Bitcoin Forum

What do you think?

So blocks can only be generated by providing novel proofs to Millennium Prize Problems (http://en.wikipedia.org/wiki/Millennium_Prize_Problems)? I'm all for it.

My proposal is formulated as a sane alternative to Proof of Spoof, and the less technically sound Proof of Goof.

Disregard this, I am writing up an even better proposal called Proof of Metaproof.

I was wondering how long it would take before someone decided to mock all this 'Proof of X" bs.

I've got a novel one, that I think I'll call 'Proof of Work'.  Of course, it's not really new, and happens to be the only one that has any kind of track record.  It's also the only one that has a theoretical history that extends back to the 1990's.  But I'm sure all these other 'Proof of Whatever' methods will work just as well!

Can you distill it until it is 190-proof or at least 151-proof?

With all due respect, proof of stake is a real solution to a real problem. (Which I have discussed at length elsewhere.)

I have no idea what some implementation attempts have made, I'm talking about designs such as those suggested by cunicula and me.

Proof of stake has a practical history that extends back to the industrial revolution, or to ancient Greece, depending on interpretation. What's your point?

I've read your's and Cunicula's work on Proof of Stake.  It's not a solution to anything.  It's a security hazard.  As I've mentioned in those threads many times, and which tends to be ignored, is that PoS creates nodes with special 'trusted' status based on a prior proof of stake.  This moves the greatest of security risks from that of a 51% brute force attack in the case of PoW, to whatever security models are being used by the most trusted nodes.  Thus, the security of the blockchain is dependent upon the security of several different groups, any one of which could have a security flaw in their own systems that permits an attacker to gain access to their node, and thus turn a trusted node (with much PoS to be had) into a malicious node in an instant.  Furthermore, such trusted nodes cannot be audited for their own security by others.  PoW does not have such a problem, as it never elevates particular nodes into any form of trusted status, regardless of their past history.

While PoS has a long history in meatspace, it has nearly zero useful application in cyberspace.  Bitcoin's security model does not depend upon the security models of others.

1. The system is somewhat resilient against malicious stakeholders. You'd need to compromise a majority of voting coins to even think about an attack, and even then your power is limited. The existence of many different stakeholders is an advantage.

2. The stakeholders have no shortage of ways to secure their voting rights, such as multi-signature transactions. That would make them much harder to compromise.

3. Hashing is done on computers too, which can also be hacked. You might argue that a hashrate attack requires sustained control of the machines, but I think the same can be said about probabilistic proof of stake.

Put differently, PoW definitely elevates particular nodes to trusted status - those that are in control of large hashrate.

Somewhat resilient, in theory.  You make the assumption that compromising a majority of stakeholders would be difficult, but you cannot know if that is true.  I know exactly how difficult it is to defeat PoW, at any given point in time.  Knowledge of the issue is, in it's own way, a form of security.


Harder, perhaps.  Impossible, no.  Impossible for a third party cryptocurrency user to audit that difficulty, yes.  What if Bitcoin were to use PoS?  How would, say, the US federal government go about attacking or undermining the system?  I can think of several methods that a well helled and well organized group, such as a soverign government who doesn't like Bitcoin, or a group like Anonymous, might be able to employ to take over the blockchain that could not be employed against PoW, period.  PoW is a simple & elegant solution, your pet issue with it is that it requires energy to work.  The current financial system uses an order of magnitude more energy, but so what?  It's that very resource cost that makes a 51% attack not worth the effort.  If there is leverage employed int hte proof system, that same leverage can be used against the ssytem.  There is no way to avoid this possibility except to not employ leverage.


This isn't relevant.  Compromising a pool does not imply that said pool can do more than it already could, and is very likley to signal to the pool users to move to another pool.  While a PoS 'pool' retains the advantage simply by possession of the correct keypairs.  If I were to compromise your PoS miner, and take your keypairs, I might simply choose to wait to attack. i can wait for as long as you remain unaware that your keys have been compromised, and attack at will using your keys as well as those stolen from other major miners.  When the attack comes, it would be swift and without warning.  Another reason that the PoW system is not related to the account system.


Nonsense, because Trust in this context is persistant.  PoW has no persistant condition.  PoS most certainly does.  The leverage that such persistant trust modes present the trusted users with also presents an attack vector.

There's nothing special about energy. PoW requires money to work. Someone needs to pay for the amount of hashing required to protect the network, and it may mean Bitcoin is not as cheap to use as we would like.

And even that is only if we can find a technical way to collect this money - the way things are looking, due to tragedy of the commons on the part of both users and miners, this will be quite difficult once the coinbase is out of the picture.

