There is an inefficiency in POW truthcoin. If more than one person learn the same valuable piece of information in the same block period, assuming they are both rich enough to completely leak the information, then only one of them can collect the prize for leaking this information.
They both try to bribe the miner, so that they can take the prize. Whoever offers more money to the miner will get their tx included first. The result being that the miner gets 90%+ of the prize, even though he did not leak any information.
Using a good proof of stake system, this money would not go to the miner. Instead it would get burned.
I will outline the mechanism of how it gets burned:
A block is only valid if more than 50% of the signers sign on it. Signers cannot sign on competing blocks.
So at every block height, there is at most 1 valid block.
Usually, cost to produce that block is small, about 10 cents.
But if there are no valid blocks at a particular height, then it costs R as much to skip it and make a block at the next height. (where R is a number > 1)
Skipping N blocks makes the next block cost R^N times as much as usual.
So it would cost (10 cents)*R^(block depth) to double-spend a transaction.
When 2 people are competing to leak information first, they will repeatedly skip each other's blocks, paying a higher and higher fee. Eventually the fee would exceed the reward. At that point, they stop skipping more blocks. If R=1.1, then then one of them ends up taking 5% of the reward on average, and the rest of the reward is burned.
of course, if the 2 people decided to work together instead of competing, they could have split the full reward 50/50.
Proof of stake is defective...I have been drafting the blog post about this for a few weeks, but I only have an hour or two each day to work on all things Truthcoin, and writing comes very slowly to me.
Just one example among
many:
Quote from: zack on November 05, 2014, 07:16:36 PM
Signers cannot sign on competing blocks.
This is obviously untrue. It is obvious to me that you are referring to the Slasher hodgepodge being sewn together by Vitalik et al, so you meant: "Signers are discouraged from signing on competing blocks".
I know how Slasher intends to discourage this, and it won't work. People will still sign on other blocks for lots of reasons, the most obvious of which is that a double-spend is way more valuable than some lost block rewards.
In the meantime you can re-read Poelstra's paper (https://download.wpsoftware.net/bitcoin/alts.pdf), as I constantly suggest.
Yes, you are correct it is mathematically feasible that they could sign both chains.
Besides sacrificing their reward, they would also lose a large safety deposit on both chains.
The safety deposit is 50 times bigger than the reward.
If they fail to sign on any chain, then they get the safety deposit back, but no reward.
So an attacker who is willing to spend 50x more money per block than the real chain costs would be able to bribe signers to make his chain look valid.
Many of the signers will be unbribeable. The attacker will have to pay much more than 50x, since he will have to skip a lot of blocks.
This attack only works for transactions that are less than 100 or so deep. Beyond that the ESS (exponential subjective scoring) makes forks impossible.
So for very small txs, you can trust it after 5-10 confirmations. For high-value transactions you should wait for 100 confirmations.
ESS means that you tell your software a recent block hash, and your software dislikes chains which do not end in your goal. Forks which leave the expected path further ago in history are punished higher exponentially.
Sorry, but some of your premises are false ("ESS makes forks impossible") and others are Not-Even-Wrong ("signers will be unbribeable"), and even the true premises you introduced do not support your implied conclusion ("that proof of stake is an alternative to proof of work for distributed consensus").
I don't really have time to explain it to you. I'm afraid you'll just have to figure it out yourself or wait for my blog post, which I am in really in no hurry to write (having not a lot of free time, and spending it on friends/family/full-time-job/hobbies).
Anyway, it would probably be better for you to do your own thinking on this matter.
We only need >1/3rd of the signers to be unbribeable. If I personally maintain ownership of 1/3rd of the coins, then I can be sure it is secure.
I understand that you don't have time, I excuse your inability to talk further on the subject.
Truthcoin is the only thing I talk to my friends or family about. It is my only means of employment. It is also my only hobby.
So I can afford to go on some pretty deep tangents.
If I find anything interesting, you will catch up quickly soon enough.
If proof of stake doesn't work, then I will have wasted two months of my labor.
If proof of stake does work, then I will be a billionaire.
I think that you should try anything you are passionate about, and report back to others with what you learned (#science), but I would keep in mind that..
Quote from: zack on November 07, 2014, 04:19:33 AM
If proof of stake doesn't work, then I will have wasted two months of my labor.
If proof of stake does work, then I will be a billionaire.
..has been true of many, many, bad ideas.
Just read Poelstra's paper.
Why can't truthcoin work with merged mining? I think proof of work is the only way which works.
Truthcoin could work with merged mining. That is another alternative that we have been considering.
We could also build it on top of Ethereum.
If I launch a bitcoin fork, how are you supposed to tell whether my fork is bitcoin or whether bitcoin is bitcoin?
Block time is a lot faster in Dogecoin than in bitcoin, so technically dogecoin has more blocks of depth. How do you decide to store your wealth in bitcoin instead of dogecoin?
If someone sends you dogecoin, how are you to know that it isn't bitcoin?
Just to install bitcoin you have to trust a github page, or a link from a friend, or a website or something.
Since you can ask anyone for the link, this is an example of a decentralized protocol.
This decentralized protocol is maintaining a consensus of the basic software needed to download the bitcoin blockchain.
It is a simpler consensus protocol that is used to bootstrap POW.
Do you trust this decentralized consensus protocol which is not POW?
Well I have the signing keys of the bitcoin devs and use that to verify that packages have been released by the core team. So the distribution mechanism in this way is centralized for me. I store wealth in the btc blockchain as opposed to dogecoin because it isn't how many blocks exist but the hashing power used to create them, plus the network effects of bitcoin make it *the one*. :)
Trapped as I am in the Ft Lauderdale Airport, I finished my blog post about "alternatives" to proof of work / mining: http://www.truthcoin.info/blog/pow-and-mining/
From your blog post:
"Whatever "it" is, if it creates $100 worth of value, but costs <$100, everyone will be doing it as fast as possible. Applied to blockchains, if X dollars of coins are being released by each new block, then X dollars are going to be spent mining that block."
I cannot agree more. That is why my versions of slasher don't ever allow for the creation of money. In my slasher the total number of coins can only decrease.
Later you talk about why proof of work is effective, and against I completely agree. POW does work to maintain consensus.
If there was a cheaper alternative to POW, it would eventually out compete. $1/2 a million per day is very expensive.
Thirdly you talked about how it needs to be expensive to create blocks.
I agree with you. That is why my POS scheme charges a big fee for creating a new block. You have to burn a bunch of money.
You could think of it as a negative block reward.
The total number of coins has a half-life.
Do you have any evidence that proof of stake cannot work? If it is truly ineffective, I would like to find out soon so that I don't waste any more time on it.
I think it would be more appropriate to post in the comments section of the blog, don't you? Otherwise things will become less-organized.
Just to support Zack:
Some implementation will of PoS will clearly be the long term solution for cryptocurrencies. POW was good for the initial coin distribution but it is way too expensive for the consensus mechanism when block rewards converges to 0. (And if it would not be too expensive it would be to insecure) The incentive scheme has serious flaws.
I have given a talk on this meanwhile twice: http://de.slideshare.net/MartinKppelmann/miningwars. (I guess the slides are not self explaining and I have not found the time yet to write it all down)
For Truthcoin I see 3 possivle solutions:
1. as a sidechain on Bitcoin (but sidechains make the POW incentive flaws even worse: compare: https://www.reddit.com/r/Bitcoin/comments/2mkd0o/we_are_the_founders_of_counterparty_the_free_and/cm58upk)
2. on Ethereum
3. An own PoS solution
By the way, I just agreed to give a presentation on POS here: http://www.meetup.com/BitDevsNYC/events/218781358/
Would be great to have you there...
I've already responded to your points on Twitter..PoS IS PoW. They're the same thing, except that one is cumulative. One is not "more expensive" than the other...that is economically impossible (as I explain on my blog).
I feel that the PoS question is separate from the long-term Fees/Coinbase question. I've expressed my views on the comments section of ( http://www.truthcoin.info/blog/basics/ ).
I would be happy to attend the presentation this Tuesday.
I agree to: money spend into mining (MSIM) = reward for miners (rfm).
This holds true for POW and POS.
However, for POW it is important that the MSIM is at least a decent fraction of the total coin market cap. For POS this is not necessary. Instead a high coin market cap helps to secure the consensus/network.
Might it be that you are assuming a POS implementation where you have to "burn" money to get votes? Note that this is not necessary - proof of control is enough.
Quote from: psztorc on November 29, 2014, 10:28:30 PM
I would be happy to attend the presentation this Tuesday.
Nice, this will become an interesting discussion. Zack, can you possibly join as well?
I would love to attend a meeting about proof of stake.
Here is my unfinished implementation: https://github.com/zack-bitcoin/slasher
I am in California, have a plane ticket to Texas on the 2nd.
I can't afford to get myself to New York, or back to Texas after.
Neither do I have anywhere to stay in New York.
NXT has lasted so long. Maybe it is easier to put truthcoin onto an existing POS instead of writing a new one?
They have a pretty big bounty to find bugs, and no one is finding any.
I don't program java yet, so I am not sure how feasible this plan is.
Maybe the Jython compiler would let us use the same code from the truthcoin implementation.
I would be sad if the majority of the profit from truthcoin went to NXT people instead of people like psztorc who actually worked on truthcoin.
What a pity.
I could have helped out with a place to stay.
Have you somewhere written down the conceptual details of slasher?
From Vitaliks latest post: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/ - what of the option discussed here do you use? Or do you use different one?
this is the only writing about slasher I did: https://github.com/zack-bitcoin/slasher
I use a lot of Vitalik's ideas.
From this essay: https://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/
1) his algorithm for selecting signers from the coin-holders, with a small adjustment.
2) the punitive transaction type.
from the essay you linked I took:
1) weak subjectivity (I haven't implemented this yet)
from here https://blog.ethereum.org/2014/07/05/stake/
1) the low influence random number generator
I use something similar to Daniel Larimer's transactions as proof of stake. Every transaction must reference the hash of one of the 10 most recent blocks.
from this essay: https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/
1) creating a new block should cost a large fee. A negative block reward. (The only part of slasher that I personally invented.)
2) I use something similar to his idea (7), quote: "If there is an insufficient number of signers to sign at a particular block height h, a miner can produce a block with height h+1 directly on top of the block with height h-1 by mining at an 8x higher difficulty (to incentivize this, but still make it less attractive than trying to create a normal block, there is a 6x higher reward). "
But instead of charging POW, I charge a fee.
from here http://vitalik.ca/ethereum/patricia.html
1) I took the idea to use Patricia trees so that users can efficiently prove how much money they had at any point in history.
An idea that Vlad Zamfir explained to me:
The total amount of money spent in a block must be less than or equal to the total amount of safety deposits left by the people who signed on that block. That way, any double-spend attack ends up costing more money than can be stolen. All the safety deposits are deleted.
My slasher will have 4 transaction types:
1) spend money
2) sign on a block to help make the next valid block.
3) punish someone who signed on contradictory chains.
4) redeem your reward for having signed 3000 blocks ago.
It will NOT have a forth-like scripting language like bitcoin.