In this post I will depart briefly from my usual technical viewpoint and enter the quicksands of opinion. But I’ll come back, don’t worry. The idea of the proof-of-work powered block-chain, while powerful, has led us to a situation where many people see Bitcoin mining as a wasteful and vicious activity. Articles against Bitcoin mining can be read here, here and here. Articles in favor of Bitcoin mining can be found here.
But even if economists discover that Bitcoin mining is more efficient and less wasteful than state money printing, and even if nothing better could be done, people may still perceive mining as something that should be avoided. In a few years we may have Greenpeace groups protesting at the doors of every Bitcoin-related company, claiming that we’re hurting the ecosystem. And still, nobody has come up with a better idea to replace plain old PoW. A Proof-of-Stake / Proof-of-work or consensus hybrid system, while more power efficient, poses additional threats and goes against the fully distributed paradigm. In most incarnations, it requires all coins to be pre-mined. So we’re stuck with PoW, and that’s Bitcoin’s karma.
New cool alt-coins that choose ASIC-unfriendly PoWs
Many cryptocurrencies appeared after Bitcoin, and I think some of these coins have something new to offer to the world (my favorite examples are NimbleCoin, Ethereum and QixCoin). I obviously dislike plain Bitcoin clones, but that is not the subject of this post. Almost all of these new interesting alt-coins began using ASIC- or GPU-unfriendly mining functions for proof-of-work, such as scrypt, Cuckoo cycle, Dagger, partial hash collisions, RandMemoHash and SplashHash. From the ecology perspective, one claim often presented is that by using PC idle cycles instead of running yet another dedicated processor, no energy is wasted. This is untrue, since current microprocessors automatically enter reduced-power states when idle. So now we know that PoW mining could eventually become an environmental problem, and that it’s currently a marketing problem. Then why not minimize the damage? Since it’s clear that we’re going to have a PoW block-chain in this world, let’s make the Bitcoin PoW the only one. If we create a clear standard for merged-mining, every new alt-coin could make use of Bitcoin to secure its transactions.
Using Bitcoin merged mining you can re-use the work spent on finding a proof-of-work for the Bitcoin chain to find a PoW for the alt-coin chain. You then have two totally separate block chains, unrelated in any way (the Bitcoin chain and the alt-coin chain), that can be mined together. When a miner mines a Bitcoin block, the header of the block contains the Merkle root, which refers to the transactions included in the block. By storing a hash of the header of the alt-coin block in a Bitcoin transaction placed at a predefined position in the Merkle tree, it’s possible to uniquely associate the PoW of the Bitcoin header with the alt-coin header.
There are two possible ways to implement merged-mining. The standard way (used in NameCoin) is that the Bitcoin header is inserted into another block-chain (the NameCoin chain). This chain can have a different difficulty and a different block rate. The other way, sometimes called a side-chain, is when the Bitcoin chain contains the alt-coin chain (as proposed in DIANNA-project.org). This implementation creates many technical problems in coping with Bitcoin blocks that hold invalid or missing alt-coin blocks (either by mistake or to attack the alt-coin). So we’ll only analyze the standard merged-mining approach.
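As an added illustration (not code from the original post), here is what an alt-coin node in the standard approach has to check when it receives a merged-mined block: that the Bitcoin header commits to the alt-coin header through a transaction in its Merkle tree, and that the Bitcoin PoW meets the alt-coin’s own (usually easier) target. Assumptions made here: the committing transaction is the coinbase (leaf 0, our "predefined place"), the commitment is the marker bytes Namecoin’s AuxPoW uses followed by the double-SHA256 of the alt-coin header, and the headers, targets and Merkle tree are constructed for the demo.

```python
import hashlib

MM_TAG = b"\xfa\xbe" + b"mm"   # merged-mining marker Namecoin's AuxPoW places in the coinbase

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_levels(txids):
    """Bitcoin-style Merkle tree, leaves first; an odd node on a level is paired with itself."""
    levels = [list(txids)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([sha256d(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_branch(levels, index):
    """Sibling hashes that let a verifier climb from leaf `index` to the root."""
    branch = []
    for level in levels[:-1]:
        branch.append(level[min(index ^ 1, len(level) - 1)])   # last odd node pairs with itself
        index >>= 1
    return branch

def root_from_branch(leaf, branch, index):
    for sib in branch:
        leaf = sha256d(sib + leaf) if index & 1 else sha256d(leaf + sib)
        index >>= 1
    return leaf

def verify_merged_mined(alt_header, alt_target, coinbase, branch, btc_header):
    """Does the 80-byte Bitcoin header commit to the alt-coin header via its coinbase
    (leaf 0, the predefined place), and does its PoW meet the alt-coin target?"""
    if len(btc_header) != 80 or MM_TAG + sha256d(alt_header) not in coinbase:
        return False
    if root_from_branch(sha256d(coinbase), branch, 0) != btc_header[36:68]:
        return False
    return int.from_bytes(sha256d(btc_header), "little") <= alt_target

def demo(alt_target=1 << 248):
    """Constructed alt-coin header, a coinbase committing to it, and a Bitcoin header
    mined (by a toy loop, not an ASIC) to the deliberately easy alt-coin target."""
    alt_header = b"ALT" + bytes(77)                  # constructed 80-byte stand-in
    coinbase = b"\x01\x00\x00\x00\x01" + bytes(36) + MM_TAG + sha256d(alt_header)
    txids = [sha256d(coinbase)] + [sha256d(bytes([i])) for i in range(1, 4)]
    levels = merkle_levels(txids)
    prefix = bytes(36) + levels[-1][0] + bytes(8)    # version, prev hash, root, time, bits
    for nonce in range(1 << 32):
        btc_header = prefix + nonce.to_bytes(4, "little")
        if int.from_bytes(sha256d(btc_header), "little") <= alt_target:
            return alt_header, coinbase, merkle_branch(levels, 0), btc_header
```

The alt-coin target is set to 1/256 of the hash space so the demo mines instantly; a real alt-coin would derive it from its own difficulty adjustment, independently of Bitcoin's.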
The problem with standard merged-mining is that it’s possible for a Bitcoin pool to destroy a merged-mined alt-coin with pump-and-dump and 51% attacks. This has occurred at least once in the past. I propose a protocol to allow merged-mining with some safety protections.
Distributed Merge-Miner Registration
Bitcoin miners willing to do merged-mining must first register an identity in the alt-coin cryptosystem, and pay for it. This is done by creating a transaction carrying a modified Bitcoin header, where the fields in the first 64 bytes are replaced by a single Bitcoin address (or an ECDSA public key, or the hash of one) padded with zeros, and the remaining 16 bytes can be anything. This header needs to have proof-of-work at 1/n of the current difficulty of the Bitcoin network. The transaction is included in the block-chain like any other. Suppose that we choose n=1; then producing the header has a cost of at least 16K USD, since by investing ASIC time in it the creator is losing the reward of a Bitcoin block. After an identity has been registered, the registered miner can merge-mine as many blocks as he wants. This initial payment serves as an investment in the coin.

The network can automatically monitor the block rate of each merged-miner (using a sliding-window average, for example) and detect if the miner has stopped producing blocks. If the network hash rate drops suddenly, the network can automatically detect whose blocks are missing and revoke the identity record of the offending miner. The network could also detect if two blocks of the same height are produced by the same miner and revoke the identity record; this is done by including both headers in a transaction.

Merged-miners could also be asked to provide a real identity to an alt-coin foundation; the foundation then signs the identity registration transaction, and the network only accepts identity registrations signed by the alt-coin foundation’s private key. Note that normal alt-coin miners may or may not need to go through any registration process. Normal miners’ blocks are identifiable because they do not have an associated Bitcoin meta-header.
Registration could be programmed to become unnecessary after some time, or after the network hash rate reaches a certain threshold. For example, the network could require miner registration during the first M blocks (e.g. the equivalent of 4 months) to prevent early attacks, and allow free mining after that. The registration fee (in terms of the divisor n) could also be a function of the merged-miner’s hashing power relative to the current network hashing power, or be limited to a certain percentage of the current hashing power (e.g. no more than 40%). The network would then discard blocks solved by a merged-miner who has surpassed his registered quota, measured over a certain time window.
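To make the registration and monitoring rules of the two sections above concrete, here is an added Python sketch (not code from the original post) of the registration header and of the network-side bookkeeping: a registration is valid only if its layout matches (address hash, then zeros) and its hash is under n times the Bitcoin target, i.e. 1/n of Bitcoin's difficulty; a registered miner who produces two blocks at one height is revoked; a miner already holding the quota share of the sliding window has further blocks discarded; and miners whose blocks have gone missing for longer than a window are reported as candidates for revocation. The `MergedMinerRegistry` class, the window and quota values, and the toy mining loop are assumptions for the demo.

```python
import hashlib
from collections import deque

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def registration_header(address20: bytes, nonce: int) -> bytes:
    """First 64 bytes: the 20-byte address hash padded with zeros; last 16 bytes are free."""
    return address20 + bytes(44) + nonce.to_bytes(16, "little")

def mine_registration(address20: bytes, btc_target: int, n: int) -> bytes:
    """1/n of Bitcoin's difficulty: the hash must be below n times Bitcoin's target (demo loop)."""
    hdrs = (registration_header(address20, nonce) for nonce in range(1 << 64))
    return next(h for h in hdrs if int.from_bytes(sha256d(h), "little") <= btc_target * n)

def registered_identity(hdr: bytes, btc_target: int, n: int):
    """Return the address a valid registration header proves, else None."""
    layout_ok = len(hdr) == 80 and not any(hdr[20:64])   # only zeros after the address
    pow_ok = int.from_bytes(sha256d(hdr), "little") <= btc_target * n
    return hdr[:20] if layout_ok and pow_ok else None

class MergedMinerRegistry:
    def __init__(self, btc_target: int, n: int, window: int, quota: float):
        self.btc_target, self.n, self.quota = btc_target, n, quota
        self.miners = set()                 # identities currently allowed to merge-mine
        self.recent = deque(maxlen=window)  # sliding window of block producers
        self.seen, self.last = {}, {}       # height -> producers; identity -> last height

    def register(self, hdr: bytes) -> bool:
        ident = registered_identity(hdr, self.btc_target, self.n)
        self.miners.update([ident] if ident else [])
        return ident is not None

    def accept_block(self, height: int, ident: bytes) -> bool:
        if ident not in self.miners:
            return False
        if ident in self.seen.get(height, ()):        # two blocks at one height: revoke
            self.miners.discard(ident)
            return False
        full = len(self.recent) == self.recent.maxlen
        if full and self.recent.count(ident) >= self.quota * self.recent.maxlen:
            return False                              # over quota inside the window
        self.seen.setdefault(height, set()).add(ident)
        self.recent.append(ident)
        self.last[ident] = height
        return True

    def silent_miners(self, height: int) -> set:
        """Registered miners whose blocks went missing for over a window (candidates to revoke)."""
        return {m for m, h in self.last.items() if m in self.miners and height - h > self.recent.maxlen}
```

The demo Bitcoin target is set absurdly low so that the registration PoW takes about a thousand hashes; with the real target, n=1 is the full cost of a Bitcoin block, as the text says.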
By implementing some of these protections in the alt-coin design, safe merged-mining can be allowed.