[dlubarov]

> 1) Randomness (or entropy) in a p2p system is bounded by the data present in the chain. What this means is that (at the very least) an attacker can know ahead of time whether he will win the block reward, because he has all data necessary to compute the result of the random function, no matter what components he is required to use. He can then chose not to participate if he will lose.

You could require miners to announce their proof of burn well in advance of the block they will use it for. Those announcements could be stored in the block chain so that the network can easily agree on when each announcement was made. If the distance in blocks between a burn announcement and the block it will be used for is less than K, the network would ignore that announcement.

So if you want to predict the outcome of block N, you would have to win block N-K and all the blocks in between (or be colluding with all the winners). If K was small you could just burn more than the block reward justifies, discouraging competing miners from burning, but if K is sufficiently large (e.g. 1 month), that would be prohibitively expensive.

> 2) Finney attack. It is completely trivial for an attacker to generate an infinite sequence of valid blocks in which he is the solo participant and is also the winner.

I think you could come up with some rotation mechanism so that only certain accounts can participate in a certain round. It could perhaps be weighted by stake, so to participate in all rounds, one would need to control 100% of the currency (or some lower threshold could be chosen to minimize the rounds that no miners are eligible for).

> 3) Making the block reward equal to the burnt amount makes this functionally equivalent to Proof of Stake for the case of the single miner. However, if you don't make the block reward at least equal to the amount burnt, it is not profitable to mine.

I think you're looking at it backwards; the block reward should be chosen based on the desired inflation rate, and miners will adjust their burn amounts so that burn costs will always roughly equal block rewards. If the costs ever exceed the rewards, it will be brief; some miners will sit out until mining becomes slightly profitable again.

[barbegal]

The key is:

>you could come up with some rotation mechanism so that only certain accounts can participate in a certain round

which is impossible to do in a way that can't be exploited and is fair (without relying on some external source of randomness). And I advise against trying to come up with a way to do so because the internet is full of failed attempts.

[dlubarov]

How about this rotation mechanism --

- Use the block index as the random seed. (Yes, the resulting random sequence is predictable, but that's okay...)

- Randomly select N UTXOs weighted by their output sizes. (This could be done efficiently by storing UTXO hashes in a sort of trie structure, with larger UTXOs higher in the trie, and descending the trie based on the random value until we get to the deepest node with at least N UTXOs beneath it.)

- Only the owners of those N UTXOs may participate in the current burn contest.

- If none of those owners are active or choose to participate, an empty block is added to the chain.

As for the value of N, for maximum security we would want N=1, which makes this equivalent to proof of stake. Then it's impractical for attackers to generate more than a few blocks in a row, since they would need to target single owners who might not be selling.

Higher N values might have some performance advantages (fewer empty blocks), and more even rewards (everyone gets a tiny reward as coins are burnt), but worse security. We would probably want to use N=1 for every, say, 10th block, so that if someone needs a particularly strong guarantee that their branch will prevail, they can wait for ~5 * 10 = 50 blocks.

I think proof of stake is better overall -- it's simpler and there's not much downside -- but both approaches seem viable.