Cryptocurrency design decisions

(This is an opinion piece; however, I shall attempt to give sources where applicable.)

There are countless altcoins floating around, with barely a week going past before a new announcement can be seen on the Alternate Cryptocurrencies section of Bitcointalk. In this essay, I would like to explore the different design decisions made in altcoin creation, and analyse how they affect the viability of the currency.

Firstly, I would like to make a few points. I believe that the early-adopter advantage must not be too large, so as not to deter latecomers who would only hold a very small portion, and to remove the possibility of early adopters dumping their coins, driving down the value and leaving the rest with worthless coins.

Block spacing

In recent times, we have encountered numerous coins with ever-shorter block spacings (e.g. DGC – 20s, WDC – 15s, FST – 12s), presumably with the intention of fast transactions and greater security in the same amount of time. However, there is the fear of conflicting chains, orphans and double-spends due to the inability of blocks to propagate through the network fast enough.

To look at this a different way, let us consider the network propagation time and simulate its relationship with block time. Say the time needed to verify a block and transmit it on is exponentially distributed with minimum 60ms and mean 200ms. If there are 10,000 nodes and the average node has 8 connections, we can assume (via the formula shown on http://en.wikipedia.org/wiki/Random_regular_graph ) that fewer than 9 hops are required to traverse the network (in practice, this number is reduced as a majority of nodes are connected to a single small group of nodes).

The block-generation time follows an exponential distribution with mean x seconds. For x=15 seconds, we have an orphan rate of 11%; for x=20 seconds, 8.5%; for 30 seconds, 6%; for 60 seconds, 3%; and for 150 seconds, 1%. The larger the network, the higher the orphan rate. As can be seen, coins with fast block times cannot support a very large network unless there exist fast links or high connectivity between nodes. Perhaps clients of coins with fast block times should set a higher default maxconnections value? (In the example above, increasing maxconnections to 12 would reduce the hops to 7 on average.)
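An added example, not part of the original essay: a small model that comes within half a percentage point of the orphan rates quoted above. It assumes (an assumption of this example, not something the author states) that every block needs all 9 hops and that a block is orphaned whenever a competing block is found before propagation finishes.

```python
import math
import random

HOP_MIN, HOP_MEAN = 0.060, 0.200  # seconds per hop, as given in the text

def orphan_rate(block_time, hops=9):
    """P(a competing block appears while a new block is still crossing `hops` hops).
    Each hop takes HOP_MIN + Exp(mean HOP_MEAN - HOP_MIN); block gaps are
    exponential with mean block_time, so the rate is 1 - E[exp(-T / block_time)]."""
    s = 1.0 / block_time
    per_hop = math.exp(-s * HOP_MIN) / (1.0 + s * (HOP_MEAN - HOP_MIN))
    return 1.0 - per_hop ** hops

def orphan_rate_mc(block_time, hops=9, trials=200_000, seed=1):
    """Monte Carlo cross-check of the same model using sampled delays."""
    rng = random.Random(seed)
    tail = HOP_MEAN - HOP_MIN
    orphans = 0
    for _ in range(trials):
        spread = sum(HOP_MIN + rng.expovariate(1.0 / tail) for _ in range(hops))
        if rng.expovariate(1.0 / block_time) < spread:
            orphans += 1
    return orphans / trials

if __name__ == "__main__":
    for x in (15, 20, 30, 60, 150):
        print(f"x={x:>3}s  9 hops: {orphan_rate(x):.3%}   7 hops: {orphan_rate(x, 7):.3%}")
    print(f"Monte Carlo, x=15s, 9 hops: {orphan_rate_mc(15):.3%}")
```

The 7-hop column corresponds to the maxconnections=12 case mentioned above.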

Hashing algorithm

Different coins have different hashing algorithms associated with block generation. The most notable are SHA-256 (Bitcoin family), scrypt (Litecoin family) and scrypt-jane (Yacoin family). Of these, SHA-256 is the simplest, requiring almost no memory and being relatively easy to put into an FPGA or ASIC, followed by scrypt, whose memory usage presents an obstacle to hardware implementation, then scrypt-jane (technically called scrypt(N,1,1)), whose memory usage grows over time, ruling out first FPGA/ASIC then GPU. Lesser known are SHA-512 (Copperlark) and the finding of Cunningham chains (Primecoin). More recently we have coins utilising a random mix of hashing algorithms - Quarkcoin and Securecoin, among others.

I believe that scrypt is one of the more fair hashing algorithms – the barrier to entry remains low for a long time (it is far easier to get a GPU than an FPGA or ASIC), so minting is not dominated by a single class of people (the financially rich). Recently, though, the distribution of SHA-256 hashing machines has become unfair – for low-cost machines manufacturers charge far above ROI, and high-performance machines are extremely expensive. CPU-only coins, though, are prone to botnets unlike SHA or scrypt coins, since every computer has a CPU and CPU mining can be done in the background with little to no system impact. (They also may not be recognised by traditional virus scanners which search for Bitcoin mining code.)

Proof-of-stake

Proof-of-stake is an energy-efficient means of block generation, gradually replacing proof-of-work as time goes on. The creation of a proof-of-stake block can take orders of magnitude less energy than a proof-of-work block, since the nonce search space is deliberately limited by the design. It also serves as a mechanism for introducing controlled inflation.

Like proof-of-work, it relies on hashing, but its reward is not new coins but the growth of already existing coins. A special transaction, called coinstake, is created that eats a txout and spits out two new ones whose sum is greater than the original. A catch is that some PoS implementations truncate their interest calculations, resulting in some interest being cancelled out. This is a minor issue, though in the long run (10+ years) it could become significant.

I would like to point out, though, that coins with high proof-of-stake (some were released with 100% p.a. interest) would have their value driven down to zero within a few years, what with the coin supply increasing massively both from PoW generation and PoS interest. (Presumably, though, the coin will not last that long.) Even worse are the coins where interest starts high and decreases over time - see Novacoin for example - PoS is high when difficulty is low and vice versa. 1)

Block reward

High or low block reward? We have seen high block reward coins (Devcoin and InfiniteCoin) as well as low block rewards (BitBar, OneCoin and more recently CopperBars). There is no consensus on which is better; however, I believe that the block reward should be set such that the long-term coin value is some reasonable quantity (e.g. 5 cents). Why? To encourage use in the real world (if that is the intent of the coin creator), daily-life quantities should be expressible in a reasonable amount of coins. Would you rather pay for your coffee with a million IFC or 1.25 LTC?

Of course, some coins have their reward set the way it is because their authors want it to serve a specific purpose. For example, Devcoin has a high generation rate of 50,000 per block because 90% of it will be distributed to writers/developers, and they should be paid in a large integer number, and CopperBars are meant to purchase real copper bars, explaining its high price of several LTC as a result of its 0.064 block reward.

Other developers have attempted to set a low block reward so that their coin will be worth a lot per unit, but this is a fruitless pursuit – cost measured in multiples of block rewards will be exactly the same for two coins with identical features except block reward.

Block reward change

Block reward changes over time differently in different coins. Which kind of reward change system, then, encourages fair distribution?

Initial period

The initial period of coin distribution is paramount – it determines whether people view the coin as fair or just another attempt at making a quick buck.

Different ways of thinking exist about this. One way to think about it is that early adopters should be rewarded with higher numbers of the coin as incentive to mine this coin instead of others, so coin generation starts high and drops to normal values after a few hours or days. However, this practice is risky as the majority of coins are held by a few who can dump at leisure, destroying the coin value. A notorious example is Mincoin, whose first three days had block rewards of up to 250 times the normal 2), though it seems to be doing quite well now. (Unintentionally, PPCoin also made a similar mistake.)

Another way of doing it is to implement low rewards at the start, then ascend to normal block rewards. This is the method used by DigitalCoin, StableCoin and others who wish for a “fairer” distribution. The low reward at start is offset by the low difficulty, resulting in the same amount of coins being created overall.

Superblocks

Superblocks may be intended as a way to encourage mining of the currency in order to “get lucky”; however, they serve no other purpose. Superblocks also make the coin more vulnerable (in theory) to coin-hoppers, no matter what method is used to determine the superblocks. If they are predetermined, just hop on at that block; if it is determined based on the previous nonce, just hop on if we detect that the next block will be a superblock, and only search nonces which will give a superblock! Proof-of-concept: https://bitcointalk.org/index.php?topic=264740.0. A superblock-hopping pool does not exist yet, but there is no doubt that it is achievable.

Dependence on difficulty

We also have coins whose block reward is determined by the difficulty. Examples are Elacoin (dead), whose reward is proportional to difficulty, and the PPCoin reward family (PPC, NVC, BTB etc.), whose reward is k*difficulty^-r, with k, r > 0. I argue that both these systems are deficient. Elacoin's reward adjustment implies that profitability can only stay constant relative to the coin price (since the reward-to-difficulty ratio is constant), which puts it at a permanent disadvantage relative to coins with better prospects. PPCoin's reward adjustment provides harsher negative feedback than other coins to automatically adjust the profitability to achieve a stable PoW generation rate, but exacerbates the early-adopter bonus by providing early adopters large amounts of easy money. If you look at the coin supply growth of coins such as BitBar 3) and Novacoin 4), you would see a huge spike at the front followed by a plateauing off. (Mincoin, too, suffers this problem.) PPCoin had less of this problem because coin adoption occurred slowly, but the others were hit by massive difficulty spikes upon launch, sealing in the early-adopter advantage.

Long-term block reward

The purely deflationary coin is the traditional coin – coin reward starts at X coins and halves/decreases every N blocks, with the coin supply eventually reaching a maximum. For most coins, the period of use is so short that the reward does not decrease significantly over the coin's life. For Bitcoin, though, in the future, when coin growth slows, deflation will set in.

The inflationary coin usually has a constant block reward. The most well-known example should be Groupcoin (merged mined with Bitcoin, 50 coins per block forever), and Devcoin is similar. It can be shown that the coin's value goes to zero eventually assuming demand asymptotically reaching a maximum, but such effects are unlikely to kick in within the next few decades or centuries.

The third kind of coin has a decreasing reward till a certain point, and from then on a constant reward. In practice, they look no different from a deflationary coin, since their ending reward is usually extremely small.

Finally, we have increasing-reward coins – rare, but some still exist. SIF (Simple Inflation Fork) has a block reward proportional to the square root of the block number.

The difficulty adjustment is an often-overlooked factor that can make or break a coin. Thus, different kinds of adjustment methods have been developed.

The simplest kind is the linear adjustment method, adopted by Bitcoin, Litecoin and many others. The advantage of this method is stability and predictability, but having the readjust period set too long leaves it vulnerable to attackers or coin-hoppers. A case study: Bytecoin, the 1:1 clone of Bitcoin, had been stuck on 35,794.675 difficulty for nearly half a year. The reason for this is that the 2016-block retarget left it open to flash mining when difficulty dropped. Looking at cryptometer.org, after being stuck at 16,384 (4^7) diff for over 20 days, a difficulty drop to 9K attracted a flurry of mining activity that mined the entire 2,016 blocks in just 2 days. The gold dried up, difficulty shot sky-high and everyone left. It has happened again recently, with over 1.5TH/s picking at it and mining 3K blocks in a very short timespan.

More case-studies, anyone? Let's have a look at Feathercoin. If you look at the difficulty charts of Feathercoin, you frequently see it going up-down-up-down in a cycle, with short periods of low difficulty between long periods of high difficulty. The reason is once again coin-hoppers – 3GH/s (analogous to several TH/s of SHA-256 miners) worth of them! The same problem has plagued Terracoin after its attack and subsequent difficulty adjustment patch. To remedy this, Feathercoin has introduced a new patch, bringing the adjustment from 41% per 504 blocks to 9% every 126 blocks. (The 41% is itself a change from 4x every 2016 blocks, which nearly killed Feathercoin in its early stages when it got stuck on 192 difficulty.)

Let's now move on to the moving-average difficulty algorithm. This method adjusts difficulty every block (based on the weighted average of the behaviour during the past N blocks). Its greatest advantage is fast response to sudden changes in hashrate – a 1GH/s hopper like Middlecoin is now no threat, as once it leaves, difficulty can correct really fast. However, there is a fine balance in the N parameter – too large and the reaction is slow; too small and the coin is vulnerable to runs of good or bad luck. PPCoin uses N=1008 (1 week), which has proven to be stable so far. Primecoin, though, uses some algorithm which caused block generation rate to remain steadily high in its early days.

Sadly, we have no algorithm which is both fast (reacts quickly with large changes in difficulty) and fluke-resistant (e.g. a lucky block being found in 1 second will not affect it much). We want to be resilient against massive hoppers, but one or two lucky blocks are indistinguishable from a sudden increase in hashpower. So, I think that we could consider a hybrid adjustment method, period-based difficulty adjustment. Every N blocks are counted as one period, and once per period the difficulty is calculated by taking a moving average over the past K periods.
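The trade-off between fast reaction and fluke resistance described in the last few paragraphs, as an added example that is not part of the original essay. It is a deterministic toy model with constructed parameters (a 600-second target, a plain unweighted average, hoppers who had pushed difficulty to 10x the remaining hashrate), not any coin's actual retarget code.

```python
TARGET = 600.0  # assumed target spacing (s); difficulty == hashrate gives TARGET

def make_rule(every, window, clamp=None):
    """Retarget every `every` blocks from work / elapsed time of the last `window`."""
    def rule(height, diff, times, diffs):
        if height % every:
            return diff
        est = TARGET * sum(diffs[-window:]) / sum(times[-window:])
        if clamp:  # cap the change per retarget, as period-based coins do
            est = min(max(est, diff / clamp), diff * clamp)
        return est
    return rule

def simulate(rule, window, hashrates, start_diff):
    """Deterministic model: each block takes its expected time. History is
    pre-seeded with `window` on-target blocks mined at start_diff."""
    times, diffs = [TARGET] * window, [start_diff] * window
    diff, out = start_diff, []
    for height, rate in enumerate(hashrates, start=1):
        t = TARGET * diff / rate
        times.append(t)
        diffs.append(diff)
        out.append((t, diff))
        diff = rule(height, diff, times, diffs)
    return out

def fluke_bump(rule, window):
    """Peak difficulty after one 1-second block at constant hashrate 1."""
    rates = [1.0] * (3 * window)
    rates[0] = TARGET  # a 1-second solve looks like TARGET times the hashrate
    return max(d for _, d in simulate(rule, window, rates, 1.0))

def recovery_time(rule, window, peak=10.0):
    """Seconds until difficulty is within 10% of the remaining hashrate (1)
    after hoppers who had driven difficulty to `peak` all leave."""
    elapsed = 0.0
    for t, d in simulate(rule, window, [1.0] * (3 * window), peak):
        if d <= 1.1:
            return elapsed
        elapsed += t
    return float("inf")

RULES = {  # constructed parameter sets, not any coin's exact algorithm
    "period 2016, 4x clamp": (make_rule(2016, 2016, 4.0), 2016),
    "moving avg N=1008": (make_rule(1, 1008), 1008),
    "moving avg N=10": (make_rule(1, 10), 10),
}
if __name__ == "__main__":
    for name, (rule, window) in RULES.items():
        print(name, round(fluke_bump(rule, window), 4), round(recovery_time(rule, window) / 86400, 1))
```

In this model the N=10 window recovers in under six hours but moves about 11% on a single lucky block, while the 2016-block period barely registers the fluke and stays too high for 175 days. Under one reading of the period-based proposal above, it corresponds to `make_rule(N, N * K)`.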

Another factor to consider is the starting difficulty of a coin. If a developer wishes to do a fair launch (i.e. with pre-announcement so that people can get prepared), he should set the initial difficulty to a reasonable value, like 0.25 for scrypt and 256 for SHA-256 with a 1-minute block time. Setting the difficulty too low can result in what is known as an “instamine”, where many blocks are generated very quickly, resulting in a large number of conflicting chains. Setting the difficulty too high results in a slow start and can make the coin die in a short time if interest is insufficient.

Premine

This is probably the most sensitive section of this essay. Premines have been the root of many arguments and coin boycotts in the forums. What is a sensible value for a premine? Some say that they will not accept any premine, some say that the developer deserves a cut (if he has put in a lot of work), others can accept most premines.

In my personal opinion, I think that a premine is acceptable, as long as 1. it is a reasonable amount of the total coins, and 2. the amount of coin mined by miners should overtake the premine in a reasonable amount of time; and all the more acceptable if the developer uses it to further the development of the altcurrency.

Of course, even those very liberal with premining would be against premines of a disproportionate scale. Take, for example, one of the more math-failing coins in recent times, Orbitcoin. On paper, the premine looks fine, if not very excessive (1M out of 31M, presumably for the support of space education). But when you look at the block reward, it starts at 0.25 and halves every 525,600 blocks (1 year), then drops to 0 at the end (it was supposed to stay constant at 0.00000001 coins per block, but due to a logic error it got truncated). After 20 years, the number of coins mined is 262,799.93167200 – just a quarter of the premine! Even worse, a PoS reward of 0% is implemented, resulting in the stalling of reward generation in the future. It has been delisted on Cryptsy, though, so not all is lost.

A similar practice exists in some coins - a cut is taken out of each block and given to the developers. Typically the cut is quite high - Freicoin with 80%, ZenithCoin with 50% and our very own DevCoin with 90%. If the cut is spent fairly and transparently, no-one will complain (e.g. Devcoin's 90% spending is reviewable by all), but others have had a lack of transparency on what their cut will be spent on.

Limitations

My view of cryptocurrencies is probably idealistic - I assume that cryptocurrency adopters are interested in the long-term prospects of the coin; however, in real life people are usually in it just for the profit, not to support cryptocurrencies. I don't blame them - most cryptocurrencies do not have much real-world usage, so the largest purpose is filled by default by speculation in the market, and miners usually take a short position by selling to cover costs.

Conclusion

Designing a cryptocurrency is a very intricate procedure, with many different factors influencing success rate. It remains to be seen what the community wants in a coin, but for now here is my opinion.

Notes

1) https://bitcointalk.org/index.php?topic=143221.msg2115161#msg2115161 Interest rate is calculated as 100%*(difficulty/base difficulty)^-1/6
2) https://bitcointalk.org/index.php?topic=165397.0 “… block values for first 3 days are :- 500 MNC, 100 MNC, 50 MNC”