mersenneforum.org > Fun Stuff > Lounge

Old 2021-02-14, 23:39   #12
R. Gerbicz ("Robert Gerbicz")

Quote:
Originally Posted by LaurV
I could test a range of exponents, and wait patiently one year or so, until the wave reaches them, then jump into it and adjudicate the respective blocks when the time comes. The key of the blockchain is not the "crypto" part, that provides the safety, but the key is the randomness,
...
As the blocks are hundreds of bits, you cannot prepare the nonces in advance for them. Which is not the case for prime hunting, unless some more clever guy here comes up with the math... I could make a "secret database" of LL tests and TF/P-1/ECM factors in advance, and if the opportunity appears, pump them into the chain; no one will stop me.
Interesting topic. Still don't see a way; my failed approach in the PRP(!) setup:

The key idea is to change the base after a successful mining to a random base with say 64 bits.
And then the new task would be to compute res=base^(2^p) mod mp, the score of this task would be the number of trailing zeroes.
Notice that all ongoing computation is still using their "old" base and they get their score for that base, so there is no point to halt their calculation in the middle if someone else mined out [and there is absolutely no point to start a new calc using the new base, because the expected score would be the same].
We can easily verify the computation, and so their score, with the proof scheme, so there would be no cheating.
And you can stack up your computers with precalculated base^(2^p) mod mp trash res values, as it is quite hopeless calculating the res from different bases [we could use prime values as base, but this is not needed]. Unless...

The "only" problem with the factored Mersenne numbers:
if mp is a Mersenne prime then we can still handle this, because res=base^2, so just use only odd bases, and their score will be zero.
The bigger problem would be the (fully) factored non-Mersenne primes: with CRT you can get "easily" res for any base. And that is the problem: a cheater could keep the secret that he factorized mp, cracking the system. I don't see how the cheater could send a proof without doing all p iterations, but even (re)doing it with any base is still fine for the cheater.
Right? To sum up: OK, there are not a lot of factored Mersenne numbers (even in the future), but this is a real hole in my method.

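The scoring task from post #12 (res = base^(2^p) mod Mp, score = number of trailing zero bits, restated in #20) and the two holes Robert describes, worked through as an added example. This is illustrative Python written for this page, not code from the thread or from GIMPS. The exponents p = 11 (M11 = 2047 = 23·89) and p = 13 (M13 = 8191, prime) and the bases are chosen tiny so that the honest p-squaring path runs instantly; the CRT shortcut assumes Mp is squarefree, for which no counterexample with prime p is known.

```python
# Added example, not code from the thread: Gerbicz's scoring task and the
# prime-Mp and factored-Mp holes.  Sizes are tiny so everything runs at once.


def mersenne(p: int) -> int:
    """Mp = 2^p - 1."""
    return (1 << p) - 1


def res_honest(base: int, p: int) -> int:
    """The miner's work: p successive squarings of base mod Mp, which is the
    only way to get res = base^(2^p) mod Mp without knowing anything about Mp."""
    mp = mersenne(p)
    x = base % mp
    for _ in range(p):
        x = x * x % mp
    return x


def score(res: int) -> int:
    """Number of trailing zero bits of res (the post's score).  It is finite
    because res != 0 for 0 < base < Mp, as remarked in #20."""
    if res == 0:
        raise ValueError("res is zero; score would be infinite")
    return (res & -res).bit_length() - 1


def res_if_mp_prime(base: int, p: int) -> int:
    """Hole 1: if Mp is prime, Fermat gives base^(2^p) = base^2 mod Mp because
    2^p = 2 mod (Mp - 1).  For a 64-bit odd base and a large Mp this is just
    the odd integer base^2, so the score is 0; hence 'use only odd bases'."""
    mp = mersenne(p)
    return base * base % mp


def res_via_crt(base: int, p: int, prime_factors: list) -> int:
    """Hole 2: a cheater holding the complete factorization of a composite Mp
    computes res mod each prime q with the exponent reduced mod q-1 (Fermat),
    then recombines by CRT.  O(log) small modular multiplications replace p
    full-size squarings.  Assumes Mp is squarefree (no counterexample known)."""
    mp = mersenne(p)
    prod = 1
    for q in prime_factors:
        prod *= q
    if prod != mp:
        raise ValueError("factor list does not multiply to Mp")
    x, m = 0, 1  # running CRT solution: x is the answer mod m
    for q in prime_factors:
        b = base % q
        # b^(2^p) = b^(2^p mod (q-1)) mod q whenever q does not divide b
        r = 0 if b == 0 else pow(b, pow(2, p, q - 1), q)
        # lift x from mod m to mod m*q so that it also equals r mod q
        t = (r - x) * pow(m, -1, q) % q
        x += m * t
        m *= q
    return x % mp


if __name__ == "__main__":
    # M11 is fully factored: the cheater's shortcut reproduces the honest res.
    honest = res_honest(3, 11)
    print(honest, score(honest), res_via_crt(3, 11, [23, 89]))
    # M13 is prime: res collapses to base^2; odd base gives score 0.
    print(res_honest(5, 13), res_if_mp_prime(5, 13), score(res_honest(5, 13)))
```

For p = 11 and base 3 the Fermat reductions are 3^2 mod 23 = 9 and 3^24 mod 89 = 39, and CRT yields 929, exactly what the eleven honest squarings produce; for real sizes the honest path is p squarings of a p-bit number while the CRT path costs a handful of 64-bit operations, which is the hole the post describes.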
Old 2021-02-15, 00:59   #13
chalsall ("Chris Halsall")

Quote:
Originally Posted by R. Gerbicz
Interesting topic. Still don't see a way; my failed approach in the PRP(!) setup:
Thanks for that. Sincerely...

Someone somewhere brought up an interesting point recently... "How does Musk square the circle wrt the carbon cost of Bitcoin?"

The answer, of course, is this isn't really meant for transactions (by definition, it doesn't scale), but rather for holding.

Much like Gold.
Old 2021-02-15, 06:01   #14
LaurV

Quote:
Originally Posted by R. Gerbicz
The key idea is to change the base after a successful mining to a random base with say 64 bits.
And then the new task would be to compute res=base^(2^p) mod mp, the score of this task would be the number of trailing zeroes.
Notice that all ongoing computation is still using their "old" base and they get their score for that base, so there is no point to halt their calculation in the middle if someone else mined out [and there is absolutely no point to start a new calc using the new base, because the expected score would be the same].
We can easily verify the computation, and so their score, with the proof scheme, so there would be no cheating.
That is actually an interesting idea, in the sense that it will render all the poaching futile (I don't know if this is good or bad; probably it is good, if the server enforces the expiration times harder, otherwise we end up with locked expos). You may get the base when you get the assignment, and get the coins when this is certified. Poachers may still report or verify results, but they won't be able to match the base, so they won't get the coins. Also, the cert may be part of the mining incentives (you get a little bit of mertoshi - that is satoshi for mersennes, haha - when you verify work). But some more detail of the math is needed, to understand how exactly it works.

Old 2021-02-15, 06:30   #15
retina

To be a currency it needs to have the ability to be traded; bought and sold. Otherwise it is just ordinary credit which we already have in place.

So no double spending. No forging. No duplicating. etc. If you can do any of those things then it is not so good as a currency.
Old 2021-02-15, 09:06   #16
LaurV

Well, two of the three are taken care of by the blockchain. Duplicating is easy to avoid, as you don't get credit for work which was done before (by yourself or someone else). Maybe you referred to "double spending", which is different, and I assume you did so. We are talking here about what you call "forging", or getting the currency without doing the (Gimps-related) work. We could very easily do a blockchain with all the actual credit we have, add some hash to it, and start spending it**. Any shit information can be added to the blockchain and called "money", and used for trade. Bitcoins are nothing special; they are some numbers, added to your wallet, which you can spend. Please give them all to me. Everybody can see how many "numbers" you have and how you "spend" them. It's the mining process that certifies the transactions, adds money to the pool, and avoids double spending. Mining takes a lot of time and computing resources doing "futile" calculations (hashes). It is the costly hash procedure that avoids forging. The question is how to change these calculations to be useful (gimps-related) and yet not easy to "forge", i.e. I should not be able to compute for one whole year and collect the results (i.e. hoarding them in secret), then "forge" them into circulation as coins when the opportunity appears. Because you either spend the ticks to hash, or you spend the ticks to PRP; you can't do both, unless you use two machines.

Before, with LL, I could not see this as possible. But now, with PRP and certification, it may be possible. You can introduce a "randomness" there (the base), for example. Before, with LL, you had the random shift, but that was nothing like a hash, because it was easy to "reverse": you could compute the LL residue in advance, and once you got the shift from the server, compute the final shift (just a rotation of 1 on p bits and one multiplication) and compute the final residue, without any time wasted. That could not constitute a proof-of-work.

------
** I don't advocate that we have to do that, it would be silly. It was just an example.

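LaurV's point about the old LL random shift, as an added example in Python written for this page (not code from the thread or from Prime95). It models the shift mechanism as the post describes it: the start value is multiplied by 2^shift mod Mp, which is a bit rotation within p bits; squaring doubles the shift each iteration, so the "-2" has to be applied shifted as well. The consequence is that the final shifted residue is a single rotation of the unshifted residue, so anyone holding a precomputed unshifted residue can answer any shift the server hands out in constant time. The exponents used (p = 11, 13, 23) are tiny so the full LL runs are instant.

```python
# Added example, not from the thread: a model of the LL "random shift" and
# why it gives no precomputation resistance.


def mersenne(p: int) -> int:
    """Mp = 2^p - 1."""
    return (1 << p) - 1


def rotl(x: int, s: int, p: int) -> int:
    """x * 2^s mod Mp for 0 <= x < Mp is a left rotation by s within p bits,
    because 2^p = 1 mod Mp."""
    s %= p
    mp = mersenne(p)
    return ((x << s) | (x >> (p - s))) & mp


def ll_residue(p: int) -> int:
    """Plain Lucas-Lehmer: x0 = 4, x_{k+1} = x_k^2 - 2 mod Mp, p-2 steps.
    Mp is prime iff the result is 0."""
    mp = mersenne(p)
    x = 4
    for _ in range(p - 2):
        x = (x * x - 2) % mp
    return x


def ll_residue_shifted(p: int, shift: int) -> tuple:
    """Lucas-Lehmer started from 4 * 2^shift mod Mp, i.e. with a server-supplied
    shift applied.  Since (x*2^s)^2 - 2*2^(2s) = (x^2 - 2)*2^(2s), the shift
    doubles mod p every iteration and the constant 2 is subtracted shifted.
    Returns (final value, final shift)."""
    mp = mersenne(p)
    s = shift % p
    x = rotl(4, s, p)
    for _ in range(p - 2):
        x = (x * x - rotl(2, 2 * s, p)) % mp
        s = 2 * s % p
    return x, s


def forge_shifted_residue(unshifted_res: int, shift: int, p: int) -> int:
    """What a hoarder does: take the unshifted residue computed long ago and
    the shift just received, and produce the shifted residue with one rotation.
    After p-2 doublings the shift is shift * 2^(p-2) mod p."""
    final_shift = shift * pow(2, p - 2, p) % p
    return rotl(unshifted_res, final_shift, p)


if __name__ == "__main__":
    for p, shift in ((11, 3), (23, 7), (13, 5)):
        honest, s_final = ll_residue_shifted(p, shift)
        forged = forge_shifted_residue(ll_residue(p), shift, p)
        print(p, shift, s_final, honest, forged, honest == forged)
```

The forged residue matches the honestly shifted run in every case, which is why the shift never stopped a "secret database" of LL results from being cashed in later; the PRP base proposed in #12 changes the value being exponentiated rather than only its bit position, which is what makes that trick unavailable there.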
Old 2021-02-15, 09:46   #17
retina

It would also need to avoid the 50%+1 problem.

Could Ben/Facebook/Some_government/DDoS (or someone that hacks their setup) take over the currency with a 50%+1 attack?

How much wasted work would need to be done to validate, manage and verify all the work to make sure it complies? Will users start competing against each other (like bitcoin does) and do lots of wasted work to get the next coin?
Old 2021-02-15, 11:24   #18
M344587487 ("Composite as Heck")

Quote:
Originally Posted by chalsall
And, then suddenly, everything got quiet.

Nature abhors a vacuum...
And when you point out the silence there's discussion. Sod's law :P

Quote:
Originally Posted by R. Gerbicz
Interesting topic. Still don't see a way; my failed approach in the PRP(!) setup:

The key idea is to change the base after a successful mining to a random base with say 64 bits.
And then the new task would be to compute res=base^(2^p) mod mp, the score of this task would be the number of trailing zeroes.
Notice that all ongoing computation is still using their "old" base and they get their score for that base, so there is no point to halt their calculation in the middle if someone else mined out [and there is absolutely no point to start a new calc using the new base, because the expected score would be the same].
We can easily verify the computation, and so their score, with the proof scheme, so there would be no cheating.
And you can stack up your computers with precalculated base^(2^p) mod mp trash res values, as it is quite hopeless calculating the res from different bases [we could use prime values as base, but this is not needed]. Unless...

The "only" problem with the factored Mersenne numbers:
if mp is a Mersenne prime then we can still handle this, because res=base^2, so just use only odd bases, and their score will be zero.
The bigger problem would be the (fully) factored non-Mersenne primes: with CRT you can get "easily" res for any base. And that is the problem: a cheater could keep the secret that he factorized mp, cracking the system. I don't see how the cheater could send a proof without doing all p iterations, but even (re)doing it with any base is still fine for the cheater.
Right? To sum up: OK, there are not a lot of factored Mersenne numbers (even in the future), but this is a real hole in my method.
I'm not following what you mean by score; when you say trailing zeroes it makes me think of how bitcoin varies difficulty by requiring a certain number of zero bits at the end of a hash. For us, difficulty can easily be altered by varying the iteration count for a chunk of work, the goal, as with bitcoin, being to emit blocks at a somewhat consistent rate.

Each node on the network validates blocks before adding them to the chain. I don't see how a cheater can utilise trash res values without a 51% attack, which is a weakness of any crypto.

Are we in agreement as to the basic structure of a workable solution? I.e. a chunk of PRP as PoW for a block, and a lossless transformation at the start of a chunk designed to eliminate pre-computation by making proof files inconvertible, using the hash of the previous block and the next block's header as a random seed.

Quote:
Originally Posted by chalsall
Thanks for that. Sincerely...

Someone somewhere brought up an interesting point recently... "How does Musk square the circle wrt the carbon cost of Bitcoin?"

The answer, of course, is this isn't really meant for transactions (by definition, it doesn't scale), but rather for holding.

Much like Gold.
All you need is the vague goal of scalability at some future date and you're golden. Much like Ethereum has had the vague goal of switching from PoW to PoS yet here we are 4 years later in a third mining boom.

Quote:
Originally Posted by retina
To be a currency it needs to have the ability to be traded; bought and sold. Otherwise it is just ordinary credit which we already have in place.

So no double spending. No forging. No duplicating. etc. If you can do any of those things then it is not so good as a currency.
Building a crypto following from grassroots is hard, getting on a reputable exchange is next to impossible and getting on the dodgy exchanges is not ideal. Creating an ERC20 token is the easiest path to adoption as there is a decentralised exchange for Ethereum tokens, but that's not possible when the whole point is doing useful work. Adoption is the real killer, better get the megaphone out and start evangelising ;)

Quote:
Originally Posted by retina
It would also need to avoid the 50%+1 problem.

Could Ben/Facebook/Some_government/DDoS (or someone that hacks their setup) take over the currency with a 50%+1 attack?

How much wasted work would need to be done to validate, manage and verify all the work to make sure it complies? Will users start competing against each other (like bitcoin does) and do lots of wasted work to get the next coin?
As each node on the network validates blocks they all need to validate every proof file, so choosing an efficient proof file setting helps. A miner isn't (usually) a node, typically a miner joins a pool and the pool is the node. Users competing on the same work can be mitigated by having multiple exponents in-progress as I outlined earlier.

Building slightly on my idea:
  • TF/P-1 cannot be used as PoW but it could be encoded into the blockchain. There has to be a mechanism that adds off-chain data to the chain, otherwise at some point the chain will start doing PRP on exponents that have been ruled out elsewhere. It could be built into the code of the nodes to query GIMPS for new off-chain results to onboard it
  • At genesis the state of all exponents within a range is known, to avoid redoing work known to be completed at time of creation
  • The chain can start at a range nowhere near the wavefront so that the chain and GIMPS don't trip over each other when GIMPS is not yet aware of the chain
  • The chain can be parsed easily by GIMPS to add on-chain data to GIMPS. Exponents in the near future of the chain can be avoided by GIMPS to avoid in-progress overlap
Old 2021-02-15, 16:03   #19
LaurV

Quote:
Originally Posted by M344587487
For us difficulty can easily be altered by varying iteration count for a chunk of work, the goal as with bitcoin to emit blocks at a somewhat consistent rate.
Nope. Then slow computers will have no chance, and the coins will always be collected by the guys with the big guns. Not fair.

Still reading your post, didn't finish all.
Old 2021-02-15, 17:10   #20
R. Gerbicz ("Robert Gerbicz")

Quote:
Originally Posted by LaurV
You may get the base when you get the assignment, and get the coins when this is certified.
Oh yes, that is even better than what I've written, and maybe: forcing that the server wouldn't give out the same prime exponent twice per day. In this way even if you have a fully factorized mp you would need to wait a long time to see a high score [because on each day you reserve and then unreserve the exponent if you see a low score for this p]. And of course on each day you get a different base for the same exponent.

Quote:
Originally Posted by M344587487
I'm not following what you mean by score, when you say trailing zeroes it makes me think of how bitcoin varies difficulty by requiring a certain number of zero bits at the end of a hash.
The score is the number of trailing zero bits in res=base^(2^p) mod mp [this can't be infinite as res!=0 for base<mp].
Old 2021-02-15, 20:26   #21
M344587487 ("Composite as Heck")

Quote:
Originally Posted by LaurV
Nope. Then slow computers will have no chance, and the coins will always be collected by the guys with the big guns. Not fair.

Still reading your post, didn't finish all.
That's covered by having multiple in-progress exponents and incentivising including others' results in your block. Here's a breakdown that might be as clear as mud:
  • Only blocks that reference the current head of the chain have the potential to be the next head of the chain, otherwise it isn't a chain. You're correct that this means that only fast computers can mint blocks
  • Miners that don't win the race do not discard the work they've done, they continue until the work is complete and offer up the result for a minter to include in their next block
  • When your work is included in someone else's block, you get the reward for the work. This is why you reference the header of your block as well as a previous block to seed your work, the address to send your reward is encoded in the work you've done so someone else can't come along and try to pass your work off as their own
  • There has to be a small incentive for a minter to include your result in their block, as well as the normal incentive a minter has to include transactions
  • There has to be a difficulty variable if the goal is to adapt to mining power to emit blocks consistently. This isn't strictly necessary for a coin that isn't meant as a realtime currency, but wild swings in block output based on mining power are probably not a good thing to let happen unchecked


Anything I've theorised to date has been purely PoW. Another option is a hybrid PoS + PoW coin, where:
  • PoS is used by nodes to verify blocks. People holding coins can verify blocks to be added to the chain and get a cut of the transaction fees and a reward for verifying proofs
  • Known factors are also added to blocks by nodes to keep the chain and nodes synchronised, limited to a sliding window beyond the pending exponents to avoid a flood of unnecessary factors being encoded
  • Blocks can be output consistently or as efficiency demands (wait until there's enough transactions and results to far outweigh the overhead of creating a new block)
  • PoW is used by miners doing PRP testing, as described above to verifiably link work done to the one doing it. There is no longer an incentive to be the fastest computer to get the minting rewards as a miner does not mint, but the usual benefits of having better hardware apply
  • Basically a re-implementation of GIMPS credit as a cryptocurrency, where PoS holders verify and mint new coins to arbitrary addresses instead of a centralised server doling out feel-good numbers to registered members


PoS, like PoW, has been figured out at this point, with positives and negatives that apply to any coin that uses it. One of the main negatives for a PoS coin is that early adopters tend to hoard coins for PoS. For a coin that actually does something other than just be a speculative greed machine, that's a positive for the health of the coin: the early adopters are in it for the primes, with the benefits of using crypto being a secondary concern.
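The block binding M344587487 sketches in #18 (work seeded from the hash of the previous block and the block's own header) and #21 (the payout address is encoded in the work, so nobody can pass your result off as their own), combined with the per-assignment base from #12 and #14, as an added example in Python written for this page; it is not code from the thread. The header layout, the SHA-256 derivation of a 64-bit base, the tiny exponent p = 67 (M67 is composite) and a verifier that simply redoes the work instead of checking a PRP proof file are all simplifications chosen here for illustration.

```python
# Added example, not from the thread: tying PRP work to the chain head and to
# the miner's reward address through the base.  Hypothetical formats throughout.

import hashlib


def mersenne(p: int) -> int:
    """Mp = 2^p - 1."""
    return (1 << p) - 1


def derive_base(prev_block_hash: bytes, header: bytes) -> int:
    """Hypothetical seed: a 64-bit base from SHA-256 over the previous block's
    hash and this block's header.  Forced odd so that if Mp happens to be
    prime the score collapses to 0 (the #12 remark) instead of leaking
    trailing zeros of an even base."""
    digest = hashlib.sha256(prev_block_hash + header).digest()
    return int.from_bytes(digest[:8], "big") | 1


def prp_work(base: int, p: int) -> int:
    """The PoW itself: res = base^(2^p) mod Mp by p squarings."""
    mp = mersenne(p)
    x = base % mp
    for _ in range(p):
        x = x * x % mp
    return x


def make_header(p: int, reward_address: bytes) -> bytes:
    """Hypothetical minimal header: exponent being tested and payout address."""
    return b"p=%d;reward=%s" % (p, reward_address)


def mine_block(prev_block_hash: bytes, p: int, reward_address: bytes) -> dict:
    """Honest miner: commit to head and address first, then do the work."""
    header = make_header(p, reward_address)
    base = derive_base(prev_block_hash, header)
    return {"prev": prev_block_hash, "header": header, "p": p,
            "res": prp_work(base, p)}


def verify_block(block: dict) -> bool:
    """A node recomputes the base from the committed inputs and checks res.
    The thread assumes the PRP proof scheme makes this cheap; here the small
    work is simply redone."""
    base = derive_base(block["prev"], block["header"])
    return prp_work(base, block["p"]) == block["res"]


def block_hash(block: dict) -> bytes:
    """Hash of a block, used as 'prev' by the next one."""
    res_bytes = block["res"].to_bytes(block["p"] // 8 + 1, "big")
    return hashlib.sha256(block["prev"] + block["header"] + res_bytes).digest()


def steal_attempt(block: dict, thief_address: bytes) -> dict:
    """A poacher copies someone's res and rewrites the payout address."""
    stolen = dict(block)
    stolen["header"] = make_header(block["p"], thief_address)
    return stolen


def hoard_attempt(block: dict, new_prev: bytes) -> dict:
    """A hoarder tries to attach work done against an old head to a new head."""
    moved = dict(block)
    moved["prev"] = new_prev
    return moved


if __name__ == "__main__":
    genesis = b"\x00" * 32  # constructed stand-in for the previous block hash
    blk = mine_block(genesis, 67, b"alice")
    print("honest block verifies:", verify_block(blk))
    print("address swap verifies:", verify_block(steal_attempt(blk, b"mallory")))
    print("moved to new head verifies:", verify_block(hoard_attempt(blk, block_hash(blk))))
```

Changing either the payout address or the head the work was seeded from changes the base, so the stored res no longer matches and the block is rejected; the only way to produce a valid res for the new inputs is to redo the p squarings, which is the precomputation resistance the proposal is after. The remaining weaknesses are the ones already raised in the thread: a fully factored Mp (the CRT shortcut in #12) and a 51% majority.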
Old 2021-02-16, 06:47   #22
LaurV

The million bitcoin question: how to call our currency?

If we (that's you all, because I don't have such talents) come up with a nice name that we like, then we may try to put some math together, or some tentative implementation for testing.

Up to now I only have stupid names in mind. Mersenne coin is a mouthful and it sounds ugly... We won't waste the time on some coin with no catchy name. Something like wooze, or geez haha, marketing style...
C'mon, I know there are so many clever people here!