Ethereum creator Vitalik Buterin mentions LessWrong, discusses the various camps and ideologies in Cryptocurrency development

by Ander1 min read31st Dec 201429 comments


Personal Blog

Vitalik says cryptocurrency developers should "reach out to LessWrong more", in order to not be ignorant of advanced computer science and game theory topics.



I think Vitalik raises several major important points, namely:

* Bitcoin's $600 million wasted on electricity yearly in order to secure the network is a huge problem.  Various Proof of Stake algorithms are attempting to improve upon this.  The ideal solution would be one which combines the low cost of the Proof of Stake algorithm, with the high security or Proof of Work.  I not enough of an expert to be able to say which solution is best, but both the Ripple consensus algorithm and the Bitshares Delegated Proof of State algorithm look promising.  I am interested to see what algorithm Vitalik will choose for Ethereum. 

* ASIC miners are a problem due to the resulting centralization.  They have also lead to increased centralization in Bitcoin, as the network is now increasingly controlled by a few large mining pools.

* Blockchain technologies have a great potential to change the world, and solve governmental and organizational problems that society is facing.  Beyond simply revolutionizing money, blockchain technologies could also be used in the future to support prediction markets, voting/consensus building, exchanges, etc.

29 comments, sorted by Highlighting new comments since Today at 1:18 PM
New Comment

ASIC miners are a problem. Not only have they lead to an explosion in the hash rate - and electricity costs to secure the Bitcoin network

No they didn't. Market forces will always drive the cost of mining a bitcoin to the value of a bitcoin regardless of the algorithm used.

Thanks, I didnt mean to imply that ASICs specifically lead to the increase in mining costs/electricity use. I edited to make this more correct.

Any one willing to get technically up to speed for this? I'm willing to go through white papers & specifications with some one and try to see what exactly there is help for. Seems like a great technology and well worth the effort. We can just make a thread about this and work through it together.

The money spent on mining is not wasted.

New coins are worth something. People will compete to produce them, resulting in marginal value ~= marginal cost. You can either make this simple enough that it's obvious that's what is going on, or you can hide it behind complexity. Proof of stake hides it: it creates bizarre problems like a black market in private keys that used to hold lots of coins so that you can generate new POS coins. Other options (complete pre-mine, for instance) come with their own problems.

Forcing people to spend lots of real resources generating coins has a really desirable side effect: it means that many of the producers will be forced to sell the coins they mine, which means there will be a market for those looking to buy them.

For the same reason, ASIC miners causing hash rate explosions are not a bad thing. The economic incentives don't care about capital costs vs electric costs, just that cost to produce = selling price. The centralization is bad, yes, but the other complaints commonly raised aren't actually a bad thing.

POS and other non-POW schemes lose one of Bitcoin's most appealing features: trustless history. I can tell from my copy of the blockchain that it is valid. If someone disagrees, they can simply present their version with a stronger POW, and I can easily tell who is correct without trusting either party.

A single example nullifies your entire argument: PrimeCoin.

Ok, you say, finding primes isn't all that useful either. Fair objection. But there's no reason to think that someone won't come up with a valid POW system that does something incredibly useful, like molecular simulations. Actually it's not that hard to do, the main difficulty is ensuring cryptographic strength. The idea of cryptographic hashes that do useful computations is already becoming a huge research field.

But fact is, POW is entirely separated from the value produced by mining. People often confuse these two concepts.

[-][anonymous]6y 4

A useful proof of work invalidates assumptions about incentives. To be useful it needs to be useless.

It needs to be valueless, not useless. Finding primes actually seems like something that might be both useful and low-value.

[-][anonymous]6y 1

Anything with a use has value to a person benefiting from that use. The trick is to make it such that out-of-band payments to specific miners are not likely to occur.

That's not to say that it's absolutely, 100% a priori impossible to have a "useful but no-value" proof of work. Only theorized example I know of is time-lock decryption: you have a deterministic process for generating public keys, and the proof of work solution is the recovered private key. However this invalidates other assumptions that are required of a secure proof of work, at least with all existing public key crypto systems.

Not true. If it invalidates your 'assumptions about incentives', then your assumptions are wrong. All that is truly necessary is for the value of that use to be smaller than doing it in a way that doesn't involve mining.

A simple example illustrates this: You could argue that current crypto mining already has a use: it heats up your room. In fact a lot of people run mining clusters instead of electrical heaters in the winter.

When you are trying to use a blockchain as a store of value or currency, as Bitcoin does, then the cost of Proof of Work mining may be acceptable for the reasons you mentioned.

However, being used as a currency is not the only thing that a blockchain can do, and many newer crypto projects are attempting to do other things. For example, you can use a blockchain to act as a company (a 'Distributed Autonomous Company', or DAC). The DAC can provide services to users, in exchange for fees, and attempt to make a profit. For example, the Bitshares project functions as a company that provides an exchange on the blockchain, in which you can trade assets such as gold, dollars, bitcoin, etc.

When you are attempting to run a company on a blockchain, profits matter, and that means that you need your fees generated from customers to exceed the cost to secure the network, and that means that you need to use a more efficient security algorithm than proof of work. Various Proof of Stake algorithms cost much less to maintain. If the goal of your blockchain is not to represent all of the money in the world, but rather to be an autonomous company performing a certain service to users, then maybe you do not need to go 100% all in on security, perhaps it makes more sense to try and make a profit using a cheaper consensus algorithm.

Finally, there are now a variety of different Proof of Stake algorithms. Not all of them suffer from the vulnerabilities of the original proof of stake, in which you can use old keys which used to control many coins in order to attack the network. For example, Ripple (Ripple Consensus algorithm), Bitshares (Delegated Proof of Stake), and NXT (Transparent Forging) algorithms do not suffer from this weakness, as far as I know.

Full disclaimer: I work for Vitalik and the Ethereum Research Team.

Here are a couple of reasons for why we are ultimately eschewing PoW:

(1) We are pushing to get blockchain updating down to 3 seconds. You really can't do this with PoW, since 3 seconds is our budget for our network overhead.

(2) A single block chain doesn't scale well - we're pushing for protocols that involve multiple blockchains processing transactions independently. The current proposals all rely essentially on PoS based on the central Ethereum Blockchain. Proof of Work isn't generally secure for these architectures - if a new blockchain was created then a botnet could easily gain 51% of the compute power for a while before hashing power could be directed from other parts of the network.

If you can have similar or better security properties as mining without the cost incurred by the competition of energy expenditure, then the mining is wasteful.

While absolute trustless history seems good, it has a significant drawback as well: it isn't anti-fragile. That is, there is no way for the network to become stronger after recovering from a double spend attack, e.g. by slashing stake of the attackers.

You don't need long-range fork protection as long as the expiration of a block hash is known in advance. That is, short-range fork protection is all you need as long as the range is long enough -- e.g. a year. And this can be done entirely without mining.


[-][anonymous]6y 0

This is simply wrong. When presented with a valid history and a simulation how do you tell them apart?

If say the guaranteed protection against forks for the short term is up to a year, that means clients need to sync with the network at least every year. If you're always syncing, you won't be fooled by sham blockchains because it doesn't follow from your last trusted blockchain tip. If it does follow from your last trusted blockchain tip and you were syncing at least every year, then it's a short-range fork, and the consequences will be severe for the attacker -- it's unlikely to happen.

Even without syncing often, the client can get the blockchain hash from external trusted sources (or many trusted sources from existing validators), and sync thereon. Both of these solutions can be utilized to create a practical and secure solution.

[-][anonymous]6y 1

You are outsourcing the trust problem, not solving it.

It's solved for everyone who is always periodically syncing.

Also, if you're comfortable with Bitcoin's security model, then for Tendermint you only need to get a trusted block hash (after a long period of being offline) if and only if you detect a fork in the block-chain. Most of the time there won't be.

[-][anonymous]6y 2

I read this and was disappointed. Addressing your summary:

Proof of stake is broken in the same fundamental way as DRM: you can make it arbitrarily difficult to break but in practice not difficult enough to be infeasible. Once broken it becomes a worse version of proof of work, at best. Ripple consensus does not work as advertised.

ASICs help Bitcoin for much the same reasons evand mentioned.

I am not a bitcoin maximalist despite claims to the contrary. I co-created Freicoin for pete's sake.

Totally agree with the last point.

We're all on the same side... Can't we all get along without name calling or petty politics?

I'm curious, what exactly is the problem with the Ripple consensus algorithm? Why doesn't it work?

[-][anonymous]6y 3

If used as advertised, with anyone selecting their own validator list, it fails to reach consensus under non-pathological cases. It basically only works if you have a common list of validators that everyone uses[1], as has been recently demonstrated on Stellar[2] (a fork of Ripple). That would mean there'd be a handful of known servers around the world which together control the ledger. That may be useful in some contexts, but it is absolutely not a comparable solution to bitcoin.



Thanks for the info, two more questions:

  • Is NXT's Transparent Forging vulnerable to attacks by old private keys in the way that normal PoS is? Or does one have to control 51% of the current forging stake in order to attack it? If this is not vulnerable, then getting control of 1% of the stake seems as hard as controlling 51% of bitcoin hash power, and the person controlling this stake would not wish to harm their own stake. (The risk in the attack is if one can sell coins and then still attack).
  • Is Bitshares' DPoS vulnerable to such attacks? It seems that in order to attack the network you would need to compromise 51 out of 101 delegates, who produce the blocks. The delegates are voted on by shareholders, and you can vote again at any time. So if someone held stake, used it to vote in delegates that would attack the network, and sold their stake, the new buyer could vote in different delegates right away (if they were paying attention).

I suppose that you could social engineer your way into a position to attack by building a reputation and then getting 51 delegates elected without people realizing they were all part of the attacking group. Is it harder to fool everyone, or to get 51% of mining hash power?

As long as these systems are at least 'almost' as hard to attack as bitcoin, then they seem useful as a low cost alternative for applications where absolute security is not required. That is, maybe you arent trying to be the ultimate store of value like Bitcoin is. For many applications, high security at a low cost would be a better choice than perfect security at a high cost.

[-][anonymous]6y 2

Or you can just buy / steal the private keys to coins that have already been spent, and then simulate alternate histories.

The trouble with these schemes is that it is quite easy to make them more difficult to review, without actually adding any security. In both cases I saw earlly versions that were criticized for being entirely insecure, then there were some iterations that added no security, until it got complex and the people involved learned to not provide free consulting, which I won't do here either: the objections to proof of stake schemes are general. It can be shown that any proof of stake scheme must be broken by simulation. It's just a matter of showing what the necessary procedure is for a given scheme, which can be made arbitrary difficult to review. One of the guys I work with quiped that this "cryptographic security against review." That shouldn't be mistake for actual security.

There are general results showing that the security being advertised is not possible, the perpetual motion sense. It's a waste of time for credible people to spend their time disproving perpetual motions machines, particularly when their proponents can make them arbitrarily difficult to review. Do not mistake a lack of review for an indication of security.

While basic Proof of Stake may be 'broken', that does not necessarily mean that every variant of it is similarly broken. Several variations on proof of stake are more secure than the original.

But it is possible for Proof of Stake to be useful even if its NOT as secure as Proof of Work, because it is MUCH less expensive. This means that if you have a blockchain application that doesnt need to be absolutely 100% ultra secure, but it needs to make a profit/spend less money securing the network, then Proof of Stake (or an improved variation) is probably better for that application than Proof of Work.

