Well for starters total bitcoin days destroyed is something whose supply isn't limited in a very useful way.
<clip>
Ultimately, the only 'finite resource' for PoS that I've come up with so far that is finite
in the way we want it to be, is the TxOuts that exist at the fork point. Whichever chain has had more of those coins spent in it is the chain created by the majority of the stake that existed at that time.
<clip>
Well, my point is that if we're serious about proof-of-stake, "doing the work"
means doing transactions that prove your stake supported a particular chain. In a Proof-of-stake universe that, and not hashing, is what keeps the chain secure. And by paying 'interest' on coins transacted in a chain, we
would be paying exactly the people who did the work to secure the chain.
Are you increasing security in one area by decreasing it in another? Could SPV clients could work with either technique? Does some alt-coin already do something like this?
"Decreasing security in some other way" seems quite likely, unfortunately. While I'm reasonably confident in the above as a general measure of chain goodness that isn't vulnerable to the nothing-at-stake issue, I don't know if it can really function as the *only* measure of chain goodness. I haven't provided for any real control over who gets to build the next block and when. And if the attacker can find any way to control that - building N blocks in a row at a time of his own choosing - he is quite likely to find a new way to mount an attack.
In all, no, this measure of chain goodness isn't a solution to the whole problem. As I said at the outset it's still awfully sensitive to large transactions. It's an important part of a solution but it isn't a solution of itself.
<clip>
When I finish working out its kinks it'll probably be one of my 'Cryptocurrency 101' blog posts. But I don't consider it to be quite unkinked just yet.
Okay, I unkinked it. I finally know the
RIGHT way to do a PoW/PoS hybrid coin. I haven't made the blog post yet, but my thoughts drifted back to it in the context of another discussion and I thought about how to get the people who provide security paid in proportion to the security they provide, and I sat down and did math and eventually came up with something that will definitely work. The coin remains a PoW/PoS hybrid forever - but proof-of-stake becomes more important (because the coin supply is increasing) so proof-of-work becomes proportionally less important as time goes on.
First of all, there's a mining subsidy for hashing. It could decline over time - that's up to whoever sets the coin parameters - but it need not. For purposes of the example, I'm going to say the miner gets one 'dirt' every time he mines a block, forever, but this becomes less important as time goes on because the stake portion of the system starts dominating security - and eventually provides the bulk of the awards generated by the coin.
When a transaction is made, it has to be 'staked' - that is, it has to commit to a past block and can be included only in block chains generated from that block. This means that if an attacker is mining a chain that he has not revealed, transactions made by other people cannot be included in his attack chain. Transactions once staked, have become a finite resource that can be counted in support of one side of a fork and CANNOT be used to support the other. So the only txIns that can count for both chains are the ones that are explicitly double spent by their owners. If you stake your transaction on the losing side of a block chain fork, the transaction 'Never Happened' and cannot be replayed into the new block chain.
The owner of each txIn gets "Head Stake" (calculating as compounding interest) for the interval between the generation of the txOut and the block where it gets staked as a txIn. The miner gets "Tail Stake" - the same rate of interest, but for the interval between the block the transaction is staked and the block the miner puts the transaction in.
Where "Split Stake Awards" is defined as the amount of stake interest awarded for a single block for all txouts created before the fork and used as txIns in transactions staked after the fork, and the Mining Subsidy is the subsidy for a single block, the priority of any chain as compared to another is calculated as
(Hashes since fork) X (Split Stake Awards + Mining Subsidy)
Which is to say, the miners and the stakers are counted as amplifying the security of the total hashes by exactly the same proportion in which they get paid on a single block when they commit resources
that can be used only once to one chain and not the other.
This starts out as straight proof-of-work, because there is NO split stake award for the first block, but after a while, depending on the staking interest rate, split stake awards get bigger than mining subsidies. By the time we're talking about a block chain that carries a significant transaction volume, split stake awards would be the main reason why one fork is accepted over the other given remotely comparable amounts of hashing. The odds of forking the chain with a block chain that you've prepared in secret would rapidly approach nil unless you have more than half of the (dirt X hashing power), and the importance of the dirt would far exceed the importance of hashing power.
Mining remains permissionless, and even if somebody with more wealth might be able to produce a higher-priority block because they stake their own coins, it won't matter if their block comes out more than a few seconds after yours.
Cryddit
