Topic: [ARTICLE] Decentralized Objective Consensus without Proof-of-Work
alkan (OP)
February 08, 2017, 07:09:33 PM
 #1

[Please forgive me my repost. I accidentally posted the thread in the wrong forum]
https://medium.com/@cv.alkan/decentralized-objective-consensus-without-proof-of-work-a983a0489f0a#.q30wcxthy

In my recent article, I propose a novel dual-token PoS model that aims to decouple rewards from resources (while preserving a sufficient incentive to build blocks).

The general idea is to have special accounts (minter accounts) as a second token. In contrast to regular accounts which can be created for free, a minter account pays out interests on its current balance. These accounts cannot be created at will, but are given to the minters who successfully build blocks. Such “child” accounts, having a market value, can then be sold to new owners. As the interests are paid to every minter account (not just the one that creates the block), a single entity has no incentive to own more than one account, while the trade with existing accounts is strongly disincentivized.

The blockchain is exclusively built by the owners of minter accounts whose number will grow over time. As a consequence, the consensus gets increasingly decentralized and secure. A 51% attacker would not only have to pay a lot of money to get enough accounts, but he would also need to spend a lot of time (in fact, he would have to keep buying child accounts for a period of time corresponding to the current age of the blockchain).

Furthermore, the economic value represented by the minter accounts allows for an effective punitive scheme to defend against the Nothing-at-Stake issue, without the need of locking up funds forever. Pre-committed hash chains are used for random selection of the next minter and at the same time provide DDoS-resilience.
And last but not least, the model makes use of “heartbeat” transactions which have to be issued by minter accounts from time to time. These transactions must include a TaPoS-like reference to a recent block of the chain which allows to detect long-range history attacks even if the attacker possesses more than 50% of old account keys.
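
Added example, not taken from the article or from this post: one way a pre-committed hash chain can drive a minter lottery that stays hidden until a block is released yet is verifiable afterwards. The scoring rule, the 1/N target, the tie handling and all names are assumptions, since the post does not specify the construction.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, length: int) -> list:
    """Return [seed, H(seed), ..., H^length(seed)]. Only the last element
    is published up front; earlier elements are revealed one per block."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


def score(preimage: bytes, height: int) -> int:
    """Lottery ticket for one height. It depends on a value the minter fixed
    when committing, so it cannot be re-rolled, and on a secret nobody else
    knows yet, so outsiders cannot tell in advance who will win."""
    return int.from_bytes(H(b"score" + preimage + height.to_bytes(8, "big")), "big")


def target(num_minters: int) -> int:
    """Assumed rule: each minter wins a given height with probability 1/num_minters."""
    return (1 << 256) // num_minters


class Minter:
    """Private side: owns the secret chain and walks it backwards."""

    def __init__(self, name: str, seed: bytes, length: int):
        self.name = name
        self._chain = build_chain(seed, length)
        self._pos = length  # index of the currently published commitment

    @property
    def commitment(self) -> bytes:
        return self._chain[self._pos]

    def try_mint(self, height: int, num_minters: int):
        """Return a block if this minter is eligible at `height`, else None."""
        if self._pos == 0:
            return None  # chain used up; a new commitment would be needed
        preimage = self._chain[self._pos - 1]
        if score(preimage, height) >= target(num_minters):
            return None
        self._pos -= 1
        return {"minter": self.name, "height": height, "reveal": preimage}


class Ledger:
    """Public side: tracks the latest commitment of every minter account."""

    def __init__(self):
        self.commitments = {}

    def register(self, name: str, commitment: bytes) -> None:
        self.commitments[name] = commitment

    def accept(self, block: dict) -> bool:
        current = self.commitments.get(block["minter"])
        if current is None:
            return False  # not a minter account
        reveal = block["reveal"]
        if H(reveal) != current:
            return False  # not the next link of the pre-committed chain
        if score(reveal, block["height"]) >= target(len(self.commitments)):
            return False  # link is genuine but does not win this height
        self.commitments[block["minter"]] = reveal  # reveal becomes the new commitment
        return True


def run_demo(heights: int = 40):
    """Constructed sample: four minters with made-up seeds."""
    ledger = Ledger()
    minters = [Minter(n, b"constructed-seed-" + n.encode(), 64)
               for n in ("alice", "bob", "carol", "dave")]
    for m in minters:
        ledger.register(m.name, m.commitment)
    log = []
    for height in range(1, heights + 1):
        for m in minters:
            block = m.try_mint(height, len(minters))
            if block is not None:
                log.append((block, ledger.accept(block)))
                break  # simplification: first eligible minter takes the height
    return ledger, log


if __name__ == "__main__":
    ledger, log = run_demo()
    for block, ok in log:
        print(block["height"], block["minter"], block["reveal"].hex()[:16], ok)
    # A revealed link is single-use: replaying the first block is rejected.
    print("replay accepted:", ledger.accept(log[0][0]))
```

Because a block is only valid with the next unrevealed link, nobody but the account owner can tell who is eligible at a height before the block appears, which is the property the post relies on for DDoS resilience.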

Spoetnik
February 09, 2017, 02:29:56 AM
 #2

By attacker do you mean by doing damage or by exploiting it for profit?
I have had some ideas before ..far more vague than what you proposed here though..
And i quickly saw major problems with exploit-ability.
At least in the sense of comparing a new project with past projects.

Unless there can be a substantial improvement over past coin in fairness and initial distribution etc then i think we have a problem and maybe no need for another coin.

I am pretty shitty with block tech / concepts and math etc.
So i would rather see someone more knowledgeable in that area post judgments on this topic.
It's been probably 2 years since i even looked at any coin code for example.

I support looking into new things though.

FUD first & ask questions later™
alkan (OP)
February 09, 2017, 05:37:27 PM
 #3

By attacker do you mean by doing damage or by exploiting it for profit?
The +50% attack scenarios (and the protective measures) are applicable to both kinds of attackers, while the DDoS attacks are mostly used to do damage rather than profit. Of course, by weakening the current miner or delegates, an attacker may also increase his own chances of building blocks and thereby his profits. My proposal solves this issue by hiding the identities of the next minters until they release their blocks (just like Bitcoin does).

Unless there can be a substantial improvement over past coin in fairness and initial distribution etc then i think we have a problem and maybe no need for another coin.
Initial distribution is a very important aspect of any cryptocurrency. I didn't elaborate on that in my post and might cover it in an upcoming article. My current idea is to perform some intelligent sampling of past and present Bitcoin owners/miners, and assign one account to each entity identified as such. I'm not sure if I should require Proof-of-Burn on top of that.

So i would rather see someone more knowledgeable in that area post judgments on this topic.

I support looking into new things though.
Thanks for your encouragement. It's hard to get noticed, even though my idea is quite novel I think. I'm still looking for qualified feedback and criticism from users like smooth, iamnotback, monsterer, jl777 etc.
iamnotback
February 19, 2017, 10:27:35 PM
Last edit: February 19, 2017, 10:43:52 PM by iamnotback
 #4

The general idea is to have special accounts (minter accounts) as a second token. In contrast to regular accounts which can be created for free, a minter account pays out interests on its current balance. These accounts cannot be created at will, but are given to the minters who successfully build blocks. Such “child” accounts, having a market value, can then be sold to new owners. As the interests are paid to every minter account (not just the one that creates the block), a single entity has no incentive to own more than one account, while the trade with existing accounts is strongly disincentivized.

The blockchain is exclusively built by the owners of minter accounts whose number will grow over time. As a consequence, the consensus gets increasingly decentralized and secure. A 51% attacker would not only have to pay a lot of money to get enough accounts, but he would also need to spend a lot of time (in fact, he would have to keep buying child accounts for a period of time corresponding to the current age of the blockchain).

Your assumptions about any second token not becoming centralized are incorrect.

Sorry you are wasting your time because of the inviolable bolded sentence below, otherwise stated as any resource will always become power-law or exponentially distributed:

The money supply will always be power-law or exponentially distributed for any resource. I document this claim with some references in my whitepaper.

What my design posits to do is maintain the consensus algorithm decentralized regardless. The key is finding a way to eliminate a Sybil attack without relying on a resource that becomes centralized. And to remove advantages due to economies-of-scale in the economics that impact the consensus algorithm and its long-term stability. I believe I have achieved it theoretically via separation-of-concerns. In other words, I slice-and-dice the responsibilities for achieving consensus such that no party has economy-of-scale incentives. I do this with a feedback mechanism, which I view as analogous to Byzantine fault detection. The design needs peer review, so assume a flaw may be found.



I'm still looking for qualified feedback and criticism from users like smooth, iamnotback, monsterer, jl777 etc.

It appears those users other than myself, are no longer active on BCT except minimally in the threads for the projects they are currently working on or are invested in.

It appears that monsterer's account might have been hacked or sold.
alkan (OP)
February 20, 2017, 06:17:22 PM
Last edit: February 20, 2017, 06:31:19 PM by alkan
 #5

Your assumptions about any second token not becoming centralized are incorrect.
Can you please be a bit more specific on that?

Interests are paid on account balance every time a block is built (by anyone), so in that regard it doesn't matter how many accounts you own.

As for the issue of buying & holding accounts in order to generate and sell child accounts later on, let me make the following gedankenexperiment.

Consider a situation where the market capitalization of the currency remains stable all the time. As money supply constantly increases by the interests, the exchange rate of the currency unit must inevitably decline. So, free accounts will make a loss, while the stake of minting accounts will be more worth over time. In other words, there will be a constant value transfer towards the minters.

Now, what will be the effect on the market price of the minting accounts? Well, still assuming a stable market capitalization of the currency (as the first token), the demand for new minter accounts cannot increase in the long run because the pool of total minters is growing as per protocol (note that existing accounts cannot be sold). An increasing demand for minter accounts would amount to a higher influx of new capital into the currency and thus increase its capitalization which is excluded in our gedankenexperiment. Therefore, if market capitalization must remain the same, it can only mean that the demand for new minter accounts will decrease or at most stay the same in the long run. As a result, the price of such accounts will either decrease or stay as the supply of new accounts is fixed by the protocol.

With that said, would it be rational for a new investor to buy minting accounts with the (sole) aim of selling their child accounts for profit? I doubt it. Depending on the age of the blockchain, an investor will have to wait years to sell its (first) child account and the price he gets will probably be lower than his purchase price. Of course, he could sell more than one child account over time, but for each additional child account he will need to wait even longer as the pool of minters gets bigger and bigger. Furthermore, the account generation intervals will also increase in absolute terms, since the average time needed to build the first block (and sell your first child account) mainly depends on the current age of the blockchain. The later you come, the longer you have to wait for your success.

In the long run, the discounted cash flow that can be generated by selling child accounts will tend to 0. And that is even true for scenarios of an increasing market capitalization since the latter cannot grow forever! On the other hand, by investing the purchase price into the currency itself instead of buying minting accounts, you will not only own a cash equivalent that can be sold anytime, but also receive interests on your stake. For this reason, buying multiple accounts will probably result in an economic loss, which should enforce decentralization of the second token (one man, one account, one vote) under the assumption that people are behaving rationally.

Of course, this assumption doesn't necessarily hold for irrational users who accumulate accounts for other reasons (e.g. to attack the blockchain). In that case, attackers with a lot of financial resources have an obvious advantage. However, their time will be limited just like the time of everybody else (as neither natural nor legal people are immortal), which lowers the risk of such attacks over time.

So, your statement that any resource will become power-law or exponentially distributed is not exact but too broad since time (in its absolute sense) is a good example for a resource that isn't power-law or exponentially distributed among people. Your statement only holds for resources that are negotiable. Time isn't.
iamnotback
February 20, 2017, 08:12:28 PM
Last edit: February 20, 2017, 10:34:50 PM by iamnotback
 #6

Interests are paid on account balance every time a block is built (by anyone), so in that regard it doesn't matter how many accounts you own.

But there are other incentives to owning accounts, and specifically to centralize mining. A power vacuum will always be filled.

It is an inviolable fact of thermodynamics.

In my unpublished whitepaper, I have cited the research which has explained that economic control over fungible (i.e. low entropy) resources invariably becomes power-law or exponentially distributed. Try to find an exception in nature.

Of course for non-fungible (i.e. high entropy) resources, such economic control over for example female vaginas is not centralized. (But to the extent control over humans is fungible, e.g. via debt, religion/ideology, and mass media, then control is centralized)

Now I am giving you too many hints as to how I solved the dilemma in my design.

note that existing accounts cannot be sold

Impossible to prevent selling accounts.

With that said, would it be rational for a new investor to buy minting accounts with the (sole) aim of selling their child accounts for profit?

It certainly is possible to create an asset that no one wants to buy and thus there is no point in discussing a design that will have 0 investment and security.

Sorry you can't defeat thermodynamics. You need to understand why some things remain decentralized and others don't. The key word is obviously fungibility (or more abstractly and generatively the key fundamental is entropy).
alkan (OP)
February 20, 2017, 09:06:05 PM
Last edit: February 20, 2017, 09:16:40 PM by alkan
 #7

But there are other incentives to owning accounts, and specifically to centralize mining. A power vacuum will always be filled.
What kind of incentives are you talking about?

In my unpublished whitepaper, I have cited the research which has explained that economic control over fungible resources invariably becomes power-law or exponentially distributed. Try to find an exception in nature.
I don't contest that tendency for fungible resources.

Of course for non-fungible resources, such economic control over female vaginas is not centralized. (But to the extent control over humans is fungible, e.g. via debt and mass media, then control is centralized)
Sex industry demonstrates that humans are also fungible (for the most part).

Impossible to prevent selling accounts.
It's impossible to prevent that completely but you can make it very risky for the buyer. In my model, an account must possess a certain minimum account balance for minting (the value must be chosen with care). As a result, the buyer of an existing account must fill it with some money to be entitled for building blocks, while the former owner will still know the private key (which is unchangeable) and could steal the coins back at will. Considering that the most probable reason why someone would purchase existing accounts is to attack the coin, the sellers of old accounts would have an additional (altruistic) incentive to grab the coins since they could say they did it for the public good.

It certainly is possible to create an asset that no one wants to buy and thus there is no point in discussing a design that will have 0 investment and security.
The main idea of my concept is to create an asset (minting account) that people only buy for one specific reason, namely to get interest on their stakes in the underlying currency. In contrast, purchase for resale is disincentivized.

Sorry you can't defeat thermodynamics. You need to understand why some things remain decentralized and others don't. The key word is obviously fungibility.
Obviously, my design leverages the concept of fungibility to maximize decentralization (via interests for every minting account owner and the minimum account balance required for minting) and security (via the extensive time needed to buy the majority of accounts whose creation rate is limited).
iamnotback
February 20, 2017, 09:54:35 PM
Last edit: February 20, 2017, 10:17:53 PM by iamnotback
 #8

What kind of incentives are you talking about?

Understanding the abstract generative essence is more important than searching for specific failure modes. You'll find those specific failure modes eventually, because the generative essence says you will.

Impossible to prevent selling accounts.

It's impossible to prevent that completely but you can make it very risky for the buyer.

Every risk becomes a cost and lowers the ROI. You really need to understand economics.

http://www.truthcoin.info/blog/pow-cheapest/#agenda

while the former owner will still know the private key (which is unchangeable) and could steal the coins back at will

So your coin becomes centralized via hacking and there is no resilience for the coin to recover from it. (The hackers drain the hacked accounts, so those accounts become permanently unfunded and inactive, so the remaining active minting accounts are centralized.)

Also your mechanism does not prevent renting an account whereby the owner proxies the desired activity of the renter. It also doesn't prevent collusion.

You can't defeat thermodynamics. There will always be a flaw when you attempt to tell nature that a fungible resource is not fungible. The low entropy of the resource is not obscured from nature.

It certainly is possible to create an asset that no one wants to buy and thus there is no point in discussing a design that will have 0 investment and security.

The main idea of my concept is to create an asset (minting account) that people only buy for one specific reason, namely to get interest on their stakes in the underlying currency.

For there to exist no power vacuum, then the value of mining (I didn't write just minting) must always be much lower than the value of interest even for someone who centralizes control over mining. Which obviously can't be true. Logic fail.

Obviously, my design leverages the concept of fungibility to maximize decentralization (via interests for every minting account owner and the minimum account balance required for minting) and security (via the extensive time needed to buy the majority of accounts whose creation rate is limited).

Obviously I have shown that it does not.
iamnotback
February 20, 2017, 10:28:54 PM
Last edit: February 21, 2017, 09:22:43 AM by iamnotback
 #9

For there to exist no power vacuum, then the value of mining (I didn't write just minting) must always be much lower than the value of interest even for someone who centralizes control over mining. Which obviously can't be true. Logic fail.

I found that the only way to solve this problem was to make it implausible (nearly impossible) to do the bad things that control over mining can do by incorporating Byzantine fault detection and combine this with unprofitable mining, so only those who have an incentive to maintain the Nash equilibrium actually mine (so that the risk cost of attempting attacks is far too high because it isn't cost-free to try over and over as it is in the nothing-at-stake of PoS[1] and the chance of succeeding is very low due to the Byzantine fault detection).

So that in a nutshell is my design solution. The technological challenge is in the details of accomplishing it.

Note PoW transfers the security cost to the environment as waste heat, electric utility companies (and to a smaller extent the ASIC hardware and infrastructure providers). My design transfers the security cost as a gain to the investors of the coin, i.e. a form of interest gain. If we assume that in both cases those gains ultimately percolate up to TPTB, then they are equivalent in that respect other than the losses to waste heat in PoW.

[1] When PoS doesn't become PoW due to the stake grinding competition.
alkan (OP)
February 21, 2017, 06:46:48 PM
Last edit: February 21, 2017, 08:32:45 PM by alkan
 #10

Every risk becomes a cost and lowers the ROI. You really need to understand economics.
That's true, but there's more to it in my design. The fact that the seller could steal any deposit made by the buyer makes existing accounts a non-negotiable resource which cannot be traded on exchanges like the currency itself.

To beat the consensus, you'd have to make a special deal (providing the required security guarantees) with the majority of currently active account owners whose number will be increasing over time. Such a scenario is much more unrealistic than just buying (old) private keys of a handful of stakeholders who had majority power over consensus at any point in the past. Please refer to the chapter "Heartbeat transactions to achieve objective consensus" where I explain this crucial difference to traditional PoS currencies.

So your coin becomes centralized via hacking and there is no resilience for the coin to recover from it. (The hackers drain the hacked accounts, so those accounts become permanently unfunded and inactive, so the remaining active minting accounts are centralized.)
No cryptocurrency can exist in a threat model where an attacker can simply hack the majority (or a significant number) of users to steal their private keys and do any kind of evil things. There's no point in developing a Bitcoin killer based on that assumption IMHO.

Also your mechanism does not prevent renting an account whereby the owner proxies the desired activity of the renter. It also doesn't prevent collusion.
Granted, but my consideration to your first statement applies here as well. Furthermore, if you assume that the majority of users engage in collusion, then it's pretty certain that every user will get to know about it, which enables them to create an honest fork of the chain, leaving the bad guys behind.

You can't defeat thermodynamics. There will always be a flaw when you attempt to tell nature that a fungible resource is not fungible. The low entropy of the resource is not obscured from nature.
No. Fungibility is nothing more than the economical property of a good or a commodity, that any unit of is equivalent to any other unit. Existing accounts (with a non-zero balance) pose a financial risk to the buyer. This risk depends on the person of the seller and requires individual arrangements between the parties to be mitigated. Therefore, any account must be considered an individual good which contradicts the definition of fungibility. I don't see how the laws of thermodynamics should affect this.

It certainly is possible to create an asset that no one wants to buy and thus there is no point in discussing a design that will have 0 investment and security.
For there to exist no power vacuum, then the value of mining (I didn't write just minting) must always be much lower than the value of interest even for someone who centralizes control over mining. Which obviously can't be true. Logic fail.
The goal is not to create an asset that no one wants to buy, but to create an asset with limited use cases. You (mainly) buy an account because you want to invest your money and receive interests. Once you have an account, you will also have an incentive to use it for minting as you could finally sell its children, while your minting costs would be very low without PoW. However, as shown above, you don't have an economic incentive to buy and use multiple accounts for the sole purpose of minting since the discounted cash flow from selling child accounts would be (at least asymptotically) lower than the acquisition costs which must be regarded as sunk costs as no market for existing accounts will exist.

If you think that this reasoning is flawed, then please point it out in a precise way.
iamnotback
February 21, 2017, 08:51:49 PM
Last edit: February 21, 2017, 09:08:57 PM by iamnotback
 #11

The fact that the seller could steal any deposit made by the buyer makes existing accounts a non-negotiable resource which cannot be traded on exchanges like the currency itself.

The large scale powerbrokers don't need liquid markets to offer to buy up the supply of mining accounts, because they are the market makers. They simply publish an offer and the sellers come to them.

You are simply forcing renting instead of outright sales, but you can't stop sellers and buyers from pursuing that which generates the most value for both of them. Again I urged you to study the economics.

To beat the consensus, you'd have to make a special deal (providing the required security guarantees) with the majority of currently active account owners whose number will be increasing over time. Such a scenario is much more unrealistic than just buying (old) private keys of a handful of stakeholders who had majority power over consensus at any point in the past.

If new accounts are growing fast enough to render old accounts irrelevant, then the power-law superior "investor" buys more new accounts than everyone else.

Perhaps they can even devise a way to buy new accounts that have their chosen private key which the seller has never seen? Do you cryptographically force the creator of a new account (minter) to sign the private key (and can this be done without revealing the private key)?

No cryptocurrency can exist in a threat model where an attacker can simply hack the majority (or a significant number) of users to steal their private keys and do any kind of evil things.

There is usually assumed to be an orders-of-magnitude difference between the number of users of a system and the number of mining accounts.

I don't know how you plan to gain billions of adoption from users and also expect them all to invest in interest bearing tokens and perform mining duties. There seems to be a mismatch in incentives between what would entice billions of people to use a coin and investing. Most people aren't investors, else we would not have a power-law distribution of wealth.

Also with PoW, the miner isn't locked to one private key. His mining equipment is orthogonal to any cryptographic key. And this hacking issue is one of the security problems for PoS in fact (especially when most of the coins might be stored on an exchange).

Granted, but my consideration to your first statement applies here as well.

What?

Furthermore, if you assume that the majority of users engage in collusion, then it's pretty certain that every user will get to know about it, which enables them to create an honest fork of the chain, leaving the bad guys behind.

Investors do what is rational. Investors are not users because most people can't be investors (they don't save enough).

Fungibility is nothing more than the economical property of a good or a commodity, that any unit of is equivalent to any other unit. Existing accounts (with a non-zero balance) pose a financial risk to the buyer. This risk depends on the person of the seller and requires individual arrangements between the parties to be mitigated. Therefore, any account must be considered an individual good which contradicts the definition of fungibility.

Renting eliminates that fungibility barrier.

The goal is not to create an asset that no one wants to buy, but to create an asset with limited use cases. You (mainly) buy an account because you want to invest your money and receive interests. Once you have an account, you will also have an incentive to use it for minting as you could finally sell its children, while your minting costs would be very low without PoW. However, as shown above, you don't have an economic incentive to buy and use multiple accounts for the sole purpose of minting since the discounted cash flow from selling child accounts would be (at least asymptotically) lower than the acquisition costs which must be regarded as sunk costs as no market for existing accounts will exist.

If you think that this reasoning is flawed, then please point it out in a precise way.

If ROI from minting is so much lower than interest, then why will anyone bother to mint and mine? Vitalik pointed out that altruistic prime is not stable for an undersupplied public good.

And since you've made the return from honestly minting and mining so low, i.e. you have created a power vacuum, why wouldn't it be an incentive to rent or collude to earn more from that aspect of the assets, such as for example if the TPTB want to blacklist some transactions (some dissidents or enemies) without destroying the value of the ecosystem.
alkan (OP)
February 22, 2017, 06:18:39 PM
Last edit: February 22, 2017, 06:33:40 PM by alkan
 #12

You are simply forcing renting instead of outright sales, but you can't stop sellers and buyers from pursuing that which generates the most value for both of them. Again I urged you to study the economics.
I'm aware of the economics of bribe attacks (Chapter 3.8.1, http://bitfury.com/content/5-white-papers-research/pos-vs-pow-1.0.2.pdf). But these attacks rely on a different security model than shorting or buying enough stake/accounts for attacking. As you say, the large scale powerbrokers could publish an offer and they would be successful only if they could convince more than 50% of the account owners. However, by doing so, their plot would be public and might result in counter measures taken by the "honest" minority of the community and eventually lead to a fork.

If new accounts are growing fast enough to render old accounts irrelevant, then the power-law superior "investor" buys more new accounts than everyone else.
New accounts are created at the same rate as blocks, therefore even a power-law superior investor would need a very long time to build up the required impact, assuming that the current owners use their accounts (for which they had to pay) for minting for long periods.

Perhaps they can even devise a way to buy new accounts that have their chosen private key which the seller has never seen? Do you cryptographically force the creator of a new account (minter) to sign the private key (and can this be done without revealing the private key)?
Yes, that's the way it works. The seller won't get knowledge of the buyer's private key.


There is usually assumed to be an orders-of-magnitude difference between the number of users of a system and the number of mining accounts.

I don't know how you plan to gain billions of adoption from users and also expect them all to invest in interest bearing tokens and perform mining duties. There seems to be a mismatch in incentives between what would entice billions of people to use a coin and investing. Most people aren't investors, else we would not have a power-law distribution of wealth.
My model offers two different types of accounts: free accounts that everyone can create by generating a key pair and minting accounts which are rate-limited. Only the latter are eligible for minting. People who don't have enough money can use free accounts for their transactions.

Also with PoW, the miner isn't locked to one private key. His mining equipment is orthogonal to any cryptographic key.

Yes, hacking the private key of a PoW coin wouldn't
And this hacking issue is one of the security problems for PoS in fact (especially when most of the coins might be stored on an exchange).
Agreed, hacking is certainly an issue for a PoS coin in some cases but assuming that the keys are stored at a lot of different places, I doubt that any hacker could grab the majority of them.

Investors do what is rational. Investors are not users because most people can't be investors (they don't save enough).
Sure. Some investors might also think that they'd be better off by participating in a counter-collusion in order to create an honest fork (without blacklisting the transactions) and split the coin. It's even possible that the new currency would be worth more than the old one.

If ROI from minting is so much lower than interest, then why will anyone bother to mint and mine? Vitalik pointed out that altruistic prime is not stable for an undersupplied public good.

And since you've made the return from honestly minting and mining so low, i.e. you have created a power vacuum, why wouldn't it be an incentive to rent or collude to earn more from that aspect of the assets, such as for example if the TPTB want to blacklist some transactions (some dissidents or enemies) without destroying the value of the ecosystem.
I agree that it's a bad idea to rely on altruistic prime. However, as for low ROI of minting, the devil lies in the details. The ROI consists of two parts: The interest on your stake and the payments received for selling child accounts. While the first part mainly depends on the amount of your stake and differs from person to person, the second part is actually low because you rarely get the chance to create blocks. Once you have built a block, you have a clear incentive to sell it for the market price.

Of course, if an attacker is able to bribe the majority of the investors, the currency could be attacked. But for effective blacklisting of transactions, it's not enough to just discard the banned transactions from your blocks since the remaining nodes could put them into their blocks later on. You would also have to orphan every block that contains such transactions, which means that you would actually refrain from creating a block and selling the child account attached to it. That's why the attacker would have to pay a higher bribe than the market price of the accounts to every minter that provides evidence of orphaning a block (that he could have built otherwise).

Ultimately, the attacker would have to keep paying the market price for at least 50% of the ongoing production of blocks/accounts as long as he wants to maintain his attack.
alkan (OP)
February 24, 2017, 08:29:35 PM
Last edit: February 25, 2017, 06:03:55 PM by alkan
 #13

I found that the only way to solve this problem was to make it implausible (nearly impossible) to do the bad things that control over mining can do by incorporating Byzantine fault detection and combine this with unprofitable mining, so only those who have an incentive to maintain the Nash equilibrium actually mine (so that the risk cost of attempting attacks is far too high because it isn't cost-free to try over and over as it is in the nothing-at-stake of PoS[1] and the chance of succeeding is very low due to the Byzantine fault detection).

So that in a nutshell is my design solution. The technological challenge is in the details of accomplishing it.

Thanks for these interesting hints. It seems that in your model there is an explicit or implicit penalty for not mining as there's no positive reward for mining (in that case mining would be profitable).
iamnotback
February 25, 2017, 06:32:26 PM
 #14

You are simply forcing renting instead of outright sales, but you can't stop sellers and buyers from pursuing that which generates the most value for both of them. Again I urged you to study the economics.

I'm aware of the economics of bribe attacks (Chapter 3.8.1, http://bitfury.com/content/5-white-papers-research/pos-vs-pow-1.0.2.pdf). But these attacks rely on a different security model than shorting or buying enough stake/accounts for attacking. As you say, the large scale powerbrokers could publish an offer and they would be successful only if they could convince more than 50% of the account owners. However, by doing so, their plot would be public and might result in counter measures taken by the "honest" minority of the community and eventually lead to a fork.

They can Sybil attack the offerings to buy accounts.

If new accounts are growing fast enough to render old accounts irrelevant, then the power-law superior "investor" buys more new accounts than everyone else.

New accounts are created at the same rate as blocks, therefore even a power-law superior investor would need a very long time to build up the required impact, assuming that the current owners use their accounts (for which they had to pay) for minting for long periods.

I mean as new blocks and accounts are minted/created, the investors can buy this supply the private key they want for them perhaps. So they own them outright. Buying them from the various minters.

Perhaps they can even devise a way to buy new accounts that have their chosen private key which the seller has never seen? Do you cryptographically force the creator of a new account (minter) to sign the private key (and can this be done without revealing the private key)?

Yes, that's the way it works. The seller won't get knowledge of the buyer's private key.


How can you prove in zero knowledge that the private key for the new account has been signed by the key of the minter and not the buyer of the new account?

There is usually assumed to be an orders-of-magnitude difference between the number of users of a system and the number of mining accounts.

I don't know how you plan to gain billions of adoption from users and also expect them all to invest in interest bearing tokens and perform mining duties. There seems to be a mismatch in incentives between what would entice billions of people to use a coin and investing. Most people aren't investors, else we would not have a power-law distribution of wealth.

My model offers two different types of accounts: free accounts that everyone can create by generating a key pair and minting accounts which are rate-limited. Only the latter are eligible for minting. People who don't have enough money can use free accounts for their transactions.

But you aren't addressing the reason I mentioned that. Refer back to the prior discussion.

Also with PoW, the miner isn't locked to one private key. His mining equipment is orthogonal to any cryptographic key.

Yes, hacking the private key of a PoW coin wouldn't
And this hacking issue is one of the security problems for PoS in fact (especially when most of the coins might be stored on an exchange).

Agreed, hacking is certainly an issue for a PoS coin in some cases but assuming that the keys are stored at a lot of different places, I doubt that any hacker could grab the majority of them.

It can be a statistically relevant concern as the mining becomes more and more centralized for other reasons.

Investors do what is rational. Investors are not users because most people can't be investors (they don't save enough).

Sure. Some investors might also think that they'd be better off by participating in a counter-collusion in order to create an honest fork (without blacklisting the transactions) and split the coin. It's even possible that the new currency would be worth more than the old one.

It is not what they think is better off, but what is actually better off. Economies-of-scale are more efficient at manipulating centralized FUNGIBLE value. Here is that key term fungible again.

Hint: IMO you can't achieve real decentralization until you actually employ a "resource" (an effect actually) that can't be made fungible due to its natural attributes, not some artificial barrier that you try to construct which nature will route around.

For example the act of sexual intercourse is very difficult to centralize or make fungible. No, my design is not Proof-of-I(ntercourse) ... that's NEM.

If ROI from minting is so much lower than interest, then why will anyone bother to mint and mine? Vitalik pointed out that altruistic prime is not stable for an undersupplied public good.

And since you've made the return from honestly minting and mining so low, i.e. you have created a power vacuum, why wouldn't it be an incentive to rent or collude to earn more from that aspect of the assets, such as for example if the TPTB want to blacklist some transactions (some dissidents or enemies) without destroying the value of the ecosystem.

I agree that it's a bad idea to rely on altruistic prime. However, as for low ROI of minting, the devil lies in the details. The ROI consists of two parts: The interest on your stake and the payments received for selling child accounts. While the first part mainly depends on the amount of your stake and differs from person to person, the second part is actually low because you rarely get the chance to create blocks. Once you have built a block, you have a clear incentive to sell it for the market price.

Now you are telling me new accounts can be sold? So why do you think these won't be power-law distributed? They always are.

Ultimately, the attacker would have to keep paying the market price for at least 50% of the ongoing production of blocks/accounts as long as he wants to maintain his attack.

If mining is profitable why wouldn't the "attacker" (or natural power-law effect) do this? If mining is not profitable, why would anyone buy new accounts?
alkan (OP)
February 25, 2017, 10:44:09 PM
 #15

I mean as new blocks and accounts are minted/created, the investors can buy this supply the private key they want for them perhaps. So they own them outright. Buying them from the various minters.
Yes, that's possible and legitimate. New accounts will be a fungible good that can be bought by anybody.

How can you prove in zero knowledge that the private key for the new account has been signed by the key of the minter and not the buyer of the new account?
It seems that I misread your initial statement, sorry. The minter signs the new account's public key as depicted in the diagram. So, of course, the new buyer will get full control over his account and can henceforth contribute to consensus. So, there's no need for a zero knowledge proof for the new account's private key.

But you aren't addressing the reason I mentioned that. Refer back to the prior discussion.
I don't expect everybody to become an investor and take part in mining. The majority of users will probably only use free accounts. But given the fact that the number of accounts will correspond to the number of blocks, there will be a considerable supply of new accounts at all times. (I'm not sure if I got your point though.)

It is not what they think is better off, but what is actually better off. Economies-of-scale are more efficient at manipulating centralized FUNGIBLE value. Here is that key term fungible again.
I think we both agree on the importance of fungibility when it comes to centralization. On the other hand, I'm not sure if we are on the same page with regard to the notion of centralization/decentralization. In my opinion, a blockchain is set to stay decentralized if regular users are, regardless of their wealth, disincentivized to get a higher influence on consensus than "one man, one vote".

Regular users a) act rationally and b) don't have the (financial) means and the political power to beat the consensus as such by colluding or bribing/extorting the majority of their peers. If someone is able to do that, then I consider the currency as being corrupted as it could show any arbitrary behaviour. The important question is if decentralization of regular users makes it more difficult to corrupt the coin. I think yes, even though the Bitfury paper argues otherwise:

Quote
As there is a relatively small number of miners in the Bitcoin ecosystem, participating in the attack would damage their reputation. In case of a PoS system, there is no reputation to speak of because most stakeholders are likely anonymous.

Hint: IMO you can't achieve real decentralization until you actually employ a "resource" (an effect actually) that can't be made fungible due to its natural attributes, not some artificial barrier that you try to construct which nature will route around.
The question if people can circumvent the artificial barrier is not binary but of degree. All you need to attack a traditional cryptocurrency is the financial means to acquire the necessary stake (PoS) or +25/33% of the hashrate (PoW). Whereas, in my design, you also need plenty of time (years, even decades) or the necessary power/credibility to control 50% of the active miners without buying accounts.

For example the act of sexual intercourse is very difficult to centralize or make fungible. No, my design is not Proof-of-I(ntercourse) ... that's NEM.
LOL! What non-fungible resource other than sexual intercourse are you using to secure your coin? (Btw, ShagCoin would be a nice name... ;) )

Now you are telling me new accounts can be sold? So why do you think these won't be power-law distributed? They always are.
New accounts can be sold on the market just like the currency itself. They won't get centralized because it simply doesn't make sense for an investor to have more than one account since he gets the same interests on his stake, while the profits from selling child accounts will get negligible over time.

Ultimately, the attacker would have to keep paying the market price for at least 50% of the ongoing production of blocks/accounts as long as he wants to maintain his attack.

If mining is profitable why wouldn't the "attacker" (or natural power-law effect) do this? If mining is not profitable, why would anyone buy new accounts?

Investors will buy the accounts because they get regular interests on their stake with every block attached to the blockchain, even if they never mine a single block.
However, everybody who owns an account has an incentive to mine since mining is profitable and the costs are very low without PoW.

The profitability of mining will decrease over time due to the growing competition. If you buy your first account 10 years after the genesis block, you will have to wait another 10 years on average to get your first child account (provided that every investor is actually mining). Now, you can decide if you want to sell your child account or keep it and retain your relative mining power. If you opt for the latter, you will have to wait another 10 years to get your first grand child account. If you sell it, you can cash out with the current account price and will only have half the minting power as of now, which means that you would have to wait 20 more years for your first grand child account.

Accounts that haven't been sold at their birth, will be practically unsalable for the future due to the buyer's risk I already mentioned. That's a fundamental difference to traditional PoS where you can grow your stake just by keeping it mining and sell it any time you want. In my design, the price you pay for an account will be sunk costs. So, it's only profitable to mine once you own an account (which you have bought in order to get interest on your coins). Whenever you get the chance to build a block, it will be more profitable to sell the child account and invest the price back into the underlying currency, rather than keeping the account in the hope of selling grand-child accounts later on.
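
The waiting-time and majority-accumulation arithmetic discussed in the post above, worked through as an added example (not part of the original post or the article). It assumes one new minter account per block, 10-minute blocks, and that the next minter is drawn uniformly from all existing minter accounts; the function names are hypothetical.

```python
from fractions import Fraction
from math import floor

BLOCKS_PER_DAY = 144                      # 10-minute blocks, as assumed in the thread
BLOCKS_PER_YEAR = BLOCKS_PER_DAY * 365


def survival(n0, j, k=1):
    """P(the owner of k out of n0 minter accounts mints none of the next j blocks).

    Assumed model: every block picks one existing account uniformly at random
    and then adds one account, so the chance per block is k/m with m growing:
    prod_{m=n0}^{n0+j-1} (1 - k/m), which telescopes to the ratio below.
    """
    if not 1 <= k <= n0:
        raise ValueError("k must be between 1 and n0")
    if j == 0:
        return Fraction(1)
    num = den = 1
    for i in range(1, k + 1):
        num *= n0 - i
        den *= n0 + j - i
    return Fraction(num, den)


def median_wait(n0, k=1):
    """Smallest number of blocks j after which the owner has minted with P >= 1/2.

    The median is used because survival only decays like 1/j for k = 1,
    so the mean waiting time is unbounded in this model.
    """
    half = Fraction(1, 2)
    hi = 1
    while survival(n0, hi, k) > half:     # exponential search for an upper bound
        hi *= 2
    lo = hi // 2                          # survival(lo) > 1/2 (or lo == 0)
    while hi - lo > 1:                    # binary search for the crossing point
        mid = (lo + hi) // 2
        if survival(n0, mid, k) > half:
            lo = mid
        else:
            hi = mid
    return hi


def blocks_to_majority(n0, buy_share):
    """Blocks until a buyer of `buy_share` of all NEW accounts owns > 50% of all accounts.

    Assumes the buyer starts with nothing and the n0 existing accounts stay
    with their current owners. Returns None if a majority is never reached.
    """
    f = Fraction(buy_share)
    if f <= Fraction(1, 2):
        return None
    # f*j > (n0 + j)/2  <=>  j > n0 / (2f - 1)
    return floor(Fraction(n0) / (2 * f - 1)) + 1


def scenario(age_years=10):
    """Median waits (in years) for someone buying one account `age_years` after genesis."""
    n0 = age_years * BLOCKS_PER_YEAR      # accounts existing at purchase time
    first_child = median_wait(n0, 1)
    n1 = n0 + first_child                 # accounts existing once the child is minted
    return {
        "first_child": first_child / BLOCKS_PER_YEAR,
        "next_if_child_sold": median_wait(n1, 1) / BLOCKS_PER_YEAR,
        "next_if_child_kept": median_wait(n1, 2) / BLOCKS_PER_YEAR,
        "majority_buying_all_new": blocks_to_majority(n0, 1) / BLOCKS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value:.2f} years")
```

The same functions can be rerun with a different chain age or a different share of newly minted accounts bought to see how the time to a majority scales.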
iamnotback
February 26, 2017, 03:50:08 PM
Last edit: February 26, 2017, 04:03:20 PM by iamnotback
 #16

Please try to wrap up this discussion between you and I (which I feel was worthwhile for me). Because I don't have free time to expend on this.

But you aren't addressing the reason I mentioned that. Refer back to the prior discussion.

I don't expect everybody to become an investor and take part in mining. The majority of users will probably only use free accounts. But given the fact that the number of accounts will correspond to the number of blocks, there will be a considerable supply of new accounts at all times. (I'm not sure if I got your point though.)

The point remains that accounts will become power-law or exponentially distributed (if not relative to themselves then at least relative to free accounts) and thus be much fewer to attack to steal private keys than the number of freemium users.


Whereas, in my design, you also need plenty of time (years, even decades) or the necessary power/credibility to control 50% of the active miners without buying accounts.

Now you are telling me new accounts can be sold? So why do you think these won't be power-law distributed? They always are.

New accounts can be sold on the market just like the currency itself. They won't get centralized because it simply doesn't make sense for an investor to have more than one account since he gets the same interests on his stake, while the profits from selling child accounts will get negligible over time.

Ultimately, the attacker would have to keep paying the market price for at least 50% of the ongoing production of blocks/accounts as long as he wants to maintain his attack.

If mining is profitable why wouldn't the "attacker" (or natural power-law effect) do this? If mining is not profitable, why would anyone buy new accounts?

Investors will buy the accounts because they get regular interests on their stake with every block attached to the blockchain, even if they never mine a single block.
However, everybody who owns an account has an incentive to mine since mining is profitable and the costs are very low without PoW.

The profitability of mining will decrease over time due to the growing competition. If you buy your first account 10 years after the genesis block, you will have to wait another 10 years on average to get your first child account (provided that every investor is actually mining). Now, you can decide if you want to sell your child account or keep it and retain your relative mining power. If you opt for the latter, you will have to wait another 10 years to get your first grand child account. If you sell it, you can cash out with the current account price and will only have half the minting power as of now, which means that you would have to wait 20 more years for your first grand child account.

Accounts that haven't been sold at their birth, will be practically unsalable for the future due to the buyer's risk I already mentioned. That's a fundamental difference to traditional PoS where you can grow your stake just by keeping it mining and sell it any time you want. In my design, the price you pay for an account will be sunk costs. So, it's only profitable to mine once you own an account (which you have bought in order to get interest on your coins). Whenever you get the chance to build a block, it will be more profitable to sell the child account and invest the price back into the underlying currency, rather than keeping the account in the hope of selling grand-child accounts later on.

You've clarified a key detail just now highlighted in bold above. So you are saying that users need one mining account to enable earning interest on their non-mining tokens (your prior descriptions led me to assume interest was per mining account and had nothing to do with tokens owned)? So you are saying that there is no reason to own more than one mining account, because mining does not return enough to recoup the cost of buying an account. So you are implying mining is not profitable in the sense of total ROI, but it does produce profitable operating income. You did not make that distinction clear in your description and terminology before.

That was not at all clear to me from your original summary of your system. I suggest you improve your abstract.

So you are claiming that as long as the starting distribution of mining accounts is nearly uniformly distributed (i.e. one person, one account), then it would be too costly to buy new accounts to maintain a 50% control on total supply of mining accounts, because the cost of buying them can never be recouped from mining alone (only from interests on tokens).

So now that I properly understand your design, I can more easily identify the flaws.

The flaw should be obvious to you! If the supply of new mining accounts is insufficient to match the number of new users who are buying tokens (which you state decline exponentially in order to make the mining account a sunk cost relative to mining profits), then it means competition in pricing for mining accounts means that only some tokens owners earn interest. So in order to earn interest, there will be competition to consolidate token ownership ever and ever more concentrated. So that the price of new accounts keep rising until the supply of tokens is owned by a very few individuals. This will also drive the price of the token down and down, because eventually only a very few large token holders can justify buying new accounts. Even they can justify buying more than one new account, because their interest earned per mining account purchased is higher than their competition.

So you can see mining becomes centralized.

Really there is no way to stop nature from routing around your Coasian barrier applied to a fungible resource. Your attempt to make it not fungible plays right into why the concentration still wins the economy-of-scale as I explained.

I had stated before that if mining income is very small relative to interests earned, then no one will bother to do it. Thus that is another reason the mining will become centralized.

I am intuitively confident we will discover numerous ways this fails. But I don't have time to think about this too much.
alkan (OP)
February 26, 2017, 06:15:16 PM
 #17

Please try to wrap up this discussion between you and I (which I feel was worthwhile for me). Because I don't have free time to expend on this.
Thank you for your time and your insightful comments which were worthwhile for me as well. Please allow me some final comments for further clarification.
You don't need to answer them if you don't have enough free time (or prefer to work on your own coin design).

You've clarified a key detail just now highlighted in bold above. So you are saying that users need one mining account to enable earning interest on their non-mining tokens (your prior descriptions led me to assume interest was per mining account and had nothing to do with tokens owned)? So you are saying that there is no reason to own more than one mining account, because mining does not return enough to recoup the cost of buying an account. So you are implying mining is not profitable in the sense of total ROI, but it does produce profitable operating income. You did not make that distinction clear in your description and terminology before.

That was not at all clear to me from your original summary of your system. I suggest you improve your abstract.
Yes, you're right. I really should improve the abstract...

So now that I properly understand your design, I can more easily identify the flaws.
I think we are on the same page now, maybe with the exception of one very important aspect: Interests on coins are credited to every account every time a block is built (by anybody).
So, interest alone cannot be an incentive factor to buy more than one account since you get the very same interests (at the same pace), no matter how you split up your coins
between your accounts.

If the supply of new mining accounts is insufficient to match the number of new users who are buying tokens (which you state decline exponentially in order to make the mining account a sunk cost relative to mining profits), then it means competition in pricing for mining accounts means that only some tokens owners earn interest.
The supply of new accounts is linear: One new block = one new account.
Coin supply will depend on the percentage of stake held by minter accounts (since free accounts don't receive interests) and the interest rate set by the protocol.

Neither token will decline exponentially. What will decline (in theory) is the chance of successfully minting a new block as the competition will grow.
If we assume that investors actually use their accounts to mine, then for someone who is only using 1 account to mine, the expected intervals between mining your first, second, third... child account should increase exponentially.
(Of course, it's not realistic to assume that every investor will mint all the time, so that the intervals will be sub-exponential)

So in order to earn interest, there will be competition to consolidate token ownership ever and ever more concentrated. So that the price of new accounts keep rising until the supply of tokens is owned by a very few individuals. This will also drive the price of the token down and down, because eventually only a very few large token holders can justify buying new accounts.
It's clear that the price of new accounts will be determined by those who have most stake. But assuming 10 minute block time, there will be 144 new accounts every day.

Even they can justify buying more than one new account, because their interest earned per mining account purchased is higher than their competition.
Their interests will be the same regardless of the number of accounts they own. Buying two accounts instead of one means that you get half the yield (w.r.t. interest).
iamnotback
February 26, 2017, 06:24:32 PM
 #18

So now that I properly understand your design, I can more easily identify the flaws.

I think we are on the same page now, maybe with the exception of one very important aspect: Interests on coins are credited to every account every time a block is built (by anybody).
So, interest alone cannot be an incentive factor to buy more than one account since you get the very same interests (at the same pace), no matter how you split up your coins
between your accounts.

But those with more stake can afford to buy more mining accounts, even though they don't have to. And thus if denying others interest is relatively more profitable for them... ______________ (fill in the blank yourself)

Thanks also. :)
alkan (OP)
March 11, 2017, 04:08:27 PM
Last edit: March 12, 2017, 01:44:09 PM by alkan
 #19

But those with more stake can afford to buy more mining accounts, even though they don't have to. And thus if denying others interest is relatively more profitable for them... ______________ (fill in the blank yourself)

This is a good point though I'm not sure if denying others interest could be a profitable strategy. By doing so you would most probably deter other investors from buying the currency whatsoever which would negatively impact the price of your own stake.

I just had the idea that one could completely change the incentives in my dual-token blockchain model. Instead of paying interests to minter accounts, one could simply give them the right to make transactions with lower transaction fees than free accounts. Alternatively, one could set a minimum transaction amount for free accounts and no limit for minter accounts (which would then be suitable for microtransactions). In the latter case, minting would be done by small users rather than by big investors. Though this would make minter accounts cheaper and more susceptible for attack scenarios.

You are simply forcing renting instead of outright sales, but you can't stop sellers and buyers from pursuing that which generates the most value for both of them. Again I urged you to study the economics.
It appears that one could use a GHOST-like protocol to protect a PoS/PoW blockchain from colluding minters and bribing attacks. Such attacks normally result in orphaned blocks, so a special reward for including them into the blocks of the main chain would make collusion more difficult/expensive. The more orphans are referenced, the higher would be the new block's score and thus the likelihood that it will become part of the main chain. In addition to GHOST, transactions of the orphaned blocks referenced in the main chain would be considered as issued at the time when the referring block is created. Nodes censoring certain transactions (and blocks that contain them) would have a hard time.

As a minimal alternative, one could just reference orphaned blocks in the chain to achieve consensus over the orphan rate (as a moving average calculated over the last k blocks). That would allow setting the mining reward (interest rate) according to the orphan rate. The higher the rate, the higher would be the mining reward and thus the incentive not to take part in the censorship/collusion.
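
A sketch of the orphan-rate rule from the last paragraph of the post above, as an added example (not code from the post or the article). The block record, the sample chain, the linear capped reward formula and all names are assumptions made for illustration; the post only fixes that the rate is a moving average over the last k blocks and that the reward rises with it.

```python
from collections import namedtuple

# Constructed block record: only the fields this example needs.
Block = namedtuple("Block", "block_id orphan_refs")

BPS = 10_000  # basis points; integer arithmetic so every node derives the same value


def orphan_rate_bps(chain, k):
    """Orphan rate over the last k main-chain blocks, in basis points.

    rate = referenced orphans / (main-chain blocks + referenced orphans).
    An orphan counts once, at its first reference, and references to
    main-chain blocks are ignored. Without both rules a minter could inflate
    the rate (and with it the reward) by repeating references.
    """
    if k <= 0:
        raise ValueError("k must be positive")
    main_ids = {blk.block_id for blk in chain}
    window_start = max(0, len(chain) - k)
    seen = set()
    orphans = 0
    for idx, blk in enumerate(chain):
        for ref in blk.orphan_refs:
            if ref in main_ids or ref in seen:
                continue                  # not an orphan, or already accounted for
            seen.add(ref)
            if idx >= window_start:
                orphans += 1
    blocks = len(chain) - window_start
    total = blocks + orphans
    return BPS * orphans // total if total else 0


def next_reward(chain, k, base_reward, cap_bps):
    """Hypothetical rule: base reward plus a bonus equal to the orphan rate, capped."""
    bonus_bps = min(orphan_rate_bps(chain, k), cap_bps)
    return base_reward * (BPS + bonus_bps) // BPS


# Constructed sample chain, oldest block first.
SAMPLE_CHAIN = [
    Block("b0", []),
    Block("b1", ["o1"]),
    Block("b2", []),
    Block("b3", ["o2", "o3"]),
    Block("b4", ["o2"]),          # repeats o2: not counted again
    Block("b5", ["o4", "b2"]),    # b2 is on the main chain: ignored
]

if __name__ == "__main__":
    rate = orphan_rate_bps(SAMPLE_CHAIN, k=4)
    print("orphan rate over last 4 blocks:", rate, "bps")
    print("next reward:", next_reward(SAMPLE_CHAIN, 4, base_reward=1000, cap_bps=5000))
```

The cap bounds how far a burst of orphans, whether caused by censorship or by deliberately produced blocks, can raise the reward.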

