Presentation by Stefan Dziembowski, associate professor and leader of the Cryptology and Data Security Group, University of Warsaw, at the BIU workshop on Bitcoin. Covered exclusively by vpnMentor.com.
2. Drawbacks of Bitcoin's PoWs
1. high energy consumption (costs money, bad for the environment)
2. advantage for people with dedicated hardware
3. Drawbacks of Bitcoin's transaction system
1. lack of real anonymity
2. non-Turing-complete scripts (example script: OP_DUP OP_HASH160 02192cfd7508be5c2e6ce9f1b6312b7f268476d2 OP_EQUALVERIFY OP_CHECKSIG)
4. Natural questions
Can we have:
1. PoWs where there is no mining in hardware?
2. more energy-efficient PoWs?
3. PoWs doing something useful?
4. PoWs that are impossible to outsource (so there are no mining pools)?
5. a cryptocurrency with real anonymity?
6. a cryptocurrency with Turing-complete scripts?
Answer to most of these questions: yes (but still some more research is needed).
5. Alternative cryptocurrencies
a) Litecoin: a currency where hardware mining is (supposedly) harder
b) Spacemint: a currency based on the Proofs of Space
c) Currencies based on the Proofs of Stake
d) Currencies doing some useful work (Primecoin, Permacoin)
e) Zerocash: a currency with true anonymity
f) Ethereum: a currency with Turing-complete scripts
g) Other uses of the Blockchain technology
Disclaimers: (a) some of them are just academic proposals, (b) this order is not chronologic.
6. Plan
1. Litecoin: a currency based on the scrypt hash function
2. Spacemint: a currency based on the Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work (Primecoin, Permacoin)
5. Ethereum: a currency with Turing-complete scripts
6. Other uses of the Blockchain technology
7. Litecoin
Released in Oct 2011 by Charles Lee.
Instead of SHA256, Litecoin uses the scrypt hash function introduced in: Colin Percival, Stronger Key Derivation via Sequential Memory-Hard Functions, 2009.
Idea: scrypt is a function whose computation requires a lot of memory, so it's hard to implement it efficiently in hardware (really?).
As of June 2016: market cap ≈ 226 million USD, 1 LTC ≈ 5 USD.
8. How does scrypt work?
Computing scrypt(X):
Init phase: fill in a table of length N with a pseudorandom expansion of X:
X_0 = H(X), X_1 = H(X_0), X_2 = H(X_1), ..., X_{N-1} = H(X_{N-2})
Result (for N = 10): X_0 X_1 X_2 X_3 X_4 X_5 X_6 X_7 X_8 X_9
Second phase: compute the output by accessing the table "pseudorandomly":
Z ← H(X_{N-1})
for i = 0 to N-1 do
    j := Z mod N
    Z ← H(Z ⊕ X_j)
output Z
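The two phases above in runnable form, as an added example that is not code from the talk or from scrypt itself (SHA-256 stands in for scrypt's BlockMix, an assumption). It also evaluates the same function without keeping the table, recomputing X_j on demand, which shows the time-memory tradeoff the next slides discuss: the table-free variant needs far more calls to H for the same output.

```python
import hashlib

# Added example (not the talk's or scrypt's own code): the memory-hard core of
# scrypt with H := SHA-256 standing in for BlockMix (assumption; real scrypt uses
# Salsa20/8-based mixing on larger blocks).

CALLS = {"H": 0}  # counts random-oracle calls, the cost measure used in the talk


def H(data: bytes) -> bytes:
    CALLS["H"] += 1
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scrypt_core(x: bytes, n: int) -> bytes:
    """Honest evaluation: keep the whole table (space N blocks, time ~2N calls to H)."""
    # init phase: X_0 = H(X), X_{i+1} = H(X_i)
    table = [H(x)]
    for _ in range(n - 1):
        table.append(H(table[-1]))
    # second phase: pseudorandom accesses into the table
    z = H(table[n - 1])                   # Z <- H(X_{N-1})
    for _ in range(n):
        j = int.from_bytes(z, "big") % n  # j := Z mod N
        z = H(xor(z, table[j]))           # Z <- H(Z xor X_j)
    return z


def scrypt_core_no_table(x: bytes, n: int) -> bytes:
    """Space-saving evaluation: store nothing, recompute X_j on demand (time ~N^2/2)."""
    def x_at(j: int) -> bytes:
        cur = H(x)
        for _ in range(j):
            cur = H(cur)
        return cur

    z = H(x_at(n - 1))
    for _ in range(n):
        j = int.from_bytes(z, "big") % n
        z = H(xor(z, x_at(j)))
    return z


def count_calls(fn, x: bytes, n: int):
    """Return (output, number of H calls) for one evaluation of fn."""
    CALLS["H"] = 0
    out = fn(x, n)
    return out, CALLS["H"]


if __name__ == "__main__":
    x = b"constructed input"
    full, t_full = count_calls(scrypt_core, x, 32)
    lean, t_lean = count_calls(scrypt_core_no_table, x, 32)
    print(full == lean, t_full, t_lean)  # same output, far more work without the table
```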
9. What is known about scrypt?
[Percival, 2009]:
• it can be computed in time O(N),
• to compute it one needs time T and space S such that T × S = Ω(N^2); this holds even on a parallel machine.
Pictorially: a circuit computing scrypt from its input to its output, using time T and space S.
10. An observation
[Alwen, Serbinenko, STOC'15]: this definition is not strong enough.
The adversary that wants to compute scrypt in parallel can "amortize space". Example: several instances can be computed in parallel by running several circuits for scrypt side by side (the picture shows three of them), so the space-time cost per instance is much smaller than the T × S bound suggests.
So: the bound provided by Percival is meaningless.
11. The contribution of [Alwen and Serbinenko]
1. the "right" definition: instead of looking at T × S, look at the sum of memory cells used over time ("the area on the picture" of a circuit computing scrypt in time T and space S);
2. a construction that satisfies this definition (uses advanced graph theory).
14. Spacemint
[Sunoo Park, Krzysztof Pietrzak, Albert Kwon, Joël Alwen, Georg Fuchsbauer, Peter Gaži, Eprint 2015]
Based on the Proofs of Space [D., Faust, Kolmogorov, and Pietrzak, CRYPTO 2015].
Main idea: replace work by disk space.
Advantages:
• no "dedicated hardware",
• less energy wasted ("greener").
15. Example of an application other than cryptocurrencies
Setting: a cloud computing service (e.g. an email system).
Goal: prevent malicious users from opening lots of fake accounts.
Method: force each account owner to "waste" a large part of his local space.
Important: the space needs to be allocated as long as the user uses the service.
16. Main difference from PoWs
To prove that one wasted n CPU cycles one needs to perform these cycles, while: to prove that one wasted n bytes one does not need to touch all of them.
19. How to measure time and space
Time is measured in terms of the calls to a random oracle H.
Space is measured in blocks of length L (outputs of H). E.g. L = 256.
20. The general scenario
Two parties, a verifier and a prover, both know (Id, N).
Init(Id): a one-time phase after which the prover's memory holds R, N blocks of length L.
Proof: a phase that can be repeated many times; each time the verifier outputs ∈ {accept, reject}.
The proof is done with respect to an identifier Id (e.g. an email address).
Id should be unique for each execution (e.g. it can contain a nonce from the verifier).
21. How to define the security of a PoS
Properties:
• completeness: if the prover is honest then the verifier will always accept the proof,
• soundness, and
• efficiency (both less trivial to define).
22. How to define the efficiency?
Let us first show a very simple (but not efficient) PoS.
Note: we have not defined the security yet, so it's just an "informal example".
23. A "trivial PoS"
Init: the verifier picks R = (R_1, ..., R_N) at random and sends it to the prover.
Proof: the verifier picks J ⊆ {1, ..., N} such that |J| = k (k: security parameter) and sends it; the prover replies with (R_i)_{i ∈ J}; the verifier checks if the answer is correct.
Note: if R is generated pseudorandomly then the verifier needs to store only the seed.
Easy to see: to pass the verification the prover needs to store ≈ |R| data.
Problem: the initialization phase requires the verifier to do a lot of work.
24. Efficiency
We require that the computing time of the parties is as follows:
        verifier           prover
Init    poly(log N, k)     poly(N)
Proof   poly(log N, k)     poly(log N, k)
Note: this also imposes a limit on the communication complexity.
Remark: in our protocols poly is small (e.g.: poly(log N, k) = k · log N).
25. How to define soundness?
Informally: we want to force a cheating prover to constantly waste a lot of memory.
26. What would be the goal of a cheating prover?
To "compress" R: after Init(Id), store some X of N_0 ≪ N "blocks" instead of the N blocks of R, and still pass the Proof phases.
27. Observation: a cheating prover has a simple (but inefficient) winning strategy.
During Init(Id): erase R but store all the messages X from the verifier (only poly(log N, k) data).
Each time before the Proof: expand X into R by simulating the Init phase, answer by simulating the honest prover, then erase R again.
Moral: we need to restrict the power of a cheating prover.
28. Restrictions on a cheating prover
We restrict his operating time. We say that P is an (N_0, T)-cheating prover if:
• the size of P's storage is at most N_0 blocks, and
• the time used by P during Proof is at most T.
(We also have a variant of the definition with a restriction on P's space during the proof.)
Note: no restrictions on P's computing power during Init.
29. Security definition
A protocol is an (N_0, T)-Proof of Space if it is complete, efficient, and sound, where sound means: for every (N_0, T)-cheating prover P, Pr[the verifier accepts] ≤ negl(k).
31. Why is constructing PoS schemes hard?
Time-memory tradeoffs: instead of storing the N blocks of R, the adversary stores some smaller X and, before every Proof phase, recomputes R from X, trading time for memory.
For example:
32. Example of a time-memory tradeoff: function inversion
F: {0,1}^n → {0,1}^n, a random permutation.
Fact: F can be inverted efficiently if one can do precomputation and store the result in memory of size 2^n:
1. compute F on every x ∈ {0,1}^n and put every (x, F(x)) into a table T,
2. sort the table T by the second column.
33. Can we build a PoS out of it?
No :(
[M. Hellman, 1980]: a time-memory tradeoff exists for this problem: writing N = 2^n, F can be inverted in time much smaller than N given pre-processing in space much smaller than N.
34. Main technique
G = (V, E): a directed acyclic graph with |V| = N.
H_Id: a hash function that depends on Id (for example H_Id(x) = H'(Id || x) for some other hash function H').
We construct R = (R_1, ..., R_N) by recursively labelling the vertices V as follows: the label of a vertex v is R_v = H_Id(v, labels of the parents of v).
On the slide's five-vertex example graph: the sources 1 and 2 get R_1 = H_Id(1) and R_2 = H_Id(2); vertex 3, with parents 1 and 2, gets R_3 = H_Id(3, R_1, R_2); vertex 4, with a single parent, gets R_4 = H_Id(4, R_parent); the sink 5, with parents 3 and 4, gets R_5 = H_Id(5, R_3, R_4).
Note: every G induces a function f_G of the form Id ↦ (R_1, ..., R_N).
35. Very informally
A graph is bad if it can be "quickly" labeled by someone who stores only a "small" number of labels.
Example of a bad graph: the path 1 → 2 → 3 → ... → N.
The adversary that stores the labels in positions 1, √N, 2√N, ... can compute every label in √N steps.
Call a graph good if it is not bad.
36. How to build a PoS from a good graph?
Both parties know (Id, N).
Init: the prover computes R = (R_1, ..., R_N) := f_G(Id).
Proof: the verifier picks J ⊆ {1, ..., N} such that |J| = k; the prover replies with (R_i)_{i ∈ J}.
Problem: the entire R needs to be sent to the verifier, otherwise it cannot check the answers.
37. Solution: let the prover commit to R with a Merkle tree.
(Picture: leaves R_1, ..., R_8; the next level holds H(R_1, R_2), H(R_3, R_4), H(R_5, R_6), H(R_7, R_8); the root is C.)
Recall: Merkle trees allow one to efficiently prove that each block R_i was included in the hash C.
This is done by sending MerkleProof(R_i), the sibling hashes on the path from R_i to the root, e.g.:
MerkleProof(R_1) = (R_2, H(R_3, R_4), Merkle(R_5, ..., R_8)).
38. New Init phase
Both parties know (Id, N).
The prover computes R = (R_1, ..., R_N) := f_G(Id) and sends C := Merkle(R) to the verifier.
Then, repeated k times (consistency check): the verifier picks a vertex a with parents b, c; the prover opens R_a, R_b, R_c (with their Merkle proofs); the verifier checks if R_a = H_Id(a, R_b, R_c). If yes, then we say that a is consistent.
39. New Proof phase
In the Proof phase the prover opens the Merkle commitment to every R_i he is asked about: the verifier picks J ⊆ {1, ..., N} such that |J| = k, and the prover replies with (R_i)_{i ∈ J} together with their Merkle proofs.
40. Easy to see
Let G be the graph to which a malicious prover committed. If the consistency check was ok k times, then most likely a large fraction of the nodes in G is consistent.
41. How to deal with the inconsistent nodes?
Suppose the graph G has m inconsistent nodes. The adversary can "save" memory by not storing these m blocks.
Observation: such an adversary with memory N_0 can be "simulated" by an adversary with memory N_0 + m that commits to a graph with no inconsistent nodes.
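The new Init phase (Merkle commitment plus consistency checks) and the new Proof phase of slides 37 to 41, as an added example that is not code from the talk or from [DFKP15]. It labels a constructed toy DAG (not one of the paper's "good" graphs) and shows why the consistency check matters: a prover who commits to a fake label for one vertex still passes the Proof phase openings, but that vertex and its children fail the consistency check. Assumed: N is a power of two, H_Id(x) = SHA-256(Id || x), vertices are numbered 0..N-1 in topological order.

```python
import hashlib
import random

# Added example, not code from the talk or from [DFKP15]: Init/Proof of the
# graph-labelling PoS over a constructed toy DAG (not one of the paper's "good"
# graphs). Assumptions: N is a power of two, H_Id(x) = SHA-256(Id | x),
# vertices numbered 0..N-1 in topological order, k = number of challenges.

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def label(id_: bytes, parents: dict) -> list:
    """R = f_G(Id): R_v = H_Id(v, labels of v's parents)."""
    R = []
    for v in range(len(parents)):
        R.append(H(id_, v.to_bytes(4, "big"), *[R[p] for p in parents[v]]))
    return R

def merkle_root(leaves: list) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_open(leaves: list, idx: int) -> list:
    """MerkleProof(R_idx) of slide 37: sibling hashes from the leaf up to the root."""
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[idx ^ 1])
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return path

def merkle_verify(root: bytes, leaf: bytes, idx: int, path: list) -> bool:
    h = leaf
    for sib in path:
        h = H(sib, h) if idx & 1 else H(h, sib)
        idx //= 2
    return h == root

def consistency_check(id_, parents, C, R, v) -> bool:
    """Verifier side of the new Init phase for vertex v: the prover opens v and
    its parents against C; the verifier recomputes H_Id and compares."""
    opened = [(u, R[u], merkle_open(R, u)) for u in [v] + parents[v]]
    if not all(merkle_verify(C, leaf, u, path) for u, leaf, path in opened):
        return False
    return R[v] == H(id_, v.to_bytes(4, "big"), *[R[p] for p in parents[v]])

def proof_phase(C, R, J) -> bool:
    """New Proof phase: the prover opens every R_j, j in J; the verifier checks them against C."""
    return all(merkle_verify(C, R[j], j, merkle_open(R, j)) for j in J)

# constructed DAG with N = 8 vertices; PARENTS[v] lists the predecessors of v
PARENTS = {0: [], 1: [], 2: [0, 1], 3: [1], 4: [2, 3], 5: [2], 6: [4, 5], 7: [3, 6]}

def honest_labels(id_: bytes) -> list:
    return label(id_, PARENTS)

def cheating_labels(id_: bytes) -> list:
    """A prover that never computes R_6 and commits to a placeholder label instead."""
    R = label(id_, PARENTS)
    R[6] = b"\x00" * 32
    return R

def run(id_: bytes, R: list, k: int, seed: int = 1) -> tuple:
    """(all k consistency checks passed, proof phase passed) for committed labels R."""
    rng = random.Random(seed)
    C = merkle_root(R)
    init_ok = all(consistency_check(id_, PARENTS, C, R, rng.randrange(len(R))) for _ in range(k))
    return init_ok, proof_phase(C, R, rng.sample(range(len(R)), k))
```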
42. Techniques
We construct good graphs such that the time-memory tradeoffs for computing f_G are bad.
For this we use techniques from graph pebbling.
The constructions are based on tools from graph theory:
• hard-to-pebble graphs of Paul, Tarjan, Celoni, 1976,
• superconcentrators, random bipartite expander graphs, and
• graphs of Erdős, Graham, Szemerédi, 1975.
The details are in the paper.
43. The results of [DFKP15]
We construct a (c_1 N, c_2 N)-Proof of Space (for some constants c_1 and c_2).
We also have a construction that is secure when the prover's space during the execution is restricted.
Caveat: in the model we need a "simplifying assumption" that the adversary can explicitly state which blocks he knows.
45. Why can't the PoS's be used to directly replace the PoWs?
1. PoW is single-phase, while PoS has the Init phase.
2. How to make the reward proportional to the invested resources?
3. Where does the challenge come from? (we will talk about it later)
46. Single-phase vs. "with initialization"
PoW (prover, verifier): the verifier sends a random challenge c; the prover answers with a proof p.
PoS (prover, verifier): the prover first publishes a commitment C := (Merkle(f(Id)), Id); then the verifier sends a random challenge c and the prover answers with a proof p.
Note: the consistency check can be performed in the proof phase.
Good news: PoS is also "public coin".
47. The solution
Take a PoS scheme; let f be the function that fills in the memory.
Every user who joins the system "declares" how much space he can devote. This is done as follows:
1. run Gen to obtain a key pair (secret key sk, public key pk),
2. compute (R_1, ..., R_N) = f(pk),
3. compute C := Merkle(R_1, ..., R_N),
4. post the transaction ⟨commit, C, pk⟩.
Note: no need to run the consistency check (this is done later).
48. How to make the reward proportional to the invested resources?
Suppose we have 5 miners, each with some proportion of the total space. How to determine who has the right to extend the chain from a given block?
49. Observation
Let N_1, ..., N_5 be the memory sizes of the miners. Suppose N_1 = ⋯ = N_5.
Suppose we have a random challenge c (in Bitcoin the challenge was the previous block).
Observe that the PoS of [DFKP15] is public-coin.
Let every miner P_1, ..., P_5 execute the PoS with respect to this challenge, producing proofs p_1, ..., p_5.
Let G: {0,1}* → {1, ..., W} be a hash function (with very large W).
P_i is the winner if G(p_i) is larger than all the other G(p_j)'s.
50. Easy to see:
For each P_i his probability of winning is equal to 1/5. This is because for a given commitment C and challenge c the solution p is uniquely determined.
Note: this is not true if one can change C. This is why we require the miners to post commitments on the blockchain.
If it were not the case then a malicious miner could try different C's. Hence we would be back in the Proof of Work scenario.
51. But what if the N_i's are not equal?
We need a function D_{N_i} such that the condition "P_i is the winner if D_{N_i}(p_i) is larger than all the other D_{N_j}(p_j)'s" yields a winner with probability N_i / (N_1 + ⋯ + N_5).
It turns out that D_{N_i}(p) := (G(p)/W)^{1/N_i} is such a function (the details are in the paper).
52. Quality of the blockchain
Using the function D_N we can also define the quality of the blockchain (in Bitcoin it is its length).
First, let q_i := D_{N_i}(p_i). Define
Q(q_i) := min { N : Pr_{u uniform}[ D_N(u) ≥ q_i ] ≥ 1/2 },
the space required to get a better proof than q_i on a random challenge with probability 1/2.
Then let the total quality of the blockchain be equal to the sum of the Q_i's.
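The leader election of slides 49 to 52 (D_{N_i}(p) = (G(p)/W)^{1/N_i}) and the quality Q(q), as an added example that is not code from the talk or from Spacemint. The simulation over many challenges shows the winning frequency matching N_i / ΣN_j; Q(q) is computed from the closed form that follows from D_N(u) ≥ q ⇔ u ≥ q^N. Assumed: G(p) = SHA-256(commitment || challenge) read as an integer, W = 2^256, and a miner's proof is fully determined by its commitment and the challenge, as on slide 50.

```python
import hashlib
import math

# Added example, not code from the talk or Spacemint. Assumptions: G(p) is
# SHA-256 of (commitment || challenge) read as an integer, W = 2**256, and the
# proof p is determined by (commitment, challenge) as slide 50 requires.

W = 2 ** 256


def G(commitment: bytes, challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(commitment + challenge).digest(), "big")


def D(space: int, commitment: bytes, challenge: bytes) -> float:
    """D_N(p) := (G(p)/W)^(1/N): the N-th root lifts larger-space miners' values."""
    return (G(commitment, challenge) / W) ** (1.0 / space)


def winner(miners: list, challenge: bytes) -> int:
    """miners: list of (commitment, space N_i); index of the largest D_{N_i}(p_i)."""
    return max(range(len(miners)), key=lambda i: D(miners[i][1], miners[i][0], challenge))


def win_frequencies(miners: list, trials: int) -> list:
    """Empirical winning frequency of each miner over `trials` distinct challenges."""
    wins = [0] * len(miners)
    for t in range(trials):
        wins[winner(miners, t.to_bytes(8, "big"))] += 1
    return [w / trials for w in wins]


def quality(q: float) -> int:
    """Q(q) := min{ N : Pr_{u uniform}[D_N(u) >= q] >= 1/2 } for q in (0, 1).
    D_N(u) >= q  <=>  u >= q^N, so Pr = 1 - q^N and Q is the least N with q^N <= 1/2."""
    return max(1, math.ceil(math.log(0.5) / math.log(q)))


# constructed miners: commitments are labels, spaces N_i = 1, 2, 3, 4
MINERS = [(b"commit-" + bytes([i]), n) for i, n in enumerate([1, 2, 3, 4])]
```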
53. This solution needs some small modifications
1. To avoid bad events that happen with small probability we need to limit the maximal Q_i that counts (this limit is imposed with respect to the median of the other Q_i's).
54. 2. What if the amount of space in the system increases dramatically?
Then the adversary that "starts computing the blockchain from the beginning" can produce a better quality chain (even if his memory is < 1/2 of the total).
Solution: only the last 1000 blocks count (note: this requires checkpoints).
55. Where does the challenge c come from?
1. Use a NIST beacon or some other trusted source: not a good solution for a "fully distributed" currency.
2. "Ask" some other miner: possible but complicated (what if he is not online?).
3. [Bitcoin solution]: use some previous block. Not so easy as in Bitcoin...
56. Problems with using the previous block
By manipulating the transaction list the miner can produce different hashes H(B_i) of block B_i, and hence different challenges for period i+1; this is called "grinding".
This again would lead to Proofs of Work...
57. Solution
The challenge does not depend on the transactions.
Spacemint blockchain syntax: each block B_i consists of a signature s_i, the transactions, and the proof; the signatures form one chain (the "signature chain") and the proofs another (the "proof chain").
The challenge for block i+1 is x_{i+1} = H(s_i), the challenge for block i+2 is x_{i+2} = H(s_{i+1}), and so on.
58. Yet another problem
Suppose there is a fork: block_{i+1} is followed by both block_{i+2} and block'_{i+2}, and block_{i+3} extends block_{i+2}.
If block'_{i+2} gives a challenge that is "good" for a miner, then it's better for him to work on that (shorter) chain.
Note: in Bitcoin working on a shorter chain never made sense.
59. Solution: look deeper into the past
The challenge for block i is a hash of a block a fixed number of blocks earlier in the chain.
Why not look even deeper into the past? We do not want the miners to know that they can stay offline for long (so that they could erase their disks).
60. A more subtle problem
In Proofs of Work mining costs, while in Proofs of Space it is "for free".
So for a miner that sees a fork (block_{i+2} and block'_{i+2} both extending block_{i+1}) the best (selfish) strategy is to work on both chains: in this case he "wins" in both cases!
A similar problem shows up in "Proofs of Stake": "The problem with Proofs of Stake is that there is nothing at stake".
61. Solution: penalize such behavior
If some party signed blocks on both branches of a fork (e.g. block_{i+3} and block'_{i+3}), anyone who discovers that these blocks were signed by the same party can post a transaction with a "proof" of this and gets a reward (the party that signed 2 blocks loses her reward).
62. Full description of the protocol
See [PPKAFG 2015]. This paper also contains a game-theoretic model and a security proof.
65. Proofs of Stake
The "voting power" depends on how much money one has: voting power ∝ share of coins.
Justification: people who have the money are naturally interested in the stability of the currency.
Currencies: BlackCoin, Peercoin, NXT, ...
66. Challenges when constructing Proof-of-Stake currencies
Similar to the Proofs of Space (note: Proofs of Stake is a much earlier concept).
How to determine which miner has the right to extend the chain?
How to prevent mining on many chains? ("There is nothing at stake")
How to prevent grinding?
67. Other problems
1. How to distribute initial money?
2. How to force coin owners to mine?
68. A potential speculative attack on PoStake coins
[Nicolas Houy, It Will Cost You Nothing to 'Kill' a Proof-of-Stake Crypto-Currency, 2014]
Attacker: "I am going to destroy your currency by buying > 50% of the coins and gaining the voting majority."
Coin holder: "Shall I sell him my coins? If I believe that he succeeds then I should sell at any non-zero price."
If everybody thinks this way then the coin price will quickly go close to zero.
Attacker: "I buy the coins now (cheaply)."
70. Idea
Can we have a currency that does something useful?
Some ideas proposed:
• Permacoin [A. Miller, A. Juels, E. Shi, B. Parno, J. Katz, Permacoin: Repurposing Bitcoin Work for Data Preservation, 2014]
• Primecoin [Sunny King, Primecoin: Cryptocurrency with Prime Number Proof-of-Work, 2013]
71. Permacoin
Main idea: parametrize PoWs with a large file F ("too large to be stored by individuals").
To solve a PoW one needs to store some part of F (the more you store, the higher your probability is).
72. Why is it useful?
The file F can be data that is useful for some purpose.
Differences between Permacoin and Spacemint:
• Permacoin is still a Proof of Work (consumes energy),
• the data in Spacemint is random (in Permacoin it is not random),
• Permacoin doesn't scale (maybe in 20 years everybody will have the Library of Congress data on his mobile?).
73. Another nice feature of Permacoin
Its PoWs are nonoutsourceable: a miner in a mining pool can always steal the PoW solution. Hence: creating mining pools makes no sense.
See also: [Miller, Kosba, Katz, Shi, Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions, ACM CCS 2014].
75. Chains of primes
• Cunningham chain of the first kind: p_1, p_2 = 2p_1 + 1, p_3 = 2p_2 + 1, p_4 = 2p_3 + 1, ... (all p_i's are prime). Example: 2, 5, 11, 23, 47, ...
• Cunningham chain of the second kind: p_1, p_2 = 2p_1 - 1, p_3 = 2p_2 - 1, p_4 = 2p_3 - 1, ... (all p_i's are prime). Example: 151, 301, 601, 1201, ...
• bi-twin chain: p_1, q_1, p_2, q_2, p_3, q_3, ... such that
  • p_1, p_2, p_3, ... are a Cunningham chain of the first kind,
  • q_1, q_2, q_3, ... are a Cunningham chain of the second kind, and
  • each (p_i, q_i) is a twin prime pair (i.e. q_i = p_i + 2).
Famous conjecture: for every k there exist infinitely many chains like this of length k.
76. Main idea of Primecoin
Proof of Work = "find as long chains as possible".
Some challenges:
1. Verification of a PoW solution should be very efficient. Solution: limit the size of the numbers and allow pseudoprimes. A "pseudoprime" is a composite number n that passes the Fermat test: "check if a^{n-1} = 1 (mod n)".
2. The quality measure of the solution should be more fine-grained than just the length of the chain. Solution: accept chains p_1, p_2, ..., p_k, p_{k+1}, where all p_i's but the last one are prime. The quality of such a solution is equal to k + δ, where δ "measures how close p_{k+1} is to a prime" "in terms of the Fermat test".
77. Yet another question
How to "link" the solution to the hash of the previous block B_i?
Answer: require p_1 + 1 to be a multiple of H(B_i).
For more details see [Sunny King, Primecoin: Cryptocurrency with Prime Number Proof-of-Work, 2013].
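The chain search of slides 75 to 77 in runnable form, as an added example that is not code from the talk or from Primecoin: a Fermat-test based search for Cunningham and bi-twin chains whose origin is a multiple of a given value (standing in for H(B_i)), with a k + δ quality. The fractional term δ = (p - r)/p, with r = 2^{p-1} mod p for the first element that fails the test, and the base-2-only Fermat test are assumptions of this example, not Primecoin's exact rules.

```python
# Added example, not code from the talk or from Primecoin. Assumptions: base-2
# Fermat test only; delta = (p - r)/p with r = 2^(p-1) mod p for the first
# failing element p_{k+1}; h is a small constructed stand-in for H(B_i).

def fermat_test(n: int, base: int = 2) -> bool:
    """Passes if base^(n-1) == 1 (mod n); composites that pass are pseudoprimes (e.g. 341)."""
    if n < 4:
        return n in (2, 3)
    return pow(base, n - 1, n) == 1


def cunningham(origin: int, kind: int) -> tuple:
    """First kind: p_1 = origin - 1, p_{i+1} = 2p_i + 1. Second kind: p_1 = origin + 1,
    p_{i+1} = 2p_i - 1. Returns (elements passing the test, first failing p_{k+1})."""
    sign = -1 if kind == 1 else 1
    primes, n = [], origin + sign
    while fermat_test(n):
        primes.append(n)
        n = 2 * n - sign  # 2p+1 for the first kind, 2p-1 for the second
    return primes, n


def bitwin_length(origin: int) -> int:
    """Number of primes in the interleaved chain origin*2^i -/+ 1, e.g. 5, 7, 11, 13, 23."""
    k1, k2 = len(cunningham(origin, 1)[0]), len(cunningham(origin, 2)[0])
    return 2 * min(k1, k2) + (1 if k1 > k2 else 0)


def chain_quality(origin: int, kind: int) -> float:
    """k + delta: chain length plus how close the first failing element is to passing Fermat."""
    primes, p = cunningham(origin, kind)
    r = pow(2, p - 1, p)
    return len(primes) + (p - r) / p


def find_chain(h: int, kind: int, min_len: int, max_mult: int = 10000):
    """Slide 77's linking rule: only origins that are multiples of h are searched.
    Returns (origin, primes) for the first chain of length >= min_len, or None."""
    for m in range(1, max_mult + 1):
        primes, _ = cunningham(m * h, kind)
        if len(primes) >= min_len:
            return m * h, primes
    return None
```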
80. Ethereum: a "currency designed for contracts"
Main feature: Turing-complete scripts.
The transaction ledger is maintained using the GHOST protocol of Sompolinsky and Zohar.
Developers: Gavin Wood, Jeffrey Wilcke, Vitalik Buterin, et al.
Initial release: 30 July 2015.
Currency unit: Ether (ETH).
As of 24.05.2016: market cap ≈ 1 billion USD, 1 ETH ≈ 12 USD.
Main uses: decentralized organizations, prediction markets, and many others...
Susceptible to the verifier's dilemma?
83. Namecoin (NMC): a decentralized DNS
Idea: use Bitcoin's ledger as a DNS.
It maintains a censorship-resistant top level domain .bit.
The same blockchain rules as Bitcoin.
Placing a record costs 0.01 NMC (this money is "destroyed").
Records expire after 36000 blocks (≈ 250 days) unless renewed.
85. ©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.
Editor's Notes
See: Joel Alwen and Vladimir Serbinenko, High Parallel Complexity Graphs and Memory-Hard Functions.