Necessary protocol improvement; dissent on future mining configuration

[Vandroiy]

We currently have no consensus on future system parameters controlling transaction fees, and thus also the amount of miners. In another thread, I concluded that in transaction fees are determined mainly by market size and the maximum block size. If you disagree, please discuss in the linked thread. In this thread, we assume the conclusion correct.

Here's the thread: http://bitcointalk.org/index.php?topic=6284.0

In this thread, I want to ask a simple question that apparently has no generally accepted answer. What is the desired future system configuration? How many miners do we want, how many do we need? How do we face the times ahead?

First, please let me share a personal feeling of mine, which drives my urge to write this thread. Please bear with this paragraph, I think this is really important. In my opinion, we should turn Bitcoin into a rock-solid set of rules that will not be broken or altered unless the technical circumstances change. Altering rules later on might run the system into a crisis, especially when things like miner income are concerned. No doubt lobbies would form, trying to push parameters one way or another. In my imagination, this has a huge impact on the psychological image of Bitcoin. That's not rock-solid, that's the mud we already have in other democracy-controlled currencies! Now, I know big things don't break easily, but I really don't want things to come down to this. Let us solve problems we find early and completely.



Now, to the situation. We have a set of jobs that must be done at all times.

• The block chain must be stored reliably, or at least all parts of it required for transaction and security against attacks.
• Transactions must be verified and processed
• The block chain must be kept consistent and sufficiently secure against attacks

Currently, miners solve all three points, and get paid with newly generated coins. As concluded from the earlier discussion, if no changes to the protocol are made, we have a problem at least with the third point, securing against attacks, once coin generation no longer pays miners. We have to find a compromise between a high transaction limit and a high vulnerability -- or a low transaction limit and high fees. A situation with high fees sounds very bad to me. A limit on transactions, expensive fees, all so that hardware can waste energy? It's better than a breakdown, but is it truly our best option? Plus the discussion on the limit, potentially segmenting the network in a cyber war. This makes me shudder.

Then again, we have another "tragedy of the commons" with storage. We cannot have arbitrarily high block sizes, for we can afford to generate, but not to store blocks of arbitrary size. I really hope the Bitcoin designers have made good models on memory requirement if the transaction count increases by a factor of 10,000 or the likes. And, last but not least, the trouble of an attacker with a lot of processing power remains.


But are the latter two really unsolvable? I doubt it. Let us try finding a way to survive without a large amount of miners. There should be methods for the network to agree on a block chain that do not involve absurd amounts of processing power. It could try punishing block chain branches that look like attacks for timing reasons. This could be done by raising difficulty on such chains. (Thanks to the one who suggested this on IRC, I forgot who it was though. ) This is much better than relying on having more processing power than any attacker! If this can be achieved, we'd only have the storage problem remaining. That somewhat also sounds doable, since we don't need to lift limits completely, and ancient parts of the block chain might not be all too important. We already have checkpoints, there might be ways for the network to agree on who has which coins without everyone storing that enormous history.

Think about it. We have to solve two problems, and we get a cheap and long-term sustainable state if we do. The Shangri-La of Bitcoin, so to say: we get gains on transaction amount, transaction cost and system security.


Can this be done? If so, I call to anybody into Bitcoin development: what are you waiting for? In either case, we should analyze the problem; the current configuration is likely to cause trouble.

[1714778635]

1714778635

[MoonShadow]

I think your conclusion is incorrect, but am still posting here to be able to follow this thread.

[pusle]

Ok I'm a computer geek, but even regular people here seem to have their comp on 24/7 now.
Most have 2 or more cores and terrabyte drives.

What if the standard client nodes also generated hashes/blocks?
Let's say 50% of 1 core and 10Gbyte space was default "donation" to the network, adjustable by the user.
"donate and help keep your money safe!" 

By the time bitcoins converge the computing power and storage capacity should have increased maybe 10x or more? And all systems have GPU's or hybrid CPU architectures for even more hashing speed.

[Mike Hearn]

What you propose is:

a) Not BitCoin. "One CPU one vote" is pretty core to the whole idea. A system with substantially different voting rules would be an entirely different currency and network.

b) Not robust against future improvements in computational power. Nobody can decide up front what the "right" difficulty is because 100 years from now children will be assembling SHA256 capable ASICs out of lego bricks.

That's why a system which provides as much security as its users needs is required and that's what the model I've proposed does (more fees == more work). I know you don't believe in it, but if you want an alternative you'll need to actually design it and convince people it's correct. The voting rules are the most complex and subtle part of BitCoin so that will take some work.

Storage is not really a concern. You can already prune buried transactions from a stored copy of the block chain, though it isn't implemented today. This is covered in Satoshis paper.

[Vandroiy]

pulse: we can't proove a donation network is stronger than, say, a botnet. Relying on processing power will always have us in an arms race.

[mike]: Ah, I did not mean a total difficulty. Just a relative factor, or a time limit for attackers, as already achieved with the checkpoints, just shorter? I'm still brainstorming here for an optimal solution. I don't know whether it can be done without constructing a full Web of Trust, but basically, most nodes can tell when a blatant attack happens from the timing when the blocks are published. An attacker always has to wait for confirmations of the first transaction, then publish the second. Anything that behaves even remotely like a Web of Trust will be able to collectively determine which branch was there first, and try to enforce that this one be valid. Not using this information at all is a huge waste.

By the way, I don't care about the computation power voting system once coin generation is done with. In fact, I don't like it, it's a massive waste of energy on a known outcome: the block chain is supposed to be valid and follow the official timing.

Now, are you people really saying there's no better option to enforce a set of rules than building the world's largest supercomputer? I can't prove it false, but still. That's one hell of an expensive decision. There has to be a better way!

[FooDSt4mP]

pulse: we can't proove a donation network is stronger than, say, a botnet. Relying on processing power will always have us in an arms race.

[mike]: Ah, I did not mean a total difficulty. Just a relative factor, or a time limit for attackers, as already achieved with the checkpoints, just shorter? I'm still brainstorming here for an optimal solution. I don't know whether it can be done without constructing a full Web of Trust, but basically, most nodes can tell when a blatant attack happens from the timing when the blocks are published. An attacker always has to wait for confirmations of the first transaction, then publish the second. Anything that behaves even remotely like a Web of Trust will be able to collectively determine which branch was there first, and try to enforce that this one be valid. Not using this information at all is a huge waste.

By the way, I don't care about the computation power voting system once coin generation is done with. In fact, I don't like it, it's a massive waste of energy on a known outcome: the block chain is supposed to be valid and follow the official timing.

Now, are you people really saying there's no better option to enforce a set of rules than building the world's largest supercomputer? I can't prove it false, but still. That's one hell of an expensive decision. There has to be a better way!

What is the better way?  How do you eliminate double spending?

[Vandroiy]

What is the better way?  How do you eliminate double spending?

The block chain is already the solution to that, as long as it follows the rules and no branches are added somewhere in the past. And that's the thing. Just like with checkpoints, clients can frequently agree à la "okay, nobody coming up with a different block? then it's settled, this one is the real one for all eternity."

Implementing this agreement is all we need! It looks more like a Web of Trust problem to me, yet we hit it with brute force.

Say the current system goes down to a fairly low difficulty, but a Web of Trust sits on top of it, setup to come to an agreement on the question "when was this block published", to then strongly prefer branches of the block chain created earlier.

Not my idea, but I kind of like it. Go, attack this puny network with so little processing power. What'cha got?

[MoonShadow]

What is the better way?  How do you eliminate double spending?

The block chain is already the solution to that, as long as it follows the rules and no branches are added somewhere in the past. And that's the thing. Just like with checkpoints, clients can frequently agree à la "okay, nobody coming up with a different block? then it's settled, this one is the real one for all eternity."

That's pretty much how the proof-of-work system works now.  Feel free to fork the Bitcoin code to attempt what you are advocating.  And after a little while, I'll come help break your web of trust system.

Oh, yes.  I can.

[pusle]

pulse: we can't proove a donation network is stronger than, say, a botnet. Relying on processing power will always have us in an arms race.

[mike]: Ah, I did not mean a total difficulty. Just a relative factor, or a time limit for attackers, as already achieved with the checkpoints, just shorter? I'm still brainstorming here for an optimal solution. I don't know whether it can be done without constructing a full Web of Trust, but basically, most nodes can tell when a blatant attack happens from the timing when the blocks are published. An attacker always has to wait for confirmations of the first transaction, then publish the second. Anything that behaves even remotely like a Web of Trust will be able to collectively determine which branch was there first, and try to enforce that this one be valid. Not using this information at all is a huge waste.

By the way, I don't care about the computation power voting system once coin generation is done with. In fact, I don't like it, it's a massive waste of energy on a known outcome: the block chain is supposed to be valid and follow the official timing.

Now, are you people really saying there's no better option to enforce a set of rules than building the world's largest supercomputer? I can't prove it false, but still. That's one hell of an expensive decision. There has to be a better way!

I can't prove it but if all nodes help out + hero nodes and bank super nodes etc  I don't think botnets or anyone  can compete when bitcoin becomes an established currency.

I do agree this is the same as building the worlds biggest supercomputer  and wasting lots of resources.

Maybe there is a way to utilize the collective majority in a different way than proof of work.

The problem is proving this new methods safety vs the very plausible "you can't cheat on the crypto exam" concept we have now

[asdf]

There will be no block size limit in the future. It's only there to stop spammers at the moment and will be lifted when the network it bigger.

Did you read Gavins post (#4) in the thread you linked? I believe he resolved the issue.

Transactions aren't free for a miner to include. If people pay no fees, they probably won't get included at all. If miners charge too much, they leave a gap in the market for cheaper fees, new miners will enter the market and accept those slightly-less-profitable-transactions bringing fees back down. This will crowd out less efficient miners.

"whole system will optimize itself to be wonderfully efficient." - Gavin

[db]

It's too late to do that kind of changes. We'll just have to go along and hope it will be possible to raise enough donations. How much enough is no one knows.

If Bitcoin grows to the size of Paypal there will be about a million dollars worth moved with each block. If users can be convinced to pay just a 0.1% fee on average (and they have to pay some fee, however small) that's more than ten times the current block reward. The current block reward has already made Bitcoin the world's biggest computing project.

Hopefully most people won't care if they pay 0.1% or 0.0001% when they buy a pair of shoes. Particularly if 0.1% labels you a Good Guy and 0.0001% takes an active effort and makes you a Freeriding Bastard.

[Vandroiy]

db:
this will give some arbitrary network size and power.

Want to make a bet of the kind "the biggest supercomputer in the world in 10 years will be Bitcoin and not run on cloud clusters that might suddenly have orders changed" as your statement? That is very risky. Many computation clouds are coming up, the net is growing huge.

asdf:
aren't inclusion costs independent of difficulty? Are you saying, Moore's Law will stop AND people won't build dedicated hardware AND pooled mining won't dump the problem into oblivion AND processing power will not be spread to bigger parts of the population?

You call the issue of a disturbingly low difficulty equilibrium "resolved" when the global cost of a transaction approximates a single verification? Sorry, are you serious, or have I misunderstood something about the verification cost scaling? Also, the discussion at hand would fit better in the other thread.

[db]

this will give some arbitrary network size and power.

Not quite. The power will be determined by the default fee settings in peoples payment applications. (Provided those fees are small enough it's not worth the effort to change the setting.) The default fees will be set by the application developers to a level they feel reasonable; likely something that makes Bitcoin big enough to withstand attacks but not big enough to be very wasteful.

I'm not ready to bet on it yet, but think it seems promising.

[Vandroiy]

If you want a default fee, better hard-code it into the protocol, that's at least reliable.

But this thread still has the open question: isn't there a much better solution, that can work on the very small power required to check transactions?

Feel free to fork the Bitcoin code to attempt what you are advocating.  And after a little while, I'll come help break your web of trust system.

Oh, yes.  I can.

Could you please explain the problem instead of... writing that kind of message? Also, please estimate damage -- the current solution also subdues to attacks, the question is how likely and expensive the attack is. If fees are not held up by volunteers, it will be of the order of confirming all transactions. That sounds small to me, one might call it "broken by design", so if the WoT system breaks under less problematic conditions, the trade-off might be worth it.

Sure, db is right, voluntary micro-donations can make quite something on a big network. But those could be used for a different good purpose, so we better make sure the enormous waste of processing power is necessary. Also, there might still exist an even bigger supercomputer, and Bitcoin gets vulnerable again. We have no viable model of how much fees people pay voluntarily.

I see how we need large-scale mining now, for fair initial BTC distribution. But in the future? There exists no other solution than trying to be the world's #1? A very bold claim, and a destructive one if it is false.

[MoonShadow]

If you want a default fee, better hard-code it into the protocol, that's at least reliable.

There already is, but it's sort of a sliding scale.  Free transactions can only be so large individually, and take up so much of the blockspace in total.  Beyond that there is a hardcoded fee schedule, the more transactions in a given block, the higher the transaction fee included must be in order to qualify to be added to that block.  This fee schedule is enforced by the network because if a block's size is over any of those 'soft' limits, there must be at least one transaction within it that pays at least the minimum for that tier, or it's rejected as an invalid block.  So even without the hard blocksize limit, there are mechanisms in play to strongly encourage senders to add a transaction fee if they desire their transaction to be processed quickly.  It is this mechanism that has delayed free transactions in the past, not the hard blocksize limit.  We have never come anywhere near the blocksize limit.

But this thread still has the open question: isn't there a much better solution, that can work on the very small power required to check transactions?

There could be, but I doubt that either of us can come up with one.  If someone does come up with one that is significantly better than the proof-of-work system of Bitcoin, a better cryptocurrency will come into being.

Could you please explain the problem instead of... writing that kind of message? Also, please estimate damage -- the current solution also subdues to attacks, the question is how likely and expensive the attack is. If fees are not held up by volunteers, it will be of the order of confirming all transactions. That sounds small to me, one might call it "broken by design", so if the WoT system breaks under less problematic conditions, the trade-off might be worth it.

The whole point of the proof-of-work system is that any direct attack on the system is expensive relative to the expected gain, so that crime doesn't pay.  Perhaps this still leaves Bitcoin open to an attack intended to outright destroy it by some malicious entity with vast resources, but even though I can acknowledge that such an attack is possible; it's far from cetain that it would be successful.  There are simply too many unknowns.  In the same vein, China could have long ago destroyed the American monetary system by the simple act of dumping US currency reserves and US treasury bonds upon the market, for they have more of both than the whole of the US public does.  This would probably cause massive inflation of the US FRN, if the US government does nothing, but this is not a certainty either; and would be expensive for the Chinese economy as well.

Attacks upon a WoT system are more subtle, and potentially much less costly.  One is simply the act of 'node identity spoofing', faking the identity of a trusted node.  Another is the 'scorched earth' event, wherein a node develops honest trust, and then turns bad once the opprotunity is presented.  You can make both of these attacks difficult technically, but you cannot make them impossible, nor particularly expensive since I do not need any great resources for either attack.  Other attacks requiring coordination are possible as well.  This does not include the basic network attacks upon the hosting servers themselves, the security of which is importan in a web of trust.  Bitcoin's collective security is not dependent upon the level of security of any given node.

I see how we need large-scale mining now, for fair initial BTC distribution. But in the future? There exists no other solution than trying to be the world's #1? A very bold claim, and a destructive one if it is false.

I suppose we can address that issue when it comes up.  If Bitcoin is still the cryptocurrency of the Internet in 2130, feel free to bring it up again.

[asdf]

asdf:
aren't inclusion costs independent of difficulty? Are you saying, Moore's Law will stop AND people won't build dedicated hardware AND pooled mining won't dump the problem into oblivion AND processing power will not be spread to bigger parts of the population?

You call the issue of a disturbingly low difficulty equilibrium "resolved" when the global cost of a transaction approximates a single verification? Sorry, are you serious, or have I misunderstood something about the verification cost scaling? Also, the discussion at hand would fit better in the other thread.

Hmmm... I see, inclusion costs are independent of difficulty and will converge to zero with time. I confess that I didn't really read all of the relevant threads.

This is indeed a mathematical/game theory problem. There are too many free variables that need to be tied together. This is a deep problem.

I'll put more thought into this before posting again.

[db]

If you want a default fee, better hard-code it into the protocol, that's at least reliable.

But not very flexible. The required fee level will likely vary greatly over time in response to many unpredictable events.

[asdf]

It's too late to do that kind of changes. We'll just have to go along and hope it will be possible to raise enough donations. How much enough is no one knows.

If Bitcoin grows to the size of Paypal there will be about a million dollars worth moved with each block. If users can be convinced to pay just a 0.1% fee on average (and they have to pay some fee, however small) that's more than ten times the current block reward. The current block reward has already made Bitcoin the world's biggest computing project.

Hopefully most people won't care if they pay 0.1% or 0.0001% when they buy a pair of shoes. Particularly if 0.1% labels you a Good Guy and 0.0001% takes an active effort and makes you a Freeriding Bastard.

It's true that if users voluntarily paid 1/100 of the typical fees paid in todays systems, we'd have no problem. If they didn't and we lost this gift of bitcoin, it would be truly a tragedy of the commons.

I don't think it's too late to make changes. If the "change" is clearly awesome and infallible, then I don't see anyone currently mining objecting to the change.

The problem with putting some protocol based restriction on fees is that there is no way to algorithmically determine the value of a bitcoin and the restriction must be a function of value.

If yield from fees is too high, we'll have a ridiculous number of miners and it will cost too much. Too low, we have a weak network. But how much many miners is the right amount? This is the kind of equilibrium which can only be achieved by market forces. Any protocol change will need to introduce market forces which balance the number of miners.

We need more debate on this.

[da2ce7]

If I was a miner, I would be planing to make my own rules... The question is if the other miners will accept my blocks or not.  It comes down to at some point the miners adjusting their rules for maximum profit, while not getting rejected by the rest of the network.

What we need is a proper game theory analysis of Bitcoin fees, the rules that miners can set, and the risk of getting your block rejected.

If Bitcoin becomes the dominant monetary system, then very very low fees might still be very safe.  We just don't know yet.

Edit:
I put 10 BTC down for a game theory analysis of the Bitcoin fee system as it stands v.s. a system where there is no 'fixed' block limit.  Only what the other miners choose to accept.  Must be peer reviewed.

[Vandroiy]

The whole point of the proof-of-work system is that any direct attack on the system is expensive relative to the expected gain, so that crime doesn't pay.

Your argument relies on this statement, but I have not seen it proven. I did not manage to construct a substantial link between fees and the cost to attack the network on the current code. The problem is that your argument needs further assumptions on how much Bitcoins are moved, and how many rich people exist who would find doing an attack worthwhile. A simple block size limit or partially enforced transaction fee is linked to the quotient "BTC value in attacker's hand / difficulty" in a very nontrivial way.


Edit: I don't see your attacks against the Web of Trust problematic in a real-world situation. Let me take them on one-by-one.

Attacks upon a WoT system are more subtle, and potentially much less costly.  One is simply the act of 'node identity spoofing', faking the identity of a trusted node.  Another is the 'scorched earth' event, wherein a node develops honest trust, and then turns bad once the opprotunity is presented.  You can make both of these attacks difficult technically, but you cannot make them impossible, nor particularly expensive since I do not need any great resources for either attack.  Other attacks requiring coordination are possible as well.  This does not include the basic network attacks upon the hosting servers themselves, the security of which is importan in a web of trust.

• Node identity spoofing is the same as Bitcoin target address spoofing. If this is possible, Bitcoin is already broken.
• 'scorched earth' only works as long as the Web of Trust is small and holds only few connections. Otherwise, the risk falls exponentially with the number of connections. Say the chance of a node following the single, world-wide long-planned attack is P < 0.5, and N are connected. Well, do Bernoulli, or Gauß approximation, whatever, it's exponential. Fails hard if the attacker has less than half the network.
• We can keep a certain amount of "proof of work" up, to construct a starting point limiting the amount of enemy nodes. Then use any reasonable probability for a node planning to turn evil in the future, and from what I know about math, it'll turn out we're fine as long as the remaining amount of miners or connections aren't absurdly small. And connections are VERY cheap.

I see no problem. Your attacks can apparently be thwarted neatly.