I've seen this argument many times, but never were there any numbers to back it up.

Mining is just a signal to synchronize transactions. As long as the power to signal is in the hands of those with the most incentive not to abuse it it should work. I see no justification for a conservation law saying the signal must be the waste of resources.


That said you have made some valid points about practical issues that will need to be ironed out.

For all intents a purposes, energy and money are the same thing with regard to PoW.  This does not change my argument.


We don't need a technical way to collect this money, we only need a technical way to require the expenditure of resources in exchange for security of the blockchain. This is exactly what we have.


Mining is not a tragedy of the commons scenerio.  It's not even a commons, it's a competition.  As for users (I presume you mean transaction fees), it's arguablely a commons, but not necessarily a tragedy of the commons scenerio.  There are very real limits upon bitcoin transaction volumes, and these limts will create a market rate fee for timely transaction confirmations.  I've mentioned this many times in many threads in the past, but it's not reasonable to assume that in the future all or most bitcoin transactions will continue to utilize the blockchain.  This is almost certainly not going to be the case, any more than most fiat finacial transactions use the ACH or Swift banking networks.  Real & practical limits upon the transaction volumes will put upward pressure on the transaction fees, whileusers and groups of users will devise alternative networks to limit the number of their daily transactions that must use the blockchain.  Whole markets will spring up that share a Paypal-like wallet service.  Silk Road already does this to some degree.  Other markets will use networks more like MPesa, or Google Wallet.  Yet these alternativeswill olly occur if the fees grow too high.  Even teh current cost of a paid transaction, being roughly five cents, would total to well over the current block reward at any transaction volume approaching Paypal's transaction rate.


I've seen numbers to back them up, but I'm not going to go looking for them. Why should I?  I've never seen any credible logic to say that PoS is necessary.


You believe it should work, and I believe that you believe that.  However, I don't believe that, and furthermore I don't believe it's necessary in any case.  You guys are making recommendations for changes that could undermine or destroy bitcoin.  If you really want to try it, do it on an alt-coin.  I want to see evidence that it's superior to bitcoin before I would even consider joining your efforts to alter bitcoin itself.


Well, thank you for that, but I don't believe that you can iron them out, because your intentions to reduce resource consumption is what introduces the need for persistant forms of trust/authority that can be used by attackers to harm the system.  Sure, in most cases you would have the security of a PoW system at a fraction of the cost, but there are cases that will always exist that permit an attacker a much privilaged attack position, simply by identifying and compromising the right node with a 'trusted' status.  There is no way around this issue that PoW doesn't also do just as well for the same cost.

Yes, we do. If the security requires expenditure of resources and nobody pays for it, there will be no security. If the total transaction fees are low, mining will only be profitable at a very low difficulty in which the security is low.

You are confusing the cost of handling transactions with the cost of hashing.

I agree that most payments will be off the blockchain (not in the ways that you described, though). But this will just make it more difficult to collect the fees that are needed to sponsor hashing. In any case, relying on the scarcity of resources for handling transaction in order to guarantee the payment of fees required for the completely unrelated issue of hashing is not robust.

PS the current fee is half a cent, not 5 cents.

I didn't say we need to do it right now. I don't even know yet what "it" is. I'm saying this is a valid research issue that needs to be fleshed out and then experimented with, so that we're ready if it ever turns out necessary.

No we don't.  Your view of the reality is false.  You have an obligation to prove otherwise, and you cannot, because you don't understand it as well as you believe you do.  I'm not motivated to educate you, either.


Nope.  I'm not the one who is confused.


Also not the issue.  You don't even understand the system as well as I thought you did.  You entirely missed the point, and are so far off the path I don't even see the point in trying to lead you back.


Very well, still doesn't likely change my point.  Even minimum fees (unlikley under competition for blockspace) would pay as much in bitcoin towards a block as the current block reward.


Go do your valid research, then.  But do it elsewhere.  I say that I don't need such research to predict the outcome, if you say otherwise make it happen.  If you're right, you'll at least be famous, and likely wealthy enough have justified the efforts.  Don't ask us to contribute, though, and move your intentions to alt-chains section.  This does not belong in bitcoin>development & tech discussions.

On the contrary, I understand the system well enough to see through the popular myths and confusions. If you don't understand that transaction fees pay for two separate things - the marginal cost of processing it and the amortized cost of hashing - then you have some thinking to do. Likewise if you don't understand that the total network hashrate will be a function of the total fees paid (whatever they are).

Um... I didn't ask you to contribute anything. I asked you not to mock the idea. You turned it into a debate of its merits, which I'll be happy to discontinue if you are.

