Chia Blockchain – A Decade in the Making

Bram Cohen’s idea for building a better Bitcoin based on commodity storage and elapsed time began almost a decade ago in Bitcoin developer IRC channels. As we past Chia’s first reward halving marking almost 3 years since mainnet launch, let’s take trip into the past to the beginnings of what would eventually become Proof of Space and Time consensus mechanism and the Chia blockchain.

Credit to Kurt86 on Chia’s Discord server for resurfacing this information.

Bram dives into Bitcoin (2014)

Although Bitcoin was built on top of the foundational peer-to-peer networking protocol BitTorrent invented by Bram (and likely named in homage to it), Bram has been described as a Bitcoin skeptic in its early days. It wasn’t until years into Bitcoin’s development circa 2014 when Bram started to look into it seriously. It was in Bitcoin IRC Channels, and specifically the still accessible #bitcoin-wizards channel (for Bitcoin experts and futurists interested in discussing the long term direction of cryptocurrency) that we see Bram share early thoughts about the shortcomings of Bitcoin and how he thinks about fixing it.

Advised against creating a new blockchain

An early conversation between Hashcash inventor and eventual Blockstream CEO Adam Back (adam3us) and Bram (bramc) sees Adam question Bram’s motives in researching Bitcoin — whether it is to help improve Bitcoin or if Bram was just interested in creating his own blockchain. Adam mentions Litecoin as an example against trying to build an alternative to Bitcoin.

<adam3us> so bramc is your interest to catchup with bitcoin or to start a bramcoin, just curious 🙂 if you dont mind us asking you a question in return!

<bramc> adam3us, I’m not announcing anything right now, people are drawing not unreasonable inferences though

<adam3us> bramc can you give an example of a not unreasonable inference (i am a bit behind on wizarsd backscroll)

<bramc> There’s been some more off the path discussion in ##altcoin-dev where I was talking about how to mix together cuckoo and nonoutsourcable proofs of work

<adam3us> so you know, i went through the hmm people seem to know who I am, i could start an altcoin and probably make some pump & dump $ on it, for all of about 15seconds and then i was thinking, no thats antisocial, evil and selfish – its more sensible to work on improving bitcoin. hence arriving at encrypted values, and interest in sidechains.
<adam3us> bramc: just trying to nudge you through the right exit to that funnel so we dont get another “silver to bitcoins gold” moment (litecoin ref if you werent around for that one). a) its unlikely to over take bitcoin whatever it is – making it an unethical pyramid; and b) you shouldnt try because if you did it would be destructive of the very concept

<bramc> I’m not interesting in a pump and dump of an altcoin, but I have a lot of interesting in what the problems in bitcoin really are and how they might be improved. Almost all the really interesting stuff has to do with decentralizing mining (cuckoo, nonoutsourcable proofs of work, enforced wait times)

<adam3us> bramc: so my view is if there is a problem, its very interesting to work on solutions, and then integrate with bitcoin. if the improvement is marginal however dont be surprised if its not-worth changing. something has to be a significant improvement to take the risk at core. sidechains hopefully will allow more experimentation and you could indirectly experiment with pow in a sidechain off a sidechain.
<adam3us> bramc: frankly i am personally going to be a little less interested to help you learn about bitcoin and common blockchain fallacies if you’re going to turn around and do the #1 fallacy and make yet-another-altcoin. there are 1200 or so. the world really doesnt need another one.

<bramc> adam3us, Like I said I’m still investigating and not announcing anything right now

<adam3us> bramc: yes bram but is that code for i am working on alt coin but i’m not going to say it or people wont give me 100s of hours of free strategic advice. then i’m going to go off and do the anti-social thing.

<bramc> I won’t make another coin unless there’s a compelling reason why the same functionality couldn’t be crammed into bitcoin. If I do start serious plans to do so I’ll give you the opportunity to convince me that I should do it on a sidechain instead

Source: #bitcoin-wizards IRC chat logs, 2014-12-17

A focus on decentralizing mining

Almost all the really interesting stuff has to do with decentralizing mining (cuckoo, nonoutsourcable proofs of work, enforced wait times)

Bram Cohen, #bitcoin-wizards IRC channel, 2014-12-17

In the conversation above we see mentions of a few aspects that will become core to the design of Proof of Space and Time to avoid the centralizing forces of Proof of Work mining.

• “Cuckoo” refers to Cuckoo Cycle (John Tromp, February 2014) which is a memory-hard algorithm using Cuckoo hashing as a more ASIC resistant alternative to Hashcash. Bram considered specialized hardware a centralizing factor in Bitcoin mining and although cuckoo itself did not end up being viable, it was this thinking that led to the eventual choice of storage as the ideal commodity hardware resource.
• “Non outsourcable proof of work” refers to a solution to discourage centralized pooled mining. This is accomplished by Proof of Work schemes that allow miners to steal rewards from pools thus making it not feasible to run pools at all. One such scheme that uses trapdoor information is reminiscent of how Chia plots are generated with a public farmer key and requires a private key to farm.
• “Enforced wait times” are what we now know as Verifiable Delay Functions that are run by Timelords and serve as the basis for Proofs of Time. Bram explains this concept of “proof of wait” in a parallel conversation with user op_mul.

<op_mul> ” enforced wait times” sounds impossible.

<bramc> op_mul, Oh but it isn’t
<bramc> op_mul, https://eprint.iacr.org/2011/553.pdf

<op_mul> unless you have proof of wait up your sleeve

<bramc> op_mul, that link gives a way of making a proof of wait, and it can be improved on

<op_mul> bramc: without having to deal with 28 pages of dense math. how does it get around the sybil problem?

<bramc> op_mul, It has to do with its overall API, it’s completely non-interactive. Given hash X, I can generate a proof that I performed a series of sequential operations after X was generated, and have a proof of that which you can verify quickly

<op_mul> bramc: not really proof that you’re doing nothing though, isn’t that just like peter todds timelock, forcing highly non-concurrent computation?

<bramc> op_mul, If the block chain requires proofs of sequential work between blocks, that’s time when everybody just has to sit around and wait

<op_mul> bramc: sounds like a reason for me to get into liquid nitrogen CPU cooling.

<bramc> op_mul, feel free, it’s an interesting experiment to see how well it works. There’s no direct payoff to running an honesty server beyond possibly getting more mining time for yourself if you get to it first. Having multiple people who do that just results in the overall work factor going up and they cancel each other out

<op_mul> quite
<op_mul> I’m used to working with things in tens of megahertz, not trying to get gigahertz out of a CPU with extreme cooling.

<bramc> Nobody’s asked about how to fix the problem that you only have one measure of whether things are too easy or too hard, time, and there are now two different work factors to adjust for
<bramc> Trying to combine nonoutsourcability and time gaps is proving to make quite the frankensteinian monster, I’m not entirely sure it can be done well

Source: #bitcoin-wizards IRC chat logs, 2014-12-17

Bram’s last couple messages foreshadow his multi-year journey of inventing new math to combine Proofs of Space and Proofs of Time into Proof of Space and Time, the first new Nakamoto consensus since Bitcoin. It also alludes to how Timelords are known to work on the Chia blockchain where the fastest timelord is all that is required to move the chain forward.

(Editor’s note: If you’re not the fastest timelord, you may as well be the slowest timelord.)

A desire to reduce energy waste

In this exchange between Bram and Adam, we can see Bram’s desire to pursue an ASIC resistant algorithm — one that can utilize unused hardware as opposed to specialized custom hardware that centralize to ASIC manufacturers and low cost energy locations.

The argument centers around the debate of capital expenditure versus operating expenditure and whether the concept of energy backing the value of Bitcoin needs to be true.

<bramc> adam3us, I view limiting the amount of senseless destruction which goes into mining as a good thing

<adam3us> bramc: its not senseless. its an economic necessity. thats an economic fallacy.

<bramc> adam3us, There’s plenty of hardware sitting around depreciating all the time. If the costs of mining were adjusted to be primarily hardware depreciation then the amount of new investment in mining would go down, and it would be relying primarily on sunk costs

<adam3us> bramc: if coins have a production cost below their value, rational economic actors will spend up to the market value chasing it. if thats via politics, buying or bribing stake holders (pos) etc
<adam3us> bramc: i dont think my arguments change. its economic fundamental of commodity pricing.
<adam3us> szabo wrote about it, and paul sztorc.

<bramc> adam3us, I have in fact worked through this. If actors are basically proving that they already wasted some money on depreciating hardware, then they aren’t going to incur much new costs because the depreciating hardware has already happened

<op_mul> proof of work is more about the power cost than the hardware cost.

<adam3us> bramc: so then their depreciating hardware isnt costing them anything new. there has to be a separable mining dedicated cost on either hardware or power. obviously something will shift. eg price of used hardware will rise, or people will make asics for whatever it is. to think hardware cant win over software is pure fallacy.

<op_mul> any ASIC you can buy today will use more power than it’s own outright cost in a matter of days.

<bramc> op_mul, the interesting question is how to change that. Cuckoo and proofs of time shift things quite a bit
<bramc> I don’t think that the power thing happens in a matter of days, last numbers I saw the power and hardware costs of miners are roughly on par with each other

<adam3us> bramc: if the cost is the same, and necessarily so, and already work just fine, why is it interesting to engage in creating something different. different isnt better its just different. unless you can persuade bitcoin to change, via rational argument its a dead duck. you could maybe do it on a sidechain via a pow-adaptor sidechain, but still if its no advantage why bother.

<bramc> adam3us, There’s a *lot* of depreciating hardware out there, far more than the amount of bitcoin specific hardware

<op_mul> the value of the hardware is next to meaningless though
<op_mul> it’s all about the running costs.

<adam3us> bramc: so what. it still uses power, and economic systems are dynamic. the price of used hardware will rise. and anyway within 6-12mo of it being relevant an asic will arise which will decimate it.

<bramc> adam3us, the political reason is to shift power away from the miners is that they’re highly centralized, while people who already have depreciating hardware are highly decentralized
<bramc> I’m not so sure that an asic can decimate cuckoo. And putting in time gaps hurts it via depreciation quite a lot.

<adam3us> bramc: decentralisation is something that is interesting, yes. but i dont think you can imagine depreciating hardware can compete against asics.

Source: #bitcoin-wizards IRC chat logs, 2014-12-17

Proof of Storage is the answer

A few weeks later on New Years day, Bram comes back to share the insight that storage, and not compute, is the ideal resource to secure a chain, but only when combined with aforementioned Proof of Time or “Proof of Wait”.

<bramc> It turns out there’s an interesting approach to tackling the electricity problem

<maaku> bramc: the electricity problem?

<bramc> maaku, the problem that mining inevitably winds up producing economic waste equal to the value of the rewards because it gets spent on electricity

<op_mul> I’d call that a core function rather than a problem

<bramc> The potential loophole is to use a calculation which uses no electricity and no time
<bramc> op_mul, The use of resources is a core function, but ideally the calculation would demonstrate depreciation of already extant resources rather than require the sinking of new resources

…

<gwillen> (I’m curious but skeptical of the idea of demonstrating consumption of an existing resource, in a way where that demonstration can’t be reused, without wasting any new resources.)

<bramc> The various attempts at asic resistance have focused on making the calculation use memory, which makes a fair amount of sense: If you spend time waiting for memory you aren’t using electricity during that time, and memory is much more commodity than CPU calculations are

<maaku> i’ve gotten enough use out of bittorrent to allow bramc a few cycles of my time in good faith

<bramc> The other idea I suggested before is to use proofs of sequential work, aka proofs of time, as essentially placeholders where everybody sits around doing nothing until the proof of time is done
<bramc> These both can do a probably pretty good job of asic resistance, but I think they don’t go far enough

<kanzure> what were your prior objections to the objections to asic resistance?

<bramc> What you need is a proof of *storage*, because storage is vastly more commodity than even memory is: there’s basically no way to optimize it more than is already done. and there’s lots of it always sitting out there depreciating. And there’s a simple proof of storage calculation which can be done. Embarassingly trivial, really.
<bramc> kanzure, I have nothing against asic resistance, it’s a worthy thing, the problem is that it doesn’t fix the problem that electricity will be essentially wasted on mining, exactly in accordance with what the mining rewards are

…

<bramc> Now this gets into the part which is really weird. Absolutely central to my idea is alternation between proofs of storage and proofs of time, with essentially no time at all being used in the proofs of storage and all of it spent in the proofs of time, but the two interacting
<bramc> Here’s the proof of storage, which might help clarify or make what I’m saying even more mysterious: The proof of storage is a public key whose hash when xored to the hash of the previous proof of time is as small as possible
<bramc> To initialize everything, you fill up all available storage with a list of public keys sorted by their secure hash, the more the better
<bramc> (there are some constant factor improvements on that, but I’ll skip over them for now because they don’t change anything fundamentally)
<bramc> After you find out the output of the previous proof of time, you go look up the best proof of storage you have locally, use it to sign a new set of transactions, and start giving these to your peers. You re-transmit any record breaking one which peers might send you

Source: #bitcoin-wizards IRC chat logs, 2015-01-01

Bram describes the current day process of plotting and farming and the interaction between farmers with storage and Timelords generating signage points.

That key innovation of alternating between proofs of storage and proofs of time was the breakthrough that enables the use of storage as a means to secure a blockchain where previous attempts at Proof of Storage have failed. Upon being further flushed out, the outcome as we all know, is the Proof of Space and Time consensus mechanism that secures the highly decentralized Chia blockchain today.

Further reading

We covered just a few highlights here but the full chat logs themselves offer many more insights into the early thinking behind Chia and the challenges Bram faced with improving Bitcoin, eventually motivating him to build a separate blockchain.

Full chat logs from the #bitcoin-wizards IRC channel are available here:

• [gnusha.org] #bitcoin-wizards chat logs
• [wpsoftware.net] #bitcoin-wizards chat logs

Hope you enjoyed this little peek into the past!