Topic: Proof of burn - a potential alternative to proof of work and proof of stake (Read 9073 times)

BARR burned, redeemed, and consolidated about 100BTC worth of altcoins in 2015 and 2016. 

It's still available to trade 24/7 on the NXT Asset Exchange, and can never be delisted as long as NXT exists.

Iain, if you are here still, there is a new coin "on the block" which is using exactly your idea but calling it "Hive Mining". It's Litecoin Cash.

The Whitepaper, in my opinion, does not add nothing substantial to the original concept, only that the coins "work" for a relatively short time in comparation to Slimcoin, the first coin that has used the concept.

However, Litecoin Cash does one thing terribly wrong: they combine PoB with a "community fund", which is very likely centrally managed - as alternative to "burn" the coins you can send them to the community fund. Thus, community members can do some kind of "circle mining": they ensure they qualify for a bounty and then send money to themselves via the community fund.

I'm just wondering, has there been any new PoB coins of note in the last 3 years?

So far on the list I have:

-Counterparty
-Slimcoin

Without PoW or some other external resource "wasted", having a totally objective blockchain security mechanism is is probably impossible. But as Vitalik Buterin points out in his well known article about Proof of Stake and Weak Subjectivity, that may not be a problem at all. Proof of Burn should have very similar properties to Proof of Stake.


My understanding is that the difference lies in the fact that burning in a PoB system is always risky because there is a probability that your earnings from rewards will be less than your burnt amount. So the double spend cost is not completely proportional to stake but to the risk the "burner" is wanting to take. (In fact, if you are more wealthy you will be able to burn more coins, but in Bitcoin occurs something similar, as if you're more wealthy you can buy more hashing power).

But that has (if I don't oversee something) no implications for security, only for the "fairness" of the distribution mechanism. That's why I consider Proof of Burn an interesting alternative to PoS.

The main POS chains have a deterministic block production order making producing more than one block at a time impossible. In my design, I wanted something as elegant and permissionless as POW, which only follows the longest chain rule, regardless of participants.

I wanted to get away from the situation in POS where the cost of producing a double spend is a simple constant proportional to your stake, which I don't believe is a tenable design for a world currency. On the limit, my POB design collapsed down to plain POS, which is where I stopped

It is true that the "expected" total reward (for a participant) must be higher than the burnt amount of coins. If the "total burnt amount" is very high, it can lead to a situation where it is not profitable to burn coins in this moment. In a mature market it can be expected that this will lead to an equilibrium where there will never be "too much" nor "too few" coins burnt.

This equilibrium should lead to a situation where burning it is not guaranteed to be profitable, but with a certain risk it can lead to profit - but in a certain amount of time, e.g. in some months. That means that a "burnt coin" can be considered a long-time investment in the coin. My theory is that this mechanism can stabilize the coin value a bit as these long term investors cannot sell their burnt coins (they can sell their private keys, but in a trustless environment this is very difficult).



This situation is unlikely to happen, as for this there must be a very even distribution of coins.


Yes, that is true and that is basically the same "problem" like in Proof of Stake, ("rich get richer") but with an important difference. Burnt coins can not be moved (and spent) inmediatly because they are destroyed when burnt; you only can spend your profit after the rewards have been paid. In the situation I describe above, it will last several months to get a profit when PoB mining. This means that a "burning miner" is locking coins for some months.

So the game is a little bit different compared to PoS: it's not wealth but risk what is rewarded, because the value of a PoB currency can drop during these months.


@monsterer: Thank you for your analysis. I will respond in your thread after I've read more material regarding the attacks you're mentioning. A quick question: Are the attacks you're describing also possible for a pure Proof of Stake system (and so comparable to the "nothing at stake" problem)?

In case you haven't heard about it, you might want to check out what we're doing with Multi-Proof-of-Burn as an ongoing and variable method of distribution.

