Pages:
Author

Topic: The Bitcoin consensus mechanism is incorrectly labeled Proof of Work (Read 4339 times)

sr. member
Activity: 256
Merit: 250
i think BURSTs PoC (proof of capacity) algo is worth to look closer at because it removed the PoW and PoS design flaws (long term secure affordable decentralization).

since the algo is based on precomputed data comparable to rainbow tables there is no way to develop special centralized hardware like asics for it (in terms of running costs as capacity replacement).
for the decentralization this means everyone can buy regular hdds in the next shop around the corner or use spare capacity.
compared to PoW there are almost "no" running costs.

the coin exists for over a year now and instead of having a whitepaper it has a over 1000 pages long bitcointalk thread here:
https://bitcointalksearch.org/topic/annburst-burst-efficient-hdd-mining-new-123-fork-block-92000-731923

Quoting from https://eprint.iacr.org/2015/528.pdf

"Perhaps the most serious security issue with Burstcoin is that it allows for time-memory
trade-offs: a miner doing just a small amount of extra computation can mine at the same rate as an honest miner while using just a small fraction of the disk-space that an honest miner would."

thanks for this link to the document. it is new to me.

the authors of the document assume that it is possible to only compute a specific scoop of a plot since they base their whole information on the only available flow chart which exists ("...a miner can initially compute and store only the value x4096." --- http://burstcoin.info/assets/img/flow.png )

they either intentionally or due to the simplifications in the flow chart came to the conclusion that the scoop datafile content for a account-nonce combination represents a single shabal hash.
the implementation requires to compute all 4096 scoops as a block and then these get cut into 64 byte blocks which are read during the mining.

i have done my own analysis some time back (based on the c plotter sourcecode) and came to the conclusion that even the most efficient asics result in higher running costs than mining from at this time available storage devices.

grinding is basically not possible since there is no merkle root and transactions have no influence on the generated blocks.

in future asics may support the plotting and mining process like gpus do today in large rigs.
legendary
Activity: 990
Merit: 1108
i think BURSTs PoC (proof of capacity) algo is worth to look closer at because it removed the PoW and PoS design flaws (long term secure affordable decentralization).

since the algo is based on precomputed data comparable to rainbow tables there is no way to develop special centralized hardware like asics for it (in terms of running costs as capacity replacement).
for the decentralization this means everyone can buy regular hdds in the next shop around the corner or use spare capacity.
compared to PoW there are almost "no" running costs.

the coin exists for over a year now and instead of having a whitepaper it has a over 1000 pages long bitcointalk thread here:
https://bitcointalksearch.org/topic/annburst-burst-efficient-hdd-mining-new-123-fork-block-92000-731923

Quoting from https://eprint.iacr.org/2015/528.pdf

"Perhaps the most serious security issue with Burstcoin is that it allows for time-memory
trade-offs: a miner doing just a small amount of extra computation can mine at the same rate as an honest miner while using just a small fraction of the disk-space that an honest miner would."
sr. member
Activity: 256
Merit: 250
who cares about how a consesus algorythm is labeled as long as it works?

since proof of work can only kept decentralized as long as cheap compute resources are available to the masses it is a public secret that decentralized PoW has failed.
i think BURSTs PoC (proof of capacity) algo is worth to look closer at because it removed the PoW and PoS design flaws (long term secure affordable decentralization).

since the algo is based on precomputed data comparable to rainbow tables there is no way to develop special centralized hardware like asics for it (in terms of running costs as capacity replacement).
for the decentralization this means everyone can buy regular hdds in the next shop around the corner or use spare capacity.
compared to PoW there are almost "no" running costs.

the coin exists for over a year now and instead of having a whitepaper it has a over 1000 pages long bitcointalk thread here:
https://bitcointalksearch.org/topic/annburst-burst-efficient-hdd-mining-new-123-fork-block-92000-731923
legendary
Activity: 1260
Merit: 1000
Another delegated proof of work vs DPoS comparison in reference to Byzantine fault tolerance and Sybil below.
|
|
\/

only POW provably solves the byzantine generals problem in the face of sybil attack

Delegated proof of work, which Bitcoin is, doesn't.  It's not more fault tolerant than DPoS either.  If 70% of the hash rate is in china owned by three pools, you have no way of knowing these pools aren't owned by the same person (sybil).  The only way is to audit them yourself, which is the purpose of the voting mechanism in DPoS, to audit the block validators for sybil.  The only difference is, the audit mechanism is built into the protocol of DPoS and excluded entirely from DPoW (delegated proof of work).

My argument here is basically:

you can't solve byzantine generals problem with a probabilistic model unless you've first solved sybil with a probabilistic model and Bitcoin doesn't do that
because there's no way of telling if all pools are owned by the same person, then it's not collusion or 51% attack, it's a sybil attack
since the essence of the byzantine generals problem is sybil attack, dealing with sybil comes first in the hierarchy before byzantine generals is discussed at all
legendary
Activity: 2044
Merit: 1005
Byrne is also developing a replacement for trading exchanges by using the blockchain . Just a matter of time imo before it happens.

yea, can't wait for Byrnecoin.... he is a pretty trustworthy dude.. right?

until then, however, only public coins like BTC & BTS have:

Proof of Domination.

they've been running undeterred by hackers for years

private coins don't have "proof"

they have "trust" (in the private entity to tell you the truth about what's in their blockchain) (only they can see or view the code)

That's the part I meant its a matter of time.. I do not know what Byrne wants to do or care for that matter.

In terms of private entities on the blockchain, there need to be incentives for corporates to conduct business via Apps (scripts) on the chain which are fully open source or closed source according to requirements from businesses. Private or closed source apps made possible on a blockchain will open up a new wave of innovation. I believe there are a few projects including BTS that this is made possible on.

These private apps don't need any "proof" as they are hosted on a public chain.
legendary
Activity: 2044
Merit: 1005
The interbank is really only traded amongst the banks

If you are going to assume a closed market with participants who follow some specified rules, then you have satisfied the dictatorial control requirement I stated. Given real world experience I doubt the sustainability of even that. They will find a loophole or just cheat.

On a public blockchain open to anyone, it won't work.


Some people believe that's where Bitcoin is best served without worrying about block size.. Replace the interbank so money transmission can be more efficient.. I guess that's just plan b in many eyes because it's assumiing banks don't collapse or give their power back to the people.

Byrne is also developing a replacement for trading exchsnges by using the blockchain thus eliminating hfts.. I mean smart people know it's s problem and are focused on fixing it.. Just a matter of time imo before it happens.
legendary
Activity: 2968
Merit: 1198
The interbank is really only traded amongst the banks

If you are going to assume a closed market with participants who follow some specified rules, then you have satisfied the dictatorial control requirement I stated. Given real world experience I doubt the sustainability of even that. They will find a loophole or just cheat.

On a public blockchain open to anyone, it won't work.

legendary
Activity: 2044
Merit: 1005
Another example semi-related to topics in this thread about the state of PoW:

Smooth (Monero dev) and I were talking about decentralized exchanges and I brought up that HFT (high frequency trading) is a form of PoW itself in practice that demonstrates the end game for Bitcoin PoW.  You're fighting over a finite resource (skimming profits) where even the speed of light matters.  Parties are expending resources to position themselves to capture this supply, and eventually it's a winner take all monopoly or something extremely close to it...

Yes the effect of competition over arbitrage is to eliminate the arbitrage but that is not a bad thing, nor does not imply a single surviving participant because market participants have complex multidimensional preferences. The median voter theorem (and its economic equivalents) does not apply in multiple dimensions.


Closing the arb loop does increase efficiency for price discovery but because of the ability to place trades im high frequency many other attack vectors open up that allow people to game the system.

Of course it does, but the problem is that it is unavoidable without some sort of dictatorial control over markets. If you have an exchange with 1 second order execution time, I can open one with 1/2 second and I will get a ton of business from arbs if nothing else. Then my exchange will have tighter spreads and the retail order flow will find its way there too. Your exchange will die.

Depends.. The interbank is really only traded amongst the banks so I'd imagine it wouldn't need to change much, they already require last looks on trades and cancel them if you are doing arbs all day on them if you trade through currenex which built it into its protocol.

