They are not really verified by full nodes either.
Computation is done by a Prover and duplicated by a Verifier. If the Verifier finds the computation result to be wrong, then they can identify a single gate (e.g. a NAND-gate) in the circuit doing the computation whose output bit(s) is wrong for its input bits, and expose this by engaging in an on-chain gate fraud proof, consisting of an alternation of transactions by Prover and Verifier that ends with one of them taking funds (the Prover in case the single gate computed correctly, the Verifier otherwise).
The verifier would normally have a financial stake in the correctness of the computation. For example, 2 parties could use this model to play a game on-chain for some amount of bitcoin. Then for every move, the party making the move commits to some move and new game state (acting as Prover) while the other party checks that the new state is correct (acting as Verifier). So the roles of Prover and Verifier are swapped at every move.
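As an added illustration of the Prover/Verifier dispute described above (this is not code from the BitVM paper or from anyone in this thread), the following Python models a four-gate NAND circuit computing XOR: the Prover commits to every wire with two hashes, opens one preimage per wire to fix its claimed bit, and the Verifier recomputes each gate from the opened bits to locate the single gate whose claimed output disagrees with its inputs. The circuit layout and the 16-byte preimages are assumptions; the on-chain transaction alternation that follows the dispute is out of scope.

```python
import hashlib
import secrets

# Constructed circuit: (in_a, in_b, out) per NAND gate; wires 0 and 1 are the inputs, wire 5 is XOR(a, b).
XOR_CIRCUIT = [(0, 1, 2), (0, 2, 3), (1, 2, 4), (3, 4, 5)]

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def nand(a: int, b: int) -> int:
    return 1 - (a & b)

def evaluate(circuit, inputs):
    """Honest evaluation: value of every wire in the circuit."""
    wires = list(inputs) + [None] * len(circuit)
    for a, b, out in circuit:
        wires[out] = nand(wires[a], wires[b])
    return wires

class Prover:
    """Two hash commitments per wire (assumed 16-byte random preimages); opening one fixes the bit."""
    def __init__(self, n_wires):
        self.pre = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(n_wires)]
    def commitments(self):
        return [(h(p0), h(p1)) for p0, p1 in self.pre]
    def reveal(self, claimed_bits):
        return {w: [self.pre[w][bit]] for w, bit in enumerate(claimed_bits)}

def open_wire(commit, preimages):
    """Bit opened by the revealed preimage(s); None if unopened; error if the prover opened both."""
    bits = {b for p in preimages for b in (0, 1) if h(p) == commit[b]}
    if len(bits) == 2:
        raise ValueError("equivocation: prover opened both preimages of one wire")
    return bits.pop() if bits else None

def find_faulty_gate(circuit, commits, revealed):
    """Verifier: index of the first gate whose opened output bit disagrees with NAND of its
    opened input bits, or None if every fully opened gate checks out."""
    bits = [open_wire(c, revealed.get(w, [])) for w, c in enumerate(commits)]
    for i, (a, b, out) in enumerate(circuit):
        if None in (bits[a], bits[b], bits[out]):
            continue  # cannot audit a gate until all three wires are opened
        if bits[out] != nand(bits[a], bits[b]):
            return i
    return None

def run_dispute(inputs, lie_at=None):
    """Prover claims wire values (optionally flipping wire `lie_at`); verifier audits the gates."""
    claimed = evaluate(XOR_CIRCUIT, inputs)
    if lie_at is not None:
        claimed[lie_at] ^= 1
    prover = Prover(len(claimed))
    return find_faulty_gate(XOR_CIRCUIT, prover.commitments(), prover.reveal(claimed))
```

An honest claim yields no faulty gate; a flipped output wire is traced to exactly the gate that drives it, which is the gate the verifier would take on-chain.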
On-chain computation is required if state is also stored on-chain. Local state is transformed by every node on the network in exactly the same way. It's not wasteful—it's the reason that every node knows definitively that the state advertised by the rest of the network is actually correct.
Not true! Validators and users don't actually care what computation happened, they only care that whatever computation happened did so according to the rules that were set in the contract in the beginning.
To make things concrete let's look at an example. Computational state in a block chain contract is typically stored in a Merkle hash trie. Let's say that the data stored is a key, and the holder of the key is allowed to spend the coins bound to the contract. The _computation_ is to check that the key is contained within the Merkle trie, then check the signature of the key and the spend. However with some cool zero-knowledge crypto magic, you don't even have to reveal the Merkle inclusion proof, nor even the key itself. All you have to do is provide a zero-knowledge transcript which verifies that the computation of the contract (Merkle inclusion proof and signature check) validates. This is, essentially, how zerocash works.
This result generalizes. For whatever computation you want to perform in a contract, the contract can be rewritten to instead just validate a transcript of a successful execution of that computation. This isn't just academic either. All NP problems have transcripts that are validatable in polynomial time. A derivative of this result is that while you might need Turing completeness to express the logic of a smart contract, you do NOT need Turing completeness to validate its transcript. As a trivial example, a smart contract that involves computing a hash preimage by brute force in a tight loop could be replaced with a contract that merely takes a string and checks that it hashes to the desired value.
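An added example (not from this thread or from Zerocash) of the transcript idea in the two comments above, without the zero-knowledge layer: the prover builds a Merkle tree over a set of keys and hands over an inclusion proof, and the verifier recomputes the root from that proof alone with O(log n) hashes instead of scanning the set. The leaf/inner-node domain-separation prefixes and the duplicate-last-node padding for odd levels are my assumptions; the signature check on the key is omitted.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(key: bytes) -> bytes:
    return h(b"\x00" + key)            # assumed prefix: keeps leaves distinct from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_tree(keys):
    """Prover side: all levels of the tree, leaves first, root last.
    An odd-length level is padded by duplicating its last node (assumed convention)."""
    level = [leaf_hash(k) for k in keys]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels, index):
    """Prover's transcript for leaf `index`: (sibling_hash, sibling_is_left) per level."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify_proof(root: bytes, key: bytes, proof) -> bool:
    """Verifier side: fold the transcript back up to the root; cost is len(proof) hashes,
    independent of how many keys the tree holds."""
    acc = leaf_hash(key)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

def demo_root_and_proof():
    """Constructed sample: five keys, proof for the last (odd-position) leaf."""
    keys = [b"key-%d" % i for i in range(5)]
    levels = build_tree(keys)
    return levels[-1][0], keys[4], make_proof(levels, 4)
```

A wrong key, or any tampered sibling in the transcript, fails to reproduce the root, which is all the contract needs to check.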
> All NP problems have transcripts that are validatable in polynomial time
Sure, but are they provable in polynomial time?
Proof generation is much more expensive than just running the original computation through standard means.
> However with some cool zero-knowledge crypto magic, you don't even have to reveal the Merkle inclusion proof, nor even the key itself.
I hate that the exact way that ZK systems work is always omitted from any discussion of the subject. It is very complicated, which explains why no one likes to (or is even able to) get into the specifics, but somehow this also leads to the handwavy assertion that all we need to do to avoid all that expensive and duplicative computation is to sprinkle in some zero-knowledge proofs.
Due to performance limitations, for all intents and purposes ZK tech is impractical to the point of being infeasible for truly decentralized blockchains with Turing-complete smart contract capabilities. It works for more specialized purposes, but it is not currently a solution to the "duplicative computation" problem.
It doesn’t matter, does it? That computation happens off-chain.
As an actual example, there are contracts locked to providing a collision proof for various hash functions. The one for SHA1 was claimed a few years ago when Google generated the first SHA-1 collision. That represented a lot of work on Google’s behalf, but was trivial for bitcoin nodes to validate.
> Due to performance limitations, for all intents and purposes ZK tech is impractical to the point of being infeasible for truly decentralized blockchains with Turing-complete smart contract capabilities. It works for more specialized purposes, but it is not currently a solution to the "duplicative computation" problem.
You misunderstand me. I’m not suggesting that such a general zkp system be used, but rather offering it as a theoretical point.
In practice you make a specialized zk proof for whatever you are trying to do. And despite the hype, the practical use cases for Turing complete smart contracts are quite small and limited in scope. If you have a smart contract with real world applicability that can’t be reduced down to a handful of easily checked signatures and if-else clauses (or something of similar complexity), I’d like to see it. I know of scant few examples, and this is my field of expertise.
Can you please recommend a book on ZK proofs for someone with a basic CS-level understanding of algorithms and data structures? I would like to understand it better and use it in dapps. I feel like it completely changes the relation between what's data and what's computation, a bit like how matter and energy were linked in physics.
In practice, yes. And for real world applications I know of, the depth of primitive recursion is small enough that loops can be fully unrolled. So e.g. bitcoin’s lack of a looping construct isn’t even a problem.
Kind of! But that state can also be a proof that a transition function is correct, rather than eg raw application state.
Look into Mina or Zcash to better understand what I mean. Off-chain clients (eg, wallets in Zcash) keep the application state, and the state committed to the chain is just the proof that the application state is following an agreed-upon state transition function.
Relying on hashing, computation proofs, etc. are ways to asymmetrically enjoy the benefits of global coordination without requiring all nodes in the network to run the code. Instead, they just verify the receipts of off-chain agents who ran the code.
This model then only makes sense for computations that are easier to verify a solution for than to solve (or where both are trivial in terms of computation), presumably?
This is only true in a very loose and rather useless sense. This isn't because of some weakness of the BitVM construction, these are products of limitations of Bitcoin itself.
As far as I understand, all possible settlement pathways have to be predetermined. They can't be chosen/constructed on the fly according to the circuit. It also has a pretty restrictive prover-verifier relationship. If the prover lies then the verifier can force a recovery pathway, but if the verifier fails to perform their duties then the prover can choose to settle the construction in any of the predetermined settlement pathways. The only ways that that would work would require some trusted third party to sign off on the other outcomes. They can also, of course, collude to settle the contract in any arbitrary way, meaning that the verifier has to be trusted by third parties. There's also no obvious way to chain instances of this construction in an arbitrary data-dependent way. There are also large communication costs, where two hashes have to be exchanged for each wire in the circuit, which adds up a lot when you'd want to do nontrivial circuits. Although I can imagine someone could invent some clever construction to deterministically generate wire commitments in a way that each party could agree on, I'm not sure what it would look like given the constraints Bitcoin has.
So it's only possible to build a "Bitcoin-on-Bitcoin" with it if you don't care about moving funds between it and the host Bitcoin ledger or being able to be trusted by anyone other than the parties actively involved in executing the construction (like you could do with a rollup), which means it's useless as a thing to improve throughput.
It states in the paper that a more practical construction should be used in a real use-case. I'm still a little bit fuzzy on the details so I might be slightly off here. It's a very cool construction, and it's pretty neat that it's doable on Bitcoin today without modifications to the core protocol. Bitcoin only needs a couple of very minor modifications in order to enable basically anything-on-Bitcoin, which I sketched out [1] a while back that got some attention and further work [2].
As funny as this comment is, I really think the bitcoin blockchain is an implementation of a truth engine. It's currently a ledger for most people but you can be pretty damn sure what has been written 1 hour ago, is the absolute truth.
“you can be pretty damn sure that some JSON got POSTed with appropriate signatures/a hash reward attached to it to some nodes listening on a peer-to-peer network and propagated around”
With bitcoin blocks as slow and small as they are, which is a good thing for security and decentralization, implementing bitcoin on top of the bitcoin chain would just slow this down even more.
Time to bring together every trend into a single product: An LLM and image generator developed through a cryptocurrency-based distributed network that is also a social media platform.
So is using sed to play chess. This exists as a proof of concept, not as a suggestion that it is a practical solution.
Since you chose to post this request here and not on the thread about playing chess with sed, I suspect you are imagining some form of real world effect from the energy expenditure from people doing this. I think that lacks a sense of perspective; a better approach would be to consider the change in state of the world after an extended period of expected use of the approach. Considering the considerable lack of practicality of calculating in Bitcoin (and indeed playing chess in sed) the expected use is negligible and consequently the impact would also be negligible.
Bitcoin uses less than 0.1% of the world's energy. Any time somebody says things like "uses more energy than a country" they are either dishonest or malicious and clearly have an agenda. I'd recommend trying to stick to facts, not opinions.
Bitcoin or not, I don't like the idea of having opinionated people and entities judging what I do with the energy I paid for. Today it is proof of work, tomorrow it might be high end computer gaming, hopping in a car for a trip, etc. You can already see on this very site judgmental comments about carbon usage when you mention a hobby like a home lab.
My initial point was to inform the OP about peer-reviewed articles on current waste, not which energy uses are allowed or disallowed, nor a call to judge or curtail individual energy expenditures.
As with many things, there is not a single 'right' or wrong, but degrees of evidence. Highlighting current chain inefficiencies allows future versions to better mitigate these energy impacts. Honing any process to use less energy while achieving similar or better results is not an unreasonable goal.
Re: your first point, am I right to understand that entities that are able to afford higher usage should have no qualms doing so?
> My initial point was to inform the OP about peer-reviewed
"Peer-reviewed" is meaningless if it's not scientific, fact-based.
> articles on current waste
See, you start with the assumption that it's wasted. You can only come to that conclusion if you assume that bitcoin serves little or no purpose.
> Honing any process to use less energy while achieving similar or better results is not an unreasonable goal.
Energy usage is what brought humanity from stone tools and caves to the moon, using energy is a good thing that advances civilization. Energy production can be problematic, which bitcoin doesn't do. Proof of work is one of the core innovations, there is no system that has better results.
I wouldn't be too quick to dismiss the linked sources, though. Similar to the authored pieces, I don't assume energy is 'wasted' on a perceived goal, but that actual waste is produced (e.g. mining devices are discarded quite frequently) as well as waste energy due to protocol implementation inefficiencies and infrastructural limitations (i.e. many compute cycles for little gain).
Both can be accounted for: would you not rather see a version where these issues are accounted for? PoS is a sure way forward, but there are still many legacy chains around that do not benefit from this [0].
No, PoS is a total failure. As it is not tied to reality the history of the ledger can be modified at will. There is no independent way of knowing which chain is the "real" one. There is no independent way of knowing which "validators" are valid. You can not leave the network and rejoin and be sure about the history without trusting some third party. This is the problem that PoW solved and PoS doesn't.
Less than .1% to secure more than 500 billion of value. Bitcoin energy usage is primarily to secure the network, not for transaction "volume", but that's a common misconception for people who have yet to learn about bitcoin.
You're splitting hairs. If the energy is needed to stave away a 51% attack, that's the energy needed to support the single digit tps monstrosity you have. As for the 500 billion in value, I doubt if everyone liquidated their positions today it'd amount to a figure remotely close to that.
> I wish people would just be honest and say yes, it's absurd and wasteful, but I think it'll make me rich so I don't care.
That's just your opinion. Most hardcore bitcoiners aren't in it to be rich, it's because it has a lot of potential to be a more sustainable monetary system over what we have now. I don't see the energy consumed by Bitcoin to be wasted and I'm doubtful that most who say it is understand why it's used in the first place.
Every industry on this planet that is worth doing uses "more energy than one country". Anybody who parrots this "argument" is either stupid or malicious.
I find it interesting to travel in such a country. Take a train and when it approaches a city look at all the buildings passing by. All the lights in the windows that show that people live there. The electric heating of many of those homes. All the electricity any of the people living there ever spends. All the factories, farms you see on the way. Massive greenhouses. Server farms. All those electric cars stuck in traffic. The train goes for hours and hours. Everything you see combined uses less electricity than bitcoin. Millions of people can run their lives and build all their businesses using less energy.
Like I said, the same can be said about any industry on this planet. That this fact is mind-boggling for you shows that you haven't really ever thought about energy consumption. That you see this as a weakness of bitcoin shows that you approach bitcoin with the preconception that it is useless, and that you try to find facts that suit your view.
That’s a fair point, I don’t have a good grasp on what energy usage really is.
I don’t perceive bitcoin as useless. I think the energy usage is way out of scale. POW is an elegant solution to building the system, but the logical conclusion is that it ends up taking massive industry scale resources only catering to a small to midsize industry. It’s economically viable only in the narrow sense that we don’t anticipate the true longterm costs of energy spent.
> but the logical conclusion is that it ends up taking massive industry scale resources only catering to small to midsize industry.
That's a fair assumption, but personally I find it absurd to think that a global open permissionless trustless non-censorable payment system will not keep growing. I think that's an expression of the financial privilege rich people in secure, wealthy countries without any financial problems have.
> That’s true, but then so does Google, Youtube, Facebook, Amazon, the cruise industry, Christmas lights, household drying machines, private jets, the zinc industry, and basically any other sizable platform or industry. From that list, Bitcoin’s energy usage is the closest to that of the cruise industry’s energy usage, but bitcoins are used by more people, and the network scales far better. If people were 10% more efficient at shutting off their electronic devices when not using them, then that alone would save more energy than the global Bitcoin network uses.
> It’s economically viable only in the narrow sense that we don’t anticipate the true longterm costs of energy spent.
Why would it be less economically viable with scale? As Bitcoin increases in value, the hashrate and energy usage will increase. If it doesn't, the hashrate and energy usage will stagnate or decrease.
If you think the energy usage is "way out of scale" for the problem it solves, I think you may be underestimating the challenges of developing a decentralized monetary system and the impact of money on society itself.
Chia uses a lisp variant, along with a coin model similar to bitcoin's UTXO. So it's computationally powerful, while avoiding the security nightmares of Eth's account model (i.e. no global variables, functions have no side effects).