
Minimum Viable Block Chain - vikrum
http://www.igvita.com/2014/05/05/minimum-viable-block-chain/
======
EGreg
I like that this actually covers why each piece is needed.

My only beef with this system is the proof of work, which leads to an arms
race in electricity consumption. Proof of stake is better, and frankly,
distributed timestamps don't need a race to solve a problem every time
something has to be timestamped.

For currency, it would actually be nicer to have a system that treats
trust/credit/reputation as the scarce resource. It would help people who
aren't rich in the traditional sense nevertheless organize and help each
other, and would allow people to "create their own currency" in communities,
or the equivalent of that, that they aren't able to do now.

~~~
bjitty
I'm familiar with proof of work and how it works within a blockchain to secure
blocks.

I keep hearing about proof of stake. I'm very interested in it, however I
haven't found an explanation that clearly explains to me how it works. I've
looked at the Wiki article and read a little about Peercoin. Do you know of
any article, video or source that may help explain exactly how proof of stake
works?

~~~
flatline
If you haven't read the peercoin whitepaper[1], it may get you a bit closer to
an understanding. That being said, I still don't have a solid grasp of
_exactly_ how destroyed coins result in solving blocks...

[1] [http://www.peercoin.net/whitepaper](http://www.peercoin.net/whitepaper)

~~~
bjitty
Thank you! I can't believe I missed it and didn't think to check for a white
paper for this. Especially since that's what really cleared up bitcoin's proof
of work blockchain to me.

------
sadfaceunread
Excellent read. This is not for a general audience, but helped me get a nicer
grasp on the fundamental technology than I had before without getting too
particular about the under-the-hood stuff.

The "blocks are never final" idea is what I believe has led to some of the
proposed 51% attacks on the bitcoin network.

Question: Does proof of work have to be a near 'lottery' system? Obviously it
needs to be asymmetric, but are there other good options than hash collision?

~~~
theswan
Some other proof of work protocols: [http://en.wikipedia.org/wiki/Proof-of-work_system#List_of_pr...](http://en.wikipedia.org/wiki/Proof-of-work_system#List_of_proof-of-work_functions)

~~~
tromp
Or on the more detailed cryptocurrency wiki:
[https://en.bitcoin.it/wiki/Proof_of_work](https://en.bitcoin.it/wiki/Proof_of_work)

------
nwh
The author seems to have mildly misunderstood the technicalities of hashcash-
like systems.

They seem to have thought that the hex representation of the hash matters when
mining, when really we're talking about large integers. If you just do the
former "look for a hash with two 0 at the start", you end up with almost no
granularity in the difficulty needed. You end up in the situation where 0000
is too easy, but 00000 is too hard. Bitcoin uses integers, and can therefore
adjust the target difficulty down to an arbitrary number of digits if
required.

Seems to be a common misconception when people have been told a simplified
version of what is going on.

~~~
nadaviv
Technically, you could say that you're looking for a hash with N zero _bits_
at the beginning. But yes, a lot of people seem to think that you're looking
for N zero _bytes_ instead.

~~~
oleganza
Even a granularity of 1 bit is too big. It is 2x increase or decrease in
difficulty while the actual hashing rate grows by 10-20% every 2 weeks even
during today's crazy time of land grabbing.
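The three checks nwh, nadaviv and oleganza contrast, as an added example that is not code from the article or this thread (the header string and the retarget ratio are constructed): leading hex digits can only step the work by 16x and leading bits by 2x, while an integer target can be scaled by any ratio, which is what a 10-20% change in hash rate calls for.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"math/big"
	"strings"
)

// hashOf hashes a constructed header together with a big-endian nonce.
func hashOf(header string, nonce uint64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], nonce)
	h := sha256.Sum256(append([]byte(header), buf[:]...))
	return h[:]
}

// MeetsHexZeros is the "N zeros at the start of the hex string" reading: each extra digit is 16x the work.
func MeetsHexZeros(hash []byte, zeros int) bool {
	return strings.HasPrefix(hex.EncodeToString(hash), strings.Repeat("0", zeros))
}

// MeetsBitZeros requires N leading zero bits: each extra bit doubles the work.
func MeetsBitZeros(hash []byte, bits int) bool {
	return new(big.Int).SetBytes(hash).BitLen() <= 256-bits
}

// MeetsTarget is the integer rule: the hash read as a 256-bit number is below target, any target.
func MeetsTarget(hash []byte, target *big.Int) bool {
	return new(big.Int).SetBytes(hash).Cmp(target) < 0
}

// TargetForBits is the target equivalent to "bits leading zero bits": 2^(256-bits).
func TargetForBits(bits int) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), uint(256-bits))
}

// Retarget scales a target by num/den (10/11 is ~10% harder); no 2x or 16x step is forced.
func Retarget(target *big.Int, num, den int64) *big.Int {
	r := new(big.Int).Mul(target, big.NewInt(num))
	return r.Div(r, big.NewInt(den))
}

// ExpectedAttempts is 2^256 / target: the mean number of hashes per solution.
func ExpectedAttempts(target *big.Int) float64 {
	q := new(big.Float).SetPrec(128).SetInt(new(big.Int).Lsh(big.NewInt(1), 256))
	f, _ := q.Quo(q, new(big.Float).SetPrec(128).SetInt(target)).Float64()
	return f
}

// Mine counts up from zero and returns the first nonce that meets the target.
func Mine(header string, target *big.Int) uint64 {
	for n := uint64(0); ; n++ {
		if MeetsTarget(hashOf(header, n), target) {
			return n
		}
	}
}
```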

------
rumcajz
The article fails to mention that while separation of a blockchain from the
currency is technically possible, in reality a blockchain without associated
currency won't work as nobody's going to spend their CPU time maintaining it
without getting something (money) in return.

~~~
3pt14159
This isn't actually true. In theory a blockchain could be maintained by
interested parties only. For example, if an honest blockchain solved a problem
of great importance to me (value = x) and even by putting a small amount of
work (value < x) into mining the blockchain I could protect myself (say
withdraw from action during double action attacks) then you can create a
system where many people are mining, making the entire blockchain more secure
each while guarding their own interests.

The closest analogy would be people setting up water sprinklers in their home.
Sure it helps keep the whole town safe, but the reason they do it is for their
own protection.

Similarly, in theory there are some other blockchain applications that give
each miner a gain _just from mining_. For example, imagine that scientific
communities around the world built a blockchain that checked folded proteins
for applications in medicine. In order to compactly represent this they use a
proof of work algorithm that solves these protein problems. The blockchain
allows them to quickly share paths that do (or do not!) bear fruit in a
specific direction, but it also coordinates search efforts along various veins
of discovery.

These are just two examples I thought of in the span of 5 minutes, I'm sure
there are countless ways of using blockchains, PoW algorithms, and
cryptographic techniques for communication, synchronization, and commerce.

~~~
wmf
_For example, if an honest blockchain solved a problem of great importance to
me (value = x) and even by putting a small amount of work (value < x) into
mining the blockchain I could protect myself (say withdraw from action during
double action attacks) then you can create a system where many people are
mining, making the entire blockchain more secure each while guarding their own
interests._

Wouldn't a rational actor free ride instead of mining? Also, the total hash
rate needs to be high enough to prevent 51% attacks, so there's no guarantee
that your cost of mining would be smaller than your benefit. A blockchain that
doesn't pay miners seems to have an equilibrium where trolls 51% it into
oblivion (as has already happened with some scamcoins AFAIK).

~~~
3pt14159
The 51% attack isn't a global problem, just a bitcoin problem due to it being
a currency. There are other blockchain uses that do not suffer from it.

~~~
thefreeman
How so? With 51% of hashing power you can essentially rewrite the block chain
to say whatever you want. What possible use could you have for a block chain
that is not accurate and controlled by a single entity?

~~~
Dylan16807
No you can't. With 51% hashing power you can exclude/remove transactions at
will, and nothing more. You cannot forge transactions.

~~~
lostsock
Actually yes you can.

If you have > 51% hashing power for a long period of time then you could
theoretically choose an arbitrary block some time in the past (the further
back you go the more difficult and time consuming it will be) and begin mining
from that block. Including (or making up) whatever transactions you want as
you go. Eventually you will have a longer chain than the "main" block and
unless manual intervention is made you will orphan all of the other blocks and
be able to rewrite history.

~~~
eridius
Dylan16807 is correct. You can't forge transactions. You can create an
alternative history, but each transaction still requires holding the necessary
private key to sign the transaction. If you're trying to make up new
transactions out of whole cloth, you can only do so if they're transactions
that you could have otherwise legitimately created.

What the 51% attack lets you do is remove transactions, which lets you double-
spend. And of course there may be other benefits too. For example, if someone
is using the blockchain for purposes other than sending money to people (e.g.
notarizing a document, proxy transactions that represent movement of physical
goods, etc) then removing transactions may be beneficial without double-
spending.

~~~
lostsock
You (and Dylan) are spot on, thanks for taking the time to correct me.
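The distinction eridius and Dylan16807 draw, as an added example that is not code from the article or this thread (the Tx and Block layout, the toy 8-bit proof of work and the memo strings are constructed): a node's Validate rule checks parent links, work and every signature but never asks who mined a block, so a longer fork that merely leaves a payment out passes, while a transaction whose Sig was not made by the key behind From is rejected however much work sits on top of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Tx is a constructed transaction: a memo and the sender's signature over memo||From.
type Tx struct {
	From ed25519.PublicKey
	Memo string
	Sig  []byte
}

// Block links to its parent by hash; the toy proof of work needs hash[0] == 0.
type Block struct {
	Prev  [32]byte
	Txs   []Tx
	Nonce uint64
}

func txBytes(tx Tx) []byte { return append([]byte(tx.Memo), tx.From...) }

// blockHash commits to the parent, the nonce and every transaction.
func blockHash(b Block) [32]byte {
	data := []byte(fmt.Sprintf("%x|%d|", b.Prev, b.Nonce))
	for _, tx := range b.Txs {
		data = append(append(data, txBytes(tx)...), tx.Sig...)
	}
	return sha256.Sum256(data)
}

// Mine grinds the nonce; more hash power just means a faster loop.
func Mine(prev [32]byte, txs ...Tx) Block {
	b := Block{Prev: prev, Txs: txs}
	for blockHash(b)[0] != 0 {
		b.Nonce++
	}
	return b
}

// Validate is what every node checks: parent link, work and each signature. It never
// asks who mined a block, so a longer valid fork replaces history, but no work fixes a bad signature.
func Validate(chain []Block) error {
	var prev [32]byte
	for i, b := range chain {
		if h := blockHash(b); b.Prev != prev || h[0] != 0 {
			return fmt.Errorf("block %d: bad parent link or insufficient work", i)
		}
		for j, tx := range b.Txs {
			if !ed25519.Verify(tx.From, txBytes(tx), tx.Sig) {
				return fmt.Errorf("block %d tx %d: signature does not verify", i, j)
			}
		}
		prev = blockHash(b)
	}
	return nil
}
```

To replay the thread: mine a one-block honest chain holding Alice's signed payment and a two-block fork from the zero genesis hash without it; Validate accepts the fork (the payment is undone), but any block carrying a Tx signed by a key other than Alice's returns the signature error.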

------
tsmith
Excellent write-up, but having taken Corporate Accounting courses the "triple-
entry bookkeeping" moniker tripped me up a bit - it's an inaccurate metaphor
(see [http://en.wikipedia.org/wiki/Double-entry_bookkeeping_system](http://en.wikipedia.org/wiki/Double-entry_bookkeeping_system) to understand why).

~~~
igrigorik
Curious, could you elaborate? The wiki page is long, not sure what I'm looking
for... It seems like "triple-entry" is often used alongside "momentum
accounting", but it's not clear to me why they are conflated. Disclaimer: I'm
no accountant, so the simple terms are good. :)

~~~
thefreeman
fyi comrade, you're hellbanned

~~~
thefreeman
Uhh, I was just trying to let comrade1 know that all of his comments were
appearing dead. It seems to have been fixed now though.

I guess that is somehow deserving of downvotes...

------
mey
For handling distributed convergence in an entirely trusted space, take a look
at Vector Clocks
[https://en.wikipedia.org/wiki/Vector_clock](https://en.wikipedia.org/wiki/Vector_clock)

Blockchains build off the general concept by introducing proof of work and
consistent design to handle forks (longest blockchain wins).

------
oleganza
Note that blockchain is more than a currency, but it must contain a
collectible within itself in order to be. New blocks will appear and will be
backed by the maximum computing power only if miners are competing for the
rare collectible that exists within the blockchain. Such collectible must tend
to become a universally accepted money (i.e. most marketable commodity) to
guarantee maximum amount of CPU time. If that collectible is too inflationary
or sucks at something (poorly transferrable, or poorly divisible), then the
entire blockchain is at risk. In other words, if there could be a long-term
viable and secure blockchain, there will only be one. Everything else will be
insecure and fall victim to the law of opportunity cost.

See also: [http://blog.oleganza.com/post/54121516413/the-universe-wants...](http://blog.oleganza.com/post/54121516413/the-universe-wants-one-money)

~~~
panabee
i'm new to bitcoin, so forgive me if this is a silly question. is it possible
to compensate miners in another way beyond offering a rare collectible?

~~~
oleganza
Blockchain is a decentralized consensus. It must contain all information
relevant to determining consensus in itself, so every node can have all the
data necessary to determine which chain is the main chain. That's why any
incentive to maintain the chain must be produced by the chain itself. You
can't peg the reward to a USD bank account, or a Facebook stock, or some
Folding@Home tasks. They exist outside of the chain and thus can't be
trusted/verified by every peer.

So you need to create some incentive in the form of a valuable reward that is
purely informational, can be verified independently by anyone, contains all
necessary information in the blockchain and does not consume enormous amounts
of bandwidth/time/energy in order to be verified. This could only be a
fungible cryptographic token and this token must be rare. This does not
guarantee that it will be valuable, but fungibility and scarcity are necessary
to start with.

This token must be created in a way that can't be counterfeited and can be
independently verified using only the blockchain data (because one can only
trust what's in the blockchain). So far it was proof-of-work that provided
scarcity. I don't think there is a drastically different way to solve this
problem.

~~~
panabee
so higher miner fees would not be a viable incentive? thanks for the
information, very helpful in understanding blockchains better.

given your analysis, how will miners be compensated once we hit 21M bitcoins?
others have asserted higher miner fees. if they are right, this seems to
negate one of bitcoin's supposed benefits -- negligible transaction fees --
precluding certain applications like microtransactions.

not attacking bitcoin, just trying to understand its true applications.

thanks for your help!

~~~
oleganza
> so higher miner fees would not be a viable incentive?

Miner fees are irrelevant if one does not have the coins to begin with. The
chain will be maintained by competing miners only if they are incentivized
with initial distribution of a limited supply of units. If all units belong to
just one guy, then why should anyone mine anything? If you need coins, you can
just buy them from him. But why would they have any value then?

> how will miners be compensated once we hit 21M bitcoins?

We will never "hit" 21M bitcoins. We will slowly approach lower and lower
inflation until it becomes zero. But we will notice how miners receive bigger
and bigger portion of income from the fees. There will be more demand for on-
chain transactions which will increase competition among users and fees will
go up. To increase income, miners will be eager to increase the block size
limit thus allowing more throughput and as a side effect making fees stabilize
at some level. The process will be slow enough that no one will be shocked by the
adjustment of the reward. At the same time, all known events of the future are
already priced in. Miners already know that in 3 years they will have 2x
smaller reward.

Think of the process this way: miners want to maximize their revenue, users
want to minimize their costs. If on-blockchain transactions become too
expensive, users will use some clearing houses thus depriving miners of
extra fees. Therefore miners will be eager to process more transactions at the
current or slightly lower prices to collect those fees. But by allowing more
transactions, they reduce competition between users thus preventing the fees
from growing further. The system will stabilize at an intersection of 1)
affordable bandwidth for miners (so they do not lose too much money on side
blocks), 2) optimal fees for users to pay and miners to earn. If bandwidth/CPU
is infinite, miners would collect trillions of transactions costing a 0.0001
of a penny and users would enjoy microtransactions right on the blockchain.
But we have some real-world limitations that shift equilibrium somewhere to
lower throughput and higher fees.

See also:
1) [http://blog.oleganza.com/post/43677417318/economics-of-block...](http://blog.oleganza.com/post/43677417318/economics-of-block-size-limit)
2) [http://blog.oleganza.com/post/43849158813/this-is-how-block-...](http://blog.oleganza.com/post/43849158813/this-is-how-block-size-limit-will-be-raised)

------
neil_s
Finally an analogy-based explanation of cryptocurrencies/blockchains that I
read all the way through!

Two questions: Currently, bitcoin transactions don't have any transaction
fees. In this case, where are these 'mined' coins coming from? Is it by adding
a transaction from 'the ether' to the miner?

Also, if there are transaction fees but the person who verifies the block adds
their own fee to the block, what's stopping them from verifying that Alice and
Bob have offered the miner a transaction fee of 100 BTC instead of 1 BTC?

~~~
maaku
Yes, the first transaction of a block is allowed to "overspend" by up to the
subsidy amount, currently 25btc. Obviously the miners pay these newly minted
coins to themselves.

~~~
maaku
Why the downvotes? What I wrote is correct:

[https://github.com/bitcoin/bitcoin/blob/master/src/main.cpp#...](https://github.com/bitcoin/bitcoin/blob/master/src/main.cpp#L1838)

------
maaaats
Somewhat related: The size of a chain will be constantly growing, right? How
fast, and will it be a problem?

~~~
ars
It's already a problem. Bitcoin is around 20GB right now - it means you can't
have a full bitcoin client on a cheap USB key anymore. (A common security
recommendation to avoid hacks.)

If you have more than one currency installed on your computer you might use
100GB or more for them. It fits, but it's starting to become a significant %
of a typical hard disk. (Although presumably people with lots of wallets are
not typical and have larger disks.)

~~~
glitch003
If you're storing the entire blockchain on a USB key to "avoid hacks", you're
doing it wrong.

An offline live-CD or USB key has no need to store the entire blockchain if
you just want to store coins and keep them safe.

~~~
ars
How would you initiate any transactions from your live-key if you don't have
the client installed? And the client needs the entire block chain.

(I'm aware of light clients that work with a server, but that's not the
standard.)

You can store the wallet cold on a usb key, certainly, but that's not the use
case here. The use case here is a usb-key you boot ONLY for bitcoin, and
nothing else. No web browser, no nothing, just the bitcoin client.

This is recommended if you are on windows, or if you aren't certain you can
secure your computer (most people can't).

~~~
Dylan16807
You can get by just fine with a client that stores the root hash of each block
and part/all of the blocks where it sent or received money, ignoring all other
blocks. You won't be able to fully verify old transactions but you'll be able
to send and receive.

Whether someone has coded such a client I don't know, but it's not a difficult
problem, and does not require a server.

------
eridius
> The critical property of the above workflow is that the output of the
> cryptographic hash function (SHA-256 in this case) is completely different
> every time we modify the input: the hash value of the previous attempt does
> not tell us anything about what the hash value of the next attempt when we
> increment our counter - i.e. it's a non-deterministic algorithm.

It's a fully-deterministic algorithm. It would be quite useless if it were
not. I believe what the author is trying to say is that it's not
_predictable_.

------
bshanks
I propose that someone create a proof-of-work system that creates a
distributed auction of the computing power of the miners. This has the twin
benefits of not wasting electricity on doing useless hashes, and of providing
a backing for the value of the created currency (because the currency can be
used to purchase computing power from miners). A standardized NP-complete
problem formulation could be used.

I haven't worked out exactly how to do this (specifically: if the problems
posed to the miners are not random, what is to prevent a miner from posing a
problem to which they already know the answer?), it's just an idea.

more rumination at
[https://en.bitcoin.it/wiki/Intrinsic_worth_brainstorming#pse...](https://en.bitcoin.it/wiki/Intrinsic_worth_brainstorming#pseudo-BTC_that_uses_computational_power_in_service_of_some_problem)

------
deathhand
As much as I hate the concept of "trusted computing" I believe it could help
with Sybil attacks.
[http://en.wikipedia.org/wiki/Trusted_Computing#Endorsement_k...](http://en.wikipedia.org/wiki/Trusted_Computing#Endorsement_key)

~~~
wmf
Then you have other problems as described in Vinge's _Rainbows End_.
[http://vrinimi.org/front9uns.jpg](http://vrinimi.org/front9uns.jpg)
[http://vrinimi.org/back9rev.jpg](http://vrinimi.org/back9rev.jpg)

