by seanwilson 3122 days ago
One of the big selling points of Bitcoin is that it's meant to be decentralised but it doesn't look like this plays out. Proof of work seems to inevitably lead to all the power going to parties that can afford specialised hardware who are in countries with low electricity costs.

Running a Bitcoin miner on commodity hardware now is pointless which seems to go against the spirit of Bitcoin when it started. Was this predicted at the inception of Bitcoin? It's interesting how economics impacts the security of the protocol like this.

Proof of stake is meant to consume less resources but then the power is then handed to people with the most money? Coming up with a way to have a decentralised currency where everyone involved gets a fair say without consuming too many resources is a super interesting problem.

10 comments

>Was this predicted at the inception of Bitcoin?

It was not predicted in the original Bitcoin whitepaper. Yes, it discussed the theoretical feasibility of a 50+% attack to double-spend but it didn't explicitly predict a "consolidation" to specialized hardware miners that leaves out the miners at home using regular computers.

>It's interesting how economics impacts the security of the protocol like this.

Every decentralized protocol suffers from unintended centralization caused by economics. The same thing happened to other protocols like NNTP (Usenet), SMTP, HTTP+HTML, and Git.

The underlying issue is that technical protocols still have to be realized on real hardware like cpus + harddrives + network bandwidth and consume real costs like human labor. You can decentralize a protocol specification but you can't decentralize the amount of money different entities are willing to spend on that protocol. Each protocol whether NNTP/SMTP/Git/bitcoin does not come with a $1 million grant for homeowners to spend at Newegg to keep protocols decentralized.

That's why protocols consolidate towards big players in a power law distribution.

> It was not predicted in the original Bitcoin whitepaper.

> Every decentralized protocol suffers from unintended centralization caused by economics.

> That's why protocols consolidate towards big players in a power law distribution.

Hmm, given the amount of foresight in the original whitepaper I'm surprised the current situation wasn't predicted especially if it's common with other protocols that are intended to be decentralized.

It could have been foreseen and omitted. We still don't know who Satoshi is or what their motivations are.

>Coming up with a way to have a decentralised currency where everyone involved gets a fair say without consuming too many resources is a super interesting problem.

I think the obvious solution is to do useful work rather than throwing away work on crypto. Have miners solve real problems and give them credit for getting the right answer.

This is what Ethereum is supposed to do. I don't think it's a great solution. It's still extremely wasteful since every node runs every computation. Even something like TrueBit, which is designed to be scalable and efficient, is still far less efficient than normal cloud architectures. It still throws away the vast majority of the work in the interest of safety and incentives. These systems are good if you want trustworthy computation, but not if you want high-performance and power-efficient computation.

I'm trying to design a system where something like 95% of the work goes to useful computation, but I have nothing anywhere near shippable. It's a hard problem.

>obvious solution is to do useful work rather than throwing away work on crypto

Keep in mind that the parent stated multiple conditions in the problem and your "obvious solution" only addresses the "too many resources" component.

Doing "useful work" is obviously better but still doesn't address the "fair say in decentralization".

>I'm trying to design a system where something like 95% of the work goes to useful computation, [...] It's a hard problem.

And to make it an even harder problem, also try to design a cryptocurrency system where Bill Gates' billions to buy supercomputer hardware has no advantage over a typical homeowner with a cheap computer. Maintaining _economic_ decentralization is very hard. I'm not aware of any decentralized protocol that has solved it. Heck, most whitepapers about decentralized protocols don't even explicitly discuss it.

I disagree. Making proof of work involve real applications rather than just cryptography means that machines will need to be general. It isn't possible to build an ASIC capable of running ordinary applications.

Bitcoin is entirely owned by people with ASICs. The barriers to entry are enormous. It's totally pointless for me to mine Bitcoin on my laptop, or even on my Beowulf cluster. But if mining involves normal computations like you'd want to run on a normal cloud, then a laptop is capable of doing useful work and the barrier to entry is low.

Making normal computers useful is a huge improvement over Bitcoin and is the motivation behind currencies like Monero.

> a laptop is capable of doing useful work and the barrier to entry is low.

No, the "low barrier to entry" because of laptop use instead of ASIC is orthogonal to volume of computation/diskspace/specialization. That does not solve the "spend more money on computing resources" that inevitably leads to centralization. Making useful computations that are resistant to ASICs is an improvement but does not prevent economic centralization. Therefore, Monero doesn't solve it either.

You can see real-world evidence of this where SMTP email protocol and Git protocol do not run on specialized ASICs and yet, they still got economic consolidation.

A system where anyone can rent out their CPU time will result in less centralization than we see with current cloud providers. A system where anyone can mine productively will result in less centralization than we see with current cryptocurrencies. Will it result in zero centralization? No, and I wouldn't expect it to. That's most likely impossible.

>A system where anyone can rent out their CPU time will result in less centralization than we see with current cloud providers.

This is an aspirational wish but not reality at the moment. Nobody including BOINC or any other decentralized grid computing endeavor has proven that economically. For your cause & effect of "less centralization" to happen, homeowners' CPUs would have to be cost-competitive with cloud services. Selling "idle" time on home CPUs isn't cost effective. Most realistic computation workloads also require large datasets (diskspace) in addition to CPU cycles. People don't pay only for the Amazon CPU clock cycles; it's also S3 data storage and network bandwidth.

Likewise, Filecoin's whitepaper for decentralized disk storage is also aspirational and economically unproven at this time.

>A system where anyone can mine productively will result in less centralization than we see with current cryptocurrencies.

Probably not. The "mine productively" in your solution has 2 components: (1) the useful computation and (2) the cryptocurrency computation.

For a thought experiment, let's assume you invent the 95% useful computation algorithm that you targeted. The 5% computation will still have to be done on hardware where different entities can spend vastly different amounts of money. (Pay more for more powerful computers or pay less for watts of energy because China computer is near hydroelectric dam, etc.)

The 95% of useful computation (say brute force protein folding or DNA cancer analysis) can be an absolute gain for society. However, the 5% computation's "productive value" is _relative_ to all other participants mining that cryptocurrency. Since others can work through that 5% computation much more efficiently (both in pure hardware cycles and/or energy efficiency), the 5% crypto work on the homeowner's laptop loses value in relation to everybody else. Whatever crypto coins the laptop successfully mines, others have mined even more coins rendering the laptop coins to be worth less because of the relative time & energy it took on that modest laptop cpu.

The 95%/5% ratio that's resistant to ASICs does not stop the inevitable trends towards centralization into major entities holding disproportionate power and/or coins in the system. The 5% "non-useful" computation can still be optimized by people spending more money than others. Since spending is not decentralized, the resulting rewards from the 5% computation will also not be decentralized.

Proof of work must be impossible to cheat, and easy to verify. Can't make issuing money as easy as printing paper.

> Was this predicted at the inception of Bitcoin?

At inception? No. But Satoshi was made aware of this problem. Here's a long passage from Nathaniel Popper's Digital Gold:

Laszlo’s CPU had been winning, at most, one block of 50 Bitcoins each day, of the approximately 140 blocks that were released daily. Once Laszlo got his GPU card hooked in he began winning one or two blocks an hour, and occasionally more. On May 17 he won twenty-eight blocks; these wins gave him fourteen hundred new coins that day.

Satoshi knew someone would eventually spot this opportunity as Bitcoin became more successful and was not surprised when Laszlo e-mailed him about his project. But in responding to Laszlo, Satoshi was clearly torn. If one person was taking all the coins, there would be less of an incentive for new people to join in.

“I don’t mean to sound like a socialist,” Satoshi wrote back. “I don’t care if wealth is concentrated, but for now, we get more growth by giving that money to 100% of the people than giving it to 20%.”

As a result, Satoshi asked Laszlo to go easy with the “highpowered hashing,” the term coined to refer to the process of plugging an input into a hash function and seeing what it spit out.

But Satoshi also recognized that having more computing power on the network made the network stronger as long as the people with the power, like Laszlo, wanted to see Bitcoin succeed.

> But Satoshi also recognized that having more computing power on the network made the network stronger as long as the people with the power, like Laszlo, wanted to see Bitcoin succeed.

Not sure if I entirely agree with/understand this. Even if they do want Bitcoin to succeed, how different is it from the current capitalist system if 40% of the bitcoins are owned by 1% of the population?

Doesn't the (economic) power that Bitcoin takes away from governments end up in the hands of a select few? We are then back to square one.

> Not sure if I entirely agree with/understand this. Even if they do want Bitcoin to succeed, how different is it from the current capitalist system if 40% of the bitcoins are owned by 1% of the population?

1%? According to a Bloomberg article[1] it's 1000 people owning 40% of all bitcoins. That's about 0.000014286% of the world population. I doubt any of them are involved in mining now either, more likely just early adopters.

[1]: https://www.bloomberg.com/news/articles/2017-12-08/the-bitco...

That Bloomberg article's evidence for that number is shoddy at best.

That highly depends on the hashing algorithm used. For Bitcoin this is SHA256, which is very well-suited for ASIC implementation. The algorithm of Ethereum was deliberately designed to be ASIC-resistant, but GPU-friendly, therefore GPUs (which are kind of a commodity) are the hardware of choice for Ethereum mining. Monero takes this one step further by having an algorithm that is ASIC-resistant and that can be mined just as well on GPUs as on CPUs, which is probably the best you can get with regard to mining decentralization. The result is that Monero mining is much more spread-out and distributed over the world than Bitcoin mining.

The advantage of low electricity cost is of course something that cannot be eliminated without eliminating Proof of Work entirely.

> That highly depends on the hashing algorithm used. For Bitcoin this is SHA256, which is very well-suited for ASIC implementation. The algorithm of Ethereum was deliberately designed to be ASIC-resistant, but GPU-friendly, therefore GPUs (which are kind of a commodity) are the hardware of choice for Ethereum mining.

Is it possible to create ASIC resistant algorithms? Litecoin was meant to be resistant by using scrypt but there's ASICs out for that now I believe.

Could you not create a protocol that constantly changes its hashing algorithm to combat ASICs?

> The advantage of low electricity cost is of course something that cannot be eliminated without eliminating Proof of Work entirely.

Any views on what the ideal system would be? I've heard of using a combination of proof of stake and proof of work. Proof of stake will mean people with more money get more power and proof of work means people with lower electricity costs get more power so neither seems ideal. I think ideally each person in the world would get an equal vote in how the protocol progresses but it's not obvious how you could enforce that.

> Is it possible to create ASIC resistant algorithms? Litecoin was meant to be resistant by using scrypt but there's ASICs out for that now I believe.

Making the PoW require tons of memory to solve efficiently seems the best way to attain ASIC resistance. Monero's PoW requires only 8x more than scrypt's 128KB, but Ethereum requires over 1000x more than Monero's 2MB. None of these can be instantly verified though which is a desirable property of PoWs.

Modern asymmetric PoWs like Grin and aeternity's Cuckoo Cycle, and Zcash and Bitcoin Gold's Equihash combine large memory requirements (144MB-2.2GB) with instant verifiability.
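Added illustration, not from any commenter in this thread: a toy Equihash-style asymmetric proof of work. The solver runs Wagner's generalized-birthday algorithm and must hold the whole hash list in memory, while the verifier only recomputes four hashes; the parameters, header and nonce range are constructed toy values.

```python
"""Toy asymmetric, memory-hungry proof of work in the Equihash style.

Solver: Wagner's generalized-birthday algorithm for k=2 (four distinct indices
whose hash values XOR to zero). It must hold a 2^(n/3+1)-entry table of hashes
in memory. Verifier: four hash calls and an XOR, no table at all.
Parameters below are constructed toy values, far smaller than Zcash's n=200, k=9.
"""
import hashlib
from collections import defaultdict
from typing import List, Optional, Tuple

N_BITS = 30                        # width of the XOR target in bits
ROUND_BITS = N_BITS // 3           # bits that must cancel in the first round
LIST_SIZE = 2 ** (ROUND_BITS + 1)  # 2048 hashes the solver must keep in memory


def h(header: bytes, nonce: int, idx: int) -> int:
    """Hash header || nonce || idx down to an N_BITS-wide integer."""
    data = header + nonce.to_bytes(4, "big") + idx.to_bytes(4, "big")
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return int.from_bytes(digest, "big") >> (64 - N_BITS)


def solve_nonce(header: bytes, nonce: int) -> Optional[List[int]]:
    """One Wagner pass: return 4 distinct indices whose hashes XOR to 0, or None."""
    # Round 0: the whole list lives in memory; this is the memory cost.
    items = [(h(header, nonce, i), (i,)) for i in range(LIST_SIZE)]
    # Round 1: pair entries that agree on the top ROUND_BITS bits, keep the XOR.
    buckets = defaultdict(list)
    for value, idxs in items:
        buckets[value >> (N_BITS - ROUND_BITS)].append((value, idxs))
    pairs = []
    for group in buckets.values():
        for a in range(len(group)):
            for b in range(a + 1, len(group)):
                pairs.append((group[a][0] ^ group[b][0], group[a][1] + group[b][1]))
    # Round 2: two pairs with identical partial XOR give four hashes XORing to 0.
    buckets = defaultdict(list)
    for value, idxs in pairs:
        buckets[value].append(idxs)
    for group in buckets.values():
        for a in range(len(group)):
            for b in range(a + 1, len(group)):
                idxs = group[a] + group[b]
                if len(set(idxs)) == 4:        # reject degenerate i,j,i,k combinations
                    return sorted(idxs)
    return None


def solve(header: bytes, max_nonce: int = 64) -> Optional[Tuple[int, List[int]]]:
    """Try nonces until one yields a solution (about 2 are expected per nonce)."""
    for nonce in range(max_nonce):
        proof = solve_nonce(header, nonce)
        if proof is not None:
            return nonce, proof
    return None


def verify(header: bytes, nonce: int, proof: List[int]) -> bool:
    """Instant verification: bounds/distinctness check plus four hashes."""
    if len(proof) != 4 or len(set(proof)) != 4:
        return False
    if any(not 0 <= i < LIST_SIZE for i in proof):
        return False
    acc = 0
    for i in proof:
        acc ^= h(header, nonce, i)
    return acc == 0
```

Scaling N_BITS up makes the solver's table (and the memory bandwidth it consumes) grow exponentially while verify() stays at four hashes, which is the asymmetry the comment describes.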

could you not just add a ton of ram to an ASIC?

128MB is the current limit [1] for embedded DRAM

[1] https://en.wikipedia.org/wiki/EDRAM

> Could you not create a protocol that constantly changes its hashing algorithm to combat ASICs?

It might be interesting to combine all of the popular hash functions in a sequence. You could probably mix in some non-cryptographic hash functions in the middle as long as you use secure functions at the beginning and end of the sequence. e.g. SHA256 => MD5 => MurmurHash => BLAKE-256

You could even write an algorithm that uses the previous block hash to determine the next order of the hash function sequence.

Wouldn't ASICs then just implement all of them and rotate execution?

Yes. It was also a bad idea because it would be expensive to verify the proof. A good proof-of-work algorithm is very difficult to create, and very fast to verify.

After posting that comment, I discovered a far better proof-of-work called the Cuckoo Cycle:

* Blog post: http://cryptorials.io/beyond-hashcash-proof-work-theres-mini...
* Whitepaper: https://eprint.iacr.org/2014/059.pdf

It's really a genius solution. You have to fill up 2GB of RAM with random bits in order to find a specific cycle in an enormous graph. This means that even a very slow CPU would quickly saturate the DRAM memory bandwidth, and it doesn't matter if you use a CPU, GPU, FPGA, or even an ASIC.

This means that a mobile phone with 2GB of RAM can mine just as fast as any server with 2GB of RAM. If you want to increase your mining capacity, you'll have to buy a lot of RAM (or a lot of cheap mobile phones.)

Since it is constrained by memory bandwidth, you spend most of the time just waiting for bits to arrive. This means that it uses much less electricity than other PoWs. The proof is also instantly verifiable.

There are a few cryptocurrencies that are using the Cuckoo Cycle proof-of-work such as aeternity [1], and Mimblewimble / grin [2].

[1] https://aeternity.com/

[2] https://github.com/mimblewimble/grin

> Monero takes this one step further by having an algorithm that is ASIC-resistant and that can be mined just as well on GPUs as on CPUs, which is probably the best you can get with regard of mining decentralization.

Frankly, it will be interesting to see Monero's distribution. Because I was there when a glut of Cryptonight coins were announced. The selling point was CPU mining was back.

Quite a lot of people abused the AWS free credits to get a leg up and mine tons of coins.

But the most interesting was the guy who worked on a CUDA implementation of Monero's mining algorithm ie a GPU miner. For a long, long time this mining software remained private. I believe it was only after the BTC crash to 300 and hence, Monero's to lower $1 levels that this got released publicly.

> Proof of stake is meant to consume less resources but then the power is then handed to people with the most money?

I'm surprised nobody has caught on to the fact that the present fiat system is in essence a Proof-of-Stake one.

> Coming up with a way to have a decentralised currency where everyone involved gets a fair say without consuming too many resources is a super interesting problem.

Indeed. I almost wonder if it can be proven that thermodynamics is in fact the only possible way to verifiably make something take considerable time and energy, i.e. actually cost in resources that we have no way of faking, especially time.

> I'm surprised nobody has caught on to the fact that the present fiat system is in essence a Proof-of-Stake one.

That was what I was meaning really. If the people that have large amounts of money (whether that's in owning coins with proof of stake or owning hardware with proof of work/space) have a disproportionately large say in what happens it's not much of an improvement to the current systems we all live in.

> Indeed. I almost wonder if it can be proven that thermodynamics is in fact the only possible way to verifiably make something take considerable time and energy, i.e. actually cost in resources that we have no way of faking, especially time.

This seems intuitively correct. So much so that I'm sure there's a paper that either confirms or denies that this is the case (perhaps in information theory). I also wonder how quantum computing affects this idea.

This form of proof of work, SHA-256, has a scramble shuffle of XORs that quantum computers aren't applicable to.

I remember reading that a key weakness to bitcoin was its susceptibility to fraud if a group of nefarious miners control a significant portion of compute power on chain, because verification is based on consensus. As such, a properly motivated bad actor can produce fraudulent results that can only be disproven by exorbitant compute resources. Obviously this would destroy the value of btc but they only need to keep it going long enough to cash out. If mining is heavily focused in certain areas of extensively overbuilt power generation centers (rural China) using mass custom ASICs, then it sounds to me like Bitcoin has a fundamental flaw in its market realities.

GRANTED: more severe opportunities for fraud, unfairness and bad acting are available to Wall Street

NOTE: I find bitcoin fascinating and I really want it to work, but it has serious flaws that aren't being seriously acknowledged by the people willing to buy in at $15,000+ per BTC. Not trying to be a naysayer to crypto currency

What we are learning is that there are far easier ways to steal bitcoin than the so-called 51% attack. Miner collusion would be so expensive to pull off and the amount of money you can steal this way is not that great - you still need the elliptic curve signatures to verify, so the only thing you can really do is "double spend" the bitcoin that you need to have in the first place.

> steal bitcoin

Denial of service. Should the +51% choose, they can simply ignore certain transactions and those will never end up on the chain.

Our fiat private finance system does concentrate wealth, but DOS attacks are only possible by subverting the legal regime.

51% attack does not allow stealing others' coins but it allows forbidding you from using them (your transactions will not be mined). See [0].

[0]: https://bitcoin.stackexchange.com/questions/658/what-can-an-...

Yes, the initial paragraph of the bitcoin paper (bitcoin.org/bitcoin.pdf) says that as long as 51% of the network is not attacking the network (that is, trying to forge their own, new, transaction history) the protocol is safe. Even when 51% of mining power is concentrated in the hands of a group, there is still a lot of reverse engineering to do to try and inject your own blocks as history. So far I have seen no demonstrable way to do this. If anyone is aware of research in this area I'd be interested to see how far it has come along.

There are a bunch of consensus protocols out there already. My favourite is the Stellar Consensus Protocol[1]. I think that modelling your consensus around entities you trust, instead of the most power or most money, is more natural.

[1]: https://www.stellar.org/papers/stellar-consensus-protocol.pd...

Awesome, thanks for the link. I'm not finding the paper that easy to read though...could you summarise how it compares to proof of work or proof of stake? The idea of electing which nodes you trust more than anonymous ones does seem to mirror the real world though.

It's also not as decentralized as intended in the white paper in regard to transactions. First sentence in the abstract: "A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution."

http://nakamotoinstitute.org/bitcoin/#selection-37.4-37.173

Most people trading BTC atm are not trading BTC, but trading ownership of BTC using a traditional database.

Still bitcoin itself doesn't require the use of a financial institution or a traditional database.

PoW is inherently subject to industrial economies of scale, virtually guaranteeing an oligopoly. I saw this in the beginning and predicted that Bitcoin would evolve something like a de facto central bank.

>lead to all the power going to parties that can afford specialised hardware who are in countries with low electricity costs.

Is it costly just because it was newly created though, and won't this cost come down? You can also mine in countries with high electricity costs if you build your own renewable energy generator.

In terms of decentralisation, the nodes are still decentralised and can at least detect when miners try to use their dominance. They can only do it after the fact, and it might be messy, but it makes performing the attack fairly worthless as you can no longer mine on the network anymore.