RT @bitstein: Everyone should fire up a new full node once a year with assumevalid=0 to do a complete rebuild of the blockchain. You should have a constant reminder of how incredible Bitcoin's proof-of-work dynamic membership multiparty signature consensus mechanism is. https://t.co/migGuI4bPJ https://t.co/IYIuBjpfgr
Hi Andrew! Unfortunately, it seems the quality of your rewrite isn't better than the previous document. In the first place, without a consensus definition given, it's impossible to reason about its (im)possibility at all. In the second place, it seems you're missing the point of why computational puzzles were introduced in anonymous Byzantine Agreement. I recommend you read the intro to the outstanding "Bitcoin Backbone" paper on that: https://eprint.iacr.org/2014/765.pdf . Then try to prove why anonymous Byzantine Agreement schemes aren't possible with identity tools other than computational puzzles (e.g. with internal tokens as in Proof-of-Stake). I haven't got your DMMS model in detail, but it seems your paper doesn't contain a good enough description & analysis of the model; maybe you can point to other papers on that?
It's true that I don't give a good definition of distributed consensus in the document. I cheat by deferring to Andrew Miller's analysis. I take umbrage with this affecting the "quality" of the document. The original purpose was to quell the influx to #bitcoin-wizards of people promoting stake-based systems (which were always broken by some variant of costless simulation, and every person would spend a -long- time trying to patch our suggested attacks, rinse, repeat). After a few months of this, which started around the advent of Peercoin, Greg Maxwell and Andrew Miller (among others) extracted the general pattern behind these attacks, and I wrote it down to satisfy my own curiosity about how fundamental it was. So while I believe my argument is solid, it depends on a lot of -wizards folklore, and I don't have the time or energy to write all this out (though this is a long-term goal of mine).
Later, several people, notably Gavin, started publishing my document away from IRC as a "generalized anti-proof-of-stake argument", which it sorta was, but it was definitely not as readable as it should've been to serve that purpose. So I rewrote it (a) in light of how much -wizards lore had been written down in the meantime, and (b) to make it more accessible.
I still don't have time to write it to an academic level of rigour the way you would prefer. I do believe that this is possible.
Thanks for the link to your paper. It is long but I will read it; it is a cool abstraction and describes desynchronization attacks which I don't recall having seen addressed before. I handwave them away by defining a "synchronous network" to be one where this doesn't happen. So I have this weird pseudo-synchronous requirement where I claim time-ordering doesn't exist but the network can still have "heartbeats" every ten minutes on average. I agree this sounds suspect, but I claim it's just an artifact of my writing a popular-level argument.
Unfortunately I'm rarely in the Bay Area. My home these days is Austin, TX. I hope our physical paths will cross in the future.
Hi Andrew! Thanks for the detailed explanation! Well, if we are talking about Nakamoto's / Miller's / Backbone Paper's definition of consensus (above some k, the probability of mutability of the (N-k) chain prefix is negligible, or e.g. the probability goes down exponentially with depth), then I would like to see the proof of impossibility of it using internal tokens as identity tools. For single-chain Proof-of-Stake it seems to be easy to enhance Backbone's model and get the same results. The point is all known ways to force participants to build a single chain only are tricky and have unclear consequences because of a hard-to-analyze mix of consensus & economics properties. That's why we (https://github.com/ConsensusResearch) went into investigation of Proof-of-Stake with contribution to multiple forks allowed. Simulations show the same consensus property could be met even for that environment (with the assumption of a finite size of the blocktree & some changes to the chain quality function). A more formal approach (than simulations) is needed though, but it's crazy hard to reason about such a kind of consensus.
I'm in the Bay Area for just few weeks, but hope to see ya someday!
Tendermint uses a different trust model than Bitcoin. Last I checked the whitepaper, this is not explicitly addressed; also, there is a lot of confusion between blocktime and real time. Its author, Jae Kwon, has discussed these things at length on IRC, though little progress was made because at the time we were not thinking in terms of "trust models" and there was a lot of talking past each other. I messaged him privately and (I thought) made a lot of progress on this front, but this has not been reflected in the whitepaper.
Section 4.3 "short vs long range attacks" of my new PoS describes the Tendermint trust model as I understood it last we had these discussions.
I met Jae Kwon in San Francisco about a month ago. He was very friendly. We did not discuss Tendermint :)
There is never actual consensus in any distributed cryptocurrency, including those using proof of work, there's just various probabilities of convergence over time. The most convergent systems have a proof or information which is OUTSIDE of the blockchain and which applies to or prevents working on multiple chains. There's always the hypothetical that someone could come along with a superminer and fork the chain and everyone who was honest would have to watch their transactions get rolled back.
Proof of work is currently the king of convergent "proof of X" systems because the probabilistic proof of work exists outside of the blockchain and effort spent on one chain prevents effort spent on another.
I've been poking around with an idea which can leak information outside of a chain which would (hopefully) cause people to not try to work on multiple chains. It's based on the idea of commitments and ECDSA private key leaks to create single use minting addresses; if someone tries to double-mint, every observer can get the private key and "steal" the funds from the account.
Note that knowledge of the private key is not chain-specific, it can exist outside of any chain - which is closer to a convergent system than is a system which "depends on the very history it is trying to form to enforce loss of value."
Such a system probably would have distribution issues, and premine is the mark of a shitcoin, so I'd recommend bootstrapping it from Bitcoin or another established crypto currency.
What happens if a miner wants to change their mind about which chain to work on? In Bitcoin miners can change their mind for perfectly legitimate reasons and this is a good thing because this is part of forming consensus, this can be crucial, especially in times of crisis. Under your proposal it seems that if a miner changed their mind about which chain to work on they would be punished.
That is a shortcoming of my proposal. I didn't mention that the limitation on single-use is only for signing blocks, not for transferring funds generally, so the user could transfer funds to a new account and try again (though they'd sacrifice coin age). I would expect that this
No system is as convergent as proof-of-work, but I'm interested if other system can be good enough when weighed with the advantages of something like proof-of-stake, namely that the cost of an attack is significantly higher and, less important, the network consumes less electricity. An advantage of this specific proposal is that multiple people can sign blocks, adding consensus weight, making it more of a cooperative endeavor.
Thanks for your kind response.
Distributed consensus is a new field and has many nuances that are difficult to fully appreciate. Allowing miners to decide on which chain to work on, is ultimately what Bitcoin is all about. If miners are punished for changing their minds, such that it becomes unreasonable to change, then miners are not really deciding anything and are not contributing to consensus at all.
The Proof Of Stake proposals, which attempt to solve the "nothing at stake problem" by punishing miners who change their minds, actually destroy the most fundamental part of Bitcoin's consensus mechanism, in my view.
The main potential advantage of Proof Of Stake, as I see it, is that the cost of attacking the network is known and proportional to the value of the network. In Bitcoin this is not necessarily true, although mining revenue is reasonably related to the value of bitcoin, therefore Bitcoin does have this property, to a limited extent. In the long run, the hope for Bitcoin is that mining revenue is proportional to demand for security by the entities transmitting transactions, although it's unclear to me if the network can ever reach this ideal status.
The fact that sending a transaction bears an opportunity cost doesn't mean that people will stop spending their coins.
PoS currencies must balance the incentive to spend coins and the incentive to stake them. The equilibrium depends on a number of parameters: the type of the block reward, the liquidity cost (which is a function of the period during which the coins have to be able to be eligible to mine) etc.
Interestingly enough, in Peercoin, the percentage of coins staking is actually low. This comes from the fact that Peercoin's interest rate is low (1% annually) and the liquidity cost is high (the so called "minimum stake age" is 30 days).
Therefore, empirically, PoS coins seem to actually suffer from the opposite problem.
I think this is fixable by more aggressive inflation, or limiting the amount of currency that can be bonded as stake (e.g. say you can only bond 1% of any UTXO; then only 1% of the currency will ever be used for consensus).
There are a lot of "obvious" economic problems with PoS along the lines of wealth begetting wealth, tendency to oligarchy, etc., but I'd be surprised if any of these weren't fixable by appropriate monetary policy. (Generally monetary policy is hard in cryptocurrency because it's part of consensus code and therefore really rigid. But structural problems like this seem pretty static so I don't think it's a problem.)
I could be totally off-base here, of course. I don't have any economic training and I haven't spent a lot of time thinking about it.
I don't see how reputation is solving anything as it is also a resource within the system. If cheap histories can be created, then you will always have to depend on trusted nodes to give you trusted histories in order to solve for the problem of alternate historical chains.
Studying the subject in great detail is most certainly not moot just because you have some handwavy superficial observation that you somehow conveniently believe trumps everything that requires actual study.
Yes, I suppose it is. I think the difference is that with PoS, the only way you can generate more coins is to hoard them. That's not good for volume, because there's an inverse correlation between volume and currency creation, i.e., the more coins you have in circulation, the less coins you can generate for yourself. It _rewards_ hoarding.
In the case of Bitcoin, it's more of a psychological and predictive question: Will the price go up? Yes, but if everyone hoards the currency, it loses its liquidity and as a result its demand and value. Nobody wants to support a currency nobody uses. I imagine a much more gradual baseline value increase over the long term, but I think by the time that's an issue, there will be a replacement(s) to BTC and it'll just be another commodity that people own.
> if everyone hoards the currency, it loses its liquidity and as a result its demand and value
This is a nonsensical statement. If everyone wants it, it loses value because few people are trading it? Just look at how collectible markets work to see the flaw in this logic.
Obviously we aren't talking about collectables. We're talking about cryptocurrencies, which require liquidity and value. If a currency isn't being used as a currency, and has no intrinsic value, why would anyone want it?
There's a reason for the word scamcoin. There are dozens of altcoins, and they are worth shit because there is no liquidity, and no reason to own them. I should go on and be more clear in my point but I'm on my phone.
What you're misunderstanding is that a currency's value doesn't come from the fact that it's frequently traded. Liquidity doesn't mean it gets traded a lot, it means that it's highly sought after, and has a deep pool of potential buyers. Take gold as an example. The only place I'm aware of where it's still used as a medium of exchange is in Vietnam for real estate deals, yet the monetary value of global gold reserves is something like $8 trillion, many multiples of its industrial use value. Just because a currency isn't traded a lot or often used in exchange doesn't directly affect its utility as a store-of-value. Now in the case of bitcoin, I'll grant you that there is an indirect correlation, since it's an indicator of adoption, but it's hoarding that actually gives it value - the fact that lots of people want to hold it in reserve and are willing to exchange value to do so, just as with gold or any other currency for that matter.
Put another way, liquidity can't be decreased because too many people want to hold onto something. That's what liquidity *is*. You're confusing liquidity with trade volume.
That's a minor flaw compared to what the OP exposes. Any POS system makes it, relative to POW, "cheap" to rewrite the blockchain history. As the value of a POS token rises, the incentive to rewrite that history will be destined to happen.
I rewrote the document since the original was missing a lot of context and was pretty hard to understand (even by experts who already knew the argument!) I've often seen it mentioned here that the original paper has been debunked, is old, doesn't mention specific system X, etc. Usually "specific system X" was vulnerable to costless simulation, sometimes it would have a distinctly non-Bitcoin trust model, sometimes it'd just be broken, but it would never have a clear argument showing that the authors understood what costless simulation was, had found some flaw in my argument, and had exploited it to solve the problem of cheap distributed consensus.
So I hope I can at least clarify what the problem is, and my argument that it's inevitable, so that people who think I'm wrong can focus their efforts more productively.
Oh, and this also serves as a quick introduction to the "dynamic membership multiparty signature" thing mentioned in Blockstream's sidechains whitepaper. I don't expect it to be "the DMMS paper" but I needed a written-down definition so I put one in.
While I must say that the paper is well written and highlights important aspects, I think the conclusion is wrong. You say: "We showed that by depending only on resources within the system, proof of stake cannot be used to form a **distributed consensus**, since it depends on the very history it is trying to form to enforce loss of value."
This conclusion relies very much on a wrong interpretation of **distributed consensus**, which was earlier defined in the paper as:
"A distributed consensus, as the term is used in Bitcoin, is a consensus (i.e. global agreement) between many mutually-distrusting parties who lack identities and were not necessarily present at the time of system set up."
This definition is unclear and leaves too much room for different interpretations. New Bitcoin users have to trust their downloaded Bitcoin-Software to have the correct genesis block message and the correct checkpoints.
Therefore you must agree that the bootstrapping of new clients in Bitcoin anyway involves a certain trust and is not completely in accordance with your definition ("**mutually-distrusting parties**"). Therefore if you want to define **distributed consensus**, as the term is used in Bitcoin, you must exclude the bootstrapping of new clients anyway.
The definition of **distributed consensus** in Bitcoin just means that peers who have been once in agreement with the other distrusting parties will stay in agreement. Therefore depending on your interpretation of your definition either both or neither of PoW and PoS have distributed consensus.
This critique only makes sense if you rule out sharing the initial protocol. Which is silly. We can all agree on a protocol a priori then arrive at consensus purely based on PoW.
It's like arguing we can't assume we are speaking the same language before a discussion.
> New Bitcoin users have to trust their downloaded Bitcoin-Software to have the correct genesis block message and the correct checkpoints.
This is true in practice. However, if someone really wanted to, it is possible to prove that you were given the correct genesis block by comparing the amount of work performed on every chain that people tell you about and seeing which one has the most absolute work, assuming that you are able to communicate with at least one honest node that knows The Truth. As mining becomes a larger industry, it also becomes easier to show that a minimum amount of time must have elapsed since a given block, based on physical limits. If that block also happens to contain a piece of information that you personally know could have only been known after a certain point in time, you also know the maximum amount of time that could have elapsed since a block was created. Using this information, you can make a fairly decent guess about whether or not you were told about the consensus chain *even if nobody tells you about the consensus chain*. This difference between the trust of PoS and PoW is very subtle, but it has major theoretical implications.
Well, if your genesis block is wrong you're simply not using a Bitcoin blockchain. If you're sending or receiving coins it is easy to ask the other party what his or her genesis block is to confirm that you are using the same chain; for each genesis block (with sufficient hashpower, I suppose) there will be consensus on what the "true chain" beginning with that block is, so it's sufficient that transacting parties agree on this blockhash (which is static, so not dependent on any universal time ordering) for them to know that they both have the same view of the network as any other participant.
I agree that in practice users trust that the genesis block hardcoded into their client is the correct one, and that in principle if there were multiple "Bitcoin" genesis blocks floating around that there would be no way in principle to distinguish them without finding some trusted source to ask.
But what Bitcoin seeks to obtain is a distributed consensus on the history starting with block `000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f`, since this blockhash is part of Bitcoin itself and changing it means you are on some other system. It does not seek to obtain global agreement on the definition of Bitcoin.
As for checkpoints in Bitcoin, these have nothing to do with consensus, which has been argued many many times.
What you say is definitely correct given your interpretation of distributed consensus. With my comment, I just wanted to highlight that your definition and interpretation of distributed consensus is not how it should be ideally defined.
For me distributed consensus means that the system keeps clients in consensus over time if they were in consensus at an earlier time. Therefore I think PoS achieves distributed consensus. If you want to refer to the capability of Bitcoin to bootstrap new clients without Trust, then I think you should name that differently and not "distributed consensus". Maybe something like "trustless bootstrapping". And then one could highlight exactly the theoretical problems of this trustless bootstrapping using either PoW (trust in genesis and checkpoints and seed-nodes) or PoS (additional trust that very old keys were not published and used to create a fork). Surely, in this regard PoS has a drawback in comparison to Bitcoin. But also bitcoin has some problems with "trustless bootstrapping".
So it is definitely a nice paper, but I think in your definition you should separate these two aspects.
I like this idea, but it's hard to distinguish between users who are initially bootstrapping and users who are coming online after temporarily being disconnected from the network. I don't want to separate the latter from my notion of distributed consensus --- an "always online, never partitioned" requirement is IMHO too strong for a worldwide system in an adversarial setting.
I think not, because the trust model behind DPOS is very different from Bitcoin's. In particular requiring the existence of any identifiable party means that their consensus is not "distributed" in the sense of my paper.
I haven't looked very closely at DPOS (nor do I have time to, sorry), but I have heard from people I trust that Bitshares has churned through a /lot/ of underspecified and/or broken cryptosystems. Please don't take this post as an endorsement of any sort to any extent. Only that I don't believe my paper is applicable to their system.
The author states, "It can be mathematically proven that given only a synchronous network it is impossible to achieve distributed consensus in a cryptographically guaranteed way "
However, the paper he cites applies to an asynchronous network, not a synchronous one. Distributed consensus in synchronous environments is actually much easier, though it is probably the case that modern cryptocurrencies fall under the asynchronous model (please correct me if I'm wrong!)
Ie, the abstract:
The consensus problem involves an asynchronous system of processes, some of which may be unreliable. The problem is for the reliable processes to agree on a binary value. In this paper, it is shown that every protocol for this problem has the possibility of nontermination, even with only one faulty process. By way of contrast, solutions are known for the synchronous case, the "Byzantine Generals" problem.
I have other reasons to suspect his conclusions may be wrong, but I will take more time to formulate coherently before dropping here. This simple error is certainly worth correcting!
I see that a miner has the incentive to create different forks. However, the next miner will select the fork with the largest total stake. If all miners are grinding for the optimal stake combination to generate a block, but append their block to the block with the largest stake, then consensus should be established after all.
Only if the miners take every incoming fork as possible predecessor then the network can split. But as long as more than 50% of the nodes implement the protocol correctly I cannot see how the system will diverge.
I would appreciate if someone could explain to me where I am wrong.
Isn't your implication the definition of Ad Hominem?
The paper makes logical arguments. I thought they were wrong at first but people on this thread showed me I was the one who was wrong. There are indeed problems with PoS, unfortunately. It's a pity, since I thought it made more sense than PoW, not only for not using so much energy, but mainly because initially it looked like much more difficult to perform a >50% attack on it. :(
No, that would be the case if Bitcoin miners were saying Proof of Stake is fundamentally flawed. Individuals who have nothing invested in POW hardware and want Bitcoin to succeed would have no problem seeing Bitcoin switch to POS if it wasn't fundamentally flawed, but it is, so they do.
BTC sux until:
ASICS - unfair
still high inflation (7 000 000 BTC )
BTC distribution is like DOGE = general trend down after big up until /2 reward, then pump, then back to downtrend. After you get close to 21kk BTC you will change into POS with 0% inflation (PoS can be safe with 0.5% now and if as big as BTC 0.1% per year or even less)
BTC will collapse - too expensive (no one gets paid in BTC + huge amount of money for mining) and expensive for non-US/China because we have to pay FX + not anonymous - I have to BUY BTC using my bank account so the gov knows I've got BTCs and how many, then I have to withdraw them, so if I get paid for something they know how much too. Useless
For any new variation of a PoS algorithm, I just need an answer to a single question: as a new node, who has no blocks or any idea about the correct transaction history, how do I discover which block chain is the one that everyone else uses?
For Bitcoin it's simple: the chain with the largest amount of work is the correct one. This can be verified by downloading 80 bytes per block (the block header) in the chain in question.
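Gavin's two sentences above are the whole headers-first sync rule: for every candidate chain, fetch the 80-byte headers, check that each one links to its predecessor and hashes below its own target, and add up the work; the chain with the most cumulative work wins, no trusted party needed. The block below is an added example written for this page (it is not Gavin's code and not Bitcoin Core). It validates the real Bitcoin genesis header (whose hash appears earlier in the thread) and then a constructed fork mined at regtest difficulty (nBits 0x207fffff) so the demo runs in microseconds. Assumed simplifications: difficulty-retarget and timestamp rules are not checked, only linkage and per-header proof of work.

```python
import hashlib
import struct

# The real Bitcoin genesis block header (80 bytes, little-endian fields as on the wire).
GENESIS_HEADER = bytes.fromhex(
    "01000000"                                                            # version
    + "00" * 32                                                           # prev hash (none)
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"  # merkle root
    + "29ab5f49"                                                          # time 1231006505
    + "ffff001d"                                                          # nBits 0x1d00ffff
    + "1dac2b7c"                                                          # nonce 2083236893
)

REGTEST_BITS = 0x207FFFFF  # trivially easy target used for the constructed fork below


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def parse_header(raw: bytes) -> dict:
    """Unpack an 80-byte header; hashes are returned in display (big-endian hex) order."""
    if len(raw) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    version, prev, merkle, time, bits, nonce = struct.unpack("<I32s32sIII", raw)
    return {
        "version": version,
        "prev": prev[::-1].hex(),
        "merkle": merkle[::-1].hex(),
        "time": time,
        "bits": bits,
        "nonce": nonce,
        "hash": dsha256(raw)[::-1].hex(),
    }


def bits_to_target(bits: int) -> int:
    """Decode the compact nBits encoding into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target")
    if exponent >= 3:
        target = mantissa << (8 * (exponent - 3))
    else:
        target = mantissa >> (8 * (3 - exponent))
    if target == 0 or target >= 2**256:
        raise ValueError("target out of range")
    return target


def block_work(bits: int) -> int:
    """Expected hashes to find a block at this target (same formula as Core's GetBlockProof)."""
    return 2**256 // (bits_to_target(bits) + 1)


def validate_chain(headers: list) -> int:
    """Check linkage and proof of work for every header and return the chain's total work.

    Assumed simplification: difficulty-retarget and timestamp rules are not enforced.
    """
    prev_hash = "00" * 32
    total = 0
    for raw in headers:
        h = parse_header(raw)
        if h["prev"] != prev_hash:
            raise ValueError(f"header {h['hash'][:16]} does not link to {prev_hash[:16]}")
        if int(h["hash"], 16) > bits_to_target(h["bits"]):
            raise ValueError(f"header {h['hash'][:16]} does not meet its target")
        total += block_work(h["bits"])
        prev_hash = h["hash"]
    return total


def best_chain(candidates: list) -> list:
    """Pick the candidate with the most cumulative work, as a syncing node would."""
    return max(candidates, key=validate_chain)


def mine_header(prev_hash: str, bits: int, time: int) -> bytes:
    """Constructed helper for the demo: brute-force a nonce that meets the given target."""
    target = bits_to_target(bits)
    prev = bytes.fromhex(prev_hash)[::-1]
    merkle = b"\x00" * 32  # toy header, no transactions
    nonce = 0
    while True:
        raw = struct.pack("<I32s32sIII", 1, prev, merkle, time, bits, nonce)
        if int.from_bytes(dsha256(raw), "little") <= target:
            return raw
        nonce += 1


def demo_fork() -> tuple:
    """Two constructed forks of genesis at regtest difficulty: 3 blocks vs 2 blocks."""
    long_fork = [GENESIS_HEADER]
    for t in range(1, 4):
        long_fork.append(mine_header(parse_header(long_fork[-1])["hash"], REGTEST_BITS, t))
    short_fork = [GENESIS_HEADER]
    for t in range(10, 12):
        short_fork.append(mine_header(parse_header(short_fork[-1])["hash"], REGTEST_BITS, t))
    return long_fork, short_fork
```

Note what the check does not need: no signatures, no identities, no knowledge of who mined what. A header either hashes below its target or it does not, and the work it represents can be counted by anyone, which is exactly the property the thread argues a stake-based system cannot give a fresh node.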
Although I love Gavin, this is something we disagree about.
I think Blackcoin (a PoS coin) does a great job of addressing the "nothing at stake" problem.
This is how Blackcoin does that:
> In order to mitigate the possibility of the pre-computation attack, the stake modifier will be changed at every modifier interval – to better obfuscate any calculations that would be made to pinpoint the time for the next proof-of-stake.
It doesn't mention NaS (nothing at stake) by name, but it doesn't mean that its measures don't help mitigate the problem. The NaS problem is more than just being able to stake on two chains at once. It also relates to being able to create forks relatively easily.
By changing the stake modifier at every block (if I'm understanding correctly the internals of blackcoin) it makes it very difficult to calculate the exact time of the next proof of stake, making it difficult to make a long chain of dishonest or malicious blocks. After a dishonest node's first block propagates, honest nodes that are rightly next in line for the next stake are highly likely to "cut in line" and prevent a forking of the blockchain, which is what NaS is primarily concerned with.
Of course, this isn't a "cryptographic" or "100% without a doubt" way of completely preventing any problem, but almost the entirety of [Bitcoin's issues and theoretical attacks](https://en.bitcoin.it/wiki/Weaknesses) are not directly related to cryptography, but rather how blocks are generated and propagate.
>it makes it very difficult to calculate the exact time of the next proof of stake,
You can make something difficult for a computer to calculate (PoW) or difficult for a human (security through obscurity).
I don't think that's the dynamic here at all.
PoS and PoW are both cryptographic.
PoW coins are susceptible to DOS attacks. Is having sufficient internet network strength a security through obscurity issue?
Exactly. DoS isn't a "security through obscurity" issue nor is the 51% attack or issues with large blocks being propagated across a network, and neither is this. Blocks are still verified cryptographically, this just makes it harder in the short term for dishonest nodes with already large amounts of coins to be devious.
What Bitcoin does isn't at all comparable, I consider it really deceptive of these systems to call what they're doing checkpoints.... I'm sure it had innocent origins but it's very misleading.
In Bitcoin software comes preconfigured with the identity of the old best chain, this mostly avoids some sync time DOS attacks. It's fixed in the code though and either works or it doesn't. (likewise, the software could contain an exit(1) on the first line and never do anything).
What these POS systems do is have a secret key held by the developers which they can (or in most, must) intermittently use to sign blocks. These signatures are broadcast through the network and force nodes onto the signed chain.
I think it is comparable. Why is there the need for "preconfigured with the identity of the old best chain"?
Consensus is still reached by the stakers in a distributed way. Why does Bitcoin have the "6 suggested confirmations"? It's due to the risk of a fork. PoS coins are no different. There is a short time when there is a grey area for forks to arise. This is the designed behavior.
Checkpoints are intended to relieve any extra fears of attacks (which would be very difficult, if not impossible, to sustain). They should be removed once a coin is more mature. Bitcoin had issues when it was first getting off the ground, like the time there was a successful double spending attack on the blockchain that required immediate action of the bitcoin developers to resolve. I agree, checkpoints are probably bad, especially if they are centralized, but don't throw out the baby with the bathwater.
I know it sounds that way but if you understand how the checkpoint system works in blackcoin only a centralized authority can decide on forks. Currently the only way to decentralize this would be PoW but I believe rat4 is working on another way to do this.
I may not be describing it correctly, but in theory POS is vulnerable as stated by people before me. That said, POS2.0 prevents some of these vulnerabilities as with coin age - collecting old private keys.
I'm not trying to pose a complete solution, I like the transaction speed, staking, and Blackcoin products. Blackcoin will not replace bitcoin but it would be nice if it replaced litecoin. I know I'm dreaming, but there are loads of crappy coins, sometimes one may pick a coin for its community. Blackcoin is that coin for me, not to mention BitHalo/BlackHalo and NightTrader.
But that's not the ONLY thing I want. I want Trustless/Smart contracts, I want decentralized exchanges, I want a supportive community who refuses to sell despite large dumps.
..and Blackcoin provides all that.
I tend to agree that PoS has flaws, but don't agree with Gavin's past dismissal of PoW flaws as it relates to the 51% attack. I have seen some hybrid systems in the past, but those are mostly only done for an expected duration; i.e. PoW/hybrid to create the coins, then PoW turned off after some time period. Alternate proposals for deterministic PoS or time-delayed PoS go a bit further into securing the blockchain, but still have weaknesses as pointed out by others in the past.
I'd still recommend a specifically alternating PoS / PoW blockchain (whether altcoin or hard-fork to Bitcoin) that would safeguard the weaknesses of each system. PoS needs protection from the "nothing-at-stake" scenario and is a great candidate to have PoW as a backup. PoW needs protection from a 51% attack and is a great candidate to have PoS add randomization as a backup.
I think a specifically alternating selection of PoS block then PoW block is key to this idea. I've written a bit more on this before at LINK.
Having fewer PoW blocks means less security. To force a large reorg, a miner would need less hashing power because presumably there would be less incentive for PoW miners, meaning a lower difficulty sum to match.
I've proposed a split for the PoW / PoS alternating system that wouldn't change the PoW reward - no reason to disrupt the infrastructure if we don't need to - PoW, 5 minutes, PoS, 5 minutes PoW. PoS takes so little effort to do, it might not even need a reward system.
This would also mean there's no decrease in PoW blocks.
Not to be argumentative, but to make sure the point isn't missed - even a decrease in PoW blocks doesn't translate straight to a decrease in security. 2 security layers with 50% strength are often more secure than 1 layer at 100%. (Hopefully the meaning comes across there).
You are assuming that the PoS layer has equal security to PoW (for it to be two 50% layers). But in reality, you are just trusting the PoS block creator to not doublespend. Accepting the PoS confirm opens you up to Finney and other double spend attacks since the PoS block creator can trivially change the contents of a block.
PoS is no more weak to a Finney attack than PoW. In both cases, a miner has to have some assurance that his version of the blockchain will be accepted by the network. In PoW, this comes from controlling the majority of the hashing power. In PoS, this comes from controlling the majority "stake" (most often coin-age). In either case, the miner has to maintain control for long enough that his transactions are sufficiently confirmed (typically thought of as 6 blocks / an hour).
In the proposed alternating system, the miner / attacker would have to control both the hashing power and the stake for a sufficient duration. For the established bitcoin network (hash power) and cost base (market cap or $/coin), this means quite significant cost of mining hardware as well as investment in acquiring coins. Even were a person to establish this controlling position, he'd be doubly incentivized to maintain the integrity of the bitcoin network.
PS, have you read the Peercoin whitepaper?
>PoS is no more weak to a Finney attack than PoW.
This is incorrect. Someone with 0.1% of the stake designated to win the next block is basically guaranteed the next block, therefore, they are guaranteed success in a Finney attack. Someone with 0.1% of the hashrate in PoW has a 0.1% chance of winning and can only increase their E[X] by 0.1% rather than 100% with PoS.
>PS, have you read the Peercoin whitepaper?
A few months ago, but yes.
Someone with 0.1% of the stake has a 0.1% chance to win the next block - not 100%. For PoW in bitcoin, the computation for the miner is hash(nonce)<difficulty.
It's hard to find details on the Peercoin version of PoS, but my memory is that it's [leading zeros from coinstake + hash(PCClockTime in seconds)]<difficulty. The "magic" of PoS doesn't come only from the coinstake but also from its usage of clocktime.
[Some discussion I found googling right now.](http://www.peercointalk.org/index.php?topic=2634.0;wap2)
>Someone with 0.1% of the stake has a 0.1% chance to win the next block - not 100%
I didn't claim that. Once the previous block is made, you can know whether you have won the next block. With near 100% certainty (unless you get DoSed or something).
You could know WHEN you would win a block, but not necessarily that you will - you could prehash a bunch (using current time and incrementing up), but you can't submit that successful block solution until you are within an acceptable range of time. So, if you found a solution to the function hash(time,previous block)*coinage<difficulty where the time is Nov 5, 2018 16:30:24, it's not like you could submit that solution now. Even if you found a potential solution 6 hours from now, you can't submit it. And then if you find a solution that's acceptable within the next few minutes, yes, you can submit this solution and expect to be rewarded with the next block.
However, that's not a reasonable attack vector. You only have one PoS block under control. You might as well say that finding a successful PoW solution means you know you have won the next PoW block....so what? You have to have a means of controlling the next 6 successful blocks.
So here, in an alternating system you are prevented from extending that chain. Say you had enough coinstake to realize you would be successful in the next 6 PoS blocks. After your first PoS block, the network enforces a PoW block to be found before allowing a second PoS block. Reasonably, the PoS block finder / attacker doesn't also have PoW control. So the next PoW block modifies the blockchain and changes all future PoS / PoW hashes. What was previously determined to be a second successful PoS block has now been modified and has less chance of success.
>You could know WHEN you would win a block, but not necessarily that you will - you could prehash a bunch (using current time and incrementing up), but you can't submit that successful block solution until you are within an acceptable range of time.
I am not claiming that you can submit the block at any time, just that you know you will win the next block, meaning you know you can doublespend any tx that would be confirmed in that block with a 100% success rate.
>You only have one PoS block under control. You might as well say that finding a successful PoW solution means you know you have won the next PoW block....so what?
You don't know you have won the block until the second you won it and after you won it. With PoS, you know by the previous block you have won it, so you can determine whatever tx are in it 100% of the time you are designated to win the block.
>You have to have a means of controlling the next 6 successful blocks.
That is unrelated to a finney attack.
I think it should be noted that this paper covers a "pure" PoS system, but there have been some hacks to PoS systems to make them "work" (work while being insecure). These hacks include having a central authority control the coin (peercoin, blackcoin, and a ton more), making grinding more difficult but certainly not impossible along with making buying old private keys to attack difficult through having a centralized premine that makes the currency insecure to attacks from a central authority (NXT), or even making the next block signer deterministic, which solves stake grinding by substituting the problem with a problem that is probably much bigger, colluding delegates; this also doesn't solve the problem of people rewriting history (bitshares).
For those who praise the blockchain but somehow see bitcoin the financial asset as suspect, they need to consider the following:
It can be mathematically proven that given only a synchronous network it is impossible to achieve distributed consensus in a cryptographically guaranteed way. Bitcoin achieves the impossible by weakening its requirement from cryptographic guarantee to a mere economic one. That is, it introduces an opportunity cost from outside of the system (expenditure on computing time and energy) and provides rewards within the system, but only if consensus on an unbroken transaction history is maintained.
Wait, let me see if I digested the argument correctly.
The paper is basically saying that the randomness which is used to pick who will be the block signers is not really random and can be skewed. At least that's what I understood.
The thing that bothers me is that he says it as if that was a general rule, not an implementation flaw. I always believed that, if a proper RNG algorithm is used, any number could be a seed and the results would be fairly random, or at least hard to skew in one's favor. Trying to pick a seed to generate a specific sequence should be computationally as hard as trying to brute-force a hash or something. Sort of a one-way function. Am I wrong? Is it computationally easy, for every RNG algorithm, to pick a seed that will produce an arbitrary result?
EDIT: Actually, just thinking a bit more. Even if RNG algorithms can be skewed like that, wouldn't it suffice to use a good hash as seed? Since hash functions are one-way and by the mighty powers of cryptography we can trust one cannot feasibly come out with the specific hash result he needs for the RNG algo to generate the specific sequence one wants, we can rest assured the attack described by the paper is unfeasible.
I'm willing to call BS on this paper... unless some patient person more knowledgeable than me could show me where I'm wrong.
The problem is not with the RNG, it's with the fact that the POS 'miner' can run the RNG as many times as he/she wants until it outputs their desired number, because there is nothing at stake in proof of stake so no opportunity cost to run the RNG repeatedly. A hypothetical, perfect RNG cannot stop a person from non-randomly selecting one of its outputs.
You can't use random numbers in a consensus algorithm. What would you do, make sure everyone generates the same random number? That's not very random!
But it describes rather well how proof-of-stake systems work. You have some deterministic function which takes the chain history as input and outputs which coin holders are allowed to sign the next block.
The _problem_ is that history can be rewritten. If I want to take control of a proof-of-work system, what I do is go back to a block I have or can get the signing keys to (or wait until I get selected for the chain tip), and start grinding various potential next blocks until I find one that names me or my sockpuppet as the next signer. Repeat for the next block.
This attack essentially turns proof-of-stake into divergent proof-of-work, as I fight with other attackers to gain and keep control of the chain tip.
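The two threads of argument above (that with a deterministic selection rule the winner of the next block is known as soon as the previous block exists, and that a stakeholder can re-run the "RNG" for free by varying the contents of a block they control until it names them again) can be checked in a toy model. The following is an added example written for this discussion; it is not code from the paper, from Peercoin, NXT, Bitshares or any other protocol. The selection rule (SHA-256 of the tip, reduced modulo total stake), the stake table (Alice 999 coins, Mallory 1 coin, i.e. 0.1%), the block format and the payload variants are all constructed assumptions made for illustration.

```python
"""Toy stake-grinding model.  Constructed for this thread as an added
example; it is not the code of Peercoin, NXT, Bitshares or any real
protocol.  The signer-selection rule, the stake table, the block format
and the holder names are all assumptions made for illustration."""
import hashlib

# Constructed stake distribution: Mallory holds 1 of 1000 coins (0.1%).
STAKE = {"alice": 999, "mallory": 1}


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def select_signer(prev_hash: bytes, stake: dict) -> str:
    """Deterministic, stake-weighted choice of the next signer from the chain tip.

    Every node evaluates this identically, so as soon as a block is known,
    everyone (including the winner) knows who signs the block after it.
    """
    total = sum(stake.values())
    r = int.from_bytes(_h(b"select", prev_hash), "big") % total
    for holder, amount in sorted(stake.items()):
        if r < amount:
            return holder
        r -= amount
    raise RuntimeError("unreachable: r is always below total")


def block_hash(prev_hash: bytes, signer: str, payload: bytes) -> bytes:
    """Hash of a candidate block.  The payload (which transactions, in what
    order, with what timestamp) is entirely the signer's choice."""
    return _h(prev_hash, signer.encode(), payload)


def first_tip_selecting(holder: str, stake: dict, limit: int):
    """Walk a constructed honest chain until the deterministic rule names
    `holder`; returns that tip hash, or None if not found within `limit` blocks."""
    tip = _h(b"constructed-genesis")
    for _ in range(limit):
        if select_signer(tip, stake) == holder:
            return tip
        tip = _h(tip)
    return None


def grind(prev_hash: bytes, signer: str, stake: dict, max_tries: int):
    """Re-roll the payload until the resulting block hash selects `signer`
    again.  Returns (tries, payload), or None if the budget is exhausted.

    Each try costs one hash and nothing else.  In PoW the same try would
    have to meet the difficulty target before it could be published, which
    is the asymmetry the thread is arguing about.
    """
    for i in range(1, max_tries + 1):
        payload = b"txset-variant-%d" % i
        if select_signer(block_hash(prev_hash, signer, payload), stake) == signer:
            return i, payload
    return None


def grind_success_probability(p: float, tries: int) -> float:
    """1 - (1 - p) ** tries: chance that at least one of `tries` free re-rolls
    selects a holder with stake fraction p.  The attacker does not need one
    specific 256-bit output, only any of the p * total outputs that name
    them, so the expected cost is about 1/p hashes, not a brute-force search."""
    return 1.0 - (1.0 - p) ** tries


if __name__ == "__main__":
    tip = first_tip_selecting("mallory", STAKE, limit=50_000)
    # Mallory knows she signs the next block before she has built it.
    print("next signer known in advance:", select_signer(tip, STAKE))
    tries, payload = grind(tip, "mallory", STAKE, max_tries=20_000)
    print("re-selected herself after %d free re-rolls" % tries)
    print("P(success) with 5000 re-rolls at 0.1%% stake: %.4f"
          % grind_success_probability(0.001, 5000))
```

Two things to take from running it. First, `select_signer(tip)` is computable by everyone the moment `tip` exists, which is the "you know by the previous block you have won it" point. Second, `grind` needs on the order of 1/p = 1000 hashes to re-select a 0.1% holder, and `grind_success_probability(0.001, 5000)` is about 0.993: the "it's a hash, so it's brute force" intuition fails because the attacker accepts any of the outputs that name them rather than one fixed 256-bit value. The property a reviewer of a stake-based design should check is therefore whether any input to the selection rule is chosen by the party the rule is selecting; here the payload is, and that is the whole problem.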
> start grinding various potential next blocks until I find one that names me or my sockpuppet as the next signer. Repeat for the next block.
If the seed is a hash, how can this technique not be a brute-force attempt? And thus, unfeasible...
Okay, I guess I've got it now.
It's always one signer per time? If there was a way to request the signatures of multiple people, by ensuring a minimum amount of stake for the signature this attack could be made much more difficult. But that doesn't seem simple... what if people just don't sign together, for whatever reason? The network would halt...
Yeah, I'm finally starting to see the problem. Perhaps it can be solved, but it looks ugly. Thanks!
No, what I was thinking was not the number of nodes, but the number of coins. If your 100 nodes only hold 1% of all coins, they only account for 1% of the "voting".
I was thinking about demanding that at least a certain amount of coin holders sign for a block, raising the bar for a takeover significantly. But I can only imagine the scalability issue this would represent. How large would the signature need to be? And by deliberately fragmenting coins all over you'd make it even huger. Unless there's a way to make it constant size, which I doubt, this is not feasible either. Which, I guess, rules out PoS as an option. :(
> Why is a brute-force attempt automatically infeasible?
This guy explains it better than me: https://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html
> And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.
> Can you write down some numbers and see why they don't apply to grinding through a random individual selection from a small set?
Sorry I did not understand what you asked.
I thought the amount of stake was just the amount of coins. That's deterministic. But then, if the set needs to get too big for one to have a large percentage of coins "voting", then I guess the signature might become way too big too, and create huge resource usage making it impractical... or not?
The total amount of stake may be a function of blockheight, or it may be a function of user action. In either case the distribution will be determined by the set of accepted transactions, which requires a distributed consensus to well-define.
I don't understand your point. If the seed for your random numbers is a hash of part of previous blocks, how can it be skewed to generate the random numbers you want? Assuming you have full control of previous blocks as does the paper.
You aren't just trying to control the output of the RNG. You're influencing what is being chosen with the RNG output AND tampering with the RNG. So you can create endless blocks until enough of them points to your nodes as the new miners.
PoS implemented optimally and rationally by the miners essentially transforms into a shitty scrypt PoW (memory heavy proof-of-work).