Topic: Is a more efficient coin possible (Ben Laurie)? (Read 2706 times)

legendary
Activity: 1652
Merit: 2301
Chief Scientist
From the arimaa whitepaper:
Quote
Although there can be multiple registrars to choose from an individual
or organization can maintain only one effective account with only one registrar.
Right-- good luck with that! Any system that relies on Wise, Efficient and Effective Bureaucracies to decide hard questions like "are these 400 accounts really one scammer trying to get more than their fair share" is doomed to fail if it ever gets large enough to attract the attention of scammers.

If you have a really good automated way of telling the scammers from real people that doesn't require them sending in a DNA sample or body part, please let me know. I could use a good solution for the Bitcoin Faucet.
hero member
Activity: 798
Merit: 1000
The arimaa proposal is interesting and similar to something I posted recently: https://bitcointalksearch.org/topic/new-musings-for-a-stable-currency-64637

This newest design is light years simpler than encoin, so it is a near-future possibility. It hinges on whether or not the "block chain heuristics" part works. But if suitable, it would require much less energy to maintain than Bitcoin.
legendary
Activity: 1372
Merit: 1002
Yes, I'm aware, although I've never really understood how it works.
I remember a heated discussion with you on the feasibility of "self stabilizing" currencies. But no resentment from my part.
Another proposal that I haven't read yet is this one:

http://arimaa.com/money/

You may be interested.
hero member
Activity: 798
Merit: 1000
Quote
This is key I think. If you need an authority to create mintettes, we already have central and commercial banks.
On the other hand, if you allow anyone to become a mintette, I alone could create current_size_of_the_network + 1 new mintettes and control the network.

As I suspected, this cannot work. Not needing the proof of work was too good to be true.

I know you are aware of the encoin proposal: https://bitcointalksearch.org/topic/encoin-proposal-v40-scads-of-technical-details-now-with-a-wiki-49683

Without having read Laurie's "mintette" thing, I had come up with a similar idea. There is no authority that creates mintettes, only reputation that is gained by receiving transactions and paying fees (the receiver pays the fee--typically all merchants, as fees would be refunded in increasing amounts depending on reputation). At the very least, the system is as secure as bitcoin but without the need for energy being expended on proof of work to eternity. The chain keeps track of the maximum reputation ever seen, and at least >50% of this reputation is required to validate transactions. With the additive single-verify property of digital signatures, I don't believe this would be an insurmountable task. However, some of the security of bitcoin's hashed public keys is lost (though I believe this could be nullified by using keys only once, I didn't go that much further into it). If there were an intentional or unintentional network split, both sides would almost immediately be aware of it and no transactions would be approved.

But I am not a networking/cryptography guru so some of what I proposed may not be possible, or not possible yet, but it is a starting point at least.
donator
Activity: 1218
Merit: 1079
Gerald Davis
One thing I would point out is that checkpoints aren't centrally controlled.  There are alternative clients and they can implement different checkpoints (or no checkpoints).  In time I would expect usage of the classic "satoshi" client to continue to decline.   For the average user an e-wallet, light client, or smartphone client seems like a better fit.  For niche environments like POS, web storefront, gaming casino, mining pool, etc. the satoshi client is also less than ideal.  Custom niche wallets will be developed as the market becomes larger.

As the usage fragments into a variety of wallet formats there is no central authority to enforce checkpoints as ordered by the authority.  Yet another thing the author got wrong.
sr. member
Activity: 462
Merit: 250
Thanks, Blue.
hero member
Activity: 714
Merit: 500
nothing new, nothing better.
full member
Activity: 225
Merit: 101
Incidentally, where in the bitcoin source are the checkpoints checked?

They're defined in checkpoints.h and checkpoints.cpp and used in main.cpp.
sr. member
Activity: 462
Merit: 250
Incidentally, where in the bitcoin source are the checkpoints checked?
sr. member
Activity: 462
Merit: 250
I read the first paper ("Decentralized currencies are probably impossible.")  His argument is basically that since the blockchain is checkpointed, bitcoin is not really a decentralised currency.  The checkpoints by the bitcoin developers constitute a form of centralization.   I suppose he has a point, but it would be extraordinarily expensive to abuse that centralization, at least at the moment.
legendary
Activity: 1050
Merit: 1003
This is a nice way of putting it.

My preferred 'most secure' system is different from the above: (requires X, but X is augmented by Y):

votes = (1+coins)^p*(hashes)^(1-p)   where 0 < p < 1 [I would suggest p = 0.8 as a good value]

You don't need coins to vote in this system. Coins just give your votes more weight. By contrast, you do need hashes to vote.

The major issue I see with such a system is that it makes mining pools even more important.  Also larger pools (or at least pools holding more coins in their reward address) are actually MORE efficient.  We already see a massive migration to the largest pools (bigger get bigger) and the only advantage they have is lower variance.  If Deepbit for example actually could generate more revenue per share than smaller pools in pretty short time we would have 1 pool.  Smiley


I'll look at the rest of the response later, but I want to respond to this statement first. This is a misunderstanding due to me being sloppy and omitting details. Proof-of-stake or a mixed system can be arranged without creating increasing returns-to-scale in mining. Appropriate rule choices would allow for competitive small-scale mining operations. In fact, appropriate rules make independent, small-scale mining more viable than it currently is. I think a hybrid system would lead to a larger number of small pools and independent miners.

Here is my suggested rule choice which protects small-scale miners:

I would define coin votes in terms of 'coin-confirmations' rather than 'coins'. I define "coin-confirmations" as [coins associated with private key * confirmations associated with private key]. In words, coin-confirmations are the product of the number of coins in an account and the number of blocks found since these coins in this account were last sent (i.e. this is the number of confirmations on the coins). I would require coins to be sent every time they are used to mine a block, thus resetting the number of confirmations on the coins. These sends offer proof that the miner has access to the coins' private key. In this system, an account containing 1000 coins with 1 confirmation is equivalent in voting power to an account containing 1 coin with 1000 confirmations.

It should be clear that coin-based voting under this arrangement has constant returns to scale. Aside from reduced variance of payouts, there is no advantage associated with membership in a large pool. Moreover, payout variance is decreased across the board because random hashing outcomes determine only 20% of voting power. The across-the-board reduction in payout variance makes large pools less attractive. One would expect smaller-scale operations to emerge under these rules.
donator
Activity: 1218
Merit: 1079
Gerald Davis
This is a nice way of putting it.

My preferred 'most secure' system is different from the above: (requires X, but X is augmented by Y):

votes = (1+coins)^p*(hashes)^(1-p)   where 0 < p < 1 [I would suggest p = 0.8 as a good value]

You don't need coins to vote in this system. Coins just give your votes more weight. By contrast, you do need hashes to vote.

The major issue I see with such a system is that it makes mining pools even more important.  Also larger pools (or at least pools holding more coins in their reward address) are actually MORE efficient.  We already see a massive migration to the largest pools (bigger get bigger) and the only advantage they have is lower variance.  If Deepbit for example actually could generate more revenue per share than smaller pools in pretty short time we would have 1 pool.  Smiley

A variant of that which could work is a shared reward system.  Essentially there would be no reason for pools to even exist.  A currency w/ a built in p2pool type mechanism would simply distribute global rewards (subsidies and fees) based on work performed in the prior 144 blocks (24 hours) based on shares submitted to the network.  So who solved the block would be irrelevant from a payout perspective.  If the currency produced 50 coins per block and you contributed 0.1% of global hashrate you would earn 0.05 coins per block regardless of who solves the block (~7.2 coins per day assuming same block time as Bitcoin).  It would significantly reduce "solo miner" variance as the only variance that would occur would be in GLOBAL (not individual) block generate times.  On a week long basis that number is very stable.  Optionally a finders fee could be given to the block solver as a personal reward to avoid block withholding.

On edit:  I just realized pools would still exist.  People would be pooling money to increase stake (and thus effective hashing power) just like right now they pool hashing power to reduce variance.   If raw hashing power is weighted by coins held (proof of stake) then people would form pools to increase their effective proof of stake.  A coin w/ a built in p2pool mechanism and rewards auto distributed based on hashing power would still be an interesting concept.

On edit 2:  A variant on the proof of stake increasing effective hashing power would be to simply require a mining "fee" to be held in escrow in order to sign a block.  Thus having more coins doesn't improve hashing performance but to mine you must be holding a stake.  Obviously the relationship would need to be linear in an anonymous network.  As an example the proof of stake could be 30 days of generation.  Today 1 GH produces roughly 1 BTC per day so to mine @ 1 GH would require holding 30 BTC in the reward address.  To mine @ 3 TH (DeepBit) would require holding 30,000 BTC.   To achieve 51% of network hashing power would require 51% of hashing power plus 108,000 BTC.  One could make the proof of stake larger but that would make starting mining more difficult even for smaller miners.  One option would be to adjust the proof of stake requirement dynamically just as difficulty is done.  For example each block would record the value of the reward address at block signing.   The network could compare the reward address actual amount to required amount.  If it is significantly larger (miner indicated a higher proof of stake is desired) then the proof of stake increases x%.  Say from 30 days to 31.5 days.  Miners who are overcapacity (more hashing power than stake) could also be accounted for and if the network is understaked reduce the proof of stake requirement.

I also agree that some sort of escrow mechanism would be necessary to increase the damage done in any attack.  This could simply be part of the network: much like newly minted coins can't be spent, the coinbase transaction would make the reward + proof of stake be newly minted (and thus unspendable for 120 blocks).

For example today the coinbase transaction looks like this
* input address: null (0 BTC)
* output address:  reward address (reward BTC)  <- locked for 120 blocks

Proof of stake chain would have a coinbase like this:
* input address: address holding stake (xxx BTC)
* output address:  reward address (reward + proof of stake requirement) <- locked for 120 blocks
* change address: change address (balance of input - proof of stake)
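The escrow coinbase sketched above, modelled as an added example (my code, not anything posted in the thread). It uses the post's own figures: roughly 1 BTC per day per GH, a stake of 30 days of generation, 120-block coinbase maturity, and a 5% retarget step (30 to 31.5 days). The record layout, the function names, and the 10% "significantly larger" threshold that triggers the retarget are my assumptions.

```python
"""Model of the proof-of-stake escrow coinbase described in the post above.

Added example, not code from the thread. The numeric constants follow the
post; the record layout, function names and the 10% retarget slack are
assumptions made here for illustration.
"""
from dataclasses import dataclass

COINS_PER_GH_PER_DAY = 1.0   # post's rough figure: 1 GH produces ~1 BTC per day
COINBASE_MATURITY = 120      # blocks before a coinbase output may be spent


def stake_required(hashrate_gh: float, stake_days: float) -> float:
    """Escrow a miner must hold to sign blocks at a given hashrate:
    'stake_days' days of that hashrate's expected generation."""
    return hashrate_gh * COINS_PER_GH_PER_DAY * stake_days


def can_sign(stake_balance: float, hashrate_gh: float, stake_days: float) -> bool:
    """True when the stake address holds at least the required escrow."""
    return stake_balance >= stake_required(hashrate_gh, stake_days)


@dataclass
class StakeCoinbase:
    stake_input: float      # balance of the address holding the stake
    reward: float           # newly minted subsidy (+ fees)
    stake: float            # proof-of-stake requirement at this block
    locked_output: float    # reward address: reward + stake, locked for maturity
    change_output: float    # change address: input - stake, spendable at once
    lock_height: int        # first height at which locked_output can be spent


def build_stake_coinbase(stake_balance: float, hashrate_gh: float, reward: float,
                         stake_days: float, height: int) -> StakeCoinbase:
    """Build the three-part coinbase from the post: stake input, locked
    reward+stake output, and a change output for the remainder."""
    required = stake_required(hashrate_gh, stake_days)
    if stake_balance < required:
        raise ValueError(f"stake {stake_balance} below required {required}")
    return StakeCoinbase(
        stake_input=stake_balance,
        reward=reward,
        stake=required,
        locked_output=reward + required,
        change_output=stake_balance - required,
        lock_height=height + COINBASE_MATURITY,
    )


def balances(cb: StakeCoinbase) -> bool:
    """Conservation check: outputs equal the stake input plus the minted reward."""
    return abs(cb.locked_output + cb.change_output - (cb.stake_input + cb.reward)) < 1e-9


def adjust_stake_days(stake_days: float, recorded_balance: float, required: float,
                      step: float = 0.05, slack: float = 0.10) -> float:
    """Difficulty-style retarget of the stake requirement.

    Raise it by 'step' when the reward-address balance recorded at signing
    exceeds the requirement by more than 'slack' (miners signalling they can
    carry more stake); lower it when the recorded balance is under-staked.
    The 10% slack is an assumption; the post only says 'significantly larger'."""
    if recorded_balance > required * (1.0 + slack):
        return stake_days * (1.0 + step)
    if recorded_balance < required:
        return stake_days * (1.0 - step)
    return stake_days


if __name__ == "__main__":
    # Constructed scenario: a 1 GH miner holding 100 coins signs block 1000.
    cb = build_stake_coinbase(100.0, 1.0, 50.0, 30.0, 1000)
    print(cb, balances(cb))
    print(adjust_stake_days(30.0, 40.0, cb.stake))   # over-staked: 31.5 days
```

`balances` is the check a validating node would apply to such a coinbase: the only value created is the reward, everything else is the miner's own stake moving into a time-locked output and back out as change.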
legendary
Activity: 1050
Merit: 1003
The real question is not if a more efficient system is possible.

The real question is:

What is the most secure system possible ?

So far I have seen two systems:

1. Majority of vote. (suggested alternative coin system).
2. Majority of computational power (bitcoin).

To make it a little more meta (and understand Bitcoin better) I would abstract it this way.

All consensus systems are based on votes.  So your two examples are

1. Majority of vote (1 person = 1 vote)
2. Majority of vote (1 hash = 1 vote)
also you could include
3. Majority of vote (1 coin = 1 vote)
4. Majority of vote (1 transaction log of x transactions = 1 vote)  <- vote weighted by age of entity (older more active entities are given more weight)
5. Majority of vote (hybrid system including 2+ of the above, x OR y)
6. Majority of vote (layered system which requires 2+ of the above x AND y)

This is a nice way of putting it.

My preferred 'most secure' system is different from the above: (requires X, but X is augmented by Y):

votes = (1+coins)^p*(hashes)^(1-p)   where 0 < p < 1 [I would suggest p = 0.8 as a good value]

You don't need coins to vote in this system. Coins just give your votes more weight. By contrast, you do need hashes to vote.

The use of random computing outcomes as a voting determinant causes blocks to have a Poisson arrival rate. A mixed system with 0 < p < 1 preserves this Poisson arrival rate. With a pure coin system [where p=1], depending on design, people might be able to 'save up' voting power and intentionally mine several blocks in a row. This makes temporary double spends too easy. Thus, a random arrival rate seems essential. An alternative, pure-coin design with a random arrival rate is a positive expected value lottery (use coins to buy lottery tickets, and win a vote in the lottery).

A lottery is advantageous if the mining community is risk-loving and detrimental if the mining community is risk-averse. My guess is that risk-aversion is more common, so that avoiding a lottery is desirable. Thus, using hashing is a good alternative.

Hashing has other advantages. A mixed coin-hashing voting system provides a transparent mechanism for initial coin distribution. Initially, coins can be mined through pure hashing. By contrast, any pure coin system requires a nonrandom initial coin allocation. This generates some fairness concerns.

Note 1: To give you guys some sense of what these rules would mean... the system with p=0.8 leads to a competitive equilibrium, where miners spend approximately 80% of their capital expenditure on coins and approximately 20% of  their capital expenditure on computing power.

Note 2: The case for coin voting seems crystal clear to me. Currently, we have a system where attack costs are measured in electricity and video card depreciation. These costs are incurred even if an attack fails to happen. Ideally, miners should incur costs iff an attack occurs. Resources that are used even if no attack occurs are simply being wasted. Inexplicably, people act as if resource destruction is necessary and desirable. There is no logical foundation behind this fatalistic attitude. With coin voting, miners hold lots of coins. Attacks negatively affect coin prices and wipe out miner assets. [If necessary, any possible time lag between an attack event and a price change can be handled via a time-lock escrow mechanism.] The key advantage is that miners incur costs only in the event of an actual attack. This generates tremendous resource savings. Resource savings are passed on to users through lower txn costs, lower inflation, AND/OR higher security.


Okay, I'm returning to my burrow now.
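A worked model of the vote formula in this post and of the coin-confirmation rule in the same poster's earlier reply (the one claiming constant returns to scale). This is an added example, my code, not anything posted in the thread. It assumes coin-confirmations stand in for the "coins" term, that a coin and a unit of hashing both cost 1 so a budget split reads directly as a share, and the function names are mine. It demonstrates three things the text states in words: 1000 coins with 1 confirmation equal 1 coin with 1000 confirmations; merging two equal miners into one pooled account earns no extra votes (the formula is homogeneous of degree 1, and the "+1" term makes the pooled total slightly smaller); and a vote-maximising miner with p = 0.8 puts 80% of a fixed budget into coins.

```python
"""Mixed coin/hash vote weight: votes = (1 + stake)^p * hashes^(1-p).

Added example, not code from the thread or from any referenced paper.
Assumptions: coin-confirmations are the 'coins' term; a coin and a unit of
hashing each cost 1 budget unit; the 'p' default is the poster's 0.8.
"""


def coin_confirmations(coins: float, confirmations: int) -> float:
    """Stake term as defined in the thread: coins held * blocks since last send."""
    return coins * confirmations


def votes(stake: float, hashes: float, p: float = 0.8) -> float:
    """Vote weight from the post: (1+stake)^p * hashes^(1-p) with 0 < p < 1.
    Zero hashes gives zero votes, so hashing is required to vote at all."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return (1.0 + stake) ** p * hashes ** (1.0 - p)


def pooling_gain(stakes, hashrates, p: float = 0.8) -> float:
    """Ratio of the votes one pooled account gets to the sum its members
    would get separately. Exponents summing to 1 make the formula homogeneous
    of degree 1, so pooling yields no gain; the '+1' term pushes the ratio
    slightly below 1, i.e. pooling is (marginally) worse."""
    separate = sum(votes(s, h, p) for s, h in zip(stakes, hashrates))
    pooled = votes(sum(stakes), sum(hashrates), p)
    return pooled / separate


def best_coin_share(budget: float, p: float = 0.8, steps: int = 100) -> float:
    """Grid-search the fraction of a fixed budget spent on coins (the rest on
    hashing) that maximises votes. Endpoints are skipped: all-hashing and
    all-coins are both dominated (all-coins yields zero votes)."""
    best_share, best_votes = 0.0, -1.0
    for i in range(1, steps):
        share = i / steps
        v = votes(share * budget, (1.0 - share) * budget, p)
        if v > best_votes:
            best_share, best_votes = share, v
    return best_share


if __name__ == "__main__":
    # Constructed figures: two identical miners, each 100 coin-confirmations and 10 hash units.
    print(coin_confirmations(1000, 1) == coin_confirmations(1, 1000))   # True
    print(pooling_gain([100.0, 100.0], [10.0, 10.0]))                  # just under 1.0
    print(best_coin_share(1000.0))                                      # 0.8
```

The budget search is the numeric counterpart of Note 1: for a weight of the form stake^p * hashes^(1-p), the vote-maximising expenditure share on each input equals its exponent, which is why p = 0.8 translates into roughly 80% of miner capital held as coins.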
donator
Activity: 1218
Merit: 1079
Gerald Davis
The real question is not if a more efficient system is possible.

The real question is:

What is the most secure system possible ?

So far I have seen two systems:

1. Majority of vote. (suggested alternative coin system).
2. Majority of computational power (bitcoin).

To make it a little more meta (and understand Bitcoin better) I would abstract it this way.

All consensus systems are based on votes.  So your two examples are

1. Majority of vote (1 person = 1 vote)
2. Majority of vote (1 hash = 1 vote)
also you could include
3. Majority of vote (1 coin = 1 vote)
4. Majority of vote (1 transaction log of x transactions = 1 vote)  <- vote weighted by age of entity (older more active entities are given more weight)
5. Majority of vote (hybrid system including 2+ of the above, x OR y)
6. Majority of vote (layered system which requires 2+ of the above x AND y)
donator
Activity: 1218
Merit: 1079
Gerald Davis
I already knew his critique of bitcoin wasn't accurate, so you didn't need to defend it. But I wasn't sure I was actually understanding his proposal and I thought it may work.

It leaves out the most important part of how to choose the group of "trusted" people.

This is key I think. If you need an authority to create mintettes, we already have central and commercial banks.
On the other hand, if you allow anyone to become a mintette, I alone could create current_size_of_the_network + 1 new mintettes and control the network.

As I suspected, this cannot work. Not needing the proof of work was too good to be true.

Thank you guys.


He "kinda" explains it if you look at his first "paper" where he proves Bitcoin (and other decentralized currencies) are impossible Smiley

My summary of his logic process:
1) With 51% of hashing power attacker can completely steal every single Bitcoin (a falsehood BTW) thus Bitcoin protocol isn't viable.
2) To protect against that checkpoints are written into the client.
3) Those checkpoints can't be decided by proof of work because 51% could force a false checkpoint too.
4) Those checkpoints are written by a central authority (another falsehood as anyone can write a client w/ any checkpoint).
5) Thus Bitcoin is indirectly controlled by a central authority.
6) Since Bitcoin is controlled by a central authority simply be transparent and have that central authority nominate 500 or so nodes instead of creating checkpoints.
7) Those nodes no longer have need for proof of work and can use a simple ledger system.
8) The value of the network is based on the consensus of the 500 nodes.

In essence between the two papers he writes off not just Bitcoin as impossible but all decentralized currencies as impossible and thus one should "settle" for a distributed currency.  Think eGold except instead of 1 central eGold server there would be 500 or so semi-independent eGold servers.  While I agree it is better than eGold it is far far inferior to Bitcoin.

TL/DR version.

All consensus requires votes.
In a public election you care about individuals.  1 person = 1 vote.  Central authority controls # of people so vote is fair.
In a corporation you don't care who the individuals are you vote the shares. 1 share = 1 vote.  Exchange controls # of shares so vote is fair.
In Bitcoin we accept that we can't control entities in an anonymous network thus we make 1 hash = 1 vote.  Anyone can "vote" even attackers however as long as the # of good votes = good hashes > # of bad votes = bad hashes the network will continue to operate.

An alternative being discussed would be a proof of share.  1 coin = 1 vote.  That opens new kinds of issues but still you are always voting.  You just need to decide what is a vote.  In theory you could make a hybrid system where 1 hash or 1 coin or 1 verified identity = 1 vote.  Or a layered system where to sign a block you need a certain amount of hashing power, a certain amount of coins, a certain # of verified identities.  Not sure how practical those are but the concept hasn't changed:  1 x = 1 vote, 51% forms a consensus.


legendary
Activity: 1372
Merit: 1002
I already knew his critique of bitcoin wasn't accurate, so you didn't need to defend it. But I wasn't sure I was actually understanding his proposal and I thought it may work.

It leaves out the most important part of how to choose the group of "trusted" people.

This is key I think. If you need an authority to create mintettes, we already have central and commercial banks.
On the other hand, if you allow anyone to become a mintette, I alone could create current_size_of_the_network + 1 new mintettes and control the network.

As I suspected, this cannot work. Not needing the proof of work was too good to be true.

Thank you guys.
member
Activity: 76
Merit: 10
Could this work?

No. The paper does not give any solution. It leaves out the most important part of how to choose the group of "trusted" people.

Centralization is always the most efficient system. However, corruption always occurs due to human nature. Spreading the authority to hundreds of people may not solve the problem. It is just like politicians in a communist country always voting the same, which essentially puts power in the same authority.


The natural incentive for somebody with lots of hashing power is to profit by playing by the rules, NOT to cheat.

And if you assume that your attacker is Rich and Powerful but Economically Irrational, then any alternative system that you propose will almost certainly be at least as vulnerable as Bitcoin. Create a system that requires 500 semi-trusted "mintettes" that all agree on a transaction log and then imagine 251 Special Agents infiltrating and corrupting the organizations that run those mintettes.

Increase the number to 40,000 mintettes to make it harder... and you've just re-invented Bitcoin.


If one day the Bitcoin user base grows, mining must become a very specialized industry and this core group should still consist of more or less 40,000 people. This group owns the equipment as an investment and looks for profit, so we can assume they behave economically rationally. It is much much better than a small group of a hundred people.

However, what we need is competition between all those people, not cooperation between them. Pool mining promotes cooperation in which pools act like "mintettes" in the paper. There is no real solution yet and it will hinder Bitcoin. Other problems in the paper are also real, and neither Bitcoin nor his solution solves them.


What is the most secure system possible ?

So far I have seen two systems:

1. Majority of vote. (suggested alternative coin system).
2. Majority of computational power (bitcoin).

The combination of these two systems as a two-phase confirmation might work better. All currency holders periodically vote the "hard" checkpoint. Two-phase confirmation may be needed for very large transactions for more trust. It is more complex and may have conflicts but it depends on implementation.

There will be other more systems in the future.
full member
Activity: 385
Merit: 110
The real question is not if a more efficient system is possible.

The real question is:

What is the most secure system possible ?

So far I have seen two systems:

1. Majority of vote. (suggested alternative coin system).
2. Majority of computational power (bitcoin).

Now you have to ask yourself a question which system do I trust more ?

Do I trust in "votes of the people/systems" ?

or

Do I trust in "computational power of the people/systems" ?

Both can probably be "gamed"... so...
legendary
Activity: 1652
Merit: 2301
Chief Scientist
My reaction to Ben Laurie's papers:

Incentives matter.


Yes, it is true that we cannot be absolutely, positively safe against a 51% attack unless we are absolutely certain 50% or more of the world's entire computing resources are dedicated to Bitcoin mining.

So what?

The natural incentive for somebody with lots of hashing power is to profit by playing by the rules, NOT to cheat.

And if you assume that your attacker is Rich and Powerful but Economically Irrational, then any alternative system that you propose will almost certainly be at least as vulnerable as Bitcoin. Create a system that requires 500 semi-trusted "mintettes" that all agree on a transaction log and then imagine 251 Special Agents infiltrating and corrupting the organizations that run those mintettes.

Increase the number to 40,000 mintettes to make it harder... and you've just re-invented Bitcoin.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Quote
If, for example, 1% of the total power available is used to produce Bitcoins at present (in fact, the amount is far less than that), then at any point someone could come along with a further 1.1% of the total power and use this to define their own consensus, thus invalidating all the work, and all the money, of the initial group, and instead take possession of the entire currency for themselves.

Given he doesn't even understand Bitcoin enough to know that statement is false I don't really see the merit in reading further.  The author later makes the claim that the only way Bitcoin can work is if 51% of computing power in the world is used for "good" into perpetuity however that fails to take into account opportunity cost.

If the goal of Bitcoin was to make a coin that had a mathematical proof that fraud was simply impossible, not improbable, or more expensive than the benefit of the fraud, then he would be right.  The only way Bitcoin could work is by having 51% of all computing power in the world doing "good" blockchain work.

Of course that isn't the goal of the proof of work.  No currency is immune to all forms of fraud.  The bar for Bitcoin shouldn't be higher than other currencies.  The purpose of the proof of work:
a) is to eliminate the economic value of an attack. If it costs you $2M to steal $1M then it isn't worth it.
b) to raise the cost of an attack where the intent isn't economic gain to act as a deterrent for any attack.  "Chase CEO: I would love to destroy Bitcoin but it isn't worth the $30M it would cost"

The author blunders on from there making incorrect assumptions extending from his invalid assessment as to the purpose of the proof of work.


In the opening paragraph of the second link.

Quote
Given that it is probably impossible to create a decentralised currency[2], what's the next best thing?

I claim that it is a distributed currency: one that relies on a distributed central authority. In this case, the interesting questions are how one builds a distributed central authority, and how one chooses the participants.

I explore these questions and outline sketch solutions.

Done.  I have no interest in a central authority, distributed or not.  The fed is a distributed central authority; its power is distributed across the 12 federal reserve banks.