Hacker News new | past | comments | ask | show | jobs | submit login
Minimum Viable Block Chain (igvita.com)
335 points by vikrum on May 5, 2014 | hide | past | web | favorite | 73 comments

I like that this actually covers why each piece is needed.

My only beef with this system is the proof of work, which leads to an arms race in electricity consumption. Proof of stake is better, and frankly, distributed timestamps don't need a race to solve a problem every time something has to be timestamped.

For currency, it would actually be nicer to have a system that treats trust/credit/reputation as the scarce resource. It would help people who aren't rich in the traditional sense nevertheless organize and help each other, and would allow people to "create their own currency" in communities, or the equivalent of that, that they aren't able to do now.

I'm familiar with proof of work and how it works within a blockchain to secure blocks.

I keep hearing about prof of stake. I'm very interested in it, however I haven't found an explanation that clearly explains to me how it works. I've looked at the Wiki article and read a little about Peercoin. Do you know of any article, video or source that may help explain exactly how proof of stake works?

If you haven't read the peercoin whitepaper[1], it may get you a bit closer to an understanding. That being said, I still don't have a solid grasp of exactly how coins destroyed results in solving blocks...

[1] http://www.peercoin.net/whitepaper

Thank you! I can't believe I missed it and didn't think to check for a white paper for this. Especially since that's what really cleared up bitcoin's proof of work blockchain to me.

proof of stake was first proposed in 2011 on bitcointalk, the go-to reference for everything bitcoin/altcoin.




If any coins make it you can see at watching the marketcap of the coins at http://coinmarketcap.com

Awesome, thanks for the links.

Thanks I appreciate it. Off to read it now.

> Proof of stake is better,

It sounds like it should be, but it isn't, lacking PoW, there's no reason not to create many possible blocks and without central check-pointing the whole thing falls apart. The problem with proof of stake is that nothing is at stake.

No. That is not a problem. Please read about the Slasher proof of stake algorithm. It is very easy to punish the creator of many possible blocks. People always use this nonesense phrase that "with proof of stake nothing is at stake". That is no problem. If the protocol allows that your mining profit is taken away and given to the next honest stakeholder then why do you say that it is a problem that nothing is at stake.

Yes it is a problem and last I checked, there's still no working PoS implementation that doesn't rely on central check-pointing. "Slasher" is an idea (likely full of unforeseen issues), not an implementation and until there's a working implementation that doesn't rely on central check-pointing, PoS is vapor-ware.

No, it's very easy to convince yourself that these problems are solved when they in fact are not. I have not seen any proof-of-stake mechanism which does not either require centralization (despite claims to the contrary), or devolve into proof-of-work as miners grind blocks until they find one that names themselves or one of their sock puppets as the next signer.

that part of the problem is partially solved. not every node has to "mine" all blocks. in fact in PoS there's no mining at all. the big problem is that you create all coins at genesis. there are a bunch of proposals and work in this direction.

i agree about the arms race, however block reward halving will diminish electricity requirements in a stepwise fashion and lessen the impact of this problem over time

Excellent read. This is not for a general audience, but helped me get a nicer grasp on the fundamentals technology than I had before without getting too particular in the under the hood stuff.

The "blocks are never final" idea is what I believe has led to some of the proposed 51% attacks on the bitcoin network.

Question: Does proof of work have to be a near 'lottery' system? Obviously it needs to be asymmetric, but are there other good options than hash collision?

Wikipedia has a nice list of various proof-of-work functions: https://en.wikipedia.org/wiki/Proof-of-work_system#List_of_p...

As for "lottery", I believe the answer is yes and no. The basic point is to raise the cost of "faking" a confirmation, and how you do that is completely up to you - e.g. captchas are a great example! That said, the random part of the non-deterministic process provides a lot of really nice properties for a distributed system - fairness claims, etc. That said, this is a deep topic (with lots of caveats) in its own right.

The described proof-of-work system is known as hashcash http://www.hashcash.org/docs/hashcash.html which asks for a partial preimage of a hash function.

There are indeed other proof-of-work algorithms. Probably the first one is Primecoin, which asks for a Cunningham chain of prime-numbers.

My own Cuckoo Cycle, asking for a cycle in a huge graph, is another example, in which a single proof attempt takes hundreds of MB of memory, but verification is instant and takes no memory.

At scale, some of the distributed problems are asymmetrical. When they're doing the protein folding stuff or checking for pharmaceutical activity in simulated drugs, it's much easier to confirm a hit than it is to find one... but the reason those are distributed is because they are such incredibly difficult problems.

It has to be trivial to verify yet really really hard to solve in the first place. Hash collisions has the added benefit of allowing variable difficulty

Or on the more detailed cryptocurrency wiki: https://en.bitcoin.it/wiki/Proof_of_work

There are even alternatives to PoW for obtaining consensus such as Proof of Stake which doesn't consume much CPU power in theory.

The author seems to have mildly misunderstood the technicalities of hashcash-like systems.

They seem to have thought that the hex representation of the hash matters when mining, when really we're talking about large integers. If you just do the former "look for a hash with two 0 at the start", you end up with almost no granularity in the difficulty needed. You end up in the situation where 0000 is too easy, but 00000 is too hard. Bitcoin uses integers, and can therefor adjust the target difficulty down to an arbitrary number of digits if required.

Seems to be a common misconception when people have been told a simplified version of what is going on.

Technically, you could say that you're looking for an hash with N zero bits at the beginning. But yes, a lot of people seem to think that you're looking for N zero bytes instead.

Even granularity of 1 bit is too big. It is 2x increase or decrease in difficulty while the actual hashing rate grows by 10-20% every 2 weeks even during today's crazy time of land grabbing.

The article fails to mention that while separation of a blockchain from the currency is technically possible, in reality a blockchain without associated currency won't work as nobody's going to spend their CPU time maintaining it without getting something (money) in return.

This isn't actually true. In theory a blockchain could be maintained by interested parties only. For example, if an honest blockchain solved a problem of great importance to me (value = x) and even by putting a small amount of work (value < x) into mining the blockchain I could protect myself (say withdraw from action during double action attacks) then you can create a system where many people are mining, making the entire blockchain more secure each while guarding their own interests.

The closest analogy would be people setting up water sprinklers in their home. Sure it helps keep the whole town safe, but the reason they do it is for their own protection.

Similarly, in theory there are some other blockchain applications that give each miner a gain just from mining. For example, imagine that scientific communities around the world built a blockchain that checked folded proteins for applications in medicine. In order to compactly represent this they use a proof of work algorithm that solves these protein problems. The blockchain allows them to quickly share paths that do (or do not!) bear fruit in a specific direction, but it also coordinates search efforts along various veins of discovery.

These are just two examples I thought of in the span of 5 minutes, I'm sure there are countless ways of using blockchains, PoW algorithms, and cryptographic techniques for communication, synchronization, and commerce.

For example, if an honest blockchain solved a problem of great importance to me (value = x) and even by putting a small amount of work (value < x) into mining the blockchain I could protect myself (say withdraw from action during double action attacks) then you can create a system where many people are mining, making the entire blockchain more secure each while guarding their own interests.

Wouldn't a rational actor free ride instead of mining? Also, the total hash rate needs to be high enough to prevent 51% attacks, so there's no guarantee that your cost of mining would be smaller than your benefit. A blockchain that doesn't pay miners seems to have an equilibrium where trolls 51% it into oblivion (as has already happened with some scamcoins AFAIK).

The 51% attack isn't a global problem, just a bitcoin problem due to it being a currency. There are other blockchain uses that do not suffer from it.

How so? With 51% of hashing power you can essentially rewrite the block chain to say whatever you want. What possible use could you have for a block chain that is not accurate and controlled by a single entity?

No you can't. With 51% hashing power you can exclude/remove transactions at will, and nothing more. You cannot forge transactions.

Actually yes you can.

If you have > 51% hashing power for a long period of time then you could theoretically choose an arbitrary block some time in the past (the further back you go the more difficult and time consuming it will be) and begin mining from that block. Including (or making up) whatever transactions you want as you go. Eventually you will have a longer chain than the "main" block and unless manual intervention is made you will orphan all of the other blocks and be able to rewrite history.

Dylan16807 is correct. You can't forge transactions. You can create an alternative history, but each transaction still requires holding the necessary private key to sign the transaction. If you're trying to make up new transactions out of whole cloth, you can only do so if they're transactions that you could have otherwise legitimately created.

What the 51% attack lets you do is remove transactions, which lets you double-spend. And of course there may be other benefits too. For example, if someone is using the blockchain for purposes other than sending money to people (e.g. notarizing a document, proxy transactions that represent movement of physical goods, etc) then removing transactions may be beneficial without double-spending.

You (and Dylan) are spot on, thanks for taking the time to correct me.

do you know if it's possible to compensate miners beyond offering them a digital currency? could they, for instance, demand a higher transaction fee? just wondering what happens to the system when we hit 21M bitcoins, and if there are other ways of preserving the blockchain. thanks!

Higher transaction fees is one of the ways that blockminers will be compensated. There are other possible solutions as well, depending on protocol changes to Bitcoin, or crypto-currencies in general.

if miners charge higher transaction fees, doesn't this negate one of the benefits over centralized systems like MC and visa that charge high (2% - 3%) fees on each transaction? that's not to say this neutralizes other benefits of bitcoin, just that applications like microtransactions are not viable? not trying to attack bitcoin, just trying to understand the true benefits and applications.

The article has a whole section on transaction fees, but non-monetary blockchains do tend to raise the question of what currency fees should be paid in and how they can be paid securely.

Excellent write-up, but having taken Corporate Accounting courses the "triple-entry bookkeeping" moniker tripped me up a bit - it's an inaccurate metaphor (see http://en.wikipedia.org/wiki/Double-entry_bookkeeping_system to understand why).

Curious, could you elaborate? The wiki page is long, not sure what I'm looking for... It seems like "triple-entry" is often used alongside "momentum accounting", but its not clear to me why they are conflated. Disclaimer: I'm no accountant, so the simple terms are good. :)

In the OP, double-entry accounting is taken to mean that the two parties to a transaction each keep a record of it (and by extension triple-entry accounting is if three parties keep a record of it). This is a mis-use of the term "double-entry accounting" to mean "two-party recordkeeping".

Double-entry accounting means that for each transaction, there will be two (sometimes more) entries in the ledger (set of accounts) - one on the "credit" side, and one on the "debit" side. For example, when you withdraw $100 from your bank account, from the bank's perspective it is crediting an Asset (Cash) and debiting a Liability (Customer Accounts), so a credit entry of $100 would go into the Cash "account" and a debit entry of $100 would go into the Customer Accounts "account".

Triple-entry accounting implies that a third entry would go... somewhere else in the ledger; but OP isn't describing a classic set-of-accounts ledger.

double-entry means the transaction cancels out at both ends. The result is a transaction of 0. Triple-entry is meaningless.

atm-withdrawal + cash $100 - bankaccount $100

fyi comrade your hellbanned

Uhh, I was just trying to let comrade1 know that all of his comments were appearing dead. It seems to have been fixed now though.

I guess that is somehow deserving of downvotes...

Triple-entry is the technical term for this type of book keeping.

For handling distributed convergence in an entirely trusted space, take a look at Vector Clocks https://en.wikipedia.org/wiki/Vector_clock

Blockchains build off the general concept by introducing proof of work and consistent design to handle forks (longest blockchain wins)

Note that blockchain is more than a currency, but it must contain a collectible within itself in order to be. New blocks will appear and will be backed by the maximum computing power only if miners are competing for the rare collectible that exists within the blockchain. Such collectible must tend to become a universally accepted money (i.e. most marketable commodity) to guarantee maximum amount of CPU time. If that collectible is too inflationary or sucks at something (poorly transferrable, or poorly divisible), then the entire blockchain is at risk. In other words, if there could be a long-term viable and secure blockchain, there will only be one. Everything else will be insecure and fall victim of the law of opportunity cost.

See also: http://blog.oleganza.com/post/54121516413/the-universe-wants...

i'm new to bitcoin, so forgive me if this is a silly question. is it possible to compensate miners in another way beyond offering a rare collectible?

Blockchain is a decentralized consensus. It must contain all information relevant to determining consensus in itself, so every node can have all the data necessary to determine which chain is the main chain. That's why any incentive to maintain the chain must be produced by the chain itself. You can't peg the reward to a USD bank account, or a Facebook stock, or some Folding@Home tasks. They exist outside of the chain and thus can't be trusted/verified by every peer.

So you need to create some incentive in form of a valuable reward that is purely informational, can be verified independently by anyone, contains all necessary information in the blockchain and does not consume enormous amount of bandwidth/time/energy in order to be verified. This could only be a fungible cryptographic token and this token must be rare. This does not guarantee that it will be valuable, but fungibility and scarcity are necessary to start with.

This token must be created in a way that can't be counterfeited and can be independently verified using only the blockchain data (because one can only trust what's in the blockchain). So far it was proof-of-work that provided scarcity. I don't think there is a drastically different way to solve this problem.

so higher miner fees would not be a viable incentive? thanks for the information, very helpful in understanding blockchains better.

given your analysis, how will miners be compensated once we hit 21M bitcoins? others have asserted higher miner fees. if they are right, this seems to negate one of bitcoin's supposed benefits -- negligible transaction fees -- precluding certain applications like microtransactions.

not attacking bitcoin, just trying to understand its true applications.

thanks for your help!

> so higher miner fees would not be a viable incentive?

Miner fees are irrelevant if one does not have the coins to begin with. The chain will be maintained by competing miners only if they are incentivized with initial distribution of a limited supply of units. If all units belong to just one guy, then why anyone should mine anything? If you need coins, you can just buy them from him. But why would they have any value then?

> how will miners be compensated once we hit 21M bitcoins?

We will never "hit" 21M bitcoins. We will slowly approach lower and lower inflation until it becomes zero. But we will notice how miners receive bigger and bigger portion of income from the fees. There will be more demand for on-chain transactions which will increase competition among users and fees will go up. To increase income, miners will be eager to increase the block size limit thus allowing more throughput and as a side effect making fees stabilize at some level. The process will be slow that no one will be shocked by the adjustment of the reward. At the same time, all known events of the future are already priced in. Miners already know that in 3 years they will have 2x smaller reward.

Think of the process this way: miners want to maximize their revenue, users want to minimize their costs. If on-blockchain transactions become too expensive, users will use some clearing houses thus depriving miners from extra fees. Therefore miners will be eager to process more transactions at the current or slightly lower prices to collect those fees. But by allowing more transactions, they reduce competition between users thus preventing the fees from growing further. The system will stabilize at an intersection of 1) affordable bandwidth for miners (so they do not lose too much money on side blocks), 2) optimal fees for users to pay and miners to earn. If bandwidth/CPU is infinite, miners would collect trillions of transactions costing a 0.0001 of a penny and users would enjoy microtransactions right on the blockchain. But we have some real-world limitations that shift equilibrium somewhere to lower throughput and higher fees.

See also: 1) http://blog.oleganza.com/post/43677417318/economics-of-block... 2) http://blog.oleganza.com/post/43849158813/this-is-how-block-...

Finally an analogy-based explanation of cryptocurrencies/blockchains that I read all the way through!

Two questions: Currently, bitcoin transactions don't have any transaction fees. In this case, where are these 'mined' coins coming from? Is it by adding a transaction from 'the ether' to the miner?

Also, if there are transaction fees but the person who verifies the block adds their own fee to the block, what's stopping them from verifying that Alice and Bob have offered the miner a transaction fee of 100 BTC instead of 1 BTC?

Yes, the first transaction of a block is allowed to "overspend" by up to the subsidy amount, currently 25btc. Obviously the miners pay these newly minted coins to themselves.

Why the downvotes? What I wrote is correct:


Alice or Bob have to sign the fee (in addition to the rest of their transaction) with their private key in order for the miner to spend it later.

Many Bitcoin transactions do pay fees today because miners are deprioritizing no-fee transactions. But yes, each block contains a coinbase[1] transaction that creates 25 BTC out of nowhere.

[1] No relation to the company of the same name.

Somewhat related: The size of a chain will be constantly growing, right? How fast, and will it be a problem?

It's already a problem. Bitcoin is around 20GB right now - it means you can't have a full bitcoin client on a cheap USB key anymore. (A common security recommendation to avoid hacks.)

If you have more than one currency installed on your computer you might use 100GB or more for them. It fits, but it's starting to become a significant % of a typical hard disk. (Although presumably people with lots of wallets are not typical and have larger disks.)

If you're storing the entire blockchain on a USB key to "avoid hacks", you're doing it wrong.

An offline live-CD or USB key has no need to store the entire blockchain if you just want to store coins and keep them safe.

How would you initiate any transactions from your live-key if you don't have the client installed? And the client needs the entire block chain.

(I'm aware of light clients that work with a server, but that's not the standard.)

You can store the wallet cold on a usb key, certainly, but that's not the use case here. The use case here is a usb-key you boot ONLY for bitcoin, and nothing else. No web browser, no nothing, just the bitcoin client.

This is recommended if you are on windows, or if you aren't certain you can secure your computer (most people can't).

You can get by just fine with a client that stores the root hash of each block and part/all of the blocks where it sent or received money, ignoring all other blocks. You won't be able to fully verify old transactions but you'll be able send and receive.

Whether someone has coded such a client I don't know, but it's not a difficult problem, and does not require a server.

You certainly can have it on a cheap USB key.

PNY has a 32gb usb key for $13 (about 0.029btc).

For how long? The blockchain is growing at something like 2GB per month - and getting faster.

It depends on what the chain is storing and whether there is value in archiving the full history.

There are really two parts to the Blockchain:

1. Header, which includes the hash of the contents and other metadata like the previous node in the chain, etc.

2. Contents, which is what the miner chose to validate when the block was mined. In Bitcoin, this includes a set of transactions (a step from a graph of inputs and outputs).

The contents could potentially be pruned by only keeping track of unspent transaction outputs, but this removes the ability to validating the headers (ie. hashing all the transactions to check if the header metadata matches) except for the fact that there are other headers on top of it.

The set of blockchain headers will continue to grow, unless there is a new genesis blockā€”this is like a forced snapshot of the current state of the relevant content of the network. In Bitcoin, it would include all the current unspent transaction inputs.

There are several blockchain technologies like Mastercoin which attempt to completely decouple the notion of a content specification from the blockchain headers themselves. That means you could conceivably send all kinds of garbage that would get happily signed by the miner but the contents would be ignored by any client that is not interested in it.

(Disclaimer: This is written off the top of my head and I gotta run, so it may be somewhat inaccurate.)

Yes, it will be. The rate itself obviously depends on number of transactions and amount of data per transaction.. Both of those are specific to your implementation.

That said, as a reference, a Bitcoin transaction today is anywhere between ~160~1000 bytes, and the full block chain is on the order of tens of GBs. Is that a problem? It can be. To address this, Bitcoin uses Merkle trees and "Simple Payment Verification" (SPV) -- worth looking into, if you're interested.. long discussion on its own. I'll just note that SPV changes what you can say about integrity/security of the transaction.

Do implementations such as BitMessage avoid this problem by setting a finite "life" of messages in the network? I believe after about two days messages expire.

Bitmessage does not use a blockchain. Rather, every peer receives an encrypted copy of every recent message, then attempts to decrypt it. Messages not intended for a specific peer are deleted from its memory after 2.5 days. This does mean that storage is proportional to message rate, rather than total number of messages, essentially solving the storage problem until someone with a lot of resources decides to flood the network with a high rate.

It's definitely not a problem right now. With the current block size limit (and blocks are currently filled less than 50%), it will take at least 20 years to surpass 1 terabyte.

Bitcoin has to become much, much more successful (think hundreds of millions of users) for the blockchain size to ever become a problem.

> The critical property of the above workflow is that the output of the cryptographic hash function (SHA-256 in this case) is completely different every time we modify the input: the hash value of the previous attempt does not tell us anything about what the hash value of the next attempt when we increment our counter - i.e. its a non-deterministic algorithm.

It's a fully-deterministic algorithm. It would be quite useless if it were not. I believe what the author is trying to say is that it's not predictable.

I propose that someone create a proof-of-work system that creates a distributed auction of the computing power of the miners. This has the twin benefits of not wasting electricity on doing useless hashes, and of providing a backing for the value of the created currency (because the currency can be used to purchase computing power from miners). A standardized NP-complete problem formulation could be used.

I haven't worked out exactly how to do this (specifically: if the problems posed to the miners are not random, what is to prevent a miner from posing a problem to which they already know the answer?), it's just an idea.

more rumination at https://en.bitcoin.it/wiki/Intrinsic_worth_brainstorming#pse...

As much as I hate the concept of "trusted computing" I believe it could help with Sybil attacks. http://en.wikipedia.org/wiki/Trusted_Computing#Endorsement_k...

Then you have other problems as described in Vinge's Rainbows End. http://vrinimi.org/front9uns.jpg http://vrinimi.org/back9rev.jpg

Except that now the power is in the hands of the manufacturer, who can now execute Sybil attacks.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact