Useful work is not actually a good foundation for securing a decentralized cryptocurrency.<p>The value of PoW in cryptocurrency is that I know for a fact that you have to burn $X million dollars if you want to double-spend my cryptocurrency. That has to be burned in electricity, and that burn can't be used for anything else. It's expensive for you to attack me.<p>If suddenly we've got useful works, such that you can apply that $X million in electricity to solve problems that are actually not wasteful, and worth perhaps $X million dollars in solutions, then I don't actually have confidence that it costs you money to double-spend my transaction. You might be able to double-spend my transaction as a by-product of computation that you were going to do already.<p>Further, useful PoW is a centralizing pressure, because not everyone is going to have equal access to people who are willing to pay for solutions of useful work. This unequal access to revenue means unequal ability to compete, favoring people who are able to sell solutions more effectively. For cryptocurrency, we like to remove these advantages as much as possible (granted, the existing system has a lot of room for improvement, but useful work moves things in the wrong direction).
Here's a little writeup of how I could imagine mathematical proofs as a useful proof-of-work: <a href="https://pastebin.com/raw/ZAys0mYp" rel="nofollow">https://pastebin.com/raw/ZAys0mYp</a><p>Note that it's more of a market for mathematical proofs, not a replacement for proof of work in a currency that needs a new block every 10 minutes.<p>Still, "miners" (theorem provers) get rewarded for their efforts with tokens.<p>My mathematician friends say such a genericized proof market should be possible using Model Theory.
This work is theoretically very interesting, but nowhere does the paper explore what parameter choices would make its use in e.g. bitcoin practical. In particular, would n be close to a million? How large would the problems (f,x) be? How large are the solutions?
Both of these would need to be included in the block header which is currently only 80 bytes long. Any sizes substantially larger than a few KB would make this rather impractical.
What are the best known implementations for these sizes? How many seconds does it take to solve and how many to verify a solution?
An important consideration that is missing in section <i>7 A Blockchain Scheme</i> is that the PoW must also be tied to the miner's receive address otherwise anyone could claim the reward as soon as the PoW was broadcast onto the network. A simple solution is to also hash the miner's receive address along with the previous block and transaction hash. This seems like a pretty major omission on the part of the authors and cast some doubt on the rest of the paper.
I love it when a plan comes together.<p><a href="https://news.ycombinator.com/item?id=14949971" rel="nofollow">https://news.ycombinator.com/item?id=14949971</a>