stakeholders perverse incentives to either club together, cartel-like, or disaggregate, taking on multiple pseudonymous identities each). That's not the end of the world perhaps - especially since the whole point of this revolutionary new approach is that a cartel (even going above 50%) is no longer something to be terrified of - but I'd prefer long-run scale-neutrality if possible. More importantly, I now also believe my first effort doesn't achieve a strong enough bias in favour of fair-shares chains to make much difference (it maybe means a 67% attack is needed to gain total power, rather than 51%... mildly helpful I suppose, but I still aspire to the dream case where no finite attack succeeds in the long run).

Naturally, I'm hoping to invent a formula that achieves the miracle of letting any honest minority, no matter how small, achieve a non-zero occupation fraction of the winning chain. (Their achieved occupation fraction might not be exactly the "fair" one; but any non-zero fraction would let Bitcoin continue, albeit slowly and creakily, and with luck the attacker eventually concedes defeat.) To speed up progress, I thought it only fair to throw open this challenge to all mathematically-minded Bitcoin folk - after all, there are doubtless others far more talented than me!

I applaud your creativity, but don't see how this could work. Presumably a monopolist can choose not to contribute blocks to a chain he doesn't like. This would make the disfavored chain highly nonrepresentative (more so than the monopolist's chain). Isn't that a serious (fatal?) problem for this design.

Note: i prefer the term monopolist to attacker because i don't accept the claim that a monopolized chain will always lead to abuses of power. This depends on the monopolists incentives. proof of stake provides very strong incentives to behave responsibly.

Ah, but remember the asymmetry of the two communities' goals. Imagine the 90% attacker (I'll use the word "attacker" because we can live with a benevolent monopolist - it's when they stop being benevolent that we have to start caring, so to speak...) has already built a tall contiguous chain run, perhaps tens or hundreds of blocks tall, which is purely theirs - the attacker has (so far!) kept successfully reversing and excluding the blocks offered up by the 10% of honest miners. Thus, so far the attacker's chain has kept out the transactions the honest miners are including as a matter of course (to earn the fees), and has let in only those transactions (if any) the attacker wants to deign to permit.

At this point, because the honest 10% aren't trying to build an honest-10%-only chain - a goal they would indeed have no hope of achieving - but merely to get an honest block into the chain here and there, we have the interesting situation that both communities are trying to build on the attacker's proudly built tall chain.

This is where "proof of blockchain fair sharing" - a suitably cleverly chosen structure-aware chain height formula - could swing into action. The attacker's would-be (n+1)th block is keeping things as skewed as ever - the 90% having 100%, the 10% having 0%; whereas the honest miner's would-be block is at last moving things incrementally towards proportionality - the 90%'s share down a little to 99% or whatever, the 10%'s share up from 0% to 1% or whatever. So, with the right formula, we can hope that the candidate chain we're rooting for, i.e. the one with n attacker blocks followed by 1 honest miner's block, will win over the "pure evil" one (with n+1 attacker blocks)! - And so on up from there, giving the reasonable interspersal the honest miners crave.

OK, I freely admit that this is all talk until I, or someone else, actually comes up with a structure-aware formula with that property. But I think the omens are good - there's such rich pseudonymous structure in a proof-of-stake chain (compared with a proof-of-work chain) that some formula can maybe do the job! (It doesn't have to be literally a "formula" in the traditional mathematical sense - "algorithm" would be a better word really.)

It's precisely to get as large a talent pool as possible thinking about these possibilities that has motivated me to go ahead and publish the broad framework right now, without having come up with a formula myself. Better that, I think, than to have just me working silently away on a formula, and, uh, perhaps not having the talent to find one that someone else could find quickly!

If it takes so long to explain, it probably won't work. Give me your elevator pitch, no more than one paragraph and 3 or 4 sentences. Tell me exactly how to implement it in the current system, and tell me exactly how it won't be materially different then what we are used to, so that users don't get scared. If you can't, you have failed, and it isn't worthy of consideration.

I created a bounty (https://bitcointalk.org/index.php?topic=96854.0) for the first Proof-Of-Stake coin AKA StakeCoin.

The 90% attacker can also feign an attack upon itself, and create confusion as to which blockchain is the real one, for an extended period of time, though I do not know how for how long.

POS would mean keeping your coins in an unlocked wallet like by PPcoin and I wouldn't say that is a security improvement.

You can have separate private keys for voting and spending.

lol

hmmm
I think the POS technology is still not so developed and proved to make a hard fork on it. But PPCoin and Novacoin also are good experiments and maybe some day could be so far.
Some occasions could also accelerate this process, for example if governments would begin seizing mining hardware.

So, apart from the guys shouting "rich will get richer" (if I have invested several thousands dollars in mining hardware, I would have been shouting that too), the only problem for having a PoS-only currency is the initial distribution of the stake (correct?). And the current solution is the hybrid PoW/PoS implemented in PPCoin. Ah, and the other problem is that noone is willing to write the code.
Let's put this another way: the stake shows how much each participant has invested in the currency. If someone owns 99% of the stake, the last thing he will want is to destroy the currency (keeping the coins for himself will effectively destroy the currency because every payment method is meant to be used for payments). That being said, I cannot see another party who deserves more the initial stake than the guys who actually wrote the code (since they are the only ones who invested something in this currency). Then, let The Free Market decide how much is each coin worthed.

It's not that. It's the rich will have untouchable anonymous power. There is no way to stop a cabal of people from taking permanent control and reversing transactions discretely.

I think you were already answered:
As soon as the cabal that holds 51% of the stake in PetkoCoin starts cheating, the trust in PetkoCoin will fall, a new currency - CBeastCoin - will appear (probably with same source code), and the cabal will lose the real-life wealth they have invested in PetkoCoin. This is what guarantees that the cabal (if any) will not be malicious. Of course, it is out of question that the currency software should be open-source (IMO).

