Topic: Proof of Stake - page 5. (Read 16423 times)

Well can you at least give me an idea? It would make it much easier for me to point out the several fatal flaws I think exist in this system. 

To make miners even more of stake-holders, we could vary the maturity time of the mining rewards based on a modulus of the block hash.

Miners would thus have the choice of trying for a hash with a different modulus or settling for the first sufficiently difficult hash they happen across even if its modulus is one that means a very long maturity time.

For example we could use hash modulo 256 as multiplier of the maturity time so that some would take 128 times as long as the old unmultiplied maturity time to mature.

-MarkM-

Yes, return to the sending address is what I had in mind. Who knows who else holds a copy of that private key you bought? You'd just have to wait until the escrow time is up to find out...

Sorry, please ignore the formula for now. I screwed up bigtime. Meni pointed out a significant issue that I had overlooked. He is right that a modification of the difficulty formula will never generate constant returns to scale.
I plan to solve this, however.

Perhaps but it would be harder to sell them, less buyers and its still an huge improvement.
The miner would have to prove that he owned the coins.

What if it could be made really hard to prove and the coins should first be sent back to the miner.
Thus the there would be a issue of trust.
 

Thats a very good point.


Those are two great points.

Miners leaving Bitcoin last, is like the captain being the last to leave a ship.
Hence its really in their interest to keep the ship from not sinking until the end.

I had been thinking along the same lines but did not come up with such a "easy" solution.

One thing to consider is that in some countries, starting to mine could be the only or easiest way to get Bitcoins, if its not possible to send money to an exchange.

A mix of Proof of work and Proof of stake, if possible would probably be the best.

And a note.
If a Pos only would had been the rule from the start, there would had been no coins thus no possibility to mine

I imagine the evil miners would just sell their locked coins immediately.  They'd be like bitcoin futures.

I think I am still confused about this formula. I assumed the max function would take the higher of the two values, but what the values are is still unclear. Maybe this was described later in the other thread, I don't know. An example would be nice, but I'll put one here and you can tell me if this is right.

Let's say difficulty = 1 million, p = 0.8, coin-confirmations = 500*100 blocks (if the coins are younger than 100 blocks, is the value exactly 100 or is it coins*100?)

(1 mil ^ 5 = 1 x 10^30)
/
(50,000 ^ 4 = 6.25 x 10^18)
=
160 million ?

if instead

1 mil ^ (5 / 6.25 x 10^18)
=
1.000000000000000000...

math isn't my strongest suit so please point me to where this is going wrong

edit: shit added an extra zero on 50*100 but whatever, assume it's 500*100 then

Aye, you are right. I will think more about it.

Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-

There can be signature fees. Since signing is cheap, there needn't be very big incentives.

Double-spending will be relatively easy between checkpoints, but still too hard for everyday transactions. Large transactions will wait a day or so for a checkpoint.

Basically anyone can sign, their weight depends not only on the number of coins in the address but on its recent history. Signatures are broadcast and probably included in a block like transactions.

They don't. You could do sanity checks like waiting to see that the block looks undisputed (eg, 6 confirmations with no alternative branch), to make conflicts an exception rather than the rule. But in the end everyone just picks one. The safety is then a function of the difference in signatures between the two blocks - if a receiver considers the current block not safe enough, he will wait for the next signature block. This could be an opening for DoS, but I think that's also solvable.

I think any PoS design would greatly limit the focus on mining hardware.


I think it will be counterproductive to have a proof of concept which is not thoroughly thought out. This is difficult to get right and if it's not carefully designed it will not work, and then you'll have to face all the people saying "see, PoS doesn't work!".

I'm also concerned about sudden flight from the currency and the possibility that it would enable mining stakeholders to escape some of the consequences of potential misbehavior. Therefore in the past I have suggested escrowing the coins of actively mining stakeholders for a long period. In a case of wrong doing, they would be the last ones able to sell off their bitcoin. In this scheme, mining stakeholders would have to commit not to sell until months after they exited mining. They would be willing to do this in exchange for fees and currency generation.

Right now, I am looking for a proof-of-concept implementation and therefore I am trying to make things as simple as possible to prevent confusion/intimidation among would-be implementers.

Sorry about the excess name in the wiki. I will fix it.

I don't have a definitive argument yet, but I am thinking about the following issues:

a) lack of incentives for stakeholders to contribute signatures in Meni's system (perhaps only a small minority will contribute and therefore small, but active stakeholders could be too powerful.)
b) whether disruptive attacks are possible between stakeholding checkpoints (txn fees will still be quite low, so double spends may be easy to pull off and simple attacks like messing with difficulty are possible)
c) how signatures are collected from stakeholders (which stakeholders sign the checkpoint, can anyone sign?)
d) if there is a fork, how do stakeholders coordinate on which branch to sign

If I can get past this stuff, then I will be happy with it. Security, dominance of stakeholders, and low fees are the main important things for me. Whatever satisfies these criteria should be good enough.

I also feel that my proposal has a side benefit, however. Most mining investment would be reallocated to purchasing currency under my system. I feel like the current arrangement where bitcoin users spend a lot on GPUs, ASICs, FPGAs, and electricity instead of buying bitcoin is profoundly wasteful. The market capitalization of the currency would be higher under my system. Higher market cap should be associated with reduced price volatility. This seems like significant enough of an issue to merit consideration.

Right.

I think you're not clearly thinking about the dynamics of this. A target which goes by difficulty^0.2 is not the same as scaling effectiveness with work^0.2. If you have twice the hashrate (with fixed stake), you generate twice as many hashes, and since each hash independently has a given probability to be a valid block, you have twice as much chance to have the next block yours - thus, you have as much weight as 2 players each with the same stake as you and the undoubled hashrate. If you have 2s and 2w, you are much more effective than 2 players with s,w each.

Doing what you want would require a more fundamental change than just a formula for the target.

I'm thinking along the lines of a combination of all three of the ideas here:

Take the existing system, but allow stakeholders to vote on blockchain branches by optionally including the hash of a prior block in a particular branch in one of their signed txns.  The share of votes cast by that txn on that block would then be proportional to the total days destroyed by all the outputs spent in that txn so that votes are proportional to stake held, and voters can't "vote repeatedly" on a branch.  (Edit: For fairness, I think you'll want competing branches to be able to use these days destroyed up to the block they branch from.  Also, "days destroyed" = coin*confirmations, if that's clearer.)

The main branch would then be defined to be the one with the highest total weighted difficulty, where the difficulty of each block is weighted by the total votes cast on it.  A particular weighting could be chosen to give any desired relative importance between difficulty and total votes, like Cunicula is doing with his formula.

This system could be run in parallel to bitcoin.  A good test would be whether or not it could maintain the same main branch as bitcoin by being able to sufficiently mobilize voters to thwart off purposeful fork attempts.

In this way, the relative weighting between PoW and PoS could be tuned empirically.

And perhaps legitimate forks in the parallel system could provide a strong enough recommendation to the majority of bitcoin miners to get them to switch the branch they're working on.

If this works, I'd hope stakeholders would feel sufficiently motivated to participate in hardening the parallel system, as it would provide an immediate fallback in the event of failure of the pure PoW system, as well as a much cheaper alternative down the road when the block reward alone becomes insufficient.

I will re-examine this when I have time. What you want is constant returns to scale (aka homotheticity of degree one). If there is a function f determining how s (stake) and w (work) affect the  mining rate, we both are looking for the following property:

f(as,aw)=a(f(s,w)

That is, if we double our coin holdings and our hashing power, then our generation rate also doubles. If this condition holds, then efficient mining can take place at any scale.

I am using the well-known Cobb-Douglas function which would certainly have this property if s and w were deterministic.

q = (s^0.(w^0.2)

However, I need to think more carefully about it because w is a poisson random variable, so I need to make sure that the constant returns property is preserved in expectation. I'll probably just simulate it, but I have too much to do over the next few days. Please postpone this question.

Oh, no need to trust them to care for your interests. You should trust them to care for their own interests, that usually works. And it is to your advantage to have your interests aligned with theirs - for example, if you both care about the health of Bitcoin at large.

Yes, one of my points is that obtaining a majority of bitcoins should be significantly harder than a majority of mining. It's not supposed to be bullet-proof, just significantly better than the current solution, and it should at all times maintain the invariant that the cost to launch an attack will be higher than the incentive to do so.

If they're using Bitcoin-dedicated hardware, they're interested in the health of Bitcoin to maintain the value of their investment.

As long as they're holding bitcoins, they'll want them to have a high exchange rate (a product of ecosystem health), at least short-term. If and when they cash out, they no longer have a say in voting.

Sure, that's why weight should be linear.

By that time it will be that much harder to obtain a majority of bitcoins. Also, once again, as long as they're holding bitcoins, they'll want them not to drop in value. Long-term loyalty isn't really required.

That's what I called "intruiging" in my last message.


That's what I called 'dialectic' and I have no final answer to that yet.
But for sure I would not trust the wealthiest people on this planet (in $$$) to care much for my interests, so why should I trust the persons who hold the most BTC more than that? And as you already hinted in your statement (at least it can be deducted from it), "being able to invest in huge mining operations" and having the "most stake in the current financial system" can easily produce players that have large stakes in Bitcoin too.
So these two don't exclude each other, just one takes more time than the other.


Would you think of a BTC exchange or trading platform as a large stake holder? I would, even though the coins they hold are mostly not theirs. But the system wouldn't know the difference. Just like large mining pools would currently be the most successful targets for a 51% attack.


Maybe so.


Never said that. Also I have no interest in banning SC. They can work that out among themselves (oh wait, just among trusted nodes).

Final thoughts:

Why would I trust a large miner to act in the best interest of BTC as a currency?
Large miners are in it for the profit, their support of the currency ends where their profit ends (the whole discussion here https://bitcointalksearch.org/topic/what-will-you-do-when-the-gold-rush-ends-67913 is centered at that thought.

Why would I trust a large speculator holding a lot of BTC to act in the best interest of BTC?
They will sell as soon as they think there's nothing more to gain.

I'd rather trust a single individual with an average number of Bitcoins, and a few GPUs in their gaming computer that are trying to sell and buy stuff on BitMit.net using BTC. Or an enthusiast with a few FPGAs or spending hours writing code for BTC , or the economist who went broke to promote hist interest-free currency http://realcurrencies.wordpress.com/2012/01/10/bitcoin-a-positive-step-in-monetary-reform/ or Matt https://bitcointalksearch.org/topic/m.797433 who almost made it to the top of the ignore list for his affection, strong opinions and free spirit.

Addendum: The concept that someone has a stake in BTC because they hold a lot of it, becomes even less important when BTC will approach it's goal of being a competitive currency to currently established currencies. Because then according to free market principles anyone who is out for profit would just choose the currency that provides the most profit. Having a lot of bitcoins, even if correlated now, is not an effective gauge for loyalty of an individual to that currency. Taking both hashing power and the stake into account reduces the pool of such individuals somewhat, but eventually has the same issues.

1. Under a PoS system like my own, stakeholders will not have ultimate power to control the universe (at least, not any more than in Bitcoin currently). Stakeholders cannot conjure new coins or confiscate coins. Their abilities are very limited and very technical - they can mark a block to signify that transactions in it can be safely assumed not to be double-spent. Attacks that are now possible with a majority of hashrate (such as rejecting transactions), will only be possible with a majority of hashrate and bitcoins (maybe not even that, depending on the system).

2. Who would you rather have some limited ability to mess things up - those who have the most stake in the Bitcoin system, and thus have the most to lose from doing so, or those who have the most stake in the current financial system and can afford to invest in huge mining operations?

3. Stakeholder's weight is linear in their stake. A small player is not cut out.

4. As far as I can tell, the idea of introducing PoS to Bitcoin predated the creation of Solidcoin and its trusted nodes.

5. Just because SolidCoin did something doesn't mean anything that is remotely reminiscent of it must be banned forever.

A pure proof of stake could possibly suffer from low "voter turnout" so even if someone doesn't own the majority of bitcoins he could control the majority of confirmations.

That's why I like the idea of a mixed PoW/PoS system.