September 03, 2014

Proof of Work made useful -- auctioning off the calculation capacity is just another smart contract

Just got tipped to Andrew Poelstra's faq on ASICs, where he says of Adam Back's Proof of Work system in Bitcoin:

In places where the waste heat is directly useful, the cost of mining is merely the difference between electric heat production and ordinary heat production (here in BC, this would be natural gas). Then electricity is effectively cheap even if not actually cheap.

Which is an interesting remark. If true -- assume we're in Iceland where there is a need for lots of heat -- then Bitcoin mining can be free at the margin. Capital costs remain, but we shouldn't look a gift horse in the mouth?

My view remains, and was from the beginning of BTC when Satoshi proposed his design, that mining is a dead-weight loss to the economy because it turns good electricity into bad waste, heat. And, the capital race adds to that, in that SHA2 mining gear is solely useful for ... Bitcoin mining. Such a design cannot survive in the long run, which is a reflection of Gresham's law, sometimes expressed as the simplistic aphorism of "bad money drives out good."

Now, the good thing about predicting collapse in the long run is that we are never proven wrong, we just have to wait another day ... but as Ben Laurie pointed out somewhere or other, the current incentives encourage the blockchain mining to consume the planet, and that's not another day we want to wait for.

Not a good thing. But if we switch production to some more socially aligned pattern /such as heating/, then likely we could at least shift some of the mining to a cost-neutrality.

Why can't we go further? Why can't we make the information calculated socially useful, and benefit twice? E.g., we can search for SETI, fold some DNA, crack some RSA keys. Andrew has commented on that too, so this is no new idea:

7. What about "useful" proofs-of-work?

These are typically bad ideas for all the same reasons that Primecoin is, and also bad for a new reason: from the network's perspective, the purpose of mining is to secure the currency, but from the miner's perspective, the purpose of mining is to gain the block reward. These two motivations complement each other, since a block reward is worth more in a secure currency than in a sham one, so the miner is incentivized to secure the network rather than attacking it.

However, if the miner is motivated not by the block reward, but by some social or scientific purpose related to the proof-of-work evaluation, then these incentives are no longer aligned (and may in fact be opposed, if the miner wants to discourage others from encroaching on his work), weakening the security of the network.

I buy the general gist of the alignments of incentives, but I'm not sure that we've necessarily unaligned things just by specifying some other purpose than calculating a SHA2 to get an answer close to what we already know.

Let's postulate a program that calculates some desirable property. Because that property is of individual benefit only, then some individual can pay for it. Then, the missing link would be to create a program that takes in a certain amount of money, and distributes that to nodes that run it according to some fair algorithm.

What's a program that takes in and holds money, gets calculated by many nodes, and distributes it according to an algorithm? It's Nick Szabo's smart contract distributed over the blockchain. We already know how to do that, in principle, and in practice there are many efforts out there to improve the art. Especially, see Ethereum.

So let's assume a smart contract. Then, the question arises how to get your smart contract accepted as the block calculation for 17:20 on this coming Friday evening? That's a consensus problem. Again, we already know how to do consensus problems. But let's postulate one method: hold a donation auction and simply order these things according to the amount donated. Close the block a day in advance and leave that entire day to work out which is the consensus pick on what happens at 17:20.

Didn't get a hit? If your smart contract doesn't participate, then at 17:30 it expires and sends back the money. Try again, put in more money? Or we can imagine a variation where it has a climbing ramp of value. It starts at 10,000 at 17:20 and then adds 100 for each of the next 100 blocks then expires. This then allows an auction crossing, which can be efficient.
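The ordering, expiry and climbing-ramp rules above can be simulated; this is an added sketch, not code from the original post. The `Contract` and `run_auction` names, the sample bids and the miners' `reserve` (an assumed ask price that the climbing bid has to cross) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Contract:
    name: str
    start_block: int       # first block slot the contract bids for
    start_value: int       # donation offered at start_block
    step: int = 0          # amount added per later block (0 = fixed bid)
    ramp_blocks: int = 0   # further blocks it stays open before expiring

    def expiry(self):
        return self.start_block + self.ramp_blocks

    def bid_at(self, block):
        """Current donation, or None if not yet open or already expired."""
        if not self.start_block <= block <= self.expiry():
            return None
        return self.start_value + self.step * (block - self.start_block)

def run_auction(contracts, blocks, reserve):
    """Per block: the highest live bid wins if it meets the miners' reserve
    (an assumed ask price); contracts that reach expiry unpicked are refunded."""
    pending, winners, refunded = list(contracts), {}, []
    for block in blocks:
        live = [(c.bid_at(block), c) for c in pending if c.bid_at(block) is not None]
        if live:
            bid, best = max(live, key=lambda pair: pair[0])
            if bid >= reserve:
                winners[block] = (best.name, bid)
                pending.remove(best)
        for c in [c for c in pending if c.expiry() <= block]:
            refunded.append(c.name)
            pending.remove(c)
    return winners, refunded

# Constructed sample: block 0 stands for the 17:20 slot.
SAMPLE = [
    Contract("A", 0, 12_000),                             # fixed bid, wins at once
    Contract("B", 0, 10_000, step=100, ramp_blocks=100),  # the ramp from the text
    Contract("C", 0, 9_000),                              # fixed bid, too low
    Contract("D", 10, 11_400, step=20, ramp_blocks=3),    # ramp too short to cross
]

if __name__ == "__main__":
    winners, refunded = run_auction(SAMPLE, range(0, 120), reserve=11_500)
    print(winners, refunded)
```

With these constructed numbers the ramping contract B loses the 17:20 slot to A, keeps climbing, and is picked 15 blocks later when its bid crosses the assumed reserve, while C and D expire and get their money back.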

An interesting attack here might be that I could code up a smartcontract-block-PoW that has a backdoor, similar to the infamous DUAL_EC random number generator from NIST. But, even if I succeed in coding it up without my obfuscated clause being spotted, the best I can do is pay for it to reach the top of the rankings, then win my own payment back as it runs at 17:20.

With such an attack, I get my cake calculated and I get to eat it too. As far as incentives go to the miner, I'd be better off going to the pub. The result is still at least as good as Andrew's comment, "from the network's perspective, the purpose of mining is to secure the currency."

What about the 'difficulty' factor? Well, this is easy enough to specify, it can be part of the program. The Ethereum people are working on the basis of setting enough 'gas' to pay for the program, so the notion of 'difficulty' is already on the table.

I'm sure there is something I haven't thought of as yet. But it does seem that there is more of a benefit to wring from the mining idea. We have electricity, we have capital, and we have information. Each of those is a potential for a bounty, so as to claw some sense of value back instead of just heating the planet to keep a bunch of libertarians with coins in their pockets. Comments?

Posted by iang at September 3, 2014 02:12 PM

If an additional value is generated by mining, and miners can capture this value, the increased incentive to mine will increase mining activity.
Since there is no cap to the amount of security that the network will provide, I wonder to what extent the 'joint production' of security and computational utility is a desirable situation.
Increased mining activity will increase difficulty, at least directionally up to the point of marginal break-even. If bitcoin use and its demand increase, pushing up the price to a multiple of its current value, mining might expand even further.

Posted by: Claudio Migliore at September 6, 2014 09:02 AM

As Claudio has said, the security in the bitcoin network (with respect to the distributed consensus) is measured not by the total amount of mining activity, but by the portion of mining cost that does not otherwise have economic value.

If the cost of mining is equal to its economic value (e.g. by introducing 'useful' proof of work) then there is no security at all, because there is no cost to acquire and deploy the mining resources needed to dominate and attack the network. If mining is free at the margin, as in the heating example, then the network security is found in the fixed hardware costs.

Hence the primacy of the BTC unit in Satoshi's scheme for distributed consensus - if BTC has no value, then miners have no incentive and the network falls apart.

On a related note, in Wei Dai's b-money, he writes that "anyone can create money by broadcasting the solution to a previously unsolved computational problem", but a condition is "that the solution must otherwise have no value, either practical or intellectual." I'm not entirely sure of the reasoning behind this or its relation to bitcoin, though.

Posted by: John Tan at September 10, 2014 01:51 AM

"that the solution must otherwise have no value, either practical or intellectual" is a desirable design feature for an efficient currency because cheaper energy exchange is the desired outcome for all economically interacting participants.

In other words, an efficient currency should have no other market value beyond what it costs to produce. In this way, a bitcoin's price reflects roughly how much it cost to produce. This forces miners to economize.

The Petrodollar is a bit like a fish riding a bicycle to the degree that its value is derived from the scarcity of oil, and secured by military 'proof of force', but nuclear energy and renewables are cheaper, cleaner and more plentiful than fossil fuels so a currency based on proof-of-work 'without value' introduces a global standard of energy scarcity which reflects local energy abundance.

Bitcoin is a reinvention of the wheel where energy efficiency is the goal.

Posted by: richardboase at September 28, 2014 08:47 AM

Useful piece - thanks Ian. The thing I explain to anybody who asks for a "socially useful" proof of work is that, aside perhaps from prime factorisations, you face the following problem:

* When people say "socially useful", they usually mean things like protein folding, searching for aliens or other activities where work has to be injected into the system from a third party (e.g. the operator of Seti@Home)
* This third party has the ability to send "easier" work to their friends and "harder" work to their friends (or they could send the same work to everybody, but that's still problematic since an accomplice could simply fire up massive amounts of rented compute only when they knew an easy work package had been distributed - and they'd win on average)
* So you need some objective measure of "work difficulty", which all observers can retrospectively compute for all others... so that I can know that you've truly done the work you claim to have done.
* And here's the killer: I suspect (but have no proof) that the _easiest_ way to determine the "difficulty" of an arbitrary piece of code+data is to run the code with that data and see how long it takes. So it now becomes just as hard to validate a block as to find one and the system falls apart.

I'm really not sure there's a way around this problem.

Posted by: Richard G Brown at October 5, 2014 10:55 AM
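The validation asymmetry raised in the comment above can be measured directly; this is an added example, not part of the comment or the original post. It contrasts a hash puzzle, which is checked with one hash, with a job that can only be checked by running it again; the iterated-hash `run_job` is an assumed stand-in for an arbitrary "useful" computation with no shortcut, and all names and inputs are constructed.

```python
import hashlib

def _digest_int(header: bytes, nonce: int) -> int:
    data = header + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def mine(header: bytes, bits: int):
    """Search nonces until SHA-256(header || nonce) has `bits` leading zero bits.
    Returns (nonce, hashes_spent)."""
    target = 1 << (256 - bits)
    nonce = 0
    while _digest_int(header, nonce) >= target:
        nonce += 1
    return nonce, nonce + 1

def verify_hash_pow(header: bytes, nonce: int, bits: int):
    """Checking a claimed nonce costs exactly one hash. Returns (ok, hashes_spent)."""
    return _digest_int(header, nonce) < (1 << (256 - bits)), 1

def run_job(seed: bytes, steps: int):
    """Assumed stand-in for an arbitrary job: `steps` sequential hashes.
    Returns (result, steps_spent)."""
    state = seed
    for _ in range(steps):
        state = hashlib.sha256(state).digest()
    return state, steps

def verify_job(seed: bytes, steps: int, claimed: bytes):
    """Without a shortcut, the validator has to redo the job in full.
    Returns (ok, steps_spent)."""
    result, spent = run_job(seed, steps)
    return result == claimed, spent

if __name__ == "__main__":
    header = b"constructed block header"
    nonce, mined = mine(header, 12)
    print("hash puzzle: find", mined, "verify", verify_hash_pow(header, nonce, 12)[1])
    result, worked = run_job(b"constructed work unit", 5000)
    print("rerun job:   find", worked, "verify",
          verify_job(b"constructed work unit", 5000, result)[1])
```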

In a world of such huge differences in computing power between the layman and secret services or finance, it's not as if complexity were granting any security.

For civilians, this difference is in the 1m range, enough to make anything done by "the people" utterly irrelevant.

And for the Army, the cost is no longer about how computationally expensive a problem can be - it's merely how expensive it is to bring the data to one of THE number-crunching machines.

As this cost is close to zero, if the thing supposed to be protected is of any value, forget about complexity.

Use real security - the one that cannot be broken.

Posted by: Socrates at October 31, 2014 10:44 AM