On Mon, Dec 15, 2014 at 11:21:01AM +0100, Tamas Blummer wrote:
> Burn mining side chains might be one of the foundation ideas for that ecosystem, enabling permission-less merge mining for
> anyone with interest in a side chain.
> 
> I am puzzled by the lack of feedback on the idea.

It's not a new idea actually - I outlined a system I eventually called
"zookeyv"š based on the notion of sacrificing Bitcoins to achieve
consensus a year and a half ago on #bitcoin-wizards. The discussion
started here and continued for a few days:

https://download.wpsoftware.net/bitcoin/wizards/2013/05/13-05-29.log

I later wrote up the idea in the context of adding Zerocoin to Bitcoin:

http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg02472.html

For key-value mapping I eventually decided that the system didn't
necessarily need to be a strict linear blockchain - a directed acyclic
graph of commitments had advantages as there needed to be less
syncronization between transactions. This also means that the graph
doesn't necessarily need to be revealed directly in the blockchain,
exposing it to miner censorship. OTOH revealing it makes it easy to
determine if an attacker larger than you exists. These days I'd suggest
using timelock crypto to defeat miner censorship, while ensuring that in
principle consensus over all possible parts of the chain can eventually
be reached.˛

Proof-of-sacrifice for consensus has a few weird properties. For
instance you can defeat attackers after the fact by simply sacrificing
more than the attacker. Not unlike having a infinite amount of mining
equipment available with the only constraint being funds to pay for the
electricity. (which *is* semi-true with altcoins!)

As for your specific example, you can improve it's censorship resistance
by having the transactions commit to a nonce in advance in some way
indistinguishable from normal transactions, and then making the
selection criteria be some function of H(nonce | blockhash) - for
instance highest wins. So long as the chain selection is based on
cumulative difficulty based on a fixed target - as is the case in
Bitcoin proper - you should get a proper incentive to publish blocks, as
well as the "total work information rachet" effect Bitcoin has against
attackers.


1) In honor of Zooko's triangle.

2) This doesn't necessarily take as much work as you might expect: you
   can work backwards from the most recent block(s) if the scheme
   requires block B_i to include the decryption key for block B_{i-1}.

-- 
'peter'[:-1]@petertodd.org
000000000000000018d439a78581d2a9ecd762a2b37dd5b403a82beb58dcbc7c