(regarding the true randomness source) I believe there
would be no trouble propagating this to all nodes, by
out-of-band means if necessary.
Similarly, surviving on a deserted island is easy - I believe you'll have no trouble finding a can opener and plenty of canned food.
If your solution to a distributed consensus problem starts with "assume all parties cooperate and agree on a continually-updating feed of data", it's not exactly compelling.
Also, there's no need to make up words like "remurrage" - economics already has "deflation" for when HODLing currency returns a positive amount.
>There are in fact some further issues, to do with making sure it's not cheap for a miner to re-exhibit their proof (of having performed a suitably substantial burn a suitably long time ago) on multiple competing chains. Details to follow.
which kind of seems like a major omission, as this is the one thing a proof of X should protect against.
I think that would be easy to fix, though. Hash every X'th block in some manner, to take effect in 5X blocks or whatever, would probably be good enough. Again, if someone is manipulating literally every bit of an accepted block successfully to successfully hack you via this method, your currency already has a problem.
There's enough agreed-upon entropy lying around for this to work.
To be fair regarding your last critique, we could also say there’s no need to make up words such as “HODLing” when English already has “holding”. I believe the key idea the author wanted to convey with their new word is that the positive amount is returned explicitly because the quantity of the currency has decreased. This is a particular case of deflation, so it isn’t completely odd to consider introducing a word that succinctly captures that meaning.
I did a bunch of analysis on proof of burn, and came to the conclusion that it cannot work in practice because it relies on transactions in order to burn, which themselves are subject to consensus.
The problem is that the coin that is provably burned isn't scarce unless the network has reached consensus in the first place, and doing a provable burn of something non-scarce is non-sensical. Doing a provable burn on a fork of the Bitcoin chain is irrelevant, as nothing is lost, which means it requires already-existing consensus in order to be effective.
It's the same with proof-of-stake: it purports to use a chain's own coin -- as opposed to energy -- as the scarce commodity that is consumed in order to reach consensus. But coins on a chain are only scarce if only one chain exists, which means proof-of-stake relies on pre-existing consensus in order to reach consensus.
In general, what Bitcoin solves through proof-of-work is actually making a digital token scarce in the first place (by reaching consensus on a single, valid chain). After this, a lot of cool stuff becomes possible, but you can't make use of this cool stuff until consensus has been reached, which means you can't use it to reach consensus.
And the same applies to proof of stake. You need some form of external randomness to give you security. Of course many people have tried to come up with schemes where randomness can be created fairly by a group of people who don't necessarily trust each other [1]. Unfortunately all these schemes require at least half the participants to be honest so are vulnerable to trivial Sybil attacks. And the only way we know how to prevent Sybil attacks is to use proof of work or some sort of centralised system: leaving us back where we started.
I am convinced it can be mathematically proven that Proof of Stake/Burn algorithms don't work (without some sort of external randomness) but I don't have the mathematical skill to produce the proof.
> 1) Randomness (or entropy) in a p2p system is bounded by the data present in the chain. What this means is that (at the very least) an attacker can know ahead of time whether he will win the block reward, because he has all data necessary to compute the result of the random function, no matter what components he is required to use. He can then chose not to participate if he will lose.
You could require miners to announce their proof of burn well in advance of the block they will use it for. Those announcements could be stored in the block chain so that the network can easily agree on when each announcement was made. If the distance in blocks between a burn announcement and the block it will be used for is less than K, the network would ignore that announcement.
So if you want to predict the outcome of block N, you would have to win block N-K and all the blocks in between (or be colluding with all the winners). If K was small you could just burn more than the block reward justifies, discouraging competing miners from burning, but if K is sufficiently large (e.g. 1 month), that would be prohibitively expensive.
> 2) Finney attack. It is completely trivial for an attacker to generate an infinite sequence of valid blocks in which he is the solo participant and is also the winner.
I think you could come up with some rotation mechanism so that only certain accounts can participate in a certain round. It could perhaps be weighted by stake, so to participate in all rounds, one would need to control 100% of the currency (or some lower threshold could be chosen to minimize the rounds that no miners are eligible for).
> 3) Making the block reward equal to the burnt amount makes this functionally equivalent to Proof of Stake for the case of the single miner. However, if you don't make the block reward at least equal to the amount burnt, it is not profitable to mine.
I think you're looking at it backwards; the block reward should be chosen based on the desired inflation rate, and miners will adjust their burn amounts so that burn costs will always roughly equal block rewards. If the costs ever exceed the rewards, it will be brief; some miners will sit out until mining becomes slightly profitable again.
I'm not entirely convinced that cryptocurrencies require fee incentives to stay secure. Most people using a currency aren't interested in the 'value' of a transaction, but rather, they want to perhaps pay a vendor or simply hold a balance. The miners (or stakeholders, in proof of stake) act in order to earn a profit, and may not actually act in the best interests of currency users (including holders and vendors). Miners and stakers are, in a way, just siphoning off profits, and it might be true that actors in the system would still behave honestly without the mining/staking incentives.
The fee incentive is required if, like Bitcoin, you have a capped money supply (and, therefore, the block reward must decrease over time).
A key insight into Nakamoto Consensus is that the security model depends on the the economic rationality of mining honestly: the difficulty of executing a double spend increases exponentially with the number of blocks the victim waits between the transaction hitting the chain and them "accepting" it, but the reward for executing that attack scales linearly with number of blocks (double spend + block reward/fees), which means that the return on investment for the attack decreases over time. The return on investment for mining honestly instead is constant: it's just given by your share of the mining power.
Assuming a worst case scenario of an attacker having just shy of 50% of the mining power, I can calculate how many blocks I should wait before the money I received is considered secure, and that time grows as the amount sent grows in respect to the block reward. Without fees, the block reward goes to zero over time, and the time-until-secure goes to infinity.
They are an easy way to limit transactions to prevent spam, as well as give the option to pick and choose which transactions get into a limited size block.
Without fees, miners have no incentives to include anything into a block in a PoW system (since not including any transactions is faster, which would mean more profit over time), and users have no incentive to not make significant amounts of transactions for no reason on the blockchain.
When I was thinking of how to set up a distributed marketplace, I came up with Proof of Burn myself.
The idea would be that you want sellers to pay something to participate in the market, but it's not fair for them to pay it to a central authority. So the solution is to burn some coins.
I should really put together the rest of the ideas into a whitepaper or something... There's a way to do a distributed marketplace in a fair and reliable way. There are a few people trying to do that currently, but most of them seem hung up on some weird design decisions.
Mainly you want to be able to see how many orders a seller has "in flight" at any given time. If 30 orders are placed, and the seller hasn't processed any of them, it's a good sign they're going to welch with the coins. The fact that certain currencies are publicly viewable (BTC for example) allows buyers to have those insights into sellers' activities in a distributed fashion.
I also came up with the idea of Proof of Burn last week.
This would be the ideal one-way upgrade path to a better crypto-currency, without the implications of a coin split (Bitcoin Gold, Bitcoin Cash, Bitcoin Diamond, etc).
Basically anything which is cheap to verify but costly to prove could be used.
Proof of burn and proof of stake both ultimately destroy resources. But what if the proof is something that can be used by humanity? Like proof of charity? So instead of sending the coins to an unspendable address, you send the coins to an address which is a charity, such as the Pineapple Fund? Of course such a charity would need to have strict controls on it such that it doesn't funnel misuse the money (such as mining for itself), but actually performs charity.
Brainstorming about ways to prevent misuse of the coins used for mining. Having the charity be operated by humans might be problematic (cause as we all know humans are corruptible). So might be better to have the charity be operated algorithmically, ideally via a smart contract. And dumber algorithms might be better since complexity provides more opportunities to exploit.
Since people seem to like the idea of basic income, what if the charity address was exactly that...a basic income provider, which would evenly send out received coins to every real human who registered their own basic income address?
Proof of burn is leveraged by Counterparty [1]. Counterparty is a colored-coin system that uses Bitcoin. You can create tokens in it just like Ethereum.
Bitcoin's enormous popularity and ensuing transaction fee growth has made counterparty much less useful IMO.
I think proof of burn could work in case of 2 blockchains - first is powered by good old proof of work, second is using proof of stake. Proof of stake validators could burn coins in 1st blockchain and reference these transactions from the 2nd. Actually, there could be > 1 proof of stake blockchain parasitising on a shared proof of work blockchain. Oh ok, seems like a white paper just born...
But if your good blockchain depends on a bad one (i.e. burning real-world resources), how is it ever going to require burning less real-world resources than only having a bad one? If you propose to just burn less, then any attacker is going to attack the weaker chain.
Does this have any benefits whatsoever over Proof of Stake?
(I admit, I couldn't finish reading. The writing style was awful and seemed technically incompetent, though that's probably an unfair assessment from the style.)
You burn your coin to prove that you endured some cost.
Why do you have to prove that you endured some cost? So there is a cost to mining. Why does there need to be a cost to mining? To disincentivize dishonest mining.
> "Proof of work is slow energy ineficient, does it changes that?"
While it doesn't change the proof of work, it does allow that wasted money to be shared by multiple proof-of-burn chains. Remember, it is not the individual coins which are energy inefficient, it is mining which is energy inefficient. There isn't a limit to the number of coins which can be stored in a block, though, so there isn't really a large energy cost of an individual coin.
maybe by sending to an address which couldn't be possibly generated. Such as maybe address 0 (or another address which could be provable to not be able to be generated).
[+] [-] al2o3cr|8 years ago|reply
If your solution to a distributed consensus problem starts with "assume all parties cooperate and agree on a continually-updating feed of data", it's not exactly compelling.
Also, there's no need to make up words like "remurrage" - economics already has "deflation" for when HODLing currency returns a positive amount.
[+] [-] contravariant|8 years ago|reply
>There are in fact some further issues, to do with making sure it's not cheap for a miner to re-exhibit their proof (of having performed a suitably substantial burn a suitably long time ago) on multiple competing chains. Details to follow.
which kind of seems like a major omission, as this is the one thing a proof of X should protect against.
[+] [-] jerf|8 years ago|reply
There's enough agreed-upon entropy lying around for this to work.
[+] [-] alextheparrot|8 years ago|reply
[+] [-] wildbunny|8 years ago|reply
You can read my detailed analysis here: https://bitcointalk.org/index.php?topic=1182677.0
Cheers, Paul.
[+] [-] runeks|8 years ago|reply
It's the same with proof-of-stake: it purports to use a chain's own coin -- as opposed to energy -- as the scarce commodity that is consumed in order to reach consensus. But coins on a chain are only scarce if only one chain exists, which means proof-of-stake relies on pre-existing consensus in order to reach consensus.
In general, what Bitcoin solves through proof-of-work is actually making a digital token scarce in the first place (by reaching consensus on a single, valid chain). After this, a lot of cool stuff becomes possible, but you can't make use of this cool stuff until consensus has been reached, which means you can't use it to reach consensus.
[+] [-] barbegal|8 years ago|reply
I am convinced it can be mathematically proven that Proof of Stake/Burn algorithms don't work (without some sort of external randomness) but I don't have the mathematical skill to produce the proof.
[1] https://eprint.iacr.org/2017/216.pdf
[+] [-] dlubarov|8 years ago|reply
You could require miners to announce their proof of burn well in advance of the block they will use it for. Those announcements could be stored in the block chain so that the network can easily agree on when each announcement was made. If the distance in blocks between a burn announcement and the block it will be used for is less than K, the network would ignore that announcement.
So if you want to predict the outcome of block N, you would have to win block N-K and all the blocks in between (or be colluding with all the winners). If K was small you could just burn more than the block reward justifies, discouraging competing miners from burning, but if K is sufficiently large (e.g. 1 month), that would be prohibitively expensive.
> 2) Finney attack. It is completely trivial for an attacker to generate an infinite sequence of valid blocks in which he is the solo participant and is also the winner.
I think you could come up with some rotation mechanism so that only certain accounts can participate in a certain round. It could perhaps be weighted by stake, so to participate in all rounds, one would need to control 100% of the currency (or some lower threshold could be chosen to minimize the rounds that no miners are eligible for).
> 3) Making the block reward equal to the burnt amount makes this functionally equivalent to Proof of Stake for the case of the single miner. However, if you don't make the block reward at least equal to the amount burnt, it is not profitable to mine.
I think you're looking at it backwards; the block reward should be chosen based on the desired inflation rate, and miners will adjust their burn amounts so that burn costs will always roughly equal block rewards. If the costs ever exceed the rewards, it will be brief; some miners will sit out until mining becomes slightly profitable again.
[+] [-] sova|8 years ago|reply
[+] [-] brndnmtthws|8 years ago|reply
I wrote a blog post about this: https://medium.com/@brndnmtthws/questioning-assumptions-do-c...
[+] [-] pdpi|8 years ago|reply
A key insight into Nakamoto Consensus is that the security model depends on the the economic rationality of mining honestly: the difficulty of executing a double spend increases exponentially with the number of blocks the victim waits between the transaction hitting the chain and them "accepting" it, but the reward for executing that attack scales linearly with number of blocks (double spend + block reward/fees), which means that the return on investment for the attack decreases over time. The return on investment for mining honestly instead is constant: it's just given by your share of the mining power.
Assuming a worst case scenario of an attacker having just shy of 50% of the mining power, I can calculate how many blocks I should wait before the money I received is considered secure, and that time grows as the amount sent grows in respect to the block reward. Without fees, the block reward goes to zero over time, and the time-until-secure goes to infinity.
[+] [-] kneel|8 years ago|reply
PoS doesn't work by itself, anyone who tells you otherwise doesn't understand the underlying security of a decentralized blockchain.
A saw a nice rant on twitter the other day about this very subject: https://twitter.com/hugohanoi/status/951762596255838209
You CAN have a PoS network built on top of a PoW network(LN) but there will still be fees.
[+] [-] Klathmon|8 years ago|reply
They are an easy way to limit transactions to prevent spam, as well as give the option to pick and choose which transactions get into a limited size block.
Without fees, miners have no incentives to include anything into a block in a PoW system (since not including any transactions is faster, which would mean more profit over time), and users have no incentive to not make significant amounts of transactions for no reason on the blockchain.
[+] [-] shoq|8 years ago|reply
Feeless, near-instant, scalable, no mining. Apart from minor hiccups (see https://www.reddit.com/r/RaiTrade/comments/7qev9q/can_we_be_...) and the fact that security is not tested throughout, this could be the future.
[+] [-] sillysaurus3|8 years ago|reply
When I was thinking of how to set up a distributed marketplace, I came up with Proof of Burn myself.
The idea would be that you want sellers to pay something to participate in the market, but it's not fair for them to pay it to a central authority. So the solution is to burn some coins.
I should really put together the rest of the ideas into a whitepaper or something... There's a way to do a distributed marketplace in a fair and reliable way. There are a few people trying to do that currently, but most of them seem hung up on some weird design decisions.
Mainly you want to be able to see how many orders a seller has "in flight" at any given time. If 30 orders are placed, and the seller hasn't processed any of them, it's a good sign they're going to welch with the coins. The fact that certain currencies are publicly viewable (BTC for example) allows buyers to have those insights into sellers' activities in a distributed fashion.
[+] [-] miguelrochefort|8 years ago|reply
This would be the ideal one-way upgrade path to a better crypto-currency, without the implications of a coin split (Bitcoin Gold, Bitcoin Cash, Bitcoin Diamond, etc).
[+] [-] contrarian_|8 years ago|reply
What? Why would you want to do that beyond covering expenses for scam prevention?
[+] [-] em3rgent0rdr|8 years ago|reply
Basically anything which is cheap to verify but costly to prove could be used.
Proof of burn and proof of stake both ultimately destroy resources. But what if the proof is something that can be used by humanity? Like proof of charity? So instead of sending the coins to an unspendable address, you send the coins to an address which is a charity, such as the Pineapple Fund? Of course such a charity would need to have strict controls on it such that it doesn't funnel misuse the money (such as mining for itself), but actually performs charity.
[+] [-] em3rgent0rdr|8 years ago|reply
Since people seem to like the idea of basic income, what if the charity address was exactly that...a basic income provider, which would evenly send out received coins to every real human who registered their own basic income address?
[+] [-] wyldfire|8 years ago|reply
Bitcoin's enormous popularity and ensuing transaction fee growth has made counterparty much less useful IMO.
[1] https://en.wikipedia.org/wiki/Counterparty_(technology)#Use-...
[+] [-] viach|8 years ago|reply
[+] [-] lucb1e|8 years ago|reply
[+] [-] miguelrochefort|8 years ago|reply
[+] [-] eximius|8 years ago|reply
(I admit, I couldn't finish reading. The writing style was awful and seemed technically incompetent, though that's probably an unfair assessment from the style.)
[+] [-] Ceezy|8 years ago|reply
[+] [-] em3rgent0rdr|8 years ago|reply
You burn your coin to prove that you endured some cost.
Why do you have to prove that you endured some cost? So there is a cost to mining. Why does there need to be a cost to mining? To disincentivize dishonest mining.
> "Proof of work is slow energy ineficient, does it changes that?"
While it doesn't change the proof of work, it does allow that wasted money to be shared by multiple proof-of-burn chains. Remember, it is not the individual coins which are energy inefficient, it is mining which is energy inefficient. There isn't a limit to the number of coins which can be stored in a block, though, so there isn't really a large energy cost of an individual coin.
[+] [-] libeclipse|8 years ago|reply
How would you accomplish something like this?
[+] [-] em3rgent0rdr|8 years ago|reply
[+] [-] Proven|8 years ago|reply
[deleted]