My challenge

[Gareth Nelson]

I've noticed a few threads popping up here about how "wasteful" the mining process is, so to get to the point here's my challenge.

Describe a protocol in sufficient detail that it can be actually implemented (tiny details such as packet format etc don't matter, general operation does) and which has the following properties:

• No reliance on a central server
• An unchanging record of past transactions that can not be altered
• No double spending
• Ability to receive funds while your client is offline
• No proof of work requirement

I will pay 5BTC to whoever can solve this challenge - remember it must match all points.

[1715158614]

1715158614

[1715158614]

1715158614

[1715158614]

1715158614

[1715158614]

1715158614

[Gareth Nelson]

Oh, and no - bitcoin and other blockchain-based currencies forked from it do not count

[casascius]

Meanwhile, I will give 5 BTC to the first person who describes in sufficient detail how to make my SUV run on hope instead of gasoline.

(My point: proof of work is central to making this whole thing work.  To find a way to make it work without it, would be groundbreaking and far more valuable than 5 BTC.)

[Rejinx]

Meanwhile, I will give 5 BTC to the first person who describes in sufficient detail how to make my SUV run on hope instead of gasoline.

(My point: proof of work is central to making this whole thing work.  To find a way to make it work without it, would be groundbreaking and far more valuable than 5 BTC.)

Sorry for asking a dumb question, but what is "proof of work" in this context?

[wareen]

(My point: proof of work is central to making this whole thing work.  To find a way to make it work without it, would be groundbreaking and far more valuable than 5 BTC.)

Yeah, but it's creative thinking: post presumably unsolvable problems in the newbies section and offer a small reward. After all, some important math problems have been solved by a student thinking it was homework

[DeathAndTaxes]

I have an idea to reduce the amount of proof of work required for a given level of security.  Does that count?

[Gareth Nelson]

(My point: proof of work is central to making this whole thing work.  To find a way to make it work without it, would be groundbreaking and far more valuable than 5 BTC.)

Yeah, but it's creative thinking: post presumably unsolvable problems in the newbies section and offer a small reward. After all, some important math problems have been solved by a student thinking it was homework

My point is much the same as casascius had:

If anyone really does have a solution for this problem (in which case they can probably also solve the halting problem for me too), then let's see it! Otherwise, shut up.

Think of it like a mini randi prize.

[Gareth Nelson]

I have an idea to reduce the amount of proof of work required for a given level of security.  Does that count?

Unless you can reduce it to 0, no

[grue]

I have an idea to reduce the amount of proof of work required for a given level of security.  Does that count?

cpu mining?

[Gareth Nelson]

Let's up this a bit.

Anyone who can solve this problem I will pay 50BTC.

Due to the higher payout, here's some more precise criteria:

No proof of work - no calculations performed for the purpose of making forgery of the transaction record computationally infeasible or impossible - you must find another means of keeping the transaction record intact.

No centralised server - it must be 100% P2P, but i'll allow a solution that bootstraps by grabbing some existing node IP addresses so long as those nodes are not trusted

No double spending - it must not be possible to send the same funds to 2 separate destinations

It must be possible to receive funds while your client is offline without needing to connect to a central server



If you can solve this you can probably make an absolute fortune with your genius in other ways and this 50BTC reward is a tiny and pathetically small bonus.

I promise to be fair in judging any proposed solutions, but my word is final unless at least 1 core developer of the bitcoin client and 1 founder/co-founder at either MTGox or TradeHill overrules me (and for that reason they're not eligible for this reward - sorry).


There you go, a serious challenge - if you have a serious solution, take it up.

[casascius]

If the bottleneck for producing the proof of work weren't energy, then it wouldn't be so "wasteful".  For example, switching mining to FPGA's and ASIC's change the bottleneck to engineering resources instead of energy.  The problem is that a determined rogue government would have no problem acquiring a lot of either.

The ultimate resource that ought to go into creating proof of work would have to be individual human attention.

Anything that strives to minimize the amount of proof of work needed, would have be something along the lines of having blocks digitally signed, and network participants consciously giving more weight to blocks signed by trusted signers.  This way, someone creating disruptive blocks could have their blocks voted out more efficiently than just hoping they don't control most CPU.

If the adversary is a government with the capacity to acquire resources by commandeering them by force from others, such an adversary will always have an advantage.  The only way to level out that kind of advantage would be for there to be a democratic force to take it away.

[gmaxwell]

Describe a protocol in sufficient detail that it can be actually implemented (tiny details such as packet format etc don't matter, general operation does) and which has the following properties:

You've defined the requirements too weakly.   Take bitcoin, add a requirement that a valid block must be signed by both bob and I (hard code the keys).  Make the difficulty zero.  Change nothing else. (If you also totally screw up a bunch of extra things, you could call the result 'solidcoin').

This meets your criteria because there is no central server. There are distributed servers. The system is secure so long as you trust that bob and I won't conspire to screw everyone.

You can pay to the address in my sig, thanks!

[Gareth Nelson]

Describe a protocol in sufficient detail that it can be actually implemented (tiny details such as packet format etc don't matter, general operation does) and which has the following properties:

You've defined the requirements too weakly.   Take bitcoin, add a requirement that a valid block must be signed by both bob and I (hard code the keys).  Make the difficulty zero.  Change nothing else. (If you also totally screw up a bunch of extra things, you could call the result 'solidcoin').

This meets your criteria because there is no central server. There are distributed servers. The system is secure so long as you trust that bob and I won't conspire to screw everyone.

You can pay to the address in my sig, thanks!

Oh, and no - bitcoin and other blockchain-based currencies forked from it do not count

[bithobo]

Oxytocin

Of course, there's no way for it to be measured, especially from a distance, but one can hope

[Gareth Nelson]

Oxytocin

Of course, there's no way for it to be measured, especially from a distance, but one can hope

People always said money can't buy you love - what if love was money?

[Gareth Nelson]

It can be measured by the way - from CerebroSpinal Fluid - perhaps a bit messy

[bithobo]

Change nothing else.

How is that less wasteful? The idea is to depend less on electric power, or at least to use that power for creating something useful

[DeathAndTaxes]

If the bottleneck for producing the proof of work weren't energy, then it wouldn't be so "wasteful".  For example, switching mining to FPGA's and ASIC's change the bottleneck to engineering resources instead of energy.  The problem is that a determined rogue government would have no problem acquiring a lot of either.

The ultimate resource that ought to go into creating proof of work would have to be individual human attention.

Anything that strives to minimize the amount of proof of work needed, would have be something along the lines of having blocks digitally signed, and network participants consciously giving more weight to blocks signed by trusted signers.  This way, someone creating disruptive blocks could have their blocks voted out more efficiently than just hoping they don't control most CPU.

If the adversary is a government with the capacity to acquire resources by commandeering them by force from others, such an adversary will always have an advantage.  The only way to level out that kind of advantage would be for there to be a democratic force to take it away.

Which is why a proof of stake requirement could be used to directly increase the monetary cost without consuming anything.

Consider a protocol that required one have 30 days output to mine at a specific speed.  Speed could be tracked decentralized by a 1 difficulty share chain.  The details aren't important at this point just at this stage accept there is a method to ensure every miner has funds at risk when they mine.  Say that "proof of stake" was 30 days output.  A 1 GH miner will produce (at current difficulty) ~ 1 BTC per day so when they mine a block 30 BTC would be taken from an address they provide and added to the reward (50 BTC) and the entire thing "escrowed" by protocol rules which prohibit coinbase transactions from being spent for 120 blocks.

This in effect is making the up front capital costs HIGHER and as a result energy costs are smaller portion of the lifecyle costs.  Say a 1 GH rig costs about 200 BTC.  At 2 MH/W and 0.025 BTC per kwh over it's life cycle (say 3 years) it will consume about 330 BTC in power.   Total cost for 3 years of hashing power is 200 BTC + 330 BTC = 530 BTC.  A 30 BTC escrow raises the "cost" of the hardware by 15% (although miner gets it all back if there is no attack).   Prior to proof of stake energy makes up 62% of total network cost.  With 30 day proof of stake requirement energy makes up only 58%.

Another way to look at it is from attackers perspective.  1GH of hardware no longer costs 200 BTC.  It costs 230 BTC a 15% premium.  In essence a 30 day proof of stake raises the cost to attack the network by 15%.  The network is 15% "stronger" .  A larger proof of stake (say 90 days) would put a larger premium on capital costs (45%).  Using a method similar to difficulty the network could adapt the proof of stake based on how much funds miners have available.  Miners could make the network stronger simply by keeping funds available.

TL/DR version:
Today cost to attack network is:
Hardware Capital Costs <- equally shared by defenders and attackers
Electrical Costs <- since attack is short lived and hashing continues forever this costs is mostly borne by defenders

With a proof of stake it is:
(Hardware Capital Costs  + Proof of Stake Costs) <- equally shared by defenders and attackers
Electrical Costs <- since attack is short lived and hashing continues forever this costs is mostly borne by defenders

While it doesn't "solve" the OP problem nor does it "solve" the threat of nations it does make the network more efficient (less energy consumed for a given amount of security) and makes any attack by a rogue government (or other non-economic attack) more expensive.  It also has the effect of making economic double spends (double spending w/ intent to profit) a non-issue.   To have 51% of hashing power if Bitcoin has a 30 day "proof of stake" would require an attacker to put ~100K coins ($400K USD) at risk.  A 90 day proof of stake would raise the cost of a such an attack by $1.2M.  In any double spend those "proof of stake funds" would be locked for 120 blocks meaning the attacker is guaranteed to lose a significant portion as the value of Bitcoin crashes.

[Gareth Nelson]

I should add another rule: It must be feasible to actually implement and must support multiple untrusted users

Here's my solution:

Reduce the whole network to only 2 people who are best friends

[Hawkix]

I have a (maybe silly) idea .. replace proof of work with proof of time. Instead of mining, run some time consuming process, which cannot be done faster, after which the proof of time will be the lottery ticket to win the block reward and secure it, too.

For example, imagine a device which is natural random number generator - let say a radioactive decay material with a beta particle detector (classic may know that a sufficient hot cup of tea may work, too). The detector will try to search for a rare event in the incoming stream of detected decays, like special sequence of delays between each detected particle. Or, the device may wait for all 2048 molecules of argon to collect at left part of some volume (unlikely, but with the Maxwell's deamon help, possible). Or, waiting for the special mutation of bacteria with large prime number encoded in its protein. Or, those who really understand quantum mechanics (yeah, I mean those 10 people on Earth), can bring up something even better.

Of course, such a device must be self-contained, where the part of testing the work is integral part of the device, cannot be cheated on (like faking the generator). This is the hardest part of the idea to implement and I know it. Speaking in words of one-way functions, the device must somehow report found solution, and somehow prove it, to avoid faking. Simulating the process on any fast computer must not help to find it (nature and its atoms are faster).

Such a device will silently, with minimal energy, run its lottery and its user can only wait (or collect more devices) until a possible solution is found and block secured.

As I said, maybe silly idea.