Proof of burn bitcoin mining
There is no hurry about this, it doesn't need to be exactly every week, or even the same lottery every time, it just needs several tens of bits of fresh lottery data added roughly weekly. I believe there would be no trouble propagating this to all nodes, by out-of-band means if necessary. The format should be utterly simple and transparent, a 1-line plain text description of the results and the timestamp t in RAND t from which they are to be paid attention to, onwards.
Obviously the meta-level words "for use from Each line is added in a leisurely, unhurried fashion, at some time it doesn't matter when between the draw and the intended start-paying-attention-to-it date. Some time between and This gives plenty of time for people to add it themselves, from their favourite news source, and check by out-of-band means that they've added what everybody else has added, right down to spelling and punctuation.
Which in practice probably means copying it from somewhere. The point is, the "somewhere" doesn't need to be trusted - a lie, or an unexpected variation in format or spelling or punctuation, would be called out well within the leisurely timescale.
RAND t is then HASH config-file [excluding any lines that are "for use from time later than t onwards" of course], plus t itself [in some standard format, e. Thus RAND t is a bit integer, which we regard conceptually as a real number between 0 and 1 by putting a binary point in front. I'm aware that people on the forums are coming up with randomness protocols for proof-of-stake, proof-of-activity and the like which don't involve external true randomness like lotteries - they just hash the last hundred blocks' hashes together, or something like that.
I don't think this is good enough. However, if I'm wrong about this, and hashing the last hundred blocks is in fact fine, then good! We can drop the lottery rigmarole! Anyway, for the rest of this description, I'll simply assume that RAND t becomes available for all t, but remains unknown until a week or two before t, and in particular, RAND 2 months or more from now is "massively unknown" right now - unknown with many tens to hundreds of bits of unknowable future entropy.
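As an added illustration of the RAND t construction above (this is example code written for this page, not Iain Stewart's own, and the post leaves the hash function, the exact line format and the serialisation unspecified, so SHA-256, a `for use from <unix time>:` prefix and newline-joined lines followed by the decimal timestamp are all assumptions), the following builds RAND t from a constructed config file and checks that a line dated for future use has no influence on RAND t for any t before its start time:

```python
import hashlib
from fractions import Fraction

# Constructed sample of the "utterly simple" config file: one plain-text line per
# lottery draw, carrying the result and the timestamp t from which the line is to
# be paid attention to. The draws and timestamps are made up for this example.
CONFIG_LINES = [
    "for use from 1700000000: example lottery A draw 2023-11-11 numbers 4 8 15 16 23 42",
    "for use from 1700604800: example lottery A draw 2023-11-18 numbers 1 2 3 10 20 30",
    "for use from 1701209600: example lottery B draw 2023-11-25 numbers 7 7 7 7 7 7",
]

PREFIX = "for use from "  # assumed line format


def line_start_time(line: str) -> int:
    """Parse the 'for use from <unix time>:' prefix of one config line."""
    if not line.startswith(PREFIX):
        raise ValueError(f"malformed config line: {line!r}")
    stamp, _, _ = line[len(PREFIX):].partition(":")
    return int(stamp)


def eligible_lines(lines, t: int):
    """Keep only the lines whose start time is <= t, in file order.
    Lines 'for use from' a time later than t are excluded, as the post requires."""
    return [ln for ln in lines if line_start_time(ln) <= t]


def rand_bits(lines, t: int) -> int:
    """RAND_t as a 256-bit integer: a hash of the eligible lines plus t itself.
    SHA-256 and the byte serialisation are assumptions made for this example."""
    h = hashlib.sha256()
    for ln in eligible_lines(lines, t):
        h.update(ln.encode("utf-8"))
        h.update(b"\n")
    h.update(str(t).encode("ascii"))
    return int.from_bytes(h.digest(), "big")


def rand_real(lines, t: int) -> Fraction:
    """RAND_t regarded as a real number in [0, 1): put a binary point in front."""
    return Fraction(rand_bits(lines, t), 1 << 256)


def future_line_invisible_before_start() -> bool:
    """Check the property the post relies on: a line dated for later use cannot
    change RAND_t for any earlier t, so RAND_t stays unknowable until the draw."""
    t_before = 1700700000   # after line 2 starts, before line 3 starts
    t_after = 1701300000    # after line 3 starts
    unchanged_before = rand_bits(CONFIG_LINES, t_before) == rand_bits(CONFIG_LINES[:2], t_before)
    changed_after = rand_bits(CONFIG_LINES, t_after) != rand_bits(CONFIG_LINES[:2], t_after)
    return unchanged_before and changed_after


if __name__ == "__main__":
    for t in (1700000000, 1700700000, 1701300000):
        print(t, hex(rand_bits(CONFIG_LINES, t)), float(rand_real(CONFIG_LINES, t)))
    print("future line invisible before its start:", future_line_invisible_before_start())
```

Because the whole file is hashed, any disagreement in spelling or punctuation between two nodes' copies produces a completely different RAND t, which is why the post insists on byte-exact agreement; the check function shows that a line added early for later use does not leak into earlier values.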
That's all that matters for turning burnt coins into simulated mining rigs. What do we do with this RAND t stream? We simulate the capricious behaviour of a true proof-of-work mining rig! Now, what does it actually mean for your rig to perform h hashes during 1 second?
It means you're producing h uniform random numbers between 0 and 1. That binary point again! But you don't really care what they all are individually - how well you did during that 1 second is defined as "what was the lowest hash value you produced during that 1 second?" This is then inspected for whether it beats [is lower than] the network's current target; or, perhaps, whether it beats the lesser [i.
If it's good enough, that precious lowest hash is published to the network (or mining pool), and the others are just thrown away (not published). If it's not good enough, even the [not-so-]precious lowest hash isn't published - and certainly not the others. So, in the simulation, we only need to produce, for each second, a simulated "lowest hash for that 1 second".
The "others" don't have to exist at all! For reproducing statistically the pattern of hits and misses w. First of all, it turns out to be desirable to include the block number (chain height, 1 per block) in the formula - just to keep the owners of simulated mining rigs "on their toes" and not be able to tell a week or so in advance when they'll be lucky.
This encourages them to run a continuous full node. Maybe that's not in fact that important. We should not include finer details of the block, to avoid "gaming" a la the hundred blocks business I mentioned earlier. Secondly, it turns out that to keep the burning process going forever, rather than a pulse of initial burning that no-one ever again wants to contribute further burning to, we should simulate one more property of real-world mining rigs: That is, we should demurrage away the strength of a simulated mining rig.
A plea to the reader: Don't be alarmed by the word "demurrage". This is burnt coins I'm talking about - they should be treated "harshly", in whatever style mimics real-world mining rigs to the required fidelity. Ordinary unburnt coins are not being demurraged! We could demurrage each burnt coin in that style - it abruptly expires E years after its creation - but I think a smooth exponential demurrage is nicer, i. So there you have it! With this formula, life as a miner is spookily similar to the real proof-of-work case.
You "buy a mining rig" - you burn coins, and that hits you in exactly the way sending off money to a chip supplier would have hit you, even though over the whole economy, no real resources have been expended - and you then hope that, by submitting lucky hashes to the network in the form of blocks, you can make more back in fees over time than you spent initially.
If you don't keep connected to the network, you won't know what transactions are eligible for including in your next would-be block, and your next lucky hash will run to waste. Meanwhile, other people are "buying mining rigs" (burning coins) too, either freshly or to make up for the "wearing out" of their existing ones; and the network is adjusting its target hash value [reciprocal difficulty] to regulate the rate all this mining effort is producing blocks at, to some preferred average rate.
All spookily normal, in other words! Now, I'm being a little bit disingenuous to say that everything is normal. We need protection against certain things (use of a lucky hash on two or more competing chains; timestamp-falsification abuse) which either do not exist at all under true proof-of-work - the former - or exist but with the consequences and mitigation strategy being different in detail - the latter.
I believe I have a way of standing up to the various forms of malice we need to worry about of those kinds. More to follow soon hopefully! The key insight is that verifiably, publicly burning some coins of a known-total-stock-issued currency is the same as "remurrage" [opposite of "demurrage" - it may not be a correct word, but it's a nice back-formation] on the remainder. Another way to see the identity of real effect would be to redefine "burning n bitcoins" to mean, not "sending n to an unspendable address", but rather "scattering" the n bitcoins, i.
This would be a horribly gigantic transaction to actually do explicitly, but the point is, burning can be thought of "as if" done that way. Quantity-deflation is remurrage in disguise, in exactly the same way that quantity-inflation is demurrage in disguise. So, what that means is, if while you're sleeping you (a non-miner) hold 1 bitcoin purely passively, i.
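The simulated mining rig described in the preceding paragraphs, as an added example (written for this page, not the post's own formula, which the extraction has cut off): a rig of strength h produces, each second, one number with the distribution of the lowest of h uniform draws, seeded from the public RAND t, the chain height and the second so that nobody can predict it further ahead than RAND t is known, and the strength of a burnt-coin rig demurrages away exponentially. The seed derivation, the one-year half-life, the use of SHA-256 and the RAND t constant are all assumptions constructed for the example.

```python
import hashlib
import math

# Constructed stand-in for the lottery-derived RAND_t; a real node would take it
# from the config file described earlier. Labelled as constructed.
RAND_T = int.from_bytes(hashlib.sha256(b"constructed RAND_t for example").digest(), "big")
HALF_LIFE_SECONDS = 365 * 24 * 3600  # assumed: a simulated rig's strength halves in a year


def uniform_from_hash(rand_t: int, height: int, rig_id: str, second: int) -> float:
    """One fresh uniform in [0, 1) per rig per second, derived deterministically from
    the public RAND_t, the chain height (keeps rig owners 'on their toes') and the
    wall-clock second. Unpredictable exactly as far ahead as RAND_t is."""
    h = hashlib.sha256()
    h.update(rand_t.to_bytes(32, "big"))
    h.update(height.to_bytes(8, "big"))
    h.update(rig_id.encode("utf-8"))
    h.update(second.to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "big") / float(1 << 256)


def rig_strength(coins_burnt: float, burn_second: int, now_second: int) -> float:
    """Simulated hash rate of a burnt-coin rig with smooth exponential demurrage:
    strength = coins * 2^(-age / half_life). The parameterisation is assumed."""
    age = max(0, now_second - burn_second)
    return coins_burnt * 2.0 ** (-age / HALF_LIFE_SECONDS)


def lowest_hash_of_second(u: float, h: float) -> float:
    """The lowest of h independent uniforms in [0, 1), sampled by inverse CDF:
    P(min <= x) = 1 - (1 - x)^h, so min = 1 - (1 - u)^(1/h).
    Written with log1p/expm1 to keep precision when h is large."""
    if h <= 0.0:
        return 1.0  # a rig of zero strength never produces a hash below 1
    return -math.expm1(math.log1p(-u) / h)


def beats_target(lowest: float, target: float) -> bool:
    """A second 'wins' when its simulated lowest hash is below the network target."""
    return lowest < target


def count_hits(coins_burnt: float, burn_second: int, start: int, n_seconds: int,
               target: float, height: int, rig_id: str = "rig-A") -> int:
    """Replay n_seconds of simulated mining for one rig and count winning seconds.
    The height is held fixed here for simplicity; a real run would advance it."""
    hits = 0
    for s in range(start, start + n_seconds):
        u = uniform_from_hash(RAND_T, height, rig_id, s)
        h = rig_strength(coins_burnt, burn_second, s)
        if beats_target(lowest_hash_of_second(u, h), target):
            hits += 1
    return hits


if __name__ == "__main__":
    # A rig bought by burning 1000 coins, replayed over an hour at two ages:
    # freshly bought, and three years later when demurrage has eroded it.
    for age_years in (0, 3):
        start = age_years * HALF_LIFE_SECONDS
        hits = count_hits(1000.0, 0, start, 3600, target=1e-3, height=123456)
        print(f"age {age_years}y: {hits} winning seconds out of 3600")
```

The expected number of winning seconds is roughly n_seconds times h times the target while h times the target is small, so halving the rig's strength halves its hit rate just as a worn-out physical rig would; the difficulty adjustment then acts on `target` exactly as in proof-of-work.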
In a world without any attempt at explicit remurrage, the real facts of the situation are of course! Your nominal holding is unchanged at 1; but this is now 1 part in 20 million of the whole money stock, not the 1 part in 21 million it was before.
So, basically, if you're holding bitcoins and trying to hold an "economy-tracking amount", no more and no less, you find you can go out into the market and use the fraction of your holdings that counts as "dividend above and beyond economy-tracking" on some treat or other. Indeed, "you can go out Who's selling you the real resources embodied in the "treat"? And what's their motive? Well, transaction fee payers presumably like to re-stock their bitcoin real balances to roughly the same [economy-tracking] level as before, on average - they're paying for the transaction processing as a service.
These fees are then burned by miners. Well, not literally the fees themselves - the fees themselves are collected by miners, but the way they achieve this is to burn an approximately equal amount, as explained earlier. So, ordinary Bitcoin users, to achieve their desired re-stocking, have to either produce slightly more, or consume slightly less, or a proper or improper mixture thereof, than they would have needed to in a hypothetical (presumably impracticable) alternative world where they pay no fees for their everyday transactions and some magic mining-god just altruistically and reliably creates a blockchain out of all the transactions, without charging anybody anything.
That is, they have to do this regardless of whether the protocol is proof-of-work, proof-of-stake, proof-of-burn or whatever. The fraction of fees they'd collect if they did that would be just like the "dividend" as I called it above - it would be like explicit remurrage, except instead of being automatic, it would require each holder's active participation i. Incidentally, it's also fascinating to consider what happens if the community does decide a demurraging of [ordinary, unburnt] coins, the revenue being added as a coin-[re-]minting stream to the flow of fees, is necessary to continue with forever, for the sake of network strength.
The amazing answer, as far as I can honestly work out, is that in long-run equilibrium, the burn rate is just such as to make hardly any of this demurrage real demurrage at all! Or if you like, the implicit demurrage of inflationary fresh-coin-minting. Either way, we seem to get the possibility of amazing network strength "for free"!
I plan to say more about this soon - but this quick teaser description should already be food for thought. Proof of burn may also be of interest as a tool for managing an orderly transition from one cryptocurrency ("oldcoin", let's call it) to another ("newcoin"). If the developers of newcoin are looking for a way of avoiding proof-of-work's real resource consumption (even in newcoin's initial distribution phase), they can't use proof of newcoin-burn: But they can use proof of oldcoin-burn!
Assuming their reason for creating newcoin is not a doubting of oldcoin's security model, anyway. The newcoin blockchain would thus start with at least a hash referring to a complete catalogue of all the [sufficiently deeply buried] unspent txouts of oldcoin. Miners would then exhibit burning events within oldcoin up to a certain date; after which, the protocol would switch to burning of newcoin itself and the dependency on oldcoin could even be thrown away entirely, if a checkpoint of that transition moment was promulgated and accepted by the newcoin community.
This has the nice consequence that, if people throughout the broader economy are gradually deserting oldcoin (as newcoin catches on), its value need not collapse! Instead, oldcoin gets burnt in the transition process, neatly reducing its nominal supply in just such a way as to roughly keep pace with its declining real demand. Meanwhile, those same acts of burning are minting fresh newcoins, at just the pace required to keep up with newcoin's growing real demand. Forum member ripper points out an earlier work by forum member dacoinminster suggesting coins could be burnt as one component of a broader protocol.
The earlier work is discussed on StackExchange. It revolves around a centralised "trusted entity" system, and so is not directly comparable to decentralised proof-of-burn mining; but it may be of interest to some readers.
Participants with full Slimcoin nodes can earn coins finding Proof of Burn blocks. The probability of a participant identified by its address or public key to find a block is being determined by a score called Effective Burnt Coins based on the amount of coins burnt from its address.
Burnt coins decay over time: Then you publish your private chain and hope that other nodes mine on top of it. That is how double-spending attacks are prevented in Bitcoin: The important thing to understand is that raw computing power is not what prevents manipulation by double spending.
What is important is the cost of the computing power. It must be costly for an attacker to achieve the power to mine several blocks in a row.
So in Proof of Work, the right to mine blocks is tied to a monetary cost for the miner. The more a miner pays for computing equipment that is able to solve the cryptographic puzzle (mining rigs), the more chances he has to get the right to mine blocks. That is the principle behind Proof of Burn. We also call it minting, because no real work is done. But the brilliant mind that invented Proof of Burn, Iain Stewart, has provided us with an analogy: Burnt coins are mining rigs!
The act of burning coins can be compared to the act of buying a mining rig. In Proof of Burn, every time you burn coins, you buy a virtual mining rig that gives you the power to mine blocks. The more coins you burn, the bigger that virtual mining rig. If you burn coins, you not only get the right to compete for the next block. You burn coins and this raises your chance to get blocks for a long time - at least for a year.
Now, to prevent early adopters from benefitting too much (or attacking the system), the power of burnt coins decays every time a block is mined. But this also mimics mining: Mining rigs eventually become obsolete because better technology becomes available. So miners, to stay competitive, have to renew their equipment from time to time.
The same is true for Proof of Burn: Like in Proof of Work, the block rewards are high enough to allow the participants to make a financial gain (profit) from minting. Proof of Burn has the advantage over Proof of Work that it consumes much less energy. But Proof of Burn also has advantages over Proof of Stake, another consensus method that minimizes energy use. We will cover this point in a later post. The reason is mainly security: Proof of Burn and Proof of Stake alone have some weaknesses, but the mandatory presence of some Proof of Work blocks helps to prevent the exploitation of them.
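To make the Effective Burnt Coins idea from this section concrete, here is an added example (written for this page; it is not Slimcoin's code, and Slimcoin's actual decay constant and scoring formula are not given on the page, so a per-block geometric decay factor of 0.999 and the constructed burn histories are assumptions). It scores each participant's burns by their age in blocks, turns the scores into block-finding probabilities, and compares one large early burn against a participant who keeps renewing a smaller virtual rig:

```python
# Constructed burn histories: (block height at which the coins were burnt, amount).
# "early_whale" burns 1000 coins once at height 0; "renewer" burns 10 coins every
# 100 blocks, 510 coins in total over 5000 blocks. Values are made up for this example.
EXAMPLE_PARTICIPANTS = {
    "early_whale": [(0, 1000.0)],
    "renewer": [(h, 10.0) for h in range(0, 5001, 100)],
}

DECAY_PER_BLOCK = 0.999  # assumed decay factor per mined block (not Slimcoin's constant)


def effective_burnt_coins(burns, height: int, decay: float = DECAY_PER_BLOCK) -> float:
    """Score of one participant at the given height: every burn counts for its amount
    times decay^(blocks elapsed since the burn). Burns from the future do not count."""
    return sum(amount * decay ** (height - burn_height)
               for burn_height, amount in burns if burn_height <= height)


def total_burnt(burns, height: int) -> float:
    """Nominal coins destroyed so far, ignoring decay (what the participant paid)."""
    return sum(amount for burn_height, amount in burns if burn_height <= height)


def block_shares(participants, height: int, decay: float = DECAY_PER_BLOCK) -> dict:
    """Probability of each participant finding the next block, proportional to score."""
    scores = {name: effective_burnt_coins(burns, height, decay)
              for name, burns in participants.items()}
    total = sum(scores.values())
    if total == 0.0:
        return {name: 0.0 for name in scores}
    return {name: score / total for name, score in scores.items()}


def renewer_overtakes_whale(participants=EXAMPLE_PARTICIPANTS, height: int = 5000) -> bool:
    """The point of the decay rule: at height 5000 the renewer, having burnt about half
    as many coins in total, holds a far larger share than the single early burner."""
    shares = block_shares(participants, height)
    paid_less = total_burnt(participants["renewer"], height) < total_burnt(participants["early_whale"], height)
    return paid_less and shares["renewer"] > shares["early_whale"]


if __name__ == "__main__":
    for h in (0, 1000, 5000):
        print(h, {k: round(v, 3) for k, v in block_shares(EXAMPLE_PARTICIPANTS, h).items()})
    print("renewer overtakes early whale:", renewer_overtakes_whale())
```

At height 0 the whale holds essentially all the minting power; by height 5000 its 1000 coins have decayed to under 1% of their original weight, while the renewer's rolling burns keep a score around 100, so an early adopter cannot sit on one large burn forever and whoever wants to keep minting must keep buying "new equipment", which is the behaviour the section describes.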
Proof of burn works like virtual mining: You buy a virtual mining rig if you burn coins.