BitCoin Puzzles – Crypto Academy Lecture 8

In this lecture we’re going to talk about alternatives to Bitcoin’s existing
proof-of-work mining puzzle. Mining puzzles are at the very core of Bitcoin,
because mining puzzles determine the incentive system in Bitcoin. Bitcoin miners
get rewards for the puzzles that they solve. We expect that miners will spend
considerable effort trying to find any shortcuts available to them to solve these
puzzles faster or more efficiently. If there’s a faster way to solve puzzles, we
think they’ll take it. Also, if there’s extra stuff to do that might help the
network but doesn’t directly help them solve puzzles any faster, we expect that
they might eventually not bother to do so at all. Therefore the nature of the
puzzle plays a very important role in steering and guiding participation in the
network.

Now, we’ve talked about some of the basic features that Bitcoin’s existing SHA-2
hash-based mining puzzle already satisfies. So, for example, it’s fairly
difficult to solve a whole bunch of puzzle solutions. This makes attacks on the
Bitcoin network very costly or unlikely to succeed. On the other hand, puzzle
solutions are found at a fairly predictable rate, once every ten minutes, by
someone.
This means that honest miners who participate have some incentive to keep
participating and compensate themselves for the resources that they put into the
network.

If we were going to design a new puzzle system from scratch, or modify Bitcoin’s
puzzle system to be different somehow, what else could we design the puzzle to
achieve? What other kinds of behaviors would we like to encourage or
disincentivize? In this lecture we’re going to talk about a variety of possible
alternative puzzle designs. Some of them are already used in practice in altcoins
existing today; others are research ideas that might turn out to be used in the
future. The puzzles that we’ll look at can achieve a variety of possible goals,
such as ASIC resistance, which means leveling the playing field between users
with ordinary computing equipment and users with special optimized custom
hardware. We’ll also look at puzzles that discourage users from delegating their
participation to directors of large centralized pools, and we’ll look at useful
proofs of work that have intrinsic social benefit. We’ll also talk about some of
the essential security requirements for mining puzzles. It doesn’t do any good to
have some fancy secondary feature if the puzzle doesn’t still satisfy the basic
requirements that it needs to keep Bitcoin secure.

Before going into the alternate puzzle designs, let’s talk a little bit about
some of the essential requirements that any viable mining puzzle has to satisfy.
Now, there are many possible requirements; we’ve talked about some of them
before. The solutions to mining puzzles need to be cheap to verify, because every
node on the network validates all of the puzzle solutions, even ones that aren’t
involved in mining directly. Puzzles also have to have adjustable difficulty, so
that the difficulty of the puzzle can be adjusted over time as new users join the
network with increasing amounts of hash power contributed. I’m only going to talk
in detail right now about one other essential requirement, which is a little bit
subtle. This is that the chance of winning a puzzle solution in any unit of time
should be roughly proportional to the hash power contributed. In particular, this
means that really large miners with very powerful hardware should only have a
proportional advantage in being the next miner to find a puzzle solution. Even
small players should have some proportional chance of being successful and
receiving compensation.

Now, to
illustrate this point, let me show you an example of a bad puzzle that doesn’t
satisfy this requirement. Consider a mining puzzle that takes exactly n steps to
find a solution. There are examples of puzzles like this; I don’t need to go into
details, though, but consider this a sequential proof of work. A miner would be
able to find one of these proof-of-work solutions by computing n steps in order,
in a sequence; once it reaches n steps, it finds a solution. Now, the problem is
that if it takes exactly n steps in a sequence to find a puzzle solution, then
the fastest miner in the network will always be the one who wins the next reward.
All right, so consider a scenario with two equally powerful miners and a third
miner that’s slightly faster at making computational steps than the other two.
For every step that the small miners take, the large miner takes two steps here.
This means that the large miner finds its puzzle solution at the end of n steps
while the smaller miners are still computing theirs. In this case the fastest
miner would be the only one who would receive any compensation at all; therefore
none of the other nodes would have any incentive to participate in the first
place.

So, the alternative to this: a good puzzle is one that gives every miner a chance
of winning the next puzzle solution in proportion to the amount of hash power
they contribute. This forms a weighted sample of all of the miners. So imagine
throwing a dart randomly at a board of different-sized targets, where the size of
the target corresponds to mining power. The more hash power you contribute, the
better your chance of being the node that finds the next puzzle solution. A
puzzle that has this property is sometimes called progress-free. Now, this was
just one of the requirements; there are others, but for now we’re going to move
on to types of alternative puzzles, and we’ll discuss essential requirements as
they come up.

We’re going to start by talking about
ASIC-resistant mining puzzles. These are far and away the most widely discussed
and sought-after alternative mining puzzles. Now, there are several reasons why
we might want an ASIC-resistant mining puzzle. If you recall from previous
lectures, Bitcoin mining used to be done using ordinary computers, like CPUs and
GPUs, then eventually moved towards customized FPGA devices, and now mining is
mostly conducted using very powerful optimized ASIC chips, which are so vastly
more effective than general-purpose computing equipment that it doesn’t even pay
off to use an ordinary computer or a very old generation of mining equipment. But
this is too bad in a way, because it used to be very appealing that ordinary
users could mine bitcoins out of thin air just by leaving their computer on
overnight, a computer that they already had. This was really good for a low
barrier to entry, because it gave a compelling reason for ordinary users around
the world to join the Bitcoin mining network and participate. So wouldn’t it be
nice if we could go back to the good old days, when it was possible to mine
bitcoins using ordinary general-purpose computing equipment? So the approach to
go back to this is to come up with a puzzle that reduces the gap between the most
cost-effective customized hardware and general-purpose equipment that ordinary
people already have.

A separate goal is to try to prevent the very large ASIC manufacturers from
dominating the Bitcoin mining game. There are only a few companies that are able
to produce large semiconductor fabrication in order to actually produce the
ASICs, so this represents a sort of consolidation of power. Now, a lot of
customers of Bitcoin mining ASICs have this concern that the manufacturers are
going to delay the shipment of their mining devices in order for the
manufacturers to use the mining devices themselves, for their own benefit, to get
their own rewards at the expense of their customers. Another concern is that if
there is some breakthrough and there’s a vastly more efficient ASIC design,
whoever comes up with that design might keep it a trade secret to themselves and
use it to build their own very powerful industrial mining center, and then they
would be able to dominate the network. So the approach here might be to build a
puzzle that reduces the gap between potential future hardware ASIC designs and
the ASICs that we already have, which are largely distributed to ASIC mining
customers.

We’re going to start by talking about
the most widely used approach towards having an ASIC-resistant puzzle. This is
called a memory-hard puzzle. Now, the premise here is fairly simple, and it’s
based on a well-known phenomenon since the ’80s about the change in the
performance of computing equipment over time. Since the ’80s, the performance of
processing has increased at an exponential rate; you’ve probably heard of this
referred to as Moore’s law. Now, the performance of memory and storage has also
increased at an exponential rate, but this rate is much lower than that for
processors. There’s a performance gap between the most efficient processors and
the most efficient memory and storage, and this gap actually grows over time.
This means that if we had a puzzle that required lots of memory to compute,
rather than just processing circuits, then the potential improvement of the next
generation’s optimized hardware over the current generation of optimized
hardware, or even general-purpose computing equipment, would be much lower, and
that’s what we want.

So we’re going to talk now about the most popular instance of a memory-hard
puzzle. This is called scrypt. scrypt is actually a memory-hard hash function,
and a scrypt-based mining puzzle is the same as the Bitcoin mining puzzle, just
replacing the SHA-2 hash with the scrypt hash. scrypt is memory hard in the sense
that it has a constant time-memory trade-off. This means that the hash can be
computed using a fixed amount of memory; it’s possible to compute it using less
memory, but doing so increases the amount of time that it takes to compute. Now,
as I mentioned, this puzzle is actually widely used in Bitcoin alternatives,
including the second most popular cryptocurrency, Litecoin, and a variety of
others. One thing that is to scrypt’s advantage is that this hash function is
also used in another place in security, especially password hashing, which has
similar goals to ASIC resistance in Bitcoin mining. This gives extra confidence
that if there are security problems with the hash function, then other people are
looking at them and might find them.

Now, the basic way that scrypt works goes in two steps.
The first step involves filling a large block of random access memory with random
values, and the second step involves reading from this memory in a random order.
Now I’m going to give a detailed illustration of just how the scrypt hash
function works. The goal here is going to be to compute the scrypt hash function
of an input string X. This is going to be the first step: the goal is to fill a
block of memory containing N cells with random values. Here N is 36. Now, these
values are going to be filled in in sequential order. The first value, V_1, is
simply the hash of the input string X, where the hash function H is an ordinary
hash function like SHA-2. Now the second value, V_2, is the hash, SHA-2, of the
previous value V_1. This is the same as the hash function applied to the input
string X twice. And so on: the third value, V_3, is the hash function applied to
the input value X three times, and so on. After N iterations, all N memory cells
are filled up with pseudorandom values, and the last value is the same as the
hash function H applied to X N times.

Now, in the next step, we’re going to read back the values of memory in random
order. We’re going to begin by having an accumulator value A, which involves
computing the hash function H one more time on the last value. Now, for N
iterations, we’re going to use the current value of the accumulator A to pick an
index i out of these N potential memory cells. Then we’re going to read that
value of memory, XOR it with the current accumulator value A, take the hash H
once more of this value, and replace the accumulator’s value with this updated
value. Now, after N iterations, the final value of the accumulator A is the
output of this hash function.

Now let me explain
the intuition for why this scrypt hash function is memory hard. You can compute
this by using the N memory cells as described just before. It’s also possible to
compute the scrypt hash value using less memory. Suppose you wanted to cut down
the amount of memory you needed by half. You could do this by only storing every
other value V in the table, only the odd values in this case. Now, what happens
if you need to access one of the even-numbered values of V, which you aren’t
storing? You need to compute it from the values of V that you are storing. You
can always compute V_i by computing the hash H of V_(i-1). Now, this works, and
you got away with using less memory, but you had to compute an extra value for H.
This intuition holds up on average: if you wanted to reduce the amount of memory
by half, you would have to increase the amount of computation cycles you need by
a factor of one and a half, and so on.

Now, to talk a little bit about scrypt’s use in practice, there are a couple of
disadvantages. One is that even though it has this advantage of being memory hard
to compute, the scrypt-based mining puzzle also requires N amount of memory and N
cycles in order to check a proof-of-work puzzle solution. This puts a constraint
on how large you can set N, in other words, how memory hard you can make it. Now,
a good question is: is this memory-hard puzzle actually ASIC resistant? And
there’s some uncertainty here. scrypt ASICs are already available, at least the
first generation of these, and they are at least somewhat faster than what you
can do with general-purpose computing equipment like CPUs and GPUs. There are
several companies competing to make faster scrypt ASICs, and it’s unclear how
much better this performance gap will be able to get. There’s some concern that
in the altcoins that currently use scrypt-based mining puzzles, the parameter N
hasn’t been set correctly, and this is one of the factors leading to ASICs
arriving. Now, this general approach of having a memory-hard hash function is
good because, as I mentioned, scrypt is used in other applications like password
hashing, and so if there are any future improvements in password hashing, then
memory-hard mining puzzles would be able to use these new password hashing
functions and be able to achieve the desired effect.

Now I’m going to talk about another approach to
having a memory-hard proof-of-work mining puzzle. This puzzle is called Cuckoo
hash cycles, and the main advantage this has over scrypt is that it doesn’t
require any random access memory to check a puzzle solution. Now we’re going to
look at how this works. For every mining attempt, we’re going to start with a
potential solution X, which you can think of as a random string, and we’re going
to use the following procedure to determine whether or not X is a puzzle
solution. For the first step, we’re going to select E pseudorandom edges in this
graph. For each edge, we’re going to pick a random node from the top set of nodes
and a random node from the bottom set of nodes. We do this by computing hash
values using, again, the underlying hash function H, which can just be an
ordinary hash function. The edges are filled in in the graph as illustrated
below. Once the graph’s completed, you want to determine whether or not there’s a
cycle in the graph of size K. A cycle is a set of edges such that if you align
the edges tip to tip or tip to end, then they form a complete cycle. So here’s
what a cycle of size four would look like in this illustrated graph. K is another
parameter of the puzzle. If the graph determined by input X has a cycle of size
K, then we say that this has a solution, and we just output the input value X as
well as the evidence that there is a cycle, so the K indexes of the edges.

Now, it’s not as intuitive why this is a memory-hard function, but the
explanation is that finding cycles in graphs is a fairly well-studied problem,
and the best known algorithms for doing this do require a large amount of memory.
What is really clear to see is that this puzzle is very easy to check. The only
thing you need to do in order to check the puzzle solution is to recompute what
the edge endpoints would be for each of the K edges provided, using the input
value X. You only have to compute K hash functions, and no random access memory
is
required.

Now, there are even more approaches towards building ASIC-resistant mining
puzzles. I’m only going to describe these really briefly. One is to simply build
much more complicated hash functions than the ones that we’ve talked about so
far. One example of this is the mining puzzle based on the X11 hash function,
which is simply 11 well-known hash functions strung together in a sequence.
Another approach is to have a mining puzzle that’s a moving target. Here you
would have a mining puzzle that actually changes altogether every so often. This
means that optimized mining hardware for one puzzle probably wouldn’t be good at
solving all of the puzzles even after the puzzle changes, and customized mining
hardware that’s only good at solving one instance of the puzzle won’t be very
useful once the puzzle does change. Now, it’s unclear exactly how we would change
the puzzle every so often in order to maintain the security requirements that we
need.

Now, there’s a counterargument that says that there’s really no point in trying
to make an ASIC-resistant puzzle, because the SHA-2-based mining puzzle that we
already have is already good enough. The SHA-2 circuit is pretty well understood;
we have a good idea of what’s the optimal way of computing SHA-2. As a result,
Bitcoin mining ASICs aren’t changing very much, and it seems unlikely that
there’s going to be a breakthrough in computing these proof-of-work solutions any
faster. Even as it is today, mining ASICs consist of multiple copies of the same
basic SHA-2 circuit, and the only difference between the largest ASICs and the
smallest or cheapest ASICs is that they have more copies of the same essential
circuit. This means that even the biggest mining ASICs are only a little bit more
cost-effective than the smaller ASICs. They compute puzzle solutions faster, but
they’re also more expensive.

Now we’re going to talk about another
possible desired quality for puzzles, which is for them to have some sort of
socially beneficial intrinsic use. There’s a sense in which it seems like Bitcoin
mining is extremely wasteful. If you recall from previous lectures, we think that
Bitcoin mining consumes about 150 to 900 megawatts of power in total, and this is
comparable to the power output of a really small hydroelectric power plant, for
example. Now, this mining work is put towards computing the SHA-2 mining puzzles,
which don’t serve any purpose outside the Bitcoin mining system. So this raises a
very natural question: is there some way that we could have a puzzle where
computing the puzzle solution actually provides some sort of useful benefit to
society while still satisfying the basic things that Bitcoin puzzles need? This
would amount to something like recycling, and it would have advantages such as
lowering the overall cost of the Bitcoin system and potentially reducing
Bitcoin’s environmental impact.

Now, there are a bunch of natural candidates for this that seem like they might
work. The general structure of these possible candidates is problems that involve
finding a solution in a potentially very large solution space, where the good
solutions that you’re looking for are very sparse within this space. This is like
finding a needle in a haystack. Problems of this sort include protein folding,
where the goal is to find a 3D configuration of a molecule that has a very low
potential energy, or searching for alien signals from radio signals in space and
looking for anomalous patterns that might indicate extraterrestrial life. Now,
for the same reason these seem like they might work as a Bitcoin mining puzzle,
these have been successfully used in the past as crowdsourced distributed
computing projects, such as Folding@home and SETI@home.

Now, there are a bunch of challenges that would have to be solved in order to use
a problem like this in Bitcoin. In the cases that I just described, like
Folding@home and SETI@home, there’s a trusted administrator of the distributed
computing project that’s able to choose which instances of problems all of the
participants in the network are supposed to be working on. Now, in Bitcoin there
is no trusted administrator to choose the problems, so instead instances of the
problem have to be generated pseudorandomly from public information, such as the
hash of the last block that was found. Now, in order for these to be useful,
randomly generated puzzle instances of this sort would have to still be useful,
and also randomly generated puzzle solutions have to be hard. Now, it’s not known
how to turn any of these problems into such a puzzle scheme.

Now, there is one example
that seems to work and has already been implemented and somewhat used in
practice, which is called Primecoin. The goal here is to have a mining puzzle
where finding a puzzle solution involves finding a chain of very large prime
numbers. In particular, to find a puzzle solution in Primecoin you have to find a
Cunningham chain. A Cunningham chain consists of a sequence of prime numbers p,
where each of the p’s is of the form 2 to the power of some number, times a
constant a, plus 1. Each p in the sequence has to be a large probable prime,
where whether or not it’s a probable prime uses a probabilistic prime-checking
algorithm, and also the first instance of the prime number p has to be a multiple
of the hash function of the metadata for the block, such as the hash of the
previous block, the Merkle root of the transactions, and a random nonce value
that miners get to choose. Now, this has been used in an altcoin called
Primecoin, and it’s actually paid off in some sense: many of the largest known
Cunningham chains have come from miners in the Primecoin network. Now, this is
interesting because there have been distributed computing projects such as
PrimeGrid which have also tried to find prime number chains of this sort. This
also adds some confidence that this is truly a hard problem, because a lot of
other people are also interested in finding solutions to this sort of problem. So
is this actually useful? Well, possibly. There is at least one known use of
Cunningham prime number chains, but the kind of Cunningham chains that are found
by Primecoin miners are actually entirely overkill for the application.

Now, there’s another approach towards having a proof of useful work,
which is, rather than focusing on the amount of power or work output of the
network, we might instead focus on the effect of investment in Bitcoin mining
infrastructure. Just as an estimate, a lot more than 100 million dollars have
been spent on customized Bitcoin mining hardware overall. This includes designing
new Bitcoin mining equipment as well as actually manufacturing it. Now, this
Bitcoin mining equipment is very good at computing SHA-2 hashes, but this
improvement in technology is only useful for the Bitcoin network; it has no other
use otherwise. So the idea is: what if we could design a puzzle where the
investment in newer and better Bitcoin mining hardware would itself be useful,
even if the work that’s done and the power output of the network is still wasted?

Now, here’s one example of a proposal that has this quality. It’s called
Permacoin, and the idea is to replace Bitcoin mining rigs, which compute SHA-2
hash functions, with storage devices such as hard drives and memory. Now, the
side effect of Bitcoin miners investing in better mining equipment would be
having a massively distributed, replicated backup storage system. The way that
Permacoin works begins by assuming that we have a large file F which everyone
knows about, and the goal of the network is going to be to store this file. For
simplicity, imagine that F is chosen globally by a trusted dealer at the
beginning. Each user is going to store a random subset of this file. Permacoin is
based on an alternative puzzle that uses storage. Assume that you have the file F
broken up into several blocks. The first part of Permacoin involves building a
Merkle hash tree over each of the blocks of the file. Now, every user is going to
generate a key pair in order to mine, which is going to include a public key PK,
and they’re going to use their public key PK to pseudorandomly select a subset of
these file segments F that they’re now responsible for storing.

Now, for each mining attempt, the miner is
going to select a random nonce value, and they’re going to compute a hash
function h1 that includes the previous block hash, the Merkle root of
transactions, their public key PK, and the nonce value that they chose. Now,
rather than checking if this is a puzzle solution immediately, they first have to
fetch K pseudorandomly chosen file segments from the subset that they’re storing,
which is determined from that hash value h1. Now they compute a second hash value
h2, which includes all of the data used to compute the first hash as well as the
actual contents of the file blocks F. Now, the second hash value h2 is compared
to a target in order to see if the puzzle solution is actually a valid solution.
So the idea here is that the only way to make attempts at finding a puzzle
solution, and determine if an attempt is a valid puzzle solution, requires you to
store the random subset of file blocks that you were supposed to, based on your
public key.

Here’s one application of the Permacoin storage puzzle, and this involves a kind
of subtle point about Bitcoin’s incentives. There’s a cost to being an honest
miner in Bitcoin. Remember that honest miners are supposed to validate every
Bitcoin transaction that’s included in a block. However, validating a transaction
requires storing the unspent transaction outputs database, which at the current
time requires about 200 megabytes of storage. Now, maintaining this unspent
transaction output database doesn’t help you find puzzle solutions any faster;
it’s a little bit like unpaid overtime. So the idea would be to use the Permacoin
storage-based puzzle in order to reward miners for actually storing copies of the
unspent transaction output database. This would reduce the marginal cost of being
honest versus just mining for the sake of getting all of their rewards.

So, to summarize this section,
having a proof of useful work is a very natural goal, but the challenge is to
have this very side effect while still maintaining the essential security
requirements. There’s an argument that any benefit would have to be a pure public
good, because if there were a way for an individual miner to get the benefit of
the useful work they were doing, then this benefit would also benefit an
attacker, so it would make attacks on the network subsidized to the same amount
that it would add any secondary improvement to society. Now, potentially viable
approaches to this include storage and finding large chains of prime numbers, but
other potential approaches could be possible as well. So even though some of
these useful proofs of work have been implemented in practice, arguably the
benefit to society so far from these is pretty minimal.

Now we’re going to talk about another
topic for alternate puzzles, which are puzzles that discourage consolidation of
mining power. Bitcoin miners mostly participate by joining mining pools rather
than participating as independent individuals. This means that very large mining
pools that are directed by a central pool administrator become a very large
potential consolidation of power. Bitcoin’s core value is decentralization, so
this consolidation of power poses a big threat to Bitcoin’s core values. If the
power is consolidated in a few large centrally managed pools, then the large pool
operators become a juicy target for attacks like coercion or hacking. So a point
could be made that we might want to discourage the very large pools from forming.
There’s even an analogy to voting here: it’s illegal in the United States, for
example, to sell your vote to someone for money. Arguably, participating in a
pool controlled by someone else is akin to selling your vote in the Bitcoin
network. Now, recently this has become a popular problem, because the very
largest Bitcoin mining pool, GHash.IO, has reached larger than 50% of the
network’s overall hash power. This has led to a bunch of public outcry explaining
that this is a very big threat to Bitcoin and spells doom, or something to that
effect, and demanding technical solutions to this problem.

Now, the observation behind one technical approach to this problem is that
members in a Bitcoin mining pool don’t inherently trust each other. Actually,
pools can only form and become very large because members of the pool are able to
prove to the pool operator that they’re toeing the line and doing mining work
that can only benefit the pool as a whole. This works by using the shares
protocol that was described in earlier lectures. Recall that in a Bitcoin mining
pool there’s typically a pool operator who has a well-known public key. Each of
the miners sends their near-misses, or their mining shares, to the pool operator
to show that they’re mining on a puzzle that directs the reward to the pool
operator’s public key. When a solution is found, the pool operator then
distributes the rewards among the pool participants who have contributed to
finding the solution.

Now, there’s an interesting attack on Bitcoin mining
pools, which we’re going to call the vigilante attack. Suppose that there’s a
pool member who’s very upset with a large mining pool. He can participate in the
pool by mining and submitting his near-miss share values to the pool operator
just like normal, but in the event that he actually finds a Bitcoin puzzle
solution that would reward the pool, he just throws that away and doesn’t tell
the pool operator about it. Now, the effect of this attack is that the overall
effective mining output of the mining pool is reduced. However, the vigilante
only loses a little bit; he still gets rewards for other puzzle solutions that
are found. He gets a proportional reward due to the shares that he submits. Now,
one problem with this attack is that a vigilante still has to lose something and
doesn’t gain anything, and so it seems unwise to rely on vigilantes like this
monitoring the network and rightfully choosing when to do this, to only attack
large pools. Here’s an illustration of what the vigilante attack looks like: the
vigilante still submits shares to the pool operator, and if he finds a solution,
discards it.

So the approach of a non-outsourceable puzzle is to encourage the vigilante to
perform this attack in the following way. We’d like to make it so that whoever
actually finds the Bitcoin puzzle solution is able to take the reward for
themselves.
now the vigilante would have an incentive a direct personal incentive to
perform the same attack in harm the pool now the approach to having a puzzle that
works this way is to have a puzzle where each puzzle attempt requires signing the
puzzle solution value using a private public key pair in particular each
attempt at a puzzle solution requires knowledge of the private key and that
same private key would then be used to spend the reward later now as an
illustration of this instead of the pool operator just having a key any of the
mining pool participants who are contributing mining resources
also have to have knowledge of the private key in order for their mining to
be effective if anyone of them does find a solution then they would be able to
take the money a secondary goal is that we’d like to even provide the ability
for mining pool members in this case to evade detection now I’m going to
describe how a particular instance of a non out source about puzzle would work
now a solution to this puzzle contains the same information as an ordinary
Bitcoin puzzle including the previous block hash a Merkle root which is a
commitment to all of the transactions to be included in this block and an
arbitrarily chosen nonce value now this also includes a public key PK which the
miner would have to know the corresponding private key in order to
find puzzle solutions it’s also going to include two signatures made using this
key pair s1 and s2 now the first step to determining whether a particular nonce
value is a puzzle solution is to create a signature s1 using the key pair now
this has to be a valid signature over the previous block hash as well as the
nonce value that’s been chosen in order to tell if this nonce was a valid
solution you have to compute the hash h over the string containing the previous
block hash the public key the nonce and the signature s1 and then you compare
this hash value to a target just like in Bitcoin’s puzzle now only after you find
out whether or not this nonce is a valid puzzle solution you then compute a
second signature s2 using the same key pair and only in this signature do you
include the Merkle root of the transactions so the idea here is that
you need to be able to compute the signature value s1 using the private key
in order to find out whether or not you found a puzzle solution and only if you
found a puzzle solution do you then compute the second signature s2 in order
to choose which transactions are going to be included this means that to find a
puzzle solution you have to know the private key and if you know the private
key you get to choose transactions that will direct the reward to yourself there
are several potential concerns with this nonoutsourceable puzzle one problem
is that it basically throws the baby out with the bathwater this
nonoutsourceable puzzle would discourage all pools from forming
not just centralized ones which were the original motivation for this but also
the harmless decentralized mining pools like P2Pool which were discussed in
previous lectures as well now the effect of this could be that if miners are
discouraged from participating in any mining pool they might find themselves
steered towards other forms of outsourcing which are even more harmful
such as hiring hosted mining services to do their mining for them now hosted
mining services are potentially an even larger threat to the decentralization of
Bitcoin’s mining power because the hosted mining administrator is actually in
physical possession of all of the Bitcoin mining rigs now there are
potential approaches to addressing these concerns but that’s an ongoing research
project and we’ll get into the details here in this section we’re going to talk
about a technique called proof of stake mining puzzles and a variety of related
techniques which altogether I’ll call virtual mining because they don’t
involve any computational work at all now the motivation for this is that
Bitcoin mining seems to have an unnecessary step if you look at the
ecosystem of Bitcoin mining economics Bitcoin miners earn monetary rewards in
the form of bitcoins they have to spend money buying power and equipment in
order to operate their mining rigs and they use those mining rigs to find
puzzle solutions which in turn give them reward so what would happen if we
removed the step of spending money on power and equipment in this case you
would have something that looks like the following which is what I mean by
virtual mining instead of mining with computational hardware like Bitcoin
mining rigs you could mine just by using the money that you would have spent on
mining rigs directly within the system think of this as using your money and
sending it to a special address and then a winner is chosen in order to have a
mining reward based on the amount of money that miners have contributed by
sending it to this special address now it would be possible in a virtual mining
scheme like this to essentially recreate the same dynamics and reward structure
as in current Bitcoin mining the only thing that’s removed is the external
step of having to use real power and real hardware now there are a bunch of
potential benefits to a virtual mining system like this one is that it
definitely would lower the overall cost of the Bitcoin mining system virtual
mining since it doesn’t involve using any power or manufacturing any special
hardware would have no impact on the environment now you can think of the
savings that would result from this as being distributed to all the holders of
coins in this system there’s another argument which is that holders of the
Bitcoin currency are stakeholders in the currency they have an incentive to do
things that would benefit the Bitcoin currency system as a whole because it
increases the value of the coins that they hold so this argument is that the very
people who are stakeholders in the currency have incentives aligned to be
good stewards of the system now because there’s no ASICs involved there would be
no concern about an ASIC advantage so any virtual mining puzzle is also an
ASIC resistant puzzle and there’s finally an argument that this approach
would reduce the hazard of 51% attacks whereby the network is dominated by very
large miners with extremely powerful equipment
now let me describe this argument in a little more detail the way the argument
works is basically that the Bitcoin economy is smaller than the overall
world economy it’s possible for an attacker who has a lot of wealth outside
the Bitcoin network to be able to acquire very large mining rigs that they
might not be able to acquire if they could only use their wealth that’s
inside the Bitcoin network so to illustrate this imagine that there’s a
wealthy attacker like a nation-state or just some very wealthy attacker on the
network who’s able to purchase very large mining equipment that’s very
powerful and all of their wealth is outside the system and they’re able to
acquire these mining resources and then they can use it to attack the Bitcoin
economy now if mining were based on the coins
that were inside the network then a wealthy attacker wouldn’t be able to go
outside the network and find more mining power the only way they could acquire
the amount of virtual mining power they would need to attack the network would
be to buy up 51% of all of the coins in existence this would require them to go
to Bitcoin exchanges and exchange whatever form of wealth they already had
for wealth measured in the tokens inside the system this would likely raise the
price of the coins within the system while they were doing so it’s arguably
much more expensive to acquire half of the value of the bitcoins
than it would be to acquire mining power that’s larger than half the existing
Bitcoin network now this provides an extra disincentive against conducting
such a large-scale attack now there are a bunch of variations of virtual mining
and I’ll describe some of them the original one was called proof of stake
which assigns to each coin in the system a stake value and the idea
is that the stake value grows over time for every coin as long as the coin isn’t
used every time you spend the coin or make a transaction including a coin or
enter a coin in a mining puzzle by using the coin to mine the stake
value for that coin gets reset another alternative is called proof of burn and
in this scenario when you decide to mine using a coin you actually have to send
it to an unspendable address and the coin essentially is deleted or gone
forever on the other hand you do have a chance of winning a mining reward and
then that would replace the coins that you put in another variation is called
proof of deposit and this involves mining with your coins by depositing
them in something like a time-locked account where they aren’t burned forever
you’ll be able to get them back eventually but only after some amount of
time has passed effectively by choosing to mine with your coin in this scheme
you’re losing the opportunity cost of whatever else you could have done with
your coin instead at that time the last variation is proof of activity and in
this variation everyone with a coin is automatically entered into the mining
lottery if one of your coins is chosen then you’re responsible for choosing the
next block and you have to respond by creating a signed message about the
block that you choose within a certain amount of time now virtual mining
puzzles like these are an active area of ongoing research and there’s a large
open problem which we don’t know the answer to yet which goes like this is
there any form of security that you can only get by having a proof-of-work
system that involves really burning real resources acquiring real computational
hardware and expending real electrical power in order to find puzzle solutions
if so if there is some kind of security that you can only get by having a
proof-of-work puzzle and not with virtual mining then the apparent waste
of the proof of work system is actually just the cost of the security that you
get on the other hand if it does turn out that virtual mining can provide
exactly the same security or more that you can get by having a proof-of-work
system then it seems likely that eventually proof-of-work systems because
they’re so much more expensive will eventually give way in
favor of cheaper alternatives based on virtual mining but this question is as
of yet unanswered let’s conclude this lecture by summarizing some of the
things we’ve just talked about we’ve discussed a variety of approaches
towards designing alternate Bitcoin mining puzzles that achieve a variety of
different goals these include preventing ASIC miners
from becoming a consolidated source of power in the Bitcoin ecosystem we’ve
discussed puzzles that prevent large mining pools from becoming
consolidations of power we’ve also discussed puzzles that have
some intrinsic usefulness that can help society and reduce waste and we’ve
looked at the option of a mining puzzle that doesn’t require any computational
hardware at all now for now the best trade-off between these puzzles is
unclear and our speculation about the future is that for the near future there
will be many alternatives coexisting and it will continue to be unclear exactly
which alternative is the best now in the next lecture we’re going to talk about
Bitcoin as a platform this is going to include applications beyond just the
currency that we’ve seen so far this includes applications like lotteries
prediction markets smart contracts financial derivatives and many more you
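
The puzzle walked through in the lecture (sign the attempt to get s1, hash, compare to the target, and only then sign the Merkle root as s2), as an added example that is not code from the lecture. The toy Schnorr signature, its parameters, the easy target, all function names, and the choice that s2 covers the previous hash, the nonce and the Merkle root are assumptions made here so the block runs with the standard library alone.

```python
import hashlib

# Toy Schnorr signatures over Z_p^* using only the standard library.
# Constructed, illustrative parameters: NOT secure, chosen so the block runs offline.
P = 2**127 - 1          # Mersenne prime modulus
G = 3                   # base element
Q = P - 1               # exponents are reduced mod P-1 (x^(P-1) = 1 mod P)
TARGET = 1 << 246       # constructed easy target: about 1 attempt in 1024 wins

def H(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def keygen(seed):
    sk = H(b"key", seed) % Q
    return sk, pow(G, sk, P)

def sign(sk, *msg):
    k = H(b"k", sk, *msg) % Q                  # deterministic per-message secret
    e = H(pow(G, k, P), *msg) % Q
    return e, (k + e * sk) % Q

def verify(pk, sig, *msg):
    e, s = sig
    r = pow(G, s, P) * pow(pk, Q - e, P) % P   # g^s * pk^(-e) recovers g^k
    return e == H(r, *msg) % Q

def mine(sk, pk, prev, root, max_tries=50_000):
    for nonce in range(max_tries):
        s1 = sign(sk, prev, nonce)             # private key needed on every attempt
        if H(prev, pk, nonce, s1) < TARGET:    # compare the hash to the target
            s2 = sign(sk, prev, nonce, root)   # transactions bound only after winning
            return dict(prev=prev, pk=pk, nonce=nonce, root=root, s1=s1, s2=s2)
    return None

def check(sol):
    prev, pk, nonce = sol["prev"], sol["pk"], sol["nonce"]
    return (verify(pk, sol["s1"], prev, nonce)
            and H(prev, pk, nonce, sol["s1"]) < TARGET
            and verify(pk, sol["s2"], prev, nonce, sol["root"]))

def rebind(sk, sol, new_root):
    """Whoever holds sk can attach different transactions to a winning nonce."""
    return dict(sol, root=new_root, s2=sign(sk, sol["prev"], sol["nonce"], new_root))
```

Because s1 and the target check never touch the Merkle root, `rebind` yields a second valid solution for the same nonce, which is exactly why a pool cannot hand out the work without also handing out control of the reward.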
