Topic: A Non-Outsourceable Puzzle to Prevent Hosted Mining (and Mining Pools) - page 3. (Read 25696 times)

full member
Activity: 126
Merit: 110
Andrew Miller
(1) No one currently cares.  Pools, for example, can rob their miners undetectably... they _could_ do things to prove that they were not cheating, but none do.  Miners could use P2Pool which can't rob miners, but most do not. I imagine the story will be the same for cloud mining services, and they'll be able to use even more arguments about reputation and such to claim their honesty.

(2) The standard Mike Hearn argument: Part of the reason that Bitcoin is viable is that it's very comprehensible (at least in broad strokes, if not for the subtle details) to basically any technically minded person, invoking some kind of zero knowledge thing to _enable_ a specific kind of cheating is far more complex than anything currently in Bitcoin, even if it is a neat idea.
Both of these are reasonable points, at least for the time being. But think of this as a long term idea. It's hard to project how people will behave in the future, as Bitcoin becomes more widespread and familiar. I'm pointing out a potential concern, and if it eventually becomes the case that hosted mining catches on, and clients demand proof-of-honesty from these services, then here's a solution ready to go.

Quote
“We are part of a transformation of Bitcoin mining,” said Hans Olsen, CEO of Alydian.
http://alydian.co/news/CoinLab-Announces-First-Incubator-Company
sr. member
Activity: 321
Merit: 250
I care.  I use p2pool and avoid central mining pools.  just sayin.


(1) No one currently cares.  Pools, for example, can rob their miners undetectably... they _could_ do things to prove that they were not cheating, but none do.  Miners could use P2Pool which can't rob miners, but most do not. I imagine the story will be the same for cloud mining services, and they'll be able to use even more arguments about reputation and such to claim their honesty.

staff
Activity: 4284
Merit: 8808
Arguably the reduction in 1 block commitment security might have useful benefits in security practices. Tongue

I've wondered before if some kind of chameleon hash couldn't be used for anti-censorship.  E.g. miner thinks he's mining transaction A but no no no there really exists a transaction B that he equally mined... but I've never found a way to make it work. Maybe I should think about using a proof of knowledge.

I guess the biggest problems I can see with your idea are that:

(1) No one currently cares.  Pools, for example, can rob their miners undetectably... they _could_ do things to prove that they were not cheating, but none do.  Miners could use P2Pool which can't rob miners, but most do not. I imagine the story will be the same for cloud mining services, and they'll be able to use even more arguments about reputation and such to claim their honesty.

(2) The standard Mike Hearn argument: Part of the reason that Bitcoin is viable is that it's very comprehensible (at least in broad strokes, if not for the subtle details) to basically any technically minded person, invoking some kind of zero knowledge thing to _enable_ a specific kind of cheating is far more complex than anything currently in Bitcoin, even if it is a neat idea.

I guess the counter argument to (2) is that a lot of people initially believe it's possible for miners (e.g. mining in a pool) to steal work, and it takes some effort to convince them that they can't.  Your idea would, in some ways, make mining more intuitive. I suspect it's not possible to avoid breaking pooling, even in its most harmless forms, since anything that preserved pooling for payment would by definition be proving that the right parties were getting paid.

full member
Activity: 126
Merit: 110
Andrew Miller
“Hosted mining” poses a systemic threat to Bitcoin’s decentralization. Due to economies of scale, it can be more cost effective to hire someone to mine for you than it is to operate a miner yourself. An example of hosted mining is alydian.co.

The design of Bitcoin currently *encourages* hosted mining. This is a design flaw. It makes it easy to run a secure hosted mining protocol, where a Server proves it’s performing work that only benefits the Client. It does so by transmitting “shares”, where a share is a “near-miss” that commits to a coinbase transaction rewarding the Client. (This is exactly the opposite of a mining pool, where the Client does work for the Server (pool operator), but the protocol is the same.) The underlying problem is that the entity doing the work (guessing nonces and checking the hash) doesn’t necessarily get to spend the reward.

What I propose is modifying the proof-of-work protocol so that if the Server does the work, the Server can *steal* the reward for itself, in such a way that it is *undetectable* to the Client. If such a puzzle were used, then no reasonable Client would hire a hosted miner, since the hosted miner would take rewards as necessary and the Client would just seem unlucky.

There’s a way to do this that doesn’t require changing how existing mining works. It would require, however, a hard-fork that supports an additional zero-knowledge form of valid block. Ordinarily, a valid block reveals the nonce and merkleroot such that
Code:
H(prev, nonce, merkleroot) < target.
For the zero-knowledge option, the same nonce would be a solution, but you would not reveal the nonce, or the original merkleroot, to claim the block. Instead you would prove in zero-knowledge that you know a valid solution, and at the same time commit to a possibly different merkleroot’.

Code:
   Reveal prev, merkleroot’.
   Prove in Zero-Knowledge that you know a nonce, merkleroot, and value m, such that
        H(prev, nonce, merkleroot) < target, and m = merkleroot ^ merkleroot’

Then the block would consist of this proof, and the transactions underlying merkleroot’. This does not reveal nonce or merkleroot. However, this acts as a non-malleable signature on merkleroot’ in the sense that someone who does not know merkleroot (or m) cannot use the proof to take their reward.

General purpose ZK proofs like this could be done using Pinocchio or SCIP. I estimate that it would take around 20 seconds for an ordinary computer to construct such a proof. Verification would take as little as 15ms, according to the Pinocchio paper (they implemented SHA1, SHA2 is marginally slower). Note that it is not necessary for every miner to construct this zero knowledge proof - in ordinary use you can still just publish the nonce and merkleroot, like normal. But the point of this proposal is to additionally support an alternate zero-knowledge verification method, so that there is a clear temptation for hosted miners to steal the reward.

There is not currently a complete open source implementation of Pinocchio, but one could probably be made from the paper using the Pairing Based Crypto library.

This relies on an assumption that there is no effective way to 'obfuscate' SHA2, in the sense that the only way for a Server to efficiently mine is to actually know the nonce, which would let it steal the reward.

It seems like discouraging outsourcing this way would *also* discourage pooled mining. This is perhaps an unintended casualty, since pooled mining is not necessarily a systemic threat to decentralization, at least not in the same way. But maybe there's a way to support lower-variance mining while still preventing outsourcing.

Since the merkleroot' is not committed to while mining, it makes it trivial to create hundreds of 1-block forks. This doesn't affect consensus overall, since the blockhash (used as prev in the next block) *will* contain a commitment to a single merkleroot'.


***Update***: I've published a preprint of a research paper which presents improved versions of this scheme in more detail: Nonoutsourceable Scratch-off Puzzles to Discourage Bitcoin Mining Coalitions
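An added worked example (not part of the post above, and not Andrew Miller's or any project's code) that simulates both halves of the argument: first the share protocol the post says the current design makes easy, where a Server proves its near-misses commit to a coinbase paying the Client, and then the relation that the proposed zero-knowledge block claim would attest to. The puzzle hash is modelled as one SHA-256 over prev, nonce and merkleroot with toy targets, the Merkle tree and the coinbase-branch format are this example's own simplifications, and the Pinocchio/SCIP proof is replaced by a direct check of the witness, so `zk_relation_holds` is the statement a proof would cover rather than a zero-knowledge proof. It shows that the share check rejects a share whose coinbase pays someone else, that the same solved (nonce, merkleroot) yields a valid witness for the Client's merkleroot' and equally for any other merkleroot' (the redirect and the trivial one-block forks the post mentions), and that without the witness there is nothing to check against. Payout identifiers and the previous block are constructed placeholders.

```python
import hashlib

# Toy puzzle parameters, constructed for this example (far easier than Bitcoin's real target).
BLOCK_TARGET = 1 << 244   # roughly 1 in 4096 hashes of a 256-bit hash beats it
SHARE_TARGET = 1 << 250   # roughly 1 in 64 hashes: a "near-miss" the Server reports as a share


def H(prev: bytes, nonce: int, merkleroot: bytes) -> int:
    """The puzzle hash H(prev, nonce, merkleroot) from the post, as one SHA-256 over the fields."""
    digest = hashlib.sha256(prev + nonce.to_bytes(8, "big") + merkleroot).digest()
    return int.from_bytes(digest, "big")


def _pair_up(layer):
    """One level of a binary Merkle tree; the last node is duplicated on odd-length layers."""
    if len(layer) % 2:
        layer = layer + [layer[-1]]
    return [hashlib.sha256(layer[i] + layer[i + 1]).digest() for i in range(0, len(layer), 2)]


def merkle_root(txs):
    """Merkle root over raw transaction bytes; txs[0] is the coinbase."""
    layer = [hashlib.sha256(tx).digest() for tx in txs]
    while len(layer) > 1:
        layer = _pair_up(layer)
    return layer[0]


def coinbase_branch(txs):
    """Sibling hashes that let a verifier recompute the root from the coinbase leaf alone."""
    layer = [hashlib.sha256(tx).digest() for tx in txs]
    branch = []
    while len(layer) > 1:
        if len(layer) % 2:
            layer = layer + [layer[-1]]
        branch.append(layer[1])   # leaf 0 is always a left child, so its sibling is index 1
        layer = _pair_up(layer)
    return branch


def root_from_coinbase(coinbase, branch):
    node = hashlib.sha256(coinbase).digest()
    for sibling in branch:
        node = hashlib.sha256(node + sibling).digest()
    return node


def mine(prev, merkleroot, target, limit=1 << 20):
    """Scan nonces until H(prev, nonce, merkleroot) < target. Returns the nonce, or None."""
    for nonce in range(limit):
        if H(prev, nonce, merkleroot) < target:
            return nonce
    return None


# --- Current design: the Server proves its work benefits the Client by sending shares ---------

def make_share(txs, nonce):
    """What a hosted-mining Server sends: a near-miss nonce plus the coinbase and its Merkle branch."""
    return (nonce, txs[0], coinbase_branch(txs))


def client_accepts_share(prev, share, client_addr):
    """Client-side check: the share is a real near-miss and commits to a coinbase paying the Client."""
    nonce, coinbase, branch = share
    if not coinbase.endswith(client_addr):
        return False
    return H(prev, nonce, root_from_coinbase(coinbase, branch)) < SHARE_TARGET


# --- Proposed design: the relation a zero-knowledge block claim would prove -------------------

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def zk_relation_holds(prev, merkleroot_prime, witness):
    """The statement from the post: know (nonce, merkleroot, m) with H(prev, nonce, merkleroot) < target
    and m = merkleroot ^ merkleroot'. A Pinocchio/SCIP proof would attest to this without revealing
    the witness; here the witness is checked directly, so this is the relation, not a ZK proof."""
    nonce, merkleroot, m = witness
    return H(prev, nonce, merkleroot) < BLOCK_TARGET and m == xor(merkleroot, merkleroot_prime)


def witness_for(nonce, merkleroot, merkleroot_prime):
    """Whoever holds the solved (nonce, merkleroot) can form a witness for any merkleroot' at all."""
    return (nonce, merkleroot, xor(merkleroot, merkleroot_prime))


def demo():
    prev = hashlib.sha256(b"constructed previous block").digest()
    client, server = b"CLIENT_ADDR", b"SERVER_ADDR"   # constructed placeholder payout identifiers
    txs = [b"coinbase pays " + client, b"tx1", b"tx2"]
    root = merkle_root(txs)

    # Share protocol: a genuine share is accepted, one whose coinbase pays the Server is not.
    share_nonce = mine(prev, root, SHARE_TARGET)
    share_ok = client_accepts_share(prev, make_share(txs, share_nonce), client)
    forged = (share_nonce, b"coinbase pays " + server, coinbase_branch(txs))
    forged_rejected = not client_accepts_share(prev, forged, client)

    # ZK claim: the same solution supports a claim for the Client's root and for any other root.
    block_nonce = mine(prev, root, BLOCK_TARGET)
    honest = zk_relation_holds(prev, root, witness_for(block_nonce, root, root))
    server_root = merkle_root([b"coinbase pays " + server, b"tx1", b"tx2"])
    redirected = zk_relation_holds(prev, server_root, witness_for(block_nonce, root, server_root))
    return {"share_ok": share_ok, "forged_rejected": forged_rejected,
            "honest_claim": honest, "redirected_claim": redirected}


if __name__ == "__main__":
    print(demo())
```

The share check is what makes outsourcing safe today: every near-miss the Client sees is bound, through the Merkle branch, to a coinbase paying the Client. Under the proposed claim format the Client only ever sees (prev, merkleroot', proof); the `redirected_claim` result shows why a Server holding the witness could pick its own merkleroot', and the Client would simply observe fewer blocks than expected.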