I'd say that since alternative branch selection mechanisms are developed with the intention to be included in Bitcoin, they belong in this subforum, though this is arguable. You are welcome not to read such threads.

Mockery is a valid form of criticism, and the original point of this thread.  If your idea cannot suffer a little good mockery, it's probably not a good idea anyway.

http://www.dilbert.com/blog/entry/mockability_test/

I understand these things, but you're still overlooking much.  First, that the issues that block rewards & fees pay for are inseperable.  Second, that the fees that are included in the actual blocks are simply one motivation among several for certain miners to mine.  There are a number of external motivations, that would (in a successful bitcoin future) motivate various economic players to continue to mine even at a loss.  I've covered this issue in depth in many past threads.  Feel free to engage the search function, or simply review all of my past posts.  I'm sure that would save you some time.

I distinguish mockery from satire. What the OP did is satire which I'm fine with, what you did is mockery with which I'm not. (And "this 'Proof of X" bs." isn't any kind of humor, just a direct attack.)

It looks to me that Scott is saying that unreasonable ideas can be mocked, reasonable ideas cannot (e.g. "There's nothing funny about that topic because it's unambiguously true."). Maybe he sarcastically means the opposite of what he ostensibly says, or maybe I completely missed the reason you linked to it... Whatever.

They are inseparable but they are still separate. When paying a fee you can't choose to which purpose it will go, but when analyzing the system there is a distinct cost to each, and the total fee required is the sum of these costs. The marginal part is classical economics with resource allocation, efficiency and competition. The amortized part is paying for an artificially difficult problem and it doesn't play by the same rules, and as I said - relying on the scarcity of tx resources in order to keep fees high enough to sponsor hashing is not robust and does not lead to any correspondence between the need for hashing and the amount of it that is actually done. Not that it can't work, but it's akin to tossing darts blindfolded.

Which brings me back to the point that lumping the two together, failing to distinguish them, their different dynamics and how they coexist is a popular misconception.

This is analogous to mining itself and its dual role as determining the initial distribution of coins and synchronizing transactions. The roles are "inseparable" in that they are tied together in the same system, but one cannot understand the system until he acknowledges the two distinct roles. The roles could have been in theory filled by different systems, which happens to be relevant to this discussion - I don't know of a robust replacement for hashing as a distribution mechanism, but the synchronization part I think can be improved.

I'm sure we've talked about this in Vandroiy's thread. I disagree about the magnitude of the effects, PoW is too expensive for this to meaningfully alter the dynamics.

Standard disclaimer first:  I am often wrong.

But I've got a nagging feeling that all of the pure Proof-Of-X (where X != Work) systems would set up a dynamic of "the rich and powerful get more rich and more powerful."

The more coins you have, the more you get, as far as I can see in all of the proposed schemes (another disclaimer: I only vaguely pay attention to all of the Proof-of-X schemes, so feel free to tell me how I'm wrong). Seems to me that would end up being a destructive feedback loop, where your decentralized currency naturally gets more and more centralized over time.

I should note that:

1. I don't think it's much different from proof of work - those with resources can buy hardware to mine more coins. Since what you can get is linear in what you put in, I think it will maintain the status quo rather than magnify any gaps.

2. The changes in some proposals relate (as far as monetization goes) just to the transaction fees, not the coinbase. And, since the premise is to make the total cost of securing the network cheap, there shouldn't be huge profits to be made here.

One minor note: if/when the block reward is too low and we risk a tragedy of the commons, we can pay for work using assurance contracts.

[detailed example]
So let's say I run a business that saves money by using Bitcoin, or at least hold some Bitcoins. I want a higher difficulty. I can buy "insurance" that the difficulty will be over X, so I get paid if difficulty is low. Miners would be on the other side of these contracts, getting paid if difficulty is high. And bear in mind that we could use PPCoin, Litecoin, or whatever for these contracts in case you're worried that a 51%-induced Bitcoin collapse would make your payout worthless.
[/detailed example]
I suspect (but can't back up) that this:
* Could recover from a 51% attack and re-establish a chain
* Would be cheaper for users than present-day coinbase inflation

We've got some time to develop these secondary markets as the subsidy decreases. IMHO the Coasian provision of public goods is the next big thing for cryptocurrency; it doesn't stop at currency-related problems.

I'd be very cautious of assuming that we can know who will be mining and for what reasons 10+ years from now.

I can easily imagine a future in which Walmart running a mining pool just to make sure the transactions of its customers and employees get processed quickly. A pool like that might or might not try to recover its costs via transaction fees.

