Can Chia even support fair pools?

Edit: Here is my understanding of the proposed solution after watching the first part of the Pooling Zoom call

There has been this thing nagging my mind:

How can pool operators that want to distribute pool profits according to the degree of participation in the pool, verify that plots claimed by their pool participants actually exist as unique valid plots?

Let me elaborate based on my 20.000 ft level mental model.

Chia rewards are proportional to space and time. Of course, it can not really ‘see’ all the space dedicated by inspecting total netspace consists of valid plots, and it does not have to. It just relies on reward challenge that would be near impossible to complete without having expensively precomputed lookup tables (the plots). The construction of the table (plotting) is long and costly (otherwise you could just ignore it and do the challenge on the fly), but the production of the response (harvesting) is fast and cheap once you have the pre-computed lookup tables.

Now you could try to fudge the process, by in the extreme just participate in evry challange and instead of computing just guessing the correct response, but the solution space is made so large that you would never ever be able to guess a correct answer. In other words, you can pretend to have plots all you want, but they would never help you pass the test unless they where the real valid uncompressible lookup tables required to find the right response at the time of the challenge.

Chia really does not care whether you lie about having 1.000 plots that do not exist, as your imaginary plots will never win any Chia.

Now enter pools. The way most people think about pools is this: If a bunch of people that individually all have a very, very small chance of winning the Chia lottery anytime soon, all bundle their lottery tickets (plots), they together have a much higher chance of winning a lottery in the short term. If we then distribute the winnings fair amongst everyone participating in the pool according to their contribution to the effort, all would see a steady stream of fractions of Chia trickling into their wallets.

But here is the catch. Whereas before my fraudulent claim of having 1.000 plots did gain me nothing, now if I can convince a pool that I have them and put them in the pool, I’m enjoying a steady trickle of Chia without having to actually have any real space/time committed. Hey, I’m just unlucky, right? After all, the other guy with 1.000 real plots also isn’t winning. So as long as I don’t overplay my hand and stay under the statistical radar, I can free ride this game.

So pool operators now have a burden that Chia itself has not: How can you test that a plot is actually a real plot, not just once, but repeatedly to proof it still exists even though it is not passing any Chia challenges, and do so cheaply and in a non-fudgible way?

How do current unofficial pools solve this? HPool seems to detect some imposters, but I suspect not the ones that keep their fraud small enough to avoid statistical detection.

Bonus question: If such a verification function did exist, why did Chia not use this stronger proof themselves?

That’s what they’re working on.

From my understanding, the pool server will send normal farming like challenges to the members, but with a lower difficulty than the current network (so someone with 10 plots might find one proof a day on average). Based on the difficulty of the challenge and how many proofs you find the pool can determine how many plots you are farming with.

I only read the first paragraph of your long post. But the answer is the chia pooling protocol. The new built in protocol should validate plots at the client side and report to the pool. This should not be something the pool developer should need to do.

So what if I do just enough work to have my plots pass the easy mode, but not enough for the harder challenges? Would I not be able to get away with less space or be able to use compute/space tradeoffs within the time window that wouldn’t work for a hard challenge?

(real question, I genuinely do not know)

There’s just no way to do that, technically/mathematical, that’s the whole goal of the pooling protocol

Would the validator not be fakable? After all, I have full control over my machine, I just need to be able to fudge the “everything’s fine here, nothing to see” responses.

You could try to do that to the blockchain too, but the Proof of Space and Time part requires the proof, and pooling will be no different.

I understand that is the goal, but I can see how non trivial reaching that goal can be in practice.

It is only possible because of the work they did initially for proof of space and time. It was very non-trivial to get chia’s proof of space and time working for a blockchain. Pooling is just an extension of those challenges.

It is a different challenge though.

The first challenge should only be won by a real plot.

We don’t care how many you claim to have, if you win, we know that one real plot did exist at the time of this challenge.

vs.

We have to prove the existence of every plot you claim to have every time we issue a challenge.

So why do you think that second quick check is so hard for the new protocol to do? If the check has to prove they have a winning block (or not), why is it so far fetched that the protocol also has to confirm the presence of how many plots that person has?

Because that second challenge or test or whatever you call it would have to be a challenge that on the one hand will be passed by every unique real plot, while it would need to be failed by every fake or duplicate plot.

But that system is already in place. Just go and try to duplicate your system and try to farm the same plots twice.

Isn’t that just an assertion in the harvester? A more tolerating harvester could just ignore it as long as it would make sure the ‘real’ challenge was only answered by one copy, right? What is the point in having copies as they are still tied to my key only, and I’m not going to win the same block twice right?

However, both copies could independently pass the ‘cheap’ test, their uniqueness would have to be validated externally, which now just needs to happen for winning plots.

And for all that a copy could be the easiest to detect of all the possible fudges.

I don’t think so. Take HPOOL as an example. They are able to detect if you are double farming a plot. Once on their network and once on the actual chia network. So how are they able to see what is farming on the chia network? Because each plot is tracked individually on the netspace. So that same mechanism can be used in your scenario. At that point, all the pool needs to do is make sure that you are still farming all the same plots (plus new ones) that you were when you started farming with the pool.

So there is a global register of plots? Where is that hosted, and by whom? Or is this a separate blockchain?

That was an assumption. But after looking at the Chia Consensus document, I think I understand. Taking a look at the Proofs of Space and Proofs of Time sections (Pages 2-5), basically the farmer (known as the Prover) receives a challenge from the Full Node (known as the Verifier). The farmer needs to prove that they have that space currently being farmed at that specific time and reports back.

With Pools involved, the pool would just become another verifier in the chain. When a farmer receives a challenge, it not only has to check for winning blocks but it also has to prove that it currently is farming the amount of space that it has.

Unless at that time the Prover is just proving it has the space (plot) for that specific challenge and not its total space. But even if that is the current case, adding a quick check to prove the total space would not take much more in the realm of resources. And the prover could run those checks in the background at an interval to double check that the plot files are still there. Then, if they ever physically disappear, it could report back on it’s next challenge response. That would adjust the space assigned in the pool and possibly invoke a reverification to make sure rewards were not given for space not proven.

I have gone through the Proof of Space section from the doc, and it did not change my mind:

once the Prover has initialized 100 GiB, they are ready to receive a challenge and create a proof. One attractive property of this scheme is that it is non-interactive: no registration or online connection is required to create a plot. Nothing hits the blockchain until a reward is won, similar to PoW

So far, no-one besides my very own Prover knows whether the block exists or not. It’s my Prover, I can writer one that lies, or i can make a layer below the Prover that lies.

Farming is the process by which a farmer receives a sequence of challenges to prove that they have legitimately put aside a defined amount of storage. In response to each challenge the farmer checks their plots, generates a proof and submits any winning proofs to the network for verification.

most proofs generated by this process are not good enough (as discussed later) to be submitted to the network for verification

Seems like unless I claim to have a “good enough” proof, nothing so far actually proves or verifies I even have the plot I claim to have.

A further optimization is to disqualify a certain proportion (for example 511/512) plots from eligibility for each challenge. This is referred to as the plot filter.

Good if all you are after is the best qualifying proof, but from an adversarial pov this once more gives us free passes to escape any verification that my plot really exists

Verifying: After the farmer has successfully created a proof of space, the proof can be verified by performing a few hashes and making comparisons between the x-values in the proof.

Again, all focussed on verifying the claim to have a good proof, nothing checks wether the plots for which we do not claim to have found and submit a good proof exist.

I don’t think it is as easy to fool as you make it seem. It would be like me saying I can join Slushpool for Bitcoin and just tell the pool I did the work but don’t do any. Fooling an encrypted protocol is not an easy task.