
Topic: Proof of Stake - page 7. (Read 16423 times)

hero member
Activity: 798
Merit: 1000
March 12, 2012, 02:19:22 AM
#21
Part of the problem is that there are two distinct proposals and the answers depend on the proposal. Rather than go through all this here (and then explaining it badly and having to go through it over and over again), I'll edit the wiki progressively, please be patient.

Well, I specifically referred to your proposal. It was you, after all, that gave me lip for not following each of the 8 or so threads on this topic.

Quote
My reluctance to go in to detail here is related to my belief that you don't care much about the answers. I believe that your core objection is that proof-of-stake will help the rich get richer. My system does indeed strongly favor early adopters.

I do care about the answers because I have for a long time worked on alternative solutions to all of bitcoin's problems. I spent several hundred hours thought-processing the ideas behind encoin.
To be honest, I wasn't aware that your proposal would help the rich get richer. I was not able to understand it enough to get to that point. And certainly I would object if the end result is that the rich get richer. However, if the system was rock-solid and I could not think of a better way, I would approve because I think the complete DoS that the 51% attack provides is absolutely paramount in its need to be fixed. I think the wiki is atrocious in its description of this DoS being "not much power."

Quote
In fact, early adopters reap much larger financial rewards in my design than they do under the current proof-of-work system. I don't have any problem with that.

You realize you're begging someone to say, "why would you, you're an early adopter?" regardless of the balance of your BTC account.

Quote
Proof-of-stake would be more robust and secure. It would lead to much lower long-run equilibrium txn fees.

Why not even try digesting what I posted? I have no need to lie in saying the answer to this problem came to me rather quickly when I tried to design a stable currency idea around the bitcoin code. It would be far less disruptive and in fact could be done without changing the protocol itself, only how clients react--although it will still create a fork so that point is rather moot (but perhaps only temporarily? not sure).

Quote
I don't care who profits from operating the payments system. Whether it is just one guy, a government, or the 99% doesn't matter to me. I think attempts to keep gov't and monopolists out permanently are laughable at best. There is just no credible mechanism for doing this. The main thing for me is that new technologies exist and make people's lives more convenient. If it is Apple-branded, then so what.

Well, forgive me for looking too far to the future, but this opens up the possibility of things like white-listing accounts. Haven't registered your bitcoin address with the Bitcoin Regulatory Commission? Then this monopoly is not approving your transaction. So not only is decentralization gone, but so is pseudonymity. You claim there is no credible mechanism, but the only basis I see for that is because you haven't thought one up. If you want to attack my idea, have at it. I haven't gone far in fleshing it out, but it certainly is a lot simpler than proof-of-stake so problems should be easier to bring to light.
legendary
Activity: 1050
Merit: 1003
March 12, 2012, 01:54:55 AM
#20
Such questions are why I ended up liking the simplicity of just counting the stake actually input into the coinbase transaction, combined with the "(coins * age)*0.8 + (hashes to some fractional power)*0.2" formula Cunicula mentioned in some thread somewhere (I haven't been able to find it again though so don't know where).

Compared to the vast majority of the material in the related or vaguely related threads, it seemed wonderfully simple.

-MarkM-


Gee thanks, MarkM. I am regretting being a dick to you in the past.
legendary
Activity: 1050
Merit: 1003
March 12, 2012, 01:54:02 AM
#19
Part of the problem is that there are two distinct proposals and the answers depend on the proposal. Rather than go through all this here (and then explaining it badly and having to go through it over and over again), I'll edit the wiki progressively, please be patient.

My reluctance to go in to detail here is related to my belief that you don't care much about the answers. I believe that your core objection is that proof-of-stake will help the rich get richer. My system does indeed strongly favor early adopters. In fact, early adopters reap much larger financial rewards in my design than they do under the current proof-of-work system. I don't have any problem with that. I don't find large rewards for early adopters morally objectionable. I just want the reward system to be an efficient mechanism for securing the currency. My focus is on a robust, secure, and transparent mechanism for transmitting pseudonymous money. Proof-of-stake would be more robust and secure. It would lead to much lower long-run equilibrium txn fees. I don't care who profits from operating the payments system. Whether it is just one guy, a government, or the 99% doesn't matter to me. I think attempts to keep gov't and monopolists out permanently are laughable at best. There is just no credible mechanism for doing this. The main thing for me is that new technologies exist and make people's lives more convenient. If it is Apple-branded, then so what.
legendary
Activity: 2940
Merit: 1090
March 12, 2012, 01:51:05 AM
#18
Such questions are why I ended up liking the simplicity of just counting the stake actually input into the coinbase transaction, combined with the "(coins * age)*0.8 + (hashes to some fractional power)*0.2" formula Cunicula mentioned in some thread somewhere (I haven't been able to find it again though so don't know where).

Compared to the vast majority of the material in the related or vaguely related threads, it seemed wonderfully simple.

-MarkM-
hero member
Activity: 798
Merit: 1000
March 12, 2012, 12:34:24 AM
#17
Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?

My idea does not add significant overhead, though Meni's idea might. My idea is basically the same as the current protocol except that difficulty is individual-specific. Difficulty would depend on the product of how many coins a miner has and how many blocks have been mined since these coins were last sent or used to mine a block. All the sending info is already in the blockchain, all you need to record is the identity of the stake which mined each block. This is like one additional txn per block worth of overhead. Overhead is pretty trivial.

Please make an effort to gather information before making random claims.

It amazes me how this forum in general will attack one detracting statement and ignore the rest and act as if the rest do not exist. Then give a holier-than-thou attitude on top of it.

So, in reading your thread, I can come up with about 20 things that seemed to be unaddressed:

One wallet signs a block, what does this mean?
When does a merchant know that this block is now somehow irreversible?
How many wallets/coins do you think it would take to be reasonably sure that the block is approved? Is this going to take more than 6 confirmations?
You say "one additional txn" but I totally fail to see how. Maybe I'm just stupid. Could you explain this further?
You also seem to interchange user/wallet/miner throughout your thread and I am unclear of who is actually doing the signing. If the miners are signing, how is this any different from them mining?
You propose additional proof-of-work to make a timer. How is this not wasteful? How do you plan on judging 5 minutes? Is it best signed mini-proof-of-work wins?
c/X doesn't take into account how old the coins are, only that they are older than a specific amount. What is to prevent someone malicious from waiting to grief the network over and over? Is MtGox going to have to wait eons before allowing any trades on fresh deposits? If c/X ends up being something like "bitcoin days destroyed" in what way does this system offer *any* advantage over the one I mentioned?
Assuming two c/X's are the same and sign two different blocks, how are the miners supposed to decide which chain to build from? Randomness? While the random approach might solve a complete take over, it still does nothing for double spend protection.
Wouldn't all reasonable c/X's be included for extra protection? If so, when do we start denying small amounts? When do we just say "let mtgox sign the blocks that it chooses, that is decentralized"? Where again does this boil down to 1 extra txn per block?
Does your proposal boil down to this: the only people that can mine are those that already have a lot of coins? I'm honestly not sure. Is this some kind of proposed system that would be switched to only after the actual mining reward is minimal?
Rather than worrying about taking down the network, most people around here worry more that the power of mining would be abused to double spend. I think the latter is far less important than the former, but what does your system accomplish in regards to double spend attempts? With the assumed relative low difficulty of the future, what is to prevent someone with a lot of old coins being paid off to reverse a lot of recent transactions? Is it check-pointed? If so, again how many coins/signatures/whatever do we need to be assured that history will not be changed? Half the coin base? You even mention "majority of signatures" in a later post. Please explain to me what you mean by this.
legendary
Activity: 2940
Merit: 1090
March 12, 2012, 12:05:46 AM
#16
Okay well if coinbase transactions are allowed to have at least one input other than the coins that come from nowhere then a simple way to accomplish this "signing with a stake" would be to take inputs. Just like you can output to umpteen addresses, maybe you could also input from umpteen addresses. People could thus pool together to contribute a stake, and they could even each be returned their stake (their input) among the outputs.

In fact, the actual miner need not provide any of the stake at all, it could all be provided by stakeholders, the miner might not actually even own any coins at all. They could simply be some computation-for-hire service who neither knows nor cares what their computing power is actually being used for. (Like Eligius's miners, maybe, and those who gang up on proportional pools by way of proxy pools?)

If nefarious pools can so simply get miners to send them hashes, maybe they can also get miners to send them stakes? Make payouts proportional not only to hashes sent but also stake sent?

-MarkM-
legendary
Activity: 1050
Merit: 1003
March 11, 2012, 11:36:54 PM
#15
So you pick an address whose balance you want to use as stake for the block you are mining, and sign the block with that address's signature to prove it is your stake not someone else's?

-MarkM-

Yes, that works. Plus the confirmations on the coins get reset after they are used for a signature, just like when they are sent.
legendary
Activity: 2940
Merit: 1090
March 11, 2012, 11:22:40 PM
#14
So you pick an address whose balance you want to use as stake for the block you are mining, and sign the block with that address's signature to prove it is your stake not someone else's?

-MarkM-
legendary
Activity: 1050
Merit: 1003
March 11, 2012, 11:08:30 PM
#13
People with more BTC = people able to buy more mining power. It's quite equivalent.

If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.

Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?

My idea does not add significant overhead, though Meni's idea might. My idea is basically the same as the current protocol except that difficulty is individual-specific. Difficulty would depend on the product of how many coins a miner has and how many blocks have been mined since these coins were last sent or used to mine a block. All the sending info is already in the blockchain, all you need to record is the identity of the stake which mined each block. This is like one additional txn per block worth of overhead. Overhead is pretty trivial.

Please make an effort to gather information before making random claims.
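A minimal model of the individual-specific difficulty described in the post above, as an added example that is not part of the original thread and not any poster's code. The linear scaling of the target with coins × blocks, the `BASE_TARGET` constant, the hash layout and all names are assumptions; the stake signature discussed elsewhere in the thread is omitted.

```python
import hashlib
from dataclasses import dataclass

MAX_TARGET = 2**256 - 1
BASE_TARGET = 2**236  # assumed network-wide target per unit of coin-age


@dataclass
class Stake:
    stake_id: str   # identity recorded in the block (the extra per-block record)
    coins: int
    last_used: int  # height at which the coins were last sent or used to mine

    def coin_age(self, height: int) -> int:
        # Product of coins held and blocks mined since they last moved.
        return self.coins * max(0, height - self.last_used)


def individual_target(stake: Stake, height: int) -> int:
    # A larger coin-age gives a larger target, i.e. a lower personal difficulty.
    return min(MAX_TARGET, BASE_TARGET * stake.coin_age(height))


def expected_hashes(stake: Stake, height: int) -> float:
    target = individual_target(stake, height)
    return float("inf") if target == 0 else 2**256 / target


def block_hash(prev_hash: bytes, stake_id: str, nonce: int) -> int:
    data = prev_hash + stake_id.encode() + nonce.to_bytes(8, "big")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def verify(prev_hash: bytes, stake: Stake, height: int, nonce: int) -> bool:
    # A verifier derives the same target from chain data: balance and last move.
    return block_hash(prev_hash, stake.stake_id, nonce) < individual_target(stake, height)


def mine(prev_hash: bytes, stake: Stake, height: int, max_nonce: int = 200_000):
    for nonce in range(max_nonce):
        if verify(prev_hash, stake, height, nonce):
            stake.last_used = height  # using the stake resets its age, like a send
            return nonce
    return None


if __name__ == "__main__":
    prev = b"\x00" * 32                  # constructed previous-block hash
    big = Stake("big-holder", 100, 0)    # constructed stakes
    small = Stake("small-holder", 1, 0)
    print("expected hashes, big  :", expected_hashes(big, 50))
    print("expected hashes, small:", expected_hashes(small, 50))
    print("big mined with nonce  :", mine(prev, big, 50))
    print("big right after mining:", expected_hashes(big, 50))
    print("big ten blocks later  :", expected_hashes(big, 60))
```

In this model a stake that has just mined has zero coin-age and cannot satisfy any target until new blocks accumulate on top of it.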
legendary
Activity: 2940
Merit: 1090
March 11, 2012, 09:59:13 PM
#12
I guess stakeholders don't want to prove their stake by holding it in the form of mining rigs, let alone also actually running those rigs, because then the larger their stake the more electricity they will burn until they get to be the monopolist who supposedly can turn off most of his rigs as long as he continues to visibly continue to acquire more and to keep up with the latest improvements in rig technology.

They would much rather offload the costs of being rich, since if it costs a rich person a larger percent of their riches to remain rich than it costs a borderline-poverty person to stay above the poverty-line well that is hardly fair is it? Rich people ought to be able to pay a lower percent, surely? Otherwise they might end up on an asymptotic climb instead of an exponential one and find they cannot afford to buy all the poor folk completely totally and finally or some such disaster.

-MarkM-

P.S. Quite likely the whole story about how the monopoly ends up taking control applies to any particular money too anyway, so that no matter what we use for money someday someone will "win" and we should then basically say okay that was fun, challenging game that was, now let's put that game away and start a new one. We all acknowledge the guy who owns 51% of the wealth as the winner, write them into the history books as the great winners of that kind of currency period of history, and start over with some other convenient scorecard/scoreboard...
hero member
Activity: 798
Merit: 1000
March 11, 2012, 02:05:08 PM
#11
People with more BTC = people able to buy more mining power. It's quite equivalent.

If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.

Yes we've established that proof of stake does nothing but trade one form of power for another. It still doesn't solve much in the way of keeping the currency decentralized. And proof of stake adds a ton of overhead. Have bitcoin proponents just given up on the whole decentralized aspect?
legendary
Activity: 1358
Merit: 1003
Ron Gross
March 11, 2012, 01:53:12 PM
#10
Would it not be possible to make proof of stake one of those factors?

I don't like the idea of proof of stake because it puts the power into the hands of a few individuals. My approach is still completely decentralized and allows for much less mining power needed to secure the network. Plus proof of stake requires actual intervention by these powers that be. And, at least as it is now, there are few accounts that have a significant amount of money, yet there are many individuals that have a significant amount of money spread across many accounts. Each one of those accounts would be required to sign a block for that individual's stake to be measured. That is a lot of excessive data, not to mention CPU time in verifying all these signatures.

People with more BTC = people able to buy more mining power. It's quite equivalent.

If a person has a lot of mining power today, but not a lot of BTC, it's by his investment choice. Both are a form of property.
hero member
Activity: 798
Merit: 1000
March 11, 2012, 01:18:27 PM
#9
Would it not be possible to make proof of stake one of those factors?

I don't like the idea of proof of stake because it puts the power into the hands of a few individuals. My approach is still completely decentralized and allows for much less mining power needed to secure the network. Plus proof of stake requires actual intervention by these powers that be. And, at least as it is now, there are few accounts that have a significant amount of money, yet there are many individuals that have a significant amount of money spread across many accounts. Each one of those accounts would be required to sign a block for that individual's stake to be measured. That is a lot of excessive data, not to mention CPU time in verifying all these signatures.
hero member
Activity: 798
Merit: 1000
March 11, 2012, 01:10:36 PM
#8
You provide a lot of technical details, but I'm not quite sure how the changes you propose contribute to the stated goal.

Well we want to stop 51% attacks, right? As it is now, all this requires is computing hardware. With the approach I described, anyone can throw as much power in the universe at the blockchain, and all they will accomplish is spamming their local nodes who will ignore blocks that have less weight (number of transactions, number of old coins used, so on) than other blocks they have received. It basically means that the blocks with the most activity will win. Unless a malicious entity controls the majority of the hashing power, a large amount of coins, and a large amount of coins that have not been used recently, they can not affect the network. Even if they control those three factors, once they spend the coins to give weight to their block, the age counters on those coins are reset so they are no longer useful to attack the network. No 51% attack can be sustained because they would quickly burn through their old coins. They might delay transactions for a time, but that is far less damaging than being able to deny transactions and miners indefinitely. Rewriting history, as unlikely an attack as that would be, would be impossible as the check-point would basically be built-in to the block chain, not a hack on the software.

This does allow for permanent forks if the network were actually physically split, but I think this is a pretty unlikely scenario. In that case, the user should be notified of competing blockchains instead of just assuming the longest chain wins. Most of the time it should be obvious where the problem is such as if an entire country was cut off from the external internet by government.

This adds importance to the actual transaction history, not just computing power. Sending a transaction is (essentially) free, and in this way it actually helps secure the network.
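A small simulation of the weight-based block selection argued for in the post above, as an added example that is not part of the original thread and not the poster's code. It assumes weight is only coin-age destroyed (amount × blocks since the coin last moved), ignores hashing power and transaction count, breaks ties in favour of the honest block, and uses constructed balances and names.

```python
from dataclasses import dataclass


@dataclass
class Coin:
    amount: int
    born: int  # height at which the coin last moved; its age counter starts here


def weight(coins, spends, height):
    """Block weight as coin-age destroyed: sum of amount * age over spent coins."""
    return sum(coins[c].amount * (height - coins[c].born) for c in spends)


def simulate(rounds, attacker_amount=500, attacker_age=1000):
    """Return the heights at which the competing block outweighs the honest one."""
    # Constructed state: ten honest coins of 100, each normally moved every 10 blocks.
    coins = {f"h{i}": Coin(100, i - 9) for i in range(10)}
    coins["atk"] = Coin(attacker_amount, -attacker_age)
    pending = 0          # index of the next honest coin waiting to be spent
    attacker_wins = []
    for height in range(1, rounds + 1):
        honest = [f"h{pending % 10}"]
        hostile = ["atk"]  # competing block moves only its own coin
        w_honest = weight(coins, honest, height)
        w_hostile = weight(coins, hostile, height)
        # Nodes keep the heavier block; a tie goes to the honest block.
        if w_hostile > w_honest:
            winner = hostile
            attacker_wins.append(height)
        else:
            winner = honest
            pending += 1  # honest transaction confirmed, next coin's turn
        for c in winner:
            coins[c].born = height  # spending resets the age counter
    return attacker_wins


if __name__ == "__main__":
    # Old hoard of 500 coins: wins at once, then only as fast as age re-accrues.
    print(simulate(10))                      # [1, 4, 7, 10]
    # Old hoard of 50 coins: one delayed block, then nothing for the window shown.
    print(simulate(10, attacker_amount=50))  # [1]
    # No old coins at all: cannot outweigh the first honest blocks.
    print(simulate(2, attacker_age=0))       # []
```

Under these assumptions the share of blocks a competing party can win after the first one is set by how fast its coins re-accumulate age relative to honest spending, and a delayed honest transaction gains weight while it waits.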
hero member
Activity: 523
Merit: 500
March 11, 2012, 01:10:19 PM
#7
No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?

https://bitcointalksearch.org/topic/new-musings-for-a-stable-currency-64637

Here I describe the early musings of a "heuristic" approach...


Blockchain Defense
Heuristics: All clients agree that competing blocks will have priority weight based on number of transactions, average age of coins in transactions, and other factors.

Would it not be possible to make proof of stake one of those factors?



legendary
Activity: 1358
Merit: 1003
Ron Gross
March 11, 2012, 12:47:38 PM
#6

Done, thanks.

No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?

https://bitcointalksearch.org/topic/new-musings-for-a-stable-currency-64637

Here I describe the early musings of a "heuristic" approach, although tied to an idea for a stable currency. Revalin brought up a good point that the bitcoin days destroyed concept would fit well. Essentially coins that have not been used recently will have a greater weight in which chain will prevail. There then needs to be a timer such as an hour ahead of each block where it may be replaced and anything ahead of it would be removed. Some balance between length of time to replace and block weight would have to be done so that a block with one more transaction can't come along 50 minutes later and replace a block from 50 minutes ago and such. But it allows for much less mining power necessary to secure the network. Theoretically, none at all is really required although that would certainly make for a lot of collisions. Instead of # of confirmations, time would simply be the indicator for how secure a historic transaction is.

But using bitcoin days destroyed, any potential attack would only be able to be carried out if the person had a lot of old coins and mining power, and once carried out, their power is removed for at least a very significant amount of time. No centralization of power, no signatures required, still requires a fork although this would be a much more acceptable compromise I think. It needs to be fleshed out more, but I think it solves the problem much more elegantly than proof of stake.

You provide a lot of technical details, but I'm not quite sure how the changes you propose contribute to the stated goal.
hero member
Activity: 798
Merit: 1000
March 11, 2012, 12:19:12 PM
#5
No offense, but this is a pretty silly hack to fix the problem. Make it more centralized and concentrate even more power to the bitrich?

https://bitcointalksearch.org/topic/new-musings-for-a-stable-currency-64637

Here I describe the early musings of a "heuristic" approach, although tied to an idea for a stable currency. Revalin brought up a good point that the bitcoin days destroyed concept would fit well. Essentially coins that have not been used recently will have a greater weight in which chain will prevail. There then needs to be a timer such as an hour ahead of each block where it may be replaced and anything ahead of it would be removed. Some balance between length of time to replace and block weight would have to be done so that a block with one more transaction can't come along 50 minutes later and replace a block from 50 minutes ago and such. But it allows for much less mining power necessary to secure the network. Theoretically, none at all is really required although that would certainly make for a lot of collisions. Instead of # of confirmations, time would simply be the indicator for how secure a historic transaction is.

But using bitcoin days destroyed, any potential attack would only be able to be carried out if the person had a lot of old coins and mining power, and once carried out, their power is removed for at least a very significant amount of time. No centralization of power, no signatures required, still requires a fork although this would be a much more acceptable compromise I think. It needs to be fleshed out more, but I think it solves the problem much more elegantly than proof of stake.
hero member
Activity: 558
Merit: 500
March 11, 2012, 11:56:37 AM
#4
legendary
Activity: 1358
Merit: 1003
Ron Gross
March 11, 2012, 11:51:34 AM
#3
Changes like this smell like chain fork... It's way too much of a change for Bitcoin

Not necessarily. P2SH will work without a fork pretty soon.

Obviously PoS is a huge change, much larger than P2SH, but it could be implemented within the system if people are convinced it's the best for everyone involved.

Remember, the danger this tries to prevent is many years in the future ... it's not urgent to do it now. Building the consensus can even take a few years.

Rather than a fork, it could just be a fresh alt chain ... let the market forces decide if Bitcoin+PoS is better than Bitcoin. I prefer to see the evolution of core Bitcoin instead of a zillion different alt chains that fail to gain market share. If a new alt chain came out with Proof of Stake right now, I wouldn't buy it, because I think it's premature.
hero member
Activity: 558
Merit: 500
March 11, 2012, 11:44:28 AM
#2
Changes like this smell like chain fork... It's way too much of a change for Bitcoin