Discussion:
[bitcoin-dev] Some thoughts on removing timestamps in PoW
Tao Effect via bitcoin-dev
2018-02-19 01:29:50 UTC
Copied from: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/pull/13


# Blockchain Timestamps Unnecessary In Proof-of-Work?

*Author: Greg Slepak ([@***@mastodon.social](https://mastodon.social/@taoeffect))*

----

The Bitcoin blockchain has a 10-minute target blocktime that is achieved by a difficulty adjustment algorithm.

I assert, or rather, pose the hypothesis, that the use of timestamps in Bitcoin's blockchain may be unnecessary, and that Bitcoin can operate with the same security guarantees without it (except as noted in [Risks and Mitigations](#risks-and-mitigations)), and therefore does not need miners to maintain global clock synchronization.

The alternative difficulty adjustment algorithm would work according to the following principles:

- The incentive for miners is and always has been to maximize profit.
- The block reward algorithm is now modified to issue coins into perpetuity (no maximum). Any given block can issue _up to_ `X` number of coins per block.
- The number of coins issued per block is now tied directly to the difficulty of the block, and the concept of "epochs" or "block reward halving" is removed.
- The chain selection rule remains "chain with most proof of work"
- The difficulty can be modified by miners in an arbitrary direction (up or down), but is limited in magnitude by some maximum percentage (e.g. no more than 20% deviation from the previous block); we call this `Y%`.

### Observations

- Miners are free to mine blocks of whatever difficulty they choose, up to a maximum deviation
- The blockchain may at times produce blocks very quickly, and at other times produce blocks more slowly
- Powerful miners are incentivized to raise the difficulty to remove competitors (as is true today)
- Whether miners choose to produce blocks quickly or slowly is entirely up to them. If they produce blocks quickly, each block has a lower reward, but there are more of them. If they produce blocks slowly, each block has a higher reward, but there are fewer of them. So an equilibrium will be naturally reached to produce blocks at a rate that should minimize orphans.

A timestamp may still be included in blocks, but it no longer needs to be used for anything, or represent anything significant other than metadata about when the miner claims to have produced the block.

### Risks and Mitigations

Such a system may introduce risks that require further modification of the protocol to mitigate.

The most straightforward risk comes from the potential increase in total transaction throughput that such a change would introduce (these are the same concerns that exist with respect to raising the blocksize). The removal of timestamps would allow a cartel of miners to produce high-difficulty blocks at a fast rate, potentially resulting in additional centralization pressures not only on miners but also on full nodes who then would have greater difficulty keeping up with the additional bandwidth and storage demands.

Two equally straightforward mitigations exist to address this if we are given the liberty of modifying the protocol as we wish:

1. Introducing state checkpoints into the chain itself could make it possible for full nodes to skip verification of large sections of historical data when booting up.
2. A sharded protocol, where each shard uses a "sufficiently different" PoW algorithm, would create an exit for users should the primary blockchain become captured by a cartel providing poor quality-of-service.


--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Tao Effect via bitcoin-dev
2018-02-19 05:15:59 UTC
Real quick (I've received some off-list replies and do plan to respond to those), want to be clear: this thread is not meant to be interpreted as a proposal to modify Bitcoin (it is not a BIP), it is just, exactly as the subject says, some thoughts I had that I hadn't seen expressed elsewhere, that I felt like sharing, in case they are at all useful/interesting to anyone.

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
To be frank, this kind of thing would be better off attempted as a fork to a new coin. Changing the max number of coins, the block reward, the difficulty algo, mining policy and protocol is going to be a non-starter. Also, what are the proposed quantifiable benefits from removing timestamps? How would this be done at the protocol level? Are these other changes related to removing timestamps/rationale for other supply changes?
Regards,
Ryan J. Martin
Damian Williamson via bitcoin-dev
2018-02-19 09:04:02 UTC
Post by Tao Effect via bitcoin-dev
1. Introducing state checkpoints into the chain itself could make it possible for full nodes to skip verification of large sections of historical data when booting up.
What you are suggesting, unless I am mistaken, is that new full nodes should have no way of knowing if an output is spent or even if it exists. Since large sections of the blockchain will potentially be skipped, the full node will not have complete knowledge of utxo's just for starters.


Regards,

Damian Williamson

Tao Effect via bitcoin-dev
2018-02-21 21:58:10 UTC
Post by Damian Williamson via bitcoin-dev
What you are suggesting, unless I am mistaken, is that new full nodes should have no way of knowing if an output is spent or even if it exists. Since large sections of the blockchain will potentially be skipped, the full node will not have complete knowledge of utxo's just for starters.
So, this might not have been clear, but by "if we are given the liberty of modifying the protocol as we wish" I meant that I was discussing a protocol where these sorts of concerns are not an issue because we are not limited by the constraints of Bitcoin's current design.

There have been plenty of proposals across the web for how to design a blockchain where what you're referring to is not an issue because of merkle commitments, etc., and some blockchains already do this (e.g. I believe Ethereum does this via parity).

Cheers,
Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
Daniele Pinna via bitcoin-dev
2018-02-19 13:41:21 UTC
Granted that removing the 21M coin cap is basically a non-starter in the
bitcoin community I'd like to respond to a couple points in your proposal.

The Y% difficulty adjustment should still be calculated through some
averaging of a certain number N of past blocks. Otherwise two lucky high
difficulty blocks in a row could potentially grind the network to a halt.
Just imagine what would happen to the bitcoin network if the difficulty
target was magically increased by 40% all of a sudden. This is certainly
not likely but must be considered imo.

The second, and most interesting (to me at least) is how the reward should
scale with difficulty. By making the reward scale concavely
(logarithmically for example) with difficulty as well as depend on past
average difficulty AND total # of mined coins, it might be possible to
retain something close to the 21M coin cap while also disincentivizing
mining blocks with excessively large difficulties.

Let D and D_0 be the difficulty of the mined block and some reference
initial difficulty respectively. S and S_0 the total floating coin supply
and the reference initial supply. Then the reward function could look
something like this:

R(D, S; D_0, S_0) = R_0(S/S_0) * Log[1 + D/D_0] / Log[2]

Where R_0(S/S_0) can be some decaying exponential function of the ratio
S/S_0 such that initially (when S=S_0) R_0=12.5.

But... As I said, this is solely for sake of argument.

Daniele
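
An added example, not part of the thread and not any poster's code, working through the two points in the message above: the concave reward R = R_0(S/S_0) * log2(1 + D/D_0), and how averaging over N past blocks limits consecutive maximum difficulty raises. Assumptions: R_0 is taken as 12.5 * exp(-k * (S/S_0 - 1)) with k = 1, the Y% bound is read as applying to the mean of the last N difficulties, and all function names are hypothetical.

```python
import math

R0_AT_START = 12.5  # from the post: R_0 = 12.5 when S = S_0
DECAY_K = 1.0       # assumption: the post only says "some decaying exponential"

def base_reward(s, s0, k=DECAY_K):
    """R_0(S/S_0), assumed here to be 12.5 * exp(-k * (S/S_0 - 1))."""
    return R0_AT_START * math.exp(-k * (s / s0 - 1.0))

def reward(d, s, d0, s0):
    """R(D, S; D_0, S_0) = R_0(S/S_0) * log2(1 + D/D_0), as written in the post."""
    if d <= 0 or d0 <= 0 or s0 <= 0 or s < s0:
        raise ValueError("need D > 0, D_0 > 0 and S >= S_0 > 0")
    return base_reward(s, s0) * math.log2(1.0 + d / d0)

def reward_per_work(d, s, d0, s0):
    """Coins earned per unit of difficulty; falls as D grows because R is concave."""
    return reward(d, s, d0, s0) / d

def difficulty_bounds(history, n, y):
    """Allowed range for the next block: within y of the mean of the last n blocks."""
    window = history[-n:]
    mean = sum(window) / len(window)
    return mean * (1.0 - y), mean * (1.0 + y)

def max_after_raises(raises, n, y, start=1.0):
    """Highest difficulty reachable after `raises` consecutive maximum increases."""
    history = [start] * n  # constructed history: n blocks at the starting difficulty
    for _ in range(raises):
        history.append(difficulty_bounds(history, n, y)[1])
    return history[-1]

if __name__ == "__main__":
    d0, s0 = 1.0, 1.0  # constructed reference values
    for d in (0.5, 1.0, 2.0, 4.0):
        print(f"D={d}: reward={reward(d, s0, d0, s0):.3f}, "
              f"per unit work={reward_per_work(d, s0, d0, s0):.3f}")
    print("two max raises, N=1 :", round(max_after_raises(2, 1, 0.20), 4))
    print("two max raises, N=10:", round(max_after_raises(2, 10, 0.20), 4))
```

With N = 1 two maximum raises compound to 1.44 times the starting difficulty, while with N = 10 the same two raises reach only 1.224 times.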
