CryptoSlo cryptocurrency news and investing

In this lecture we’re going to talk about alternatives to Bitcoin’s existing proof-of-work mining puzzle. Mining puzzles are at the very core of Bitcoin because mining puzzles determine the incentive system in Bitcoin. Bitcoin miners get rewards for the puzzles that they solve. We expect that miners will spend considerable effort trying to find any shortcuts available to them to solve these puzzles faster or more efficiently. If there’s a faster way to solve puzzles, we think they’ll take it. Also, if there’s extra stuff to do that might help the network but doesn’t directly help them solve puzzles any faster, we expect that they might eventually not bother to do so at all. Therefore, the nature of the puzzle plays a very important role in steering and guiding participation in the network.

Now, we’ve talked about some of the basic features that Bitcoin’s existing SHA-2 hash-based mining puzzle already satisfies. So, for example, it’s fairly difficult to solve a whole bunch of puzzle solutions. This makes attacks on the Bitcoin network very costly or unlikely to succeed. On the other hand, puzzle solutions are found at a fairly predictable rate, once every ten minutes by someone.

This means that honest miners who participate have some incentive to keep participating and compensate themselves for the resources that they put into the network. If we were going to design a new puzzle system from scratch, or modify Bitcoin’s puzzle system to be different somehow, what else could we design the puzzle to achieve? What other kinds of behaviors would we like to encourage or disincentivize?

In this lecture we’re going to talk about a variety of possible alternative puzzle designs. Some of them are already used in practice in altcoins existing today; others are research ideas that might turn out to be used in the future. The puzzles that we’ll look at can achieve a variety of possible goals, such as ASIC resistance, which means leveling the playing field between users with ordinary computing equipment and users with special optimized custom hardware. We’ll also look at puzzles that discourage users from delegating their participation to directors of large centralized pools, and we’ll look at useful proofs of work that have intrinsic social benefit. We’ll also talk about some of the essential security requirements for mining puzzles. It doesn’t do any good to have some fancy secondary feature if the puzzle doesn’t still satisfy the basic requirements that it needs to keep Bitcoin secure.

Before going into the alternate puzzle designs, let’s talk a little bit about some of the essential requirements that any viable mining puzzle has to satisfy. Now, there are many possible requirements. We’ve talked about some of them before. Mining puzzles need to be cheap to verify the solutions, because every node on the network validates all of the puzzle solutions, even ones that aren’t involved in mining directly. Puzzles also have to have adjustable difficulty, so that the difficulty of the puzzle can be adjusted over time as new users join the network with increasing amounts of hash power contributed. I’m only going to talk in detail right now about one other essential requirement, which is a little bit subtle. This is that the chance of winning a puzzle solution in any unit of time should be roughly proportional to the hash power contributed. In particular, this means that really large miners with very powerful hardware should only have a proportional advantage in being the next miner to find a puzzle solution. Even small players should have some proportional chance of being successful in receiving compensation.

Now, to illustrate this point, let me show you an example of a bad puzzle that doesn’t satisfy this requirement. Consider a mining puzzle that takes exactly n steps to find a solution. There are examples of puzzles like this; I don’t need to go into details, though, but consider these a sequential proof of work. A miner would be able to find one of these proof-of-work solutions by computing n steps in order in a sequence; once it reaches n steps, it finds a solution. Now, the problem is that if it takes exactly n steps in a sequence to find a puzzle solution, then the fastest miner in the network will always be the one who wins the next reward. All right, so consider a scenario with two equally powerful miners and a third miner that’s slightly faster at making computational steps than the other two. For every step that the small miners take, the large miner takes two steps here. This means that the large miner finds its puzzle solution at the end of n steps while the smaller miners are still computing theirs. In this case, the fastest miner would be the only one who would receive any compensation at all. Therefore, none of the other nodes would have any incentive to participate in the first place. So the alternative to this, a good puzzle, is one that gives every miner a chance of winning the next puzzle solution in proportion to the amount of hash power they contribute.
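The three-miner scenario above, as an added simulation that is not part of the lecture: it compares the sequential n-step puzzle with a puzzle in which every step wins independently with a small probability. The step rates, the success probability `p` and all function names are assumptions chosen for illustration.

```python
import math
import random

# Constructed scenario from the text: two equal miners and one that takes
# two steps for every step the others take.
RATES = [1, 1, 2]


def sequential_winner(rates, n_steps):
    """Puzzle needing exactly n_steps in sequence: finish time is n_steps / rate."""
    times = [n_steps / r for r in rates]
    return times.index(min(times))


def attempts_until_success(rng, p):
    """Sample how many independent attempts are needed for the first success."""
    u = rng.random()  # in [0, 1), so 1 - u is in (0, 1]
    return int(math.log(1.0 - u) / math.log(1.0 - p)) + 1


def lottery_winner(rng, rates, p):
    """Puzzle where each step wins with probability p, regardless of past steps."""
    finish = [
        (attempts_until_success(rng, p) / r, rng.random(), i)  # random tie-break
        for i, r in enumerate(rates)
    ]
    return min(finish)[2]


def win_shares(rounds=20000, p=0.001, n_steps=1000, seed=1):
    """Return (sequential shares, lottery shares) of rounds won per miner."""
    rng = random.Random(seed)
    seq = [0] * len(RATES)
    lot = [0] * len(RATES)
    for _ in range(rounds):
        seq[sequential_winner(RATES, n_steps)] += 1
        lot[lottery_winner(rng, RATES, p)] += 1
    return [c / rounds for c in seq], [c / rounds for c in lot]


if __name__ == "__main__":
    seq, lot = win_shares()
    print("sequential puzzle win shares:", seq)
    print("per-step lottery win shares: ", [round(s, 3) for s in lot])
```

In the sequential puzzle the faster miner wins every round; in the per-step lottery the win shares track each miner's share of the total step rate.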

This forms a weighted sample of all of the miners. So imagine throwing a dart randomly at a board of different-sized targets, where the size of the target corresponds to mining power. The more hash power you contribute, the better your chance of being the node that finds the next puzzle solution. A puzzle that has this property is sometimes called progress free. Now, this was just one of the requirements. There are others, but for now we’re going to move on to types of alternative puzzles, and we’ll discuss essential requirements as they come up.

We’re going to start by talking about ASIC-resistant mining puzzles. These are far and away the most widely discussed and sought-after alternative mining puzzles. Now, there are several reasons why we might want an ASIC-resistant mining puzzle. If you recall from previous lectures, Bitcoin mining used to be done using ordinary computers like CPUs and GPUs, then eventually moved towards customized FPGA devices, and now mining is mostly conducted using very powerful optimized ASIC chips, which are so vastly more effective than general-purpose computing equipment that it doesn’t even pay off to use an ordinary computer or a very old generation of mining equipment. But this is too bad in a way, because it used to be very appealing that ordinary users could mine bitcoins out of thin air just by leaving their computer on overnight, a computer that they already had. This was really good for a low barrier to entry, because it gave a compelling reason for ordinary users around the world to join the Bitcoin mining network and participate. So wouldn’t it be nice if we could go back to the good old days when it was possible to mine bitcoins using ordinary general-purpose computing equipment? So the approach to go back to this is to come up with a puzzle that reduces the gap between the most cost-effective customized hardware and general-purpose equipment that ordinary people already have.

A separate goal is to try to prevent the very large ASIC manufacturers from dominating the Bitcoin mining game. There are only a few companies that are able to produce large semiconductor fabrication in order to actually produce the ASICs, so this represents a sort of consolidation of power. Now, a lot of customers of Bitcoin mining ASICs have this concern that the manufacturers are going to delay the shipment of their mining devices in order for the manufacturers to use the mining devices themselves, for their own benefit, to get their own rewards at the expense of their customers. Another concern is that if there is some breakthrough and there’s a vastly more efficient ASIC design, whoever comes up with that design might keep it a trade secret to themselves and use it to build their own very powerful industrial mining center, and then they would be able to dominate the network. So the approach here might be to build a puzzle that reduces the gap between potential future hardware ASIC designs and the ASICs that we already have, which are largely distributed to ASIC mining customers.

We’re going to start by talking about the most widely used approach towards having an ASIC-resistant puzzle. This is called a memory-hard puzzle. Now, the premise here is fairly simple, and it’s based on a well-known phenomenon since the 80s about the change in the performance of computing equipment over time. Since the 80s, the performance of processing has increased at an exponential rate.

You’ve probably heard of this referred to as Moore’s law. Now, the performance of memory and storage has also increased at an exponential rate, but this rate is much slower, a much lower rate than that for processors. There’s a performance gap between the most efficient processors and the most efficient memory and storage, and this gap actually grows over time. This means that if we had a puzzle that required lots of memory to compute rather than just processing circuits, then the potential improvement from next generation’s optimized hardware over the current generation of optimized hardware, or even general-purpose computing equipment, would be much lower, and that’s what we want.

So we’re going to talk now about the most popular instance of a memory-hard puzzle. This is called scrypt. Scrypt is actually a memory-hard hash function, and a scrypt-based mining puzzle is the same as the Bitcoin mining puzzle, just replacing the SHA-2 hash with the scrypt hash. Scrypt is memory hard in the sense that it has a constant time-memory trade-off. This means that the hash can be computed using a fixed amount of memory; it’s possible to compute it using less memory, but doing so increases the amount of time that it takes to compute. Now, as I mentioned, this puzzle is actually widely used in Bitcoin alternatives, including the second most popular cryptocurrency, Litecoin, and a variety of others. One thing that is scrypt’s advantage is that this hash function is also used in another place in security, especially password hashing, which has similar goals to ASIC resistance in Bitcoin mining. This gives extra confidence that if there are security problems with the hash function, then other people are looking at them and might find them.

Now, the basic way that scrypt works goes in two steps. The first step involves filling a large block of random access memory with random values, and the second step involves reading from this memory in a random order. Now I’m going to give a detailed illustration of just how the scrypt hash function works. Now, the goal here is going to be to compute the scrypt hash function of an input string X. This is going to be the first step: the goal is to fill a block of memory containing n cells with random values. Here n is 36. Now, these values are going to be filled in in sequential order. The first value V1 is simply the hash of the input string X, where the hash function H is an ordinary hash function like SHA-2. Now, the second value V2 is the hash, SHA-2, of the previous value V1. This is the same as the hash function applied to the input string X twice, and so on. The third value V3 is the hash function applied to the input value X three times, and so on. After n iterations, all n memory cells are filled up with pseudo-random values, and the last value is the same as the hash function H applied to X n times.

Now, in the next step we’re going to read back the values of memory in random order. Now, we’re going to begin by having an accumulator value A, which involves computing the hash function H one more time on the last value. Now, for n iterations, we’re going to use the current value of the accumulator A to pick an index i out of these n potential memory cells. Then we’re going to read that value of memory, XOR it with the current accumulator value A, take the hash H once more of this value, and replace the accumulator’s value with this updated value. Now, after n iterations, the final value of the accumulator A is the output of this hash function.

Now let me explain the intuition for why this scrypt hash function is memory hard. Now, you can compute this by using the n memory cells as described just before. It’s also possible to compute the scrypt hash value using less memory. Suppose you wanted to cut down the amount of memory you needed by half. You could do this by only storing every other value V in the table, only the odd values in this case.
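The two-step construction described above, together with the keep-only-the-odd-cells variant just mentioned, as an added sketch that is not part of the lecture. It follows the simplified description given here with SHA-256 standing in for H and is not the real scrypt function; the function names, the way the index is derived from the accumulator and the sample input are assumptions.

```python
import hashlib


class CountingHash:
    """SHA-256 wrapper that counts how many times H is evaluated."""

    def __init__(self):
        self.calls = 0

    def __call__(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha256(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_scrypt(x: bytes, n: int, stride: int = 1):
    """Return (output, cells_stored, hash_calls).

    stride=1 stores every cell V1..Vn; stride=2 stores only V1, V3, V5, ...
    and recomputes a missing cell from the nearest stored one below it.
    """
    h = CountingHash()

    # Step 1: fill memory sequentially, V_i = H(V_(i-1)) with V_0 = x.
    stored = {}
    v = x
    for i in range(1, n + 1):
        v = h(v)
        if (i - 1) % stride == 0:
            stored[i] = v

    # Step 2: read memory back in an order driven by the accumulator.
    acc = h(v)  # H applied once more to the last value V_n
    for _ in range(n):
        i = int.from_bytes(acc, "big") % n + 1   # index in 1..n (assumed mapping)
        base = i - (i - 1) % stride              # nearest stored index <= i
        cell = stored[base]
        for _ in range(i - base):                # extra hashes pay for saved memory
            cell = h(cell)
        acc = h(xor_bytes(acc, cell))
    return acc, len(stored), h.calls


if __name__ == "__main__":
    header = b"constructed sample input"          # constructed, not real block data
    for stride in (1, 2):
        out, cells, calls = toy_scrypt(header, n=36, stride=stride)
        print(f"stride={stride} cells={cells} hash_calls={calls} out={out.hex()[:16]}")
```

Both runs produce the same output; the second holds half as many cells and pays for it with additional evaluations of H during the read phase.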

Now, what happens if you need to access one of the even-numbered values of V, which you aren’t storing? You need to compute it from the values of V that you are storing. Now, you can always compute V_i by computing the hash H of V_(i-1). Now, this works, and you got away with using less memory, but you had to compute an extra value for H. Now, this intuition holds up on average: if you wanted to reduce the amount of memory by half, you would have to increase the amount of computation cycles you need by a factor of one and a half, and so on.

Now, to talk a little bit about scrypt’s use in practice, there are a couple of disadvantages. One is that even though it has this advantage of being memory hard to compute, the scrypt-based mining puzzle also requires an amount of memory and n cycles in order to check a proof-of-work puzzle solution. This puts a constraint on how large you can set n, in other words, how memory hard you can make it. Now, a good question is: is this memory-hard puzzle actually ASIC resistant? And there’s some uncertainty here. Scrypt ASICs are already available, at least the first generation of these, and they are at least somewhat faster than what you can do with general-purpose computing equipment like CPUs and GPUs. There are several companies competing to make faster scrypt ASICs, and it’s unclear how much better this performance gap will be able to get. There’s some concern that in the altcoins that currently use scrypt-based mining puzzles, the parameter n hasn’t been set correctly, and this is one of the factors leading to ASICs arriving. Now, this general approach of having a memory-hard hash function is good because, as I mentioned, scrypt is used in other applications like password hashing, and so if there’s any future improvements in password hashing, then memory-hard mining puzzles would be able to use these new password hashing functions and be able to achieve the desired effect.

Now I’m going to talk about another approach to
having a memory-hard proof-of-work mining puzzle. This puzzle is called cuckoo hash cycles, and the main advantage this has over scrypt is that it doesn’t require any random access memory to check a puzzle solution. Now we’re going to look at how this works. For every mining attempt, we’re going to start with a potential solution X, which you can think of as a random string, and we’re going to use the following procedure to determine whether or not X is a puzzle solution. For the first step, we’re going to select E pseudo-random edges in this graph. Now, for each edge, we’re going to pick a random node from the top set of nodes and a random node from the bottom set of nodes. Now, we do this by computing hash values, using again the underlying hash value H, which can just be an ordinary hash function. Now, the edges are filled in in the graph as illustrated below. Once the graph’s completed, you want to determine whether or not there’s a cycle in the graph of size K. Now, a cycle is a set of edges such that if you align the edges tip to tip or tip to end, then they form a complete cycle. So here’s what a cycle of size four would look like in this illustrated graph. K is another parameter of the puzzle. If the graph determined by input X has a cycle of size K, then we say that this has a solution, and we just output the input value X as well as the evidence that there is a cycle, so the K indexes of the edges.

Now, it’s not as intuitive why this is a memory-hard function, but the explanation is that finding cycles in graphs is a fairly well-studied problem, and the best known algorithms for doing this do require a large amount of memory. Now, what is really clear to see is that this puzzle is very easy to check. The only thing you need to do in order to check the puzzle solution is to recompute what the edge endpoints would be for each of the K edges provided, using the input value X. You only have to compute K hash functions, and no random access memory is required.

Now, there are even more approaches towards building ASIC-resistant mining puzzles. I’m only going to describe these really briefly. One is to simply build much more complicated hash functions than the ones that we’ve talked about so far. One example of this is the mining puzzle based on the X11 hash function, which is simply 11 well-known hash functions strung together in a sequence. Another approach is to have a mining puzzle that’s a moving target. Here you would have a mining puzzle that actually changes altogether every so often. This means that optimized mining hardware for one puzzle probably wouldn’t be good at solving all of the puzzles even after the puzzle changes, and customized mining hardware that’s only good at solving one instance of the puzzle won’t be very useful once the puzzle does change. Now, it’s unclear exactly how we would change the puzzle every so often in order to maintain the security requirements that we need.

Now, there’s a counterargument that says that there’s really no point in trying to make an ASIC-resistant puzzle, because the SHA-2-based mining puzzle that we already have is already good enough. Now, the SHA-2 circuit is pretty well understood. We have a good idea of what’s the optimal way of computing SHA-2. As a result, Bitcoin mining ASICs aren’t changing very much, and it seems unlikely that there’s going to be a breakthrough in computing these proof-of-work solutions any faster. Now, even as it is today, mining ASICs consist of multiple copies of the same basic SHA-2 circuit, and the only difference between the largest ASICs and the smallest or cheapest ASICs is that they have more copies of the same essential circuit. This means that even the biggest mining ASICs are only a little bit more cost-effective than the smaller ASICs. They compute puzzle solutions faster, but they’re also more expensive.

Now we’re going to talk about another
possible desired quality for puzzles, which is for them to have some sort of socially beneficial intrinsic use. Now, there’s a sense in which it seems like Bitcoin mining is extremely wasteful. If you recall from previous lectures, we think that Bitcoin mining consumes about 150 to 900 megawatts of power in total, and this is comparable to the power output of a really small hydroelectric power plant, for example. Now, this mining work is put towards computing the SHA-2 mining puzzles, which don’t serve any purpose outside the Bitcoin mining system. So this raises a very natural question: is there some way that we could have a puzzle where computing the puzzle solution actually provides some sort of useful benefit to society, while still satisfying the basic things that Bitcoin puzzles need? This would amount to something like recycling, and it would have advantages such as lowering the overall cost of the Bitcoin system and potentially reducing Bitcoin’s environmental impact.

Now, there are a bunch of natural candidates for this that seem like they might work. The general structure of these possible candidates are problems that involve finding a solution in a potentially very large solution space, where the good solutions that you’re looking for are very sparse within this space. This is like finding a needle in a haystack. Problems of this sort include protein folding, where the goal is to find a 3D configuration of a molecule that has a very low potential energy, or searching for aliens and signals from radio signals in space, and looking for anomalous patterns that might indicate extraterrestrial life. Now, for the same reason these seem like they might work as a Bitcoin mining puzzle, these have been successfully used in the past as crowdsourced distributed computing projects, such as Folding@home and SETI@home.

Now, there are a bunch of challenges that would have to be solved in order to use a problem like this in Bitcoin. In the cases that I just described, like Folding@home and SETI@home, there’s a trusted administrator of the distributed computing project that’s able to choose which instances of problems all of the participants in the network are supposed to be working on. Now, in Bitcoin there is no trusted administrator to choose the problems, so instead instances of the problem have to be generated pseudorandomly from public information, such as the hash of the last block that was found. Now, in order for these to be useful, randomly generated puzzle instances of this sort would have to still be useful, and also randomly generated puzzle solutions have to be hard. Now, it’s not known how to turn any of these problems into such a puzzle scheme.

Now, there is one example
that seems to work and has already been implemented and somewhat used in practice, which is called Primecoin. Now, the goal here is to have a mining puzzle where finding a puzzle solution involves finding a chain of very large prime numbers. In particular, to find a puzzle solution in Primecoin you have to find a Cunningham chain. Now, a Cunningham chain consists of a sequence of prime numbers P, where each of the P’s is of the form 2 to the power of some number, times a constant a, plus 1. Now, each P in the sequence has to be a large probable prime, where whether or not it’s a probable prime uses a probabilistic prime-checking algorithm, and also the first instance of the prime number P has to be a multiple of the hash function of the metadata for the block, such as the hash of the previous block, the Merkle root of the transaction, and a random nonce value that miners get to choose.

Now, this has been used in an altcoin called Primecoin, and it’s actually paid off in some sense: many of the largest known Cunningham chains have come from miners in the Primecoin network. Now, this is interesting because there have been distributed computing projects such as PrimeGrid which have also tried to find prime number chains of this sort. This also adds some confidence that this is truly a hard problem, because a lot of other people are also interested in finding solutions to this sort of problem. So is this actually useful? Well, possibly. There is at least one known use of Cunningham prime number chains, but the kind of Cunningham chains that are found by Primecoin miners are actually entirely overkill for the application.

Now, there’s another approach
which is rather than focusing on the amount of power or work output of the

network we might instead focus on the effect of investment in Bitcoin mining

infrastructure now just as an estimate a lot more than 100 million dollars have

been spent on customized Bitcoin mining Hardware overall this includes designing

new Bitcoin mining equipment as well as actually manufacturing it now this

Bitcoin mining equipment is very good at computing sha-2 hashes but this

improvement in technology is only useful for the Bitcoin network it has no other

use otherwise so the idea is what if we could design a puzzle where the

investment in newer and better Bitcoin mining hardware would itself be useful

even if the work that’s done in the power output of the network is still

wasted now here’s one example of a proposal that has this quality it’s

called per McCoy and the idea is to replace Bitcoin mining rigs which

compute Shaw to hash functions with storage devices such as hard drives in

memory now the side effect of Bitcoin miners investing in better mining

equipment would be a side effect of having a massively distributed

replicated backup storage system now the way that per McCoy works begins by

assuming that we have a large file F which everyone knows about and the goal

of the network is going to be to store this file now for simplicity imagine

that F has chosen globally by a trusted dealer at the beginning each user is

going to store a random subset of this file now permit coin is based on a

alternative puzzle that uses storage now assume that you have the file F broken

up into several blocks the first part of per Mikoyan involves building a merkel

hash tree over each of the blocks of the file now every user is going to generate

a key pair in order to mine which is going to include a public key PK and are

going to use their public key K to suit or randomly select a subset of these

file segments F that they’re now responsible for storing now for each mining attempt the miner is

going to select a random nonce value and they’re going to compute a hash function

H one that includes the previous block hash the merkel route of transactions

their public peak their public key PK and the nonce value that they chose now

rather than checking if this is a puzzle solution immediately they first have to

fetch Kay pseudo randomly chosen file segments from the subset that they’re

storing which is determined from that hash value h1 now they compute a second

hash value h2 which includes all of the data used to compute the first hash as

well as the actual contents of the file blocks F now from the second hash value

h2 it’s compared to a target in order to see if the puzzle solution is actually a

valid solution so the idea here is that the only way to make attempts at finding

a puzzle solution and determine if an attempt is a valid puzzle solution

requires you to store the random subset of files blocks that you were supposed

to based on your public key here’s one application of the per Mikoyan storage

puzzle and this involves a kind of subtle point about bitcoins incentives

there’s a cost to being an honest miner in Bitcoin remember that honest miners

are supposed to validate every Bitcoin transaction that’s included in a block

however validating a transaction requires storing the unspent transaction

outputs database which at the current time requires about 200 megabytes of

storage now maintaining this unspent transaction output database doesn’t help

you find puzzle solutions any faster it’s a little bit like unpaid overtime

So the idea would be to use the Permacoin storage-based puzzle in order to reward miners for actually storing copies of the unspent transaction output database. This would reduce the marginal cost of being honest versus just mining for the sake of getting all of their rewards.

So to summarize this section, having a proof of useful work is a very natural goal, but the challenge is to have this very side effect while still maintaining the essential security requirements. There’s an argument that any benefit would have to be a pure public good, because if there were a way for an individual miner to get the benefit of the useful work they were doing, then this benefit would also benefit an attacker, so it would make attacks on the network subsidized to the same amount that it would add any secondary improvement to society. Now, potentially viable approaches to this include storage and finding large chains of prime numbers, but other potential approaches could be possible as well. So even though some of these useful proofs of work have been implemented in practice, arguably the benefit to society so far from these is pretty minimal.

Now we’re going to talk about another
topic for alternate puzzles, which are puzzles that discourage consolidation of mining power. Now, Bitcoin miners mostly participate by joining mining pools rather than participating as independent individuals. Now, this means that very large mining pools that are directed by a central pool administrator become a very large potential consolidation of power. Bitcoin’s core value is decentralization, so this consolidation of power poses a big threat to Bitcoin’s core values. Now, if the power is consolidated in a few large centrally managed pools, then the large pool operators become a juicy target for attacks like coercion or hacking. So a point could be made that we might want to discourage the very large pools from forming. There’s even an analogy to voting here. It’s illegal in the United States, for example, to sell your vote to someone for money. Arguably, by participating in a pool controlled by someone else, it’s akin to selling your vote in the Bitcoin network. Now, recently this has become a popular problem because the very largest Bitcoin mining pool, GHash.IO, has reached larger than 50% of the network’s overall hash power. This has led to a bunch of public outcry explaining that this is a very big threat to Bitcoin and spells doom, or something to that effect, and demanding technical solutions to this problem.

Now, the observation behind one technical approach to this problem is the observation that members in a Bitcoin mining pool don’t inherently trust each other. Actually, pools can only form and become very large because members of the pool are able to prove to the pool operator that they’re toeing the line and doing mining work that can only benefit the pool as a whole. This works by using the shares protocol that was described in earlier lectures. Now, recall that in a Bitcoin mining pool there’s typically a pool operator who has a well-known public key. Now, each of the miners sends their near-misses, or their mining shares, to the pool operator to show that they’re mining on a puzzle that directs the reward to the pool operator’s public key. When a solution is found, the pool operator then distributes the rewards among the pool participants who have contributed to finding the solution.

Now, there’s an interesting attack on Bitcoin mining pools, which we’re gonna call the vigilante attack. Suppose that there’s a pool member who’s very upset with a large mining pool. He can participate in the pool by mining and submitting his near-miss share values to the pool operator just like normal, but in the event that he actually finds a Bitcoin puzzle solution that would reward the pool, he just throws that away and doesn’t tell the pool operator about it. Now, the effect of this attack is that the overall effective mining output of the mining pool is reduced.

However, the vigilante only loses a little bit. He still gets rewards for other puzzle solutions that are found; he gets a proportional reward due to the shares that he submits. Now, one problem with this attack is that a vigilante still has to lose something and doesn’t gain anything, and so it seems unwise to rely on vigilantes like this monitoring the network and rightfully choosing when to do this, to only attack large pools. Here’s an illustration of what the vigilante attack looks like: the vigilante still submits shares to the pool operator, and if he finds a solution, discards it.

So the approach of a nonoutsourceable puzzle is to encourage the vigilante to perform this attack in the following way: we’d like to make it so that whoever actually finds the Bitcoin puzzle solution is able to take the reward for themselves.

now the vigilante would have an incentive a direct personal incentive to

perform the same attack in harm the pool now the approach to having a puzzle that

works this way is to have a puzzle where each puzzle attempt requires signing the

puzzle solution value using a private public key pair in particular each

attempt at a puzzle solution requires knowledge of the private key and that

same private key would then be used to spend the reward later now as an

illustration of this instead of the pool operator just having a key any of the

mining pool participants who are contributing mining resources

also have to have knowledge of the private key in order for their mining to

be effective if anyone of them does find a solution then they would be able to

take the money a secondary goal is that we’d like to even provide the ability

for mining pool members in this case to evade detection now I’m going to

describe how a particular instance of a nonoutsourceable puzzle would work

now a solution to this puzzle contains the same information as an ordinary

Bitcoin puzzle including the previous block hash a Merkle root which is a

commitment to all of the transactions to be included in this block and an

arbitrarily chosen nonce value now this also includes a public key PK which the

miner would have to know the corresponding private key in order to

find puzzle solutions it’s also going to include two signatures made using this

key pair s1 and s2 now the first step to determining whether a particular nonce

value is a puzzle solution is to create a signature s1 using the key pair now

this has to be a valid signature over the previous block hash as well as the

nonce value that’s been chosen in order to tell if this nonce was a valid

solution you have to compute the hash h over the string containing the previous

block hash the public key the nonce and the signature s1 and then you compare

this hash value to a target just like in Bitcoin’s puzzle now only after you find

out whether or not this nonce is a valid puzzle solution you then compute a

second signature s2 using the same key pair and only in this signature do you

include the Merkle root of the transactions so the idea here is that

you need to be able to compute the signature value s1 using the private key

in order to find out whether or not you found a puzzle solution and only if you

found a puzzle solution do you then compute the second signature s2 in order

to choose which transactions are going to be included this means that to find a

puzzle solution you have to know the private key and if you know the private

key you get to choose transactions that will direct the reward to yourself there

are several potential concerns with this nonoutsourceable puzzle one problem

is that it basically throws the baby out with the bathwater this

nonoutsourceable puzzle would discourage all pools from forming

not just centralized ones which were the original motivation for this but also

the harmless decentralized mining pools like P2Pool which were discussed in

previous lectures as well now the effect of this could be that if miners are

discouraged from participating in any mining pool they might find themselves

steered towards other forms of outsourcing which are even more harmful

such as hiring hosted mining services to do their mining for them now hosted

mining services are potentially an even larger threat to the decentralization of

Bitcoin’s mining power because the hosted mining administrator is actually in

physical possession of all of the Bitcoin mining rigs now there are

potential approaches to addressing these concerns but that’s an ongoing research

project and we’ll get into the details here in this section we’re going to talk

about a technique called proof of stake mining puzzles and a variety of related

techniques which altogether I’ll call virtual mining because they don’t

involve any computational work at all now the motivation for this is that

Bitcoin mining seems to have an unnecessary step if you look at the

ecosystem of Bitcoin mining economics Bitcoin miners earn monetary rewards in

the form of bitcoins they have to spend money buying power and equipment in

order to operate their mining rigs and they use those mining rigs to find

puzzle solutions which in turn give them reward so what would happen if we

removed the step of spending money on power and equipment in this case you

would have something that looks like the following which is what I mean by

virtual mining instead of mining with computational hardware like Bitcoin

mining rigs you could mine just by using the money that you would have spent on

mining rigs directly within the system think of this as using your money and

sending it to a special address and then a winner is chosen in order to have a

mining reward based on the amount of money that miners have contributed by

sending it to this special address now it would be possible in a virtual mining

scheme like this to essentially recreate the same dynamics and reward structure

as in current Bitcoin mining the only thing that’s removed is the external

step of having to use real power and real hardware now there are a bunch of

potential benefits to a virtual mining system like this one is that it

definitely would lower the overall cost of the Bitcoin mining system virtual

mining since it doesn’t involve using any power or manufacturing any special

hardware would have no impact on the environment now you can think of the

savings that would result from this as being distributed to all the holders of

coins in this system there’s another argument which is that holders of the

Bitcoin currency are stakeholders in the currency they have an incentive to do

things that would benefit the Bitcoin currency system as a whole because it

increases the value of the coins that they hold so this argument is that the very

people who are stakeholders in the currency have incentives aligned to be

good stewards of the system now because there’s no ASICs involved there would be

no concern about an ASIC advantage so any virtual mining puzzle is also an

ASIC resistant puzzle and there’s finally an argument that this approach

would reduce the hazard of 51% attacks whereby the network is dominated by very

large miners with extremely powerful equipment

now let me describe this argument in a little more detail the way the argument

works is basically that the Bitcoin economy is smaller than the overall

world economy it’s possible for an attacker who has a lot of wealth outside

the Bitcoin network to be able to acquire very large mining rigs that they

might not be able to acquire if they could only use their wealth that’s

inside the Bitcoin network so to illustrate this imagine that there’s a

wealthy attacker like a nation-state or just some very wealthy attacker on the

network who’s able to purchase very large mining equipment that’s very

powerful and all of their wealth is outside the system and they’re able to

acquire these mining resources and then they can use it to attack the Bitcoin

economy now if mining were based on the coins

that were inside the network then a wealthy attacker wouldn’t be able to go

outside the network and find more mining power the only way they could acquire

the amount of virtual mining power they would need to attack the network would

be to buy up 51% of all of the coins in existence this would require them to go

to Bitcoin exchanges and exchange whatever form of wealth they already had

for wealth measured in the tokens inside the system this would likely raise the

price of the coins within the system while they were doing so it’s arguably

much more expensive to acquire half of the value of the bitcoins

than it would be to acquire mining power that’s larger than half the existing

Bitcoin network now this provides an extra disincentive against conducting

such a large-scale attack now there are a bunch of variations of virtual mining

and I’ll describe some of them the original one was called proof of stake

which assigns to each coin in the system a stake value in the

is that the stake value grows over time for every coin as long as the coin isn’t

used every time you spend the coin or make a transaction including a coin or

enter a coin in a mining puzzle by using the coin to mine the stake

value for that coin gets reset another alternative is called proof of burn and

in this scenario when you decide to mine using a coin you actually have to send

it to an unspendable address and the coin essentially is deleted or gone

forever on the other hand you do have a chance of winning a mining reward and

then that would replace the coins that you put in another variation is called

proof of deposit and this involves mining with your coins by depositing

them in something like a time-locked account where they aren’t burned forever

you’ll be able to get them back eventually but only after some amount of

time has passed effectively by choosing to mine with your coin in this scheme

you’re losing the opportunity cost of whatever else you could have done with

your coin instead at that time the last variation is proof of activity and in

this variation everyone with a coin is automatically entered into the mining

lottery if one of your coins is chosen then you’re responsible for choosing the

next block and you have to respond by creating a signed message about the

block that you choose within a certain amount of time now virtual mining

puzzles like these are an active area of ongoing research and there’s a large

open problem which we don’t know the answer to yet which goes like this is

there any form of security that you can only get by having a proof-of-work

system that involves really burning real resources acquiring real computational

hardware and expending real electrical power in order to find puzzle solutions

if so if there is some kind of security that you can only get by having a

proof-of-work puzzle and not with virtual mining then the apparent waste

of the proof of work system is actually just the cost of the security that you

get on the other hand if it does turn out that virtual mining can provide

exactly the same security or more that you can get by having a proof-of-work

system then it seems likely that eventually proof-of-work systems because

they’re so much more expensive will eventually give way in

favor of cheaper alternatives based on virtual mining but this question is as

of yet unanswered let’s conclude this lecture by summarizing some of the

things we’ve just talked about we’ve discussed a variety of approaches

towards designing alternate Bitcoin mining puzzles that achieve a variety of

different goals these include preventing ASIC miners

from becoming a consolidated source of power in the Bitcoin ecosystem we’ve

discussed puzzles that prevent large mining pools from becoming

consolidations of power we’ve also discussed puzzles that have

some intrinsic usefulness that can help society and reduce waste and we’ve

looked at the option of a mining puzzle that doesn’t require any computational

hardware at all now for now the best trade-off between these puzzles is

unclear and our speculation about the future is that for the near future there

will be many alternatives coexisting and it will continue to be unclear exactly

which alternative is the best now in the next lecture we’re going to talk about

Bitcoin as a platform this is going to include applications beyond just the

currency that we’ve seen so far this includes applications like lotteries

prediction markets smart contracts financial derivatives and many more you