Author

Topic: Coin days not a good measurement of stake (Critique of PPCoin) (Read 1289 times)

full member
Activity: 151
Merit: 100
There is talk of using the demurrage residue in Freicoin to make a proof-of-stake variant. Then someone who just keeps the a balance will have the same stake as the equivalent average amount in a high-turnover accounts.
legendary
Activity: 896
Merit: 1000
Wouldn't (2) and (3) not work because of pooled mining?

In any case, PPCoin has the reserve balance that generates stake while you can spend the rest of the coins.  Those coins generate stake, but only the coins not in reserve reset coin-age when spent (I may be off on the granular details).

I think your numbers need adjustment because I don't think a general economy spends and exchanges 90% of available funds.  (Just think of M_0 versus M_1 as a starting point.)
member
Activity: 77
Merit: 10
The longer the network runs, the more resistant it becomes to takeover, since the older miners become trusted, not based on how many coins they own, but how much mining they have done.

I think this argument is flawed. You assume that someone is more trustworthy if he has done more mining in the past. Actually, this makes an attack easier - the attacker needs less than 50% of the computing resources if he employs his resources for a longer time, thereby boosting his trustworthiness.
newbie
Activity: 56
Merit: 0
Thinking about proof-of-work-history (POWH) some more.  I think it could make the coin more efficient as well as more secure.

If a branch is characterized by higher scores, it is a more valid branch and not an attacker.  Likewise, if a block within the branch is characterized by a high score (because those mining the block have been mining the coin longer), then you can reduce the difficulty required to accept that block, because those producing the block are more trustworthy.  This reduces the energy needed to secure the coin over time.

Furthermore, stronger protection against 51% attack means that if mining happens to be reduced for whatever reason in the long run, the coin will still be reasonable secure.  That allows long-term energy efficiency with adequate security even for small coins.
legendary
Activity: 1386
Merit: 1009
Coin-days is a good measure IMO.
Because to generate a block you have to sacrifice some coins for some days instead of spending them e.g.
But in return you get a reward.

It's like when you deposit you money into the bank savings account. You can't come there and say "Hey these days make no sense to me, give me my interest income immediately".
newbie
Activity: 56
Merit: 0
Think of my suggestion #3 as "proof of history of work."  It is better than proof-of-work because it accumulates history over time of who has done all the work and thus is not subject to sudden takeover.  The longer the network runs, the more resistant it becomes to takeover, since the older miners become trusted, not based on how many coins they own, but how much mining they have done.

In Meni's implementation, weights are given for those who sign special signature blocks.  The weight varies from 0 to their number of coins based on his formulas.  However, his formula seems unnecessary to me.  Why not just base it on the number of coins?  There is almost no difference.  Having a hybrid system means a person would have to accumulate 51% of the coins and 51% of the hashrate.  It's only slightly stronger than the original.  Plus you can't tell when someone is about to combine their coin pile and start an attack.

However, my suggestion assigns a weight based on the number of blocks that miner has successfully helped mine in the past.  That is a different, stronger approach.

There have currently been 235,804 blocks mined in Bitcoin.  If I had been present from the beginning and had helped mine 10% of those blocks, I would have a weight of 23,580.  This is a strong proof of stake (actually, proof of history of work) that always increases over time.  It is a record of all the computer work that I have thrown at bitcoin.

When comparing two different branches, you add up the scores of everyone signing the branch, not just the branch length.  If I sign branch A, and it has 5 blocks, each block has my weight added to it, for a total weight of 23,580 * 5 = 117,900.

An attacker who wants to create branch B would have to create a branch with more weight.  If he is new on the network, he has a weight of 1.  He would have to create a branch that is 117,900 blocks long to overpower the valid branch!

This type of network offers far stronger protection than the 51% hashrate attack of Bitcoin or the 51% hashrate/51% stake combined approach.  The attacker would have to be someone who can override not just the present hashrate of the coin, but the sum of the the entire history of hashrate of the coin.  This is virtually impossible.
newbie
Activity: 56
Merit: 0
Coin days is not flawed. If you have 100 coins and let them age for 10 days, you have ten times as much stake as someone who has 10 coins and let them age for 10 days. Compare apple to apples, not oranges.

1. Then people can just keep reusing stake.
2. Cryptocurrencies needs to be decentralized. You can't identify who one "miner" is.
3. See 2.

Completely agree. I think stake should be linearly related to coin amount, and less than linearly related to age. EG: Stake = coins*(1-e^-(age in days))

That's an interesting variation.  However, the formula could use a little tweaking.  After only 10 days, your coins have already attained 99.99546% of their stake.  This system then is not very different than my suggestion #1, just using the amount of coins as the measurement of stake.  However, I think my suggested system #3 is stronger.  It is something like Meni's Implementation of a Proof of Stake system (https://en.bitcoin.it/wiki/Proof_of_Stake#Meni.27s_implementation).
newbie
Activity: 56
Merit: 0
Coin days is not flawed. If you have 100 coins and let them age for 10 days, you have ten times as much stake as someone who has 10 coins and let them age for 10 days. Compare apple to apples, not oranges.

1. Then people can just keep reusing stake.
2. Cryptocurrencies needs to be decentralized. You can't identify who one "miner" is.
3. See 2.

2. Couldn't you design the coin so they are identified by their public key in the blockchain?

Also, your example doesn't make sense to me.  The days are an unnecessary addition.  Throw the day measurement out entirely and you get the same results.  100 coins > 10 coins.  Age doesn't matter.
member
Activity: 182
Merit: 10
Coin days is not flawed. If you have 100 coins and let them age for 10 days, you have ten times as much stake as someone who has 10 coins and let them age for 10 days. Compare apple to apples, not oranges.

1. Then people can just keep reusing stake.
2. Cryptocurrencies needs to be decentralized. You can't identify who one "miner" is.
3. See 2.

Completely agree. I think stake should be linearly related to coin amount, and less than linearly related to age. EG: Stake = coins*(1-e^-(age in days))

Err, maybe I'm hazy atm, but wouldn't that function always result in negative stake Tongue
vip
Activity: 1316
Merit: 1043
👻
Coin days is not flawed. If you have 100 coins and let them age for 10 days, you have ten times as much stake as someone who has 10 coins and let them age for 10 days. Compare apple to apples, not oranges.

1. Then people can just keep reusing stake.
2. Cryptocurrencies needs to be decentralized. You can't identify who one "miner" is.
3. See 2.

Completely agree. I think stake should be linearly related to coin amount, and less than linearly related to age. EG: Stake = coins*(1-e^-(age in days))

That will never work, think of it like this:

Normal user:
10 coins every 5 days: 9.93

20 days: 39.72 stake

Attacker:
5 coins every day: 3.16

20 days: 63.2 stake with half the amount of coins

Ultimately you're going to end up turning proof of stake to proof of processing, as people will scramble to generate stake literally seconds after each other with a large enough of coins. It MUST be linear.
full member
Activity: 185
Merit: 100
Coin days is not flawed. If you have 100 coins and let them age for 10 days, you have ten times as much stake as someone who has 10 coins and let them age for 10 days. Compare apple to apples, not oranges.

1. Then people can just keep reusing stake.
2. Cryptocurrencies needs to be decentralized. You can't identify who one "miner" is.
3. See 2.

Completely agree. I think stake should be linearly related to coin amount, and less than linearly related to age. EG: Stake = coins*(1-e^-(age in days))
vip
Activity: 1316
Merit: 1043
👻
Coin days is not flawed. If you have 100 coins and let them age for 10 days, you have ten times as much stake as someone who has 10 coins and let them age for 10 days. Compare apple to apples, not oranges.

1. Then people can just keep reusing stake.
2. Cryptocurrencies needs to be decentralized. You can't identify who one "miner" is.
3. See 2.
newbie
Activity: 42
Merit: 0
do you have any yacoins for sell
newbie
Activity: 56
Merit: 0
I've been thinking about PPCoin.  While I like the idea of combining Proof-of-Work with Proof-of-Stake to save energy, I think maybe PPCoin is doing it wrong.

The measurement of stake that PPCoin uses is "coin-days", the age of your coin since it was last spent.  That is not actually measuring stake.  If I have 100 coins and let them mellow for 10 days, I don't have 10 times as much stake as I did on the first day.  I still just have 100 coins, exactly the same stake as on the first day.  Letting coins age requires no effort or energy to be expended.  Thus, rewarding someone for the age of their coin is nonsense.

Imagine if we treated currency that way.  "I have two $100 bills in my wallet.  I've kept the first one for 100 days, but I've received the second one only yesterday.  Obviously, the fact that the first $100 has been sitting there makes it more trustworthy."  The age of the bills in my wallet does not measure their validity.

As an experiment, imagine that the average age of a PPCoin is 10 days (this experiment assumes coin age is unlimited, although I think it may be limited in practice).  Assume that there are a total of 1,000 PPCoins coins in the whole world as a simplified example.  As an attacker, I acquire 1/10 of the available coins (in this example, 100 coins) and let them age 100 days.  My coin age = 100 days * 100 coins = 10,000 coin-days.  The rest of the network has 900 coins * 10 days = 9,000 coin days.  It looks like my ageing the coins just gives me free leverage to take over the network.  Since it doesn't reflect any actual additional stake being invested in the coin, it actually weakens it rather than strengthening it.

Furthermore, spending the coins arbitrarily destroys their coin age, which doesn't make sense either.  Both the buyer and seller of a pile of coins value them equally -- why does one have a lot more stake than the other?  This also reduces the incentive to spend the coins.

A proof-of-stake coin should actually measure stake!  Age of a coin is not an investment because it costs them nothing, and it is not a stake.  Just because you can measure something, like coin age, does not make it important.

How to fix, if this is indeed a problem?  Don't know, cause I'm not a coin designer.  My guesses:
1. Use amount of coins as a measurement of stake rather than coin-days.  That way, a person would have to acquire 51% of the coins to execute an attack, without the free leverage added by coin age.
2. Use amount of coins times the age of the person in the network not the age of the coin.  That is, measure the number of blocks they have helped mine and weight their amount of coins by that as a measure of their trustworthiness.  Not sure if or how to accomplish this.  However, it has the benefit that they can buy and sell coins freely without diminishing their stake in the network.
3. Ignore amount of coins and use the number of blocks the person has helped mine as a measure of their trustworthiness.  This would reward durability of mining, which unlike coin age is actually a measurement of stake.  Call it mining-days rather than coin-days.

Imagine that 1,000 people have equal computer power and mine the coin every day for one year.  That is 1,000 mining-years.  A new person who wanted to overtake the network would not just have to muster 51% of the network, but would have to do so until his total contribution was more than the rest of them put together.  To exceed the rest of them in the second year, the attacker would have to provide 2,000 mining years in one year all by himself just to exceed their combined, growing stake.  Since he only has 1 year to do it in, he has to muster 2,000 times the capacity of the rest of the network combined.  At least that is how I imagine it.

Well, comments?
Jump to: