Intrinsically useful proof-of-work using Mersenne or Fermat numbers factorization. Could it be possible?

I was reading this question and got myself thinking - why can't a crypto-currency use as proof-of-work a difficult problem that has value outside of the network? I understand the effort to produce all those hashes is not completely "useless", but still it seems like too much electricity consumption just to secure a crypto-currency - a proof-of-work that could produce a valuable by-product would be much appreciated, I think.

So I was thinking, what problems could there be if proof-of-work were, say, the factorization of Mersenne or Fermat numbers? Validating a number's factorization is relatively easy, compared to looking for the factors. And a crypto-currency based on it could give an big bonus to finding a Mersenne prime, and a mega-enormous bonus should a miner find a new Fermat prime (assuming there are some more), for these are intrinsically valuable even though validating the discovery would also be incredibly heavy, computationally speaking...

Appart from the obvious problem of difficulty being uncontrollable and going always up, (might be solved by allowing less profitable blocks be mined using another proof-of-work), I thought of the case where a country gets disconnected from the rest of the Internet: In current bitcoin this means coins mined there during the disconnection are lost after the country's reconnected, and any merchant accepting those locally-mined coins will lose their money.

In a system aiming to have a useful by-product as proof of work, all discovered factorizations should get eventually accepted, even if they were mined in such isolated conditions or were initially included in a blockchain that happened not to be the longest - unless some other miner discovered them independently and included them in a longer blockchain.

But then I realized this system could mean miners could attempt using this proof in more than one blockchain - I guess this would open the door for some types of fraud.

Could it also lower difficulty for double spending attacks? What other problems could arise in a system of this type? Are they intrinsically unsolvable?

The same could be said of using protein-folding, or analyzing SETI@home packages as proof of work...

Joe Pineda

Posted 2013-06-14T23:18:51.083

Reputation: 2 040

2Sorry, what's the actual question? This reads more like an "I was thinking", which is cool and all, but might fit better on a forum (the Stack Exchange is more for simple, factual answers to simple, factual questions). – eMansipater – 2013-06-15T02:13:14.290

So why is it useful to factor Mersenne numbers? – Nick ODell – 2013-06-15T05:25:25.740

My questions are at the very end, sorry didn't make them more explicit. Basically I'm asking if it's at all possible to create a new proof of work that does something perceived as useful outside of the network, that doesn't ever waste effort done by the miners (unless unfortunately somebody else found the answer previously) and still avoid double-spending. – Joe Pineda – 2013-06-15T22:13:49.613

@NickODell I thought basing a crypto-currency on factorizing Mersenne numbers (or Fermat, which right now are a bit forgotten) could stimulate advances in algorithms or in hardware, both would be great. Just finding the factors might be useful for future number theorists (Mers. Prime Search looks for factors in confirmed non-prime Mersennes for this very potential). Else, with much more people trying to factor them, at least Mersenne primes would be spotted faster - and there are some monetary prizes for finding them. – Joe Pineda – 2013-06-15T22:25:14.260

@JoePineda Heres one

– Loourr – 2013-07-09T12:10:23.930

Answers

How would solving these problems secure the network? Miners are rewarded for the proof of work they do because the specific proof of work they do -- hashing block headers -- in fact secures the system. Solving other problems doesn't secure the currency. If you want to pay people for doing work, you certainly can. But don't at all confuse it with the proof-of-work that crypto-currencies use to solve the double spend problem -- that must be the actual proof-of-work that actually solves the double spend problem.

The point is that the block hashes are tied to a specific block and to specific transactions in that block. The proof of work cannot be severed from the block header and the transactions. Thus the proof of work secures that block header and those transaction. Factorization of Mersenne numbers isn't tied to a specific block or set of transactions, so it does not secure the block chain.

David Schwartz

Posted 2013-06-14T23:18:51.083

Reputation: 46 931

OK, so it must be tied to a proof of work of some kind that includes the hashes of previous blocks so we get a new (hopefully long) chain of blocks. Still, I can't think of a reason why difficulty of such hashes can't be kept simple and the bulk of the work being done in the factorization of Mersennes or in protein-folding... – Joe Pineda – 2013-06-15T22:05:45.123

1@JoePineda: Because it's the difficulty of the work that is attached to the blocks that provides the proof of work that secures the network. If the difficulty of the hashes was simple, then an attacker could easily create his own blocks that had more work attached to them. Work not attached to the blocks doesn't actually prove anything. The whole point of the system is to require an attacker to attach more work to his blocks than all the honest miners together have attached to theirs. Work not attached to blocks serves no purpose. – David Schwartz – 2013-06-15T23:23:56.417

OK, so the work spent in the hashes is absolutely needed, even though it may not be very useful outside of the bitcoin network, for that work's absolutely needed to secure the network. Associating it with another, more useful payload that may also give credits is a totally different beast... will read the NooShare paper and see how the author tries to accomplish it. Thanks! – Joe Pineda – 2013-06-16T22:24:22.490

Only a problem that meets a number of very specific requirements can possibly be used. The work must be much easier to verify than to perform. The work must be inseparable from the block it is attached to. The work must not require a central authority to assign it. And so on.

I dont see why such a problem cant also be useful. Say the network was trying to fold proteins. say there are arbitrarily many degrees of complexity for classes of proteins. The network could send out a protein structure that it knew could be folded. The only way to fold is by trial and error, so it is easy to check a solution but difficult to find one.

The network would send the protein out to all miners and when one found a solution it could be quickly tested, if it was correct then the bitcoin would be timestamped and a contribution would have been made to science.

As more miners join the network, the network would adjust the difficulty but sending out more complex protein structures, similarly to how it currently just ups the numbers of zeros prepending the output to the hashing function.

Now I'm not sure if protein folding is a good candidate for a proof of work, because I dont think difficultly could be determined with the accuracy required for the bitcoin network, and it likely also has an upper bound, but in principle I think the idea is sound.

Loourr

Posted 2013-06-14T23:18:51.083

Reputation: 3 022

As per Scharwz's answer, the proof of work must have a hash of some kind to create the block chain of blocks. The only downside I see with your idea is: broadcasting a protein structure known in advance to be foldable opens the door to corruption and manipulation, plus if it's known in advance it's solvable then the miners are basically doing double work for nothing - the idea of proof of work being useful is that miners should do work that has value outside the coin network. – Joe Pineda – 2013-06-15T22:10:52.320

1@JoePineda you only need a hash because that's what the bitcoin network currently expects but there is no reason you can't make it accept answers of some different form. All proteins are foldable just as all hash functions are solvable. Knowledge of a solution existing in both cases does not make the answer to the problem easier to find. The idea is that you would always be looking at different proteins or for a new way to fold an existing protein. – Loourr – 2013-06-15T22:41:16.143

1"Any problem which requires a predictable and manipulatable amount of computing power can be used for proof of work in the bitcoin network." That's just totally false. Only a problem that meets a number of very specific requirements can possibly be used. The work must be much easier to verify than to perform. The work must be inseparable from the block it is attached to. The work must not require a central authority to assign it. And so on. The rest of your answer is completely wrong because it's based on that false premise. – David Schwartz – 2013-06-16T02:57:24.240

@DavidSchwartz case and point

– Loourr – 2013-07-09T12:08:52.237