
Topic: Proof of Stake - page 5. (Read 16439 times)

hero member
Activity: 798
Merit: 1000
March 13, 2012, 02:36:36 PM
#61
Sorry, please ignore the formula for now. I screwed up bigtime. Meni pointed out a significant issue that I had overlooked. He is right that a modification of the difficulty formula will never generate constant returns to scale.
I plan to solve this, however.

Well can you at least give me an idea? It would make it much easier for me to point out the several fatal flaws I think exist in this system.
legendary
Activity: 2940
Merit: 1090
March 13, 2012, 02:30:53 PM
#60
To make miners even more of stake-holders, we could vary the maturity time of the mining rewards based on a modulus of the block hash.

Miners would thus have the choice of trying for a hash with a different modulus or settling for the first sufficiently difficult hash they happen across even if its modulus is one that means a very long maturity time.

For example we could use hash modulo 256 as multiplier of the maturity time so that some would take 128 times as long as the old unmultiplied maturity time to mature.

-MarkM-
legendary
Activity: 1050
Merit: 1003
March 13, 2012, 02:23:47 PM
#59
Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-

I imagine the evil miners would just sell their locked coins immediately.  They'd be like bitcoin futures.

Perhaps, but it would be harder to sell them, fewer buyers, and it's still a huge improvement.
The miner would have to prove that he owned the coins.

What if it could be made really hard to prove and the coins should first be sent back to the miner.
Thus there would be an issue of trust.
 


Yes, return to the sending address is what I had in mind. Who knows who else holds a copy of that private key you bought? You'd just have to wait until the escrow time is up to find out...
legendary
Activity: 1050
Merit: 1003
March 13, 2012, 02:21:51 PM
#58
I think I am still confused about this formula. I assumed the max function would take the higher of the two values, but what the values are is still unclear. Maybe this was described later in the other thread, I don't know. An example would be nice, but I'll put one here and you can tell me if this is right.

Let's say difficulty = 1 million, p = 0.8, coin-confirmations = 500*100 blocks (if the coins are younger than 100 blocks, is the value exactly 100 or is it coins*100?)

(1 mil ^ 5 = 1 x 10^30)
/
(50,000 ^ 4 = 6.25 x 10^18)
=
160 million ?

if instead

1 mil ^ (5 / 6.25 x 10^18)
=
1.000000000000000000...

math isn't my strongest suit so please point me to where this is going wrong

edit: shit added an extra zero on 50*100 but whatever, assume it's 500*100 then


Sorry, please ignore the formula for now. I screwed up bigtime. Meni pointed out a significant issue that I had overlooked. He is right that a modification of the difficulty formula will never generate constant returns to scale.
I plan to solve this, however.
hero member
Activity: 523
Merit: 500
March 13, 2012, 02:19:50 PM
#57
Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-

I imagine the evil miners would just sell their locked coins immediately.  They'd be like bitcoin futures.

Perhaps, but it would be harder to sell them, fewer buyers, and it's still a huge improvement.
The miner would have to prove that he owned the coins.

What if it could be made really hard to prove and the coins should first be sent back to the miner.
Thus there would be an issue of trust.
 

hero member
Activity: 523
Merit: 500
March 13, 2012, 02:07:49 PM
#56
Quote
I also feel that my proposal has a side benefit, however. Most mining investment would be reallocated to purchasing currency under my system. I feel like the current arrangement where bitcoin users spend a lot on GPUs, ASICs, FPGAs, and electricity instead of buying bitcoin is profoundly wasteful. The market capitalization of the currency would be higher under my system. Higher market cap should be associated with reduced price volatility. This seems like significant enough of an issue to merit consideration.

Cunicula

That's a very good point.

Quote
I'm also concerned about sudden flight from the currency and the possibility that it would enable mining stakeholders to escape some of the consequences of potential misbehavior. Therefore in the past I have suggested escrowing the coins of actively mining stakeholders for a long period. In a case of wrong doing, they would be the last ones able to sell off their bitcoin. In this scheme, mining stakeholders would have to commit not to sell until months after they exited mining. They would be willing to do this in exchange for fees and currency generation.

Cunicula

Those are two great points.

Miners leaving Bitcoin last, is like the captain being the last to leave a ship.
Hence it's really in their interest to keep the ship from not sinking until the end.

I had been thinking along the same lines but did not come up with such an "easy" solution.

One thing to consider is that in some countries, starting to mine could be the only or easiest way to get Bitcoins, if it's not possible to send money to an exchange.

A mix of Proof of Work and Proof of Stake, if possible, would probably be the best.

And a note.
If PoS only had been the rule from the start, there would have been no coins, thus no possibility to mine ;)




sr. member
Activity: 461
Merit: 251
March 13, 2012, 01:49:59 PM
#55
Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-

I imagine the evil miners would just sell their locked coins immediately.  They'd be like bitcoin futures.
hero member
Activity: 798
Merit: 1000
March 13, 2012, 01:25:37 PM
#54
I think I am still confused about this formula. I assumed the max function would take the higher of the two values, but what the values are is still unclear. Maybe this was described later in the other thread, I don't know. An example would be nice, but I'll put one here and you can tell me if this is right.

Let's say difficulty = 1 million, p = 0.8, coin-confirmations = 500*100 blocks (if the coins are younger than 100 blocks, is the value exactly 100 or is it coins*100?)

(1 mil ^ 5 = 1 x 10^30)
/
(50,000 ^ 4 = 6.25 x 10^18)
=
160 million ?

if instead

1 mil ^ (5 / 6.25 x 10^18)
=
1.000000000000000000...

math isn't my strongest suit so please point me to where this is going wrong

edit: shit added an extra zero on 50*100 but whatever, assume it's 500*100 then
legendary
Activity: 1050
Merit: 1003
March 13, 2012, 01:25:33 PM
#53
In Cunicula's system, voting power is determined by combining (multiplicatively) your hashrate and stake. To be effective you need both to be high (which IMO is very problematic because small players cannot contribute effectively. It's not linear.)

I will re-examine this when I have time. What you want is constant returns to scale (aka homotheticity of degree one). If there is a function f determining how s (stake) and w (work) affect the  mining rate, we both are looking for the following property:

f(as,aw)=a(f(s,w))

That is, if we double our coin holdings and our hashing power, then our generation rate also doubles. If this condition holds, then efficient mining can take place at any scale.
Right.

I am using the well-known Cobb-Douglas function which would certainly have this property if s and w were deterministic.

q = (s^0.8)(w^0.2)

However, I need to think more carefully about it because w is a Poisson random variable, so I need to make sure that the constant returns property is preserved in expectation. I'll probably just simulate it, but I have too much to do over the next few days. Please postpone this question.
I think you're not clearly thinking about the dynamics of this. A target which goes by difficulty^0.2 is not the same as scaling effectiveness with work^0.2. If you have twice the hashrate (with fixed stake), you generate twice as many hashes, and since each hash independently has a given probability to be a valid block, you have twice as much chance to have the next block yours - thus, you have as much weight as 2 players each with the same stake as you and the undoubled hashrate. If you have 2s and 2w, you are much more effective than 2 players with s,w each.

Doing what you want would require a more fundamental change than just a formula for the target.

Aye, you are right. I will think more about it.
legendary
Activity: 2940
Merit: 1090
March 13, 2012, 01:22:40 PM
#52
Maybe instead of adding some kind of escrow system to hold miner's coins it would suffice to increase the number of blocks it takes for mined coins to mature? We could even tie that to the block number, so over time it will take longer and longer for newly mined blocks to mature?

-MarkM-
donator
Activity: 2058
Merit: 1054
March 13, 2012, 01:20:37 PM
#51
a) lack of incentives for stakeholders to contribute signatures in Meni's system (perhaps only a small minority will contribute and therefore small, but active stakeholders could be too powerful.)
There can be signature fees. Since signing is cheap, there needn't be very big incentives.

b) whether disruptive attacks are possible between stakeholding checkpoints (txn fees will still be quite low, so double spends may be easy to pull off and simple attacks like messing with difficulty are possible)
Double-spending will be relatively easy between checkpoints, but still too hard for everyday transactions. Large transactions will wait a day or so for a checkpoint.

c) how signatures are collected from stakeholders (which stakeholders sign the checkpoint, can anyone sign?)
Basically anyone can sign, their weight depends not only on the number of coins in the address but on its recent history. Signatures are broadcast and probably included in a block like transactions.

d) if there is a fork, how do stakeholders coordinate on which branch to sign
They don't. You could do sanity checks like waiting to see that the block looks undisputed (eg, 6 confirmations with no alternative branch), to make conflicts an exception rather than the rule. But in the end everyone just picks one. The safety is then a function of the difference in signatures between the two blocks - if a receiver considers the current block not safe enough, he will wait for the next signature block. This could be an opening for DoS, but I think that's also solvable.

I also feel that my proposal has a side benefit, however. Most mining investment would be reallocated to purchasing currency under my system. I feel like the current arrangement where bitcoin users spend a lot on GPUs, ASICs, FPGAs, and electricity instead of buying bitcoin is profoundly wasteful. The market capitalization of the currency would be higher under my system. Higher market cap should be associated with reduced price volatility. This seems like significant enough of an issue to merit consideration.
I think any PoS design would greatly limit the focus on mining hardware.


Right now, I am looking for a proof-of-concept implementation and therefore I am trying to make things as simple as possible to prevent confusion/intimidation among would-be implementers.
I think it will be counterproductive to have a proof of concept which is not thoroughly thought out. This is difficult to get right and if it's not carefully designed it will not work, and then you'll have to face all the people saying "see, PoS doesn't work!".
legendary
Activity: 1050
Merit: 1003
March 13, 2012, 01:13:26 PM
#50

Why would I trust a large speculator holding a lot of BTC to act in the best interest of BTC?
They will sell as soon as they think there's nothing more to gain.



I'm also concerned about sudden flight from the currency and the possibility that it would enable mining stakeholders to escape some of the consequences of potential misbehavior. Therefore in the past I have suggested escrowing the coins of actively mining stakeholders for a long period. In a case of wrong doing, they would be the last ones able to sell off their bitcoin. In this scheme, mining stakeholders would have to commit not to sell until months after they exited mining. They would be willing to do this in exchange for fees and currency generation.

Right now, I am looking for a proof-of-concept implementation and therefore I am trying to make things as simple as possible to prevent confusion/intimidation among would-be implementers.
legendary
Activity: 1050
Merit: 1003
March 13, 2012, 01:05:03 PM
#49
Also, can someone please add a tl;dr on what are the key differences between the PoS systems proposed by Meni & Cunicula? I haven't followed this entire discussion. I did place a small placeholder in the wiki for this.
In Cunicula's system, voting power is determined by combining (multiplicatively) your hashrate and stake. To be effective you need both to be high (which IMO is very problematic because small players cannot contribute effectively. It's not linear.)

In my system, there's a skeleton based purely on hashrate, and superposed on it are occasional checkpoints set by stakeholders. You can contribute PoW without having stake, and you can contribute PoS without having work, and in both cases your voting power and reward is linearly proportional to the resources you have.

Excellent, I put it in the wiki.
I remembered reading earlier about your suggestion, and it makes perfect sense.

Cunicula - any definitive argument why your proposal is better than Meni's?
Sorry about the excess name in the wiki. I will fix it.

I don't have a definitive argument yet, but I am thinking about the following issues:

a) lack of incentives for stakeholders to contribute signatures in Meni's system (perhaps only a small minority will contribute and therefore small, but active stakeholders could be too powerful.)
b) whether disruptive attacks are possible between stakeholding checkpoints (txn fees will still be quite low, so double spends may be easy to pull off and simple attacks like messing with difficulty are possible)
c) how signatures are collected from stakeholders (which stakeholders sign the checkpoint, can anyone sign?)
d) if there is a fork, how do stakeholders coordinate on which branch to sign

If I can get past this stuff, then I will be happy with it. Security, dominance of stakeholders, and low fees are the main important things for me. Whatever satisfies these criteria should be good enough.

I also feel that my proposal has a side benefit, however. Most mining investment would be reallocated to purchasing currency under my system. I feel like the current arrangement where bitcoin users spend a lot on GPUs, ASICs, FPGAs, and electricity instead of buying bitcoin is profoundly wasteful. The market capitalization of the currency would be higher under my system. Higher market cap should be associated with reduced price volatility. This seems like significant enough of an issue to merit consideration.
donator
Activity: 2058
Merit: 1054
March 13, 2012, 12:57:32 PM
#48
In Cunicula's system, voting power is determined by combining (multiplicatively) your hashrate and stake. To be effective you need both to be high (which IMO is very problematic because small players cannot contribute effectively. It's not linear.)

I will re-examine this when I have time. What you want is constant returns to scale (aka homotheticity of degree one). If there is a function f determining how s (stake) and w (work) affect the  mining rate, we both are looking for the following property:

f(as,aw)=a(f(s,w))

That is, if we double our coin holdings and our hashing power, then our generation rate also doubles. If this condition holds, then efficient mining can take place at any scale.
Right.

I am using the well-known Cobb-Douglas function which would certainly have this property if s and w were deterministic.

q = (s^0.8)(w^0.2)

However, I need to think more carefully about it because w is a Poisson random variable, so I need to make sure that the constant returns property is preserved in expectation. I'll probably just simulate it, but I have too much to do over the next few days. Please postpone this question.
I think you're not clearly thinking about the dynamics of this. A target which goes by difficulty^0.2 is not the same as scaling effectiveness with work^0.2. If you have twice the hashrate (with fixed stake), you generate twice as many hashes, and since each hash independently has a given probability to be a valid block, you have twice as much chance to have the next block yours - thus, you have as much weight as 2 players each with the same stake as you and the undoubled hashrate. If you have 2s and 2w, you are much more effective than 2 players with s,w each.

Doing what you want would require a more fundamental change than just a formula for the target.
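
The objection in the post above, worked through numerically as an added example (not code from any poster in this thread). It assumes stake enters only through a per-hash success probability proportional to s^0.8; the function names and the three-miner scenario are constructed for illustration.

```python
import random

ALPHA = 0.8  # stake exponent taken from the thread's q = (s^0.8)(w^0.2)


def cobb_douglas(s, w, alpha=ALPHA):
    """Intended deterministic generation rate q = s^alpha * w^(1 - alpha)."""
    return (s ** alpha) * (w ** (1 - alpha))


def per_hash_rate(s, w, alpha=ALPHA):
    """Expected block rate when stake only changes the per-hash target.

    Assumption: every hash is an independent trial whose success
    probability is proportional to s^alpha, so the rate is w * s^alpha
    (linear in hashrate, whatever exponent the target formula uses).
    """
    return w * (s ** alpha)


def scale_ratio(f, s, w, a=2.0):
    """f(a*s, a*w) / (a * f(s, w)); exactly 1.0 means constant returns to scale."""
    return f(a * s, a * w) / (a * f(s, w))


def simulate_share(miners, blocks=200_000, seed=1):
    """Fraction of blocks won by each (stake, hashrate) miner.

    Independent per-hash trials form competing Poisson processes, so each
    block goes to miner i with probability rate_i / sum(rates).
    """
    rng = random.Random(seed)
    rates = [per_hash_rate(s, w) for s, w in miners]
    total = sum(rates)
    wins = [0] * len(miners)
    for _ in range(blocks):
        x = rng.random() * total
        acc = 0.0
        for i, r in enumerate(rates):
            acc += r
            if x < acc:
                wins[i] += 1
                break
        else:
            wins[-1] += 1  # guard against floating-point edge at the top of the range
    return [n / blocks for n in wins]


if __name__ == "__main__":
    # Constructed scenario: one miner with (2s, 2w) against two miners with (s, w) each.
    miners = [(2.0, 2.0), (1.0, 1.0), (1.0, 1.0)]
    print("Cobb-Douglas scale ratio:", scale_ratio(cobb_douglas, 1.0, 1.0))
    print("Per-hash target scale ratio:", scale_ratio(per_hash_rate, 1.0, 1.0))
    print("Simulated block shares:", simulate_share(miners))
```

The large miner holds half the stake and half the hashrate in this scenario, yet wins well over half the blocks, which is the increasing-returns effect the post describes.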
sr. member
Activity: 461
Merit: 251
March 13, 2012, 12:49:43 PM
#47
I'm thinking along the lines of a combination of all three of the ideas here:

Take the existing system, but allow stakeholders to vote on blockchain branches by optionally including the hash of a prior block in a particular branch in one of their signed txns.  The share of votes cast by that txn on that block would then be proportional to the total days destroyed by all the outputs spent in that txn so that votes are proportional to stake held, and voters can't "vote repeatedly" on a branch.  (Edit: For fairness, I think you'll want competing branches to be able to use these days destroyed up to the block they branch from.  Also, "days destroyed" = coin*confirmations, if that's clearer.)

The main branch would then be defined to be the one with the highest total weighted difficulty, where the difficulty of each block is weighted by the total votes cast on it.  A particular weighting could be chosen to give any desired relative importance between difficulty and total votes, like Cunicula is doing with his formula.

This system could be run in parallel to bitcoin.  A good test would be whether or not it could maintain the same main branch as bitcoin by being able to sufficiently mobilize voters to thwart off purposeful fork attempts.

In this way, the relative weighting between PoW and PoS could be tuned empirically.

And perhaps legitimate forks in the parallel system could provide a strong enough recommendation to the majority of bitcoin miners to get them to switch the branch they're working on.

If this works, I'd hope stakeholders would feel sufficiently motivated to participate in hardening the parallel system, as it would provide an immediate fallback in the event of failure of the pure PoW system, as well as a much cheaper alternative down the road when the block reward alone becomes insufficient.
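
One possible reading of the branch-selection rule proposed in the post above, as an added example that is not the poster's code. The weighting `difficulty^(1-p) * (1 + days_destroyed)^p`, the attachment of votes directly to the block they vote for, and all names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Vote:
    outpoint: str       # id of the spent output (constructed sample value)
    coins: float
    confirmations: int  # age of the output in blocks when it is spent

    @property
    def days_destroyed(self):
        # "days destroyed" = coin * confirmations, as the post defines it
        return self.coins * self.confirmations


@dataclass
class Block:
    difficulty: float
    votes: list = field(default_factory=list)


def branch_score(blocks, p):
    """Total weighted difficulty of a branch.

    p = 0 is pure proof of work; larger p gives stake votes more influence.
    An output can back a vote only once per branch, because spending it
    destroys its accumulated days.
    """
    spent = set()
    total = 0.0
    for block in blocks:
        stake = 0.0
        for vote in block.votes:
            if vote.outpoint in spent:
                continue  # repeated vote with the same output is ignored
            spent.add(vote.outpoint)
            stake += vote.days_destroyed
        total += block.difficulty ** (1 - p) * (1 + stake) ** p
    return total


def main_branch(branches, p):
    """Name of the branch with the highest total weighted difficulty."""
    return max(branches, key=lambda name: branch_score(branches[name], p))


# Constructed sample: an attacker out-mines the honest branch by one block
# but controls almost no stake.
HONEST = [
    Block(100, [Vote("a:0", 50, 10)]),
    Block(100, [Vote("b:0", 30, 10), Vote("a:0", 50, 10)]),  # second a:0 vote is a repeat
    Block(100),
]
ATTACKER = [Block(100), Block(100), Block(100), Block(100, [Vote("x:0", 1, 10)])]
BRANCHES = {"honest": HONEST, "attacker": ATTACKER}

if __name__ == "__main__":
    for p in (0.0, 0.5):
        print(p, main_branch(BRANCHES, p),
              {name: round(branch_score(b, p), 1) for name, b in BRANCHES.items()})
```

Sweeping `p` over sample forks like this is one way to carry out the empirical tuning between PoW and PoS that the post suggests.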
legendary
Activity: 1050
Merit: 1003
March 13, 2012, 12:29:22 PM
#46
In Cunicula's system, voting power is determined by combining (multiplicatively) your hashrate and stake. To be effective you need both to be high (which IMO is very problematic because small players cannot contribute effectively. It's not linear.)



I will re-examine this when I have time. What you want is constant returns to scale (aka homotheticity of degree one). If there is a function f determining how s (stake) and w (work) affect the  mining rate, we both are looking for the following property:

f(as,aw)=a(f(s,w))

That is, if we double our coin holdings and our hashing power, then our generation rate also doubles. If this condition holds, then efficient mining can take place at any scale.

I am using the well-known Cobb-Douglas function which would certainly have this property if s and w were deterministic.

q = (s^0.8)(w^0.2)

However, I need to think more carefully about it because w is a Poisson random variable, so I need to make sure that the constant returns property is preserved in expectation. I'll probably just simulate it, but I have too much to do over the next few days. Please postpone this question.
donator
Activity: 2058
Merit: 1054
March 13, 2012, 11:14:10 AM
#45
But for sure I would not trust the wealthiest people on this planet (in $$$) to care much for my interests, so why should I trust the persons who hold the most BTC more than that?
Oh, no need to trust them to care for your interests. You should trust them to care for their own interests, that usually works. And it is to your advantage to have your interests aligned with theirs - for example, if you both care about the health of Bitcoin at large.

And as you already hinted in your statement (at least it can be deducted from it), "being able to invest in huge mining operations" and having the "most stake in the current financial system" can easily produce players that have large stakes in Bitcoin too.
So these two don't exclude each other, just one takes more time than the other.
Yes, one of my points is that obtaining a majority of bitcoins should be significantly harder than a majority of mining. It's not supposed to be bullet-proof, just significantly better than the current solution, and it should at all times maintain the invariant that the cost to launch an attack will be higher than the incentive to do so.

Why would I trust a large miner to act in the best interest of BTC as a currency?
Large miners are in it for the profit, their support of the currency ends where their profit ends (the whole discussion here https://bitcointalksearch.org/topic/what-will-you-do-when-the-gold-rush-ends-67913 is centered at that thought).
If they're using Bitcoin-dedicated hardware, they're interested in the health of Bitcoin to maintain the value of their investment.

Why would I trust a large speculator holding a lot of BTC to act in the best interest of BTC?
They will sell as soon as they think there's nothing more to gain.
As long as they're holding bitcoins, they'll want them to have a high exchange rate (a product of ecosystem health), at least short-term. If and when they cash out, they no longer have a say in voting.

I'd rather trust a single individual with an average number of Bitcoins, and a few GPUs in their gaming computer that are trying to sell and buy stuff on BitMit.net using BTC. Or an enthusiast with a few FPGAs or spending hours writing code for BTC, or the economist who went broke to promote his interest-free currency http://realcurrencies.wordpress.com/2012/01/10/bitcoin-a-positive-step-in-monetary-reform/ or Matt https://bitcointalksearch.org/topic/m.797433 who almost made it to the top of the ignore list for his affection, strong opinions and free spirit.
Sure, that's why weight should be linear.

Addendum: The concept that someone has a stake in BTC because they hold a lot of it, becomes even less important when BTC will approach its goal of being a competitive currency to currently established currencies. Because then according to free market principles anyone who is out for profit would just choose the currency that provides the most profit. Having a lot of bitcoins, even if correlated now, is not an effective gauge for loyalty of an individual to that currency.
By that time it will be that much harder to obtain a majority of bitcoins. Also, once again, as long as they're holding bitcoins, they'll want them not to drop in value. Long-term loyalty isn't really required.
donator
Activity: 448
Merit: 250
March 13, 2012, 10:49:17 AM
#44
1. Under a PoS system like my own, stakeholders will not have ultimate power to control the universe (at least, not any more than in Bitcoin currently). Stakeholders cannot conjure new coins or confiscate coins. Their abilities are very limited and very technical - they can mark a block to signify that transactions in it can be safely assumed not to be double-spent. Attacks that are now possible with a majority of hashrate (such as rejecting transactions), will only be possible with a majority of hashrate and bitcoins (maybe not even that, depending on the system).

That's what I called "intriguing" in my last message.

Quote
2. Who would you rather have some limited ability to mess things up - those who have the most stake in the Bitcoin system, and thus have the most to lose from doing so, or those who have the most stake in the current financial system and can afford to invest in huge mining operations?

That's what I called 'dialectic' and I have no final answer to that yet.
But for sure I would not trust the wealthiest people on this planet (in $$$) to care much for my interests, so why should I trust the persons who hold the most BTC more than that? And as you already hinted in your statement (at least it can be deducted from it), "being able to invest in huge mining operations" and having the "most stake in the current financial system" can easily produce players that have large stakes in Bitcoin too.
So these two don't exclude each other, just one takes more time than the other.

Quote
3. Stakeholder's weight is linear in their stake. A small player is not cut out.

Would you think of a BTC exchange or trading platform as a large stake holder? I would, even though the coins they hold are mostly not theirs. But the system wouldn't know the difference. Just like large mining pools would currently be the most successful targets for a 51% attack.

Quote
4. As far as I can tell, the idea of introducing PoS to Bitcoin predated the creation of Solidcoin and its trusted nodes.

Maybe so.

Quote
5. Just because SolidCoin did something doesn't mean anything that is remotely reminiscent of it must be banned forever.

Never said that. Also I have no interest in banning SC. They can work that out among themselves (oh wait, just among trusted nodes).

Final thoughts:

Why would I trust a large miner to act in the best interest of BTC as a currency?
Large miners are in it for the profit, their support of the currency ends where their profit ends (the whole discussion here https://bitcointalksearch.org/topic/what-will-you-do-when-the-gold-rush-ends-67913 is centered at that thought).

Why would I trust a large speculator holding a lot of BTC to act in the best interest of BTC?
They will sell as soon as they think there's nothing more to gain.

I'd rather trust a single individual with an average number of Bitcoins, and a few GPUs in their gaming computer that are trying to sell and buy stuff on BitMit.net using BTC. Or an enthusiast with a few FPGAs or spending hours writing code for BTC, or the economist who went broke to promote his interest-free currency http://realcurrencies.wordpress.com/2012/01/10/bitcoin-a-positive-step-in-monetary-reform/ or Matt https://bitcointalksearch.org/topic/m.797433 who almost made it to the top of the ignore list for his affection, strong opinions and free spirit.

Addendum: The concept that someone has a stake in BTC because they hold a lot of it, becomes even less important when BTC will approach its goal of being a competitive currency to currently established currencies. Because then according to free market principles anyone who is out for profit would just choose the currency that provides the most profit. Having a lot of bitcoins, even if correlated now, is not an effective gauge for loyalty of an individual to that currency. Taking both hashing power and the stake into account reduces the pool of such individuals somewhat, but eventually has the same issues.



donator
Activity: 2058
Merit: 1054
March 13, 2012, 10:07:31 AM
#43
In theory this sounds intriguing, but to me the "Proof of Stake" concept is just another way to introduce the ShitCoin (aka SolidCoin) concept into Bitcoin and attempt to establish a BTC version of the Money Power (like a BTC Rothschild or so). It seems one only has to find the right dialectic to talk people into something that doesn't fully agree with the original mission. Even if you don't immediately go as far as SC and trust the nodes with more coins more than anyone else, that is another logical consequence of the concept, and in the end: Hurray, we took monetary control away from feds and establishment and give it to someone we can trust.

People who own a large amount of BTC will most likely agree with the concept, others that like the dialectic will be sold into it without owning a large stake, and we are back to yet another Money Power controlled currency.

That's like the end of the "Animal Farm" by George Orwell.
1. Under a PoS system like my own, stakeholders will not have ultimate power to control the universe (at least, not any more than in Bitcoin currently). Stakeholders cannot conjure new coins or confiscate coins. Their abilities are very limited and very technical - they can mark a block to signify that transactions in it can be safely assumed not to be double-spent. Attacks that are now possible with a majority of hashrate (such as rejecting transactions), will only be possible with a majority of hashrate and bitcoins (maybe not even that, depending on the system).

2. Who would you rather have some limited ability to mess things up - those who have the most stake in the Bitcoin system, and thus have the most to lose from doing so, or those who have the most stake in the current financial system and can afford to invest in huge mining operations?

3. Stakeholder's weight is linear in their stake. A small player is not cut out.

4. As far as I can tell, the idea of introducing PoS to Bitcoin predated the creation of Solidcoin and its trusted nodes.

5. Just because SolidCoin did something doesn't mean anything that is remotely reminiscent of it must be banned forever.
legendary
Activity: 938
Merit: 1001
bitcoin - the aerogel of money
March 13, 2012, 10:04:04 AM
#42
A pure proof of stake could possibly suffer from low "voter turnout" so even if someone doesn't own the majority of bitcoins he could control the majority of confirmations.

That's why I like the idea of a mixed PoW/PoS system. 