public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain
@ 2017-02-07 11:27 John Hardy
  2017-02-12 20:22 ` Sergio Demian Lerner
  0 siblings, 1 reply; 5+ messages in thread
From: John Hardy @ 2017-02-07 11:27 UTC (permalink / raw)
  To: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 5045 bytes --]

Proof of Nodework (PoNW) is a way to reward individual nodes for keeping a full copy of and verifying the blockchain.


Hopefully they also do useful ‘traditional’ node activities too like relay transactions and blocks, but there isn’t really any way I can think of to trustlessly verify this also.


PoNW would require a new separate area of block space, a nodeblock, purely concerned with administering the system. A nodeblock is committed to a block as with SegWit. A recent history of nodeblocks needs to be stored by nodes, however the data eventually becomes obsolete and so does not need to be retained forever.


In order to prevent Sybil, a node must register an Bitcoin address by submitting an addNode transaction - along with a security deposit to prevent cheating.


This transaction will be stored in the nodeblock. Once a node can see that its addNode transaction has been added it can begin the PoNW process. The node’s registered address will be hashed with the block header of the block it wants to work on. This will determine exactly where within the blockchain to begin the PoNW.


The PoNW method could be as simple as creating a Merkle tree from the randomly generated point on the blockchain, though a method that is CPU/Memory heavy and less likely to be replaced by dedicated hardware like ASICs would be better. This process could not begin until the most recent block has been fully verified, and while being carried out should still enable normal relay activities to proceed as normal, since it shouldn’t tie up network at all. The data processed should also be mixed with data from the latest block so that it cannot be computed in advance.


A node can do as much PoNW for a block as it likes. Once finished it will then create a nodeWorkComplete transaction for that block with its final proof value, add how much ‘work’ it did - and create a couple of assertions about what it processed (such as there were x number of pieces of data matching a particular value during calculating). These assertions can be accurate or inaccurate.


The system will run in epochs. During each epoch of say 2016 blocks, there will be an extended window for PoNW transactions to be added to nodeblocks to limit minor censorship.


The random hash generated from a node’s address and blockhash will also be used to determine nodeWorkComplete transactions from a previous block that the node must also verify, and correctly calculate whether the assertions it made were true or false. The average PoNW that a node performed in its previous x nodeblocks will be used to determine the target PoNW for the node to verify - and this will randomly be a large number of smaller PoNW transactions, or a smaller number of large PoNW. This process will be deterministic based on that block and address hash. All the data will be put together in a transaction and then signed by the node addresses private key.


If a nodeWorkComplete transaction contains any incorrect information in an attempt to cheat the validation process a challenge transaction can be created. This begins a refereeing process where other nodes check the challenge and vote whether it is to be upheld or not. The losing node is punished by losing their accrued PoNW for that epoch and a percentage of their security deposit.


Nodes will also be punished if they broadcast more than one signed transaction per block.


In order to prevent nodes from having multiple keys registered - which would enable them choose to perform PoNW on a subset of the data that they hold - the share of reward that the node gets will be multiplied based on the number of blocks within an epoch that the node performs PoNW on. The share of reward is limited based on how much security deposit has been staked. The higher the PoNW the higher the deposit needed in order to claim their full allocation of any reward.


At the end of an epoch, with a wait period for any delayed or censored transactions or challenges to be included and settled up, the process of calculating the reward each node is due can begin. This will then be then paid in a regular block, and means for all the data involved in PoNW, the only permanent mark it makes on the main blockchain is for a transaction that pays all addresses their share of the reward at the end of epoch. Any miner who creates a block without correctly calculating and paying the due reward will have mined an invalid block and be orphaned.


The question of where and how much the reward comes from is a different one. It could come from the existing miner reward, or a special new tx donation fee for nodes. If there was some way for users to ‘donate’ to the reward pool for nodes this would increase the incentive for additional nodes to participate on the network in the event of centralisation.


This is a relatively effective way to create a reward for all nodes participating on a network. I’d be keen to field any questions or critiques.

Thanks,


John Hardy

john@seebitcoin.com

[-- Attachment #2: Type: text/html, Size: 8971 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain
  2017-02-07 11:27 [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain John Hardy
@ 2017-02-12 20:22 ` Sergio Demian Lerner
  2017-02-13 11:58   ` John Hardy
  0 siblings, 1 reply; 5+ messages in thread
From: Sergio Demian Lerner @ 2017-02-12 20:22 UTC (permalink / raw)
  To: John Hardy, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 7503 bytes --]

Hi John,
 RSK platform (a Bitcoin sidechain) is already prepared to do something
similar to this, although very efficiently. We set apart 1% of the block
reward to automatically reward full nodes.

