The following simple technique which I call the solution lottery technique (SLT) can be used in conjunction with other techniques (such as having multiple POW problems, the technique mentioned in Noah Stephens-Davidowitz's answer, etc) to help transform computational challenges into viable proof of work problems. The SLT helps ameliorate issues with cryptocurrency mining problems other than conditions 1-4.
Suppose that CC is a computational challenge of the form “find a suitable hash kk along with a string xx such that (k,x)∈D(k,x)∈D.”
Problem Ψ(C)Ψ(C) setup: Suppose that DD is a set, HH is a cryptographic hash function, and CC is some constant. Suppose furthermore that Data(k,x)Data(k,x) is a piece of information that is easy to obtain after one determines that (k,x)∈D(k,x)∈D but which cannot be obtained otherwise.
Problem Ψ(C)Ψ(C) objective: Find a pair (k,x)(k,x) such that kk is a suitable hash and where (k,x)∈D(k,x)∈D, and where H(k||x||Data(k,x))<CH(k||x||Data(k,x))<C.
Let us now investigate how problem Ψ(C)Ψ(C) satisfies requirements 1-4.
- We have to assume CC is already randomized for the SLT to satisfy this property.
2-3. Ψ(C)Ψ(C) will typically become more difficult than CC and this is a good thing. The difficulty of a proof-of-work problem needs to be finely tunable, but the original problem CC may or may not have a finely tunable level of difficulty (remember that the difficulty in mining Bitcoin is adjusted every two weeks). The difficulty of problem Ψ(C)Ψ(C) is equal to the difficulty of finding some suitable (k,x)∈D(k,x)∈D multiplied by 2nC2nC. Therefore, since the constant CC is finely tunable, the difficulty of Ψ(C)Ψ(C) is also finely tunable.
Even though the problem Ψ(C)Ψ(C) is more difficult than the original problem CC, almost all of the work for solving the problem Ψ(C)Ψ(C) will be spent on simply finding a pair (k,x)(k,x) with (k,x)∈D(k,x)∈D rather than computing hashes (one cannot compute whether H(k||x||Data(k,x))<CH(k||x||Data(k,x))<C or not until one has computed Data(k,x)Data(k,x) and one cannot compute Data(k,x)Data(k,x) unless one verifies that Data(k,x)∈DData(k,x)∈D).
Of course, the fact that Ψ(C)Ψ(C) is more difficult than CC presents some new concerns. For a useful problem, it is most likely the case that one would want to store the pairs (k,x)(k,x) where (k,x)∈D(k,x)∈D in some database. However, in order to receive the block reward, the miner must only reveal a pair (k,x)(k,x) where (k,x)∈D(k,x)∈D and H(k||x||Data(k,x))<CH(k||x||Data(k,x))<C instead of all the pairs (k,x)∈D(k,x)∈D regardless of whether H(k||x||Data(k,x))<CH(k||x||Data(k,x))<C or not. One possible solution to this problem is for the miners to simply reveal all pairs (k,x)(k,x) where (k,x)∈D(k,x)∈D out of courtesy. Miners will also have the ability to reject chains if the miners have not posted their fair share of pairs (k,x)∈D(k,x)∈D. Perhaps, one should count the number of pairs (k,x)∈D(k,x)∈D for the calculation as to who has the longest valid chain as well. If most of the miners post their solutions, then the process of solving Ψ(C)Ψ(C) will produce just as many solutions as the process of solving CC.
In the scenario where the miners post all of the pairs (k,x)∈D(k,x)∈D, Ψ(C)Ψ(C) would satisfy the spirit of conditions 2-3.
- Ψ(C)Ψ(C) may or may not satisfy condition 4 depending on the specific problem.
Other Advantages of this technique:
The SLT offers other advantages than conditions 1-4 which are desirable or necessary for a proof-of-work problem.
Improving the security/efficiency balance: The SLT will help in the case that C may be too easy to solve or too difficult to verify. In general, Ψ(C) is much more difficult to solve than C, but Ψ(C) is about as easy to verify as C.
Removal of a broken/insecure problem: The SLT could be used to algorithmically remove bad POW problems in a cryptocurrency with a backup POW-problem and multiple POW problems. Suppose that an entity finds a very quick algorithm for solving problem C. Then such a problem is no longer a suitable proof-of-work problem and it should be removed from the cryptocurrency. The cryptocurrency must therefore have an algorithm that removes C from the cryptocurrency whenever someone has posted an algorithm that solves problem C too quickly but which never removes problem C otherwise. Here is an outline of such a problem removal algorithm being used to remove a problem which we shall call Problem A.
a. Alice pays a large fee (the fee will cover the costs that the miners incur for verifying the algorithm) and then posts the algorithm which we shall call Algorithm K that breaks Problem A to the blockchain. If Algorithm K relies upon a large quantity of pre-computed data PC, then Alice posts the Merkle root of this pre-computed data PC.
b. Random instances of Problem A are produced by the Blockchain. Alice then posts the portions of the pre-computed data which are needed for Algorithm K to work correctly along with their Merkle branch in order to prove that the data actually came from PC. If Alice's algorithm fed with the pre-computed data PC quickly, then the problem is removed and Alice receives a reward for posting the algorithm that removes the problem from the blockchain.
This problem removal procedure is computationally expensive on the miners and validators. However, the SLT removes most of the computational difficulty of this technique so that it can be used if needed in a cryptocurrency (instances which this technique is used will probably be quite rare).
Mining pools are more feasible: In cryptocurrencies, it is often very difficult to win the block reward. Since the block rewards are very difficult to win, miners often mine in things called mining pools in which the miners combine their resources in solving a problem and in which they share the block reward in proportion to the amount of “near misses” they have found. A possible issue for C is that it may be difficult to produce a qualitative notion of what constitutes as a “near miss” for the problem C and the algorithm for finding a near miss may be different from the algorithm for solving C. Since the pool miners will be looking for near misses, they may not be very efficient at solving C (and hence, few people will join mining pools). However, for Ψ(C), there is a clear cut notion of a near miss, namely, a near miss is a pair (k,x) where (k,x)∈D but where H(k||x||Data(k,x))≥C, and the algorithm for finding near misses for Ψ(C) will be the same as the algorithm for finding solutions to Ψ(C).
Progress freeness: A proof-of-work problem P is said to be progress free if the amount of time it takes for an entity or group of entities to find next block on the blockchain follows the exponential distribution e−λx where the constant λ is directly proportional to the amount of computational power that entity is using to solve Problem P. Progress freeness is required for cryptocurrency mining problems in order for the miners to receive a block reward in proportion to their mining power to achieve decentralization. The SLT certainly helps mining problems achieve progress freeness.