[Cryptography] Proof of Work is the worst way to do a BlockChain

Lee Clagett forum at leeclagett.com
Thu Feb 8 14:08:50 EST 2018


On Tue, 6 Feb 2018 16:54:31 -0800
Tony Arcieri <bascule at gmail.com> wrote:

> There will be a number of proof-of-stake systems launching this year.
> I could say that they operate under a slightly different threat model
> than Bitcoin: they are "permissionless" in that anyone can spin up
> their own chain at any time and interoperate with other chains, but
> each chain is operated by what is effectively a cabal, which does not
> fit some people's definition of what "permissionless" and
> "decentralized" should mean...
> 
> ...except the vicious cycle of proof-of-work has led to the exact
> sort of cabal proponents of some platonic ideal of "decentralized"
> hope to prevent: it only takes two mining pools, either in collusion
> or through compromise, to pull off a so-called 51% attack against
> Bitcoin with the current miner distribution, and greater-than-99% of
> all Bitcoin transactions will be confirmed by less than a dozen
> mining pools. The experiment is a failure: proof-of-work does not
> work and is not a valid solution to the "decentralization" problem.
> Several chains operated by several cabals sounds like it does a
> better job of being "decentralized" than one chain operated by one
> cabal.

I think the mining == centralization is still debatable. If a
significant number of Bitcoin users thought decentralization was an
important goal they could independently purchase mining specific
hardware. The goal would not be to make money, but to preserve the
decentralization properties. They would not be spending lots of money
or electricity per month individually, but collectively they would make
some noticeable percentage of the hash power of the network. I've been
calling this concept "Han Solo Mining" in my head, but I am not sure
how many people are interested in such a thing. Modern CPUs (arm64,
Intel, AMD) have built-in SHA256 instructions so the cost per hash
should have really dropped for the "average" person even without custom
low-cost ASICs.

Also, numerous other crypto-currencies have taken the stance that the
PoW function should change in the face of ASICs. These still
might fall into a "cabal"; botnets or large organizations like the FBI
could just point their mass amounts of CPU at the chain. But even here,
a large number of "real" users can offset these large organizations.

It's also worth mentioning that even when mining is centralized, this
does not automatically mean the miners are able to set the
protocol rules, inflate as desired, or steal. The full-node operators /
merchants / users, etc, would have to agree to this behavior. Refusing
to accept this behavior could result in a drop in hash rate for a while
(and thus backlog transactions), but miners do not "own" the network in
quite the same way that nodes "own" the network in a delegated scheme.

> To keep up with the state-of-the-art in Bitcoin mining today, and
> actually mine at a hash rate where you stand a decent chance of
> producing winning blocks at a semi-frequent rate, you are looking at
> building something like this:
> 
> https://news.bitcoin.com/wp-content/uploads/2017/08/bitmain_4-1024x683.jpg
> 
> Where datacenters like that might inspire awe, the absolutely
> ridiculous aspect of it is the actual useful work being accomplished
> by that multi-silo datacenter facility and all of the miners around
> the world, collectively, to the tune of 4 gigawatts of energy
> expenditure, could be accomplished in a centralized system by a
> Raspberry Pi hooked to the Internet by a 28.8kbps modem.
> 
> If we simply accept that nature abhors a vacuum and regardless of what
> incentive structure you offer to system operators the system will
> naturally move towards being operated by a cabal of the most
> proficient people, well... that doesn't sound like the worst thing in
> the world to me (it sounds like human nature), except in the case of
> Bitcoin that thing happens to be building the biggest electricity
> waster.

If it lowers the barriers of trust in an exchange, then it is not a
waste of electricity. So I think your complaint is actually one of human
behavior - if people trusted those outside their group more, then less
total resources would be wasted. The problem is that in trusting these
other people more, they are also creating a bigger opportunity for
being scammed/conned (which still does exist). Not everyone thinks
about mutually beneficial outcomes.

> If you change the incentive structure to something like a delegated
> proof-of-stake system, the incentive for validators becomes building
> and operating a system with high availability, high security, and the
> bandwidth, storage, and compute resources to keep up with what could
> be a so-called "big blocker's" fantasy. This would eliminate the sort
> of utopian dream of "anyone can run a Bitcoin node" but that too is
> an idea I find highly questionable. If the validators (and things
> like inter-chain peg zones, auditors, and a handful of other use
> cases) are the only ones who need to see the firehose, it can move
> much, much faster than the 4 tx/sec Bitcoin is doing on-chain today,
> and the rest of the network can operate using light clients.

This seems like a worthwhile experiment for existing banks to think
about. It's not obvious that creating a new currency/coin with properties
closer to that of existing systems will have long-term market appeal.
Without PoW, the currency can be devalued quickly and cheaply. Some/many
people view this as a negative (the whole market appeal thing).

Also, organizations running these validators may need some revenue to
offset the increased cost of processing the higher transaction volume
that you describe. Will people accept lower tx fees for monthly
subscription fees or fractional reserve lending schemes or inflation to
finance this? Inflation is _probably_ going to be the solution decided,
which brings up the whole trust thing again.

> It also means the system can come to consensus much faster, in seconds
> rather than minutes, because the validators can run a traditional BFT
> algorithm between each other rather than Bitcoin's
> consensus-by-lottery/race condition. This means clients can be much
> simpler than systems which use off-chain payment channel protocols,
> and there is no (surprising) latency to open a channel: the system
> can operate at a scale where transactions are confirmed on-chain at a
> reasonable rate to begin with.
>
> A faster blockchain is a more expensive one to operate, but in the
> process should also be a more lucrative one for system operators with
> respect to transaction fees. Instead of investing in an arms race to
> do the best job wasting electricity, we could be investing in compute
> resources to make the system faster: a virtuous cycle instead of a
> vicious one.

    "arms race to do the best job wasting electricity"

This statement is clearly false. No one is rewarded for spending _more_
electricity than their peers. It may appear that way because miners
with more hash power may use more electricity, but they are not rewarded
specifically for the amount of electricity they spend. If this were so,
no one would bother increasing or advertising their hash rate per KWH.

There is an opportunity cost of spending time with hash rate
improvement instead of efficient transaction volume. Again, the problem
is whether there is a market of people willing to participate in such a
system if it lacks the perceived money inflation/decentralization
controls. I think the answer is "almost certainly", but the follow up is
"is there a market for a purely private venture". Little harder to
know. Again, people that find the kind of system you describe appealing
will probably want the banking system or at least government involved.
So eventually both types of systems could co-exist.

Lee

