Bitcoin Forum
Author Topic: Proof of Stake  (Read 13397 times)
ripper234
Ron Gross
March 11, 2012, 07:23:44 AM
 #1

I already announced this on two medium-long threads, but I figured why not announce it here as well.

Even if you don't agree with it, it's an interesting alternative/complement to Proof of Work, and worth reading about.

https://en.bitcoin.it/wiki/Proof_of_Stake

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
Andrew Vorobyov
March 11, 2012, 04:44:28 PM
 #2

Changes like this smell like a chain fork... It's way too much of a change for Bitcoin

ripper234
March 11, 2012, 04:51:34 PM
 #3

Quote from: Andrew Vorobyov
> Changes like this smell like a chain fork... It's way too much of a change for Bitcoin

Not necessarily. P2SH will work without a fork pretty soon.

Obviously PoS is a huge change, much larger than P2SH, but it could be implemented within the system if people are convinced it's the best for everyone involved.

Remember, the danger this tries to prevent is many years in the future ... it's not urgent to do it now. Building the consensus can even take a few years.

Rather than a fork, it could just be a fresh alt chain ... let the market forces decide if Bitcoin+PoS is better than Bitcoin. I prefer to see the evolution of core Bitcoin instead of a zillion different alt chains that fail to gain market share. If a new alt chain came out with Proof of Stake right now, I wouldn't buy it, because I think it's premature.

Andrew Vorobyov
March 11, 2012, 04:56:37 PM
 #4

https://en.bitcoin.it/wiki/Hardfork_Wishlist

Put it there

Etlase2
March 11, 2012, 05:19:12 PM
 #5

No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?

https://bitcointalk.org/index.php?topic=64637.0

Here I describe the early musings of a "heuristic" approach, although tied to an idea for a stable currency. Revalin brought up a good point that the bitcoin days destroyed concept would fit well. Essentially coins that have not been used recently will have a greater weight in which chain will prevail. There then needs to be a timer such as an hour ahead of each block where it may be replaced and anything ahead of it would be removed. Some balance between length of time to replace and block weight would have to be done so that a block with one more transaction can't come along 50 minutes later and replace a block from 50 minutes ago and such. But it allows for much less mining power necessary to secure the network. Theoretically, none at all is really required although that would certainly make for a lot of collisions. Instead of # of confirmations, time would simply be the indicator for how secure a historic transaction is.

But using bitcoin days destroyed, any potential attack would only be able to be carried out if the person had a lot of old coins and mining power, and once carried out, their power is removed for at least a very significant amount of time. No centralization of power, no signatures required, still requires a fork although this would be a much more acceptable compromise I think. It needs to be fleshed out more, but I think it solves the problem much more elegantly than proof of stake.

ripper234
March 11, 2012, 05:47:38 PM
 #6


Done, thanks.

Quote from: Etlase2
> No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?
>
> https://bitcointalk.org/index.php?topic=64637.0
>
> Here I describe the early musings of a "heuristic" approach, although tied to an idea for a stable currency. Revalin brought up a good point that the bitcoin days destroyed concept would fit well. Essentially coins that have not been used recently will have a greater weight in which chain will prevail. There then needs to be a timer such as an hour ahead of each block where it may be replaced and anything ahead of it would be removed. Some balance between length of time to replace and block weight would have to be done so that a block with one more transaction can't come along 50 minutes later and replace a block from 50 minutes ago and such. But it allows for much less mining power necessary to secure the network. Theoretically, none at all is really required although that would certainly make for a lot of collisions. Instead of # of confirmations, time would simply be the indicator for how secure a historic transaction is.
>
> But using bitcoin days destroyed, any potential attack would only be able to be carried out if the person had a lot of old coins and mining power, and once carried out, their power is removed for at least a very significant amount of time. No centralization of power, no signatures required, still requires a fork although this would be a much more acceptable compromise I think. It needs to be fleshed out more, but I think it solves the problem much more elegantly than proof of stake.

You provide a lot of technical details, but I'm not quite sure how the changes you propose contribute to the stated goal.

istar
March 11, 2012, 06:10:19 PM
 #7

Quote from: Etlase2
> No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?
>
> https://bitcointalk.org/index.php?topic=64637.0
>
> Here I describe the early musings of a "heuristic" approach...


Blockchain Defense
Heuristics: All clients agree that competing blocks will have priority weight based on number of transactions, average age of coins in transactions, and other factors.

Would it not be possible to make proof of stake one of those factors?




Bitcoins - Because we should not pay to use our money
Etlase2
March 11, 2012, 06:10:36 PM
 #8

Quote from: ripper234
> You provide a lot of technical details, but I'm not quite sure how the changes you propose contribute to the stated goal.

Well we want to stop 51% attacks, right? As it is now, all this requires is computing hardware. With the approach I described, anyone can throw as much power in the universe at the blockchain, and all they will accomplish is spamming their local nodes who will ignore blocks that have less weight (number of transactions, number of old coins used, so on) than other blocks they have received. It basically means that the blocks with the most activity will win. Unless a malicious entity controls the majority of the hashing power, a large amount of coins, and a large amount of coins that have not been used recently, they can not affect the network. Even if they control those three factors, once they spend the coins to give weight to their block, the age counters on those coins are reset so they are no longer useful to attack the network. No 51% attack can be sustained because they would quickly burn through their old coins. They might delay transactions for a time, but that is far less damaging than being able to deny transactions and miners indefinitely. Rewriting history, as unlikely an attack as that would be, would be impossible as the check-point would basically be built-in to the block chain, not a hack on the software.

This does allow for permanent forks if the network were actually physically split, but I think this is a pretty unlikely scenario. In that case, the user should be notified of competing blockchains instead of just assuming the longest chain wins. Most of the time it should be obvious where the problem is such as if an entire country was cut off from the external internet by government.

This adds importance to the actual transaction history, not just computing power. Sending a transaction is (essentially) free, and in this way it actually helps secure the network.
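
The fork-choice rule this post describes, as an added example that is not part of the original post or of any Bitcoin client: blocks are weighted by the coin age they destroy, and a winning block resets the age of the coins it spends. The weight formula, the fixed honest weight per block and all balances are assumptions chosen for illustration; hashing power and the replacement timer are left out.

```python
from dataclasses import dataclass


@dataclass
class Coin:
    owner: str
    amount: float
    last_moved: int  # height at which this coin was last spent


def block_weight(coins, height):
    """Coin age destroyed if every coin in `coins` is spent at `height`.
    Assumed formula: sum of amount * blocks since the coin last moved."""
    return sum(c.amount * (height - c.last_moved) for c in coins)


def spend(coins, height):
    """Spending resets the age counter, as the post describes."""
    for c in coins:
        c.last_moved = height


def simulate(attacker_coins, honest_weight_per_block, start, rounds):
    """At each height the attacker offers a block spending all of its coins
    against an honest block of fixed weight. The heavier block wins.
    Returns a list of (height, attacker_weight, winner)."""
    log = []
    for height in range(start, start + rounds):
        w = block_weight(attacker_coins, height)
        if w > honest_weight_per_block:
            winner = "attacker"
            spend(attacker_coins, height)  # winning burns the accumulated age
        else:
            winner = "honest"  # nodes ignore the lighter block; coins keep ageing
        log.append((height, w, winner))
    return log


def attacker_wins(log):
    """Heights at which the attacker's block outweighed the honest one."""
    return [h for h, _, winner in log if winner == "attacker"]


def demo():
    # Constructed scenario: 1000 coins untouched since height 0, attack begins
    # at height 5000, ordinary traffic destroys 50,000 coin-blocks per block.
    coins = [Coin("attacker", 1000.0, last_moved=0)]
    log = simulate(coins, honest_weight_per_block=50_000, start=5000, rounds=103)
    return log, attacker_wins(log)


if __name__ == "__main__":
    log, wins = demo()
    print("first attacker weight:", log[0][1])
    print("attacker wins at heights:", wins)
```

After the first win the same coins need 51 blocks of ageing before they outweigh the honest block again, which is the burn-through effect the post relies on.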

Etlase2
March 11, 2012, 06:18:27 PM
 #9

Quote from: istar
> Would it not be possible to make proof of stake one of those factors?

I don't like the idea of proof of stake because it puts the power into the hands of a few individuals. My approach is still completely decentralized and allows for much less mining power needed to secure the network. Plus proof of stake requires actual intervention by these powers that be. And, at least as it is now, there are few accounts that have a significant amount of money, yet there are many individuals that have a significant amount of money spread across many accounts. Each one of those accounts would be required to sign a block for that individual's stake to be measured. That is a lot of excessive data, not to mention CPU time in verifying all these signatures.

ripper234
March 11, 2012, 06:53:12 PM
 #10

Quote from: Etlase2
> Quote from: istar
> > Would it not be possible to make proof of stake one of those factors?
>
> I don't like the idea of proof of stake because it puts the power into the hands of a few individuals. My approach is still completely decentralized and allows for much less mining power needed to secure the network. Plus proof of stake requires actual intervention by these powers that be. And, at least as it is now, there are few accounts that have a significant amount of money, yet there are many individuals that have a significant amount of money spread across many accounts. Each one of those accounts would be required to sign a block for that individual's stake to be measured. That is a lot of excessive data, not to mention CPU time in verifying all these signatures.

People with more BTC = people able to buy more mining power. It's quite equivalent.

If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.

Etlase2
March 11, 2012, 07:05:08 PM
 #11

Quote from: ripper234
> People with more BTC = people able to buy more mining power. It's quite equivalent.
>
> If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.

Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?

markm
March 12, 2012, 02:59:13 AM
 #12

I guess stakeholders don't want to prove their stake by holding it in the form of mining rigs, let alone also actually running those rigs, because then the larger their stake the more electricity they will burn until they get to be the monopolist who supposedly can turn off most of his rigs as long as he continues to visibly continue to acquire more and to keep up with the latest improvements in rig technology.

They would much rather offload the costs of being rich, since if it costs a rich person a larger percent of their riches to remain rich than it costs a borderline-poverty person to stay above the poverty-line well that is hardly fair is it? Rich people ought to be able to pay a lower percent, surely? Otherwise they might end up on an asymptotic climb instead of an exponential one and find they cannot afford to buy all the poor folk completely totally and finally or some such disaster.

-MarkM-

P.S. Quite likely the whole story about how the monopoly ends up taking control applies to any particular money too anyway, so that no matter what we use for money someday someone will "win" and we should then basically say okay that was fun, challenging game that was, now let's put that game away and start a new one. We all acknowledge the guy who owns 51% of the wealth as the winner, write them into the history books as the great winners of that kind of currency period of history, and start over with some other convenient scorecard/scoreboard...

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
cunicula
March 12, 2012, 04:08:30 AM
 #13

Quote from: Etlase2
> Quote from: ripper234
> > People with more BTC = people able to buy more mining power. It's quite equivalent.
> >
> > If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.
>
> Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?

My idea does not add significant overhead, though Meni's idea might. My idea is basically the same as the current protocol except that difficulty is individual-specific. Difficulty would depend on the product of how many coins a miner has and how many blocks have been mined since these coins were last sent or used to mine a block. All the sending info is already in the blockchain, all you need to record is the identity of the stake which mined each block. This is like one additional txn per block worth of overhead. Overhead is pretty trivial.

Please make an effort to gather information before making random claims.

markm
March 12, 2012, 04:22:40 AM
 #14

So you pick an address whose balance you want to use as stake for the block you are mining, and sign the block with that address's signature to prove it is your stake not someone else's?

-MarkM-

cunicula
March 12, 2012, 04:36:54 AM
 #15

Quote from: markm
> So you pick an address whose balance you want to use as stake for the block you are mining, and sign the block with that address's signature to prove it is your stake not someone else's?
>
> -MarkM-

Yes, that works. Plus the confirmations on the coins get reset after they are used for a signature, just like when they are sent.

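
The per-stake difficulty rule from posts #13 to #15, as an added sketch that is not cunicula's code or part of the thread: each stake's target scales with coins times blocks since last use, and validators reset that age when the stake mines a block. `BASE_TARGET`, the toy header format and the sample stake are assumptions; the ownership signature discussed in post #14 is taken as already checked.

```python
import hashlib

BASE_TARGET = 2 ** 236      # constructed value, chosen so the demo finishes quickly
MAX_TARGET = 2 ** 256 - 1


def stake_age(stake_id, height, last_used):
    """Blocks since this stake was last sent or used to mine (from chain history)."""
    return height - last_used[stake_id]


def individual_target(coins, age):
    """Target grows with coins * age, so difficulty falls for larger, older stakes."""
    return min(BASE_TARGET * coins * age, MAX_TARGET)


def header_hash(prev_hash, stake_id, nonce):
    """Toy header: the stake identity is the one extra field recorded per block."""
    data = f"{prev_hash}|{stake_id}|{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def mine(prev_hash, stake_id, coins, height, last_used, max_nonce=1_000_000):
    """Search for a nonce meeting this stake's own target; None if not found."""
    age = stake_age(stake_id, height, last_used)
    if age <= 0:
        return None  # a stake with no age has no mining power
    target = individual_target(coins, age)
    for nonce in range(max_nonce):
        if header_hash(prev_hash, stake_id, nonce) < target:
            return nonce
    return None


def validate(prev_hash, stake_id, nonce, coins, height, last_used):
    """Node-side check. Age is recomputed from history, never taken from the miner.
    Ownership of the stake (the signature from post #14) is assumed verified."""
    age = stake_age(stake_id, height, last_used)
    if age <= 0:
        return False  # stake already used at this height: no age left
    if header_hash(prev_hash, stake_id, nonce) >= individual_target(coins, age):
        return False
    last_used[stake_id] = height  # mining resets the age, just like a send
    return True


def demo():
    # Constructed sample: 50 coins untouched since height 0, mining at height 1000.
    last_used = {"stake-A": 0}
    nonce = mine("prev", "stake-A", 50, 1000, last_used)
    first = validate("prev", "stake-A", nonce, 50, 1000, last_used)
    # Presenting the same stake again at the same height fails: its age is now 0.
    replay = validate("prev", "stake-A", nonce, 50, 1000, last_used)
    return first, replay, stake_age("stake-A", 1010, last_used)


if __name__ == "__main__":
    print(demo())
    # Right after mining, the same stake faces a target 1000 times smaller.
    print(individual_target(50, 1000) // individual_target(50, 1))
```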
markm
March 12, 2012, 05:05:46 AM
 #16

Okay well if coinbase transactions are allowed to have at least one input other than the coins that come from nowhere then a simple way to accomplish this "signing with a stake" would be to take inputs. Just like you can output to umpteen addresses, maybe you could also input from umpteen addresses. People could thus pool together to contribute a stake, and they could even each be returned their stake (their input) among the outputs.

In fact, the actual miner need not provide any of the stake at all, it could all be provided by stakeholders, the miner might not actually even own any coins at all. They could simply be some computation-for-hire service who neither knows nor cares what their computing power is actually being used for. (Like Eligius's miners, maybe, and those who gang up on proportional pools by way of proxy pools?)

If nefarious pools can so simply get miners to send them hashes, maybe they can also get miners to send them stakes? Make payouts proportional not only to hashes sent but also stake sent?

-MarkM-

Etlase2
March 12, 2012, 05:34:24 AM
 #17

Quote from: cunicula
> Quote from: Etlase2
> > Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?
>
> My idea does not add significant overhead, though Meni's idea might. My idea is basically the same as the current protocol except that difficulty is individual-specific. Difficulty would depend on the product of how many coins a miner has and how many blocks have been mined since these coins were last sent or used to mine a block. All the sending info is already in the blockchain, all you need to record is the identity of the stake which mined each block. This is like one additional txn per block worth of overhead. Overhead is pretty trivial.
>
> Please make an effort to gather information before making random claims.

It amazes me how this forum in general will attack one detracting statement and ignore the rest and act as if the rest do not exist. Then give a holier-than-thou attitude on top of it.

So, in reading your thread, I can come up with about 20 things that seemed to be unaddressed:

One wallet signs a block, what does this mean?
When does a merchant know that this block is now somehow irreversible?
How many wallets/coins do you think it would take to be reasonably sure that the block is approved? Is this going to take more than 6 confirmations?
You say "one additional txn" but I totally fail to see how. Maybe I'm just stupid. Could you explain this further?
You also seem to interchange user/wallet/miner throughout your thread and I am unclear of who is actually doing the signing. If the miners are signing, how is this any different from them mining?
You propose additional proof-of-work to make a timer. How is this not wasteful? How do you plan on judging 5 minutes? Is it best signed mini-proof-of-work wins?
c/X doesn't take into account how old the coins are, only that they are older than a specific amount. What is to prevent someone malicious from waiting to grief the network over and over? Is MtGox going to have to wait eons before allowing any trades on fresh deposits? If c/X ends up being something like "bitcoin days destroyed" in what way does this system offer *any* advantage over the one I mentioned?
Assuming two c/X's are the same and sign two different blocks, how are the miners supposed to decide which chain to build from? Randomness? While the random approach might solve a complete take over, it still does nothing for double spend protection.
Wouldn't all reasonable c/X's be included for extra protection? If so, when do we start denying small amounts? When do we just say "let mtgox sign the blocks that it chooses, that is decentralized"? Where again does this boil down to 1 extra txn per block?
Does your proposal boil down to this: the only people that can mine are those that already have a lot of coins? I'm honestly not sure. Is this some kind of proposed system that would be switched to only after the actual mining reward is minimal?
Rather than worrying about taking down the network, most people around here worry more that the power of mining would be abused to double spend. I think the latter is far less important than the former, but what does your system accomplish in regards to double spend attempts? With the assumed relative low difficulty of the future, what is to prevent someone with a lot of old coins being paid off to reverse a lot of recent transactions? Is it check-pointed? If so, again how many coins/signatures/whatever do we need to be assured that history will not be changed? Half the coin base? You even mention "majority of signatures" in a later post. Please explain to me what you mean by this.

markm
March 12, 2012, 06:51:05 AM
 #18

Such questions are why I ended up liking the simplicity of just counting the stake actually input into the coinbase transaction, combined with the "(coins * age)*0.8 + (hashes to some fractional power)*0.2" formula Cunicula mentioned in some thread somewhere (I haven't been able to find it again though so don't know where).

Compared to the vast majority of the material in the related or vaguely related threads, it seemed wonderfully simple.

-MarkM-

cunicula
March 12, 2012, 06:54:02 AM
 #19

Part of the problem is that there are two distinct proposals and the answers depend on the proposal. Rather than go through all this here (and then explaining it badly and having to go through it over and over again), I'll edit the wiki progressively, please be patient.

My reluctance to go in to detail here is related to my belief that you don't care much about the answers. I believe that your core objection is that proof-of-stake will help the rich get richer. My system does indeed strongly favor early adopters. In fact, early adopters reap much larger financial rewards in my design than they do under the current proof-of-work system. I don't have any problem with that. I don't find large rewards for early adopters morally objectionable. I just want the reward system to be an efficient mechanism for securing the currency. My focus is on a robust, secure, and transparent mechanism for transmitting pseudonymous money. Proof-of-stake would be more robust and secure. It would lead to much lower long-run equilibrium txn fees. I don't care who profits from operating the payments system. Whether it is just one guy, a government, or the 99% doesn't matter to me. I think attempts to keep gov't and monopolists out permanently are laughable at best. There is just no credible mechanism for doing this. The main thing for me is that new technologies exist and make people's lives more convenient. If it is Apple-branded, then so what.

cunicula
March 12, 2012, 06:54:55 AM
 #20

Quote from: markm
> Such questions are why I ended up liking the simplicity of just counting the stake actually input into the coinbase transaction, combined with the "(coins * age)*0.8 + (hashes to some fractional power)*0.2" formula Cunicula mentioned in some thread somewhere (I haven't been able to find it again though so don't know where).
>
> Compared to the vast majority of the material in the related or vaguely related threads, it seemed wonderfully simple.
>
> -MarkM-


Gee thanks, MarkM. I am regretting being a dick to you in the past.
