From: Chris Page <pagecr@gmail•com>
To: Jameson Lopp <jameson.lopp@gmail•com>
Cc: "bitcoin-development@lists•sourceforge.net"
<bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] Request for comments on hybrid PoW/PoS enhancement for Bitcoin
Date: Tue, 24 Feb 2015 12:13:47 -0500 [thread overview]
Message-ID: <CAEG8yzmzMtVgMZfuK28ct62kKewzGXjbrcOmYWzivkN11eCq2g@mail.gmail.com> (raw)
In-Reply-To: <CADL_X_cYanZGob_EdYwVmRonK3kHBv5KFxg3epJNasrmnxjutg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 14677 bytes --]
Thanks for the feedback and questions. Answers inline.
On Tue, Feb 24, 2015 at 9:54 AM, Jameson Lopp <jameson.lopp@gmail•com>
wrote:
> This is an interesting idea from the standpoint of trying to incentivize
> people to run nodes, though from a high level it seems to just be adding
> complexity to the current process by which nodes 'endorse' blocks. When a
> node receives and validates a block it then informs its peers of the new
> inventory, thus offering to send the block that 'endorses' as valid.
>
> "Because there is an incentive to include endorsers, there is an incentive
> to broadcast mined blocks as soon as possible." - I'd say that this is
> already the case due to the incentive for a miner's block to get propagated
> around the network first.
>
I agree with this, for well meaning miners. In the case of a 51% attack,
there is an incentive to mine a block and not share it right away, so that
another block could be mined on top of it. Because that first block wasn't
shared, it wouldn't have endorsers. The total work represented in this
"attack" chain, even with 2 blocks, would ideally represent less work that
one fully endorsed block. This is because, as currently proposed,
endorsers provide a work multiplier, which when a block has a full
complement of endorsers, its proof of work is doubled for the purpose of
best chain selection. That's if we allow up to 10 endorsers each providing
a 10% work bonus.
My concern is that giving endorsers too much power potentially opens up
another attack vector where endorsers could collude to endorse an invalid
block. But that's why it is so important that the selection criteria for
endorsers needs to be both random and narrow. I discuss that more below.
>
>
> My first question would be whether or not your proposal would include a
> change to how nodes propagate new blocks. At the moment, a node that hears
> about a second valid block at the tip of the chain will ignore it and not
> propagate it to its peers. Wouldn't your proposal necessitate a change to
> this logic so that blocks with 'better' endorsements get propagated even if
> they are received after non-endorsed or lesser-endorsed blocks?
>
I think that the proposal does impact consensus, which creates a high
barrier to acceptance, and I'm not yet convinced that the benefits are
worth the risk. My hope is that in sharing the idea, we can identify ways
to reduce the risk.
Whenever there is a fork, Bitcoin chooses the chain with the most work. I
could easily be mistaken, so correct me if I cam wrong, but based on a
current level of difficulty, any arriving valid block is going to present
an equivalent proof of work. So currently, it makes sense to simply ignore
a second valid block. With the proposal, if a second valid block came in
with more endorsers, it would displace the current tip.
In practice, with proper incentive, I would expect all found blocks to have
the same number of endorsers. Therefore all incoming blocks would be
interchangeable, and it would be the case that in practice, a second valid
block would be ignored just as today.
>
> I'd also be interested to know more how endorsements would be limited
> (fairly) to only a subset of nodes.
>
>
A node endorses by providing an address for payout. The limiting criteria
is a function of that address.
The first requirement is that the address must have a relationship to the
block that it is endorsing. As an
example, 0000000000000000082ab88cefb003f1dc1fa25881dbd56ed58c0548fbec5382 is
the hash of a recent block. The requirement is that the address matches
some number (TBD) of trailing bits. If the threshold were 32 bits, then
the address (more likely, the hash of the public address) would need to end
in fbec5382..
An valid address must have some proof of stake. Maybe that isn't fair,
because it limits participation by balance, and it is yet another case of
the rich get richer. But without proof of stake, everyone would generate
enough addresses so that they could always find an address that meets the
first requirement.
Assuming the idea has merit, in order to get it right, we'd need much
discussion to understand what combination of PoS and size of mask makes
sense.
> I'm a bit fuzzy on the endorsement timing. You're saying that a miner will
> add endorsement payouts in their block based upon nodes that endorsed the
> previous block? Which means they're paying nodes to endorse a block that
> they probably didn't even mine? Or would a miner only include payouts to
> endorsers for the last block that they mined that was accepted by the
> network?
>
>
With my proposal, miners would not be required to payout to endorsers at
all. I think that this would help us avoid a hard fork. But when they
choose to payout to endorsers, yes, they would be paying out to those that
endorsed the tip of the chain that they are building on. Why would a
miner ever do that? Because they would benefit from the multiplier
provided by the endorsers.
Any block that includes endorsers would be providing a higher level of work
which would displace tips without endorsement. This sort of turmoil
wouldn't sit well with anybody, so I suspect that miners would soon begin
including a full complement of endorsers.
If we were to move ahead with something like this, we might want to ramp up
the amount of the reward shared with endorsers from 0 to the final target
some years later. I do not want to mess with short term business plans of
miners.
Thanks again for the feedback, thoughts, and questions. I hope my answers
provide more clarity.
-Chris
> - Jameson
>
> On Mon, Feb 23, 2015 at 2:27 PM, Chris Page <pagecr@gmail•com> wrote:
>
>>
>> I'm soliciting feedback on an idea to will improve security, increase the
>> number of full nodes, and provide more avenues for bitcoin distribution.
>> The idea is still in its infancy, but I need constructive feedback before I
>> take this further, or decide to abandon the idea.
>>
>> In particular, my ego is in check and I'm ready to be made a fool, but in
>> turn, I'll be that much better educated, so fair trade!
>>
>> Here is the high-level overview:
>>
>> 1) A new block B0 is mined and broadcast as usual
>>
>> 2) Full nodes verify block B0. A subset of these nodes broadcast a new
>> "endorsement" message endorsing the block as valid, and preferred.
>>
>> 3) Miners, now assembling and beginning mining a new block (B1), add
>> endorsements of B0 to B1's coinbase transaction, sharing the block reward
>> with endorsers of B0.
>>
>> As proposed, the idea of Block Endorsement requires a new message, but
>> fits into current structures.
>>
>> Here some details about each of the steps above, and what it buys us:
>>
>> 1) The mining of block B0: No changes to current process or format.
>> Blocks are mined and broadcast as they are today.
>>
>> 2) Only a subset of nodes are eligible to endorse a block, and hence,
>> only a subset are eligible for an endorsement reward. We restrict to avoid
>> a flood of endorsement messages by every node following the announcement of
>> each new block. An endorsement message needs to identify exactly one block
>> at a specific height that it is endorsing. It needs to include a payout
>> address that meets certain validation criteria relative to the block it is
>> endorsing. A valid payout address will include some proof of stake (PoS),
>> whether that be that it has a 1+ bitcoin balance, some age weighted
>> balance, or something else is TBD. The reason for PoS is that it should
>> not be the case that a subversive miner could easily fabricate a valid
>> endorsement payout address. The other requirement is that the tail bits of
>> a valid endorsement payout address, when masked (size of mask TBD) need to
>> match the trailing bits of the hash of the block it is validating. This
>> directly ties endorsements to a specific block, and makes it
>> computationally inexpensive to verify/relay, or drop invalid endorsement
>> messages. The combination of PoS and mask will restrict the number of valid
>> addresses. There are no restrictions on which endorsements a miner can
>> include, as long as they are valid. As part of new block validation, full
>> nodes would need to do all that they do now, but they would also need to
>> validate endorsements included in the coinbase transaction.
>>
>> 3) Miners consider whether to include endorsement payouts as part of
>> their coinbase transaction. They need not do so, but by including
>> endorsements, they significantly increase the likelihood that their block
>> will be selected.
>>
>> CHANGE TO BEST CHAIN SELECTION
>>
>> Block Endorsement requires a change to the best chain selection algorithm
>> to encourage miners to include endorsement payouts. Because there is an
>> incentive to include endorsers, there is an incentive to broadcast mined
>> blocks as soon as possible.
>>
>> For the purpose of best chain selection, a block should get a significant
>> bonus to its work (10%) for each valid endorsement payout included in a
>> block's valid coinbase transaction. How many endorsements should be
>> permitted is a design parameter which is in play, but let's assume that up
>> to 10 endorsements are permitted. For the purpose of block selection, a
>> block's work, with 10 endorsements, is be effectively doubled.
>>
>> EFFECT ON 51% ATTACK
>>
>> With Block Endorsement, because of the extra weight given to a block that
>> has endorsements, a sustained 51% attack becomes more expensive. Valid
>> blocks with full endorsements would win out over the attack blocks unless
>> the attacker was able to not only control 51% of the compute power, but to
>> also control sufficient endorsements to overcome the rest of the network.
>> To prevent an attacker from just using suitable addresses as endorsers from
>> the blockchain, a full node would have to maintain a list of recently
>> broadcast endorsement messages for TBD (100) blocks to prove the validity
>> of the endorsements. Quite possibly we might need to provide a way for a
>> booting node to request lists of endorsers.
>>
>> CHANGE TO BLOCK REWARD
>>
>> Miners would share block rewards with endorsers using a defined formula
>> which is TBD. Endorsement rewards would be as much as 20% (design
>> parameter) of the block reward, and shared evenly between all endorsers
>> included in the coinbase.
>>
>> CHANGE TO MINING STRATEGIES
>>
>> When a new block is broadcast, miners will begin assembling yet another
>> block. Meanwhile, full nodes would validate the new block, and
>> endorsements would propagate quickly thereafter to all miners. This should
>> not take long as it is easy to identify whether or not an address is a
>> valid endorser. I would expect shortly after assembling a block, there
>> would be a number of potential endorsers to include in the coinbase tx, and
>> if 10 were not available, a miner could decide to wait, or begin mining
>> it. I suspect the time to collect 10 valid endorsers would be low, as
>> endorsers should reply quickly in hopes of being included. Therefore, this
>> additional wait time, if any, would not have a appreciable impact on the
>> level of difficulty required to mine a block.
>>
>> I have thoughts on how to provide additional incentives to miners to
>> include multiple endorsers - for example, reducing the total endorsement
>> fee down to 10% if endorsed by a full complement of endorsers. We could
>> also start with a lower reward and ramp up to some target over time to not
>> burden the business plans of current mining operations. But these and
>> other ideas are added complexity that I don't know offers much return. It
>> is easy to add complexity. The challenge is to keep it as simple as
>> possible.
>>
>> CONCLUSION
>>
>> By implementing Block Endorsement, we increase security of the blockchain
>> by giving more weight to blocks that have been broadcast and endorsed by
>> multiple full nodes. By providing a reward to these endorsers, we provide
>> an incentive for more full nodes. With proof of state mining on top of
>> existing proof of work, we provide a low barrier to entry, while not
>> sacrificing the benefits provided by PoW. With a lower barrier to entry,
>> we provide a more accessible avenue for mining, and in turn, encourage
>> bitcoin adoption.
>>
>> This is just the beginnings of an idea. Assuming there isn't a
>> fundamental flaw(s), there are many knobs to tweak, and no doubt, it would
>> benefit greatly by the technical expertise and creativity of others. I do
>> feel as if there are still some gaps and that it hasn't yet been full
>> explored yet even as a thought experiment. For instance, what new attack
>> vectors might be introduced? Would a person controlling many potential
>> endorsement addresses be able to launch an attack by endorsing a set of
>> blocks, essentially launching a 51% attack but by using endorsements as a
>> PoW multiplier? Or is that not practical? The answer is probably a
>> function of the endorsement criteria. There are many different angles that
>> require thought and scrutiny. I'm sure there are many that I've yet to
>> even consider.
>>
>> And as I read discussions about double-spends and zero-confirmation
>> transactions I can't help but wonder if maybe there is a way for endorsers
>> to play a role in identifying possible double-spends. Negative
>> endorsements?
>>
>> I'm new to the development process and the code base. Assuming the
>> feedback isn't derailing, would the next step be to proceed with
>> implementation, or would a new BIP be recommended?
>>
>> Well, I thought this would be only a few paragraphs. It is easy to carry
>> on when you are excited about something. That's also the time when a
>> person is most likely to miss some short-comings, so I am anxious for
>> feedback. Thanks for reading, and I'd be most appreciative of constructive
>> comments and questions.
>>
>> Thanks
>> Chris Page
>>
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists•sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>>
>
[-- Attachment #2: Type: text/html, Size: 18233 bytes --]
next prev parent reply other threads:[~2015-02-24 17:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-23 19:27 Chris Page
2015-02-24 14:54 ` Jameson Lopp
2015-02-24 17:13 ` Chris Page [this message]
2015-02-25 12:30 ` Mike Hearn
2015-02-25 13:43 ` Chris Page
2015-02-25 21:58 [Bitcoin-development] Request for comments on hybrid, " Andrew Lapp
2015-02-26 1:21 ` Chris Page
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEG8yzmzMtVgMZfuK28ct62kKewzGXjbrcOmYWzivkN11eCq2g@mail.gmail.com \
--to=pagecr@gmail$(echo .)com \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=jameson.lopp@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox