<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>I started writing this
      <a class="moz-txt-link-freetext" href="https://gist.github.com/Ayms/aab6f8e08fef0792ab3448f542a826bf">https://gist.github.com/Ayms/aab6f8e08fef0792ab3448f542a826bf</a> some
      time ago, but stopped since I was under the impression that this
      was of very little interest for the Bitcoin community.</p>
    <p>It's not final and finished at all, but since I wrote it and
      don't have plans right now to pursue it, I placed it in a gist and
      am publishing the link. Probably not everything is correct and this
      does not cover everything, but it can maybe give some ideas (which
      are for some the combination of concepts from former/other projects)
      that could be reused, addressing:</p>
    <p>- incentive to run full nodes</p>
    <p>- make sure that they are indeed full nodes</p>
    <p>- make sure that they participate in the network and are
      efficient enough<br>
    </p>
    <p>- make sure that they don't collude in pools to get the rewards
      and are independent<br>
    </p>
    <p>- quickly set up a full node (incremental torrent-like download)</p>
    <p>As this was written, this was supposed to add some modifications
      to the Bitcoin protocol, but I don't think that's necessarily a
      good idea; most likely this can be handled via sidechains and/or
      external systems.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 13/02/2017 at 15:48, Sergio Demian
      Lerner via bitcoin-dev wrote:<br>
    </div>
    <blockquote
cite="mid:CAKzdR-p25HXQty_o0y+rS2dBz568tCjyW9kvAoBJxJuii8k9eA@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Mon, Feb 13, 2017 at 8:58 AM, John
            Hardy <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:john@seebitcoin.com" target="_blank">john@seebitcoin.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div
                  id="gmail-m_2300798131680571998divtagdefaultwrapper"
style="font-size:12pt;color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif"
                  dir="ltr">
                  <p>Hi Sergio,</p>
                  <p><br>
                  </p>
                  <p>Thanks for your response, interesting work, very
                    excited for RSK.</p>
                  <p><br>
                  </p>
                  <p>I like the ephemeral payload, I suppose that aspect
                    of my proposal could be described as
                    ephemeral blockspace.</p>
                  <p><br>
                  </p>
                  <p>I'm curious about the challenge phase, what
                    incentive do nodes have to check other nodes'
                    responses?</p>
                </div>
              </div>
            </blockquote>
            <div>The reward is split between all full nodes. Therefore
              each full node has an incentive to check at least some
              other full nodes' responses because there is a competition
              for the full node reward. At the end, each full node
              response will be checked by more than one other node with
              high probability. Also each full node does a small
              pre-deposit, that is consumed if the node cheats.</div>
            <div><br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div
                  id="gmail-m_2300798131680571998divtagdefaultwrapper"
style="font-size:12pt;color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif"
                  dir="ltr">
                  <p> Is any validation of responses mandatory, or does
                    policing the system rely on altruism?</p>
                  <p><br>
                  </p>
                </div>
              </div>
            </blockquote>
            <div>As previously said,  validation is not mandatory.</div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div
                  id="gmail-m_2300798131680571998divtagdefaultwrapper"
style="font-size:12pt;color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif"
                  dir="ltr">
                  <p>
                  </p>
                  <p>I also wondered how time-based responses are
                    enforced? What prevents a miner censoring challenge
                    responses so they do not get included in a block 'in
                    time' - if  inclusion within a block is the
                    mechanism used?</p>
                </div>
              </div>
            </blockquote>
            <div>There are not many defenses against censorship but try
              to hide your identity until the end of the protocol. But
              if somebody knows that your transactions belong to you,
              then there is little defense. We just wait more than a
              single block for the commitments, so several miners must
              collude in order to censor a transaction. </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div
                  id="gmail-m_2300798131680571998divtagdefaultwrapper"
style="font-size:12pt;color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif"
                  dir="ltr">
                  <p><br>
                  </p>
                  <p>I saw your tweet on Lumino - sounds very promising.
                    Would be keen to take a look at the paper if you're
                    looking for any additional review at this stage.</p>
                </div>
              </div>
            </blockquote>
            <div>I'm keeping it private against all my desire because I
              want it to be reviewed before I publish it. Credibility is
              very easily lost. </div>
            <div>The same idea (Ephemeral Data) has been used to design
              the Lumino Network.<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">
                <div
                  id="gmail-m_2300798131680571998divtagdefaultwrapper"
style="font-size:12pt;color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif"
                  dir="ltr">
                  <p><br>
                  </p>
                  <p>Regards,</p>
                  <p><br>
                  </p>
                  <p>John Hardy</p>
                  <br>
                  <br>
                  <div style="color:rgb(0,0,0)">
                    <hr style="display:inline-block;width:98%">
                    <div id="gmail-m_2300798131680571998divRplyFwdMsg"
                      dir="ltr"><font style="font-size:11pt"
                        face="Calibri, sans-serif" color="#000000"><b>From:</b>
                        Sergio Demian Lerner &lt;<a
                          moz-do-not-send="true"
                          href="mailto:sergio.d.lerner@gmail.com"
                          target="_blank">sergio.d.lerner@gmail.com</a>&gt;<br>
                        <b>Sent:</b> Sunday, February 12, 2017 8:22 PM<br>
                        <b>To:</b> John Hardy; Bitcoin Protocol
                        Discussion<br>
                        <b>Subject:</b> Re: [bitcoin-dev] Proof of
                        Nodework (PoNW) - a method to trustlessly reward
                        nodes for storing and verifying the blockchain</font>
                      <div> </div>
                    </div>
                    <div>
                      <div class="gmail-h5">
                        <div>
                          <div dir="ltr">Hi John,
                            <div> RSK platform (a Bitcoin sidechain) is
                              already prepared to do something similar
                              to this, although very efficiently. We set
                              apart 1% of the block reward to
                              automatically reward full nodes.</div>
                            <div><br>
                            </div>
                            <div>We have two systems being evaluated:
                              the first is based on PoUBS (Proof of
                              Unique Blockchain Storage) which uses
                              asymmetric-time operations to encode the
                              blockchain based on each user's public key
                              such that decoding is fast, but encoding
                              is slow. The second is more traditional
                              proof of retrievability, but it requires
                              some ASIC-resistance assumptions. </div>
                            <div><br>
                            </div>
                            <div>In both cases, a special smart contract
                              is being called at every block that
                              creates periodic challenges. Every full
                              node that wants to participate can submit
                              a commitment to the Merkle hash root of a
                              pseudo-random sequence of encoded blocks.
                              Then the smart contract chooses random
                              elements from the committed dataset, and
                              each full node has a period to submit
                              Merkle-proofs that such random elements
                              belong to the commitment.</div>
                            <div><br>
                            </div>
                            <div>To prevent blockchain bloat we designed
                              a very cool new type of transaction
                              payload: Ephemeral Payload. Ephemeral
                              payload is a payload in a transaction that
                              gets discarded after N blocks if no smart
                              contract does reference it. If it does,
                              it's solidified forever in the blockchain.</div>
                            <div>Then there is a challenge phase where
                              other full nodes can inform the smart
                              contract if they find an error in the
                              submitted responses. Then the smart
                              contract ONLY evaluates the responses
                              which have been questioned by users.</div>
                            <div><br>
                            </div>
                            <div>This way the smart contract does very
                              little computation (only when a user
                              misbehaves) and the blockchain normally
                              does not store any proof forever (only the
                              ones created by misbehaving users).</div>
                            <div><br>
                            </div>
                            <div>Because RSK/Rootstock has a very short
                              block interval (10 seconds), all this
                              happens very quickly and does not require
                              much computation. </div>
                            <div><br>
                            </div>
                            <div>Best regards,<br>
                            </div>
                            <div> Sergio Lerner</div>
                            <div> Chief Scientist RSK (aka Rootstock)</div>
                            <div><br>
                            </div>
                          </div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Tue, Feb 7, 2017
                              at 8:27 AM, John Hardy via bitcoin-dev
                              <span dir="ltr">&lt;<a
                                  moz-do-not-send="true"
                                  href="mailto:bitcoin-dev@lists.linuxfoundation.org"
                                  target="_blank">bitcoin-dev@lists.<wbr>linuxfoundation.org</a>&gt;</span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0px 0px 0px
                                0.8ex;border-left:1px solid
                                rgb(204,204,204);padding-left:1ex">
                                <div dir="ltr">
                                  <div
id="gmail-m_2300798131680571998m_8783055025000134944divtagdefaultwrapper"
                                    dir="ltr"
style="font-size:12pt;color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif">
                                    <p><span
id="gmail-m_2300798131680571998m_8783055025000134944docs-internal-guid-4ac5038f-1853-2d21-3f80-3a53c5100e51"></span></p>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Proof of Nodework (PoNW) is a way to reward individual nodes
 for keeping a full copy of and verifying the blockchain.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Hopefully they also do useful ‘traditional’ node activities
 too like relay transactions and blocks, but there isn’t really any way I can think of to trustlessly verify this also.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">PoNW would require a new separate area of block space, a nodeblock,
 purely concerned with administering the system. A nodeblock is committed to a block as with SegWit. A recent history of nodeblocks needs to be stored by nodes, however the data eventually becomes obsolete and so does not need to be retained forever.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">In order to prevent Sybil, a node must register a Bitcoin
 address by submitting an addNode transaction - along with a security deposit to prevent cheating.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">This transaction will be stored in the nodeblock. Once a node
 can see that its addNode transaction has been added it can begin the PoNW process. The node’s registered address will be hashed with the block header of the block it wants to work on. This will determine exactly where within the blockchain to begin the PoNW.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">The PoNW method could be as simple as creating a Merkle tree
 from the randomly generated point on the blockchain, though a method that is CPU/Memory heavy and less likely to be replaced by dedicated hardware like ASICs would be better. This process could not begin until the most recent block has been fully verified,
 and while being carried out should still enable normal relay activities to proceed as normal, since it shouldn’t tie up network at all. The data processed should also be mixed with data from the latest block so that it cannot be computed in advance.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">A node can do as much PoNW for a block as it likes. Once finished
 it will then create a nodeWorkComplete transaction for that block with its final proof value, add how much ‘work’ it did - and create a couple of assertions about what it processed (such as there were x number of pieces of data matching a particular value
 during calculating). These assertions can be accurate or inaccurate.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">The system will run in epochs. During each epoch of say 2016
 blocks, there will be an extended window for PoNW transactions to be added to nodeblocks to limit minor censorship.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">The random hash generated from a node’s address and blockhash
 will also be used to determine nodeWorkComplete transactions from a previous block that the node must also verify, and correctly calculate whether the assertions it made were true or false. The average PoNW that a node performed in its previous x nodeblocks
 will be used to determine the target PoNW for the node to verify - and this will randomly be a large number of smaller PoNW transactions, or a smaller number of large PoNW. This process will be deterministic based on that block and address hash. All the data
 will be put together in a transaction and then signed by the node address's private key.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">If a nodeWorkComplete transaction contains any incorrect information
 in an attempt to cheat the validation process a challenge transaction can be created. This begins a refereeing process where other nodes check the challenge and vote whether it is to be upheld or not. The losing node is punished by losing their accrued PoNW
 for that epoch and a percentage of their security deposit.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Nodes will also be punished if they broadcast more than one
 signed transaction per block.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">In order to prevent nodes from having multiple keys registered
 - which would enable them to choose to perform PoNW on a subset of the data that they hold - the share of reward that the node gets will be multiplied based on the number of blocks within an epoch that the node performs PoNW on. The share of reward is limited
 based on how much security deposit has been staked. The higher the PoNW the higher the deposit needed in order to claim their full allocation of any reward.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">At the end of an epoch, with a wait period for any delayed
 or censored transactions or challenges to be included and settled up, the process of calculating the reward each node is due can begin. This will then be paid in a regular block, and means for all the data involved in PoNW, the only permanent mark it
 makes on the main blockchain is for a transaction that pays all addresses their share of the reward at the end of epoch. Any miner who creates a block without correctly calculating and paying the due reward will have mined an invalid block and be orphaned.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">The question of where and how much the reward comes from is
 a different one. It could come from the existing miner reward, or a special new tx donation fee for nodes. If there was some way for users to ‘donate’ to the reward pool for nodes this would increase the incentive for additional nodes to participate on the
 network in the event of centralisation.</span></p>
                                    <br>
                                    <p dir="ltr"
                                      style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">This is a relatively effective way to create a reward for all
 nodes participating on a network. I’d be keen to field any questions or critiques.</span></p>
                                    <div><span style="font-size:11pt;font-family:arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">

</span></div>
                                    Thanks,
                                    <p><br>
                                    </p>
                                    <p>John Hardy</p>
                                    <p><a moz-do-not-send="true"
                                        href="mailto:john@seebitcoin.com"
                                        target="_blank">john@seebitcoin.com</a></p>
                                  </div>
                                </div>
                                <br>
                                ______________________________<wbr>_________________<br>
                                bitcoin-dev mailing list<br>
                                <a moz-do-not-send="true"
                                  href="mailto:bitcoin-dev@lists.linuxfoundation.org"
                                  target="_blank">bitcoin-dev@lists.linuxfoundat<wbr>ion.org</a><br>
                                <a moz-do-not-send="true"
                                  href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev"
                                  rel="noreferrer" target="_blank">https://lists.linuxfoundation.<wbr>org/mailman/listinfo/bitcoin-d<wbr>ev</a><br>
                                <br>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Zcash wallets made simple: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/zcash-wallets">https://github.com/Ayms/zcash-wallets</a>
Bitcoin wallets made simple: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/bitcoin-wallets">https://github.com/Ayms/bitcoin-wallets</a>
Get the torrent dynamic blocklist: <a class="moz-txt-link-freetext" href="http://peersm.com/getblocklist">http://peersm.com/getblocklist</a>
Check the 10 M passwords list: <a class="moz-txt-link-freetext" href="http://peersm.com/findmyass">http://peersm.com/findmyass</a>
Anti-spies and private torrents, dynamic blocklist: <a class="moz-txt-link-freetext" href="http://torrent-live.org">http://torrent-live.org</a>
Peersm : <a class="moz-txt-link-freetext" href="http://www.peersm.com">http://www.peersm.com</a>
torrent-live: <a class="moz-txt-link-freetext" href="https://github.com/Ayms/torrent-live">https://github.com/Ayms/torrent-live</a>
node-Tor : <a class="moz-txt-link-freetext" href="https://www.github.com/Ayms/node-Tor">https://www.github.com/Ayms/node-Tor</a>
GitHub : <a class="moz-txt-link-freetext" href="https://www.github.com/Ayms">https://www.github.com/Ayms</a></pre>
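    <p>The commit, challenge and Merkle-proof round described in the
      quoted thread, as an added Python sketch; it is not RSK's code and
      not code from any message in this thread. The names audit, encode,
      decode and PAD are hypothetical, and encode is a trivial stand-in
      for the per-node encoding, which the thread does not specify.</p>
    <pre>
```python
import hashlib

def H(data):
    return hashlib.sha256(data).digest()

PAD = H(b"\x02pad")  # filler sibling when a level has an odd number of nodes

def leaf(item):
    return H(b"\x00" + item)  # domain-separated so a leaf cannot pose as an inner node

def parent(left, right):
    return H(b"\x01" + left + right)

def encode(node_key, block):
    # Stand-in (assumption): tags the block with the node's key. Not the PoUBS transform.
    return node_key + b"|" + block

def decode(node_key, item):
    prefix = node_key + b"|"
    return item[len(prefix):] if item.startswith(prefix) else None

def build_tree(items):
    """Return every level of the Merkle tree, leaves first, root level last."""
    levels = [[leaf(x) for x in items]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([PAD] if len(levels[-1]) % 2 else [])
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling hashes, leaf level upward, for the leaf at index."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append(level[sib] if sib in range(len(level)) else PAD)
        index //= 2
    return path

def verify(root, item, index, path):
    """Recompute the root from one element and its sibling path."""
    node = leaf(item)
    for sib in path:
        node = parent(node, sib) if index % 2 == 0 else parent(sib, node)
        index //= 2
    return node == root

def challenge_indices(seed, root, n_leaves, count):
    """Distinct indices derived from the seed and the already published root."""
    count = min(count, n_leaves)
    out, ctr = [], 0
    while len(out) != count:
        digest = H(seed + root + ctr.to_bytes(4, "big"))
        i = int.from_bytes(digest, "big") % n_leaves
        if i not in out:
            out.append(i)
        ctr += 1
    return out

def audit(node_key, stored, chain, seed, count):
    """Run one round; return the challenged indices a checker would dispute."""
    encoded = [encode(node_key, b) for b in stored]
    levels = build_tree(encoded)
    root = levels[-1][0]  # the commitment the node publishes
    disputed = []
    for i in challenge_indices(seed, root, len(encoded), count):
        item, path = encoded[i], prove(levels, i)  # the node's response
        # A proof over junk still matches the root; the decoded content gives it away.
        if not verify(root, item, i, path) or decode(node_key, item) != chain[i]:
            disputed.append(i)
    return disputed

if __name__ == "__main__":
    chain = [b"block-%d" % i for i in range(8)]  # constructed sample data
    pruned = list(chain)
    pruned[2] = pruned[5] = b"junk"  # a node that dropped two blocks
    print("honest:", audit(b"node-A", chain, chain, b"seed", 8))
    print("pruned:", sorted(audit(b"node-A", pruned, chain, b"seed", 8)))
```
    </pre>
    <p>With fewer challenges than leaves, a node that dropped blocks is
      caught only when a challenged index lands on one of them, which is
      why the thread pairs the audit with a deposit that is lost on
      cheating.</p>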
  </body>
</html>