[Cryptography] Proof of Work is the worst way to do a BlockChain

jamesd at echeque.com jamesd at echeque.com
Wed Feb 7 20:02:00 EST 2018


On 07/02/2018 08:54, Tony Arcieri wrote:
> There will be a number of proof-of-stake systems launching this year. I 
> could say that they operate under a slightly different threat model than 
> Bitcoin: they are "permissionless" in that anyone can spin up their own 
> chain at any time and interoperate with other chains, but each chain is 
> operated by what is effectively a cabal, which does not fit some 
> people's definition of what "permissionless" and "decentralized" should 
> mean...
> 
> ...except the vicious cycle of proof-of-work has led to the exact sort 
> of cabal proponents of some platonic ideal of "decentralized" hope to 
> prevent: it only takes two mining pools, either in collusion or through 
> compromise, to pull off a so-called 51% attack against Bitcoin with the 
> current miner distribution, and greater-than-99% of all Bitcoin 
> transactions will be confirmed by less than a dozen mining pools. The 
> experiment is a failure: proof-of-work does not work and is not a valid 
> solution to the "decentralization" problem. Several chains operated by 
> several cabals sounds like it does a better job of being "decentralized" 
> than one chain operated by one cabal.

Need open entry into the "cabal", as well as cooperation and secure 
efficient transactions between competing cabals, so that there is no 
very strong difference between a competing cabal and a side chain.  The 
cabal should consist of peers in good standing, where the block chain 
records a peer's provision of data storage and bandwidth to the chain, 
and a peer loses good standing if he deviates from the rules.

Money should be controlled by client wallets hosted by peers, but each 
transaction output should be associated with a peer, albeit a client 
wallet can change the association without the cooperation of a peer.  To 
be a peer in good standing requires that the peer hosts transaction 
outputs worth substantial value, as well as requiring that the peer 
provides substantial bandwidth, storage, and up time.

The definitive version of the blockchain should rest on the vote of the 
peers in good standing, and the number of peers in good standing should 
be a lot larger than the existing number of dominant mining pools, but 
should not be enormously large, perhaps a few thousand peers, a hundred 
or so peers in good standing, hosting billions of wallets and hundreds 
of billions of unspent transaction outputs.

Normally one peer in good standing, primus inter pares, is approved to 
provide definitive approval of the final state of a block, and what he 
says goes, except that at any time any of the other peers in good 
standing can launch a delay, and hold a vote for a new primus inter pares.

The decision of the primus inter pares becomes effective and final when 
evidence is generated, and stored in the block chain, that a majority of 
the other peers in good standing have seen and acknowledged the 
decision. This is in effect yet another variant of the Paxos protocol.
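
Added example, not part of the original post or of any implementation by its author: a sketch of the finality rule in the last paragraph, where the primus's decision on a block becomes final once a majority of the other peers in good standing have acknowledged it. The names `BlockFinality`, `ack_tag` and `peerN` are hypothetical, and HMAC with per-peer keys stands in for the peer signatures a real chain would store as evidence.

```python
import hashlib
import hmac

def ack_tag(key, height, block_hash):
    # HMAC is a stand-in (assumption) for a peer's signature over the decision.
    msg = height.to_bytes(8, "big") + block_hash
    return hmac.new(key, msg, hashlib.sha256).digest()

class BlockFinality:
    """Collects acknowledgements of the primus's decision on one block."""

    def __init__(self, good_standing, primus, height, block_hash):
        if primus not in good_standing:
            raise ValueError("primus must be a peer in good standing")
        self.keys = good_standing        # peer id -> key (hypothetical registry)
        self.primus = primus
        self.decision = (height, block_hash)
        self.evidence = {}               # peer id -> tag; what the chain would store

    def quorum(self):
        others = len(self.keys) - 1      # the primus does not acknowledge himself
        return others // 2 + 1           # strict majority of the other peers

    def record_ack(self, peer, height, block_hash, tag):
        """Return True only if the ack counts as evidence for this decision."""
        if peer == self.primus or peer not in self.keys:
            return False                 # not one of the other peers in good standing
        if (height, block_hash) != self.decision:
            return False                 # acknowledges some other block or height
        if not hmac.compare_digest(ack_tag(self.keys[peer], height, block_hash), tag):
            return False                 # forged or corrupted acknowledgement
        self.evidence[peer] = tag        # keyed by peer, so a repeat counts once
        return True

    def is_final(self):
        return len(self.evidence) >= self.quorum()

def demo():
    # Constructed sample: seven peers in good standing, peer0 is the primus.
    keys = {f"peer{i}": bytes([i + 1]) * 32 for i in range(7)}
    block = hashlib.sha256(b"constructed block 100").digest()
    state = BlockFinality(keys, "peer0", 100, block)
    for p in ("peer1", "peer2", "peer3", "peer1"):           # peer1 acks twice
        state.record_ack(p, 100, block, ack_tag(keys[p], 100, block))
    before = state.is_final()                                # 3 of 6, no majority
    forged = state.record_ack("peer4", 100, block, b"\x00" * 32)
    state.record_ack("peer4", 100, block, ack_tag(keys["peer4"], 100, block))
    return before, forged, state.is_final()
```

With seven peers the quorum is four of the six non-primus peers, so the duplicate and forged acknowledgements leave the block unfinalized until a fourth distinct valid one arrives.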

