Now we're going to talk about another topic in alternative puzzles: puzzles that discourage the consolidation of mining power. Today, Bitcoin miners mostly participate by joining mining pools rather than mining as independent individuals. This means that very large mining pools directed by a central pool administrator become a very large potential consolidation of power. One of Bitcoin's core values is decentralization, so this consolidation of power poses a big threat to those core values. If the power is consolidated in a few large, centrally managed pools, then the large pool operators become a juicy target for attacks like coercion or hacking. So a case can be made that we might want to discourage very large pools from forming. There's even an analogy to voting here. It's illegal in the United States, for example, to sell your vote to someone for money. Arguably, participating in a pool controlled by someone else is akin to selling your vote in the Bitcoin network. Recently this has become a popular problem because the very largest Bitcoin mining pool, GHash.IO, has reached more than 50% of the network's overall hash power. This has led to a bunch of public outcries explaining that this is a very big threat to Bitcoin and spells doom, or something to that effect, and demanding technical solutions to this problem. Now, the observation behind one technical approach to this problem is that members of a Bitcoin mining pool don't inherently trust each other. Pools can only form and become very large because members of the pool are able to prove to the pool operator that they're toeing the line and doing mining work that can only benefit the pool as a whole. This works by using the shares protocol that was described in earlier lectures. Recall that in a Bitcoin mining pool, there is typically a pool operator who has a well-known public key. 
Each of the miners sends their near misses, or mining shares, to the pool operator to show that they're mining on a puzzle that directs the reward to the pool operator's public key. When a solution is found, the pool operator then distributes the reward among the pool participants who have contributed to finding the solution. Now, there's an interesting attack on Bitcoin mining pools which we're going to call the vigilante attack. Suppose that there's a pool member who's very upset with a large mining pool. He can participate in the pool by mining and submitting his near-miss share values to the pool operator just like normal. But in the event that he actually finds a Bitcoin puzzle solution that would reward the pool, he just throws it away and doesn't tell the pool operator about it. The effect of this attack is that the overall effective mining output of the mining pool is reduced. However, the vigilante only loses a little bit, because he still gets rewards for the other puzzle solutions that are found: he gets a proportional reward due to the shares that he submits. One problem with this attack is that the vigilante still has to lose something and doesn't gain anything. So it seems unwise to rely on vigilantes like this to monitor the network and rightfully choose to do this only against large pools. Here's an illustration of what the vigilante attack looks like. The vigilante still submits shares to the pool operator, and if he finds a solution, discards it. So the approach of a nonoutsourceable puzzle is to encourage the vigilante to perform this attack in the following way. We'd like to make it so that whoever actually finds the Bitcoin puzzle solution is able to take the reward for themselves. Then the vigilante would have a direct personal incentive to perform the same attack and harm the pool. 
The approach to building a puzzle that works this way is to have a puzzle where each puzzle attempt requires signing the puzzle solution value using a public/private key pair. In particular, each attempt at a puzzle solution requires knowledge of the private key, and that same private key would then be used to spend the reward later. So, instead of only the pool operator having the key, any of the mining pool participants who are contributing mining resources also have to know the private key in order for their mining to be effective. If any one of them does find a solution, they would be able to take the money. A secondary goal is that we would even like to provide mining pool members in this case with the ability to evade detection. Now I'm going to describe how a particular instance of a nonoutsourceable puzzle would work. A solution to this puzzle contains the same information as an ordinary Bitcoin puzzle: the previous block hash, a mrkl_root which is a commitment to all of the transactions to be included in this block, and an arbitrarily chosen nonce value. It also includes a public key, PK, for which the miner would have to know the corresponding private key in order to find puzzle solutions. It's also going to include two signatures made using this key pair, s1 and s2. The first step in determining whether a particular nonce value is a puzzle solution is to create a signature s1 using the key pair. This has to be a valid signature over the previous block hash as well as the nonce value that's been chosen. To tell if this nonce is a valid solution, you compute the hash H over the string containing the previous block hash, the public key, the nonce and the signature s1. Then you compare this hash value to a target, just like in Bitcoin's puzzle. 
Only after you find out whether or not this nonce was a valid puzzle solution do you compute a second signature s2 using the same key pair, and only in this signature do you include the mrkl_root of the transactions. So the idea here is that you need to be able to compute the signature value s1 using the private key in order to find out whether or not you've found a puzzle solution, and only once you've found a puzzle solution do you compute the second signature s2 in order to choose which transactions are going to be included. This means that to find a puzzle solution, you have to know the private key, and if you know the private key, you get to choose the transactions, which lets you direct the reward to yourself. There are several potential concerns with this nonoutsourceable puzzle. One problem is that it basically throws the baby out with the bathwater. This nonoutsourceable puzzle would discourage all pools from forming, not only the centralized ones which were the original motivation for this, but also the harmless decentralized mining pools like P2Pool which were discussed in previous lectures. The effect of this could be that if miners are discouraged from participating in any mining pool, they might find themselves pushed towards other forms of outsourcing which are even more harmful, such as hiring hosted mining services to do their mining for them. Hosted mining services are potentially an even larger threat to the decentralization of Bitcoin's mining power, because the hosted mining administrator is actually in physical possession of all of the Bitcoin mining rigs. There are potential approaches to addressing these concerns, but that's an ongoing research project and I won't get into the details here.
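Here is the two-signature construction just described, worked through in code. This is an added example and not code from the lecture or from any real nonoutsourceable-puzzle implementation. It uses a textbook Schnorr signature over secp256k1 (Bitcoin's curve) in place of Bitcoin's actual ECDSA; the signature encoding, the exact byte layout fed to H, the 4-byte nonce and the easy target are all assumptions chosen so the search finishes in a fraction of a second. The second half shows the incentive the lecture cares about: whoever holds the private key can re-sign s2 over a different mrkl_root after the search is done, while a pool member mining against the operator's PK without the key cannot produce a valid s1 at all.

```python
import hashlib

# Added example, not the lecture's code. Toy nonoutsourceable puzzle built on a
# textbook Schnorr signature over secp256k1. Byte layouts and the easy target
# below are assumptions for illustration only.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
EASY_TARGET = 2**256 >> 4  # constructed difficulty: roughly 1 attempt in 16 succeeds


def _add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def decode(b):
    return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))


def keygen(seed):
    """Derive (sk, PK) from a seed so the example is reproducible."""
    sk = int.from_bytes(H(b"key", seed), "big") % N or 1
    return sk, encode(_mul(sk, G))


def sign(sk, pk, msg):
    """Deterministic Schnorr: R = kG, e = H(R, PK, msg), s = k + e*sk (mod N)."""
    k = int.from_bytes(H(b"k", sk.to_bytes(32, "big"), msg), "big") % N or 1
    R = encode(_mul(k, G))
    e = int.from_bytes(H(R, pk, msg), "big") % N
    return R + ((k + e * sk) % N).to_bytes(32, "big")


def verify(pk, msg, sig):
    """Accept iff s*G == R + e*PK."""
    R, s = sig[:64], int.from_bytes(sig[64:], "big")
    e = int.from_bytes(H(R, pk, msg), "big") % N
    return _mul(s, G) == _add(decode(R), _mul(e, decode(pk)))


def mine(sk, pk, prev_hash, merkle_root, target, max_tries=4096):
    """Step 1 (s1) needs sk on every attempt; step 2 (s2) binds the
    transactions only once a winning nonce is known."""
    for i in range(max_tries):
        nonce = i.to_bytes(4, "big")
        s1 = sign(sk, pk, prev_hash + nonce)
        if int.from_bytes(H(prev_hash, pk, nonce, s1), "big") < target:
            s2 = sign(sk, pk, prev_hash + nonce + merkle_root)
            return {"prev_hash": prev_hash, "pk": pk, "nonce": nonce,
                    "s1": s1, "merkle_root": merkle_root, "s2": s2}
    return None


def check_solution(b, target):
    """What a verifier checks: s1 valid under PK, hash below target, s2 valid under PK."""
    if not verify(b["pk"], b["prev_hash"] + b["nonce"], b["s1"]):
        return False
    if int.from_bytes(H(b["prev_hash"], b["pk"], b["nonce"], b["s1"]), "big") >= target:
        return False
    return verify(b["pk"], b["prev_hash"] + b["nonce"] + b["merkle_root"], b["s2"])


def redirect_reward(b, sk, new_merkle_root):
    """Whoever holds sk re-signs s2 over different transactions (e.g. a coinbase
    paying themselves) without redoing the search; nonce and s1 are unchanged."""
    nb = dict(b, merkle_root=new_merkle_root)
    nb["s2"] = sign(sk, b["pk"], b["prev_hash"] + b["nonce"] + new_merkle_root)
    return nb


if __name__ == "__main__":
    sk, pk = keygen(b"pool operator")
    prev, pool_txs, my_txs = H(b"prev block"), H(b"pay the pool"), H(b"pay me")
    block = mine(sk, pk, prev, pool_txs, EASY_TARGET)
    taken = redirect_reward(block, sk, my_txs)
    print("nonce", block["nonce"].hex(), "valid:", check_solution(block, EASY_TARGET),
          "redirected still valid:", check_solution(taken, EASY_TARGET))
```

The point to notice is in `mine`: the signature s1 is computed before the hash comparison, so a participant who does not hold sk cannot even evaluate whether a nonce wins, and a participant who does hold it can call `redirect_reward` on the winning nonce. Swapping the mrkl_root without re-signing fails `check_solution`, which is exactly why the operator cannot hand out the key and still keep control of the coinbase.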