Tesla Coils And Corpses report, 2014-06-19
Zooko Wilcox-OHearn
zooko at leastauthority.com
Sat Jun 21 18:07:01 UTC 2014
In attendance: Zooko (scribe), Glenn Willen, Dcoder, Brian
Zooko says that Bitcoin is doomed to mining centralization. He claims
that any pure-PoW system is so doomed, even with non-outsourceable
mining (a la Amiller's recent paper and Emin Gun Sirer's recent blog
post), because capital costs of mining are high and marginal operating
costs (power and cooling) are low. Glenn says, in support of that
claim, that ghash.io has about 25% of Bitcoin's mining power in its
own physical control. Zooko says, yeah, even if Bitcoin had been
non-outsourceable from the beginning, Ghash.io would still be halfway
to Dominant Miner by now, so non-outsourceable only *slows* the
process of centralization.
Hypothesis: low or no capital cost and high marginal operating costs
would solve the problem of mining centralization. Why? Zooko has
trouble articulating why he thinks this. It has to do with the idea
that you can't establish an *incumbent position* that gives you an
advantage over a newcomer. There's no barrier to entry. Does that slow
or even prevent the process of mining centralization?
Glenn pointed out that with the current Bitcoin Proof-of-Work system
expected returns on mining are being pushed close to or even below 0.
So, shouldn't *that* have the same effect as Zooko's claimed effect of
high marginal operating costs? Zooko thinks it doesn't have the same
effect, but has trouble articulating why. Something about the
investment and commitment of buying/building hardware for PoW mining.
Zooko's "Pay-To-Mine" idea is a way to make marginal operating costs
high and capital investment costs 0. It is similar to or perhaps
identical to some variants of "Proof-of-Stake" (but "Proof-of-Stake"
is an inaccurate name for it), and Zooko hasn't been able to figure
out how to make it actually secure. He brought some proposals to
Amiller, who explained challenge scenarios that Zooko's proposals
couldn't handle.
We talked for a bit about the problems of Pay-To-Mine. Basically, if
some miners controlling an aggregate amount of resource, X, attest
that you can rely on a given transaction because they bless it as
being the first/only transaction that spends the money, then how can
you know whether, after you decide to rely on that, that a new, bigger
coalition controlling a greater amount of resource, Y, will arrive and
reverse it, saying that the transaction is the loser in a
double-spend?
Zooko claims that Proof-of-Work systems have an analogous problem, as
Ben Laurie has argued
(http://www.links.org/files/decentralised-currencies.pdf ). (I.e. that
the word "resource" in the previous description could mean either
hash-power or pay-to-mine money.) Zooko uses the example of The Alien
Miner, who appears, wielding vastly more hashpower than all of
humanity combined.
Then we went back to the topic of whether Pay-To-Mine, if it *could*
be made secure, would achieve anti-centralization. Here's the argument
for why it could:
Because of The Sybil Problem, our system can't distinguish between a
giant miner who controls 51% of all the resource (whether that
resource is proof-of-work-power or money with which to pay-to-mine,
either way), and millions of small players who collectively control
51%. "The Sybil Problem" is the problem that no open system can
distinguish between those two situations — a big player can, if it is
advantageous to them, choose to appear as a lot of small players, or
else to appear as a single big player, or any combination thereof.
So, our approach is that we aren't going to attempt to distinguish
between big players and lots of small players, but we're going to
offer a mining operation which is *unattractive* to the big player but
attractive to the small player. There are two ways that we can
financially engineer an offering to be attractive to small players but
not big players.
One is that the reward from mining could be low expected return and
extremely low or no variance. Suppose you have to invest your money
for 28 days in order to mine, and at the end of it you get 1.00002X
your investment back, with no variance. (Zooko got this number by
looking at the most recent auction price of 28-day T-bills.)
