chia

Bram Cohen, the inventor of BitTorrent, is finalising his thesis for a greener alternative to Bitcoin's proof of work mining algorithm.

Engineering work will soon begin on his new project, Chia Network, which uses vacant disk space on hard drives to run his resurrected version of proof of space (PoSpace), co-ordinated with another consensus algorithm, proof of time (PoT). The goal is to prevent the sort of energy-sapping, ASIC-powered centralisation which has happened in Bitcoin.

The power consumption iniquities of Bitcoin are well known. In addition, mining centralisation can cause practical problems, specifically exercising a hold over protocol development. Proofs of space have a nice property in being ASIC resistant. Storage is just storage no matter what the medium, and optimising hardware for PoSpace is similar to optimising it to be better storage media to begin with.

Proof of space cryptocurrency mining is not a new idea. In the past, proponents have tried to address its "nothing-at-stake" problems; because mining is cheap, miners can mine on multiple chains and try multiple blocks per chain at very little additional cost, potentially allowing for double spending attacks and slowing down consensus.

The first and relatively simple implementations of PoSpace were susceptible to grinding attacks and so later versions used complex mathematical gaming techniques called "graph pebbling". However, the latter approach is complex and cumbersome.

Chia Network is resurrecting the simpler version of PoSpace. "People had previously come up with these pebbling algorithms which kind of work," said Cohen, "but they are really complicated and a little bit ugly.

"They also have this other problem that there's not a single canonical representation of a winning thing; you can twiddle it, and that causes a lot of problems elsewhere in the system. The idea is to resurrect the nice beautiful simple approach but making it so that the Hellman attacks don't work anymore."

The way PoSpace works is somewhat analogous to filling your vacant storage space with bingo cards (proof of work, by contrast, is more like trying to win a lottery). Cohen's solution involves adding a property that makes doing the calculation of any single bingo card just as expensive as calculating the entire disk-full. The hashed contents of the whole hard drive are sorted in adjacent pairs, a step which can be repeated, making time/memory trade-off attacks much weaker, he said.

The other part to this is proof of time (PoT). Transactions are "farmed" into the Chia blockchain via a process of selecting the three best bingo card results of PoSpace (Cohen pointed out that the number three here is not actually enforced by the protocol, it's more of a social convention, which helps mitigate selfish mining attacks). Then a group of proof of time servers go to work on these. When a PoT is finished for a PoSpace, this becomes the validated block. The better the PoSpace is the shorter the PoT that follows it is, and vice versa.

There are only a handful of PoT servers running and a PoT is a calculation that's completely canonical based off of the challenge, said Cohen. If two different people run the same PoT on something they will get the same answer, so it only makes sense for the people who have the very fastest proof of time servers to actually be running on the system.
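The interplay described above can be sketched as a toy model. This is an added example, not Chia's code: iterated SHA-256 stands in for the proof of time function, and the quality scoring, the inverse quality-to-iterations mapping and every name in it are assumptions made for illustration.

```python
import hashlib

def proof_of_time(challenge: bytes, iterations: int) -> bytes:
    # Stand-in delay function (assumption): iterated SHA-256, inherently sequential.
    state = challenge
    for _ in range(iterations):
        state = hashlib.sha256(state).digest()
    return state

def space_quality(challenge: bytes, entry: bytes) -> float:
    # Assumed scoring: hash of challenge + stored entry, scaled into (0, 1].
    digest = hashlib.sha256(challenge + entry).digest()
    return (int.from_bytes(digest[:8], "big") + 1) / 2**64

def required_iterations(quality: float, difficulty: int = 1000) -> int:
    # Assumed inverse relation: the better the proof of space, the shorter the PoT.
    return int(difficulty * (1.0 - quality)) + 1

def farm_block(challenge, plots, servers, top_n=3):
    # plots: {farmer: [stored entries]}; servers: {name: iterations per second}.
    ranked = sorted(((space_quality(challenge, e), farmer, e)
                     for farmer, entries in plots.items() for e in entries),
                    reverse=True)[:top_n]
    fastest = max(servers.values())  # only the fastest server's speed matters
    candidates = []
    for quality, farmer, entry in ranked:
        iters = required_iterations(quality)
        seed = hashlib.sha256(challenge + entry).digest()
        candidates.append({"farmer": farmer, "quality": quality, "iterations": iters,
                           "pot": proof_of_time(seed, iters).hex(),
                           "seconds": iters / fastest})
    # The block whose proof of time completes first is the validated one.
    return min(candidates, key=lambda c: c["seconds"])

# Constructed sample data: alice stores four times as many entries as bob.
CHALLENGE = b"constructed-challenge"
PLOTS = {"alice": [b"a%d" % i for i in range(40)],
         "bob": [b"b%d" % i for i in range(10)]}

if __name__ == "__main__":
    for servers in ({"fast": 2000, "slow": 500}, {"slow": 500}):
        block = farm_block(CHALLENGE, PLOTS, servers)
        print(sorted(servers), block["farmer"], block["iterations"],
              block["pot"][:16], f"{block['seconds']:.3f}s")
```

Removing the fast server changes only the time to the block; the winning farmer and the proof of time output stay the same, because the output depends on the challenge alone.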

Cohen stands by the ASIC resistance of PoSpace; providing a small subsidy to general purpose storage capacity and technologies is something he's perfectly happy with. However, proofs of time can most definitely be optimised in hardware.

"The worry is that it might be possible to get meaningful return on investment on faster proofs of time at such massive budgets that it does a fair amount of counteracting the reductions in wasted resources which proof of space plus proof of time (PoST) provide. The party who has the fastest PoT is also a major potential source of centralisation in the system."

This point was publicly taken up by Bitcoin core technology expert Peter Todd, who claimed this constitutes an even bigger concern than it is in PoW.

"That is a bit extreme," said Cohen, "but it is a major point of concern worth addressing, and it is true that Bitcoin has demonstrated a certain empirical level of decentralisation which the still theoretical PoST construction has not."

But Cohen believes there are substantial reasons for optimism. The physics of electronics are such that they tend to hit a certain limit of clock speed and max out. Indeed new CPUs run at a number of gigahertz scarcely bigger than what they did years ago, and the premium on an even marginally faster one is quite high. This is because it's basically hitting the limit of what can be done with silicon.

There are other materials which can go faster; for example people have been saying there will have to be a switch to gallium arsenide for decades, but those also tend to quickly hit a limit of how fast they can go and there are only so many materials to be had. It's also possible to speed things up a bit by super-cooling them.

Cohen said: "What I'm hoping for is that proofs of time become the standard benchmark which R&D at chip companies use to demonstrate how badass their chip design abilities are.

"And also as a line of research likely to result in commercially viable chips in the future. The results in the best known proof of time dedicated chips would be made available to the public at commodity cost, sold into a niche market using them for Chia farming and also timestamping and other protocols they happen to be particularly useful for."

Even much more modest budgets for PoT chips would implicitly be helping fund useful R&D into chip design, said Cohen; so a good thing, unlike custom PoW chips, which serve no useful purpose whatsoever.

"Depending on how things shake out I may put budget into development of custom PoT chips to pre-emptively undercut attempts to profit from making them. This brings up the other set of problems with anyone planning to profit out of PoT chips, which is that it's intentionally difficult to make a business model for them."

Cohen pointed out there is no direct incentive in the protocol for doing proofs of time. You can implicitly use it for extracting more out of proofs of space, but to get full benefit requires coordination with whoever has the space. They, in turn, might be unwilling to cooperate, or splintered enough that they can't cooperate.

Proofs of space will be made non-outsourceable, so trying to run a for-profit pool suffers from the problem that clients can pretend to participate in the pool but if they happen to win a block they can just keep it for themselves and not give it to the pool.

In addition, it only takes one other party who has a comparable PoT server to ruin it for everybody by altruistically running on the best PoSpace for every block. So even if they had to spend more building their one good chip, the market as a whole is decimated because, unlike with PoW, the marginal cost of producing more units doesn't give any advantage once the first one is out, said Cohen.

"Even the implicit threat of someone else doing this provides significant disincentive from anybody going too crazy with expecting future profits from optimising PoT chips now," he said.

"PoT servers are a bit analogous to running full nodes: there isn't much of a direct incentive for doing so, but there isn't such a huge disincentive for doing it that there aren't plenty of resources devoted somewhat altruistically to making sure it's done right."

When it comes to centralisation concerns, there's also the intentional feature that the PoT output is completely canonical and includes no transaction data, added Cohen.

So if it's "centralised" in the sense that there are a handful of PoT servers which always "win", they're acting as helpers to the system rather than exerting any sort of control, he said.

"There will probably be dozens of other PoT servers running in the wings who will start winning if the few fastest ones simply disappear, with no change to the functioning of the system other than that the rate of blocks will be slightly slower until a work difficulty adjustment corrects for it.

"And if they come back online the only effect will be a slightly increased block rate until the work difficulty factor adjusts back up again."

Looking ahead, the goal is to support Lightning and then also add in some kind of covenant support, probably based around the Simplicity language that Dr Russell O'Connor from Blockstream recently came out with.