Topic: Would it be possible... (Read 1906 times)

sr. member
Activity: 416
Merit: 277
August 18, 2011, 07:59:57 PM
#19
Quote
I read Bytecoin's properties of proof-of-work problems.

Thanks for taking the time to understand my thoughts.

The way to stop people hijacking your factoring proof-of-work is using the relevancy property. The work you performed was relevant to the block which includes the transaction that credits you.

In the particular case of factoring we could agree on a large composite number that would be a worthwhile factoring, perhaps a number from this list.

The simplest method I can think of would be to implement MPQS where the coefficients of the polynomial are derived from the block hash. The proof of work would be one or more (depending on the difficulty) relations of sufficient quality. After sufficient relations have been found then the factorization is completed, the factors published on the bitcoin net along with the next target.

ByteCoin
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
August 18, 2011, 01:20:28 AM
#18
I think you missed the point of my post.  I wasn't concerned about factoring itself, just the general miner-ownership property.  People have proposed all sorts of ideas, and my question was whether a problem that doesn't have miner-ownership tied into the solution can even be considered?  If my assessment is correct, that further limits the number of problems that are candidates for PoW.

Although perhaps I missed the point of your post.  What you are suggesting is that many problems could be implemented by requiring desirable properties of the resultant hash instead of leading zeros.   I don't know how many useful problems there could be that fit into this, but it's more than I thought about before.

legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
August 18, 2011, 01:02:59 AM
#17
Quote
Now, I'm on a network of untrusted nodes.  We're all working to factor a number.  I find a solution, and then declare "The solution is X*Y=Z here's my public key, now give me my 50 BTC!"  What is stopping the first node that receives this message from simply claiming the solution is his own, swapping his public key into the message, and then broadcasting it?  Nodes can try to compare timestamps, but network latency is high variance.  How does he know that the other guy isn't the true "winner" but his network packets had more hops?

The nice thing about the current hashing solution is that the coinbase tx to yourself is part of your hashed solution.  If someone tries to swap in their own public key, they break the hash and it becomes invalid.  The only way to "steal" it is just to do the work themself.

So my question is, given a problem that is otherwise ideal, but does not have ownership somehow tied into the proof-of-work, is there a way to avoid the problem I described above?  If not, I think this severely limits the number of candidate problems.
The whole purpose of mining is to secure the transactions. Any algorithm that didn't secure the transactions, including the coinbase transaction, would be useless.

Factoring a number could be used for proof of work, but the number would have to be based on the previous block's hash and the hash of the transaction tree. So the point is, you could use factoring for your proof of work, but you couldn't choose what numbers you had to factor -- the transactions and the chain would have to do that.

In that case, the difficulty would be how big the smallest factor had to be -- otherwise, you could just work to get an even number and divide it by 2. In fact, you could drop in factoring as a replacement PoW algorithm. You'd hash just the same as you do now, but instead of looking for a low hash output, you'd look for a hash output you could factor but such that the smaller factor exceeded the difficulty. Verifying the proof of work would include making sure that neither factor was smaller than the difficulty and that the smaller factor was prime. (Otherwise, it's too easy.)
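The drop-in factoring rule from post #17, as an added sketch that is not code from the thread or from any Bitcoin client. Assumptions: the hash is truncated to 32 bits so trial division can stand in for mining, the header is reduced to previous hash, transaction root and nonce, and all function names and inputs are constructed for illustration.

```python
import hashlib

BITS = 32  # constructed: keep only 32 hash bits so a demo can factor them

def header_number(prev_hash: bytes, tx_root: bytes, nonce: int) -> int:
    """Number to factor; fixed by the chain and the transactions, not the miner."""
    data = prev_hash + tx_root + nonce.to_bytes(8, "little")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)

def smallest_prime_factor(n: int) -> int:
    """Trial division; returns n itself when n is prime (expects n >= 2)."""
    if n % 2 == 0:
        return 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return n

def verify(prev_hash, tx_root, nonce, p, q, difficulty) -> bool:
    """Checks named in the post: p*q equals the hash output, neither factor
    is below the difficulty, and the smaller factor is prime."""
    n = header_number(prev_hash, tx_root, nonce)
    small = min(p, q)
    if small < 2 or p * q != n or small < difficulty:
        return False
    # Demo-sized primality check; real sizes would need a proper primality test.
    return smallest_prime_factor(small) == small

def mine(prev_hash, tx_root, difficulty):
    """Try nonces until the hash output splits with a prime factor >= difficulty."""
    nonce = 0
    while True:
        n = header_number(prev_hash, tx_root, nonce)
        p = smallest_prime_factor(n) if n >= 4 else n
        if p != n and p >= difficulty:
            return nonce, p, n // p  # p <= n // p because p is the smallest factor
        nonce += 1

def demo(difficulty: int = 1000):
    prev = hashlib.sha256(b"constructed previous block").digest()
    root = hashlib.sha256(b"constructed transaction tree").digest()
    nonce, p, q = mine(prev, root, difficulty)
    valid = verify(prev, root, nonce, p, q, difficulty)
    # The shortcut the post rules out: pick an even hash output and claim 2 * (n/2).
    even = next(k for k in range(64) if header_number(prev, root, k) % 2 == 0)
    half = header_number(prev, root, even) // 2
    return valid, verify(prev, root, even, 2, half, difficulty)
```

`demo()` returns `(True, False)`: the mined claim passes, and the divide-by-2 claim fails the difficulty check.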
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
August 18, 2011, 12:51:43 AM
#16
I read Bytecoin's properties of proof-of-work problems.  I believe there is another property that is necessary, but I might be wrong so I hope someone will chime in if they see a way to avoid this problem.   Consider the infeasible example of number factoring as proof-of-work.  I don't know how it would work, link to previous blocks, etc.  Just assume that the "work" is number factoring, which is hard to do, easy to verify.   

Now, I'm on a network of untrusted nodes.  We're all working to factor a number.  I find a solution, and then declare "The solution is X*Y=Z here's my public key, now give me my 50 BTC!"  What is stopping the first node that receives this message from simply claiming the solution is his own, swapping his public key into the message, and then broadcasting it?  Nodes can try to compare timestamps, but network latency is high variance.  How does he know that the other guy isn't the true "winner" but his network packets had more hops?

The nice thing about the current hashing solution is that the coinbase tx to yourself is part of your hashed solution.  If someone tries to swap in their own public key, they break the hash and it becomes invalid.  The only way to "steal" it is just to do the work themself.

So my question is, given a problem that is otherwise ideal, but does not have ownership somehow tied into the proof-of-work, is there a way to avoid the problem I described above?  If not, I think this severely limits the number of candidate problems.

-Eto
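The miner-ownership property raised in post #16, as an added sketch that is not code from the thread or from any Bitcoin client. Assumptions: the header is reduced to previous hash, a hash of the payee's key and a nonce, difficulty is 16 leading zero bits, and the keys and function names are constructed for illustration.

```python
import hashlib

def header_hash(prev_hash: bytes, payee_pubkey: bytes, nonce: int) -> int:
    """Double SHA-256 over a simplified header that commits to the payee."""
    # Assumption: real Bitcoin commits to the coinbase tx through the Merkle
    # root; hashing the payee key directly keeps the sketch short.
    commitment = hashlib.sha256(payee_pubkey).digest()
    data = prev_hash + commitment + nonce.to_bytes(8, "little")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")

def verify(prev_hash, payee_pubkey, nonce, zero_bits) -> bool:
    """One double hash: does the header start with zero_bits zero bits?"""
    return header_hash(prev_hash, payee_pubkey, nonce) < (1 << (256 - zero_bits))

def mine(prev_hash, payee_pubkey, zero_bits) -> int:
    """Brute-force search, about 2**zero_bits attempts on average."""
    nonce = 0
    while not verify(prev_hash, payee_pubkey, nonce, zero_bits):
        nonce += 1
    return nonce

def demo(zero_bits: int = 16):
    prev = hashlib.sha256(b"constructed previous block").digest()
    finder = b"constructed public key of the finder"
    relay = b"constructed public key of a relaying node"
    nonce = mine(prev, finder, zero_bits)
    honest = verify(prev, finder, nonce, zero_bits)
    # The relaying node reuses the nonce but swaps in its own key: the header
    # hash changes, so the copied solution no longer meets the target.
    swapped = verify(prev, relay, nonce, zero_bits)
    return nonce, honest, swapped

if __name__ == "__main__":
    nonce, honest, swapped = demo()
    print(f"nonce {nonce}: finder valid={honest}, relay copy valid={swapped}")
```

The relaying node can only earn the reward by running `mine` with its own key, which costs the same work the finder spent.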


sr. member
Activity: 416
Merit: 277
August 11, 2011, 08:28:30 PM
#15
I have identified some necessary properties for a useful proof of work in this post.

SETI, folding@home etc are not suitable.

ByteCoin
legendary
Activity: 1372
Merit: 1002
August 11, 2011, 02:16:39 PM
#14
1)  Transactions only, no mining new coins

You can't separate transaction fees from mining. The miner/pool who solves the block first gets both the reward and the tx fees.
This will only happen when there's no more new btc to mine.
But as said, the computing for btc (without affecting the security of bitcoin) seems an interesting idea. The rewards would tend to be equivalent to mining, so when too many miners join the mining business at the same time, part of the "over-competence can be outsourced" to the BOINC for btc market.
member
Activity: 70
Merit: 18
August 11, 2011, 12:05:21 PM
#13
One major consideration is that the proof of work, as it's currently defined, has zero dependence on outside data.  This gives it a certain robustness, whereas if there were some dependence on a job list or some kind of computing grid external data, then the security of the entire system is degraded to the security of the external data source.  There is no guarantee that the jobs are as hard as they need to be, or that the system can't somehow be gamed or cheated.  The current double-SHA256 is impossible to cheat without breaking SHA256.

Better to just buy and sell compute cycles using bitcoins, rather than try to fit useful computations into the block chain proof-of-work.
legendary
Activity: 1372
Merit: 1002
August 11, 2011, 11:15:42 AM
#12
Also repeated work that doesn't serve the BOINC project after the first time.

BOINC is an infrastructure, not a specific project.

I meant the concrete BOINC project having its calculations made by the bitcoin network.

Your idea is interesting but doesn't involve changing the bitcoin mining calculations.
Users would just sell their computer power to BOINC projects for bitcoins instead of using it directly for mining. It could make the difficulty more stable when many miners come at the same time. It could be healthy for mining, even if it's not the first thought that comes to mind.
legendary
Activity: 2618
Merit: 1007
August 11, 2011, 08:56:43 AM
#11
BOINC is an infrastructure, not a specific project.

What could be done would be to have a BOINC powered Bitcoin pool and offering the power of the pool to others. The others would then have to submit their BOINC project + Bitcoins for the computation time + Miners then could switch between direct mining or calculations + getting paid for them with the same outcome money wise.

A bigger problem though is that companies rather invest more money just to protect the integrity + confidentiality of their data or pay other companies (Amazon) to do that calculations for them - I doubt that besides some WPA or other password cracking you would have many customers in any cluster where random people can join.

To answer the question:
Yes, it is possible to calculate other stuff next to mining too - it however would just decrease your Bitcoin income proportionally unless you get paid for that other work in Bitcoin too.
To incentivize this you could offer bounties, lotteries or whatever but everything would be outside the actual Bitcoin sphere/work/client. There is no way I can think of to actually put something like that directly into the Bitcoin client/protocol.
legendary
Activity: 1372
Merit: 1002
August 11, 2011, 07:57:18 AM
#10
The problem with those calculations is that they require as much work to generate them as to verify they're right.
The hashes are hard to get but easy to verify.
If you modify the client the way you propose, non mining clients will need much more work.
Also repeated work that doesn't serve the BOINC project after the first time.
A server could verify it for you (maintaining a database), but then you're giving up the decentralization.
legendary
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
August 11, 2011, 07:31:54 AM
#9
Quote
Would it be possible to replace random hashing calculations with say real world distributed computer calculation processing such as is from the BOINC client, World Community Grid or Folding@Home?
Why pay miners for calculations that don't secure the hash chain? These "random" hashing calculations are not random -- they add computational effort to the public hash chain, preventing double spending attacks.

Quote
I am thinking if this is possible this alone could be a HUGE boost to bitcoin (and bitcoin like) currencies as you greatly expand your interested client base and appeal to individual humanitarian causes as well as natural profiteering and liberty minded individuals.
You're welcome to do all those things if you want, but it doesn't help secure the hash chain. That's what miners are paid for.
legendary
Activity: 1526
Merit: 1134
August 11, 2011, 07:17:17 AM
#8
Guys, please read the FAQ before posting questions like this in the dev section:

https://en.bitcoin.it/wiki/FAQ

Quote
Why don't we use calculations that are also useful for some other purpose?
To provide security for the Bitcoin network, the calculations involved need to have some very specific features. These features are incompatible with leveraging the computation for other purposes.
sr. member
Activity: 350
Merit: 251
August 10, 2011, 07:00:51 PM
#7
I do not think it would work. Right now, bitcoin is completely decentralized; if you were to impose things like F@H, then bitcoin becomes centralized and useless. That is unless someone provides some rock solid solutions to the problem.
legendary
Activity: 2940
Merit: 1090
August 10, 2011, 06:22:29 PM
#6
Folding at home pools could be great though, that is, run such projects similar to the way mining pools work.

For example if looking for a valuable protein to patent to make a lot of money selling things licensed by the patent, then once the patent sells, or starts getting income, the people who did the computing could be paid off based on the amount of the computing they did.

There is probably some company somewhere that is going to end up making money with whatever the folding people discover, even if they pretend to be "not for profit".

Or do they have some way of making sure no-one ever makes a profit from what they find, on the contrary the results will be useable only by volunteers or something?

-MarkM-
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
August 10, 2011, 04:03:45 PM
#5
One thing to keep in mind, which is often overlooked, is that the "difficulty" is not just arbitrary waste-of-time to slow down BTC generation.  It is actually directly related to how "difficult" it is to attack the network.  The higher the difficulty, the harder it is for one person/organization to start re-writing the block chain and reversing transactions.  Every extra hash that's needed to solve a block is a little bit of extra security against an attacker.   We can't just arbitrarily replace hashing with other things, without compromising the security.  Even if we tried, we'd likely end up leaving open holes for people to skip the non-hashing parts of the mining and get an advantage over other miners (which isn't dangerous but it won't be a popular revision to the protocol).

In order for something to do what you suggest (replace hashing as proof-of-work and be useful), the problem must satisfy the criteria:
(1) The solution is a piece of information that is extremely difficult to find
(2) A given solution can be checked extremely fast

To find a nonce that creates a block header with 40 leading zero bits will take 2^40 SHA256 calculations (on average), but once you've done it, it takes everyone else in the world exactly 1 SHA256 calculation to verify the solution.  I don't know much about FAH calculations, but I don't think they fall into this category.
member
Activity: 70
Merit: 18
August 10, 2011, 03:22:22 PM
#4
If you can come up with a way of combining proof-of-work (as in securely provable) together with general-purpose useful work, that would be a wonderful thing.  To my knowledge, nobody knows how to do this.
kjj
legendary
Activity: 1302
Merit: 1026
August 10, 2011, 02:55:37 PM
#3
Difficulty can not be faked.  Anything else can.
donator
Activity: 2058
Merit: 1054
August 10, 2011, 02:36:51 PM
#2
Quote
Would it be possible to replace random hashing calculations with say real world distributed computer calculation processing such as is from the BOINC client, World Community Grid or Folding@Home?

If so how difficult would the change be?

Maybe modifying the BTC miners to register to these projects as a common Bitcoin processor for all of these projects simultaneously, injecting the packet processing into standard block processing etc.

I am thinking if this is possible this alone could be a HUGE boost to bitcoin (and bitcoin like) currencies as you greatly expand your interested client base and appeal to individual humanitarian causes as well as natural profiteering and liberty minded individuals.

In all likelihood we would likely pick up dedicated users from the other networks as well since with BTC and BTC like currencies they earn money for their philanthropy
Mining is about generating a certificate, easily verifiable without a centralized service, that work was done acknowledging a specific timeline of transactions. This is probably incompatible with external computing projects. If you can think of a way to combine them you'll have to be much more specific.
newbie
Activity: 13
Merit: 0
August 10, 2011, 01:49:56 PM
#1
.