Useful PoW is totally fine for a cryptocurrency the same way useless PoW is - you have to solve a particular instance of some kind of problem, not just "computation that you were going to do already". I think Primecoin is a good example: the general problem that's being solved for mining happens to have a useful byproduct, but you still have to provide PoW on the particular instance that is on the chain.
Even Bitcoin has provided useful work for a very weak definition: it has created incentives for MASSIVE research and development in cracking or otherwise breaking SHA-256. I don't know where I could find data, but I would bet that there's an inflection point in "crack speed" around 2009, and that further progress probably correlates pretty well with the USD-BTC exchange rate.
Right, I agree that a useful PoW is possible in theory[1], but the requirements imposed (by needing to work as PoW for a blockchain cryptocurrency) are burdensome:
1) The difficulty must be adjustable so that you can make it harder or easier as computational power joins or leaves the network -- so it can't be some generically hard problem with no free parameter that affects the hardness.
2) The difficulty must be precisely predictable, so you know how much to adjust it for 1). That probably rules out NP-complete problems, where it's hard to generate random instances while ensuring you'll get one of the hard ones.
3) The problem must be capable of being arbitrarily generated from a random string, so that your work is associated with a specific ledger update (block), and so the work must have started after that node became aware of the block. This would require you to optimally "compress" the problem space so that a random string decompresses to a valid instance. But if you could compress the problem space that way, it wouldn't be hard!
Partial hash inversion (used in Bitcoin) satisfies those because:
1) You can adjust how many digits of a match are required.
2) There is no shortcut to guessing all the nonces, and each output is effectively a random number with predictable properties.
3) You can require the nonce to be prefixed by the Merkle root of the new block + previous Merkle root.
Edit: Primecoin was a good start, but it quickly exhausted all of the academically useful primes, and is unable to meet 1) while still being useful.
[1] At least, I don't know of a rigorous impossibility proof.
Your list is missing verifiable. What makes hashing < vale is useful is you get a high probability that someone handing a solution actually did a lot of work. Someone getting lucky could find a solution within a second using a CPU miner today, they are not going to keep getting lucky for 100 blocks.
750000000000 chance every 10 minutes * say 1,000,000 CPU miners = 1 / 750000 per 10 minutes, and 1 in 14.27 per year. I don't think their are 1,000,000 CPU miners, but I suspect their are at least a few thousand of them for the lul's.
Consider a situation in which the US government realises that primecoin's output is crucial to further quantum computer research. They pump 100s of billions into mining primecoin. Now, 99.9999% of hashpower and full nodes belong to the US government - an entity whose only interest in primecoin is as a minor return on some work to reduce costs.
In this case, every assumption of trustlessness and censorship resistance has gone out the window.
A consensus algorithm using proof of useful work will become a market of miners for whom the mining rewards and thus the integrity of the network are merely a secondary concern.
Mining inherently means whoever is most efficient ends up with 51% of the market. If companies X spends less than anyone else per hash they will end up at 51% unless they intentionally hold back.
However, proof of useful work could be a public good. Though that makes coming up with an algorithm much harder.
> Even Bitcoin has provided useful work for a very weak definition: it has created incentives for MASSIVE research and development in cracking or otherwise breaking SHA-256
And chip performance in general. It wouldn't surprise me if Bitcoin ASICs nudge the state of the art in chip design and fabrication forward.
Another (very marginally) useful bit of work mining does: converting electricity to heat.
I doubt many miners are currently using the heat, but it seems inevitable that eventually most miners would be located in areas where 1) electricity is very cheap, and 2) the heat produced by mining can be used productively
Useful PoW is totally fine for a cryptocurrency the same way useless PoW is - you have to solve a particular instance of some kind of problem, not just "computation that you were going to do already". I think Primecoin is a good example: the general problem that's being solved for mining happens to have a useful byproduct, but you still have to provide PoW on the particular instance that is on the chain.
Even Bitcoin has provided useful work for a very weak definition: it has created incentives for MASSIVE research and development in cracking or otherwise breaking SHA-256. I don't know where I could find data, but I would bet that there's an inflection point in "crack speed" around 2009, and that further progress probably correlates pretty well with the USD-BTC exchange rate.