Bitcoin Forum
November 14, 2024, 11:57:07 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Proof of stake instead of proof of work  (Read 32496 times)
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 04:12:45 AM
Last edit: July 11, 2011, 06:48:00 AM by QuantumMechanic
Merited by ABCbits (3), Vod (2), webtricks (2), d5000 (1), drays (1)
 #1

I've got an idea, and I'm wondering if it's been discussed/ripped apart here yet:

I'm wondering if as bitcoins become more widely distributed, whether a transition from a proof of work based system to a proof of stake one might happen.  What I mean by proof of stake is that instead of your "vote" on the accepted transaction history being weighted by the share of computing resources you bring to the network, it's weighted by the number of bitcoins you can prove you own, using your private keys.

For those that don't want to be actively verifying transactions, and so that not all private keys need to be facing the network, votes could be delegated to other addresses via some kind of nonstandard Bitcoin transaction.  In this way, voting power would accumulate with trusted delegates instead of miners.  New bitcoins and transaction fees could be randomly and periodically distributed to delgates, weighted by the number of votes they've accumulated, thereby incentivising diversity of the delegates and direct voters.

If the implementation could be done, it proved to maintain at least a similar level of privacy and trustworthiness, and it only minimally complicated the UX, I'm thinking that a proof of stake based fork could out-compete a proof of work one due to much lower transaction fees, since its network wouldn't need to support the cost of the miners' computing resources.  (Note that the vote delegation scheme has bandwith/storage overhead that would offset these savings by some amount which would hopefully be relatively small.)

Some other potential improvements this system could offer:
  • Possibly quicker, more definite confirmation of transactions, depending on how it can be implemented.
  • The "voting power" may be more trustworty, since it would accumulate in a bottom-up fashion via a network of trust, instead of in the somewhat arbitrary way it accumulates now.  (Note the potential problem of vote-buying here.)
  • It would remove the physical point of failure of bitcoin mining equipment, which can be confiscated or made illegal to run.
  • It could be used to provide stakeholders a means of making their voices heard (via the delegated voting system it establishes) when it comes to proposals for software updates and protocol changes.

Anyway, I just wanted to throw the idea out here to see if there are any obvious reasons why it couldn't be implemented, and to hopefully spark a discussion amongst those better qualified than me.

Cheers.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
July 11, 2011, 04:15:30 AM
Merited by ABCbits (1)
 #2

The idea has a huge amount of merit, not necessarily for Bitcoins.

Suppose I start a company and decide to issue its shares as a block chain.  Instead of miners getting 50 shares each, the block chain would be programmed where I just issue all the shares up front to the proper shareholders, etc.  The block chain is used as a means to buy and sell the shares on the peer-to-peer stock market (which doesn't exist yet).  Miners maybe get transaction fees.

In such a case, proof-of-stake voting might be fantastic.

But I don't see what relevance it would have to Bitcoins as they are now known.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
eastendtech
Newbie
*
Offline Offline

Activity: 23
Merit: 1



View Profile
July 11, 2011, 04:37:14 AM
Merited by ABCbits (1)
 #3

It would save a lot of computing power, but it doesn't solve the core problems of defeating double spending and attracting more compute power to the network to check against that spending. Even if there were random elements, I think peer-to-peer voting(even if done by the software itself) would be too easy to game and unduly favor dishonesty and cheating. It would make trust = wealth, which is a fallacy because what if all those private keys contained stolen bitcoins, etc?
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 04:40:13 AM
Last edit: July 11, 2011, 06:53:01 AM by QuantumMechanic
 #4

The idea has a huge amount of merit, not necessarily for Bitcoins.

Suppose I start a company and decide to issue its shares as a block chain.  Instead of miners getting 50 shares each, the block chain would be programmed where I just issue all the shares up front to the proper shareholders, etc.  The block chain is used as a means to buy and sell the shares on the peer-to-peer stock market (which doesn't exist yet).  Miners maybe get transaction fees.

In such a case, proof-of-stake voting might be fantastic.

But I don't see what relevance it would have to Bitcoins as they are now known.
Company shares sounds like a great application, too.  The proof-of-stake alternative seems like it could be a good way to prevent unwarranted outside influence from messing with smaller scale public ledgers like they can with proof-of-work.

This unwarranted outside influence also seems to be why alternative Bitcoin implementations don't seem feasible now - you need enough miners to be on board to secure the network against outside attackers, whereas attackers can only come from within using the proof-of-stake alternative.  All it needs is a sufficiently diverse userbase.

This is relevant to Bitcoin as an alternative means of forming consensus on the valid transaction history, or the public ledger at least.  But all it would necessarily borrow from Bitcoin is the public ledger contained in the block chain, in order to co-opt its userbase.
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 04:52:44 AM
 #5

Its not a good idea. It would make Bitcoins follow an unfair distribution. By proving you have stake, which means, many bitcoins, you would simply be proving that you're rich and then the system would be only rewarding the already wealthy to validate transactions, and there would be little incentive to add computer power to the network, which is what the 50 btc block awards are designed for, to be a reward and a stimulus to add robustness and block validation to the network. It would create a rich-get-richer scenario, and bitcoin distribution is already following a power law.
This alternative wouldn't need computing power - that's the point.

Furthermore, if you want more influence in the current system, all you have to do is buy yourself more computing resources.  Morally not much different than buying yourself more bitcoins AFAICT.

Lastly, if the bitcoin-rich (as opposed to the computing power-rich) started "voting" themselves more new bitcoins than the allowed amount, then people would lose confidence in the currency, and the bitcoin-rich would no longer be rich in any meaningful sense.  They have more incentive to maintain the currency's value than the current miners do, it seems.
Meni Rosenfeld
Donator
Legendary
*
expert
Offline Offline

Activity: 2058
Merit: 1054



View Profile WWW
July 11, 2011, 04:54:29 AM
Last edit: November 28, 2013, 09:54:05 AM by Meni Rosenfeld
Merited by ABCbits (1)
 #6

This is brilliant. Of course there's still a lot of work to figure out if it's technically feasible and resistant to manipulation, concentration of power etc. But it could solve a lot of the problems Bitcoin will face going forward.

This change is significant enough to warrant a new genesis block rather than forking the current chain. This leaves the problem of initial distribution. Mining serves the purposes of both transaction validation and initial distribution, so if validation rights depend on current possession it will obviously be problematic.

I think this will work best together with, rather than instead of, hash-based mining. Blocks are confirmed with hashing as normal; this is enough for casual double-spend attempts. When a block is old enough, stakeholders can sign it. If a major attacker tries to build an alternative branch, clients will reject it because it conflicts with a branch already signed by stakeholders. This will create a much lower mining requirements for a given level of security.


I'll go as far as saying that if this pans out and is indeed novel, you deserve a place right next to Satoshi in the annals of Bitcoin.
(Edit Nov 28 2013: I retract that last statement... Sure, it's a great idea and all, but a place in the hall of fame requires a bit more than that. Also I'm not sure how novel the idea really is.)

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4284
Merit: 8808



View Profile WWW
July 11, 2011, 05:09:47 AM
Merited by ABCbits (1)
 #7

I think this will work best together, rather than instead of, hash-based mining. Blocks are confirmed with hashing as normal; this is enough for casual double-spend attempts. When a block is old enough, stakeholders can sign it. If a major attacker tries to build an alternative branch, clients will reject it because it

We already have this in the form of checkpoints in the client software.  You don't need voting for it, because there is no ambiguity or controversy about the identity of the block hundreds of steps ago.    Better to have a check performed by _everyone_ than just people that happen to have a lot of bitcoin already.

Meni Rosenfeld
Donator
Legendary
*
expert
Offline Offline

Activity: 2058
Merit: 1054



View Profile WWW
July 11, 2011, 05:15:42 AM
 #8

I think this will work best together, rather than instead of, hash-based mining. Blocks are confirmed with hashing as normal; this is enough for casual double-spend attempts. When a block is old enough, stakeholders can sign it. If a major attacker tries to build an alternative branch, clients will reject it because it
We already have this in the form of checkpoints in the client software.  You don't need voting for it, because there is no ambiguity or controversy about the identity of the block hundreds of steps ago.    Better to have a check performed by _everyone_ than just people that happen to have a lot of bitcoin already.
This is vulnerable to attacks on the network topology. You can "fake" a Bitcoin node, you can't fake having bitcoins.

I need to look more closely into the current implementation though.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 05:22:35 AM
Last edit: July 12, 2011, 02:02:57 AM by QuantumMechanic
 #9

This change is significant enough to warrant a new genesis block rather than forking the current chain.
I think a fork is more appropriate, since it incentivises the existing userbase to participate and avoids alienating them, and it solves the initial distribution problem, allowing for a very diverse voting group from the start.  I see Bitcoin as having made some progress at solving the social problems (bootstrapping a new currency) just as much as it has solved the technical ones.  No need to throw this progress away IMHO.

I think this will work best together, rather than instead of, hash-based mining. Blocks are confirmed with hashing as normal; this is enough for casual double-spend attempts. When a block is old enough, stakeholders can sign it. If a major attacker tries to build an alternative branch, clients will reject it because it
We already have this in the form of checkpoints in the client software.  You don't need voting for it, because there is no ambiguity or controversy about the identity of the block hundreds of steps ago.    Better to have a check performed by _everyone_ than just people that happen to have a lot of bitcoin already.
But Ben Laurie would be much happier Wink
Meni Rosenfeld
Donator
Legendary
*
expert
Offline Offline

Activity: 2058
Merit: 1054



View Profile WWW
July 11, 2011, 06:55:01 AM
 #10

Another thought: Currently there's a problem with very large transfers, since guarding them against double-spending can take days (at least) of confirmations. Paying transaction fees won't help because it can only get it in a block faster, it can't significantly affect block generation rate afterwards.

With the new system (work/stake hybrid approach), senders of large amounts can include a signature fee in addition to the regular miner fee, which goes proportionally to stakeholders who sign the block in which the transaction appears. This will incentivize stakeholders to sign, making the transaction secure without having to wait for more confirmations.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
hashcoin
Full Member
***
Offline Offline

Activity: 372
Merit: 114


View Profile
July 11, 2011, 07:09:06 AM
 #11

This is the obvious way to do consensus, that doesn't work because of the massive amount of bandwidth needed to have a vote for every bitcoin address in existence.  Keep in mind everyone needs to do this checking too.  The entire point, and clever part, of bitcoin, is the idea that one can trade bandwidth/digital signatures for CPU-intensive "hash signatures" that are very small and easy to verify.

In other words, if you asked someone to design a system like bitcoin before bitcoin came out, what you propose is what most would have said...
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 07:13:11 AM
Last edit: July 11, 2011, 08:02:30 AM by QuantumMechanic
 #12

Another thought: Currently there's a problem with very large transfers, since guarding them against double-spending can take days (at least) of confirmations. Paying transaction fees won't help because it can only get it in a block faster, it can't significantly affect block generation rate afterwards.

With the new system (work/stake hybrid approach), senders of large amounts can include a signature fee in addition to the regular miner fee, which goes proportionally to stakeholders who sign the block in which the transaction appears. This will incentivize stakeholders to sign, making the transaction secure without having to wait for more confirmations.
I think a hybrid approach would only allow stakeholders to sign whole blocks that have already been found.  And then miners could defer authority to the stakeholders when they do, and work forward from that block.  This would decrease the confirmation time to 10 minutes on average.  And it would remove the need for checkpoints, making Ben Laurie a happier camper.
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 07:50:58 AM
Last edit: July 11, 2011, 09:29:59 AM by QuantumMechanic
 #13

This is the obvious way to do consensus, that doesn't work because of the massive amount of bandwidth needed to have a vote for every bitcoin address in existence.  Keep in mind everyone needs to do this checking too.  The entire point, and clever part, of bitcoin, is the idea that one can trade bandwidth/digital signatures for CPU-intensive "hash signatures" that are very small and easy to verify.

In other words, if you asked someone to design a system like bitcoin before bitcoin came out, what you propose is what most would have said...
Haha, I thought it felt a bit too obvious.  Well at least I have a greater, more justified, appreciation for Bitcoin now.

This whole thing actually came from thinking of a way to solve the checkpoint problem Ben Laurie wrote about.  If votes don't need to occur very often, then would the bandwidth/checking cost be such a big deal?  Is his issue even really a problem?
Meni Rosenfeld
Donator
Legendary
*
expert
Offline Offline

Activity: 2058
Merit: 1054



View Profile WWW
July 11, 2011, 08:50:59 AM
 #14

This is the obvious way to do consensus, that doesn't work because of the massive amount of bandwidth needed to have a vote for every bitcoin address in existence.  Keep in mind everyone needs to do this checking too.  The entire point, and clever part, of bitcoin, is the idea that one can trade bandwidth/digital signatures for CPU-intensive "hash signatures" that are very small and easy to verify.
Not every Bitcoin address in existence. Just those with a large number of bitcoins. And it needn't be for every block.

This is exactly why I say this should be used in conjunction with hashing. A small amount of proof-of-work provides the skeleton and protection against casual double-spends, while proof-of-stake provides an occasional rock-solid confirmation against massive attacks.


Nobody knows exactly how to prevent miners from including low-fee transactions, and hence, making sure people pay fees. Even if we figure it out, if we want transaction fees to remain low enough, there will be little incentive to mine, making the overall hashing capacity low. Thus the network will be vulnerable to attack, and people will not be able to safely send large amounts.

I see this as a major problem, which the inclusion of proof-of-stake, done correctly, can solve.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526
Merit: 1134


View Profile
July 11, 2011, 09:46:48 AM
Merited by ABCbits (1)
 #15

You need to run some simulations to prove out your theories first. I agree with hashcoin, this idea is one that is intuitively "obvious" but I think it will fail when you run the numbers.

Consider that there are people today who have some non-trivial fraction of the entire chains value under their control (like MtGox). So to have any confidence in a chain you really need a lot of value to sign over it. That means huge numbers of keys.

An ECDSA verification takes around 2-3 msec today:

  https://en.bitcoin.it/wiki/Scalability

Assuming 2msec you can check 500 signatures per second. 500 keys is obviously not enough to accumulate enough value to have much trust in that block. You'd probably need hundreds of thousands of keys. That's a problem because if we assume a block every ten minutes then we can check at max:

  10 * 60 * 500 = 300,000 keys

before we are spending ALL our cycles doing nothing but figuring out how many people signed the  block and can no longer keep up with the chain.

This isn't even taking into account signing time, storage or bandwidth.
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 09:55:56 AM
Last edit: July 11, 2011, 11:00:07 AM by QuantumMechanic
 #16

If there are relatively few delegates, and if they could each store their votes in single addresses, this could save a significant amount overhead for the network as a whole during voting/checking.

I suppose stakeholders by definition have an incentive to delegate their votes in such a way as to minimize the overhead in the network, but could this alone lead to some stable equilibrium?

Maybe you could also cull some necessary amount of the least influential addresses in the vote in order to help to reduce overhead to a workable amount?

I'm not sure if there's a transaction signing scheme to deal with retracted votes though, so I don't know if such a delegated voting scheme can even work.
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526
Merit: 1134


View Profile
July 11, 2011, 11:31:23 AM
 #17

If there are relatively few delegates then what you have is effectively similar to todays payment networks, in which a few big players with pre-established trust relationships come to a consensus on who owns what between themselves. You'd have invented an open source SWIFT.

Bitcoin is somewhat like that as well today due to the (unforeseen) power of the pools. But there are workable proposals for breaking that power and restoring Bitcoin to many thousands of voters again instead of just a few. They haven't been implemented but that's because talk is cheap, whereas working C++ isn't.