Then, according to this theory, people who have only a little money,
like $1000 worth, might *store* it into cryptocurrency mining because
it is safe, and getting $1000.02 back is better than what your local
bank would give you. Whereas people who have a lot of money might find
a more attractive investment that has a higher expected return.
Brian said, what would we have to do to *guarantee* that there is a
better use of money for the rich people? What characteristic of the
economy is this, that you can find more profitable uses for your
money? Zooko said, well I had been assuming that the economy will
provide it for us. But, now that you ask, what *would* we have to do…
Then Zooko remembered another of Amiller's crazy ideas: lotteries!
So, the idea is, we can have two kinds of mining, one that has
extremely low variance, and pays an extremely low return, as described
above, and a second kind that is the "lottery", which has high
variance (thus excluding poor people from being able to play it very
much, because of "gambler's ruin", where you go bankrupt and have to
stop playing due to variance, even though your long-run expected
return is positive), and has *slightly* better expected return than
mining does.
Therefore, even though we can't tell whether a set of miners is a
single rich person or a large set of poor people, we can expect that
the rich person will tend to prefer the high-variance, higher-reward
lottery.
The trick is that the lottery doesn't count as voting in the
transaction-verification and double-spending-resolution consensus! It
is a pure gambling system that doesn't confirm transactions.
Brian laughed and said "If you have a lot of money, then we'll *pay*
you to stay out of mining.". Zooko laughed and said "Yes! And it is
even worse than that: it isn't that *we* pay you, it is that money
gets taken from *everyone*, including all the poor people, and paid to
you. So it is a regressive tax! I hate it!".
Then we only had about 5 minutes left. We spent a couple of minutes on
meeting planning — Brian would prefer to have Tesla Coils & Corpses on
Fridays.
Then we rapidly threw in two other crazy cryptocurrency notions.
The first is using "distance-bounding" protocols to limit your
interactions to computers within a certain latency of you. So you
could for example respect only blocks produced by miners within a
fixed light-sphere of you. Andrew calls this "proof-of-proximity". So
an attacker who has greater resource (e.g. hashpower) than your
community can still do rollback attack on your community, but he has
to come hang out in your neighborhood in order to do it!
This seems to fit with the notion of "Local/Community Currencies".
You could have multiple layers of this — for example one layer only
interacting with miners within 100 nanoseconds (30 meters), one layer
within 100 microseconds (30 kilometers), one layer within 10
milliseconds (3000 kilometers), and one layer within 100 kiloseconds
(30 terameters).
Brian jokes that the Alien Miner can still rollback our puny human
economy, but he has to fly all the way to our solar system to do it.
We noticed that proof-of-proximity might fit nicely with Brian's
"braiding" idea, in which each miner is responsible for only a subset
of all transactions, but the slender blockchains built over these
subsets get linked/braided together into a stronger blockchain.
The final crazy cryptocurrency notion that we zoomed through in the
last few seconds is this: people sometimes ask for cryptocurrency
mining to reward only humans and not computers. All the typical
suggestions for how to do this are dumb (i.e. unimplementable, or
doomed to centralized control, because of The Sybil Problem). But,
Zooko thinks here's one that might be possible: abstract strategy
games. Mining rewards are doled out to the top 5% of players in
today's Go tournament. Brian says you might as well use Arimaa or
something that is actually designed to be hard for computers to play.
(But Arimaa is patented.) Also Brian doesn't see how we can
unforgeably bind useful information in with the game transcripts, like
public keys and transaction records. But we are almost out of time for
this meeting. It could relate to Zooko's Forced Latency Interlock
Protocol.
Finis
--Zooko
P.S. Andrew later asked me to add two counter-claims to the above,
from him: “First, if the lottery is high variance enough, its self
sustaining and progressive, on average. See the paper "evidence from
the powerball." Second, although ghash.io runs their own mining rigs,
they aren't doing it for their own direct benefit with their own
capital, they're selling mining power to cloud users. So non outsource
able puzzles (imperfectly) address this.”
More information about the tahoe-dev
mailing list