We swap for burned altcoins, with the goal of burning/swapping the entire available supply of an altcoin;  then we move to a different altcoin.  We only launched 2 weeks ago, but we've burned almost a third of the supply of Keycoin, almost a third of Fractalcoin, and almost half of all Sapience coins.

https://bitcointalksearch.org/topic/ann-barr-the-only-cryptocurrency-where-no-ones-ever-lost-money-1219460

I did a bunch of analysis on Proof of Burn to asses whether it could cleanly (and as elegantly) replace POW as a way of achieving consensus, but I had to conclude that it couldn't principally because of the finney attack.

More details here:

https://bitcointalksearch.org/topic/m.12446394

It seems like the reward will always have to be > burn otherwise no one would do it so burning is always net-positive meaning everyone wants to do it as fast as possible to claim the rewards.

A mechanism would need to be made to fairly select who gets the reward among the set of all people trying to burn.  In the best case this would be evenly distributed among all the people trying to do a burn.

If everyone in the network was participating in burning equally, everyone is getting an equal reward at the expense of everyone else, do we need a reward system at all?  Everyone is getting the same reward.

If a subset of people in the network are participating in the burning then that subset is getting a reward at the expense of everyone not in that subset, is this desirable?  Since there's no physical limitation to burning it seems like in the end the person with the largest balance will get the largest reward in the long run.

I was now granted access as an editor to the Bitcoin wiki. I have updated the Proof of burn page (http://en.bitcoin.it/wiki/Proof_of_burn) with the following additions:

- the introduction was wrong, as it is not only a method to "bootstrap" a currency out of another, but the original author specifically conceived it as a descentralized consensus method and an alternative to Proof of work / Proof of Stake. I corrected this.
- I added the current implementations (Slimcoin, the now defunct TGCoin which uses pretty the same implementation and the bootstrapping used in Levelcoin and Counterparty). Because of the rules of the Bitcoin wiki, which restrict "altcoin" content, I limited these additions strictly to the technical side of the implementation.

I didn't touch Iain Stewart's original content, because it's of high historical significance and it should stay there unchanged.

Feedback / possible additions to the article are welcome! It would be interesting, above all, what people think if Proof of Burn could be implemented in Bitcoin itself in the future or if there are any "hard" protocol rules that forbid it.

Yes, Counterparty and Levelcoin (I don't know if it still exists) use PoB only for "bootstrapping a currency out of another".

In fact, with Slimcoin in operation, the wiki article http://en.bitcoin.it/wiki/Proof_of_burn should be updated. There, the first sentence is:


It should be something like:


Unfortunately I have no write permissions for the wiki (and my English is perhaps not good enough), someone here has and can update this?

Maybe it is or maybe it isn't ?

Still don't get it how it works and how is it better?

Interesting and need more time to learn more here.

CounterParty doesn't need another consensus mechanism, it's piggybacking off of Bitcoin's PoW. It would be silly to.

Hi d5000, I'm also quite interested in proof-of-burn after recently reading the wiki page linked in the OP.

When I first read that and started searching, I found Counterparty, but after reading it I discovered that they only used PoB for initial bootstrapping by burning BtC for a limited time. Sad face.  I haven't found any others yet except slimcoin.

I've downloaded slimcoin and started playing with it a bit, though. I'm just really interested in the potential for running a cryptocurrency without the "wasted" power (etc) of running mining rigs (well, wasted unless it's a chilly winter, I guess...  ) and what potential weaknesses it might have that a PoW system doesn't.

I am reanimating this olde thread because I'm really interested in the Proof-of-burn concept as an alternative to PoW and PoS.

There is actually an altcoin using it, Slimcoin (https://bitcointalksearch.org/topic/ann-slimcoin-proof-of-burn-new-block-gen-mineable-by-low-power-computer-613213). Unfortunately, the software is pretty unstable, with frequent forks ocurring, and the developer seems not able to fix the bugs of the client.

If there are any of the original inventors of Proof-of-burn left in this forum, I would be interested what they think of Slimcoin.

- Is the algorithm it uses for the PoB section sound?
- Would you design a PoB coin this way or differently?
- Are there chances for another PoB coin as a proof-of-concept?

(Disclaimer: I am not really invested in Slimcoin, bought only a few coins for cheap at BTER to try out the burn mechanism, but it's for now the only coin that uses PoB for blockchain maintenance and so I am following it.)

Yes


How would you calculate total reward? you mean - total monetary supply of M? or M used to receive N ? sry half asleep.

with counterparty it doesn't use PoW function so there would be no miners, the proof of burn (ie sending to a provably unspendable address) as distribution mechanism just ensures no single party receives a massive initial payout before anything is done, in that sense it's trustless- the developers have to have faith in the project by backing with their own funds the same as joe public

How is burning N coin to mine a total of (coinbase + fees) M coin per block any different than mining a coin with no proof of burn required but with total reward (M-N) ? 

 

Couldn't we use this to transfer from bitcoin to a stronger protocol should the need arise?

The concept was proposed in 2012, then the Counterparty team put the PoB to reality now.

https://bitcointalksearch.org/topic/annxcp-counterparty-pioneering-peer-to-peer-finance-official-thread-395761

But why it showed that 'Unable to decode input address' in the block chain? It is strange!

It allows for voluntary transition to a new system, but isn't it a waste of BTC?
I.e. if you have 2 new systems with incompatible rules, one requires PoB and the other just "Proof of Ownership",
otherwise they are identical, I don't see the reason why the PoB version would have higher market value, except "people
made sacrifices for it, therefore it must be valuable".

Thanks for the link the the ANN.

These are the burns (POB) for Counterparty

See https://bitcointalksearch.org/topic/annxcp-counterparty-pioneering-peer-to-peer-finance-official-thread-395761

Cheers

I'm trying to understand this transaction.

https://blockchain.info/tx/8e08bfdf208f0e2659615ab035523c792d41d808c698d25eb12489c74c78fc80

Why do you need the external randomness?

Couldn't you just have the "simulated rig" generate a lowest hash each second of

Hash(, new block-id, t) / (number of burnt coins)

where t is the timestamp in the header.

The Rig-Id would be selected by the buyer when burning the coins/buying the rig.  There would be a rule that duplicate seeds are not allowed.

If there are 2 chains with the same psuedo-proof of work, the one with the earliest timestamp at the fork would win.

The decay in power of the rigs is a good plan.  However, if the currency deflates, then buying later would effectively be cheaper, so maybe not necessary.

I wonder if it using the number of coins burned over time could be used to measure deflation.

Question: Are the "simulated GPUs permanent?", i.e. once I create one and wait the two months can it continue mining bitcoins forever (with hashing power proportional to its initial burn)?

If not, then I think this proposal is going to be extremely insecure relative to PoS and/or PoW. If the burn is transient, then the security device is equivalent to GPUs that self-destruct after a certain amount of time has gone by. That is bad. If the lifespan of the simulated rigs is short, then double-spending attacks will be exceptionally cheap.

If the burn is permanent, then you are essentially selling something like dilutable shares in the discounted present value of all future txn fees. To attack this, you would need to burn more than the sum total of all past burns. That would like be a significant proportion of all total coins. There is also the nice property here that attack costs increase monotonically over time (ignoring careless loss of simulated rigs by participants). I don't think this will be as secure as PoS, but it seems secure enough and there appear to be general benefits in terms of accelerated deflation. The permanent burn seems like a good approach to me.

I am not happy with your solution to the randomness problem. I don't think there should be any external dependencies. Just ask anyone who mines a block to submit 1 byte of randomness. I think that will work fine. It is impossible to manipulate the future any meaningful degree with just one byte of randomness. However, block sequences generate a very large amount of randomness, so future behavior over a time scale longer than a few hours is completely unpredictable.

Can you use Bitcoin block hashes as a source of randomness ?
If Bitcoin is secure, then Burncoin will be, without the need for merged mining.

I proposing an alternative to PoBurn that does not require a random source.
I'm posting it in a new thread. Check https://bitcointalksearch.org/topic/proof-of-bet-an-alternative-to-everything-else-131230

Instead of putting in lottery data, why not ask the miner's to submit the randomness, i.e. the miners submit a 0 or 1 with each block? The aggregation of these 0s and 1s is a source of "randomness". I don't think you could do much to help yourself with just a 0 or a 1. On the other hand, the aggregation of a long series of 0s and 1s will be unpredictable unless the chain is already under the control of a single agent.

Interesting...

What if the coin get stuck in a time where nobody has burn enough coins in the past two months?

No new block will appear, and there will be no re-calculation of the target price. Also there will be no more coins burnt since no new block is holding the transaction where coins are burnt.

Wouldn't that be kind of deadlock ?

The angle I like on this is not a PoB system exactly, but a PoB method of transfer to a new crypto-currency. It allows for gradual and voluntary transition to a system with incompatible rules. I think if a better system than bitcoin was devised a PoB bridge could save it years of bootstrapping.

I have a few problems with this proposal

1)  I'm not convinced that producing a script that is always false, that hashes out to a previously used address, qualifies as proof that said address doesn't also have an honest private key.  What is to prevent any miner who has successfully mined a block in the past, to brute force a false script that produces the same hash address?  This would certainly be easier than trying to force a key-pair collision, as the script doesn't have to fit into a pre-determined key length, and just about any false script should qualify, would it not?  Brute forcing all the txout's in the block that you have already found, and finding even one match, gives that miner unearned advantages while not preventing said txout from being respent anyway.

2)  Assuming this does work as well as intended, the net result is that the block reward is simply lower, so isn't it just an auction for the cheapest miner willing to do the work?

3)  The precise number of coins in present circulation cannot be determined, but this might also be true with PoW if we consider the unknown number of lost private keys.

4)  The very real expenditure of resources prohibits the attacker who is otherwise willing to deliberately accumulate coins in order to destroy the currency.  Basicly, methods such as PoS and PoB create a potential attack vector that PoW doesn't suffer from; the case of a long trustworthy node turning to the dark side, for whatever reason.  A 51% brute force attack is just as costly for any attacker, no matter who, when or why they choose to attack.  The other methods elevate certain players into a 'trusted node' status, by different methods, and could provide an attacker leverage by only compromising the security model of a major trusted node first.

Re comparison with proof of stake: I've posted a brief overview of the economic implications of switching to proof of burn on Peter Šurda's "Economics of Bitcoin" blog. Basically it turns coin-holders into de facto shareholders in the future stream of fees (minus miners' supporting costs) - just like proof of stake does - but with the interesting extra feature that the coin-holders don't have to become miners to realise their share of these "de facto dividends". (Of course, that could be argued to have its downside - less incentive to become a miner perhaps? - but the potential upside is a really solid strengthening of the coin's value, helping make various attacks more expensive all round.)

Re the earlier work: no, I hadn't come across that, thanks for the reference to it! I've added a link to it on the Wiki page - though I do warn readers that the earlier work is of a centralised nature (the "trusted entity" business), and not directly comparable to decentralised proof-of-burn mining. But yes, it's still interesting that coin-burning was "in the ideasphere" already!

1. Interesting

2. Should be moved to the alt currencies forum.

3. Can you tl;dr the benefits over proof of stake?

4. The idea of "Coin-burning as a tool for transition between cryptocurrencies" first appeared, I believe, in the so called "Dacoinminster' Second Bitcoin Whitepaper". If you borrowed the idea from there, credit and reference is due. In fact, I think you should refer to it regardless.

Readers of this section of the forum may be interested in my proposal for a new core mining protocol for cryptocurrency, "proof of burn" - a potential alternative to proof of work and proof of stake (though perhaps closer in spirit to the latter), with many interesting properties and economic consequences.

        https://en.bitcoin.it/wiki/Proof_of_burn

Comments and feedback welcome.