Proof of burn: An alternative method for distributed consensus (bitcoin.it)
139 points by ghgr on Jan 15, 2018 | 66 comments



    (regarding the true randomness source) I believe there
    would be no trouble propagating this to all nodes, by
    out-of-band means if necessary.
Similarly, surviving on a deserted island is easy - I believe you'll have no trouble finding a can opener and plenty of canned food.

If your solution to a distributed consensus problem starts with "assume all parties cooperate and agree on a continually-updating feed of data", it's not exactly compelling.

Also, there's no need to make up words like "remurrage" - economics already has "deflation" for when HODLing currency returns a positive amount.


Similarly they write:

>There are in fact some further issues, to do with making sure it's not cheap for a miner to re-exhibit their proof (of having performed a suitably substantial burn a suitably long time ago) on multiple competing chains. Details to follow.

which kind of seems like a major omission, as this is the one thing a proof of X should protect against.


Seems like that could be defended with Casper's approach: use security deposits, slash them for burn reuse, and reward anyone who provides proof of reuse.


The problem is that the miners -- whose fraud is proven with a transaction -- have the responsibility of including this transaction in the chain they control. Which means the only solution is to fork: now we have two or more chains (any number of valid chains which includes this proof can exist) -- how do we reach consensus on which to follow?

Before the fraud, the miners were allegedly responsible for reaching consensus. And when they commit fraud, it's assumed that the network can reach consensus without the miners (on a single, valid chain which includes the proof of miner fraud). If everyone except the miners were able to reach consensus on a single chain in the first place, why did we need the miners?


Aren't you assuming the miners are all working together in a coalition? You're pretty much screwed anyway if that's the case.


Well yeah, you can use any proof of work, proof of stake system to prevent it. However if you've got one of those, what would you need the proof of burn for?


Proof of stake is more than just that. Arguably it does make proof of burn obsolete, but it might still be worth exploring burn+slash mechanisms.


I think that would be easy to fix, though. Hash every X'th block in some manner, to take effect in 5X blocks or whatever, would probably be good enough. Again, if someone is manipulating literally every bit of an accepted block successfully to successfully hack you via this method, your currency already has a problem.

There's enough agreed-upon entropy lying around for this to work.


A method for really strong randomness is threshold signatures, like DFinity is using. As long as you get M of N submitters you get a random result which none of them can predict or manipulate; it's the same result no matter which M submit. But I think it depends on elliptic curves, so it'd be vulnerable to quantum computers.

Another possibility is for participants to submit a hash of a random number, and then submit their preimages in a second round, with a deposit that gets slashed if they fail to submit the second round.

A third approach is for participants to submit random numbers, and then to use a lengthy hashing phase to generate the random result, with a trick to more quickly verify the result: https://www.reddit.com/r/ethereum/comments/4mdkku/could_ethe...
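The second approach above (commit a hash of a random number, reveal the preimage in a second round, lose a deposit if you never reveal), as an added example that is not part of the original comment or of any project named in the thread. Participant names, deposit sizes and the secrets are constructed for this example; the salts are derived deterministically here only so the run is repeatable, in a real deployment each committer would pick a fresh random salt.

```python
"""Commit-reveal randomness beacon with slashable deposits (added illustration)."""
import hashlib
from dataclasses import dataclass, field


def commitment(secret: bytes, salt: bytes) -> bytes:
    """H(salt || secret): hides the secret until the reveal round and binds the
    committer to one value, so a late revealer cannot adjust it after seeing others."""
    return hashlib.sha256(salt + secret).digest()


@dataclass
class Beacon:
    required_deposit: int
    commits: dict = field(default_factory=dict)   # name -> commitment
    deposits: dict = field(default_factory=dict)  # name -> escrowed amount
    reveals: dict = field(default_factory=dict)   # name -> (salt, secret)
    slashed: list = field(default_factory=list)

    def commit(self, name: str, comm: bytes, deposit: int) -> None:
        if deposit < self.required_deposit:
            raise ValueError(f"{name}: deposit {deposit} below required {self.required_deposit}")
        if name in self.commits:
            raise ValueError(f"{name}: already committed this round")
        self.commits[name] = comm
        self.deposits[name] = deposit

    def reveal(self, name: str, salt: bytes, secret: bytes) -> None:
        if name not in self.commits:
            raise ValueError(f"{name}: no commitment on record")
        if commitment(secret, salt) != self.commits[name]:
            raise ValueError(f"{name}: reveal does not match commitment")
        self.reveals[name] = (salt, secret)

    def close(self) -> bytes:
        """End of round 2: slash everyone who committed but did not reveal, then
        fold all revealed secrets into one output (sorted by name so every node
        computes the same value). One honest revealer is enough to make the output
        unpredictable; the only remaining attack is withholding, which costs the deposit."""
        for name in self.commits:
            if name not in self.reveals:
                self.slashed.append(name)
                self.deposits[name] = 0
        h = hashlib.sha256()
        for name in sorted(self.reveals):
            h.update(self.reveals[name][1])
        return h.digest()


def run_round(secrets: dict, withhold: set, deposit: int = 10) -> tuple:
    """Drive one round. `secrets` maps name -> secret bytes; names in `withhold`
    commit but never reveal. Returns (beacon_output, slashed_names, deposits)."""
    beacon = Beacon(required_deposit=deposit)
    # Constructed salts: deterministic for the example, random in practice.
    salts = {name: hashlib.sha256(b"salt-" + name.encode()).digest() for name in secrets}
    for name, secret in secrets.items():
        beacon.commit(name, commitment(secret, salts[name]), deposit)
    for name, secret in secrets.items():
        if name not in withhold:
            beacon.reveal(name, salts[name], secret)
    output = beacon.close()
    return output, sorted(beacon.slashed), dict(beacon.deposits)


if __name__ == "__main__":
    out, slashed, deposits = run_round({"alice": b"a1", "bob": b"b2", "carol": b"c3"}, {"carol"})
    print(out.hex(), slashed, deposits)
```

The output changes when a participant withholds, which is exactly the bias the deposit is there to price; whether the deposit is large enough relative to what a biased beacon is worth to the withholder is the economic question raised later in the thread.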


To be fair regarding your last critique, we could also say there’s no need to make up words such as “HODLing” when English already has “holding”. I believe the key idea the author wanted to convey with their new word is that the positive amount is returned explicitly because the quantity of the currency has decreased. This is a particular case of deflation, so it isn’t completely odd to consider introducing a word that succinctly captures that meaning.


I did a bunch of analysis on proof of burn, and came to the conclusion that it cannot work in practice because it relies on transactions in order to burn, which themselves are subject to consensus.

You can read my detailed analysis here: https://bitcointalk.org/index.php?topic=1182677.0

Cheers, Paul.


The problem is that the coin that is provably burned isn't scarce unless the network has reached consensus in the first place, and doing a provable burn of something non-scarce is non-sensical. Doing a provable burn on a fork of the Bitcoin chain is irrelevant, as nothing is lost, which means it requires already-existing consensus in order to be effective.

It's the same with proof-of-stake: it purports to use a chain's own coin -- as opposed to energy -- as the scarce commodity that is consumed in order to reach consensus. But coins on a chain are only scarce if only one chain exists, which means proof-of-stake relies on pre-existing consensus in order to reach consensus.

In general, what Bitcoin solves through proof-of-work is actually making a digital token scarce in the first place (by reaching consensus on a single, valid chain). After this, a lot of cool stuff becomes possible, but you can't make use of this cool stuff until consensus has been reached, which means you can't use it to reach consensus.


And the same applies to proof of stake. You need some form of external randomness to give you security. Of course many people have tried to come up with schemes where randomness can be created fairly by a group of people who don't necessarily trust each other [1]. Unfortunately all these schemes require at least half the participants to be honest so are vulnerable to trivial Sybil attacks. And the only way we know how to prevent Sybil attacks is to use proof of work or some sort of centralised system: leaving us back where we started.

I am convinced it can be mathematically proven that Proof of Stake/Burn algorithms don't work (without some sort of external randomness) but I don't have the mathematical skill to produce the proof.

[1] https://eprint.iacr.org/2017/216.pdf


Doesn't the Proof of Stake algorithm protect against Sybil attacks by trusting participants based on how much they are staking?


The issue is in a lower level than that. A proof of stake system will want to randomly choose who gets to mine the next block, weighted by how much everyone is staking. But making this choice depends on everyone agreeing on a source of randomness, which is what the previous posts were talking about.


That might actually work but there is a lot to analyse to make sure that something is actually at stake. Firstly can dishonesty be detected and traced back to a stake holder? I'm not sure about that within specific randomness generating schemes. Secondly even if participants can be detected cheating it may still be economically advantageous for them to be dishonest if there is only a small probability that they lose their stake.


I found that proof of burn actually was exactly equivalent to proof of stake in terms of overall security. I.e. not good enough.


> 1) Randomness (or entropy) in a p2p system is bounded by the data present in the chain. What this means is that (at the very least) an attacker can know ahead of time whether he will win the block reward, because he has all data necessary to compute the result of the random function, no matter what components he is required to use. He can then choose not to participate if he will lose.

You could require miners to announce their proof of burn well in advance of the block they will use it for. Those announcements could be stored in the block chain so that the network can easily agree on when each announcement was made. If the distance in blocks between a burn announcement and the block it will be used for is less than K, the network would ignore that announcement.

So if you want to predict the outcome of block N, you would have to win block N-K and all the blocks in between (or be colluding with all the winners). If K was small you could just burn more than the block reward justifies, discouraging competing miners from burning, but if K is sufficiently large (e.g. 1 month), that would be prohibitively expensive.

> 2) Finney attack. It is completely trivial for an attacker to generate an infinite sequence of valid blocks in which he is the solo participant and is also the winner.

I think you could come up with some rotation mechanism so that only certain accounts can participate in a certain round. It could perhaps be weighted by stake, so to participate in all rounds, one would need to control 100% of the currency (or some lower threshold could be chosen to minimize the rounds that no miners are eligible for).

> 3) Making the block reward equal to the burnt amount makes this functionally equivalent to Proof of Stake for the case of the single miner. However, if you don't make the block reward at least equal to the amount burnt, it is not profitable to mine.

I think you're looking at it backwards; the block reward should be chosen based on the desired inflation rate, and miners will adjust their burn amounts so that burn costs will always roughly equal block rewards. If the costs ever exceed the rewards, it will be brief; some miners will sit out until mining becomes slightly profitable again.


The key is:

>you could come up with some rotation mechanism so that only certain accounts can participate in a certain round

which is impossible to do in a way that can't be exploited and is fair (without relying on some external source of randomness). And I advise against trying to come up with a way to do so because the internet is full of failed attempts.


How about this rotation mechanism --

- Use the block index as the random seed. (Yes, the resulting random sequence is predictable, but that's okay...)

- Randomly select N UTXOs weighted by their output sizes. (This could be done efficiently by storing UTXO hashes in a sort of trie structure, with larger UTXOs higher in the trie, and descending the trie based on the random value until we get to the deepest node with at least N UTXOs beneath it.)

- Only the owners of those N UTXOs may participate in the current burn contest.

- If none of those owners are active or choose to participate, an empty block is added to the chain.

As for the value of N, for maximum security we would want N=1, which makes this equivalent to proof of stake. Then it's impractical for attackers to generate more than a few blocks in a row, since they would need to target single owners who might not be selling.

Higher N values might have some performance advantages (fewer empty blocks), and more even rewards (everyone gets a tiny reward as coins are burnt), but worse security. We would probably want to use N=1 for every, say, 10th block, so that if someone needs a particularly strong guarantee that their branch will prevail, they can wait for ~5 * 10 = 50 blocks.

I think proof of stake is better overall -- it's simpler and there's not much downside -- but both approaches seem viable.
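The two eligibility rules proposed above (burn announcements that must be at least K blocks old, and N UTXOs drawn from the UTXO set weighted by value with the block index as the seed), as one added example; this is not code from the wiki page, from either commenter, or from any project. The UTXO set, owners, values and K are constructed for the example, and the trie the comment describes is an optimisation for large UTXO sets that is replaced here by a linear weighted scan so the selection rule itself stays visible.

```python
"""Deterministic 'who may play this round' selection (added illustration)."""
import hashlib


def draw(seed_material: bytes, modulus: int) -> int:
    """Value in [0, modulus) derived from public chain data: predictable by everyone,
    which the proposal accepts, but identical on every node."""
    return int.from_bytes(hashlib.sha256(seed_material).digest(), "big") % modulus


def select_utxos(utxos, block_index: int, n: int) -> list:
    """Pick up to n distinct UTXOs, each draw weighted by remaining value.
    utxos: iterable of (utxo_id, owner, value). The pool is sorted by id first so
    nodes that received the set in different orders still agree on the result."""
    pool = sorted((u for u in utxos if u[2] > 0), key=lambda u: u[0])
    chosen = []
    for pick in range(min(n, len(pool))):
        total = sum(u[2] for u in pool)
        r = draw(f"{block_index}:{pick}".encode(), total)
        acc = 0
        for i, u in enumerate(pool):
            acc += u[2]
            if r < acc:
                chosen.append(pool.pop(i))  # without replacement
                break
    return chosen


def eligible_burns(burns, height: int, k: int) -> list:
    """burns: (owner, announced_at_height, amount). Keep only announcements made at
    least k blocks ago; younger ones are ignored this round, so predicting block
    `height` requires having controlled the chain since height - k."""
    return [b for b in burns if height - b[1] >= k]


def contest_participants(utxos, burns, height: int, n: int, k: int) -> list:
    """Owners allowed in this block's burn contest: drawn by stake and holding a
    sufficiently old burn. An empty list is the proposal's empty-block fallback."""
    drawn = {u[1] for u in select_utxos(utxos, height, n)}
    aged = {b[0] for b in eligible_burns(burns, height, k)}
    return sorted(drawn & aged)


if __name__ == "__main__":
    # Constructed data for the example.
    utxo_set = [("tx1:0", "alice", 50), ("tx2:0", "bob", 30), ("tx3:1", "carol", 20), ("tx4:0", "dave", 0)]
    burn_log = [("alice", 90, 5), ("bob", 99, 5), ("carol", 95, 2)]
    print(contest_participants(utxo_set, burn_log, height=100, n=2, k=3))
```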


Thanks! Very insightful


I'm not entirely convinced that cryptocurrencies require fee incentives to stay secure. Most people using a currency aren't interested in the 'value' of a transaction, but rather, they want to perhaps pay a vendor or simply hold a balance. The miners (or stakeholders, in proof of stake) act in order to earn a profit, and may not actually act in the best interests of currency users (including holders and vendors). Miners and stakers are, in a way, just siphoning off profits, and it might be true that actors in the system would still behave honestly without the mining/staking incentives.

I wrote a blog post about this: https://medium.com/@brndnmtthws/questioning-assumptions-do-c...


The fee incentive is required if, like Bitcoin, you have a capped money supply (and, therefore, the block reward must decrease over time).

A key insight into Nakamoto Consensus is that the security model depends on the the economic rationality of mining honestly: the difficulty of executing a double spend increases exponentially with the number of blocks the victim waits between the transaction hitting the chain and them "accepting" it, but the reward for executing that attack scales linearly with number of blocks (double spend + block reward/fees), which means that the return on investment for the attack decreases over time. The return on investment for mining honestly instead is constant: it's just given by your share of the mining power.

Assuming a worst case scenario of an attacker having just shy of 50% of the mining power, I can calculate how many blocks I should wait before the money I received is considered secure, and that time grows as the amount sent grows in respect to the block reward. Without fees, the block reward goes to zero over time, and the time-until-secure goes to infinity.


You can't have a decentralized, secure network without fees.

PoS doesn't work by itself, anyone who tells you otherwise doesn't understand the underlying security of a decentralized blockchain.

I saw a nice rant on twitter the other day about this very subject: https://twitter.com/hugohanoi/status/951762596255838209

You CAN have a PoS network built on top of a PoW network (LN) but there will still be fees.


This is not a useful rant. 90% of it is bad and completely unconvincing argument by analogy.

> Everything in our world ultimately translates back to energy, at the lowest level. You are energy. I am energy. Blockchain is energy.

The remaining 10% could plausibly be gesturing at a real argument, but it's way too vague and hand-wavy. It repeatedly says PoS is impossible, but then ends up admitting that it boils down to complicated questions about the stability of certain equilibria.


>90% of it is bad and completely unconvincing argument by analogy.

What analogy?


The idea that somehow the law of conservation of energy applies to the security of block chains, or computing in general. The fact that tweets 1-20 come from a cryptocurrency developer is terrifying, because it reads like a speculator trying to drive down Ethereum. I get what the developer is trying to say, but it all falls apart once they tie "electricity expended in Proof of X directly maps to amount of ledger security".

Tweets 21+ are actually reasonable and well thought out. It's that whole nonsense in the first 20 that just poisons the whole thread.

I completely agree that PoS assumes that bad actors are at best a group of Chaotic Evil backstabbers and that there'd never be a massive organization of Lawful Evil people rewriting the block chain. Furthermore, it doesn't account for a group of possibly Chaotic Good miners "correcting" a coin heist by rewriting the block chain. It is the stance of a majority of cryptocurrency participants that such a power is corrupting and that no matter what, the block chain must stand immutable.


>"electricity expended in Proof of X directly maps to amount of ledger security"

That is absolutely true, this subtlety seems to be lost amongst all the hype.

Try to manipulate the BTC ledger, it's technically possible but not really affordable/feasible.


Reduced, the assertion made is: Because Proof of Stake requires less energy and is less secure than Proof of Work, all block chains are secure if and only if computing blocks requires a large investment of energy.

I don't think Proof of Stake is sufficient evidence to make that assertion. The source makes me even more skeptical, as they are invested in Proof of Work's continued dominance.


Perpetual motion machines, conservation of energy, etc.


> Since PoS removes billions of dollars of the mining that secures the ledger, it must follow that a PoS blockchain is billions of dollars less secure.

No, that doesn't follow. This person doesn't know much about DPoS because they don't grant it any points for the things it does right.

One thing that mining-free PoS coins give up is equitable distribution of the coin. Arguably there are other approaches to this but none of them are trustless.


>This person doesn't know much about DPoS because they don't grant it any points for the things it does right.

They definitely acknowledge PoS; its problem is inherent in that you can always dispute with consensus and create an alternate ledger WITHOUT any upfront costs.


Why oh why would you do something like that on twitter?!?

If you need to make multi-thousand character argument there are many better mediums. In fact, I'd be hard pressed to think of a worse presentation than 100 letter chunks surrounded by wasted space at 8 chunks per page (on 1080 vertical lines monitor).


It sounds interesting but I wonder if I should trust the judgment of somebody who thought twitter was the right medium for something like that. What a pain it is to read through these tweets, even in the right order.


Aren't fees just the side effect though?

They are an easy way to limit transactions to prevent spam, as well as give the option to pick and choose which transactions get into a limited size block.

Without fees, miners have no incentives to include anything into a block in a PoW system (since not including any transactions is faster, which would mean more profit over time), and users have no incentive to not make significant amounts of transactions for no reason on the blockchain.


That's how they're pitched, yes. But what's actually happening with Bitcoin currently is that miners have started spamming the mempool with small transactions that never confirm just to bump the TX fees. Furthermore, exchanges like Coinbase haven't implemented TX batching and Segwit, which further compounds the problem. Coinbase is one of the biggest contributors to the 'spam', forcing fees higher and higher.

So in practice, it appears not to be working as theorized.


>spamming the mempool with small transactions that never confirm just to bump the TX fees.

For starters, I'm not convinced it's "spam" and not just people consolidating dust with low fees that don't really care if it never gets confirmed, but will try for a time when it might anyway.

I have done this myself, by carefully crafting a transaction with a ton of dust addresses and setting the fee to be a hair over 1 sat/byte, and it sat in the mempool for a month or 2 (after being rebroadcast several times) before finally getting confirmed a while back. You might call that spam, but for me it was Bitcoin working as intended. My "low importance" transaction waited until the mempool was low to get included.

But even then unless the "spammers" are spending a LOT of money on the fees, it won't affect anything, since all you need to do is spend 1 sat/byte more than them and you will get in next block...

>Furthermore, exchanges like Coinbase haven't implemented TX batching and Segwit, which further compounds the problem.

And fees provide them the ONLY incentive to fix those problems. Without the need for fees, why would anyone in the bitcoin ecosystem ever do batching (a complicated and potentially less secure way of managing transactions), segwit (requires more development resources), and even things like compressed keys (which some exchanges still don't use).


The spammers have been 'caught' on a few occasions. The patterns definitely look like transactions which have been generated by a script with the intention of filling the mempool to push up fees. I've also seen screenshots of Telegram chats where people discuss doing this on Reddit and elsewhere (although I can't find it now, and there's no way to verify authenticity).

Coinbase passes the fees directly onto their customers, and they don't seem to care much. They also don't let users change the fees. In fact, Brian has started shilling Bcash on Twitter, so one might guess they're intentionally pushing up fees to push an altcoin (Bcash).

Protip: GDAX pays the TX fees, so it's possible to workaround the TX fees by moving your coin to GDAX.


Well is it really "spam" if they are paying the same rate as you? It also points to tx fees being extremely necessary, as without them what would stop a malicious actor from spamming SIGNIFICANTLY more, clogging up the blockchain making it so a miniscule fraction of the real transactions could get through?

Also, I'm well aware of GDAX and coinbase and their pitfalls and benefits, but that doesn't have much to do with the discussion of fees and why they are necessary.


AFAIK RaiBlocks is the only coin that has tried to build a completely feeless cryptocurrency. Whether or not it will actually work, I don't know, and the current implementation has a lot of issues. But it's interesting if you're in to crypto. Furthermore, Lightning Network could provide a similar feeless system (excluding the settlement TXs).


>Furthermore, Lightning Network could provide a similar feeless system (excluding the settlement TXs).

There are even ways to get around the extreme majority of the fees for settlement transactions! Look up Channel factories for an idea on how even the opening and settlement transactions can be reduced to about 10% of their current size/cost for a single user. And there might be ways of interacting with channel factories to keep those settlement transactions off the main blockchain for the most part!

Also, I'm fairly certain IOTA doesn't have any TX fees, as well as several others that came before RaiBlocks.


IOTA has a few red flags:

- partially closed source

- has its own custom crypto

- uses a bizarre internal trinary digit system, instead of binary

- I've heard that it doesn't actually work, as in, you can't perform transactions

In terms of the top ~25 coins by market cap, AFAIK RaiBlocks is the only feeless one which actually works. Regardless, it's worth watching these coins to see how the economics work out.


Take a look at https://raiblocks.net/

Feeless, near-instant, scalable, no mining. Apart from minor hiccups (see https://www.reddit.com/r/RaiTrade/comments/7qev9q/can_we_be_...) and the fact that security is not tested thoroughly, this could be the future.


If you read his article he's already pumping Raiblocks.

This is an untested proof of stake system that has been premined, no one is using it for anything other than speculation.

I'm really sick of seeing obvious pumps everywhere, this is untested garbage being perpetuated by hype posters everywhere. Go away.


Sorry for not reading the article. Apart from that: Did you read the RaiBlocks whitepaper? Did you try the technology? Sure there's a lot of room for improvement but the foundation seems to be working just fine. In contrast to many other coins. Furthermore there are projects using (https://brainblocks.io/) and shops accepting (https://www.spendraiblocks.com/) it.


Raiblocks is garbage, quit pumping


Your troll comments are garbage. Kindly take your shit elsewhere.


Aha.

When I was thinking of how to set up a distributed marketplace, I came up with Proof of Burn myself.

The idea would be that you want sellers to pay something to participate in the market, but it's not fair for them to pay it to a central authority. So the solution is to burn some coins.

I should really put together the rest of the ideas into a whitepaper or something... There's a way to do a distributed marketplace in a fair and reliable way. There are a few people trying to do that currently, but most of them seem hung up on some weird design decisions.

Mainly you want to be able to see how many orders a seller has "in flight" at any given time. If 30 orders are placed, and the seller hasn't processed any of them, it's a good sign they're going to welch with the coins. The fact that certain currencies are publicly viewable (BTC for example) allows buyers to have those insights into sellers' activities in a distributed fashion.


I also came up with the idea of Proof of Burn last week.

This would be the ideal one-way upgrade path to a better crypto-currency, without the implications of a coin split (Bitcoin Gold, Bitcoin Cash, Bitcoin Diamond, etc).


> The idea would be that you want sellers to pay something to participate in the market

What? Why would you want to do that beyond covering expenses for scam prevention?


Trust level. If you see a seller advertise 1 teddybear for sale, and you know they burned 3 teddybears worth of coins just to offer you that first teddybear, you can be pretty certain they're not going to run off with your money.

On the other hand, if a new seller didn't spend anything, they could run off with your coins on the first transaction.

This isn't just theoretical; it's the central problem in most darknet markets.


And if they are participating just to build a sufficient level of trust before doing a runner, then you are saying there must be a ratio of "trust to stake" - maybe 1:1 at first maybe increasing - it would be interesting to know what market makers in stock exchanges run at - 1:10 or more?


absolute non sequitur. I'd just think burning the stuff was mad destructive.


Spam prevention.


Another green method for distributed consensus: https://en.wikipedia.org/wiki/Proof-of-space

Basically anything which is cheap to verify but costly to prove could be used.

Proof of burn and proof of stake both ultimately destroy resources. But what if the proof is something that can be used by humanity? Like proof of charity? So instead of sending the coins to an unspendable address, you send the coins to an address which is a charity, such as the Pineapple Fund? Of course such a charity would need to have strict controls on it such that it doesn't misuse the money (such as mining for itself), but actually performs charity.


Brainstorming about ways to prevent misuse of the coins used for mining. Having the charity be operated by humans might be problematic (because, as we all know, humans are corruptible). So it might be better to have the charity be operated algorithmically, ideally via a smart contract. And dumber algorithms might be better since complexity provides more opportunities to exploit.

Since people seem to like the idea of basic income, what if the charity address was exactly that...a basic income provider, which would evenly send out received coins to every real human who registered their own basic income address?


Proof of burn is leveraged by Counterparty [1]. Counterparty is a colored-coin system that uses Bitcoin. You can create tokens in it just like Ethereum.

Bitcoin's enormous popularity and ensuing transaction fee growth has made counterparty much less useful IMO.

[1] https://en.wikipedia.org/wiki/Counterparty_(technology)#Use-...


I think proof of burn could work in case of 2 blockchains - first is powered by good old proof of work, second is using proof of stake. Proof of stake validators could burn coins in 1st blockchain and reference these transactions from the 2nd. Actually, there could be > 1 proof of stake blockchain parasitising on a shared proof of work blockchain. Oh ok, seems like a white paper just born...


But if your good blockchain depends on a bad one (i.e. burning real-world resources), how is it ever going to require burning less real-world resources than only having a bad one? If you propose to just burn less, then any attacker is going to attack the weaker chain.


Yes, there is still burning of electricity in this scheme, but the number of dependent PoS blockchains can be many times > 1. So we burn real energy once and build many energy efficient blockchains on top of it.


Such a currency would destroy PoW coins, putting an end to the environmental impact of mining.


Does this have any benefits whatsoever over Proof of Stake?

(I admit, I couldn't finish reading. The writing style was awful and seemed technically incompetent, though that's probably an unfair assessment from the style.)


I'm confused, why would you burn your proof of work coin? Proof of work is slow and energy inefficient; does it change that?


> "why would burn your proof of work coin?"

You burn your coin to prove that you endured some cost.

Why do you have to prove that you endured some cost? So there is a cost to mining. Why does there need to be a cost to mining? To disincentivize dishonest mining.

> "Proof of work is slow energy ineficient, does it changes that?"

While it doesn't change the proof of work, it does allow that wasted money to be shared by multiple proof-of-burn chains. Remember, it is not the individual coins which are energy inefficient, it is mining which is energy inefficient. There isn't a limit to the number of coins which can be stored in a block, though, so there isn't really a large energy cost of an individual coin.


> ...that is, sent them to a verifiably unspendable address.

How would you accomplish something like this?


maybe by sending to an address which couldn't be possibly generated. Such as maybe address 0 (or another address which could be provable to not be able to be generated).
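Two concrete ways to build an output that anyone can verify is unspendable, as an added example for the question above; this is not code from the wiki page or from any project, it only uses the standard Bitcoin encodings (base58check, the P2PKH script template and OP_RETURN). The 20-byte tag used for the "eater" hash is a made-up value for the example. The first way, an OP_RETURN script, is unspendable by consensus rule: the script fails the moment it runs, and nodes never add such outputs to the UTXO set. The second is the "eater address" pattern the reply gestures at: a normal P2PKH address whose 20-byte hash is a visible pattern rather than the hash of any key, so spending it would require a preimage nobody has.

```python
"""Provably unspendable Bitcoin outputs (added illustration)."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG, OP_RETURN = 0x76, 0xA9, 0x88, 0xAC, 0x6A


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    data += sha256d(data)[:4]  # 4-byte checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte -> leading '1'
    return "1" * pad + out


def base58check_decode(addr: str) -> tuple:
    """Returns (version, payload); raises on a bad checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    body, checksum = raw[:-4], raw[-4:]
    if sha256d(body)[:4] != checksum:
        raise ValueError("bad checksum")
    return body[:1], body[1:]


def p2pkh_script(hash160: bytes) -> bytes:
    """OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG"""
    return bytes([OP_DUP, OP_HASH160, 20]) + hash160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def op_return_script(data: bytes) -> bytes:
    """OP_RETURN <push>: fails on execution, so the output can never be spent."""
    if len(data) > 75:
        raise ValueError("single-byte push only in this example")
    return bytes([OP_RETURN, len(data)]) + data


def is_provably_unspendable(script: bytes) -> bool:
    """The check Bitcoin nodes apply: a script beginning with OP_RETURN is unspendable."""
    return len(script) > 0 and script[0] == OP_RETURN


def eater_address(tag: bytes) -> str:
    """P2PKH address for a nothing-up-my-sleeve hash: the tag, zero-padded to 20
    bytes, in place of RIPEMD160(SHA256(pubkey)). Anyone can decode the address
    and see the pattern; nobody can produce a key that hashes to it."""
    hash160 = (tag + b"\x00" * 20)[:20]
    return base58check_encode(b"\x00", hash160)


if __name__ == "__main__":
    addr = eater_address(b"BURN")  # constructed tag for the example
    print(addr, base58check_decode(addr)[1].hex())
    print(op_return_script(b"proof-of-burn").hex())
```

Which of the two a scheme prefers depends on what it wants verifiers to do: OP_RETURN burns are cheap for the network because the output is pruned, while an eater address keeps the burned coins visible in the UTXO set, which is what a "look up my burn" proof would point at.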