For the ultimate store of value (Gold 2.0), Bitcoin with Proof of Work and the high level of security it provides is probably best. This is why Bitcoin has a place, and will survive, imo. For application that need slightly less security, Proof of Stake might be better. For example, lets say you want to run a prediction market, which is something that LessWrong seems to love. Its useful that your prediction market is not subject to 3rd party risk of a centralized source, and is instead secured by the blockchain. But maybe you dont need quite as much security as bitcoin provides. Maybe you need to run your prediction market at low cost, so that fees are low. Maybe a Proof of Stake variant is enough security, and provides better value. From what I've read, both Ethereum and BitShares will in the future allow you to run such a prediction market, and both will not require massive mining costs to secure the network.

Regarding ASICs, the problem is that the large mining pools that have developed as a result of the need to be maximally efficient in bitcoin mining have resulted in increased centralizaiton. Right now if you controlled or compromised the top two mining pools, you could attack the network. There is much more centralization in bitcoin mining now in the ASIC era than there was several years ago.

[-][anonymous]6y 1

No, the argument I was making does indeed fully generalize to the entire category of Proof of Stake solutions. The goal is to create a dynamic membership set signature, meaning that people can come and go by some mechanism. But that requirement enables simulations because if the future membership set can’t be predicted, then neither can alternative past histories be differentiated. Then no matter the construct used, with enough sybil identities anyone can grind variations on history until one is found which benefits the one doing the work. In this way any proof of stake system devolves into proof of work, only with worse properties (since if you're going to have proof of work anyway, double-SHA256 is about as good as it gets).

Furthermore, because the incentives are structured such that grinding histories is profitable behavior (and it needs to be for the system to be secure, since it is the same incentive that protects proof of stake when people follow the rules), you can be assured that unscrupulous people will grind histories, and others will too because the alternative is losing out. So proof of stake is NOT any less expensive than proof of work, because any proof of stake system becomes proof of work.

The solution to the mining centralization issue has nothing to do with proof of work algorithms or ASICs. The solution is things like smart property miners, coinbase-only mining, and delegated transaction selection. These are being worked on.

I can see why Bitcoin would want to do that.

Why is it in the interest of people here to help out? The only detail that seems substantially interesting is the last bullet point.

There's also serious academic work already on cryptocurrencies. What do you think people here can offer beyond that?

Vitalik seems to think that LessWrongers could help out the cryptocurrency world in terms of philosophy, game theory, and computer science knowledge. I would agree, given that those seem to be the greatest strengths of the LessWrong community.

It was also nice to see one of the biggest names in an industry give credit to LessWrong in a blog post.

[-][anonymous]6y 0

There is a significant gap between the fields of distributed systems (and consensus) and game-theory.

There is one well known cryptocurrency innovator who, in a private group, denounced the usage of economics or game theory to secure the consensus of a cryptocurrency ledger, and the justification lacked rationality.

It may have been this gap in academia compounded with the irrational arguments put forth by somebody well known in the crypto currency community which prompted Vitalik to seek help from this community.

My bias is with my own work, so I would appreciate if anyone here could look over the security of the Tendermint protocol. To attack it first you must understand it. I can help you understand it. You can also read the source for the reference implementation on GitHub.

[This comment is no longer endorsed by its author]Reply

In other news....I think that for anyone who doesn't have bitcoin, the current price of $280 today (Jan 3) is a really good time to buy. Even better if we hit 260ish, since that is the level of the old April 2013 high.

Either bitcoin is dying, or this is a very low price. I don't think its dying.

[-][anonymous]5y 0

The developers of the the highest market share chunk of cryptocurrency camp (Monero) are of the opinion that the maths behind Ethereum is bullshit. I really like the sound of Augur, and it's implication for Ethereum's smartcontracts fulfilled in prediction marketplaces, but with 4 publicly known academic cryptographers incl. a John Hopkins professor saying Ethereum doesn't have the math to back up their claims, I'm not prepared to buy in. On the other hand, Monero, SDK, and the whole money laundering cryptocurreny camp probably is a poor investment at the time of writing given the information I have.

[-][anonymous]6y 0


[This comment is no longer endorsed by its author]Reply