By the way, I'm not trying to pour cold water on your idea. Proof of stake doesn't seem like an inherently bad idea to me, and I think everyone agrees proof of work seems wasteful, even if in the end it's less wasteful than the current financial systems. But there's a huge gulf between "how about this?" and a working system that scales.
QuantumMechanic (OP)
Member
**
Offline Offline

Activity: 110
Merit: 19


View Profile
July 11, 2011, 06:54:28 PM
Last edit: July 11, 2011, 07:51:58 PM by QuantumMechanic
 #18

If there are relatively few delegates then what you have is effectively similar to todays payment networks, in which a few big players with pre-established trust relationships come to a consensus on who owns what between themselves. You'd have invented an open source SWIFT.
It sounds like it could scale to more than just a few.  And the voting power might flow much more easily away from corrupted players than with SWIFT due to the almost zero barriers to retracting votes, and to enter into the market to supplant the established delegates.  Remember, with delegated voting you don't necessarily give your vote directly to who will eventually cast it - you can just pass it on to someone you trust, hopefully solving the problem of rational ignorance/apathy.  That or the bad guys will just buy up all the votes Tongue  Or maybe the good guys will?

I guess the relevant question is if this would do a good enough job of decentralizing the "voting power" and making it accountable?  If so, the benefits listed above (that have survived) seem pretty significant.  It might at least be a good approach to smaller blockchains that don't expect to attract enough outside computing power to keep them secure.

But there are workable proposals for breaking that power and restoring Bitcoin to many thousands of voters again instead of just a few. They haven't been implemented but that's because talk is cheap, whereas working C++ isn't.
That is good to hear!  I understand that proposals from people who obviously aren't qualified to program the shit they propose, not to mention that most of what they propose is indeed shit, probably gets pretty annoying.

By the way, I'm not trying to pour cold water on your idea.
Not at all!  I quite appreciate your thoughtful responses!
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526
Merit: 1134


View Profile
July 11, 2011, 07:53:28 PM
Merited by ABCbits (2)
 #19

By the way, if you're interested in delegated voting, I wrote a paper on using it in a democracy some time ago:

  https://docs.google.com/document/pub?id=1jidmNJHWAtsPLCUD7EPPm8jOEV93kSXbZOMycqCWOyA

I think delegating voting is a great idea. I'm less convinced that it would work for replacing hashing in the block chain, but it might.

Some more problems for you to consider:

  • If I control a key with 10 delegators, then I spend that key to 10 new keys, what happens to the delegations? Does it make sense for a key to have fan-out (ie 1 key to delegate to 10 other keys)? Do you split the value evenly or not?
  • How do you efficiently detect and resolve delegation loops? ie, key A delegates to B, B delegates to C and C then delegates to A? You have to do this efficiently because otherwise setting up new delegations is a way to DoS the system. Note that detecting cycles in a large graph is slow, Tarjans algorithm is O(number of edges). If each key in the system takes part then every new address in the system potentially makes setting up new delegations harder. As the number of keys in the system grows without bound over time, that could be an issue
  • Keys are owned by end users who may or may not know/care about the inner workings of their currency. How do you get new users to delegate appropriately?

It should be possible to run a parallel block chain based on proof-by-stake, but using the same transactions. It could be done with an adapted Bitcoin software. Once such a chain was up and running you could compare the results vs the existing chain.

I don't have the time/energy to do this myself.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
July 11, 2011, 10:48:44 PM
 #20

I was thinking a future Bitcoin client would need a screen of trusted certificates - sort of how your web browser already has one for SSL (well hidden), that helps it decide whose signatures are trusted, and can ultimately be controlled by the user.

Today, it is already a major pain in the ass to redownload the block chain, which takes hours, presumably while every single signature for every transaction is checked.  Yet, if I trusted a certificate from Gavin Andresen, and Gavin published a checkpoint certificate vouching for the correct hash of block 130,000 (for example), and this was relayed in a future version of the p2p protocol, then my client could just accept all blocks before that as valid without checking every bloody signature in every block.  And if I as a user didn't like or trust that behavior, I would merely remove Gavin's public key from my trusted certs list, or add a key of someone I trust more, the same way I can do this with SSL CA certs in my browser.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!