
Time, Randomness, and a $100k Prize to Forever Change Blockchain - Supranational
https://aws.amazon.com/blogs/startups/competition-forever-change-blockchain/
======
kanzure
I recently typed a transcript of a talk about verifiable delay functions:
[http://diyhpl.us/wiki/transcripts/verifiable-delay-functions/vdf-day-2019/dan-boneh/](http://diyhpl.us/wiki/transcripts/verifiable-delay-functions/vdf-day-2019/dan-boneh/)

------
Supranational
Hey All!

We're one of the sponsors of this competition. Please let us know if you have
any questions!

~~~
mpreda
What is the algorithm for verifying the VDF output?

Specifically, I compute y = x^(2^N) mod M using N modular squarings, how do
you verify the result?

~~~
justindrake
One efficient verification scheme is by Benjamin Wesolowski (see academic
paper [here](https://eprint.iacr.org/2018/623.pdf)).

The scheme is surprisingly simple and fits on just one slide. See
[https://www.youtube.com/watch?v=zqL_cMlPjOI&feature=youtu.be...](https://www.youtube.com/watch?v=zqL_cMlPjOI&feature=youtu.be&t=652)
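
Wesolowski's scheme that justindrake points to, as a worked example added here (not code from the thread, the paper or Supranational): `evaluate` does the sequential squarings mpreda describes, `prove` adds one extra exponentiation, and `verify` checks `pi^l * x^r == y` using only a cheap modexp for `r = 2^T mod l`. The toy modulus, the SHA-256 hash-to-prime construction and the Miller-Rabin routine are assumptions made for the demo, not anything the paper or competition specifies.

```python
import hashlib
# Constructed toy RSA-style modulus (insecure); real deployments use a modulus of unknown factorization.
TOY_M = 1000000007 * 998244353

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: adequate for a demo, not for production."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2: return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def hash_to_prime(x, y, bits=128):
    """Fiat-Shamir challenge: hash (x, y) and walk up to the next odd prime."""
    h = int.from_bytes(hashlib.sha256(f"{x}|{y}".encode()).digest(), "big")
    candidate = (h >> (256 - bits)) | 1
    while not is_probable_prime(candidate):
        candidate += 2
    return candidate

def evaluate(x, T, M):
    """The slow, inherently sequential part: T repeated modular squarings."""
    y = x
    for _ in range(T):
        y = pow(y, 2, M)
    return y

def prove(x, y, T, M):
    """Prover's extra work: pi = x^q mod M with q = floor(2^T / l)."""
    return pow(x, (1 << T) // hash_to_prime(x, y), M)

def verify(x, y, T, M, pi):
    """Verifier: pi^l * x^r == y with r = 2^T mod l, i.e. O(log T) instead of T squarings."""
    l = hash_to_prime(x, y)
    return (pow(pi, l, M) * pow(x, pow(2, T, l), M)) % M == y
```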

~~~
gchamonlive
> [https://eprint.iacr.org/2018/623.pdf](https://eprint.iacr.org/2018/623.pdf)

------
iancoleman
chia.net is also running VDF competitions with $100,000 prize. They recently
announced the results for round 2.

[https://www.chia.net/2019/07/18/chia-vdf-competition-round-2-results-and-announcements.en.html](https://www.chia.net/2019/07/18/chia-vdf-competition-round-2-results-and-announcements.en.html)

------
ghostpepper
Can someone explain why proof-of-stake is not inherently monopolistic? It
seems like a system where the more of a currency you possess, the more you can
obtain, which is obviously unstable, right?

~~~
narush
In current Proof-of-work (PoW) blockchains, the more mining hardware you have,
the more coins you get, and the more mining hardware you can buy. In this
sense, the same exact monopolistic structure you mention exists in both PoW
and Proof-of-stake (PoS) blockchains.

However, (PoS) is a lot less monopolistic than PoW for other reasons:

1. Massively reduced economies of scale. Pretty much all POW mining happens
in mining farms for a reason: it's a lot cheaper, per unit of revenue, to move
all your mining to one big warehouse. This makes it pretty much impossible for
a normal person to contribute to PoW in any meaningful way -- good luck
running a competitive mining farm out of your house. In PoS, however, 10x more
coins will get you exactly 10x more rewards, and costs don't fall at all,
leading to less economies of scale, and so less pressure towards a monopoly.

2. Ability for the protocol to apply punishments as well as rewards. In PoW,
because the miners aren't tied to any address, there is no real mechanism for
punishing them. In PoS, because the "mining power" (aka coins) is in the
protocol, bad behavior can be punished. This has two benefits from the
perspective of monopolistic market structure. First, it makes it so 51%
attacks are costly in protocol. If evidence is shown that you 51% attacked,
your coins can be "slashed," or taken away. Notably, in PoW, a 51% attack is
free to the attacker if successful. Second, collective punishments can be
applied to miners (validators in PoS language). This makes it so miners can be
punished if they censor other miners -- again leading to less
centralization/monopoly pressure.

Please do disagree (or make me clarify) with anything that seems
stupid/unclear/incorrect in the above. I'd love to engage more!

~~~
trianglesphere
While proof of stake does have a lot of advantages over PoW, it cannot handle
more than 1/3 of the voting power acting incorrectly. This is a well known
hard bound on BFT algorithms.

In terms of implementing PoS, most BFT algos have traditionally scaled poorly
(HotStuff which is linear in communication costs relative to the number of
nodes/validators is very recent). In addition, going offline for validators,
even accidentally, hurts the network and slashing PoS schemes often have
uptime requirements. Validators also need to have the infra to be hidden and
not DDOS'd.

tl;dr, Proof of stake is still decently centralized, but a lot of work is
being done to scale it.

~~~
narush
The 1/3 bound is for general byzantine behavior. If you're willing to get more
specific about the type of behavior you want to tolerate, the bounds are more
flexible[1] (this link is from the HotStuff people, actually!). For example, a
node could tolerate no more than "20% Byzantine faults and 30% alive-but-corrupt
faults". In turn, this allows different clients to make different
assumptions (one huge advantage PoW has over traditional BFT protocols).

Also, w.r.t. linear communication, CBC Casper[2] has the ability to come to
consensus on a blockchain with, in the limit (and in the optimal case), a
single message per block that is finalized. It uses essentially the same form
of pipelining that HotStuff does, but to the extreme (at the cost of a much
longer time for blocks to be finalized). Full disclosure: I work on CBC
Casper, so take what I'm saying with a grain of salt.

[1] [https://dahliamalkhi.wordpress.com/2019/04/24/flexible-byzantine-fault-tolerance/](https://dahliamalkhi.wordpress.com/2019/04/24/flexible-byzantine-fault-tolerance/)

[2] [https://github.com/cbc-casper/cbc-casper-paper/blob/master/cbc-casper-paper-draft.pdf](https://github.com/cbc-casper/cbc-casper-paper/blob/master/cbc-casper-paper-draft.pdf)

~~~
trianglesphere
Good point with the flexible BFT paper. I didn't realize casper pipelines,
I'll have to look into it. I'm working on IBFT (fixed to be more pbft like).

------
devwastaken
Wouldn't this simply be a matter of designing hardware that does these
operations on chip as a software accessible operation?

~~~
justindrake
The ultimate goal is indeed to build an ultra-fast ASIC. There's a $1M ASIC
circuit competition planned for 2020. This $100K FPGA competition is a
"warm up" to the ASIC competition.

A bit more information here
[https://www.youtube.com/watch?v=9-77V1IareQ&feature=youtu.be...](https://www.youtube.com/watch?v=9-77V1IareQ&feature=youtu.be&t=914)

------
aey
This is rad. You can actually build a fairly secure vdf with a sequential hash
function using intel’s sha256 instructions, and verify the output across all
the available simd lanes.

------
ForHackernews
Really pleased to finally see a possible alternative to the atrociously
wasteful proof-of-work algorithms. Here's hoping bitcoin will switch, too.

~~~
griffero
The whole point of PoW is to be expensive. The security of the network is a
derivative of the cost of running the nodes.

~~~
wmf
PoS is also expensive but the expense is in opportunity cost not in capex and
energy. There's clean expensive and dirty expensive.

------
zaroth
If it is embarrassingly parallelizable, then why would the total amount of
energy (megawatts) invested in running the function not grow until it equals
the economic value of the outputs, _regardless_ of the particulars of the
algorithm.

And if it's not embarrassingly parallelizable, first, tell me why, and second,
what's all this business about optimizing the algorithm in the first place?

~~~
zodiac
The computation described (compute x^(2^t) mod N) is designed to not be
parallelizable.

~~~
zaroth
Interesting... so let's assume everyone can compute it in about the same
amount of time, how does the "lottery" work?

OK, I found this fairly informative [1]. It's designed to be an entropy source
feeding into a proof-of-stake algorithm.

If you can't run it "that much" faster than everyone else, it's more likely
your result is not manipulated to steer an unfair portion of the block reward
your way.

I haven't read much about any of this. The point that seems to stick out most
is the idea that "everyone" submits some amount of data, versus just the first
to reach the difficulty target submitting.

Once you have that concept, then you need time gates to control how quickly
the rounds happen, and VDF can be used to dictate the clock rate.

A conceptual piece I must still be missing is how all the submissions are
aggregated, and why many/most can't just be ignored. Ah, fucking blockchain
catnip.

[1] - [https://ethresear.ch/t/verifiable-delay-functions-and-attacks/2365](https://ethresear.ch/t/verifiable-delay-functions-and-attacks/2365)

~~~
justindrake
ELI5 version: 100 people, one by one, (re)roll dice placed in a dark room.
After the last person lights turn on, revealing a fair random number. The
Verifiable Delay Function (VDF) ensures lights aren't turned on early.

For a video explanation of the randomness mechanism see
[https://www.youtube.com/watch?v=zqL_cMlPjOI&feature=youtu.be](https://www.youtube.com/watch?v=zqL_cMlPjOI&feature=youtu.be)

------
devin
If the solution could save hundreds of millions of dollars and is of import to
Amazon, why would anyone give it away for 100k?

~~~
mangodwango
Bingo. The absurdity of this, let’s create something that by their own
admission is worth hundreds of millions for a few thousand dollars and some
street cred. Also, VDF is probably worth much more than that if it can be
effectively done.

------
marknadal
Doesn't this assume that Blockchains are useful?

~~~
rolltiide
It is sponsored by organizations that have utility for blockchains and believe
it can have utility for others

~~~
ForHackernews
...well, Amazon just likes selling shovels to miners...

~~~
rolltiide
I'm not sure I really understand that happening in this case, the contest
seems to want people to create new hardware, so this wouldn't use Amazon
infrastructure.

It is a partial subsidy to the winner. So they aren't really selling shovels
they're paying people to develop better shovels.

~~~
wmf
Amazon wants people to create bitstreams that run on FPGAs rented from Amazon.
They're paying people to develop more demand for their shovels.

------
brighton36
Who at amazon promoted this, and does management know that this person is
promoting their investment in ethereum, using the company brand and
resources...

~~~
drexlspivey
Amazon already invested in Ethereum [https://aws.amazon.com/managed-blockchain/](https://aws.amazon.com/managed-blockchain/)

------
nnnnn11111
If there’s a reward for computing a VDF faster than everyone else, why won’t
the amount of wasted resources, in the form of e.g. human capital
dedicated to computing faster VDFs, not be equivalent to the economic waste if
the verification scheme used is proof of work? The article claims that proof
of work is costing Ethereum hundreds of millions of dollars per year, but this
VDF competition is also wasting millions of dollars in human capital to
compute a fast VDF before there’s even a running blockchain using it (ie
before there’s even a real non-synthetic incentive to break the system). Given
that we need millions of dollars of waste just to launch the system safely,
why wouldn’t we expect the wasted human capital dedicated to computing faster
vdfs to increase to hundreds of millions once an actual attackable system is
out in the wild, same as proof of work.

Moreover, it seems very unclear that wasting human capital is less
economically bad than wasting the same “value” in raw energy, particularly if a
lot of that energy is from renewable sources anyway.

~~~
justindrake
> If there’s a reward for computing a VDF faster than everyone else

There's no direct reward for being a bit faster than everyone else. If you are
much faster (say, 100x faster than the general public) then you may be able to
bias the randomness, and therefore manipulate things like lotteries built on
Ethereum.

> The article claims that proof of work is costing Ethereum hundreds of
> millions of dollars per year, but this VDF competition is also wasting
> millions of dollars in human capital

It's about orders of magnitude. Ethereum burns about $0.5B per year. The VDF
project is about $15m, and the ASIC should last about 10 years.

~~~
nnnnn11111
From what you’re saying it seems like an “incentive cliff” at 100x the power
of whatever the competition produces is being relied upon for the security of
the currency, meaning there exists a strong incentive for someone to waste
human capital computing a faster VDF if he thinks he can “hurdle” the
incentive cliff of 100x the power of whatever the competition produces.

Given the competition is only a ~$15m investment in a group of hobbyists, and
given we’ve already seen order of magnitude improvements over and over again
with proof of work in Bitcoin once the incentives are there, why is it assumed
that someone won’t mount a long range attack to break the system by
engineering a 100x faster VDF? Moreover, how does the system recover if that
were to happen?

~~~
topmonk
There is quite a difference between a steady stream of income, and some far
off reward which you may or may not be able to achieve.

Nearly anyone can do the former, but only a few have the luxury to attempt the
latter.

~~~
nnnnn11111
Modern asic farms require a lot of up-front investment in developing hardware.
All it takes is for one person to think he can hurdle the cliff and he can
raise a lot of money to do it if the reward is there, not unlike the first
group of people to raise funds to develop ASICS for Bitcoin (which were orders
of magnitude faster than the hardware available at the time). We know Bitcoin
can cope with a 100x more powerful asic coming online— can these systems cope
with a 100x more powerful VDF?

