Author

Topic: Need reviewers for a consensus protocol proposal - Proof of Time-Ownership (Read 181 times)

jr. member
Activity: 33
Merit: 73
@tromp - Ok, after more thinking, you're right. Long-range revisions still need to be mitigated somehow, so how about this: Get rid of the commonProportion piece, start with pure PoW and after a significant amount of coins have been distributed (say 50% of the maximum or something like that), then introduce the PoS parts of the protocol. Also use hardcoded checkpoints in software to block long-range revisions. What dyou think? If this protocol were used in Bitcoin, we could basically just skip right into it, since Bitcoin has long since passed that point.
legendary
Activity: 990
Merit: 1108
@tromp - You know, that's a good point. I guess the ordering doesn't guarantee it mathematically, but the work put into building blocks practically guarantees it.

If you can't guarantee a total order, then it's possible to have chains like A > B > C > A
and your model simply fails to give consensus.
jr. member
Activity: 33
Merit: 73
@tromp - You know, that's a good point. I guess the ordering doesn't guarantee it mathematically, but the work put into building blocks practically guarantees it. Just like how it would be incredibly expensive to build a longer blockchain than bitcoin's blockchain, it would be very expensive to create any long range revision of a PoTO chain. If you're talking about a node comparing a set of shot-range revisions (a few blocks) the commonProportion won't be different enough to matter. If you're talking about long-range revisions, you're talking about incredibly expensive attacks, and I talk about ways to mitigate that in the section "Mitigating Long-range Revision Attacks". Is there a scenario you think might cause trouble for a system using this protocol as is?

@aleksej - Mining is not a practical way for anyone in "remote places without a proper banking infrastructure" to acquire coin. In fact, its not a practical way for most people to acquire coin beyond a certain point. You have to have good network connectivity in addition to a lot investment in mining hardware to mine, and people in remote places aren't likely to have that. If the people in a certain aren't able to earn or buy cryptocurrency, the ability to mine isn't going to solve the problems that causes. And if their government is preventing them from receiving bitcoin, what's stopping their government from preventing them from sending bitcoin? Earning coin by mining is useless unless you can spend it. So I have to disagree that the ability to mine the coin without having coin is very useful beyond an initial distribution phase (eg the phase bitcoin is largely out of at this point).
sr. member
Activity: 490
Merit: 389
Do not trust the government
@Aleksej - I wouldn't call requiring coin ownership a "permission" since anyone should be able to acquire and own some coin, otherwise your coin fails as an economic mechanism. Requiring that miners compete on coin ownership increases the cost of attacking the system potentially by an order of magnitude or more. But what is the importance of the "permissionlessness" you're talking about? Why is that a desirable property? Perhaps there are other ways to achieve the goals you have in mind. If your concern is about centralization in the initial coin distribution, its certainly an easy change to limit coinbase rewards only to miners, and to not implement the hash-stake extension until there's an established market for acquiring coin. I mention most of that in the section on "initial centralization and long-term centralization".

I understand that it adds to security and I agree. The problem is privacy.
As governments implement tougher and tougher regulations on exchanges, users find it more difficult to buy coins without providing personal identification for KYC laws.

There is only one definite private way of acquiring any PoW coin and that is with mining.
I am afraid that requiring coins to mine would stop people from getting into the system without their governments permission.

Providing a way for anyone to get into the system anywhere, as long as they can connect to the network is a very valuable feature.
You can't expect people in remote places without a proper banking infrastructure or tough cryptocurrency laws to buy their first coins.
legendary
Activity: 990
Merit: 1108
The important thing is that there will always be one chain will be greater than or equal to all other existing chains.

How do you guarantee that, if not by using a total order?
jr. member
Activity: 33
Merit: 73
@Aleksej - I wouldn't call requiring coin ownership a "permission" since anyone should be able to acquire and own some coin, otherwise your coin fails as an economic mechanism. Requiring that miners compete on coin ownership increases the cost of attacking the system potentially by an order of magnitude or more. But what is the importance of the "permissionlessness" you're talking about? Why is that a desirable property? Perhaps there are other ways to achieve the goals you have in mind. If your concern is about centralization in the initial coin distribution, its certainly an easy change to limit coinbase rewards only to miners, and to not implement the hash-stake extension until there's an established market for acquiring coin. I mention most of that in the section on "initial centralization and long-term centralization".
sr. member
Activity: 490
Merit: 389
Do not trust the government
Miners must also hold coins in order to mine.

I haven't read your proposal, but I don't like that you say that miners need to have coins in order to mine.
It takes away from permissionless nature of the blockchain.
I think everyone should have a permissionless alternative to get into the system.
jr. member
Activity: 33
Merit: 73
@AdSkull - Read the protocol and you'll find out : ) That's why I wrote it.


@ tromp - Its not a total order because of the "commonProportion" term. Is there a reason you'd want chain-length to be totally ordered among all possible chains? The important thing is that there will always be one chain will be greater than or equal to all other existing chains.
legendary
Activity: 990
Merit: 1108
Is your longer-than relation, as defined for pairs of chains, a total order?


newbie
Activity: 28
Merit: 0
Quote
minters compete with miners to create blocks.

How does consensus algo decides who gets to write a block?
jr. member
Activity: 33
Merit: 73
I've written a hybrid PoW/PoS cryptocurrency consensus protocol called Proof of Time Ownership (PoTO) that's intended to be more secure than pure Proof of Work for a given amount of hashpower, and just as secure as pure PoW with a substantially less amount of hashpower (1/2 to 1/10th). I've also detailed and analyzed a number of attacks on PoTO, other hybrid protocols, and pure PoW.

A link to the proposal: https://github.com/fresheneesz/proofOfTimeOwnership

The protocol hinges on a few key design aspects:

  • Proof of Work - The protocol still has miners that compete on hashpower to mine transactions into blocks as well as to provide the randomness needed for determining who is allowed to mint PoS blocks
  • Time-bound Proof of Stake - PoS minters compete with miners to create blocks. A PoS minter is allowed to mint transactions into a block if one of their addresses comes up in a time-release progression.
  • Limiting Miners by held stake - Miners must also hold coins in order to mine, and the proportion of blocks they mine can't exceed the proportion of miner-stake they own. Note that this is detailed as the "Hash-Stake Extension" at the moment - but will likely be incorporated into the protocol as a key (non-extension) component.

In spending a lot of time thinking about this, I believe I've come up with a couple novel attacks not only on hybrid systems, but also on pure PoW itself. I called them "Mining Monopoly Attacks" and I'm curious if anyone has come up with them or discussed them before. The Orphan-based Mining Monopoly Attack is applicable only to hybrid systems that aim to reduce the hashpower needed for a given level of security (like PoTO), but the Economic Mining Monopoly Attack is applicable to both hybrid systems and pure PoW systems, and substantially reduces the theoretical cost of an attack on PoW at equilibrium (ie the cost of acquiring half the hashpower) to half the current amount invested rather than the full current amount invested. For PoW this means the security is half of what you might think, but for hybrid systems, this has more substantial security implications.

I take particular care to compare PoTO to the Proof of Activity proposal by Charlie Lee et al (https://www.decred.org/research/bentov2014.pdf) for which I found a number of security problems not discussed in its paper (or anywhere I've been able to find in my research).

I'm looking for a mathematician to help me analyze the minimum cost of attack for PoTO, since the Hash-stake Extension requires ugly and/or complex math for N>0.

Even at N=0, the introduction of a coin-ownership requirement to mine could substantially increase Bitcoin's security or substantially decrease the required hashpower to maintain Bitcoin's level of security (ie cost of attack), depending on how much staked-coin miners choose to use. Since owning locked-in coins costs much less than depreciation of mining hardware and electricity usage, its likely miners will stake a lot more bitcoins than it would cost them to purchase and run mining equipment. As an example, if 2/3 more bitcoins were staked by miners than currently costs to obtain and run mining hardware, the mining hashpower (and thus on-chain fees) could be reduced to 1/3 of its current amount while still retaining the same security. A second example: if 40% more bitcoins were staked by miners than it would cost to purchase and run mining equipment, the mining hashpower could be reduced to 60% of its current amount while still retaining the same security.

For N>0, the hashpower can be reduced even more while retaining the same security, tho I'm still looking for someone to help me calculate numbers for those (as I mentioned above).

So I'm looking for people to poke holes in this protocol, discuss potential issues and effects, and analyze other effects that haven't yet been explored. But please read the whole proposal before coming to conclusions.
Jump to: