In attendance: Zooko (scribe), Glenn Willen, Dcoder, Brian

Zooko says that Bitcoin is doomed to mining centralization. He claims that any pure-PoW system is so doomed, even with non-outsourceable mining (a la Amiller's recent paper and Emin Gun Sirer's recent blog post), because capital costs of mining are high and marginal operating costs (power and cooling) are low. Glenn says, in support of that claim, that ghash.io has about 25% of Bitcoin's mining power in its own physical control. Zooko says, yeah, even if Bitcoin had been non-outsourceable from the beginning, Ghash.io would still be halfway to Dominant Miner by now, so non-outsourceable only *slows* the process of centralization.

Hypothesis: low or no capital cost and high marginal operating costs would solve the problem of mining centralization. Why? Zooko has trouble articulating why he thinks this. It has to do with the idea that you can't establish an *incumbent position* that gives you an advantage over a newcomer. There's no barrier to entry. Does that slow or even prevent the process of mining centralization? Glenn pointed out that with the current Bitcoin Proof-of-Work system expected returns on mining are being pushed close to or even below 0. So, shouldn't *that* have the same effect as Zooko's claimed effect of high marginal operating costs? Zooko thinks it doesn't have the same effect, but has trouble articulating why. Something about the investment and commitment of buying/building hardware for PoW mining.

Zooko's "Pay-To-Mine" idea is a way to make marginal operating costs high and capital investment costs 0. It is similar to or perhaps identical to some variants of "Proof-of-Stake" (but "Proof-of-Stake" is an inaccurate name for it), and Zooko hasn't been able to figure out how to make it actually secure. He brought some proposals to Amiller, who explained challenge scenarios that Zooko's proposals couldn't handle.

We talked for a bit about the problems of Pay-To-Mine. Basically, if some miners controlling an aggregate amount of resource, X, attest that you can rely on a given transaction because they bless it as being the first/only transaction that spends the money, then how can you know whether, after you decide to rely on that, a new, bigger coalition controlling a greater amount of resource, Y, will arrive and reverse it, saying that the transaction is the loser in a double-spend? Zooko claims that Proof-of-Work systems have an analogous problem, as Ben Laurie has argued (http://www.links.org/files/decentralised-currencies.pdf). (I.e. that the word "resource" in the previous description could mean either hash-power or pay-to-mine money.)
Zooko uses the example of The Alien Miner, who appears, wielding vastly more hashpower than all of humanity combined.

Then we went back to the topic of whether Pay-To-Mine, if it *could* be made secure, would achieve anti-centralization. Here's the argument for why it could:

Because of The Sybil Problem, our system can't distinguish between a giant miner who controls 51% of all the resource (whether that resource is proof-of-work-power or money with which to pay-to-mine, either way), and millions of small players who collectively control 51%. "The Sybil Problem" is the problem that no open system can distinguish between those two situations — a big player can, if it is advantageous to them, choose to appear as a lot of small players, or else to appear as a single big player, or any combination thereof.

So, our approach is that we aren't going to attempt to distinguish between big players and lots of small players, but we're going to offer a mining operation which is *unattractive* to the big player but attractive to the small player.

There are two ways that we can financially engineer an offering to be attractive to small players but not big players. One is that the reward from mining could be low expected return and extremely low or no variance. Suppose you have to invest your money for 28 days in order to mine, and at the end of it you get 1.00002X your investment back, with no variance. (Zooko got this number by looking at the most recent auction price of 28-day T-bills.) Then, according to this theory, people who have only a little money, like $1000 worth, might *store* it into cryptocurrency mining because it is safe, and getting $1000.02 back is better than what your local bank would give you. Whereas people who have a lot of money might find a more attractive investment that has a higher expected return.

Brian said, what would we have to do to *guarantee* that there is a better use of money for the rich people?
What characteristic of the economy is this, that you can find more profitable uses for your money? Zooko said, well I had been assuming that the economy will provide it for us. But, now that you ask, what *would* we have to do…

Then Zooko remembered another of Amiller's crazy ideas: lotteries! So, the idea is, we can have two kinds of mining, one that has extremely low variance, and pays an extremely low return, as described above, and a second kind that is the "lottery", which has high variance (thus excluding poor people from being able to play it very much, because of "gambler's ruin", where you go bankrupt and have to stop playing due to variance, even though your long-run expected return is positive), and has *slightly* better expected return than mining does. Therefore, even though we can't tell whether a set of miners is a single rich person or a large set of poor people, we can expect that the rich person will tend to prefer the high-variance, higher-reward lottery. The trick is that the lottery doesn't count as voting in the transaction-verification and double-spending-resolution consensus! It is a pure gambling system that doesn't confirm transactions.

Brian laughed and said "If you have a lot of money, then we'll *pay* you to stay out of mining." Zooko laughed and said "Yes! And it is even worse than that: it isn't that *we* pay you, it is that money gets taken from *everyone*, including all the poor people, and paid to you. So it is a regressive tax! I hate it!"

Then we only had about 5 minutes left. We spent a couple of minutes on meeting planning — Brian would prefer to have Tesla Coils & Corpses on Fridays.

Then we rapidly threw in two other crazy cryptocurrency notions. The first is using "distance-bounding" protocols to limit your interactions to computers within a certain latency of you. So you could for example respect only blocks produced by miners within a fixed light-sphere of you. Andrew calls this "proof-of-proximity".
So an attacker who has greater resource (e.g. hashpower) than your community can still do a rollback attack on your community, but he has to come hang out in your neighborhood in order to do it! This seems to fit with the notion of "Local/Community Currencies". You could have multiple layers of this — for example one layer only interacting with miners within 100 nanoseconds (30 meters), one layer within 100 microseconds (30 kilometers), one layer within 10 milliseconds (3000 kilometers), and one layer within 100 kiloseconds (30 terameters). Brian jokes that the Alien Miner can still roll back our puny human economy, but he has to fly all the way to our solar system to do it.

We noticed that proof-of-proximity might fit nicely with Brian's "braiding" idea, in which each miner is responsible for only a subset of all transactions, but the slender blockchains built over these subsets get linked/braided together into a stronger blockchain.

The final crazy cryptocurrency notion that we zoomed through in the last few seconds is this: people sometimes ask for cryptocurrency mining to reward only humans and not computers. All the typical suggestions for how to do this are dumb (i.e. unimplementable, or doomed to centralized control, because of The Sybil Problem). But, Zooko thinks here's one that might be possible: abstract strategy games. Mining rewards are doled out to the top 5% of players in today's Go tournament. Brian says you might as well use Arimaa or something that is actually designed to be hard for computers to play. (But Arimaa is patented.) Also Brian doesn't see how we can unforgeably bind useful information in with the game transcripts, like public keys and transaction records. But we are almost out of time for this meeting. It could relate to Zooko's Forced Latency Interlock Protocol.

Finis

--Zooko

P.S.
Andrew later asked me to add two counter-claims to the above, from him: “First, if the lottery is high variance enough, it's self-sustaining and progressive, on average. See the paper "evidence from the powerball." Second, although ghash.io runs their own mining rigs, they aren't doing it for their own direct benefit with their own capital, they're selling mining power to cloud users. So non-outsourceable puzzles (imperfectly) address this.”
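
The gambler's-ruin argument in the notes, worked through numerically as an added example that is not part of the original message. Only the 1.00002 mining multiple and the $1000 bankroll come from the notes; the lottery's ticket price (1 unit), win probability and jackpot are assumed values chosen so that its expected return is slightly better than mining.

```python
# Added illustration of the gambler's-ruin argument; not from the original notes.
MINING_RETURN = 1.00002  # from the notes: zero-variance 28-day payout multiple

# Assumed lottery parameters (constructed for this example): a ticket costs
# 1 unit and pays JACKPOT units with probability WIN_PROB.
WIN_PROB = 0.001
JACKPOT = 1010


def lottery_expected_return(p=WIN_PROB, jackpot=JACKPOT):
    """Expected payout per unit staked; above 1 means positive expectation."""
    return p * jackpot


def ruin_per_unit(p=WIN_PROB, jackpot=JACKPOT, tol=1e-15, max_iter=1_000_000):
    """Chance that a player holding one unit, who never stops, goes broke.

    Each ticket moves the bankroll down 1 or up jackpot-1, so the walk can
    only reach 0 one unit at a time and ruin from b units is rho**b, where
    rho is the smallest root in [0, 1] of rho = (1 - p) + p * rho**jackpot.
    Iterating from 0 climbs monotonically to that root.
    """
    rho = 0.0
    for _ in range(max_iter):
        nxt = (1.0 - p) + p * rho ** jackpot
        if abs(nxt - rho) < tol:
            return nxt
        rho = nxt
    raise RuntimeError("fixed-point iteration did not converge")


def ruin_probability(bankroll_units, p=WIN_PROB, jackpot=JACKPOT):
    """Probability of eventual ruin starting from bankroll_units tickets' worth."""
    return ruin_per_unit(p, jackpot) ** bankroll_units


if __name__ == "__main__":
    print(f"mining: {MINING_RETURN}x, no variance")
    print(f"lottery: {lottery_expected_return():.5f}x expected")
    for bankroll in (1_000, 100_000, 1_000_000):
        print(f"bankroll {bankroll:>9,}: P(ruin) = {ruin_probability(bankroll):.3g}")
```

With these assumed parameters a 1,000-unit player who keeps playing is ruined about 98% of the time despite the positive expectation, while a 1,000,000-unit player almost never is.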