[Cryptography] Proof of Work is the worst way to do a BlockChain

Tony Arcieri bascule at gmail.com
Tue Feb 6 19:54:31 EST 2018


There will be a number of proof-of-stake systems launching this year. I
could say that they operate under a slightly different threat model than
Bitcoin: they are "permissionless" in that anyone can spin up their own
chain at any time and interoperate with other chains, but each chain is
operated by what is effectively a cabal, which does not fit some people's
definition of what "permissionless" and "decentralized" should mean...

...except the vicious cycle of proof-of-work has lead to the exact sort of
cabal proponents of some platonic ideal of "decentralized" hope to prevent:
it only takes two mining pools, either in collusion or through compromise,
to pull of a so-called 51% attack against Bitcoin with the current miner
distribution, and greater-than-99% of all Bitcoin transactions will be
confirmed by less than a dozen mining pools. The experiment is a failure:
proof-of-work does not work and is not a valid solution to the
"decentralization" problem.  Several chains operated by several cabals
sounds like it does a better job of being "decentralized" than one chain
operated by one cabal.

To keep up with the state-of-the-art in Bitcoin mining today, and actually
mine at a hash rate where you stand a decent chance of producing winning
blocks at a semi-frequent rate, you are looking at building something like
this:

https://news.bitcoin.com/wp-content/uploads/2017/08/bitmain_4-1024x683.jpg

Where datacenters like that might inspire awe, the absolutely ridiculous
aspect of it is the actual useful work being accomplished by that
multi-silo datacenter facility and all of the miners around the world,
collectively, to the tune of 4 gigawatts of energy expenditure, could be
accomplished in a centralized system by a Raspberry Pi hooked to the
Internet by a 28.8kbps modem.

If we simply accept that nature abhors a vacuum and regardless of what
incentive structure you offer to system operators the system will naturally
move towards being operated by a cabal of the most proficient people,
well... that doesn't sound like the worst thing in the world to me (it
sounds like human nature), except in the case of Bitcoin that thing happens
to be building the biggest electricity waster.

If you change the incentive structure to something like a delegated
proof-of-stake system, the incentive for validators becomes building and
operating a system with high availability, high security, and the
bandwidth, storage, and compute resources to keep up with what could be a
so-called "big blocker's" fantasy. This would eliminate the sort of utopian
dream of "anyone can run a Bitcoin node" but that too is an idea I find
highly questionable. If the validators (and things like inter-chain peg
zones, auditors, and a handful of other use cases) are the only ones who
need to see the firehose, it can move much, much faster than the 4 tx/sec
Bitcoin is doing on-chain today, and the rest of the network can operate
using light clients.

It also means the system can come to consensus much faster, in seconds
rather than minutes, because the validators can run a traditional BFT
algorithm between each other rather than Bitcoin's
consensus-by-lottery/race condition. This means clients can be much simpler
than systems which use off-chain payment channel protocols, and there is no
(surprising) latency to open a channel: the system can operate at a scale
where transactions are confirmed on-chain at a reasonable rate to begin
with.

A faster blockchain is a more expensive one to operate, but in the process
should also be a more lucrative one for system operators with respect to
transaction fees. Instead of investing in an arms race to do the best job
wasting electricity, we could be investing in compute resources to make the
system faster: a virtuous cycle instead of a vicious one.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180206/a9020cab/attachment.html>


More information about the cryptography mailing list