I didn't say it's a novel idea. I said it's something Mtgox would need to do; and to spare customers from inconvenience they will need to find out an optimal solution which is secure but with as little hassle as possible. To do that they need to know what "secure" is. Not sure if sarcastic and if so, what your hostility is about.

That's the point - we need to choose the number of confirmations so that it will not be economical for an attacker to attack. Analysis of the probabilities helps with that.

How many confirmations is that depends on the availability of spending options and many other factors, and is touched on the economic analysis section. For example, if Mtgox accepts deposits of 100K BTC after 6 confirmations and then allows withdrawing this in other coins, trying to double-spend suddenly starts to look lucrative. Which is a reason for Mtgox to have other security measures to prevent that (delay withdrawals of large amounts, withdraw with the customer's deposited coins...).

Not quite. The chance of success is continuous, if your hashrate is slightly below 50% your chance is only slightly below 100%. That chance can be lowered by waiting for more confirmations, but that can be countered by making the hashrate even closer to 50%. With 50% and up it's always 100%. Really, graphs explain this better than words.

I should note that:

1. I don't think it's much different from proof of work - those with resources can buy hardware to mine more coins. Since what you can get is linear in what you put in, I think it will maintain the status quo rather than magnify any gaps.

2. The changes in some proposals relate (as far as monetization goes) just to the transaction fees, not the coinbase. And, since the premise is to make the total cost of securing the network cheap, there shouldn't be huge profits to be made here.

Interesting choice, the variance will still be infinite but just barely so.

If you reduce a further maybe 3% fee can be enough.

I think once you figure out the highest value of a you're safe with (maybe 0.5), allowing the user to choose any a up to this value will be safe.

I distinguish mockery from satire. What the OP did is satire which I'm fine with, what you did is mockery with which I'm not. (And "this 'Proof of X" bs." isn't any kind of humor, just a direct attack.)

It looks to me that Scott is saying that unreasonable ideas can be mocked, reasonable ideas cannot (e.g. "There's nothing funny about that topic because it's unambiguously true."). Maybe he sarcastically means the opposite of what he ostensibly says, or maybe I completely missed the reason you linked to it... Whatever.

They are inseparable but they are still separate. When paying a fee you can't choose to which purpose it will go, but when analyzing the system there is a distinct cost to each, and the total fee required is the sum of these costs. The marginal part is classical economics with resource allocation, efficiency and competition. The amortized part is paying for an artificially difficult problem and it doesn't play by the same rules, and as I said - relying on the scarcity of tx resources in order to keep fees high enough to sponsor hashing is not robust and does not lead to any correspondence between the need for hashing and the amount of it that is actually done. Not that it can't work, but it's akin to tossing darts blindfolded.

Which brings me back to the point that lumping the two together, failing to distinguish them, their different dynamics and how they coexist is a popular misconception.

This is analogous to mining itself and its dual role as determining the initial distribution of coins and synchronizing transactions. The roles are "inseparable" in that they are tied together in the same system, but one cannot understand the system until he acknowledges the two distinct roles. The roles could have been in theory filled by different systems, which happens to be relevant to this discussion - I don't know of a robust replacement for hashing as a distribution mechanism, but the synchronization part I think can be improved.

I'm sure we've talked about this in Vandroiy's thread. I disagree about the magnitude of the effects, PoW is too expensive for this to meaningfully alter the dynamics.

It's not plus, it's instead. Note the (1-a) term in the payout formula; it means that for a share that is just barely valid (share_difficulty = work_difficulty) you would get just 20% of the normal payout (with a=0.8 ), and you'd need the share to be much more difficult than that to get near the normal payment. On the flip side, if your share happens to be very difficult, you could get for it more than the entire block reward.

This poses high variance for the pool, not just the miners. I don't think 3% fee will cut it. Maybe a=0.4 will be better.

That is an understatement. With a=0.8 (or any a>0.5) the variance is infinite. Greater than the variance of solo mining. The distribution will be quite different though, you'll have a high chance to get moderate rewards, and a small chance to get very high rewards.

The variance quickly goes down when decreasing a past 0.5, though. To get the variance to be less than solo variance, you need a < D / (2D + work_difficulty). Edit: should be a < 1/2 - wd/(8D) (approximately).

The goals should be clarified because this is a very ineffective way to solve these problems. You could do the standard method of block finding fee, but it greatly increases the variance.

On the contrary, I understand the system well enough to see through the popular myths and confusions. If you don't understand that transaction fees pay for two separate things - the marginal cost of processing it and the amortized cost of hashing - then you have some thinking to do. Likewise if you don't understand that the total network hashrate will be a function of the total fees paid (whatever they are).