First of all, there is no way to prove a secret cabal exists because they would use darknets and other layers of obscurity. Second, they would not just start reversing transactions randomly, they would target their victims very selectively, such as corporations they wish to destroy or buy. Finally, PoS has no way to show evidence that an attack is happening. There are no mining pools to monitor their hashrate. The attack can come out of the blue without warning and leave no trace except the devastation is causes. They will have plausible deniability because the victim will have no evidence that they didn't try to double spend fraudulently. It's the perfect crime.

+1

I am surprised that more people can't see this. 

But with PoS they need 51% of the entire wealth of the currency, to do so, and at that point why would they do it? they will only undermine themselves when discovered because the value of the currency will plummet.

With PoW, they only need about 10% of the wealth to overwhelm the mining hashrate, because the current Bitcoin mining operations are worth about 10% of the Bitcoin marketcap.

They would never allow themselves to be discovered. There is no method of tracing controlling shares to individuals. Everything would be done in secrecy using TOR or other darknets and disinformation campaigns would be waged.

There are many countermeasures against PoW attacks precisely because the hashrates are known. There are still vulnerabilities with Bitcoin, but because the transactions are more transparent, there will be better engineering solutions.

What are you talking about "they will never allow themselves to be discovered"? I can assure you, they will be discovered once they start reversing transactions. The identity doesn't matter. This particular crypto-currency will crash and burn over night, the attackers will be only hurting themselves since they hold over 51% of the currency.

On the other hand, attacking a PoW currency only need about 10% of the marketcap in cost. How does "hash rate is known" make it any harder to attack?? I don't understand, I would think it only makes it easier to plan the attack. In a PoS currency, the "unknown" part is really a safety mechanism, since the attacker can't easily figure out if he could ever obtain 51%, because he don't know who's holding what, and 51% may never be achieved simply because they are not available for sale.

I don't think you will even get PoS supporters to back you up here. All currencies (including crypto) have weaknesses. If you claim that someone reversed your PoS transaction, how would you prove it? Everyone would call you a scammer. At least with PoW you can see orphaned blocks on hundreds if not thousands of nodes to show what happened. You may or may not get the network to help you, but at least they will watch for bad agents. In fact, major nodes are working diligently to prevent these types of problems.

It appears that Nxt (http://www.nxtcommunity.org/) already implement my idea - proof of stake only, open source (since 1st of March 2014) and of course the developers are the initial stake holders as it should be. It is a good idea to include that in the wiki (https://en.bitcoin.it/wiki/Proof_of_Stake), in order to prevent newbies like me causing unnecessary floods like the one I caused (apologies for that)

I guess the word "decentralized" means nothing to you.

As it should be.. Nope nope nope, it shouldnt be that way.. as with bitcoinexcept for satoshi.

Keep in mind the cost parameters are quite different for a pure PoS block chain.  There are little computation requirements, and thus negligible capital requirements.  The notion of 'initial stakeholders' takes on quite a different meaning in this context.  As long as the code is open source[1] then there is little barrier to entry, and disagreeable initial disbursements are not likely to be adopted(due to higher competition).

[1] and observationally NXT is not open source.  Have a look at Reddcoin though, that's a bit more in the realm of what your considering.

anyone could explain the proof of stake velocity of reddcoin? honestly their paper is a bit foggy and i can't find anything detailed about it on their thread so if someone could enlight me it would be cool ^^.

No, it means something for me but there is apparently difference in the meaning for you and me.

Long story short, at day one, the developers are the only ones who invested real-life efforts in this system, consequently they are the only ones interested in not destroying it.
More details about my point of view - here (http://petko-petkov.blogspot.com/2014/05/the-coins-and-trust.html)

I see a bitbucket project (https://bitbucket.org/JeanLucPicard/nxt/overview). But honestly I haven't fully examined this currency yet.

I have to admit your writing made me laugh.

I do agree, the trust model of Bitcoin is flawed and it's worth examining.

I invented a chain model that uses predefined trust.  http://altchain.org

-bm

with nxt you would need to hold 91% of the coins to do a "91% attack" against the network

your all guna get a big shock from nxt in the next few weeks lol

Hi guys, I'm struggling to grasp the block reward concept in Proof of stake algorithm. Does the lock reward remain consistent inside every block like say Bitcoin(25) because it's seems like they give off a percentage reward. So how does the block know how to reward according to percentage?

"Proof of Stake" is a concept, it's not a specific method. The answer to your question will depend on the system implemented.

But generally, you have to distinguish minting new coins from transaction fees. In a PoS system, minting should be based on normal PoW just like in Bitcoin. But transaction fees will be replaced partially or wholly with fees paid out to stakeholders who sign blocks. The block knows how much to reward based on who signed the block(s), those who don't sign don't get paid.

The block knows how much to reward based on who signed the block(s), those who don't sign don't get paid.
[/quote]

Can u explain more about this? How does the block "know" how much to reward?

Can u explain more about this? How does the block "know" how much to reward?
[/quote]

Because POS coins have what is known as weight and this weight is how the block rewards are distributed. There is a formula for it like the amount of weight x X x (365)/*pos percentage* = Reward.

So you get rewarded based on weight and time. More weight = quicker stakes. So If you don't have enough weight you might not stake very well.

sorry i am newbie, mastercoin is omilayer now?

i have seen so many POS coin and i know that many projects are into PoS which you can earn good coins by running or wallet in our computer. I found a good project named Staker token and its a PoS token. Its a Proofofstake in ETH Platform that can be stake using MEW or Imtoken. and also new because their airdrop is still going on and many investor find it also promising due to these feature.