We have two systems being evaluated: the first is based on PoUBS (Proof of
Unique Blockchain Storage) which uses asymmetric-time operations to encode
the blockchain based on each user public key such that decoding is fast,
but encoding is slow. The second is more traditional proof of
retrievability, but it requires some ASIC-resistance assumptions.

In both cases, a special smart contract is being called at every block that
creates periodic challenges. Every full node that wants to participate can
submits a commitment to the Merkle hash root of a pseudo-random sequence of
encoded blocks. Then the smart contract chooses random elements from the
committed dataset, and each full node has a period to submit Merkle-proofs
that such random elements belong to the commitment.

To prevent blockchain bloat we designed a very cool new type of transaction
payload: Ephemeral Payload. Ephemeral payload is a payload in a transaction
that gets discarded after N blocks if no smart contract does reference it.
If is does, it's solidified forever in the blockchain.
Then there is a challenge phase where other full nodes can inform the smart
contract if they find an error in the submitted responses. Then the smart
contract ONLY evaluates the responses which have been questioned by users.

This way the smart contract does very little computation (only when a user
misbehaves) and the blockchain normally does not store any proof forever
(only the ones created by misbehaving users).

Because RSK/Rootstock has a very short block interval (10 seconds), all
this happens very quickly and does not require much computation.

Best regards,
 Sergio Lerner
 Chief Scientist RSK (aka Roostock)


On Tue, Feb 7, 2017 at 8:27 AM, John Hardy via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Proof of Nodework (PoNW) is a way to reward individual nodes for keeping a
> full copy of and verifying the blockchain.
>
> Hopefully they also do useful ‘traditional’ node activities too like relay
> transactions and blocks, but there isn’t really any way I can think of to
> trustlessly verify this also.
>
> PoNW would require a new separate area of block space, a nodeblock, purely
> concerned with administering the system. A nodeblock is committed to a
> block as with SegWit. A recent history of nodeblocks needs to be stored by
> nodes, however the data eventually becomes obsolete and so does not need to
> be retained forever.
>
> In order to prevent Sybil, a node must register an Bitcoin address by
> submitting an addNode transaction - along with a security deposit to
> prevent cheating.
>
> This transaction will be stored in the nodeblock. Once a node can see that
> its addNode transaction has been added it can begin the PoNW process. The
> node’s registered address will be hashed with the block header of the block
> it wants to work on. This will determine exactly where within the
> blockchain to begin the PoNW.
>
> The PoNW method could be as simple as creating a Merkle tree from the
> randomly generated point on the blockchain, though a method that is
> CPU/Memory heavy and less likely to be replaced by dedicated hardware like
> ASICs would be better. This process could not begin until the most recent
> block has been fully verified, and while being carried out should still
> enable normal relay activities to proceed as normal, since it shouldn’t tie
> up network at all. The data processed should also be mixed with data from
> the latest block so that it cannot be computed in advance.
>
> A node can do as much PoNW for a block as it likes. Once finished it will
> then create a nodeWorkComplete transaction for that block with its final
> proof value, add how much ‘work’ it did - and create a couple of assertions
> about what it processed (such as there were x number of pieces of data
> matching a particular value during calculating). These assertions can be
> accurate or inaccurate.
>
> The system will run in epochs. During each epoch of say 2016 blocks, there
> will be an extended window for PoNW transactions to be added to nodeblocks
> to limit minor censorship.
>
> The random hash generated from a node’s address and blockhash will also be
> used to determine nodeWorkComplete transactions from a previous block that
> the node must also verify, and correctly calculate whether the assertions
> it made were true or false. The average PoNW that a node performed in its
> previous x nodeblocks will be used to determine the target PoNW for the
> node to verify - and this will randomly be a large number of smaller PoNW
> transactions, or a smaller number of large PoNW. This process will be
> deterministic based on that block and address hash. All the data will be
> put together in a transaction and then signed by the node addresses private
> key.
>
> If a nodeWorkComplete transaction contains any incorrect information in an
> attempt to cheat the validation process a challenge transaction can be
> created. This begins a refereeing process where other nodes check the
> challenge and vote whether it is to be upheld or not. The losing node is
> punished by losing their accrued PoNW for that epoch and a percentage of
> their security deposit.
>
> Nodes will also be punished if they broadcast more than one signed
> transaction per block.
>
> In order to prevent nodes from having multiple keys registered - which
> would enable them choose to perform PoNW on a subset of the data that they
> hold - the share of reward that the node gets will be multiplied based on
> the number of blocks within an epoch that the node performs PoNW on. The
> share of reward is limited based on how much security deposit has been
> staked. The higher the PoNW the higher the deposit needed in order to claim
> their full allocation of any reward.
>
> At the end of an epoch, with a wait period for any delayed or censored
> transactions or challenges to be included and settled up, the process of
> calculating the reward each node is due can begin. This will then be then
> paid in a regular block, and means for all the data involved in PoNW, the
> only permanent mark it makes on the main blockchain is for a transaction
> that pays all addresses their share of the reward at the end of epoch. Any
> miner who creates a block without correctly calculating and paying the due
> reward will have mined an invalid block and be orphaned.
>
> The question of where and how much the reward comes from is a different
> one. It could come from the existing miner reward, or a special new tx
> donation fee for nodes. If there was some way for users to ‘donate’ to the
> reward pool for nodes this would increase the incentive for additional
> nodes to participate on the network in the event of centralisation.
>
> This is a relatively effective way to create a reward for all nodes
> participating on a network. I’d be keen to field any questions or critiques.
>
> Thanks,
>
>
> John Hardy
>
> john@seebitcoin.com
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>

[-- Attachment #2: Type: text/html, Size: 11628 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain
  2017-02-12 20:22 ` Sergio Demian Lerner
@ 2017-02-13 11:58   ` John Hardy
  2017-02-13 14:48     ` Sergio Demian Lerner
  0 siblings, 1 reply; 5+ messages in thread
From: John Hardy @ 2017-02-13 11:58 UTC (permalink / raw)
  To: Sergio Demian Lerner, bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 8477 bytes --]

Hi Sergio,


Thanks for your response, interesting work, very excited for RSK.


I like the ephemeral payload, I suppose that aspect of my proposal could be described as ephemeral blockspace.


I'm curious about the challenge phase, what incentive do nodes to have to check other nodes' responses? Is any validation of responses mandatory, or does policing the system rely on altruism?


I also wondered how time-based responses are enforced? What prevents a miner censoring challenge responses so they do not get included in a block 'in time' - if  inclusion within a block is the mechanism used?


I saw your tweet on Lumino - sounds very promising. Would be keen to take a look at the paper if you're looking for any additional review at this stage.


Regards,


John Hardy


________________________________
From: Sergio Demian Lerner <sergio.d.lerner@gmail.com>
Sent: Sunday, February 12, 2017 8:22 PM
To: John Hardy; Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain

Hi John,
 RSK platform (a Bitcoin sidechain) is already prepared to do something similar to this, although very efficiently. We set apart 1% of the block reward to automatically reward full nodes.

We have two systems being evaluated: the first is based on PoUBS (Proof of Unique Blockchain Storage) which uses asymmetric-time operations to encode the blockchain based on each user public key such that decoding is fast, but encoding is slow. The second is more traditional proof of retrievability, but it requires some ASIC-resistance assumptions.

In both cases, a special smart contract is being called at every block that creates periodic challenges. Every full node that wants to participate can submits a commitment to the Merkle hash root of a pseudo-random sequence of encoded blocks. Then the smart contract chooses random elements from the committed dataset, and each full node has a period to submit Merkle-proofs that such random elements belong to the commitment.

To prevent blockchain bloat we designed a very cool new type of transaction payload: Ephemeral Payload. Ephemeral payload is a payload in a transaction that gets discarded after N blocks if no smart contract does reference it. If is does, it's solidified forever in the blockchain.
Then there is a challenge phase where other full nodes can inform the smart contract if they find an error in the submitted responses. Then the smart contract ONLY evaluates the responses which have been questioned by users.

This way the smart contract does very little computation (only when a user misbehaves) and the blockchain normally does not store any proof forever (only the ones created by misbehaving users).

Because RSK/Rootstock has a very short block interval (10 seconds), all this happens very quickly and does not require much computation.

Best regards,
 Sergio Lerner
 Chief Scientist RSK (aka Roostock)


On Tue, Feb 7, 2017 at 8:27 AM, John Hardy via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org<mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:

Proof of Nodework (PoNW) is a way to reward individual nodes for keeping a full copy of and verifying the blockchain.


Hopefully they also do useful ‘traditional’ node activities too like relay transactions and blocks, but there isn’t really any way I can think of to trustlessly verify this also.


PoNW would require a new separate area of block space, a nodeblock, purely concerned with administering the system. A nodeblock is committed to a block as with SegWit. A recent history of nodeblocks needs to be stored by nodes, however the data eventually becomes obsolete and so does not need to be retained forever.


In order to prevent Sybil, a node must register an Bitcoin address by submitting an addNode transaction - along with a security deposit to prevent cheating.


This transaction will be stored in the nodeblock. Once a node can see that its addNode transaction has been added it can begin the PoNW process. The node’s registered address will be hashed with the block header of the block it wants to work on. This will determine exactly where within the blockchain to begin the PoNW.


The PoNW method could be as simple as creating a Merkle tree from the randomly generated point on the blockchain, though a method that is CPU/Memory heavy and less likely to be replaced by dedicated hardware like ASICs would be better. This process could not begin until the most recent block has been fully verified, and while being carried out should still enable normal relay activities to proceed as normal, since it shouldn’t tie up network at all. The data processed should also be mixed with data from the latest block so that it cannot be computed in advance.


A node can do as much PoNW for a block as it likes. Once finished it will then create a nodeWorkComplete transaction for that block with its final proof value, add how much ‘work’ it did - and create a couple of assertions about what it processed (such as there were x number of pieces of data matching a particular value during calculating). These assertions can be accurate or inaccurate.


The system will run in epochs. During each epoch of say 2016 blocks, there will be an extended window for PoNW transactions to be added to nodeblocks to limit minor censorship.


The random hash generated from a node’s address and blockhash will also be used to determine nodeWorkComplete transactions from a previous block that the node must also verify, and correctly calculate whether the assertions it made were true or false. The average PoNW that a node performed in its previous x nodeblocks will be used to determine the target PoNW for the node to verify - and this will randomly be a large number of smaller PoNW transactions, or a smaller number of large PoNW. This process will be deterministic based on that block and address hash. All the data will be put together in a transaction and then signed by the node addresses private key.


If a nodeWorkComplete transaction contains any incorrect information in an attempt to cheat the validation process a challenge transaction can be created. This begins a refereeing process where other nodes check the challenge and vote whether it is to be upheld or not. The losing node is punished by losing their accrued PoNW for that epoch and a percentage of their security deposit.


Nodes will also be punished if they broadcast more than one signed transaction per block.


In order to prevent nodes from having multiple keys registered - which would enable them choose to perform PoNW on a subset of the data that they hold - the share of reward that the node gets will be multiplied based on the number of blocks within an epoch that the node performs PoNW on. The share of reward is limited based on how much security deposit has been staked. The higher the PoNW the higher the deposit needed in order to claim their full allocation of any reward.


At the end of an epoch, with a wait period for any delayed or censored transactions or challenges to be included and settled up, the process of calculating the reward each node is due can begin. This will then be then paid in a regular block, and means for all the data involved in PoNW, the only permanent mark it makes on the main blockchain is for a transaction that pays all addresses their share of the reward at the end of epoch. Any miner who creates a block without correctly calculating and paying the due reward will have mined an invalid block and be orphaned.


The question of where and how much the reward comes from is a different one. It could come from the existing miner reward, or a special new tx donation fee for nodes. If there was some way for users to ‘donate’ to the reward pool for nodes this would increase the incentive for additional nodes to participate on the network in the event of centralisation.


This is a relatively effective way to create a reward for all nodes participating on a network. I’d be keen to field any questions or critiques.

Thanks,


John Hardy

john@seebitcoin.com<mailto:john@seebitcoin.com>

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org<mailto:bitcoin-dev@lists.linuxfoundation.org>
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



[-- Attachment #2: Type: text/html, Size: 13687 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain
  2017-02-13 11:58   ` John Hardy
@ 2017-02-13 14:48     ` Sergio Demian Lerner
  2017-02-14 18:44       ` Aymeric Vitte
  0 siblings, 1 reply; 5+ messages in thread
From: Sergio Demian Lerner @ 2017-02-13 14:48 UTC (permalink / raw)
  To: John Hardy; +Cc: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 9930 bytes --]

On Mon, Feb 13, 2017 at 8:58 AM, John Hardy <john@seebitcoin.com> wrote:

> Hi Sergio,
>
>
> Thanks for your response, interesting work, very excited for RSK.
>
>
> I like the ephemeral payload, I suppose that aspect of my proposal could
> be described as ephemeral blockspace.
>
>
> I'm curious about the challenge phase, what incentive do nodes to have to
> check other nodes' responses?
>
The reward is split between all full nodes. Therefore each full node has an
incentive to check at least some other full nodes responses because there
is a competition for the full node reward. At the end, each full node
response will be checked by more than other node with high probability.
Also each full node does a small pre-deposit, that is consumed if the node
cheats.

Is any validation of responses mandatory, or does policing the system rely
> on altruism?
>
>
> As previously said,  validation is not mandatory.

> I also wondered how time-based responses are enforced? What prevents a
> miner censoring challenge responses so they do not get included in a block
> 'in time' - if  inclusion within a block is the mechanism used?
>
There is not many defenses against censorship but try to hide your identity
until the end of the protocol. But if somebody knows that your transactions
belong to you, then there is little defense. We just wait more than a
single block for the commitments, so several miners must collude in order
to censor a transaction.

>
> I saw your tweet on Lumino - sounds very promising. Would be keen to take
> a look at the paper if you're looking for any additional review at this
> stage.
>
I'm keeping it private against all my desire because I want it to be
reviewed before I publish it. Credibility is very easily lost.
The same idea (Ephemeral Data) has been used to design the Lumino Network.

>
> Regards,
>
>
> John Hardy
>
>
> ------------------------------
> *From:* Sergio Demian Lerner <sergio.d.lerner@gmail.com>
> *Sent:* Sunday, February 12, 2017 8:22 PM
> *To:* John Hardy; Bitcoin Protocol Discussion
> *Subject:* Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method to
> trustlessly reward nodes for storing and verifying the blockchain
>
> Hi John,
>  RSK platform (a Bitcoin sidechain) is already prepared to do something
> similar to this, although very efficiently. We set apart 1% of the block
> reward to automatically reward full nodes.
>
> We have two systems being evaluated: the first is based on PoUBS (Proof of
> Unique Blockchain Storage) which uses asymmetric-time operations to encode
> the blockchain based on each user public key such that decoding is fast,
> but encoding is slow. The second is more traditional proof of
> retrievability, but it requires some ASIC-resistance assumptions.
>
> In both cases, a special smart contract is being called at every block
> that creates periodic challenges. Every full node that wants to participate
> can submits a commitment to the Merkle hash root of a pseudo-random
> sequence of encoded blocks. Then the smart contract chooses random elements
> from the committed dataset, and each full node has a period to submit
> Merkle-proofs that such random elements belong to the commitment.
>
> To prevent blockchain bloat we designed a very cool new type of
> transaction payload: Ephemeral Payload. Ephemeral payload is a payload in a
> transaction that gets discarded after N blocks if no smart contract does
> reference it. If is does, it's solidified forever in the blockchain.
> Then there is a challenge phase where other full nodes can inform the
> smart contract if they find an error in the submitted responses. Then the
> smart contract ONLY evaluates the responses which have been questioned by
> users.
>
> This way the smart contract does very little computation (only when a user
> misbehaves) and the blockchain normally does not store any proof forever
> (only the ones created by misbehaving users).
>
> Because RSK/Rootstock has a very short block interval (10 seconds), all
> this happens very quickly and does not require much computation.
>
> Best regards,
>  Sergio Lerner
>  Chief Scientist RSK (aka Roostock)
>
>
> On Tue, Feb 7, 2017 at 8:27 AM, John Hardy via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Proof of Nodework (PoNW) is a way to reward individual nodes for keeping
>> a full copy of and verifying the blockchain.
>>
>> Hopefully they also do useful ‘traditional’ node activities too like
>> relay transactions and blocks, but there isn’t really any way I can think
>> of to trustlessly verify this also.
>>
>> PoNW would require a new separate area of block space, a nodeblock,
>> purely concerned with administering the system. A nodeblock is committed to
>> a block as with SegWit. A recent history of nodeblocks needs to be stored
>> by nodes, however the data eventually becomes obsolete and so does not need
>> to be retained forever.
>>
>> In order to prevent Sybil, a node must register an Bitcoin address by
>> submitting an addNode transaction - along with a security deposit to
>> prevent cheating.
>>
>> This transaction will be stored in the nodeblock. Once a node can see
>> that its addNode transaction has been added it can begin the PoNW process.
>> The node’s registered address will be hashed with the block header of the
>> block it wants to work on. This will determine exactly where within the
>> blockchain to begin the PoNW.
>>
>> The PoNW method could be as simple as creating a Merkle tree from the
>> randomly generated point on the blockchain, though a method that is
>> CPU/Memory heavy and less likely to be replaced by dedicated hardware like
>> ASICs would be better. This process could not begin until the most recent
>> block has been fully verified, and while being carried out should still
>> enable normal relay activities to proceed as normal, since it shouldn’t tie
>> up network at all. The data processed should also be mixed with data from
>> the latest block so that it cannot be computed in advance.
>>
>> A node can do as much PoNW for a block as it likes. Once finished it will
>> then create a nodeWorkComplete transaction for that block with its final
>> proof value, add how much ‘work’ it did - and create a couple of assertions
>> about what it processed (such as there were x number of pieces of data
>> matching a particular value during calculating). These assertions can be
>> accurate or inaccurate.
>>
>> The system will run in epochs. During each epoch of say 2016 blocks,
>> there will be an extended window for PoNW transactions to be added to
>> nodeblocks to limit minor censorship.
>>
>> The random hash generated from a node’s address and blockhash will also
>> be used to determine nodeWorkComplete transactions from a previous block
>> that the node must also verify, and correctly calculate whether the
>> assertions it made were true or false. The average PoNW that a node
>> performed in its previous x nodeblocks will be used to determine the target
>> PoNW for the node to verify - and this will randomly be a large number of
>> smaller PoNW transactions, or a smaller number of large PoNW. This process
>> will be deterministic based on that block and address hash. All the data
>> will be put together in a transaction and then signed by the node addresses
>> private key.
>>
>> If a nodeWorkComplete transaction contains any incorrect information in
>> an attempt to cheat the validation process a challenge transaction can be
>> created. This begins a refereeing process where other nodes check the
>> challenge and vote whether it is to be upheld or not. The losing node is
>> punished by losing their accrued PoNW for that epoch and a percentage of
>> their security deposit.
>>
>> Nodes will also be punished if they broadcast more than one signed
>> transaction per block.
>>
>> In order to prevent nodes from having multiple keys registered - which
>> would enable them choose to perform PoNW on a subset of the data that they
>> hold - the share of reward that the node gets will be multiplied based on
>> the number of blocks within an epoch that the node performs PoNW on. The
>> share of reward is limited based on how much security deposit has been
>> staked. The higher the PoNW the higher the deposit needed in order to claim
>> their full allocation of any reward.
>>
>> At the end of an epoch, with a wait period for any delayed or censored
>> transactions or challenges to be included and settled up, the process of
>> calculating the reward each node is due can begin. This will then be then
>> paid in a regular block, and means for all the data involved in PoNW, the
>> only permanent mark it makes on the main blockchain is for a transaction
>> that pays all addresses their share of the reward at the end of epoch. Any
>> miner who creates a block without correctly calculating and paying the due
>> reward will have mined an invalid block and be orphaned.
>>
>> The question of where and how much the reward comes from is a different
>> one. It could come from the existing miner reward, or a special new tx
>> donation fee for nodes. If there was some way for users to ‘donate’ to the
>> reward pool for nodes this would increase the incentive for additional
>> nodes to participate on the network in the event of centralisation.
>>
>> This is a relatively effective way to create a reward for all nodes
>> participating on a network. I’d be keen to field any questions or critiques.
>>
>> Thanks,
>>
>>
>> John Hardy
>>
>> john@seebitcoin.com
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>>
>

[-- Attachment #2: Type: text/html, Size: 16344 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain
  2017-02-13 14:48     ` Sergio Demian Lerner
@ 2017-02-14 18:44       ` Aymeric Vitte
  0 siblings, 0 replies; 5+ messages in thread
From: Aymeric Vitte @ 2017-02-14 18:44 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 12891 bytes --]

I started writing this
https://gist.github.com/Ayms/aab6f8e08fef0792ab3448f542a826bf some time
ago, but stopped since I was under the impression that this was of very
little interest for the Bitcoin community

It's not final and finished at all, but since I wrote it and don't have
plans right now to pursue it, I placed it in a gist and publish the
link, probably not everything is correct and this does not cover
everything but it can maybe give some ideas (which are for some the
combination of concepts from former/other projects) that could be
reused, addressing:

- incentive to run full nodes

- make sure that they are indeed full nodes

- make sure that they participate to the network and are efficient enough

- make sure that they don't collude in pools to get the rewards and are
independent

- set up quickly a full node (incremental torrent-like download)

As this was written this was supposed to add some modifications to the
bitcoin protocol but I don't think that's necessarily a good idea, most
likely this can be handled via sidechains and/or external systems


Le 13/02/2017 à 15:48, Sergio Demian Lerner via bitcoin-dev a écrit :
>
>
> On Mon, Feb 13, 2017 at 8:58 AM, John Hardy <john@seebitcoin.com
> <mailto:john@seebitcoin.com>> wrote:
>
>     Hi Sergio,
>
>
>     Thanks for your response, interesting work, very excited for RSK.
>
>
>     I like the ephemeral payload, I suppose that aspect of my proposal
>     could be described as ephemeral blockspace.
>
>
>     I'm curious about the challenge phase, what incentive do nodes to
>     have to check other nodes' responses?
>
> The reward is split between all full nodes. Therefore each full node
> has an incentive to check at least some other full nodes responses
> because there is a competition for the full node reward. At the end,
> each full node response will be checked by more than other node with
> high probability. Also each full node does a small pre-deposit, that
> is consumed if the node cheats.
>
>     Is any validation of responses mandatory, or does policing the
>     system rely on altruism?
>
>
> As previously said,  validation is not mandatory.
>
>     I also wondered how time-based responses are enforced? What
>     prevents a miner censoring challenge responses so they do not get
>     included in a block 'in time' - if  inclusion within a block is
>     the mechanism used?
>
> There is not many defenses against censorship but try to hide your
> identity until the end of the protocol. But if somebody knows that
> your transactions belong to you, then there is little defense. We just
> wait more than a single block for the commitments, so several miners
> must collude in order to censor a transaction. 
>
>
>     I saw your tweet on Lumino - sounds very promising. Would be keen
>     to take a look at the paper if you're looking for any additional
>     review at this stage.
>
> I'm keeping it private against all my desire because I want it to be
> reviewed before I publish it. Credibility is very easily lost. 
> The same idea (Ephemeral Data) has been used to design the Lumino Network.
>
>
>     Regards,
>
>
>     John Hardy
>
>
>
>     ------------------------------------------------------------------------
>     *From:* Sergio Demian Lerner <sergio.d.lerner@gmail.com
>     <mailto:sergio.d.lerner@gmail.com>>
>     *Sent:* Sunday, February 12, 2017 8:22 PM
>     *To:* John Hardy; Bitcoin Protocol Discussion
>     *Subject:* Re: [bitcoin-dev] Proof of Nodework (PoNW) - a method
>     to trustlessly reward nodes for storing and verifying the blockchain
>      
>     Hi John,
>      RSK platform (a Bitcoin sidechain) is already prepared to do
>     something similar to this, although very efficiently. We set apart
>     1% of the block reward to automatically reward full nodes.
>
>     We have two systems being evaluated: the first is based on PoUBS
>     (Proof of Unique Blockchain Storage) which uses asymmetric-time
>     operations to encode the blockchain based on each user public key
>     such that decoding is fast, but encoding is slow. The second is
>     more traditional proof of retrievability, but it requires some
>     ASIC-resistance assumptions. 
>
>     In both cases, a special smart contract is being called at every
>     block that creates periodic challenges. Every full node that wants
>     to participate can submits a commitment to the Merkle hash root of
>     a pseudo-random sequence of encoded blocks. Then the smart
>     contract chooses random elements from the committed dataset, and
>     each full node has a period to submit Merkle-proofs that such
>     random elements belong to the commitment.
>
>     To prevent blockchain bloat we designed a very cool new type of
>     transaction payload: Ephemeral Payload. Ephemeral payload is a
>     payload in a transaction that gets discarded after N blocks if no
>     smart contract does reference it. If is does, it's solidified
>     forever in the blockchain.
>     Then there is a challenge phase where other full nodes can inform
>     the smart contract if they find an error in the submitted
>     responses. Then the smart contract ONLY evaluates the responses
>     which have been questioned by users.
>
>     This way the smart contract does very little computation (only
>     when a user misbehaves) and the blockchain normally does not store
>     any proof forever (only the ones created by misbehaving users).
>
>     Because RSK/Rootstock has a very short block interval (10
>     seconds), all this happens very quickly and does not require much
>     computation. 
>
>     Best regards,
>      Sergio Lerner
>      Chief Scientist RSK (aka Roostock)
>
>
>     On Tue, Feb 7, 2017 at 8:27 AM, John Hardy via bitcoin-dev
>     <bitcoin-dev@lists.linuxfoundation.org
>     <mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
>
>         Proof of Nodework (PoNW) is a way to reward individual nodes
>         for keeping a full copy of and verifying the blockchain.
>
>
>         Hopefully they also do useful ‘traditional’ node activities
>         too like relay transactions and blocks, but there isn’t really
>         any way I can think of to trustlessly verify this also.
>
>
>         PoNW would require a new separate area of block space, a
>         nodeblock, purely concerned with administering the system. A
>         nodeblock is committed to a block as with SegWit. A recent
>         history of nodeblocks needs to be stored by nodes, however the
>         data eventually becomes obsolete and so does not need to be
>         retained forever.
>
>
>         In order to prevent Sybil, a node must register an Bitcoin
>         address by submitting an addNode transaction - along with a
>         security deposit to prevent cheating.
>
>
>         This transaction will be stored in the nodeblock. Once a node
>         can see that its addNode transaction has been added it can
>         begin the PoNW process. The node’s registered address will be
>         hashed with the block header of the block it wants to work on.
>         This will determine exactly where within the blockchain to
>         begin the PoNW.
>
>
>         The PoNW method could be as simple as creating a Merkle tree
>         from the randomly generated point on the blockchain, though a
>         method that is CPU/Memory heavy and less likely to be replaced
>         by dedicated hardware like ASICs would be better. This process
>         could not begin until the most recent block has been fully
>         verified, and while being carried out should still enable
>         normal relay activities to proceed as normal, since it
>         shouldn’t tie up network at all. The data processed should
>         also be mixed with data from the latest block so that it
>         cannot be computed in advance.
>
>
>         A node can do as much PoNW for a block as it likes. Once
>         finished it will then create a nodeWorkComplete transaction
>         for that block with its final proof value, add how much ‘work’
>         it did - and create a couple of assertions about what it
>         processed (such as there were x number of pieces of data
>         matching a particular value during calculating). These
>         assertions can be accurate or inaccurate.
>
>
>         The system will run in epochs. During each epoch of say 2016
>         blocks, there will be an extended window for PoNW transactions
>         to be added to nodeblocks to limit minor censorship.
>
>
>         The random hash generated from a node’s address and blockhash
>         will also be used to determine nodeWorkComplete transactions
>         from a previous block that the node must also verify, and
>         correctly calculate whether the assertions it made were true
>         or false. The average PoNW that a node performed in its
>         previous x nodeblocks will be used to determine the target
>         PoNW for the node to verify - and this will randomly be a
>         large number of smaller PoNW transactions, or a smaller number
>         of large PoNW. This process will be deterministic based on
>         that block and address hash. All the data will be put together
>         in a transaction and then signed by the node addresses private
>         key.
>
>
>         If a nodeWorkComplete transaction contains any incorrect
>         information in an attempt to cheat the validation process a
>         challenge transaction can be created. This begins a refereeing
>         process where other nodes check the challenge and vote whether
>         it is to be upheld or not. The losing node is punished by
>         losing their accrued PoNW for that epoch and a percentage of
>         their security deposit.
>
>
>         Nodes will also be punished if they broadcast more than one
>         signed transaction per block.
>
>
>         In order to prevent nodes from having multiple keys registered
>         - which would enable them choose to perform PoNW on a subset
>         of the data that they hold - the share of reward that the node
>         gets will be multiplied based on the number of blocks within
>         an epoch that the node performs PoNW on. The share of reward
>         is limited based on how much security deposit has been staked.
>         The higher the PoNW the higher the deposit needed in order to
>         claim their full allocation of any reward.
>
>
>         At the end of an epoch, with a wait period for any delayed or
>         censored transactions or challenges to be included and settled
>         up, the process of calculating the reward each node is due can
>         begin. This will then be then paid in a regular block, and
>         means for all the data involved in PoNW, the only permanent
>         mark it makes on the main blockchain is for a transaction that
>         pays all addresses their share of the reward at the end of
>         epoch. Any miner who creates a block without correctly
>         calculating and paying the due reward will have mined an
>         invalid block and be orphaned.
>
>
>         The question of where and how much the reward comes from is a
>         different one. It could come from the existing miner reward,
>         or a special new tx donation fee for nodes. If there was some
>         way for users to ‘donate’ to the reward pool for nodes this
>         would increase the incentive for additional nodes to
>         participate on the network in the event of centralisation.
>
>
>         This is a relatively effective way to create a reward for all
>         nodes participating on a network. I’d be keen to field any
>         questions or critiques.
>
>         Thanks,
>
>
>         John Hardy
>
>         john@seebitcoin.com <mailto:john@seebitcoin.com>
>
>
>         _______________________________________________
>         bitcoin-dev mailing list
>         bitcoin-dev@lists.linuxfoundation.org
>         <mailto:bitcoin-dev@lists.linuxfoundation.org>
>         https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>         <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>
>
>
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

-- 
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms


[-- Attachment #2: Type: text/html, Size: 27098 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-02-14 18:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-07 11:27 [bitcoin-dev] Proof of Nodework (PoNW) - a method to trustlessly reward nodes for storing and verifying the blockchain John Hardy
2017-02-12 20:22 ` Sergio Demian Lerner
2017-02-13 11:58   ` John Hardy
2017-02-13 14:48     ` Sergio Demian Lerner
2017-02-14 18:44       ` Aymeric Vitte

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox