Why proof-of-burn?

Many people have commented on our use of proof-of-burn as the basis for our reputation pledge system, which forms one of the core pillars of our identity and trust platform for OpenBazaar.

As previously explained on our blog, with proof-of-burn, you’ve invested resources that create an incentive to keep a good reputation and impose a significant cost for abandoning that reputation. This reputation is associated with your pseudonymous identity.

Some of the technical details behind these ideas are covered in my paper, but read on if you want to see why we chose proof-of-burn instead of other alternatives.

People have expressed concerns about how the reputation pledging scheme alone can protect us from fraud. I wanted to point out that we’re still in beta 1 and that we’re working hard to address all of these concerns: this reputation pledge system will not be used on its own. Our trust and identity system is far from complete, and we aim to combine several powerful tactics to achieve a system in which each node’s reputation is reliable. We’re researching ways to do this and we’re working on several drafts, including a web-of-trust, surety bonds, trust-as-risk, and other alternatives, which can be combined to form a more powerful scheme and ensure safety on the network. We will publish more information and details on these schemes as they solidify. We understand that trust is a core component of a decentralized market, and we are making it our priority to build a truly free marketplace where people can be trusted even though they are pseudonymous.

There are two popular schemes that people suggest we use instead of proof-of-burn: proof-to-miner and proof-of-donation. We’ve heard these suggestions on reddit and elsewhere. While we do like charities and wish we could donate burned money to them, this is simply not feasible, and the reasons are security-related and technical. The same applies to donating to miners, or other schemes in which funds are allocated at random. In fact, some people suggested that nodes acquire reputation by donating to the OpenBazaar development team itself, but again this has the same issues that I’m explaining below (although you can always donate directly :D).

The reason why a donation to a charity or a list of charities does not work (at least naively) is that it introduces a single point of failure to the system. It is important to note here that our threat model is far more paranoid than that employed by traditional e-shops. We aim to protect buyer and seller privacy and make the market impossible to censor by governments, big corporations, or other powerful agents. In this endeavor, one possible enemy is a malicious government which, through its legal system, issues a warrant, perhaps a secret one, that aims to shut down or otherwise disrupt the market. This is something we want to guard against, as we’ve seen it used again and again against various pieces of software that contained centralized components. We simply do not wish to rely on law to ensure the privacy and trustworthiness of our system. The way to guard against such attacks is through true decentralization.

When a charity or the OpenBazaar development team receives the funds of reputation pledges, the people holding the private keys to those funds have the ability to centrally control the OpenBazaar network and break its security. Assume we decided to use reputation pledges to fund OpenBazaar development (a similar argument exists for charities). In this case, a malicious government that wishes to circumvent our security would follow these steps:

  1. First, create an OpenBazaar market.
  2. Then, issue a secret warrant against the OpenBazaar developers asking them to forfeit their private keys. In multisig cases, ask for all the private keys.
  3. Subsequently, donate some amount X to the OpenBazaar development team in a “reputation pledging” move.
  4. Use the private keys obtained in step 2 to access the funds “pledged” and move them back to your own address. No money has been spent to do this.
  5. Repeat ad infinitum.

By following these steps, the malicious party can arbitrarily increase the reputation of any node they choose. One easy way to disrupt the market is then to randomly choose nodes on the network and increase their reputation arbitrarily, rendering our reputation system completely useless. In fact, the malicious agent in this case can increase reputation as much as they want instantaneously.

In case a proof-to-miner scheme is used, a malicious party can act to disrupt the market even without the legal power of warrants. The malicious party in this case can be any miner, even with little mining power. In this scheme, the malicious miner follows these steps:

  1. First, create an OpenBazaar market.
  2. Then, create a proof-to-miner transaction with some amount X which is a “reputation pledge” for your identity towards miners, but keep it secret.
  3. Start mining the next block, and include your secret transaction in your attempt.
  4. If you mine successfully, you’ve acquired reputation. No money has been spent to do this, as the funds are “donated” back to you. In this case, publish your secret transaction to the network.
  5. If you fail to mine this block, double-spend the amount from the secret transaction in a new reputation pledge attempt. The network won’t see the double-spending, as the first transaction remains secret.
  6. Repeat ad infinitum.

Again, a miner would be able to create an arbitrary amount of reputation for any node they choose and disrupt the network. However, in this case, the rate at which a miner can generate reputation is proportional to the money they own multiplied by their mining power.
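The cost accounting behind the two scenarios above can be checked with a small model. This is an added example, not OpenBazaar code: the `simulate` function, its sink names and the one-reputation-unit-per-coin rule are assumptions made for illustration, and Bitcoin transaction mechanics are abstracted away.

```python
import random

def simulate(sink, funds, pledge, rounds, hash_share=0.0, seed=1):
    """Return (reputation, money_spent) for one pledger (hypothetical model).

    sink: "burn"     - the pledge goes to an unspendable output
          "donation" - the pledge goes to a recipient whose private keys
                       the pledger also holds
          "miner"    - the pledge is paid to whoever mines the block; the
                       pledger withholds the transaction, so it confirms
                       only in blocks the pledger mines
    Assumption: one unit of reputation per coin pledged.
    """
    rng = random.Random(seed)
    balance, reputation = funds, 0
    for _ in range(rounds):
        if balance < pledge:
            break                      # out of money: reputation stops growing
        if sink == "burn":
            balance -= pledge          # coins are gone for good
            reputation += pledge
        elif sink == "donation":
            balance -= pledge          # pay the recipient...
            reputation += pledge
            balance += pledge          # ...and move the coins straight back
        elif sink == "miner":
            if rng.random() < hash_share:
                reputation += pledge   # pledge returns in the pledger's own block
            # on a miss the withheld transaction never confirms: nothing is spent
        else:
            raise ValueError(f"unknown sink: {sink}")
    return reputation, funds - balance

if __name__ == "__main__":
    for sink, share in (("burn", 0.0), ("donation", 0.0), ("miner", 0.05)):
        rep, spent = simulate(sink, funds=10, pledge=10, rounds=10_000,
                              hash_share=share)
        print(f"{sink:9s} reputation={rep:7d} spent={spent}")
```

Only the burn sink ties reputation to money actually given up; the other two produce reputation at zero net cost, and in the miner case the yield scales with both the pledge size and the share of blocks mined.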

As you can see, these naïve attempts to avoid proof-of-burn are unsuccessful. However, there have been several alternative suggestions, and we welcome your opinion in designing our schemes. While more complicated ideas are welcome and we are happy to discuss them, one of our priorities is to have a usable yet secure product by the end of the year, and some of these schemes are simply not feasible to implement in such a short timeframe; let’s keep in mind that shorter code means code that is easier to review and audit for security issues, and we want trust-related code to be thoroughly audited for security.

It seems that many people feel uncomfortable burning coins, and I wish to address their concerns in this post. As Vitalik Buterin of Ethereum points out:

The destruction of BTC does not translate into a destruction of economic value; the value simply gets redistributed proportionately among everyone else. Hence, the protocols are actually efficient (i.e. not wasteful).

Or, to quote Satoshi Nakamoto:

Lost coins only make everyone else’s coins worth slightly more. Think of it as a donation to everyone.

The best and simplest explanation as to why value is not lost comes from /u/Amanojack:

There seems to be a widespread perception that destroying coins is somehow related to destroying wealth. It’s just a name; nothing is actually being destroyed in terms of real world wealth or purchasing power, but just being moved around. Proof of burn is actually proof of donation (to every other bitcoin holder, in proportion to how many bitcoins each person holds).

Money is just a form of memory: it records, either in a low-tech way (gold/paper) or high-tech way (Bitcoin), who did what for whom in society. It’s a kind of favor-voucher that you give to people who did something for you and you receive when you do something for someone else. Destroying your favor-vouchers of course doesn’t hurt anyone else; in fact it makes everyone else’s worth more. There are now fewer vouchers chasing the same amount of available favors (goods and services) in society, since one person – the voucher burner – was nice enough to throw away his right to collect goods and services from others.

With these schemes, it will be the first time it becomes possible to trust truly pseudonymous individuals without the need of trusting any authority or centralized system. While we’re very excited to address these issues, they are hard problems that require experimentation, thorough security reviews and auditing, as well as theoretical work as their foundation, so all of this requires time to mature. We ask for your patience as we build this system and further explore its possibilities.

We’re looking forward to building a market where sellers and buyers can trade safely, in which trust can be established between transacting parties by the network without sacrificing any anonymity. We want people to feel secure in their transactions, so that they can finally trade online with privacy and freedom.