Bitcoin Forum
January 18, 2021, 05:32:31 AM
 News: Latest Bitcoin Core release: 0.21.0 [Torrent]
 Home Help Search Login Register More
 Pages: 1 2 3 [4] 5 6 7 8  All
 Author Topic: Proof of Stake  (Read 16246 times)
Etlase2
Hero Member

Offline

Activity: 798
Merit: 1000

 March 13, 2012, 07:36:36 PM

Sorry, please ignore the formula for now. I screwed up bigtime. Meni pointed out a significant issue that I had overlooked. He is right that a modification of the difficulty formula will never generate constant returns to scale.
I plan to solve this, however.

Well can you at least give me an idea? It would make it much easier for me to point out the several fatal flaws I think exist in this system.

1610947951
Hero Member

Offline

Posts: 1610947951

Ignore
 1610947951

1610947951
 Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1610947951
Hero Member

Offline

Posts: 1610947951

Ignore
 1610947951

1610947951
 Report to moderator
DeathAndTaxes
Donator
Legendary

Offline

Activity: 1218
Merit: 1008

Gerald Davis

 March 13, 2012, 08:13:53 PM

Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-

I imagine the evil miners would just sell their locked coins immediately.  They'd be like bitcoin futures.

Perhaps but it would be harder to sell them, less buyers and its still an huge improvement.
The miner would have to prove that he owned the coins.

What if it could be made really hard to prove and the coins should first be sent back to the miner.
Thus the there would be a issue of trust.

PRove what.

1) Miner has an address with x coins.
2) The coinbase instead of having no input requires an input of x coins.
3) The input (escrow) + block subsidy + transaction fees are all paid out to address Z.
4) The protocol enforces a "no spend" on coinbase outputs for 240 (or 800, 1200 blocks).

Nothing to escrow, nothing to prove.  By signing the transaction the miner obviously has the private key and thus has proved the coins are his.
SMTB1963
Member

Offline

Activity: 100
Merit: 10

 March 13, 2012, 08:54:51 PM

I also feel that my proposal has a side benefit, however. Most mining investment would be reallocated to purchasing currency under my system.

Huh?  I know this is off-topic, but why would "most" miners stop investing in mining and start investing in bitcoins under your system?  I always thought that the reason most folks mine is that their hardware + electricity costs (denominated in fiat) generate profit from converting their mined coins to fiat.  What is it about your system that will push investment out of mining and into bitcoin, instead of out of mining and into gold or FCOJ or Tbills or any other investment alternative?
cbeast
Donator
Legendary

Offline

Activity: 1736
Merit: 1002

Let's talk governance, lipstick, and pigs.

 March 14, 2012, 12:04:36 PM

Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.

PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal. With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death. That would be fine for the people in the good graces (rhymes with races) of the monopoly holder, but it's more likely that everyone else will simply switch to another currency and not play with you anymore.

There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable. Some may not agree, but most people believe that everybody deserves a chance in life to thrive. When the block rewards are sufficiently depleted to remove variance, there should still be a mechanism to add variance to fee rewards. Just like the game Monopoly (one of the most popular in history), people will continue to play a PoW game as long as they have a chance of winning. I wholeheartedly disagree that downtrodden people will succumb to a monopolist or we would all still be speaking Latin. There must always be a fighting chance.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
DeathAndTaxes
Donator
Legendary

Offline

Activity: 1218
Merit: 1008

Gerald Davis

 March 14, 2012, 01:00:48 PMLast edit: March 14, 2012, 04:02:44 PM by DeathAndTaxes

Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.

Foolish analogy.
Wealth =/= stake.
Wealth PUT AT RISK PROTECTING THE NETWORK = stake.
In proof of work your "stake" is in the form of computing power.
In proof of stake your "stake" is in the form of escrowed funds.
In hybrid your stake takes both forms.

Any PoS model should require escrowing (via protocol directly) funds thus those funds become linked to the survivability of Bitcoin.  Simply make the stake the input for coinbase and the output stake + reward.  Output is undependable for x blocks.  One could make x relatively large.  Bitcoin uses 120 blocks but that is to avoid orphaned double spends reversed transactions.  X could be 2016 blocks (2 weeks of escrow), or even 12960 blocks (90 days).  Thus the amount of the stake isn't your wealth it is the amount of wealth you have put at risk.  If Bitcoin fails during the escrow period you LOSE the stake.  An entity like Deepbit operating in a hybrid model would have a huge amount of funds "locked up" in the success of Bitcoin.  It would be in their best interest to no just maximize revenue but to maximize the long term strength of Bitcoin.  That may mean funding development, funding attack testing, innovating new security features, etc.  It aligns the interests of the "network" with the interests of the miner.

\$1 mil in hashing hardware buys you a "stake" in a pure proof of work model.
\$1 mil in escrowed funds buys you a "stake" in a pure proof of stake model.
\$500K in hashing hardware & \$500K in escrowed funds (or the optimal split) buys you a "stake" in a hybrid model

Quote
PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal.

That is of little value.  There is no economic value to disrupting the network.  In a non-economic attack it is naive to think an attacker would spend an amount of funds which makes "breaking" the attack feasible.  Say \$20M buys 51% of the network.  If citibank wanted to destroy Bitcoin they wouldn't be stupid enough to spend \$20M.  They would budget \$80M.  They would spend \$40M to gain 70%+ hashing power and deploy only enough as needed.  This would be horribly bad for "defenders" because despite adding hashing power citi would simply add more and defenders would keep falling behind (and racking up operating costs).  They could keep another \$20M ready to buy additional off the shelf hardware to deploy if necessary and use another \$20M to fund proxies (120% PPS pools) to gain the "marginal" hashing power without any long term investment/cost.

Sure \$80M > \$20M but if an entity wishes Bitcoin destroyed spending \$50M to \$80M for a guaranteed destruction vs \$20M on a roll of the dice is far more likely.

Quote
With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death.

There is no economic value in that and proof of work can easily be outspent if the intent is non-economic.  Like you said anyone trying to do that for economic gain would simply see people move to an alternative.

Quote
There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable.

Cite?  The variance is a by product of the mechanisms used in proof of work not a desired attribute.  On a large scale over a long period of time variance is mostly meaningless.  Check with Tycho how much the variance for Deepbit is over 90 days, 180 days, 365 days?  Rapidly approaching 0%.
DeathAndTaxes
Donator
Legendary

Offline

Activity: 1218
Merit: 1008

Gerald Davis

 March 14, 2012, 01:05:46 PM

Huh?  I know this is off-topic, but why would "most" miners stop investing in mining and start investing in bitcoins under your system?  I always thought that the reason most folks mine is that their hardware + electricity costs (denominated in fiat) generate profit from converting their mined coins to fiat.  What is it about your system that will push investment out of mining and into bitcoin, instead of out of mining and into gold or FCOJ or Tbills or any other investment alternative?

It isn't off-topic. I don't want to speak for C but as I understand it in a hybrid model (proof of work + proof of stake) it is more efficient to acquire and grow a proof of stake alongside your proof of work (hashing power).

Proof of work:
All cost is in hardware, electricity, and labor.
For heavily leveraged miners this necessitates SELLING Bitcoins to pay for fiat expenses.

Hybrid.
Some of the costs are still in hardware, electricity, and labor.
However some of the "costs" are in the "stake".
Miners are less likely to be heavily leveraged.  Also there is an optimal balance between stake and raw hashing power so a miner with 20GH/s (as an example) may find a higher ROI% increasing stake size rather than adding another 1 GH/s of hashing power.

Once again as an example:
Revenue from 20GH/s w/ 10% MORE stake > 21GH/s w/ same stake

This means miners not only don't need to sell all their coins but they can expand their operation by holding/escrowing more coins.
ripper234
Legendary

Offline

Activity: 1358
Merit: 1002

Ron Gross

 March 14, 2012, 01:30:03 PM

The output of coinbase is now unspendable for x blocks.  One could make x relatively large.  Bitcoin uses 120 blocks but that is to avoid orphaned double spends.

Can you explain what these sentences mean?

Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
DeathAndTaxes
Donator
Legendary

Offline

Activity: 1218
Merit: 1008

Gerald Davis

 March 14, 2012, 01:36:44 PMLast edit: March 14, 2012, 03:42:22 PM by DeathAndTaxes

The output of coinbase is now unspendable for x blocks.  One could make x relatively large.  Bitcoin uses 120 blocks but that is to avoid orphaned double spends.

Can you explain what these sentences mean?

In Bitcoin if you solve a block the coins that are part of the reward (transaction fee + block subsidy) are unspendable for 120 blocks.  If you try to spend it the client will stop you. If you hack the client then the transaction will be seen as invalid by rest of network until the inputs are at least 120 blocks old.  (technically it is 100 blocks but that is another story).  This is done to prevent orphaned double spends.  If you could spend generated coins (coins produced from thin air in coinbase) right after generation then you could "pawn" that risk off on someone else.

I solve a block #177,777 = 50 BTC.  Sweet.
I buy something from you for 20 BTC.  You ship it.  I pay you the 20 BTC from my block reward.
A different fork of the block chain ends up longer.
All nodes replace "my" block #177,777 with the version solved in the replacing chain.
My block becomes orphaned.
My/now your coins disappear.  They never exited because as far as I never solved the block #177,777.

Either way the coins are "lost".  Bitcoin limits that lost to the miner by making the coins unspendable.  If a re-org occurs it likely will be within 120 blocks after generation (forks greater than even 6 blocks are extremely rare outside of an attack) thus my coins disapear before I can spend them.

Given this already existings in Bitcoin it can be adapted to form a built in "stake escrow".  Lets say for a proof of stake you wanted the "staked" coins held in escrow for 2016 blocks.

Bitcoin Coinbase:
Input = 0 BTC
Output = Reward + transaction fees (currently ~50 BTC).
Coins can't be spent for 120 blocks.

Proof of work/stake hybrid Coinbase:
Input = stake
Output = Stake + Reward + transaction fees (~50 BTC + stake amount)
Coins can't be spent for x blocks thus forming an automatic and irreversible escrow (x=2016 in this example).
cypherdoc
Legendary

Offline

Activity: 1764
Merit: 1002

 March 14, 2012, 02:03:20 PM

Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.

PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal. With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death. That would be fine for the people in the good graces (rhymes with races) of the monopoly holder, but it's more likely that everyone else will simply switch to another currency and not play with you anymore.

There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable. Some may not agree, but most people believe that everybody deserves a chance in life to thrive. When the block rewards are sufficiently depleted to remove variance, there should still be a mechanism to add variance to fee rewards. Just like the game Monopoly (one of the most popular in history), people will continue to play a PoW game as long as they have a chance of winning. I wholeheartedly disagree that downtrodden people will succumb to a monopolist or we would all still be speaking Latin. There must always be a fighting chance.

this.

what a great analogy and well said.  i wholeheartedly agree.
ripper234
Legendary

Offline

Activity: 1358
Merit: 1002

Ron Gross

 March 14, 2012, 03:28:15 PM

Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.

PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal. With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death. That would be fine for the people in the good graces (rhymes with races) of the monopoly holder, but it's more likely that everyone else will simply switch to another currency and not play with you anymore.

There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable. Some may not agree, but most people believe that everybody deserves a chance in life to thrive. When the block rewards are sufficiently depleted to remove variance, there should still be a mechanism to add variance to fee rewards. Just like the game Monopoly (one of the most popular in history), people will continue to play a PoW game as long as they have a chance of winning. I wholeheartedly disagree that downtrodden people will succumb to a monopolist or we would all still be speaking Latin. There must always be a fighting chance.

this.

what a great analogy and well said.  i wholeheartedly agree.

I'm with D&T.

Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
cunicula
Legendary

Offline

Activity: 1064
Merit: 1003

 March 14, 2012, 03:53:51 PMLast edit: March 14, 2012, 05:06:23 PM by cunicula

I think you're not clearly thinking about the dynamics of this. A target which goes by difficulty^0.2 is not the same as scaling effectiveness with work^0.2. If you have twice the hashrate (with fixed stake), you generate twice as many hashes, and since each hash independently has a given probability to be a valid block, you have twice as much chance to have the next block yours - thus, you have as much weight as 2 players each with the same stake as you and the undoubled hashrate. If you have 2s and 2w, you are much more effective than 2 players with s,w each.

[tl;dr] While it is true that I am a bit careless sometimes, it looks like I didn't make an error after all.

Meni pointed out that doubling hashing power doubles the immediate probability of mining a block. This is true. However, my system is dynamic. In my system, finding a block today tremendously decreases the probability of finding a block tomorrow. Due to this factor, returns to scale can only be evaluated as the average rate of finding blocks over a longer time period, not the one-off opportunity of finding a block now. If you mine a block, then you use up all of your coin-confirmations and the timing of your next block is delayed. Because of this effect, increasing hashing power exhibits decreasing returns. Once you mine a block you have to wait for your coin-confirmations to gradually recover before you can effectively mine again. There is a downside to hashing the block now because it decreases expected output in future periods.

In simulations, I actually find that my system exhibits constant returns to scale (though some small deviation is possible. I tried to run larger trials, but matlab ran out of memory). If you double both your hashing power and your wallet balance simultaneously, then your rate of finding blocks doubles.  I played around with a parameter alpha. Alpha is a parameter in (0,infinity) which determines the importance of stake relative to work, as alpha approaches infinity work become irrelevant, as alpha approaches 0 stake becomes irrelevant, if alpha equals one then they are equally important.

I want to run my simulation by Meni to see if I'm doing something wrong. I use discrete time which is indexed by 100 million draws.

1) Take one hundred million draws from a uniform distribution on support of [0,1]; denote these as rand(i) where i indexes draws
2) Assume agent uses k unit of hashing power and c coins (each coin starts with 1 confirmation)
3) denote the conf(i) as the number of coin-confirmations in the account at time i; note that conf(1)=c
3) Assume that difficult is such that the probability of mining a block in one unit of time with 1 unit of hashing power and 1 coin-confirmation is 10^-8
4) Go through these draws sequentially as follows:
4a) If rand(1) < (10^-8)/(k*conf(1)^alpha), then a block is mined
4ai) Add one block to count of mining payoff
4aii) conf(2)=c
4b) If rand(1) > (10^-8)/(k*conf(1)^alpha), then the hash isn't good enough to mine a block
4bi) Assume someone else mines this block, so conf(2)=conf(1)+c
5) iterate this procedure through all 100 million draws

Here are some simulation results:

Looking at decreasing marginal products of stake and work:
Alpha = 1 ; k = 1; c = 1   -> 7959 mined blocks
Alpha = 1 ; k = 2; c = 1   -> 11227 mined blocks
Alpha = 1 ; k = 1; c = 2   -> 11259 mined blocks

Conclusion: Factors have diminishing marginal returns. [hmm; alpha corresponds to equal factor shares; actually this looks exactly like a deterministic cobb-douglass function with equal factor shares, e.g.
alpha=beta/1-beta, so alpha = 1 -> beta =0.5
e.g. CRS Cobb-Douglas is Q= A*c^beta*k^(1-beta) with equal factor shares beta =0.5 and A =7959 is a normalization. Prediction would be 7979*(2)^0.5*1^0.5=11225.7257 .... pretty damned close.

Looking at returns to scale:
Alpha = 1 ; k = 1; c = 1   -> 7959 mined blocks
Alpha = 1 ; k = 2; c = 2   -> 15999 mined blocks
Alpha = 1 ; k = 100; c = 100 -> 800733 mined blocks

Conclusion: Either constant returns or exceptionally close to it.

Playing around with big alpha which makes stake much more important than work (Here I re normalized the base chance of finding a block on trial one to 10^-40)

Alpha = 10 ; k = 1; c = 1   -> 19455 mined blocks  [ignore the increase difficulty would have to be renormalized]
Alpha = 10 ; k = 2; c = 1   -> 20719 mined blocks  [doubling hashing power doesn't get you very far now]
Alpha = 10 ; k = 1; c = 2   -> 36530 mined blocks  [but now doubling stake almost doubles output]
Alpha = 10 ; k = 2; c = 2   -> 38912 mined blocks  [still looks like constant returns to me]
Alpha = 10 ; k = 100; c = 100 -> 1954898            [yup, either I screwed up the simulation (possible please critique) or my system has constant returns]

Let's test if Cobb-Douglas predictions are still holding up strong. To convert Alpha to the stake share we have

alpha=beta/1-beta, so alpha = 10 -> beta = 10/11. The normalization is A=19455

With k=2 and c = 1, we have 19455*(2)^(1/11)*(1)^(10/11)= 20720
With k=1 and c = 2, we have 19455*(1)^(1/11)*(2)^(10/11)= 36534

Okay, either my simulation is fucked, or my system behaves exactly like a constant returns to scale cobb-douglass production function. Please explain how it is fucked because it seems to work exactly like I expected it too which is actually really surprising to me.

http://en.wikipedia.org/wiki/Cobb%E2%80%93Douglas_production_function

I particularly direct your attention to: the property that expenditure on any given input is a constant fraction of total cost

This constant fraction is determined by the parameter beta which is equal to the amount of expenditure an efficient miner would invest in stake. He would spend the residual percentage of 1-beta on a combination of electricity and hashing equipment. What percentage of mining funds for should be devoted to stake and what percentage should be devoted to computer equipment and electricity?
As currency designer, you get to pick this! This is like some kind of economics wet dream.

wogaut
Donator
Sr. Member

Offline

Activity: 448
Merit: 250

 March 14, 2012, 03:57:43 PM

Foolish analogy.
Wealth =/= stake.
Wealth PUT AT RISK PROTECTING THE NETWORK = stake.

Very eloquently said.
Agree.
Thank you.

cunicula
Legendary

Offline

Activity: 1064
Merit: 1003

 March 14, 2012, 04:01:16 PM

D&T. I agree with you about escrowing coins, but I think we need to take things one step at a time. I get confused relatively easily and we have very little consensus about anything here. Once we have a good proof-of-stake algorithm, then we can think about working escrow into it. Escrow is conceptually extremely simple. It just means waiting for your block reward instead of getting it now.
cbeast
Donator
Legendary

Offline

Activity: 1736
Merit: 1002

Let's talk governance, lipstick, and pigs.

 March 14, 2012, 04:30:39 PM

Here's an experiment to try with your friends and family to see if PoS is viable. Play the game Monopoly by Parker Brothers with a few small rule changes. You would play with one die per turn because shaking two dice takes more energy (we can't have that) than one. We remove the rule about shaking doubles for extra turns because too much variance is just silly in a PoS game. Then, compare your real life net worth with them and you each get to take a proportional number of turns by ranking order. For instance, if you as a childless adult have five as much wealth as your poorest married competitor, you would get five turns at the start. After the first round you then get another roll each round for every property and house that you own. After playing one game, see who would play the game with you again. Most likely the winner of the game would be the same every time.

Foolish analogy.
Wealth =/= stake.
Wealth PUT AT RISK PROTECTING THE NETWORK = stake.

Any PoS model should require escrowing (via protocol directly) funds thus those funds become linked to the survivability of Bitcoin.

An example:
Currently coinbase is 0 BTC IN.  50 BTC + transactions Out.

In a hybrid model coinbase could be.
Stake IN.  50 BTC + transactions + stake OUT.
The output of coinbase is now unspendable for x blocks.  One could make x relatively large.  Bitcoin uses 120 blocks but that is to avoid orphaned double spends.  X could be 2016 blocks (2 weeks of escrow), or even 12960 blocks (90 days).  Thus the amount of the stake isn't your wealth it is the amount of wealth you have put at risk.  If Bitcoin fails during the escrow period you LOSE the stake.  An entity like Deepbit operating in a hybrid model would have a huge amount of funds "locked up" in the success of Bitcoin.  It would be in their best interest to no just maximize revenue but to maximize the long term strength of Bitcoin.  That may mean funding development, funding attack testing, innovating new security features, etc.  It aligns the interests of the "network" with the interests of the miner.

\$1 mil in hashing hardware buys you a "stake" in a pure proof of work model.
\$1 mil in escrowed funds buys you a "stake" in a pure proof of stake model.
\$500K in hashing hardware & \$500K in escrowed funds (or the optimal split) buys you a "stake" in a hybrid model
Your argument is that wealth "PUT AT RISK PROTECTING THE NETWORK" is stake, then if "Bitcoin fails during the escrow period you LOSE the stake." In that we agree, but it won't happen right away. Fiat currency works the same way. All is well and good while the flow of money is free, but with PoS, a monopolist can choose to support a society. The monopolist can then slowly and quietly chose to eliminate competitors insidiously.

Quote
PoW does have a real threat that if someone gets too much control of the network they can reject transactions until that monopoly is broken, but it can be broken and then things go back to normal.