Indeed, this 'Walmart' scenario was one of those that I brought up in many previous threads.  If Wal-Mart wanted to provide their customers with a fee-less payment option, while still granting themselves relatively quick access to those funds, they are going to have to sponsor a mining operation that favors transactions into and out of their own address set.  Any major retailer that competes with Walmart would have the exact same motivations, while also desiring to exclude the fee-less transactions of their competitors.  While this is a form of competition for those retailers, each of those mining operations still contribute to the security of the blockchain as a whole, and their support for their chosen mining operations would not (primarily) be connected to the amount of fees that could be collected by the act of mining itself.  This is not a tragedy-of-the-commons scenario.  However, time will tell whether or not this kind of external competition is a significant portion of mining or not.  I imagine that bank-like institutions would also form mining cartels in order to offer fee-less transaction processing to their members; as well as international trade institutions would sponsor mining contracts to protect the value of their 'letters-of-credit' operations using bitcoins, much like a bank invests & maintains a physical bank vault at a loss.

The long point is, PoW is working and we can see that it does work.  There is no evidence, at the present, that it would not continue to work well.  Whereas there is a lack of evidence that PoX methods offered can actually live up to their promises.  Don't fix what ain't broke.

We can see that if we sponsor PoW with 25% annual monetary inflation it works, yes. Hypothetical scenarios for how it can work in the future are hypothetical.

Anyway, we'll do just what you suggested - research new solutions and try them out in alts, so if it ever is broken we'll be ready with a fix.

Edit: Actually quite a few things are wrong with this Walmart thing, but the main issue is - even if it does make strategic sense for them to mine, this will incur a cost, and to maintain the same level of profitability they will have to increase the prices. So the customers still pay indirect transaction fees as a result of the need to sponsor mining, TANSTAAFL. How much exactly is a subject for a different debate.

The motivation for finding an alternative makes perfect sense; with PoW miners are expending value to the aether, so if this value leak in the bitcoin economy can be plugged by making mining a zero sum game (non-miners included as players), then great.

Edit: not actually zero sum, since the non-miners win by having a cool currency, but you get my drift.

You are correct, however what other solutions (besides some kind of cementing) can you produce that can mitigate the risk of 51% attack ?

Also, i have sent you a PM.

Preparing in the event that an alternative to PoW were to be required, is both wise and rational.  If your methods work out in the alt-chains, and none of the concerns that I have materialize, I'll be one of the first to advocate altering the mainline protocol.

Another way to look at it: the service that the stakeholders provide is even more useful to the health of the network than the service that the miners provide, because the stakeholders have to maintain a full node and therefore they help in preventing network attacks, and they decentralize the power that generates the blocks (the power that synchronizes the txns). Because it costs less to provide this service than it costs to provide the PoW mining service, it might be reasonable to expect that the stakeholders will demand lower fees than the miners (due to the competition among stakeholders), while providing an even more valuable service.

It's true that a stakeholder who never spends his coins will continuously accumulate more coins, but coins are worthless if you never use them. That's also true with fiat currencies that aren't too inflationary, you can have the money sit in the bank and continuously earn interest, without ever using it.

We also have proposals where stakeholders are penalized when they don't help to secure the network, rather than rewarded when they do help.

I'm glad that my mocking has stimulated an actual discussion. If anything, we now have some new terminology:

PoW "Proof of Work"
PoX" "Proof of {something other than work}"

If this is the wrong thread to ask this please point me in the right place but how on earth can "Proof of Stake" work in an automated way? Or does it require that the stakeholder (a human) go through all the recent blocks and make sure there's no double spending attacks?

You don't need proof of anything to tell if there were double-spends - if there are two transactions spending the same output there's a double spend. (And a computer would be much better than a human in finding that out.)

Proof of work/stake/X exists to signal "this set of transactions is valid and any transaction that is a double-spend on any of them is invalid" in a way that guarantees that everyone agrees on the same set of transactions. As to how this is achieved you'll have to read the specific proposals (e.g. at https://en.bitcoin.it/wiki/Proof_of_Stake), the point is that the stakeholder's computer signs messages that affirm his support of a specific block, and the collection of such signatures is the signal.

I'd like to point out that in the thread https://bitcointalk.org/index.php?topic=131230.0 (Proof of Bets) we are analyzing a system where Miners have an incentive to cooperate to achieve greater profits, rather than to compete. I don't know if it can be done, but we're trying...

Yeah, I guess the part that I don't quite understand is what is the incentive for a proof of stake signer to verify the correctness of a series of blocks that he didn't participate in?

Signature fees. Like the transaction fees we know, but payable to stakeholders providing signatures. Also, signing should be fairly cheap.