Um... I didn't ask you to contribute anything. I asked you not to mock the idea. You turned it into a debate of its merits, which I'll be happy to discontinue if you are.

I'd say that since alternative branch selection mechanisms are developed with the intention to be included in Bitcoin, they belong in this subforum, though this is arguable. You are welcome not to read such threads.

Yes, we do. If the security requires expenditure of resources and nobody pays for it, there will be no security. If the total transaction fees are low, mining will only be profitable at a very low difficulty in which the security is low.

You are confusing the cost of handling transactions with the cost of hashing.

I agree that most payments will be off the blockchain (not in the ways that you described, though). But this will just make it more difficult to collect the fees that are needed to sponsor hashing. In any case, relying on the scarcity of resources for handling transaction in order to guarantee the payment of fees required for the completely unrelated issue of hashing is not robust.

PS the current fee is half a cent, not 5 cents.

I didn't say we need to do it right now. I don't even know yet what "it" is. I'm saying this is a valid research issue that needs to be fleshed out and then experimented with, so that we're ready if it ever turns out necessary.

It's not "after a few decades". It's when the signature algorithm becomes so weak that your coins will be taken anyway by crackers if you don't move them. Again - the new version will cause you to lose your coins in exactly the same situation where you will lose them in the current version too.

The proposal was in the OP. It was more of an example than a proposal, but still.

This is almost universally agreed to be mutable.

Bitcoin can't make such a guarantee. It can try, though.

So you agree with the proposal to keep lost coins lost by deleting them when the algorithm is weakened?

I meant difficulty = 10xoriginal after a few months, and = 20xoriginal after a year.
This is all speculation, of course.

There's nothing special about energy. PoW requires money to work. Someone needs to pay for the amount of hashing required to protect the network, and it may mean Bitcoin is not as cheap to use as we would like.

And even that is only if we can find a technical way to collect this money - the way things are looking, due to tragedy of the commons on the part of both users and miners, this will be quite difficult once the coinbase is out of the picture.

I've seen this argument many times, but never were there any numbers to back it up.

Mining is just a signal to synchronize transactions. As long as the power to signal is in the hands of those with the most incentive not to abuse it it should work. I see no justification for a conservation law saying the signal must be the waste of resources.


That said you have made some valid points about practical issues that will need to be ironed out.

The growth factor will be more. It will probably be rapid, fairly linear growth for a few months (up to x10 maybe?) and then for the rest of the year it will grow to about x20 of the original amount. This assumes constant rate, a changing rate will cause the difficulty to adjust proportionally with some delay.

Try contacting him again, he's been around about a week ago, and not only have I received pretty good lists, I finally got some of the coins I had deposited.

1. The system is somewhat resilient against malicious stakeholders. You'd need to compromise a majority of voting coins to even think about an attack, and even then your power is limited. The existence of many different stakeholders is an advantage.

2. The stakeholders have no shortage of ways to secure their voting rights, such as multi-signature transactions. That would make them much harder to compromise.

3. Hashing is done on computers too, which can also be hacked. You might argue that a hashrate attack requires sustained control of the machines, but I think the same can be said about probabilistic proof of stake.

Put differently, PoW definitely elevates particular nodes to trusted status - those that are in control of large hashrate.

I don't want infinite deflation. I'd be a happy man indeed in nobody lost coins. But lost coins should remain lost.

You're trying to make it sound like a bad thing. People who have invested their time and money on Bitcoin have every right to want it to live up to what it promised, and prevent devaluation of their bitcoins or the shock to the economy that would be caused by a sudden resurfacing of lost coins.

That said: The solution proposed to this problem has potential issues (as some have pointed out), which is why we might have no choice but to allow crackers to steal the lost coins.

With all due respect, proof of stake is a real solution to a real problem. (Which I have discussed at length elsewhere.)

I have no idea what some implementation attempts have made, I'm talking about designs such as those suggested by cunicula and me.

Proof of stake has a practical history that extends back to the industrial revolution, or to ancient Greece, depending on interpretation. What's your point?

You're grasping at straws. Demurrage has absolutely no similarity to what we've discussed - which is a technical solution aspiring (with debatable prospect of success) to make Bitcoin closer to its idealized design in the face of the harsh practical realities.


Is discussion of particular items that could go into the design contract on-topic for this thread? Or is it meant to be more meta?

So blocks can only be generated by providing novel proofs to Millennium Prize Problems? I'm all for it.