Bitcoin Forum
  Show Posts
421  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: April 03, 2015, 03:45:40 PM

Also more reorgs means it's easier for Mallory to cause a reorg whenever it suits his nefarious purposes.  Want to double spend your coins?  Spend them, cause a reorg, spend them again, done. 
422  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: April 03, 2015, 06:48:28 AM
Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 
423  Other / Bitcoin Wiki / Re: wiki needs an edit regarding initial numbers/characters for addresses. on: April 03, 2015, 05:18:40 AM
Base256 is 256 values per byte - binary is two values per bit.  Same basic encoding, just interpreted at different unit width.
424  Bitcoin / Bitcoin Discussion / Re: Half a million bitcoins from Mt.Gox just moved.... on: April 03, 2015, 03:10:26 AM
Errr.... just moved?

 2011-11-18 08:37:58
 2011-11-18 08:00:46

Sorry.  Scripting error.  My fault.
425  Bitcoin / Development & Technical Discussion / Is bitcoin-qt able to scale with large numbers of unconfirmed txIn? on: April 03, 2015, 02:29:38 AM
I'm seeing some possibly unstable behavior when the unconfirmed tx pool gets very large.  Right now there are 4000 unconfirmed tx showing on block explorer, and bitcoin-qt seems to be using up a whole lot of CPU.  If the unconfirmed tx pool gets too large, does it do something which doesn't scale?

Edit:  That must be it.  We just got a block that packed up over a thousand of them (block 350476) and my CPU load is back down to something near normal.
426  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: April 03, 2015, 01:24:49 AM
PoS as usually implemented means "Piece of Shit."  Excuse my language, but it's simply bad protocol design.  Those guys who have a brief mining period, or an IPO, or whatever, aren't distributing it to enough people for any kind of PoS to be stable, let alone the broken kind of PoS they're implementing where people just lock up coins for the ability to form blocks and get paid for that.  

One person's locked-up coins do not matter when you're deciding security for ALL of the users.  If you're going to measure stake you have to do it in a way that counts everybody's or you'll have someone preparing an attack chain in secret.  And you have to have a very wide distribution before the law of large numbers statistically smooths out the amount of stake observed per block. And you have to pay the people who are providing security (that is to say, everybody who makes transactions).  The people doing PoW are doing security for PoW block chains so the block subsidy to them is appropriate.  But if you're counting everybody's stake, you have to distribute payments to people according to how much security everybody contributes to the chain. 

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Proof of stake doesn't have to be anywhere near that bad.  

427  Alternate cryptocurrencies / Mining (Altcoins) / Re: Best scrypt mining equipment so far on: April 03, 2015, 12:47:58 AM

If I plug 1 psu in a wall mount and the other in another wall mount, do you consider this like 2 circuits? Sorry, I'm a social worker so I don't have skills in electricity.

If you know where the fuse box or breaker box in your home is, take out one fuse or trip one breaker.  Now find an outlet that doesn't work without it, put the fuse back or turn the breaker back on, and take out a different fuse or trip a different breaker.  Then find an outlet that doesn't work without *THAT* one. 

There you have two outlets that are on different circuits.  And while you're at it, you can  make sure that each is good for the 2500 watts.  (you have 110v power?  Look for at least a 30A fuse or breaker switch, more depending on what else you want to put on that circuit.)

428  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: April 03, 2015, 12:19:05 AM
I don't think you can possibly add anything that counts without making the thing that counts for EVERYTHING at the moment count for less than everything.

From my notes on how this is supposed to work:  

txSpend = total txouts that existed before fork, used in tx staked after fork

hashes = proof of work since fork
stake payments counted for security = the amount of the txSpend set times the interest rate for the full age of the txOuts or the *MEDIAN* age of the txOuts whichever is less. 

Priority = Hashes * (Block subsidy awarded + stake payments)

So while there are no tx, priority is exactly like Proof-of-work.  When there are a few, TaPoS becomes essentially a tie-breaker deciding which of two recent blocks gets orphaned.  But as block subsidies gradually get smaller and the stake awards gradually get proportionally bigger, TaPoS becomes the dominant consideration in resolving forks.  

It's an interesting experiment that I think I'm going to do in an altcoin, and which I think somebody *HAS* to do in an altcoin before it would be responsible to even propose it for Bitcoin.   Assuming stake payments at some economically sane rate like ten percent annually, and a constant mining award, it would be about eight years before transactions counted for as much as mining.  Or you could think of that as a "reward halving time" of eight years for the miners if you'd rather - relative to the entire money supply that would be equivalent.

Yes, I am a mad scientist.  I propose running an experiment on human beings.  Would you like to be a test subject?
429  Bitcoin / Bitcoin Discussion / Re: Half a million bitcoins from Mt.Gox just moved.... on: April 02, 2015, 11:35:34 PM
Oh, crap.  I made a mistake in the 'tickler script.  It scans 'largest recent transactions' page at https://blockchain.info/largest-recent-transactions  and I thought that 'recent' meant something different than what I suppose it does.

Okay the april-foolish timing is apropos, but this was an honest mistake.  I thought they had moved today.

430  Bitcoin / Bitcoin Discussion / Re: Half a million bitcoins from Mt.Gox just moved.... on: April 02, 2015, 11:22:43 PM
It's no longer April's 1st.

Funny though.

Not an April fool, dude.  This is straight from Blockchain.info.
431  Bitcoin / Bitcoin Discussion / Re: Half a million bitcoins from Mt.Gox just moved.... on: April 02, 2015, 11:20:30 PM
 I dunno, but if I'm right, that's about the same number of bitcoin that are still missing from the MtGox implosion.  

I set a 'tickler on that, and my phone lit up with the message when I turned it on a few minutes ago.

Wonder if this has anything to do with the Karpeles trial going on in Japan right now?  Suppose maybe he cut a deal with the prosecution?  
432  Bitcoin / Bitcoin Discussion / Half a million bitcoins from Mt.Gox moved in 2011.... on: April 02, 2015, 11:16:27 PM
https://blockchain.info/tx/0b711c067492f2b8b5a86daae997ab9319c99375da3cec3626cf0767a0552e12
https://blockchain.info/tx/b269bf1b82dae8a61f7f91dbf7a9d807e30963c1ae00ddd95a8faebea6d0a007
You folks who got goxxed might be interested in this....

It looks like this is part of a long chain of transactions, but this is particularly interesting...

433  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: April 02, 2015, 10:20:22 PM

Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as PoW".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldn't that be done retroactively
by an attacker at no cost?


Right.  An attacker can play all sorts of silly-buggers with a TaPoS system in the short run; that's why I can't recommend it on its own.  So, yes, I'm envisioning a system with PoW mining as well, and the people making transactions getting paid for block chain security in the same ratio against the block subsidy that their transactions are counted relative to PoW mining for purposes of resolving blocks.  That's why "almost" as good as PoW.  

A TaPoS system becomes secure only when the "law of large numbers" means that the number of tx per block gets huge and starts to be a fairly constant amount -- the way mining effort is in a PoW system.

Staking a certain block means that when Alice sends Bob 5 coins, she gets paid a "stake security payment" amounting to interest on those 5 coins if she specifies ("stakes") a  very recent block that the transaction then depends on. The transaction has that block ID recorded in it, and isn't valid in any block chain that doesn't include the block Alice staked.

In the case of a block chain fork, TaPoS counts in favor of the fork that has the most coins spent - specifically in txOuts created before the fork and used in transactions staked after the fork.  If more than half the coins that were in existence as of a certain block have been spent - even once - in transactions staked after that block, then no reorg can EVER dislodge that block.  

That's a stronger guarantee than PoW can really make.  Although the combined hashing effort that's gone into the chain makes it impossible in practice that a reorg could ever undo more than ten or fifteen blocks, there's no mathematical guarantee.  In theory, a new block chain could emerge tomorrow that undoes every transaction back to the beginning.  It'll never happen, but there isn't a mathematical guarantee the way there is with a TaPoS system.  

In the short run, if there's a reorg that goes back before the staked block, Alice's payment to Bob disappears.  Bob is looking for (or waiting for) the stake block to be at least 6 blocks in the past to protect him from a reorg that reaches back past the transaction's stake block, the same way that in a PoW system it's wise to wait at least 6 blocks after the payment to protect you from a reorg that happens after the transaction.  

So if Bob wants to be extra-sure he gets paid, he protects himself from a reorg that goes back six blocks by demanding that Alice stake earlier.  He might just check some monitor to make sure there's no known fork in progress and that'll be it.  If Alice is just paying for coffee, he may let her stake the very last block, the same way coffee shops in a PoW system don't wait for the next block for confirmation.  

One nice thing about a TaPoS system is that miners are motivated to include all the tx they can; that makes their block the 'best block' if two are found and prevents it from getting orphaned.
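
An added example, not part of the original posts: a Python sketch of the fork comparison these TaPoS posts describe, combining the staking rule above with the "Priority = Hashes * (Block subsidy awarded + stake payments)" formula from the notes post. The class and function names, the sample branches, and the reading of the age cap as min(own age, median age) per txOut are assumptions.

```python
from dataclasses import dataclass, field
from statistics import median

ANNUAL_RATE = 0.10  # the "ten percent annually" figure used in the posts

@dataclass(frozen=True)
class Spend:
    """A txOut consumed by a transaction that stakes a block (constructed model)."""
    amount: float        # coins in the txOut
    age_years: float     # age of the txOut when spent
    created_height: int  # height of the block that created the txOut
    staked_height: int   # height of the block the spending tx stakes
    staked_block: str    # ID of the staked block

@dataclass
class Branch:
    block_ids: dict      # height -> block ID, for blocks after the fork point
    hashes: float        # proof of work since the fork
    subsidy: float       # block subsidy awarded since the fork
    spends: list = field(default_factory=list)

def counted_spends(branch, fork_height):
    """txSpend: txOuts that existed before the fork, used in tx staked after it.
    A tx whose staked block is not on this branch is invalid here and ignored."""
    return [s for s in branch.spends
            if s.created_height <= fork_height < s.staked_height
            and branch.block_ids.get(s.staked_height) == s.staked_block]

def stake_payments(branch, fork_height, rate=ANNUAL_RATE):
    """Interest on each counted txOut for its own age or the median age of the
    counted set, whichever is less (assumed reading of the notes)."""
    spends = counted_spends(branch, fork_height)
    if not spends:
        return 0.0
    cap = median(s.age_years for s in spends)
    return sum(s.amount * rate * min(s.age_years, cap) for s in spends)

def priority(branch, fork_height):
    """Priority = Hashes * (Block subsidy awarded + stake payments)."""
    return branch.hashes * (branch.subsidy + stake_payments(branch, fork_height))

def cannot_be_dislodged(branch, fork_height, supply_at_fork):
    """True when more than half the coins existing at the fork block have been
    spent in tx staked after it."""
    spent = sum(s.amount for s in counted_spends(branch, fork_height))
    return spent > supply_at_fork / 2

def best_branch(a, b, fork_height):
    return a if priority(a, fork_height) >= priority(b, fork_height) else b

# Constructed sample fork: both branches split after block 100.
FORK = 100
VISIBLE = Branch({101: "v101", 102: "v102"}, hashes=2.0e6, subsidy=50.0, spends=[
    Spend(400, 2.0, 90, 101, "v101"),
    Spend(300, 0.5, 95, 102, "v102"),
    Spend(200, 1.0, 80, 101, "v101"),
])
SECRET = Branch({101: "s101", 102: "s102"}, hashes=2.2e6, subsidy=50.0, spends=[
    Spend(100, 4.0, 60, 101, "s101"),  # the secret chain builder's own coins
    Spend(400, 2.0, 90, 101, "v101"),  # copied tx staking a visible block: not valid here
])

if __name__ == "__main__":
    print("visible priority:", priority(VISIBLE, FORK))
    print("secret priority: ", priority(SECRET, FORK))
    print("visible wins:", best_branch(VISIBLE, SECRET, FORK) is VISIBLE)
```

With no staked transactions the secret branch would win on hashes alone; the staked spends on the visible branch are what reverse the outcome.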
434  Bitcoin / Bitcoin Discussion / Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper on: April 02, 2015, 08:07:21 PM
I had (and still have) pretty much the same opinion as Meni Rosenfeld about BCNext.  So if he's a FUD spreader, then so am I.

Anyway, the security of a PoW block chain is largely a matter of the miners expending a resource to support exactly one version of the block chain, which they cannot also use to support a different version of the block chain.  That is, they're committing a finite resource and, at the same time, showing that it is not also being used elsewhere.

That's really hard to match with a PoS system.  Locking up coins for a given number of rounds doesn't really provide security for the chain.

The only finite "stake flavored" resource I can come up with is transactions - and that's true only if the transactions cannot be played into both forks by an attacker.  If the transactions have to "stake" a recent block and are not valid in any chain that does not include that block, then they become a finite resource that can't also be used in support of a different branch.  An attacker could still try spending the same coins in both branches of the fork, and waiting for confirmation would be a lot more important because the tx you get won't be valid unless the branch it's staked in becomes the accepted branch.

Anyway, given all that -- the TxOuts that were created before the fork and used in transactions staked in blocks after the fork, can be counted as a resource spent in support of that branch.

The major advantage is that if an attacker tries to build an attack chain in secret, with everybody else in the world staking their tx in the visible block chain, he literally has to have a greater stake than everybody who makes a transaction while he's working or it's not going to work.  That's a guarantee ALMOST as good as PoW.  

But the tx being valid only in one branch of the fork opens up all kinds of games that attackers can play.  And while mining effort is very stable because miners mine at about the same rate whenever they've got their stuff turned on, Transactions as Proof of Stake is very sensitive to the timing of large spends, and a big spend in a fork that's nine blocks behind can force a reorg.  

So, although I think it's secure against VERY long forks, it's pretty horrible for deciding forks in a very short time the way PoW mining does.  So you'd have to use it in combination with something else.  

One thing about this is that it's the people making transactions who secure the block chain, so they deserve their part of the payment for securing the block chain.  The people who actually form blocks?  They can continue to form blocks by PoW or something, also contributing to the security of the block chain. They'll be needed until transaction volume gets high enough that it starts to be at least a little bit "steady" for purposes of short-term resolving stuff.  Thing is, that makes PoW necessary for YEARS, not weeks, and it only makes sense if the coin actually gets used.  It might work for Bitcoin at this point; but no alt that isn't seeing widespread actual use could sustain it.

435  Bitcoin / Development & Technical Discussion / Re: Coinjoin improvement..? on: April 02, 2015, 07:36:00 PM

We used to play a game in college called "Beer hunter."  Although, if you were a nerd like me, root beer worked just as well.

The way it worked, you shake the hell out of one bottle so it'll pretty much explode and go all over when it's opened.  Then you put that bottle into a six-pack with five unshaken.  One guy turned his back and the other guy swapped the bottles around, then the other guy turned his back and the one guy swapped the bottles around.  End result: neither of them knows where the shaken bottle is.  Then both of them take a bottle and open it. 

Why was this entertaining?  I dunno.  I think it was mostly entertaining to people who were already drunk.

But it could be adapted to a real mixer protocol.

If you have a few people who each take a couple of turns permuting the outputs, where nobody else can see what permutations they're making, then none of them - and nobody else - will know which output went where unless they all collude.

436  Bitcoin / Bitcoin Discussion / Re: Do you have a feeling BTC has slowed down a bit? on: April 02, 2015, 06:42:19 PM

I dunno.  I was there at the very beginning, and I reviewed the code but I figured it was just another electronic-cash idea, and cryptographers had been watching those FAIL for years and years and years.  The digital graveyard is littered with their corpses.

So...  I didn't even buy in.  I could have just put up a node in those early days and CPU mined thousands of bitcoins.  I didn't even get involved.  Hal Finney went for broke, I just went "hmm, looks okay." 

A couple years later I had a look...  The price was up around $30 at the time, and that was encouraging, but as far as I could see the value was 100% due to criminal use.  That would be the same kind of DOOMED as all the previous digital-cash and e-gold and so on that came out of the cypherpunks and all that crew, and had mostly ended in messy takedowns and prosecutions and SEC investigation for securities fraud, money laundering, corruption, etc... As I said, cryptocurrencies are not a new idea and if you're in crypto for any length of time you've seen dozens of them.  And as long as it was looking just as DOOMED as all the others, even though it had lasted longer, I continued to stay the hell away.  But I started watching, and from time to time, I went "hmmm, not dead yet."  But the community tended to be mainly Anarchist/Rebel/Anti-Banking/Anti-Legitimacy, and I felt pretty strongly that unless it got better it had no genuine future outside of criminal enterprises and an eventual law-enforcement takedown.  Let's face it; you're not going to build genuine value in criminal enterprises and you're not going off by yourself where the government is going to leave you alone.

I didn't buy in, in fact, until the community started showing signs of a will to go legit.  When there started to be voices on the forum that answered setting-up-a-market questions with "you need to lawyer up and be careful" rather than "FUCK THE GOVERNMENT! WE'RE ABOVE THE LAW!  DO WHAT THE HELL YOU WANT BECAUSE THE AUTHORITIES ARE ALL CORRUPT ANYWAY!"

Yeah, it was when I saw that there were, in fact, a few sane people who were interested, who might actually build legit businesses and make Bitcoin into something valuable and real rather than just a way for crooks to hide money movements that would be doomed to fail -- That was when I bought in.  So I didn't make nearly as much money as those early whales.  But I think I feel better about it than if I'd done otherwise.
437  Bitcoin / Bitcoin Discussion / Re: DEA Agents in Silk Road Case Face Fraud Charges on: April 02, 2015, 06:03:36 PM
FWIW, I'm personally convinced Ulbricht is guilty.  I bet he's going to get a retrial, but I'd bet on him going to jail anyway.  Bitcoin angle aside, Ulbricht is just another crook.  There is absolutely nothing special about him.  He did what crooks do, he got caught like crooks get caught, he's going to jail like crooks go to jail.  

Force and Bridges on the other hand are special.  They are corrupt Lions, and they are the people who are supposed to be taking crooks down.  Police corruption is not merely bad, it's WORSE than anything an ordinary crook can do.  Those guys?  I want them to rot in jail.  Not just for stealing or extortion or bribe-taking or money laundering or all those other ordinary-crook kinds of things that they could and should do time for - although they deserve jail time for that too.  But the horrible thing, the poisonous thing, the thing that absolutely cannot be tolerated in a nation that aspires to be free, is this: I want them to rot in jail for betrayal of the public trust.
438  Alternate cryptocurrencies / Mining (Altcoins) / Re: Looking for PoW recommendations. on: April 02, 2015, 04:14:52 PM

Draft idea: two values that differ only in one bit will be separated by Hamming distance of 1. Miner could bucket hashes by Hamming weight, possibly discarding hashes with low and high weight, then generate Bloom filter for even buckets and perform search for odd ones in two neighbor (even, +-1) buckets.


Aaaand, props to smolen for coming up with the idea that would in fact put that task in reach of a regular GPU. 

If you start with an exemplar given string of bits, make a hash table, and then every time you have a collision you evict whichever one is furthest in Hamming distance from your example string, then after a while you will collect a bunch of strings clustered very closely in Hamming space and stop updating your table very often - erasing the memory contention constraint and allowing all those parallel processors to hunt, without even needing to consult the table, for strings within a given Hamming distance of the original example.  And when they find one, they light it up; the table of things clustered in Hamming space around that original example string will yield dozens, or even hundreds, of near-triplets that include the new string.

With the parallelism and memory bandwidth advantages, they'd rapidly reach a state where they're able to find near-triplets very efficiently indeed. 

If you do the same trick with the 64G memory structure, you'll be able to collect a much larger Hamming radius and light it up with a much greater fraction of new inputs, but you can't parallelize the search to more than the 8 cores or whatever on your CPU and, because the searching threads don't even need to consult the table if they're looking for things within a small Hamming radius of an example, the GPU can.

So now I get to try to come up with some weird variation on the Cuckoo cycle. 
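
An added sketch, not code from the original post, of the eviction rule described above: on a slot collision keep whichever hash is closer in Hamming distance to the exemplar, then measure how tightly the table clusters and how often it still changes. The 64-bit truncated SHA-256, the 256-slot table, slot selection by low bits, and all names are assumptions chosen for a toy scale.

```python
import hashlib

SLOTS = 256  # toy table size (assumption)

def h64(nonce: int) -> int:
    """First 64 bits of SHA-256 over the nonce, standing in for the PoW hash."""
    digest = hashlib.sha256(nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")

def fill_table(exemplar: int, nonces):
    """Insert hashes; on collision evict the entry furthest from the exemplar.
    Returns the table and a per-insert flag saying whether the table changed."""
    table = [None] * SLOTS
    changed = []
    for n in nonces:
        v = h64(n)
        slot = v % SLOTS
        cur = table[slot]
        if cur is None or hamming(v, exemplar) < hamming(cur, exemplar):
            table[slot] = v          # newcomer is closer: the old entry is evicted
            changed.append(1)
        else:
            changed.append(0)        # newcomer is no closer: discard it
    return table, changed

def summarize(n_inserts: int = 16384):
    """Mean distance of kept entries to the exemplar, plus table updates in the
    first and last quarter of the insert stream."""
    exemplar = h64(0)
    table, changed = fill_table(exemplar, range(1, n_inserts + 1))
    kept = [v for v in table if v is not None]
    mean_dist = sum(hamming(v, exemplar) for v in kept) / len(kept)
    q = n_inserts // 4
    return mean_dist, sum(changed[:q]), sum(changed[-q:])

if __name__ == "__main__":
    mean_dist, early, late = summarize()
    print(f"mean Hamming distance to exemplar: {mean_dist:.1f} (random would be 32)")
    print(f"table updates, first quarter: {early}, last quarter: {late}")
```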
439  Alternate cryptocurrencies / Mining (Altcoins) / Re: Looking for PoW recommendations. on: April 01, 2015, 05:57:04 PM
As I said, I haven't done much programming on GPUs so I don't know in great detail yet what their capabilities are.  Right now I'm just working from the conventional knowledge that they're highly parallel and have 2Gbytes or so of memory - and memory bandwidth that's about 10x as fast as CPU memory bandwidth. 

Right now the "Big Honkin' Server" task looks like searching for triplet subnonces whose hashes match - EXCEPT for one bit - for the first fifty bits.  Because of the way the triple is represented, the nonces have to be within a 45-bit range of each other, but that's not really an issue because you can spend all day searching inside a 45-bit range. 

You can compute them in parallel, but you're going to need a lot of data structure to store them in. For every one you compute you have fifty different places to look for a matching nonce.  The more previous results you can store, the better the odds that you'll have a couple of matching nonces in that set of places and be able to make a triplet.  In fact if you find more than two you can make more than one triplet.

That's a pretty brutal task.  I have been trying to think of every possible way for a GPU program to "cheat" at it using its 10x memory bandwidth advantage in a 2Gbyte data structure - and then  applying the same compression techniques to a 64G data structure to make the task even more brutal.  This one is supposed to be for big-memory servers only, and GPUs will find a far more profitable use of their time chewing on the SHA256D stuff that the big-memory servers (which don't usually have any use for high-end graphics cards and aren't built with them) can't do nearly as fast as they can.

It's actually kind of fun - I haven't done this kind of "use every trick in the book to absolutely maximize performance given a particular set of resources" programming in years. 
440  Bitcoin / Bitcoin Discussion / Re: Bitcoin Core 0.10.0 has been released on: April 01, 2015, 07:09:37 AM
Is there a place to go to see a chart of the percentage of the network that is running 0.10.0? In other words, given that the miners vote by running a particular version, where can we see that represented?

Bitnodes shows that: https://getaddr.bitnodes.io/nodes/

40.26% of reporting nodes running 10 as of this post.

I like to see that.  Thanks for the link.

Does anybody have a similar link that shows what block versions the miners are advertising?  I remember that there is one, I just don't remember where it is. 