The money spent on mining is not wasted.
New coins are worth something. People will compete to produce them, resulting in marginal value ~= marginal cost. You can either make this simple enough that it’s obvious that’s what is going on, or you can hide it behind complexity. Proof of stake hides it: it creates bizarre problems like a black market in private keys that used to hold lots of coins so that you can generate new POS coins. Other options (complete pre-mine, for instance) come with their own problems.
Forcing people to spend lots of real resources generating coins has a really desirable side effect: it means that many of the producers will be forced to sell the coins they mine, which means there will be a market for those looking to buy them.
For the same reason, ASIC miners causing hash rate explosions are not a bad thing. The economic incentives don’t care about capital costs vs electric costs, just that cost to produce = selling price. The centralization is bad, yes, but the other complaints commonly raised aren’t actually a bad thing.
POS and other non-POW schemes lose one of Bitcoin’s most appealing features: trustless history. I can tell from my copy of the blockchain that it is valid. If someone disagrees, they can simply present their version with a stronger POW, and I can easily tell who is correct without trusting either party.
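The comparison the comment above describes, as an added example that is not part of this thread and is not any project's code: a toy proof-of-work chain in Python where deciding between two histories means validating each one from genesis and summing its work, with no knowledge of who supplied it. The difficulty encoding (a block's work counted as 2**bits), the fixed network minimum, and the sample chains are assumptions constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass


def target(bits: int) -> int:
    """A block hash must be below this value: `bits` leading zero bits (assumed encoding)."""
    return 1 << (256 - bits)


@dataclass(frozen=True)
class Block:
    prev_hash: bytes   # hash of the previous block (32 bytes)
    bits: int          # difficulty this block claims to meet
    nonce: int
    payload: bytes     # stands in for the transaction merkle root

    def header(self) -> bytes:
        return self.prev_hash + struct.pack(">II", self.bits, self.nonce) + self.payload

    def hash(self) -> bytes:
        return hashlib.sha256(hashlib.sha256(self.header()).digest()).digest()

    def pow_ok(self) -> bool:
        return int.from_bytes(self.hash(), "big") < target(self.bits)


def mine(prev_hash: bytes, bits: int, payload: bytes) -> Block:
    nonce = 0
    while True:
        b = Block(prev_hash, bits, nonce, payload)
        if b.pow_ok():
            return b
        nonce += 1


def chain_work(chain, genesis_hash: bytes, min_bits: int) -> int:
    """Validate links and proofs of work; return cumulative expected hashes.

    Nothing here depends on who handed us the chain: only the bytes are checked."""
    prev, total = genesis_hash, 0
    for i, b in enumerate(chain):
        if b.prev_hash != prev:
            raise ValueError(f"block {i}: does not link to previous block")
        if b.bits < min_bits:
            raise ValueError(f"block {i}: difficulty below network minimum")
        if not b.pow_ok():
            raise ValueError(f"block {i}: hash does not meet claimed difficulty")
        total += 1 << b.bits   # expected hashes to find a block at this difficulty
        prev = b.hash()
    return total


def choose(mine_chain, theirs, genesis_hash: bytes, min_bits: int) -> str:
    """Keep my chain unless theirs validates and carries strictly more work."""
    my_work = chain_work(mine_chain, genesis_hash, min_bits)
    try:
        their_work = chain_work(theirs, genesis_hash, min_bits)
    except ValueError:
        return "mine"
    return "theirs" if their_work > my_work else "mine"


def build(genesis_hash: bytes, spec):
    """spec: list of (bits, payload); mines each block on top of the last."""
    chain, prev = [], genesis_hash
    for bits, payload in spec:
        b = mine(prev, bits, payload)
        chain.append(b)
        prev = b.hash()
    return chain


def demo() -> dict:
    genesis = hashlib.sha256(b"constructed genesis").digest()
    min_bits = 8
    # Constructed sample: my 3 blocks at 8 bits vs. their 2 blocks at 10 bits.
    mine_chain = build(genesis, [(8, b"a"), (8, b"b"), (8, b"c")])
    theirs = build(genesis, [(10, b"x"), (10, b"y")])
    # Rewriting history without re-mining: edit an old payload, keep the nonce.
    tampered = list(theirs)
    t0 = tampered[0]
    tampered[0] = Block(t0.prev_hash, t0.bits, t0.nonce, b"rewritten")
    try:
        chain_work(tampered, genesis, min_bits)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "my_work": chain_work(mine_chain, genesis, min_bits),
        "their_work": chain_work(theirs, genesis, min_bits),
        "choice": choose(mine_chain, theirs, genesis, min_bits),
        "choice_vs_tampered": choose(mine_chain, tampered, genesis, min_bits),
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two things fall out of running it: the shorter chain wins because "stronger POW" is cumulative work rather than block count, and a history edited after the fact fails validation on its own bytes, so the client never has to decide which party to believe.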
A single example nullifies your entire argument: PrimeCoin.
Ok, you say, finding primes isn’t all that useful either. Fair objection. But there’s no reason to think that someone won’t come up with a valid POW system that does something incredibly useful, like molecular simulations. Actually it’s not that hard to do, the main difficulty is ensuring cryptographic strength. The idea of cryptographic hashes that do useful computations is already becoming a huge research field.
But fact is, POW is entirely separated from the value produced by mining. People often confuse these two concepts.
A useful proof of work invalidates assumptions about incentives. To be useful it needs to be useless.
It needs to be valueless, not useless. Finding primes actually seems like something that might be both useful and low-value.
Anything with a use has value to a person benefiting from that use. The trick is to make it such that out-of-band payments to specific miners are not likely to occur.
That’s not to say that it’s absolutely, 100% a priori impossible to have a “useful but no-value” proof of work. Only theorized example I know of is time-lock decryption: you have a deterministic process for generating public keys, and the proof of work solution is the recovered private key. However this invalidates other assumptions that are required of a secure proof of work, at least with all existing public key crypto systems.
Not true. If it invalidates your ‘assumptions about incentives’, then your assumptions are wrong. All that is truly necessary is for the value of that use to be smaller than doing it in a way that doesn’t involve mining.
A simple example illustrates this: You could argue that current crypto mining already has a use: it heats up your room. In fact a lot of people run mining clusters instead of electrical heaters in the winter.
When you are trying to use a blockchain as a store of value or currency, as Bitcoin does, then the cost of Proof of Work mining may be acceptable for the reasons you mentioned.
However, being used as a currency is not the only thing that a blockchain can do, and many newer crypto projects are attempting to do other things. For example, you can use a blockchain to act as a company (a ‘Distributed Autonomous Company’, or DAC). The DAC can provide services to users, in exchange for fees, and attempt to make a profit. For example, the Bitshares project functions as a company that provides an exchange on the blockchain, in which you can trade assets such as gold, dollars, bitcoin, etc.
When you are attempting to run a company on a blockchain, profits matter, and that means that you need your fees generated from customers to exceed the cost to secure the network, and that means that you need to use a more efficient security algorithm than proof of work. Various Proof of Stake algorithms cost much less to maintain. If the goal of your blockchain is not to represent all of the money in the world, but rather to be an autonomous company performing a certain service to users, then maybe you do not need to go 100% all in on security, perhaps it makes more sense to try and make a profit using a cheaper consensus algorithm.
Finally, there are now a variety of different Proof of Stake algorithms. Not all of them suffer from the vulnerabilities of the original proof of stake, in which you can use old keys which used to control many coins in order to attack the network. For example, Ripple (Ripple Consensus algorithm), Bitshares (Delegated Proof of Stake), and NXT (Transparent Forging) algorithms do not suffer from this weakness, as far as I know.
Full disclaimer: I work for Vitalik and the Ethereum Research Team.
Here are a couple of reasons for why we are ultimately eschewing PoW:
(1) We are pushing to get blockchain updating down to 3 seconds. You really can’t do this with PoW, since 3 seconds is our budget for our network overhead.
(2) A single blockchain doesn’t scale well—we’re pushing for protocols that involve multiple blockchains processing transactions independently. The current proposals all rely essentially on PoS based on the central Ethereum Blockchain. Proof of Work isn’t generally secure for these architectures—if a new blockchain was created then a botnet could easily gain 51% of the compute power for a while before hashing power could be directed from other parts of the network.
If you can have similar or better security properties as mining without the cost incurred by the competition of energy expenditure, then the mining is wasteful.
While absolute trustless history seems good, it has a significant drawback as well: it isn’t anti-fragile. That is, there is no way for the network to become stronger after recovering from a double spend attack, e.g. by slashing stake of the attackers.
You don’t need long-range fork protection as long as the expiration of a block hash is known in advance. That is, short-range fork protection is all you need as long as the range is long enough—e.g. a year. And this can be done entirely without mining.
See http://tendermint.com
This is simply wrong. When presented with a valid history and a simulation how do you tell them apart?
If say the guaranteed protection against forks for the short term is up to a year, that means clients need to sync with the network at least every year. If you’re always syncing, you won’t be fooled by sham blockchains because it doesn’t follow from your last trusted blockchain tip. If it does follow from your last trusted blockchain tip and you were syncing at least every year, then it’s a short-range fork, and the consequences will be severe for the attacker—it’s unlikely to happen.
Even without syncing often, the client can get the blockchain hash from external trusted sources (or many trusted sources from existing validators), and sync thereon. Both of these solutions can be utilized to create a practical and secure solution.
You are outsourcing the trust problem, not solving it.
It’s solved for everyone who is always periodically syncing.
Also, if you’re comfortable with Bitcoin’s security model, then for Tendermint you only need to get a trusted block hash (after a long period of being offline) if and only if you detect a fork in the blockchain. Most of the time there won’t be.
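The syncing rule laid out in the replies above (a candidate chain must descend from the client's last trusted tip, the tip must be younger than the expiry window, and a client offline longer than that has to fetch a fresh hash out of band), as an added example in Python that is not part of this thread and is not Tendermint's code. The one-year window, the placeholder hashes and validator ids, and the assumption that header signatures were already verified elsewhere are all constructed for illustration; it also shows the piece the "anti-fragile" reply points at, turning a short-range fork into slashing evidence.

```python
from dataclasses import dataclass

DAY = 24 * 3600
YEAR = 365 * DAY   # assumed expiry window for block hashes ("e.g. a year" above)


@dataclass(frozen=True)
class Header:
    height: int
    hash: str
    parent: str
    signers: frozenset   # validator ids on this header (signatures assumed verified already)


@dataclass(frozen=True)
class TrustedTip:
    height: int
    hash: str
    synced_at: int       # unix time the client last synced to this tip


def well_linked(chain) -> bool:
    """Each header names the previous one as parent and increments the height."""
    return all(chain[i].parent == chain[i - 1].hash and chain[i].height == chain[i - 1].height + 1
               for i in range(1, len(chain)))


def classify(candidate, tip: TrustedTip, now: int, window: int = YEAR) -> str:
    """What a client can conclude about `candidate` from its own trusted tip alone."""
    if now - tip.synced_at > window:
        return "stale"        # offline longer than the window: need a fresh hash out of band
    if not well_linked(candidate):
        return "invalid"
    at_tip = next((h for h in candidate if h.height == tip.height), None)
    if at_tip is None or at_tip.hash != tip.hash:
        return "sham"         # does not descend from the trusted tip: ignore it
    return "extends-tip"      # any fork from here is short-range and attributable


def equivocators(a, b) -> frozenset:
    """Validators that signed two different headers at one height: slashable evidence."""
    by_height = {h.height: h for h in a}
    guilty = set()
    for h in b:
        other = by_height.get(h.height)
        if other is not None and other.hash != h.hash:
            guilty |= other.signers & h.signers
    return frozenset(guilty)


def demo(now: int = 1_700_000_000) -> dict:
    V = frozenset({1, 2, 3})
    tip = TrustedTip(height=100, hash="h100", synced_at=now - 30 * DAY)
    # Constructed sample chains; hashes are placeholder strings.
    honest = [Header(100, "h100", "h99", V), Header(101, "h101", "h100", V),
              Header(102, "h102", "h101", V)]
    # Long-range rewrite built with keys that held stake long ago: never passes through the tip.
    sham = [Header(100, "x100", "x99", V), Header(101, "x101", "x100", V),
            Header(102, "x102", "x101", V)]
    # Short-range fork: extends the tip, but validators 1 and 2 also signed the honest chain.
    fork = [Header(100, "h100", "h99", V), Header(101, "f101", "h100", frozenset({1, 2}))]
    return {
        "honest": classify(honest, tip, now),
        "sham": classify(sham, tip, now),
        "fork": classify(fork, tip, now),
        "slash": equivocators(honest, fork),
        "offline_too_long": classify(honest, TrustedTip(100, "h100", now - 400 * DAY), now),
    }


if __name__ == "__main__":
    print(demo())
```

The sham chain is rejected without evaluating its signatures at all, because it never touches the trusted tip; the short-range fork is structurally acceptable but names exactly the validators who double-signed, which is the evidence a slashing rule acts on. The "stale" branch is the outsourced trust the objection above refers to: it is the only case where the client must ask someone.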