That is of little value.  There is no economic value to disrupting the network.  In a non-economic attack it is naive to think an attacker would spend an amount of funds which makes "breaking" the attack feasible.  Say \$20M buys 51% of the network.  If citibank wanted to destroy Bitcoin they wouldn't be stupid enough to spend \$20M.  They would budget \$80M.  They would spend \$40M to gain 70%+ hashing power and deploy only enough as needed.  This would be horribly bad for "defenders" because despite adding hashing power citi would simply add more and defenders would keep falling behind (and racking up operating costs).  They could keep another \$20M ready to buy additional off the shelf hardware to deploy if necessary and use another \$20M to fund proxies (120% PPS pools) to gain the "marginal" hashing power without any long term investment/cost.

Sure \$80M > \$20M but if an entity wishes Bitcoin destroyed spending \$50M to \$80M for a guaranteed destruction vs \$20M on a roll of the dice is far more likely.
You are talking about \$80M like it's real money. You are thinking far too small, my friend. Add several more zeroes and we'll start talking. If Bitcoin is that small a game for you, then you are not long. For every Citibank there will be someone else playing king-of-the-hill. Citibank isn't anywhere near the wealthiest or most powerful entity in the world. Not even close. Citibank is no threat at all. In a game where the rules are fair and honest, corporations built by litigation lawyers and scam artist will lose against honest, hard working people willing to sacrifice their lives for the security of their families.

Quote
With PoS, once a monopoly takes hold it would be nearly impossible to change the balance of power. As a monopolist, you could dictate who does business with whom. You can even choose who gets to buy food for their families and who shall starve to death.

There is no economic value in that and proof of work can easily be outspent if the intent is non-economic.  Like you said anyone trying to do that for economic gain would simply see people move to an alternative.
Their non-economic intent would not be so overt. "First they came..." Again, absolute power is insidious.

Quote
There is a reason that Satoshi created variance for block rewards. The element of chance (like playing the game Monopoly with an equal amount of dice) adds enough chaos to make the balance of power unpredictable.

Cite?  The variance is a by product of the mechanisms used in proof of work not a desired attribute.  On a large scale over a long period of time variance is mostly meaningless.  Check with Tycho how much the variance for Deepbit is over 90 days, 180 days, 365 days?  Rapidly approaching 0%.
Mining pools mitigate variance, but also puts faith in potential monopolists that may or may not act with bad intent. The Tychos of today could be the Joseph Stalins of tomorrow. As far as a cite for the introduction of variance instead of a time based block release mechanism, I'm not sure if the intent was to promote random fairness or it is simply serendipitous. If he didn't want variance, he would have chosen a SolidCoinish model like PoS.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
SMTB1963
Member

Offline

Activity: 100
Merit: 10

 March 14, 2012, 05:15:30 PMLast edit: March 15, 2012, 04:31:42 AM by SMTB1963

[...]

This means miners not only don't need to sell all their coins but they can expand their operation by holding/escrowing more coins.

Thanks for your explanation, D&T.  You've certainly shed some light on the subject for me.  I've been trying to read through the major threads on PoS/"Tragedy of the Commons"/"Disturbingly low future difficulty equilibrium"/etc. to get up to speed on what folks are thinking; it's truly a fascinating discussion.  But I guess I'm still having trouble understanding why cunicula's system necessarily leads to miners purchasing more bitcoin.

If I'm a "rich" miner (in terms of hashing power, BTC holdings, or both) why would I buy more BTC when I could simply band together with other rich miners for free?  In the end, doesn't this accomplish the same thing for me?  Poor miners won't be buying a lot of BTC to protect their mining ROI because, well...they're poor.  So I still don't see how cunicula's system leads to more BTC purchases (except temporarily by a few "middle-class" miners who want to buy into a "rich miner" pool).

I'm also a little unclear about another aspect of cunicula's system.  In effect, it removes BTC from circulation in order to add security the network, does it not?  I can certainly see how this would cause upward pressure on BTC prices, but doesn't this upward pressure further limit the ability of miners (both rich and poor) to increase their stake through BTC purchases?

Finally, I realize there's no guarantee against a mining monopoly forming in the current system - but won't cunicula's system make a mining monopoly damn near inevitable?

[edit for spelling]

[2nd edit: Upon further thought, I believe I was seeing an incentive (for rich miners to form an exclusionary pool) in cunicula's system that's simply not there.  That's what I get for PWI lol]
d'aniel
Sr. Member

Offline

Activity: 461
Merit: 250

 March 14, 2012, 05:23:23 PM

A way stakeholders can vote on block checkpoints right now is to include in a txn, an output of zero coins to the bitcoin address derived from the hash of the checkpoint block.  All of the inputs in that transaction would then be understood to contribute to the vote.

Is there a better way to do this?

Does anybody who knows how merged mining works know if miners can merged mine side branches off the main branch?

If that's the case, then this PoS experiment https://bitcointalk.org/index.php?topic=68213.msg799588#msg799588 can be done right now, without any changes to bitcoin.  Just gotta find enough stakeholders and miners to participate in testing, which I suspect will be the hardest problem of all

Also, all of these ideas for miners to lock up a stake in coinbase txns seem to break once a market for locked coins opens up.  I'm sure any trust issues you (istar) hope might prevent this can be easily overcome with multisig txns and mutually trusted escrows.
istar
Hero Member

Offline

Activity: 523
Merit: 500

 March 14, 2012, 10:18:41 PM

I'm also a little unclear about another aspect of cunicula's system.  In effect, it removes BTC from circulation in order to add security the network, does it not?  I can certainly see how this would cause upward pressure on BTC prices, but doesn't this upward pressure further limit the ability of miners (both rich and poor) to increase their stake through BTC purchases?

Yes, I believe so, this is whats appears so great about it. In order to gain a massive advantage, you would have to buy up lots of coins, while doing so you would drive the price up. Making it much more expensive than today to make an attack because it would take time and during that time you would have to support the network. However the downside might be that once you do have it, it would be very hard for anyone to regain control. Though that is somewhat true of a 80% attack.

Bitcoins - Because we should not pay to use our money
SMTB1963
Member

Offline

Activity: 100
Merit: 10

 March 15, 2012, 04:45:04 AM

I'm also a little unclear about another aspect of cunicula's system.  In effect, it removes BTC from circulation in order to add security the network, does it not?  I can certainly see how this would cause upward pressure on BTC prices, but doesn't this upward pressure further limit the ability of miners (both rich and poor) to increase their stake through BTC purchases?

Yes, I believe so, this is whats appears so great about it. In order to gain a massive advantage, you would have to buy up lots of coins, while doing so you would drive the price up. Making it much more expensive than today to make an attack because it would take time and during that time you would have to support the network. However the downside might be that once you do have it, it would be very hard for anyone to regain control. Though that is somewhat true of a 80% attack.

Yup.  There certainly seems to be some benefits to these PoS proposals - as long as you're convinced of the inevitability of low hashrate resulting from miner's reliance on tx fees in the future.  But from my own (admittedly naive) perspective, I'm not convinced there's a problem with the current PoW system that needs fixing.  I guess I'll quit typing and go back to reading for a while longer.

(edited my previous post above)
cunicula
Legendary

Offline

Activity: 1064
Merit: 1003

 March 15, 2012, 08:52:03 AM

I believe some coder should implement my mixed proof-of-work / proof-of-stake solution with an accelerated block reward so that all block rewards occur within the span of a few months.
Then we could see the system operating under the harsh conditions of no block reward, which it is designed to solve. We would also find out what sort of long-run equilibrium fees would obtain under the system.
It seems like a relatively simple modification, so the coding labor should be relatively modest.

I may turn out to be wrong of course, but I feel pretty confident that it will work well.
ripper234
Legendary

Offline

Activity: 1358
Merit: 1002

Ron Gross

 March 15, 2012, 08:58:58 AM

I believe some coder should implement my mixed proof-of-work / proof-of-stake solution with an accelerated block reward so that all block rewards occur within the span of a few months.
Then we could see the system operating under the harsh conditions of no block reward, which it is designed to solve. We would also find out what sort of long-run equilibrium fees would obtain under the system.
It seems like a relatively simple modification, so the coding labor should be relatively modest.

I may turn out to be wrong of course, but I feel pretty confident that it will work well.

Not sure what such an experiment will prove. As a POC, it's unlikely to attract of lot of people, especially with no block reward.
The whole PoS system is meant to work when there is a lot of real transaction volume. Without a good volume of tx fees, there is no incentive to mine this alt chain, and the experiment will not tell us much about what will happen with Bitcoin in years to come.

I don't think this is a very urgent problem. It's good to have discussions and simulations, but I wouldn't personally invest in this alt chain for now.