Proof of Work Without All the Work (arxiv.org)
208 points by federicoponzi on Aug 7, 2017 | 115 comments

I think the title and abstract of this are not very clear.

I gave it a fast skim to figure out what general class of thing it actually is.

This should be compared with "proof of idle" (https://www.cs.virginia.edu/~shelat/14s-pet/2014/02/11/proof...).

It is an online scheme for resisting sybil attacks in a P2P network where nodes have cryptographic identities which works by periodically forcing all users to do proof of work within a limited time window. Peers that don't respond fast enough are banned from the system (have to create a new identity to join, which is computationally expensive).

The idea is that this gets some of the benefits of POW for sybil resistance without spending as much energy.

It doesn't, however, produce a large amount of cumulative work building up over a history. So it's not the sort of thing you'd want to use to protect the history of a ledger directly.

One of the holy grails in cryptocurrency research is figuring out a PoW alternative that provides similar security at reduced energy cost. A few other examples:

1. Bram Cohen's Proof of Space & Time: https://youtu.be/aYG0NxoG7yw; https://cyber.stanford.edu/sites/default/files/bramcohen.pdf

2. DFINITY VRF-based Threshold Relay: https://youtu.be/o8HHM18PedU (https://en.wikipedia.org/wiki/Verifiable_random_function)

3. Algorand: https://people.csail.mit.edu/nickolai/papers/gilad-algorand-...

These are some of the more interesting ones, but plenty of others.

Proof of useful work?

I.e. the problem is that hashing is wasteful. But we have demand for distributed computing.

Could the work that's being evidenced actually be performing useful computations? Perhaps by structuring a distributed computation platform that accepted standard units of compute work. Like perhaps an Erlang reduction.

Hashing is wasteful, but its redeeming quality is that it takes negligible work to validate, despite taking significant work to find values whose hashes have certain characteristics. Just hash the value produced by the worker node and make sure it conforms to the parameters. Should take microseconds.

With proof of useful work, it's probably significantly harder to find similar problem domains where the validation is fast but the useful work is laborious.
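The costly-to-find, cheap-to-check property described in the comment above, combined with the timed challenge rounds that the first comment in the thread summarizes, as an added example that is not part of the thread or the paper's own code. The peer names, the 12-bit difficulty, the 5-second window and the message layout are assumptions made for illustration.

```python
import hashlib
import os

DIFFICULTY_BITS = 12   # assumed difficulty: about 4096 hashes per solution
WINDOW_SECONDS = 5.0   # assumed response window for one challenge round


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def puzzle_hash(challenge: bytes, peer_id: bytes, nonce: int) -> bytes:
    # The challenge is a fixed 16 bytes here; the peer id is length-prefixed
    # so the hash input splits into its fields in only one way.
    msg = (challenge + len(peer_id).to_bytes(2, "big") + peer_id
           + nonce.to_bytes(8, "big"))
    return hashlib.sha256(msg).digest()


def solve(challenge: bytes, peer_id: bytes, bits: int = DIFFICULTY_BITS):
    """Brute-force the first nonce that meets the target.

    Returns (nonce, hashes_computed); the expected cost is 2**bits hashes.
    """
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, peer_id, nonce)) < bits:
        nonce += 1
    return nonce, nonce + 1


def verify(challenge: bytes, peer_id: bytes, nonce: int,
           bits: int = DIFFICULTY_BITS) -> bool:
    """Validation costs exactly one hash, whatever the difficulty."""
    return leading_zero_bits(puzzle_hash(challenge, peer_id, nonce)) >= bits


def run_round(members, responses, challenge,
              bits: int = DIFFICULTY_BITS, window: float = WINDOW_SECONDS):
    """Keep only the identities that answered this round's challenge in time.

    members:   set of peer ids currently admitted
    responses: dict peer_id -> (nonce, seconds_taken_to_answer)
    Peers that are silent, late, or wrong are dropped and would have to
    pay for a new identity to rejoin.
    """
    kept = set()
    for peer in members:
        answer = responses.get(peer)
        if answer is None:
            continue                      # silent peer
        nonce, elapsed = answer
        if elapsed > window:
            continue                      # answered after the window closed
        if verify(challenge, peer, nonce, bits):
            kept.add(peer)
    return kept


if __name__ == "__main__":
    # Constructed scenario: four identities, one fresh random challenge.
    challenge = os.urandom(16)
    stale_challenge = os.urandom(16)      # a previous round's challenge
    members = {b"alice", b"bob", b"carol", b"dave"}

    alice_nonce, alice_hashes = solve(challenge, b"alice")
    bob_nonce, _ = solve(challenge, b"bob")
    # carol replays work done against an old challenge; because the new
    # challenge is unpredictable, precomputed work almost never verifies.
    carol_nonce, _ = solve(stale_challenge, b"carol")

    responses = {
        b"alice": (alice_nonce, 2.1),     # valid and on time
        b"bob": (bob_nonce, 9.4),         # valid but too slow
        b"carol": (carol_nonce, 0.3),     # fast, but stale work
        # dave never answers
    }
    print("alice spent", alice_hashes, "hashes; each check costs 1 hash")
    print("still admitted:", sorted(run_round(members, responses, challenge)))
```
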

Maybe I'm wrong but wasn't a property of NP-hard problems that you can verify them in P time but find a solution only in >P time? (As far as we know)

NP can only verify positive solutions in P time.

Useful cryptographic problems are usually in the intersection of NP and co-NP.

Current best guess is that NP and co-NP are different.

Thus NP complete problems can't be in co-NP, and thus are probably not cryptographically useful. There's a way to make this argument a bit less vague, but it basically explains why cryptographers have stopped looking at NP complete problems.

There was a cryptosystem based on solving knapsack problems. But they had to patch problems until people stopped paying attention.


Think of the traveling salesman problem for example.

The only way to verify someone's answer is to do all of it yourself too.

You can do it by checking that the solution provided is a valid traversal of the graph, and does not touch two vertices twice. If there are N vertices, you can check in O(N) time.

It's about validating the proposed solution on being the fastest path, not if the proposed solution is a valid path.

I would dispute the assertion that hashing is wasteful. That implies it's inefficient or you're not getting something of equal value in return for what you're paying. But in PoW you spend energy and get in return the security of a global public accounting ledger, which has considerable potential social value, easily comparable to the cost of it. It should not even be surprising that such a thing has great cost, given that economics is certain of only two things - incentives matter and there's no free lunch. There's no free lunch in blockchain. (well, maybe there is, but it would take a considerable CS breakthrough).

And if you're concerned about the environment, don't worry, most of Bitcoin is secured by hydropower right now anyway, and in the foreseeable future will probably migrate to solar power (https://finance.yahoo.com/news/why-california-giving-away-el...).

It may have a lot of potential, but currently cryptocurrencies have at most as much social value as traditional currencies - which cost considerably less energy. (That's assuming they are actually used as currencies and not just as a hype and speculation vehicle)

As for energy consumption, I see no fundamental reason why mining has to stay green. If the valuation should climb high enough that renting a nuclear plant becomes profitable then someone will probably do that.

Even with hydro, the mining spends energy that could have been used for other things.

Finally, what I find most worrisome is the combination of PoW and self-adjusting difficulty. The practical effect seems to be that not just is constant energy required to maintain the system but that energy demand is also steadily growing.

I agree, but I want to break it down a little more:

Effort ->

You do a lot of hashing to try and win the 10 minute lottery by finding the magic hash that lets you make the next block.

Rewards ->

You win a block reward (or portion of one if you're pooling work with others) that has economic value.

You win transaction fees for the transaction included in the winning block.

Profitability ->

If you are generating enough hash power per your operational expenses, these rewards are profitable, even though you don't win every block.

Some may mine unprofitably because they are speculating on the future value of those rewards rather than the immediate value.

Side Effects ->

This scheme increases the security of the global ledger. Making it more viable and bolstering the value of the rewards you're getting above.

If the overall system is valuable to society, that also bolsters the value of the rewards, but also has a value to society approximately equivalent to the value of the system.

Thus, bitcoin, which does consume energy, is currently, in my opinion providing a better monetary solution at lower cost than the system it is disrupting (banks use power, employ people, etc. etc.)

The perception that it is wasteful could only come, to my mind, if one thought bitcoin was not providing value to society, or that bitcoins were going to zero in economic value.

> which has considerable potential social value, easily comparable to the cost of it.

The value is 'potential,' the cost is real.

What evidence or milestones are there to indicate this considerable potential social value panning out is increasingly more or less likely? What exactly is the social value that the average HNer could perceive firsthand, rather than some mythical "unbanked" or whatever?

How long has bitcoin been around, a decade? Has anyone put it to use in a sustainable, self-perpetuating use case that isn't a dark market or ransomware?

It's been around less than a decade and jury is still out whether it will even succeed or not yet, hence why I wrote "potential". But assuming it does prove sound and reliable over the long term, then its best value is as a hedge against governments screwing up their currency, like Venezuela and other distressed economies. There are already US dollar black markets in those places, and new cryptocurrency black markets are starting to form now too.

As for "unbanked", I don't even know why you mention it unless you're setting up a strawman to knock down. But here, let me do that for you - people who are unbanked don't have access to financial services b/c they don't have money, b/c they live somewhere that economic norms, institutions, and growth all have problems that make it hard to create wealth. Solve those problems and the banks and finserve folks will come running and those people won't be unbanked anymore. But I have yet to see a good case for how cryptocurrency in its current incarnation will solve those problems.

> Proof of useful work?

In the Bitcoin industrial space most of us are of the belief that only the marginal value of the work matters for security.

For example, if you can combine mining the Bitcoin chain and calculating ads for google, and the Bitcoin mining pays $1 and the ad crunching pays $5, then this process is really only providing $1 in security. The reason for this is that for the security of the chain we care about your lost opportunity to mine one chain vs another, which keeps you working to stay on the eventual winning chain so that you get paid that $1.

It's also inaccurate to describe mining as not useful. It makes Bitcoin secure. This is very useful, at least to those of us who use Bitcoin!

From a practical perspective the general constraints on what makes a proof of work good for a system like Bitcoin (e.g. that it must be largely optimization and approximation free and that you can randomly generate instances all with roughly equal hardness and that it be cheap to verify) broadly exclude most classes of work you'd likely call otherwise useful.

My maths isn't good enough for this yet, but I did wonder why there wasn't a popular SETIcoin

Hashing needs to be asymmetric-- expensive to produce a hash that fits the criteria but very cheap to validate that the hash fits the criteria.

This is why attempts to make scientific computation into a proof of work have been difficult-- often the validation cost is equal to the work itself.

Would this (posted earlier today on HN) be a possible candidate? https://news.ycombinator.com/item?id=14947768

Currently it's difficult to verify useful work, especially when there's incentive to spam the system with useless work disguised as useful work.


>Bitcoin is widely regarded as the first broadly successful ecash system. An oft-cited concern, though, is that mining Bitcoins wastes computational resources. Indeed, Bitcoin’s underlying mining mechanism, which we call a scratch-off puzzle (SOP), involves continuously attempting to solve computational puzzles that have no intrinsic utility. We propose a modification to Bitcoin that repurposes its mining resources to achieve a more broadly useful goal: distributed storage of archival data. We call our new scheme Permacoin. Unlike Bitcoin and its proposed alternatives, Permacoin requires clients to invest not just computational resources, but also storage. Our scheme involves an alternative scratch-off puzzle for Bitcoin based on Proofs-of-Retrievability (PORs). Successfully minting money with this SOP requires local, random access to a copy of a file. Given the competition among mining clients in Bitcoin, this modified SOP gives rise to highly decentralized file storage, thus reducing the overall waste of Bitcoin. Using a model of rational economic agents we show that our modified SOP preserves the essential properties of the original Bitcoin puzzle. We also provide parameterizations and calculations based on realistic hardware constraints to demonstrate the practicality of Permacoin as a whole.

I wonder if there's some way to do proof of location based on the latency of light.

Edit: It would clearly require some pretty complex network interactions. You can't be able to precompute a proof and send it to another place.

I'm thinking something like every node broadcasting a public key, which every other node then uses to sign an identifier and sends back. From this, you can generate local maps of the network. While nodes could collude to seem close to each other or lie and claim other nodes are far away, there's presumably some density of truth at which you can construct a reliable global map.

I was thinking of an activity called "mapping the stars". Essentially users with telescopes all around the world map as many star coordinates as they can, and create a block with such info. The next blocks do the same and so on.

Users verify the validity of the chain by making sure those stars exist at those coordinates.

It's hard for any single entity to create a copy of this chain as they would have to map all the stars themselves.

Of course the whole endeavor ends when all the stars have been mapped - but maybe there are so many that this can be viable, and more importantly, cheaper than energy consumption.

EDIT: another idea would be using supernovas, which may actually be infinite since they're constantly exploding. Similar to mapping the stars, users signal the coordinates of the found supernova. Users validate the block based on whether or not it's a supernova - I think there are specific traits which remain in the sky for a long period of time that proves whether there was a supernova there.

You can always introduce more latency artificially. So the only thing you could prove is a "no farther than" property, because you can't be farther than the speed of light, but you could be arbitrarily closer.

How could it not be gamed by introducing artificial latency?

High frequency trading?

So let's say you replace hashing with some algo that just requires a lot of memory. Wouldn't the cost just be sunk into buying a lot of ram and 'wasting' it? Ram isn't free to produce and has its own externalities.

That would not be a recurring cost unlike electricity.

To be precise, the point of PoW is not having a recurring cost, but just organizing a "decentralized lottery" where it is very unlikely that you get to verify your own (fake) transactions.

As someone commented above, there are studies on "proof of idle", but other systems have bigger drawbacks than PoW.

I'm not sure what you mean by fake transactions, but transactions are verified with public key cryptography, and a block with invalid transactions will be rejected out of hand by blockchain nodes.

There are two* major classes of attack which someone could do with the power to mint blocks at will (i.e. a 51% attack):

    - discriminatory filtering, where valid transactions are never validated
    - double spends, where a transaction appears like it's been validated for a time but is then rolled back and becomes invalid

But no one can mint transactions without private keys.

* They can also monopolize the rewards of mining, but that's not nearly as bad as the other issues.

Burstcoin has a design like this, except for hard drive space instead of RAM.

Great, so far I had only read about proof of Stake and proof of Activity

Forget using POW to secure a ledger. It's comically bad because of the wasteful arms race which now makes each transaction take as much energy as a household does in a day(!)

The reason bitcoin is so far ahead is because it was the first. Proof of work to secure the blockchain AND also elect a dictator to mine the next block is cute, but I wish they had decoupled it, as they did for example for bitcoin-ng.

What I am far, far more interested in is proof of work for avoiding sybil attacks, or used COLLABORATIVELY by nodes to secure a history, as done in Ripple for example.

So, back to sybil attacks: proof of work, can we trust it?

What are the best ways to make it expensive for an attacker to create multiple identities, yet cheap for everyone else to make one identity?

One is the cumulative time and activity invested by you and those who invited you.

For example, reputation. Maybe making accounts is cheap but reputation comes from random nodes with reputation upvoting you. But then you can spam all those nodes since they're operated by humans.

It seems we have yet to design a system that's truly impervious to sybil attacks. The best we have is tying things to a human real world transaction, eg buying a smart phone, and hoping that whoever made the smart phone also has a service to sign data (they don't) that wasn't compromised.

Any other ideas? Paying for accounts with bitcoins? That at its root is just back to the proof of work arms race and reputation of bitcoin.

Question: is there some sort of service by the Secure Enclave that can sign a piece of data with an HMAC or something to prove that it was signed on a legitimate, non-jailbroken smart device?

You would be interested in Byteball. See https://byteball.org/

Secure distributed ledger, without PoW, without PoS.

The bad side? Not 100% trust-less like blockchains, instead (number chosen by no real reason) only has to trust that majority of 12 witnesses does not collude. The witnesses should have real world identities.

Basically transforming what bitcoin has become, with few mining pools/operators deciding its fate and whom users anyway have to trust - into witnesses which can be replaced.

> Basically transforming what bitcoin has become, with few mining pools/operators deciding its fate and whom users anyway have to trust - into witnesses which can be replaced.

This is a poor analogy because colluding Bitcoin miners can never steal funds; they just stamp a chain with proof of work, while the Bitcoin P2P network verifies the stamped blocks, and rejects them if they’re invalid. In the case of Byteball, colluding witnesses can steal funds, which becomes increasingly problematic as the value of the currency increases.

With Ripple, no one can steal money. Just like with bitcoin, all transactions have to be signed by the payer at least. However, instead of POW being what selects the next miner, there's a different consensus algorithm that doesn't waste electricity. And Ripple moves more money than bitcoin per day.

I don’t dispute that. Ripple is centralized, there are dozens of centralized payment systems out there, but that’s not what Bitcoin is competing against. Creating performant, centralized payment systems is a solved problem. The question is what Ripple brings to the table that the other payment systems don’t.

Bitcoin is just as centralized now in practice. There are just a few mining pools that have the most electricity to spend. In Ripple they will eventually expand the number of main nodes way beyond what bitcoin has.

Once a transaction has been made you just need SOMEONE to confirm it for the blockchain. In bitcoin, that's the miner that happened to solve the POW. If they don't take your transaction, the next miner will. In Ripple it's effectively the same thing.

Even with Byteball the witnesses can't steal funds or generate new ones without the other full nodes noticing and rejecting the same way as other bitcoin full nodes can reject if a miner generates a 10000 coinbase reward to itself.

I don’t understand. If nodes do not accept whatever the witnesses say is the true transaction history, why are the witnesses needed in the first place?

I know that it’s not possible for a witness to fake some user's signature, and send these funds to themselves, but that’s not the attack we need to worry about. The attack we need to worry about is witnesses colluding to present a false history of transactions, such that the user’s funds (that the miners want) were never sent to that user in the first place, thus remaining the property of the coinbase owner. Since all coins originate as a coinbase, if witnesses go far enough back in time, all coins are theirs.

If new coins are distributed as block rewards, then collectively, miners will spend (nearly) the monetary value of those coins in competition to solve as many blocks as possible. In other words, any gains in marketcap will translate to increased mining efforts. Paul Sztorc has written a lot more about this in http://www.truthcoin.info/blog/pow-cheapest/

If a cryptocurrency becomes too big to fail, then it seems inevitable that nation-states and large corporations will mine it at a loss.

What interest does a government or large corporation have in cryptocurrency?

This is why cryptos as currently implemented will always be fringe and used for the most part illicitly, because as soon as they gain a wide enough currency the participants in the system will switch to a more efficient, i.e. centralized system.

If enough people use them that a government or large corp would care, those "enough people" would form a new government or become the customers of a new corp, that facilitates their transactions in a more efficient way.

...and a touch ironic that you seem to be pining for TBTF cryptos when Satoshi himself railed against the TBTF system.

I guess the build chain for complex international products (cars, smartphones) spans multiple currencies. Maybe it becomes worthwhile for Samsung, Toyota or BMW to use Bitcoins instead. Now it makes sense for them to do some mining just to secure the blockchain. The primary goal would be security not profit.

(I don't consider that scenario likely, just possible)

I see the reasoning, especially from one steeped in the coinosphere, but this one seems best classed as very unlikely.

Currency exchange is a solved problem with costs and overhead that is very likely much less than going into the "securing the blockchain" business, even as a side gig.

How much "securing" would they need to do anyway? Just a little to help them sleep at night?

Not to pick on you particularly, but in general there is so much mushiness and hand waving in the coin space about what exactly is the value proposition other than to the person selling you the coin at a profit.

If it is solar powered, I don't see how it will be mined at a loss? Power is the number one cost, and we have a free unlimited supply of it.

Tell us more about your solar power station that has no capital investment or operating cost.

"opportunity cost"

PoW wouldn't work if power was free or unlimited.

It would, just the hardware/admin/maintenance costs would dominate instead.

Sounds like the paperclip machine.

Thank you for sharing this.

For a while I’ve had a sense that “useful PoW” simply doesn’t make sense, but I was unable to explain why. This article perfectly explains why it doesn’t make sense, albeit using very econ-specific terms. I think it may be possible to explain it in simpler terms, without needing to introduce marginal revenue and cost, but I’m not sure exactly how just yet.

I'm in the process of auditing new low-power Po* algos for a crypto system I'm researching. This paper needs a way better abstract. The math is incomprehensible without knowing what its end goal is. The paper uses acronyms (ex "Good ID") before explaining what they are. Overall a poorly written paper. The work may be revolutionary, but what good is that if it's so difficult to understand. People forget that the purpose of a paper is to communicate your idea to other people. If it doesn't do that effectively then no matter how awesome the work is, you've failed.

For those who are interested in the topic: NEM uses something called proof of importance https://www.nem.io/NEM_techRef.pdf

Would this make it possible to implement a cryptocurrency that wasn't an ecological disaster?

Bitcoin mines are in western China and Oregon precisely for the abundant and cheap hydro power. That's not so bad, ecologically speaking.

Bitcoin is only as ecologically harmful as the source of the electricity used to run the miners, and it's no more harmful than any other use of electricity. If the world switches over to solar and wind as baseload power, problem solved. If the world doesn't switch away from using coal, that's not Bitcoin's fault. It's not a problem Bitcoin can solve.

> and it's no more harmful than any other use of electricity

That's a tautological statement. My 50,000 watt bulb that I shine inside a closed box is also "no more harmful than any other use of electricity," but the question is whether I should be using that electricity in the first place.

You can argue whether the "wealth" generated is worth carbon dioxide released into the atmosphere, but you can't deny that more carbon dioxide has been released because of BitCoin.

Back to my lightbulb in a box: "If the world switches over to solar and wind my 50,000 watt useless bulb's problem is solved. If the world doesn't switch away from using coal, that's not my fault. It's not a problem I can solve."

I'd love a fact-based comparison of bitcoin mining vs gold / nickel / aluminum production, in kWh spent per $1000 of value mined. I suspect bitcoin would look relatively favorably, especially if you factor in no space being taken to store the waste, and nearly no water consumed / contaminated.

Gold, nickel and aluminum aren't money, they're resources that get used to produce things in the economy. If you mine a bunch of gold in a new and efficient way you make PCBs and cable connectors cheaper to manufacture and improve life for everyone by a little bit. If you mine a bitcoin in a similarly innovative way we get nothing we didn't have before.

There is a price for a kg of raw gold, and other metals (and not only metals). There is a price for 1 raw bitcoin. Either has energy costs attached; it is quite possible to compare the (market) value created per kWh spent.

You're missing the point. Your flaw is a semantic glitch with the word "value". You're saying in this post that bitcoin has "value" in the sense of exchange, that you can trade it for other stuff. But in the previous post you were describing the "value" of natural resources, which are being created when they are produced and cause economic activity, thus making us all wealthier.

Not the same kind of value. You can mine a billion coins tomorrow and society will still be stuck with the same junk it has today. You could mine a billion tons of cobalt tomorrow and give us all nearly free batteries in perpetuity.

Absolutely not, it has been posted several times in the past the comparison with the world money and bitcoin power waste was simply outrageous compared to the world monetary base. Aluminium, nickel and gold have other real uses other than minting coins.

How about comparing it to fiat currency?

The problem with fiat currencies is that they are not normally mined, but printed.

Printing a $25 or a $100 note must be an involved process, though.

I think for any crypto to have long term (100+ year) life, it must be powered with free, or close to free energy. So solar, wind, etc.

I don't see any way around this limitation. Eventually the difficulties will be so high, and finding blocks gets harder and harder, keeping it on a traditional power source would not be prudent.

>> and it's no more harmful than any other use of electricity

> That's a tautological statement.

Sure, if you take it out of the context of the rest of my comment. But OP asked if Bitcoin would stop being an ecological disaster, and my point was that Bitcoin's ecological costs are primarily about the source of the electricity, not the amount of electricity.

Bitcoin mining uses about 170 MWe, continuously. That's really not very much in the grand picture of things. A few medium-sized fields of solar panels isn't an "ecological disaster".

> That's really not very much in the grand picture of things.

And how does that claim hold up when you compare current level cryptocurrency adoption to the scale of money worldwide?

How does energy usage scale with the number of users in general? Linearly?

> How does energy usage scale with the number of users in general?

You're confusing Bitcoin miners and Bitcoin nodes.

Bitcoin nodes verify transactions. You can run a Bitcoin node off your home PC. It doesn't use much energy.

Bitcoin miners are what use all the energy, and their energy use is driven by the size of the mining rewards not the number of users.

> Bitcoin nodes verify transactions. You can run a Bitcoin node off your home PC. It doesn't use much energy.

You basically answered a different question, because this doesn't tell me how it scales

I'm sure I'm off a little bit in my understanding, but I thought part of the idea of the whole blockchain thing was being a decentralised ledger. How does that scale if everyone is on it? Is the energy use better or worse than a centralised bank, by how much, and is it significant?

But the size of the mining rewards scales with the value of Bitcoin which roughly scales with the number of users.

It is not very much? How many tons of co2 are produced in 1 hour to get 170MWh?

As others have pointed out, bitcoin mining doesn't tend to happen in places where fossil fuels are used for electricity generation, simply because it isn't profitable to do so.

Instead it tends to gravitate fairly quickly to places that currently have a surplus of energy and therefore extremely cheap power generation.

In the US that is Washington state, near Wenatchee, where the power is the cheapest in the nation: http://www.electricitylocal.com/states/washington/wenatchee/

The reason for that price is that it is all hydro, so no co2 produced. (though depending on how fungible you view power it could be argued otherwise) http://www.wenatcheeworld.com/news/2011/jun/01/cheapest-elec...

But ya, though I agree the amount of power that goes into mining and keeping the blockchain safe is absurd, the crazy competition and economies there have driven most of that to green sources. So yay I guess?

If the power was not wasted in mining it could have been used for something useful therefore reducing the carbon footprint in other places that don't rely so heavily on hydroelectric.

Maybe. See my comment about fungibility. I don't think power transmission costs are insignificant at a distance, and I suspect if it were the case for Wenatchee, Seattle and other large urban centers would happily buy up their cheap power instead of producing their own.

If the world's economies ran on bitcoin we would need a stupendous amount of energy to keep the miners running. That energy not being spent on something else is a huge opportunity cost since many problems could be solved if there were just enough spare energy.

> If the world's economies ran on bitcoin we would need a stupendous amount of energy to keep the miners running.

You've misunderstood something about Bitcoin if you think this is true. Bitcoin miners use resources based on the logic of competing with each other for the value of the mining reward, not based on the number of transactions they process. If Bitcoin solved all its scaling problems so that everyone in the world could use Bitcoin, but mining rewards remained constant, the resources the miners expend to collect the reward wouldn't be any different from today.

I think you're underestimating the issue with attackers, if the world ran on bitcoin, attacking it becomes much more attractive, so it must indeed use more energy. It must use enough to make attacking bitcoin very unattractive.

No, sorry, that's not how Bitcoin works either. If the whole world used Bitcoin and the market cap of Bitcoin was over a trillion dollars, a 51% attacker could still only double-spend its own transactions. As long as public key crypto is secure, you cannot just re-write arbitrary Bitcoin balances into your own wallet even if you had 100% of the mining power. Therefore the incentive to attack Bitcoin is only as big as your own Bitcoin holdings, not the value of the entire market cap.

>> Therefore the incentive to attack Bitcoin is only as big as your own Bitcoin holdings, not the value of the entire market cap.

That's not quite true though is it? They could certainly (for instance) block transactions and generally hold the whole thing to ransom.

You're right, it doesn't have the financial incentive that you could (for instance) steal coin, but you could potentially block all transactions that don't have a considerable fee, for you, or just break stuff. Motives to do that will become more pressing the higher value the network is to nation states.

It is already attractive enough for all the hackers in the world to try. And they do. The underlying technology is secure.

As it grows it becomes more attractive for more powerful and richer actors, and even state actors.

Bitcoin uses a fixed amount of energy correlated to the number of miners and their hash capacity.

As more miners join, more power is used. But at the same time, miners could be removed, and hash capacity lowered, and the number of transactions per hour would be still the same.

So: energy used: number of miners. Transaction capacity: block size.

Both things are orthogonal. One number is independent of the other.

Right now the protocol is being updated to increase transactions per hour, and this has little to do with the number of miners.

To resume: if the world's economies ran on Bitcoin, because of some big transaction capacity increase, then the energy used would be about the same, because miners would be about the same.

Energy use in Bitcoin has no correlation with number of transactions processed.

There is enough spare energy! An infinite supply a few millions of miles away.

The sun has no infinite supply of energy.

Solar Bitcoin mining has already decreased the sun's brightness by ~2 lumens

>> If the world's economies ran on bitcoin we would need a stupendous amount of energy to keep the miners running.

And we'd have to, to keep bad actors from doing similar. It's a terrible idea!

I know this place is crawling with cryptocurrency fanboys, but this is a serious issue for many sceptics.

Regardless of whether you think that criticism is valid, downvoting anyone who asks questions about how to address this does not help make their scepticism go away.

Ethereum is planning to switch to Proof of Stake in the coming years: https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQ

There are some coins (NEO/AntShares for example) that are opting for DBFT-style governance -- https://themerkle.com/what-is-delegated-byzantine-fault-tole...

Mmmm... good luck

There's more than one Proof of Stake cryptocurrency, and Ethereum does want to go PoS sometime.

PoS have been around for 3 (maybe 4?) years by now.

Proof of Stake is quite genius in the politics of it, and the power needed to run is minimal (you still need to keep your hardware powered on)

Can you give a short summary of how PoS works?

Not a personal summary, but this is Ethereum's FAQ:


So... the more Ether you lock up, the more Ether you stand to gain; sort of like having a higher chance of winning the lottery if you buy a lot of tickets?

First, please show that cryptocurrency is an ecological "disaster" in the first place.

Next, please explain how crypto is more of a disaster than the existing monetary system. Does the cryptocurrency mining economy pose more of an ecological threat than the system put in place to secure government fiat money: buildings, employees, vaults, mints, printing presses, armored vehicles, police, (some part of) the military, etc?

https://en.wikipedia.org/wiki/Stellar_(payment_network) is a decentralized currency that already isn't the "ecological disaster" that Bitcoin is.

Byteball is such a cryptocurrency. There is no Proof-of-Work, or Proof-of-Stake.

probably not.

There's ecological disaster regardless of mining, I haven't done any math on the issue but I believe mining waste is a very small part of the overall pollution in the world.

We must develop technology to clean our planet regardless of mining waste. Given this and the fact that energy is becoming cleaner by the year I think worrying about mining waste is not rational

> I haven't done any math on the issue but I believe

This is not the kind of discussion where assertion by belief has any place, on either side of the discussion.

What we need is solid estimates of how this technology currently scales, how it might improve, and how it compares to existing electronic currency, and physical cash (taking into account things like embodied energy of coins).

There is something thoroughly logical about this approach to the unfortunate waste implicit in Proof of Work (PoW) schemes.

In summary of the motivations of the paper: PoW is currently limited to cryptocurrencies as a security system because of the implicit financial incentive in mining coins. This approach could allow PoW schemes to be widely adopted to secure systems as the overhead is lowered dramatically. Additionally, battery powered devices (i.e. phones) could make use of PoW without incurring large battery drains. This last bit is particularly interesting and could allow some interesting, distributed P2P systems on cellphones to arise.

The general principle of the paper revolves around asking network members to prove computational power only as much as necessary as the network scales. Because an attacker could easily spoof their MAC / IP address when joining the network, computational tests are periodically distributed to network members. If the test is unsolved in an allotted time period, their network membership is revoked (and the node is blacklisted). The attack referred to in the paper is an attacker adding bad (fake or otherwise) nodes to a system rapidly.

“Consequently, if the network is attacked, our scheme guarantees security, with algorithmic costs that are commensurate with the cost of the attacker. Conversely, in the absence of attack, algorithmic costs are small.”

Hope it works.

Well, in theory, you could simply alter the number of 0's required for any particular proof. Under attack? More 0's required in the hash. Not under attack? No 0's required.

Determining if you're under attack would seem to be the harder part.
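The periodic-test scheme summarized a few comments up and the adjustable number of zeros suggested in the reply above, sketched as an added example that is not part of the thread and is not the paper's construction. The function names, the join-count heuristic in `pick_difficulty` and all thresholds are assumptions made for illustration.

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits before the first 1 bit of the digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def _digest(identity: bytes, challenge: bytes, nonce: int) -> bytes:
    # Length-prefix the identity and fix the nonce width so the fields cannot
    # be re-split; binding identity and round challenge means an answer cannot
    # be reused by another identity or precomputed before the round starts.
    msg = len(identity).to_bytes(2, "big") + identity + challenge + nonce.to_bytes(8, "big")
    return hashlib.sha256(msg).digest()

def solve(identity: bytes, challenge: bytes, difficulty: int) -> int:
    """Member side: brute force, about 2**difficulty hashes on average."""
    nonce = 0
    while leading_zero_bits(_digest(identity, challenge, nonce)) < difficulty:
        nonce += 1
    return nonce

def verify(identity: bytes, challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Verifier side: a single hash, whatever the difficulty."""
    return leading_zero_bits(_digest(identity, challenge, nonce)) >= difficulty

def pick_difficulty(recent_joins: int, base: int = 4, under_attack: int = 14,
                    threshold: int = 10) -> int:
    # Assumed stand-in for "are we under attack?": a burst of new identities
    # raises the required zero bits. Thresholds are constructed values.
    return under_attack if recent_joins > threshold else base

def purge_round(members, responses, challenge, difficulty, deadline):
    """responses maps identity -> (nonce, answered_at). Members with no answer,
    a late answer or an invalid answer lose their membership."""
    kept, revoked = set(), set()
    for ident in members:
        answer = responses.get(ident)
        ok = (answer is not None and answer[1] <= deadline
              and verify(ident, challenge, answer[0], difficulty))
        (kept if ok else revoked).add(ident)
    return kept, revoked
```

Each extra zero bit doubles the expected solving cost while verification stays at one hash, which is why the difficulty can be left low when few identities are joining.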

The network will be under attack constantly.

Blockchain tech has a lot of potential uses outside of currency. In those fields, the likelihood of a constant foreverwar amongst the contributors is way lower.

Also, providing a sliding cost on the network might make the miners agree it's more cost effective to step back from this breakneck energy-use-maximization game they're playing.

So now we have click-baity academic papers? Can someone summarize to me the genius behind the idea? Because as far as my math goes, it is not theoretically possible.

> So now we have click-baity academic papers?

As academic paper titles go this is pretty normal.

> Can someone summarize to me the genius behind the idea?

I'm reading quickly, but I think the idea is that the reason we need proof-of-work is to prevent Sybil attacks, that is, a single entity pretending to be 50% of the network via spoofed identities. So you have a concept of persistent identity for each (apparent) member of the network, and you require nodes to solve a computational problem when they join the network and also periodically while they're in the network. This puts relatively little computational load on each participant, but puts a lot of load on a long-term attacker, and even more work on a short-term attacker who's trying to claim a bunch of identities in a hurry.

I'm not sure how much this actually helps Bitcoin, since my impression is that the computational load is what's needed to match the abilities of the legitimate members of the network. I guess the trick is that maybe you can make the block-mining difficulty scale up less aggressively over time, but I'm not following that logic yet.

Thinking harder I guess the only reason that mining difficulty is so competitive is that there's a reward for mining, given to just the miner, so the arms race is profitable (much as, say, the arms race for microsecond-level tech improvements is profitable to HFT because even if two algorithms make the same decision only one gets the purchase in first).

So if you get rid of that, and maybe add a nominal "reward" for solving the puzzles to remain in the network and give it to all participants, the incentive to build giant mining farms goes away: the only reason to have additional computational power is either to keep up with the network as a whole (not the fastest person in the network) or to actually gain 50% of computational power.

When I read this: "This shortcoming is highlighted by recent studies showing that PoW is highly inefficient with respect to operating cost and ecological footprint." The moment we try and do away with this inefficiency we are going against the entire solution of what bitcoin was going for: how to use all of the inefficient computer parts laying around the globe for something useful?

It makes me think people just don't get it. High inefficiency is the _ENTIRE_ point! It gives rarity to the coin. That 10 minute block time is the same as compressing millions of years of geology into 600 seconds. It is fundamentally sound mathematics, and ultimately, that is why it holds its value. It is not meaningless mathematics, people who say that don't understand fully as to what they are talking about, imho.

You're misinterpreting what people mean by "inefficient" in this context.

The bitcoin mining ASICs are extremely efficient at mining bitcoins. You can't mine them with an old GPU and expect to make back more money than you spent on electricity.

But the choice to mine bitcoins at all is (arguably) an inefficient use of resources that could have been used for pretty much anything else. There's no shortage of useful problems to be worked on by supercomputers and the world would be better off if we did that instead of mining cryptocurrencies. But the economic incentives aren't there.

EDIT: Reading your comment again, I think I was a bit quick on the "you're wrong" here. So to clarify, I do agree that inefficiency is at the core of the bitcoin mining ecosystem, but it's all about the "we have to spend a bunch of energy that could've done a lot of other things" inefficiency, not an individual "we can use old hardware for this" sort.

When you look at it from that angle, Bitcoin becomes a very interesting hack on economic incentives (and how they don't always map to useful real-world activity)

Whether you think Bitcoin mining has real-world utility or not depends entirely on whether you think Bitcoin has real-world utility or not.

Without Bitcoin mining, there is no Bitcoin.

Certainly, but whether you think bitcoin has any real-world utility, bitcoin-mining certainly has economic incentives.

> how to use all of the inefficient computer parts laying around the globe for something useful?

How do you reconcile this statement with the fact that mining is done by a few thousand entities in the whole world, using custom-built hardware?
