Topic: MC2: A cryptocurrency based on a hybrid PoW/PoS system - page 60. (Read 195188 times)

The hash type used is determined from a pseudorandomly generated table for the first 200k or so blocks and then is simply derived from the Pearson hash of the 1st, 2nd, ... , nth block after reaching this predefined block height.

In the case of both this and N, they are (eventually) both chosen from the blockchain itself, but through previous blocks, never current blocks.

Note: N values are calculated from the last 8 blocks in a block cycle, but also not current blocks.  The N value is calculated from a much harder scrypt hash of the merkle root.  I think the merkle root is able to be gamed though (by manipulating coinbase transaction) so in the next draft this should change to to the block hash rather than the merkle root.  We might also need to do another scrypt hash instead of the Pearson hash for secure hash algorithm order and then use that to determine the order of SHAs -- this could afford more security and is easy to implement.

We verify that the correct hash is chosen the same way we do in bitcoin: We require that the hash has a number of leading zeroes (difficulty).  Because the type of hash in also in the block header, you could never use one of the other hashes too (the network clients would reject it even if it satisfied the correct number of leading zeroes).

Edit: If we use the block hash though, we need to contend with the fact that we have essentially a truncated input because of leading zeroes.  This might be make it a little less secure (though I doubt it).  In this case, we can just use the last 256-bits (which will likely never be 0's) of the block header hash for use in the hard hash to calculate N.

Okay, I have another question.

The hash type used for the block is calculated and added for the block header.  The hash type that is supposed to be used is used is shown through the block header.  Because we know what hash type is used it is easier to verify the legitimacy of the block.  But, how do we verify that the correct hash is chosen?  We would need to calculate that.  But, then that would defeat the whole point.  In the whitepaper it says the hash type is given so that you don't need to calculate it.  Who would be calculating and verifying the hash type?

But what if the insecurity or disaster comes from the governments in charge? Let's say Bitcoin is wonderful and takes off but governments like how it's set up and wont let us make changes? It has to be easy enough to make changes and thus it has to be very modular.

I think the moment we get AGI everything changes and all rules of economics will be screwed. There will be no reason to hire human beings to do labor so how would human beings earn Bitcoin or any other cryptocurrency?

At some point human beings will have to earn by taxing their machines somehow. Today in 2013 AI isn't able to design things, but in 2031 this may be different and AI may be able to design everything. When that happens it will impact cryptocurrencies as well and if we can plan for that possibility in the design early on then perhaps we can mitigate any potential existential threat which could come.

It sounds baseless, but many people are concerned that all their jobs will be replaced by machines, robots and AI. A more energy efficient currency might only speed that up and what good is a cryptocurrency in that environment?

Overall though I value your currency. I just hope when it's being programmed it has a very modular design so that it can continuously and easily be updated even if the politics make it hostile to do so.

The quantities of N for each 8 block cycle are pseudorandom because they are based on the hard hashes of the merkle roots of the last 8 blocks.  I say pseudorandom because something is determining them.  The reason this can't likely be gamed is because the hard hashes from which these are based on take a long time and a lot of memory to compute (N = 262144; I think they take about 500 msec each to compute on a CPU).  In order to game them, you would have to both select for the blocks you put into the hash chain (very hard, because PoW is competitive) and also calculate millions of these extremely hard hashes.

Pearson hashes are non-secure, but they are exactly 8-bits.  The gap for all subranges in N' (Nmax - Nmin) is 256, and 2^(8 bits) = 256.  Because we calculate the pearson hash from the hard hash we've already generated, it shouldn't pose a security issue (as before, the hard hashes are really, really hard to game).

Edit: Sorry, realized this was about the block ordering, not N-ordering and value generation.  I figured that it would be unlikely that people game values in the chain for the ordering of the SHAs years in advance, because that's a massive expenditure of energy (throwing away millions of blocks) in order to do so.  There are other ways to do so, but this was easy and there shouldn't be any major security qualms about it I would think (but if you can think of some, I am all ears).  I should note in the next update of the paper that these will be based on the PoW blocks only, not PoS blocks (which can easily be gamed).


The miraculous thing about Bitcoin is that the protocol can change over time; the clients just need to download new versions they agree upon.  Right now the BTC protocol is good enough, but in 10 years? 20 years? 30 years?  The democratic system is in place as an eventuality -- you might be surprised as to what doesn't change in 30 years, too.  But if AI is designing things, well, I think it'll probably look quite a lot different than this.

The worst thing that can happen with a secure hash algorithm is that any given input's output hash can be predicted more easily than actually hashing it.  In the event this happens, we only lose 1/4 of the security of the chain (1/4 of the blocks can be solved more quickly than the others) because we are still using all the other secure hash algorithms, whereas with bitcoin if SHA2 fails the entire chain will trainwreck.  If there is a collision attack or something of this nature for one of the hash algorithms, we can just replace it in an update -- the effect on the currency overall is minimal.


This is a (good) possibility too -- we can use PoW block height as a consistent metric for network time.  I will think about this some more and may use it.

How about Omegacoin?
Better than Memcoin.

The value n is
again used to determine the cycle size of the polymorphic hash chain, where
each of the 8 possibilities of a sequential memory-hard hash function are
incorporated into the hash chain once and only once; as before, in MC2 n =
8. These are also ordered in a pseudorandom fashion every cycle.


Are there details on the pseudo-random mechanism and why it is done this way? Is it secure to do it pseudo-random rather than truly random?

Sorry but I'd like more information because whenever I see pseudo-random I usually perceive it as a negative red-flag.


the order will be determined by the integer ordering of the Pearson hashes
of the the Merkle root of blocks {(current block 259,200) ... (current block 259,192) – – }
such that


Huh? Okay why was this decision chosen unless it's the only way?

Anyway I'm digesting your paper and I think a lot of it is brilliant so you've won me over as a long term supporter. I think these sorts of currencies need more democratic processes built in because this way they can adapt better to social conditions. The one problem I see with cryptocurrencies is that they all assume that not a lot will change from now to 100 years from now. It's almost certain that Bitcoin cannot last 100 years by design. The birth of AGI or superintelligence will change everything and that hasn't really been factored into this enough.

Theoretical question, if AI or a robot does some work should that AI or robot have to be paid in some sort of cryptocurrency as well? That would potentially be an advance because it would make balance the value of human labor and robot or AI labor for instance if even robot or AI labor is accounted for. It would also provide a mechanism to potentially fund building robots and AI if the creators would be able to tax the profits of their robots.

This would mean there would be no free labor, not even if bots. This is philosophical but I figured I'd add it to the discussion because if cryptocurrency becomes more energy efficient and AI reaches artificial general intelligence and eventually super intelligence then there will be less a need for human labor at all. Why not consider that when designing cryptocurrency?

I like the idea, but have a couple of comments

whitepaper: "BLAKE512, SKEIN512, SHA3-512 (KECCAK512), and SHA2-512 are incorporated with both Salsa20 and Chacha20 stream ciphers."

I like how this makes fpga's and asics harder, but it also means that if there is a flaw in any one of these hashes or stream ciphers then the coin fails.  Is there any other way to achieve this goal?



whitepaper:  "Transactions will largely stay the same as in BTC; coin age will be calculated from the the timestamp of the block in which it appears."

Why calculate from the timestamp and not the block height?  timestamps can be incorrect, the block height can't be. They both give estimates since the block height to time calculation is based on the target block time that isn't always met, but it is good to base as much as possible on truths inherent to the blockchain.

I'd be willing to invest my spare hours of programming into this. I'm mostly into android backend and c++ programming.

This sounds quite good. I'm going to keep a close eye on this coin as it looks very interesting. I especially like the democratic element.

That's my favorite also.

This coin is meta all over the place.

+1 for Metacoin

They are competitively mined as in BTC/LTC/PPC.  PoS blocks are not competitively mined, you can simply grab them once you have enough coins of a certain age (which is why you need to put heavy restrictions on the timing of PoS blocks; otherwise a double spend is really, really easy).


The reward for MC2 is 12.5 coins per clock (vs. 25 coins per block initially for PoW), and it decreases 8% per coin year the same as for the PoW blocks.  I think it's ideal for PoW to have a doubly higher reward, as PoW takes more computational effort.

So the PoW blocks aren't competitively mined? Does the miner get nothing from a PoW block?

Sorry if these are answers already written.. I should probably read your initial stuff more closely..


I also kinda like this idea, but it also poses the difficulty of deciding what level interest should be.

No -- it still affords enhanced security for no real net gain in electricity used.  You get some extra resistance to 51% attacks and extra confirmations through this system.

Aside from that, I'd really like to have an alt. chain where you are rewarded for saving coins in a fashion that is disconnected from the market.

I'm pretty new to PoS designs, but wouldn't this kinda defeat any long-term energy efficiency purposes of using PoS? Why bother with PoS at all then?

Haha I first thought the MC2 stood for mc^2 as in e=mc^2, Einstein's energy equation. So it would be 'Energy' coin 

Megacoin (MGC)
Perfectcoin (PTN) (PTC)
Metacoin (MTC)
TheCoin (TCN)

I've been thinking about the PoS system a lot, and this is what I'm concluding as the most simple mechanism to use for their general generation:

1) Require that every single PoS block be followed by a PoW block and succeeded by a PoW block, limiting the maximum block rate of the network to PoW and preventing PoS blocks from easily making forks so they can double spend.
2) For confirmations, six blocks of any type should be used.  Because of 1), this makes a maximum of 3 stake blocks for any six confirmations (which I think should be safe; PoW durations are twice that of Litecoin and most vendors are okay accepting 6 LTC blocks).
3) Stake blocks will be accepted based on their cumulative coin age as calculated by the sum of the products of (coin quantity from input transaction * coin age aka transaction age).  When faced with two or more PoS blocks at nearly the same time, all will be orphaned except the one with the largest cumulative coin age.

I will work this into the next draft of the whitepaper unless someone thinks it's a terrible idea for whatever reason.

I'm also happy this is garnering so much interest.  I'll create BTC and LTC donation addresses tomorrow, and I'll report what people have given.  I don't really want any money for it myself, so I'll hold it in reserve here and distribute it to any developers who hop onto the project.  What I really need are programmers at this point.

It's a working title, I'm open to suggestions.