If it was on blockchain you can keep hfts away from interbank and let market makers deal with them.
legendary
Activity: 2968
Merit: 1198
Another example semi-related to topics in this thread about the state of PoW:

Smooth (Monero dev) and I were talking about decentralized exchanges and I brought up that HFT (high frequency trading) is a form of PoW itself in practice that demonstrates the end game for Bitcoin PoW.  You're fighting over a finite resource (skimming profits) where even the speed of light matters.  Parties are expending resources to position themselves to capture this supply, and eventually it's a winner take all monopoly or something extremely close to it...

Yes the effect of competition over arbitrage is to eliminate the arbitrage but that is not a bad thing, nor does not imply a single surviving participant because market participants have complex multidimensional preferences. The median voter theorem (and its economic equivalents) does not apply in multiple dimensions.


Closing the arb loop does increase efficiency for price discovery but because of the ability to place trades im high frequency many other attack vectors open up that allow people to game the system.

Of course it does, but the problem is that it is unavoidable without some sort of dictatorial control over markets. If you have an exchange with 1 second order execution time, I can open one with 1/2 second and I will get a ton of business from arbs if nothing else. Then my exchange will have tighter spreads and the retail order flow will find its way there too. Your exchange will die.
legendary
Activity: 2044
Merit: 1005
Another example semi-related to topics in this thread about the state of PoW:

Smooth (Monero dev) and I were talking about decentralized exchanges and I brought up that HFT (high frequency trading) is a form of PoW itself in practice that demonstrates the end game for Bitcoin PoW.  You're fighting over a finite resource (skimming profits) where even the speed of light matters.  Parties are expending resources to position themselves to capture this supply, and eventually it's a winner take all monopoly or something extremely close to it...

Yes the effect of competition over arbitrage is to eliminate the arbitrage but that is not a bad thing, nor does not imply a single surviving participant because market participants have complex multidimensional preferences. The median voter theorem (and its economic equivalents) does not apply in multiple dimensions.


Closing the arb loop does increase efficiency for price discovery but because of the ability to place trades im high frequency many other attack vectors open up that allow people to game the system. Since people have a slower reaction time to hft you have ice berge orders that end up being front run for quick spread plays. You have people placing big orders to entice liquidity but quickly pulling it to try to get favourable prices (the flash crash dude did this and now is facing jail time).. Anyways it's too hard to regulate hft because it's happening so quick you can't place resistance on non conforming trade behaviour.. So better to not allow it in the first place and allow for arbs to happen in semi realtime.
legendary
Activity: 2968
Merit: 1198
Another example semi-related to topics in this thread about the state of PoW:

Smooth (Monero dev) and I were talking about decentralized exchanges and I brought up that HFT (high frequency trading) is a form of PoW itself in practice that demonstrates the end game for Bitcoin PoW.  You're fighting over a finite resource (skimming profits) where even the speed of light matters.  Parties are expending resources to position themselves to capture this supply, and eventually it's a winner take all monopoly or something extremely close to it...

Yes the effect of competition over arbitrage is to eliminate the arbitrage but that is not a bad thing, nor does not imply a single surviving participant because market participants have complex multidimensional preferences. The median voter theorem (and its economic equivalents) does not apply in multiple dimensions.

legendary
Activity: 2968
Merit: 1198
It was predicted in the early days by Satoshi that mining would end up somewhat centralized, he specifically mentioned "specialized" which basically means centralized. This is why keeping nodes decentralized is the way to go, and this is why we need to avoid things like Bitcoin XT like the plague. Dont want to end up with both centralized mining and centralized nodes, thats the end of Bitcoin basically.
Nodes only help with redundancy not with security (against tx history reversing) so node decentralization doesntmean anything and is easy to achieve.

Nodes help with security if they are under independent control (or weak or no control at all, as unattended embedded devices) and are economically significant.

legendary
Activity: 1260
Merit: 1000
Another example semi-related to topics in this thread about the state of PoW:

Smooth (Monero dev) and I were talking about decentralized exchanges and I brought up that HFT (high frequency trading) is a form of PoW itself in practice that demonstrates the end game for Bitcoin PoW.  You're fighting over a finite resource (skimming profits) where even the speed of light matters.  Parties are expending resources to position themselves to capture this supply, and eventually it's a winner take all monopoly or something extremely close to it...

sr. member
Activity: 441
Merit: 250
It was predicted in the early days by Satoshi that mining would end up somewhat centralized, he specifically mentioned "specialized" which basically means centralized. This is why keeping nodes decentralized is the way to go, and this is why we need to avoid things like Bitcoin XT like the plague. Dont want to end up with both centralized mining and centralized nodes, thats the end of Bitcoin basically.
Nodes only help with redundancy not with security (against tx history reversing) so node decentralization doesntmean anything and is easy to achieve.
hero member
Activity: 503
Merit: 501
Proof of Domination.
legendary
Activity: 1204
Merit: 1028
It was predicted in the early days by Satoshi that mining would end up somewhat centralized, he specifically mentioned "specialized" which basically means centralized. This is why keeping nodes decentralized is the way to go, and this is why we need to avoid things like Bitcoin XT like the plague. Dont want to end up with both centralized mining and centralized nodes, thats the end of Bitcoin basically.
sr. member
Activity: 420
Merit: 262
I had gone into elaborate analysis as to why proof-of-stake and reputation based systems are inherently centralizing.

Proof-of-work has the potential be an unbounded entropy (i.e. effectively random and not gameable) up to 25 - 51% (25 - 33% for selfish mining) concentrated control of the hash rate. That is where I agree with smooth's caveat, except if permission-less commerce is the goal even that caveat has another caveat which is you've still got to find sufficient hash rate to push your transaction through without KYC if 51% of the hash rate is regulated for KYC.

You can't push anything through period if 51% is regulated because that 51% will reject unapproved (not signed with a MSB license number) blocks. That's the 51% attack right there.

I wrote if that if the 51% is regulated to require KYC meaning on the transactions in the blocks those miners/pools create. I didn't write that the regulation forced them to also hard fork the chain protocol and reject blocks that don't have KYC along with transaction in the blocks produced by the other 49%. Indeed it is probably likely that if regulation requires the former, then it might require the latter, but as you like to always say "not necessarily so". You see a hard fork might be more difficult political quagmire, so I think my distinction was apropos.

Without that issue, I contend that owning the hash rate yourself is not really necessary to push the transaction through yourself because as long as the system is permissionless you can always find someone to push it through for you for a fee. Anywhere you go in the world, even under the most authoritarian regimes, you can always find a black market if you look for it. Thus such oppression really becomes a question of how much it costs to push a transaction through, not whether you can do it at all.

With that attitude I can see why Monero has gone no where fast. The velocity of money collapses in your solution.

I have a much more superior solution than that! I wouldn't tolerate a solution that forces people to enter the underworld just send a transaction.

Going back to the original case, Bitcoin's security model simply does not work at all if 51% (really >50%, or >25% or >33% or really even a moderately-large smaller share that could easily collude with some other moderately-large smaller share to form such a bloc) of the hash rate is attacking it.

Yeah Bitcoin is dead in the water. Any thing new to say?

It can be a temporary condition though, where users can just sit on their keys and wait it out, like a hurricane. Whether that is effective is a complex political game theory question that you probably agree we can't really answer and is best avoided altogether if you want any kind of strong security model. That requires either a fundamentally different system or a much better distribution of mining than exists today.

Yadayada.
legendary
Activity: 2968
Merit: 1198
I had gone into elaborate analysis as to why proof-of-stake and reputation based systems are inherently centralizing.

Proof-of-work has the potential be an unbounded entropy (i.e. effectively random and not gameable) up to 25 - 51% (25 - 33% for selfish mining) concentrated control of the hash rate. That is where I agree with smooth's caveat, except if permission-less commerce is the goal even that caveat has another caveat which is you've still got to find sufficient hash rate to push your transaction through without KYC if 51% of the hash rate is regulated for KYC.

You can't push anything through period if 51% is regulated because that 51% will reject unapproved (not signed with a MSB license number) blocks. That's the 51% attack right there.

Without that issue, I contend that owning the hash rate yourself is not really necessary to push the transaction through yourself because as long as the system is permissionless you can always find someone to push it through for you for a fee. Anywhere you go in the world, even under the most authoritarian regimes, you can always find a black market if you look for it. Thus such oppression really becomes a question of how much it costs to push a transaction through, not whether you can do it at all.

Going back to the original case, Bitcoin's security model simply does not work at all if 51% (really >50%, or >25% or >33% or really even a moderately-large smaller share that could easily collude with some other moderately-large smaller share to form such a bloc) of the hash rate is attacking it. It can be a temporary condition though, where users can just sit on their keys and wait it out, like a hurricane. Whether that is effective is a complex political game theory question that you probably agree we can't really answer and is best avoided altogether if you want any kind of strong security model. That requires either a fundamentally different system or a much better distribution of mining than exists today.
sr. member
Activity: 420
Merit: 262
It consumes less electricity.

Miners or delegates or validators or whatever will expend resources only to the extent justified by transaction processing profit margin, which delegates in DPoS will also do. In fact DPoS may well have high profit margins because the number of delegates is fixed, making it a closed market.

So perhaps less electricity, but if so then more resources expended on something else (politics most likely).

(This assumes that the coin distribution phase of Bitcoin is over or insignificant, which must be done to meaningfully compare with DPoS since DPoS is incapable of distributing coins at all.)

Thus as I pointed out in 2013, a very high incentive exists to centralize mining, because transactions fees are a Tragedy of the Commons. We keep coming back to the research I did in 2013. I had already figured all this stuff out back then.

I had even pointed out the block size issue back in 2013, which is now the raging problem today with BitcoinXT alias GavinCoin.

Since I already argued that one can't mine with lower economies-of-scale without losing hash rate share over time

I don't agree with your argument that your argument is conclusive. You need to show that economies of scale are net positive at the economically relevant scale, which depends greatly on many undetermined factors.

I don't understand why you argue that economies-of-scale could be anything other than net positive at increasing scale? Afaics, the only way that wouldn't be true is if mining is not profitable any scale (which is what I hope to achieve in my design).

Also how will you compete as a miner against a increasingly globalized government cooperation which will spend up to 17-18% of the global economy perpetually (the Laffer limit for taxation) to insure it can tax the crypto-currency economy? The government can subsidize miners who comply with demands to censor transactions which do not have KYC, so that they government is not rendered extinct by tax avoidance.

Besides the government can leverage up that 17% homeostatic rate of healthy taxation by using regulation of ISPs.
sr. member
Activity: 420
Merit: 262
I had gone into elaborate analysis as to why proof-of-stake and reputation based systems are inherently centralizing.

Proof-of-work has the potential be an unbounded entropy (i.e. effectively random and not gameable) up to 25 - 51% (25 - 33% for selfish mining) concentrated control of the hash rate. That is where I agree with smooth's caveat, except if permission-less commerce is the goal even that caveat has another caveat which is you've still got to find sufficient hash rate to push your transaction through without KYC if 51% of the hash rate is regulated for KYC.

The poll lacks a choice for "no proof-of-stake system will win".

Proof-of-stake will never remain decentralized:

https://bitcointalksearch.org/topic/m.6501774

Send all proof-of-stake currencies to the trashcan.


It is time to squash Proof-of-Stake once and for all. It can NEVER remain decentralized. Satoshi's Proof-of-Work is the only known solution to the Byzantine General's Problem (was a known unsolved problem since at least the 1970s).

Apologies I've been busy and hadn't had time to squash bytemaster's latest N.A.O.D. (nonsense algorithm of the day).

First of all, he never was able to address the issues I raised about Transactions as Proof-of-Stake quoted as follows.

This proposal appears to be flawed, unless I am missing something. I have only read the first 4 pages thus far.

1. You propose to decrease the coin rewards as coin-days-destroyed volume increases, so this makes it less costly for an attacker to obtain > 50% of the hash rate assuming the attacker includes all the transactions. You apparently are attempting to imply there is no useful attack to do if the attacker is including the most coin-days-destroyed? Please confirm or deny then I will dig into more analysis of this vector.

2. Also how do you choose between someone who generates a proof-of-work hash with lower coin-days-destroyed several times sooner than the network propagation delay versus another who generates it that much delayed with a higher coin-days-destroyed? If you choose the latter, then you've killed the proof-of-work incentive because it means it will always pay to be later and wait for more transactions to arrive.

3. You claim to defeat my Transactions Withholding Attack, by blacklisting those who send blocks with transactions that were not recently seen by all miners. I retorted against this recently. This centralizes the network (all for one and one for all outcome) by requiring every miner to be responsible for the incoming network connectivity of other miners. And it centralizes the network in other ways, such it can't tolerate a temporary partitioning of the network due to connectivity outages.

P.S. By coin-days-destroyed, I assume you mean coin value x days, otherwise you would motivate proliferation of dust.

The most significant flaw of any proof-of-stake system and any system that diminishes coin rewards, is it can't distribute currency from the hoarders to the users of the currency, thus it will end up with the hoarders (the banksters) accumulating all the coin and the currency usage dying.

This is because the wealthy spend a much lower % of their net worth than the masses do.

[snip]

Whereas those who actually mine are proactively using their time, ingenuity, initiative and capital to secure the network, thus it seems more capitalistic they should receive the redistribution from the hoarders. Besides it may beis the only viableplausible way to secure the public ledger.

The other attacks you describe all derive from the fundamental reason I declared all non-proof-of-work systems to be insecure back in April.

My logic was mathematically fundamental. The input entropy set is quite deterministic and well known and thus can be preimaged. For example, accumulating a lot of coin-days-destroyed and then targeting them in clever ways to subvert the security.

The randomness (entropy) of each proof-of-work is fundamental and mathematical and it can not be preimaged. It can only be surely defeated with > 50% of the network hash rate. Note I recently offered what I believe to a solution to the selfish-mining attack (the one at hackingdistributed.com that claims 25 - 35% attack).

I am skeptical that you can characterize all possible attack vectors of proof-of-stake in one coherent mathematical proof. Thus you will not know formally what the security is; instead a list of adhoc attacks and counter-measures.

[snip]

Edit: Perhaps coin-days-destroyed in some attack vectors motivates not transacting for long periods of time.



The bottom line is that no proof-of-stake system can ever remain decentralized.

They all will require some sort of delegation of reputation to achieve consensus. I would have to go through a laundry list of examples to cover all the cases. For example, in Transactions as Proof-of-Stake it is required to delegate trust of propagation to the other nodes as I explained above. Thus there needs to be some reputation system to enforce this, e.g. blacklisting, whitelisting, etc.. All the other proof-of-stake systems have a requirement for some form of delegated reputation.

I have many times explained to bytemaster and others the fundamental problem is that any system that attempts to replace proof-of-work will rely on some form of reputation, and reputation is centralization. And centralization is precisely what decentralized crypto-currency is not supposed to be because centralization will always end up control and manipulated (i.e. it is a fiat system).

Trust is orthogonal to reputation and centralization. I can trust Proof-of-Work, which is decentralized trust without reputation. Reputation isn't needed in Proof-of-Work, because the input entropy is fresh (can't be preimaged) on every new TB.

You can 75% attack it if you like, but your nodes wont have any trust, so that block chain will just be ignored.

(In any non-Proof-of-Work design, ) It is mathematically impossible for there to be external consensus trust of the honest chain if the dishonest chain is controlled by more than 51% of the peers. We've covered some of the scenarios upthread, and it always boils down to that the external viewers can not know who to trust except by trusting the majority of peers.

The only mathematical way around this is to centralize the network, by placing more trust in some peers than others over time.

Indeed long-term reputation is a mathematically viable alternative to Proof-of-Work. This is centralization. There are tradeoffs.

So this is not "7 billion individually watching the network", but rather a fewer # of peers with reputation being trusted. This is just the political power vacuum all over again with its contingent problems of vested interests Olsen power scramble:

https://bitcointalksearch.org/topic/no-money-exists-without-the-majority-226033 (No Money Exists Without the Majority)

Notwithstanding the above, any non-Proof-of-Work system can be attacked with much less than 51% of the peers, due to the fact that the input entropy is preimageable, as I explained upthread. Again the only way to work around this is to trust some established peers to guard against this.

Financial transactions must be recorded in a public or private ledger trusted by both the spender and the recipient, otherwise funds could be unspent or double-spent to a plurality of recipients. To provide a ledger that can't be captured, Satoshi described a proof-of-work (PoW) scheme where transaction peers communicating over the network compete to be the first to solve a computational puzzle which is unique for each block of transactions added to a public ledger. The security of this ledger against double-spends has three (3) essential requirements.

1. The computational puzzle can't be preimaged, i.e. nothing can be known about solving the puzzle until the prior block's puzzle is solved.

2. Without at least 50% of the aggregate computational power of all transaction peers, it is not possible to create a modified chain of blocks starting from any present or past block, which would contain more blocks than the block chain controlled by the remaining cooperating peers. Thus the longer chain is trusted.

3. The block chain is cryptographically linked in forward order, such that the historical proof-of-work and transactions can be independently verified at any time in the future. Thus the transaction peers may leave and rejoin the network at will without need for a trusted centralized storage.

Note security point #1 eliminates from consideration PoW schemes in which the puzzle is some real-world computational work because the puzzles are known a priori and are thus pre-imageable. Non-PoW voting and membership schemes disqualify because the ordering of designation of authority (to decide which transactions are in each block) to transaction peers is pre-imageable, or requires peers trusted by reputation which is centralizing on a slippery slope towards Olsen capture.

You must also consider the negative impacts of design features when you state the positive impacts.

Reputation has many downsides:

a. It can be stolen, e.g. threaten first to extort private key, then kill, and keep key.
b. Censorship based on metadata which doesn't always correlate rationally.
c. Discriminate against early adopters out of jealously, i.e. retribution for #b.
d. Regulatory authorities can require the BitName same as they now do Social Security # and Id. They can now establish the BitName is real, because it has (duration) reputation.

The high cost to transfer or revoke a name also has many downsides, e.g. see #d.

I thinking the pool operator (server) does so little relative to work of the pool miners that it doesn't need to charge a very high fee. Thus there isn't much ability (incentive for pool miners) to undercut competitors based on fee.

So there just needs to be a slightest incentive to encourage pool miners to seek out another pool as a pool grows large. This will encourage a poliferation of pools.

How do pool miners know that a pool server isn't cheating them by paying some of the earnings to themselves pretending to be a pool miner?

Go down that line of thought and you will discover what I am thinking.

The only way you can prove a pool isn't cheating is by estimating the hash rate of the pool and comparing it to the number of blocks found.  Unfortunately, you could probably still skim a couple of a percent this way.

Modern protocols (GBT & Stratum) both have the full coinbase transaction visible to the miners, meaning you can verify that the block being built will be paid to a certain address or has a certain message encoded in the block that identifies the pool.  This allows you to audit if the pool is trying to skim blocks if certain users start seeing work without a coinbase message that identifies the pool.  In the case of BTC Guild, it's both, they always pay to the same address and always include "Mined by BTC Guild" in the coinbase message.

It's not no-trust, but all it would take is a few % of users monitoring this to determine if a pool was trying to skim blocks by sending a certain % of work that doesn't include identifying marks.

How could anything less than 100% of the pool miners know if some of the coinbase transactions were to addresses not owned by pool miners who contributed shares?

Since you can never know if you are the 100% (because mining pool shares* are not recorded in the block chain), thus seems to me there is no way to verify if there is skimming or not, as bytemaster and I wrote.

*For those who don't know the terminology, a pool share is a proof-of-work hash below some threshold that is easier than the current network difficulty. It might also be a block solution.

Why don't you just use P2Pool? Is there any reason?

I was waiting for bytemaster to answer because I wanted to know his thoughts. Seems to me that you have no way to stop the Share Withholding Attack since it is decentralized. And every peer has to run more of a full client if I am not mistake. And there is a lot more overhead I believe. And perhaps also much less resistance against denial-of-service flooding. Frankly I didn't analyze for long enough to be very sure of my initial intuition which is to stay away from it.

I know it is generally impossible to enforce reputation on a 100% decentralized system. So I am intuitively skeptical of P2Pool.

P.S. I won't have time to go back here and debate. I am technically qualified and I am 100% sure I am correct.
Pages:
Jump to: