Bitcoin Forum

DO you guys ever think that bitcoin will do proof of stake? Just wanted to get some peoples insights on this.

No, because PoS doesn't work as a decentralised consensus. Every single PoS coin is a private club, with trusted owners, much like Visa the company is. When you invest in a PoS coin you are being tricked into thinking you're investing in the future, when actually you're investing something that can never work as designed.

Read this for more details:

https://bitcointalk.org/index.php?topic=1382241.0

Cheers, Paul.

No.

Unless there was an update through Bitcoins final development there wouldn’t be any PoS implemented into Bitcoin because there’s already altcoins that feature that concept. There wouldn’t be any point for Bitcoin to get a PoS coded into it because Bitcoin is already capped at 21 million coins.

Plus, if there was a PoS code placed into Bitcoin then the transactions within Bitcoin’s Blockchain would be cluttered because there isn’t that many miners that can keep up with the competitive mining difficulty that Bitcoin has.

If you are spending 0.0001 Bitcoin for transactions you would have to spend much more to get your transactions confirmed.

I do not think so. Do not look for problems where they do not exist.

Proof of Stake is definitely superior, that's the reason why ETH will convert to PoS in the future, they are actively working on the conversion currently, with experimental versions already in beta test.

But Bitcoin probably won't, Bitcoin is more decentralized, and the forces against PoS in Bitcoin is too strong, the miners will 100% oppose it. It nearly turned into a figurative thermo-nuclear war for getting a 1 line code change to change block limit from 1MB to larger blocks. It's hopeless to change to Proof of Stake for Bitcoin, you might as well fork Bitcoin like Bitcoin Cash did.

I believe bitcoin going for PoS is more of technical issue than populist issue.

Thus I believe bitcoin will ultimately go for PoS.

I don't see why Bitcoin would become POS. If that happens, it can cause some problems.

This topic has already been discussed a couple of times. But this answer deserves a comment:


The attack described in monsterer's thread is the well known "Long Range Attack". It has often been cited as "the final blow to PoS" or "the hard problem" or something similar by Proof of Stake critics.

However, if you look at the attack, it is so complicated and so expensive that it will probably be easier to attack a Proof of Work currency in 51% fashion. At this moment, you need about $400-800 million dollars to attack the $44 billion Bitcoin chain (and in PoW too, you can get some or even all of them back by short selling in the right moment).

To attack a PoS currency via the Long Range attack you would have to possess about 15% of the coin supply at some moment in the blockchain history (according to statistics from NXT, normally about 30% of the coin owners are "staking" or "forging", so 15% is enough for a "51% PoS attack") AND then trick the rest of the network into a long chain reorganization.

Imagine now a 44 billion $ PoSCoin. You have basically two options:

1) You buy old keys that at the same time in the blockchain history had 15% of all coins. Maybe some old exchange keys (BTC-E? ;) ) will do the trick. (That is the "bribing attacker" Vitalik Buterin has described in his PoS analysis.)
2) You buy 15% of the supply and send them to your wallet, send them back to the exchange, privately mine a double-spend attack chain, and sell the coins again, and then you publish the chain for an attack.

Option 2 will cost you at least 5 billion $ (probably much more, above all if you try to buy them fast), although you will recover some by selling again. Maybe you will get most of them back, but it isn't at all sure that you, in the end, will "get away" cheaper than with the 400-800 million PoW 51% attack.

Option 1 looks cheaper, but first I don't think you will get the keys for free, and second, "buying a key" involves the risk that the old owner uses it in the same way. You would have to trust the old owners - and every single of them can tell the others your plan that you are attacking the coin.

And then you must trick the chain into a "reorg" - most PoS coins simply prohibit long reorganizations. So Option 1 is almost impossible, and option 2 will be very expensive - probably more than an 51% attack.

I know that PoS is, in theory, a little bit weaker because no external resources are used, but in a practical sense I think PoW and PoS are equally secure.

3) You convince a majority of coin stake* to send a transaction to themselves at the same time and you bring the entire network to a semi-permanent halt as no new blocks will be produced since PoS coins are forced to put safeguards around the amount of time taken after a transfer of funds before staking can begin due to other long range attacks.

There are so many variations of the long-range attack that we almost certainly haven't discovered them all.

Cheers, Paul.


*) this could be as little as three people, depending on the distribution of coins at the time

Well, this attack scenario seems very unlikely to succeed. Why should the current holders of the coin 51% it? Knowing the danger, big holders should not do that without a very good reason and that would need extremely good (and expensive) social engineering. I can imagine it only in a very small PoS currency where few people (more exactly: people with a small part of the supply) are "staking" (or "forging").

All the long range attack variants have something in common: Their success probability is negatively correlated with the size of the coin: the attacks are easier when the coin is small, distribution is uneven and "staking"/"forging" is done by few participants. That is an inherent weakness of PoS: it is a bad (=insecure) choice for typical "sh*tcoins" (small cryptocurrencies with large premines - that's why they need checkpoints and these things), but the bigger they get, the more secure it becomes. That's why I think Bitcoin could change to PoS without problems - it's not that it's distribution is totally even, but it's even enough to make such attacks more costly and difficult than to 51% it.

I had a large discussion in a very similar thread (https://bitcointalk.org/index.php?topic=1843355) with dinofelis (the funny thing is that I was the "PoS skeptic" in that discussion) but I came to the conclusion that PoS is, from a practical point of view, equivalent to PoW and the arguments against it brought in by Andrew Poelstra and others are merely of theoretical nature.

I also think Bitcoin will not take the route to proof of stake. It works well in Proof of Work when it comes to being decentralized.   ;D

Hmm I do not think this will happen.. There may never be such agreement

I hardly believe BitCoin will move to Proof of stake. Ethereum will be using the proof of stake in future but it will be difficult for bitcoin to use proof of stake to reach consensus.

"If not bit then what is the fun in it" -Ame.

Knowing the danger? The danger of sending your own funds to yourself? How is that a danger in any legitimate currency?

The 'nothing at stake' attacks might sound theoretical, but more are being discovered all the time - it's only a matter of time before one is discovered that hasn't been patched over in one of the major PoS coins.

It could bring a problems. So why we need this?

Proof of Work algorithm gives you the option to always get some coins.
In PoS system, early adopters hold the power forever, this is not a good long term strategy, since no body is perfect and nobody can be trusted.
In PoW everybody is equal in casting a vote regarding to time they joined the network, but still bounded only by the amount of electricity they have and since electricity can be traded, it means richest are the most powerful.
In PoS you can get bigger power to vote in two ways, you are an early adopter or you have a lot of coins currently. And since those coins can presumably be traded as well, that means the richest have most of the power in PoS as well.
So PoS has one more vector for reorganization, but the benefit of lower costs of the network.

I believe Bitcoin should stay PoW and I can't see a reason for it to make a switch. I don't believe security of it should be put on the risk for the benefit of saving some money. A natural system of who can bring more to the table is the best option we currently have to keep the blockchain safe.

PoS is problematic on many levels and is extremely hard to deploy. Research on the topic is also scarce.

Miners have been shown to be problematic towards the long term health of bitcoin.

A more interesting point is how the bitcoin community lost the thought/research leadership in this area which is a real harm and probably more dangerous in the long term than most people think.

The real opposing force would be miners, true. They have invested over a few million bucks to rake in huge amount of profits every day just to let it go that easily. Besides, switching over to PoS means that consensus wise, people who have the fatter wallets would have the most voice over a certain issue/development that the coin might face in the future.

Will lightning network sort of be like bringing proof of stake to bitcoin on the second layer?

If this attack is known, then large holders will also know that they should avoid sending all their stake to themselves, and divide their stake in various outputs/accounts (depending on the currency type). And again: This kind of attack has only chances to succeed if the currency is very unevenly distributed.


Please provide me some sources for new Nothing at stake attack variants. I am really interested. If there is one of them that also would work (without costing more than a 51% attack) in a well-distributed currency, then I may reconsider my stance on PoS.

Why would you expect joe public, who is the ultimate holder of said coin, who only has a basic understanding of cryptocurrency, to understand that they shouldn't send money to themselves? Seems like a pretty fundamental failing to me.

This attack is a new variant on nothing at stake.

Here's another one for you: death. Major stake holder dies unexpectedly; there go 50% of your blocks. Eventually, the coin will die out as it's major stake holders die in the physical world.

So you think it's easy to tell thousands or millions of "average Joes" to send coins to themselves?
The only event I can imagine where massive sending of currency at the same time could occur is a generalized panic on exchanges (sending to other addresses should have the same effect, as the coins would have to "mature" there).

But for 51% to send coins the panic would have to be really massive, and these 51% holders would have to be online in a relatively short timeframe for the "blockchain stop" to occur.

I think it's an extremely difficult attack, even if you consider a short seller that wants to profit from it. And it doesn't fit really in the "Nothing at stake" category. A PoW/PoS hybrid coin, for example, would not be affected.

Another one that is only feasible if there are few holders and distribution is very uneven.

As I said previously, you may only need to convince 3 people for this attack to work; it all depends on the distribution of staking coins.

In any case, that's beside the point. Why should joe public know not to send themselves money?

When it comes to uneven distributions, you shouldn't forget that majority of worlds money is in hands of top 1% (https://en.wikipedia.org/wiki/Distribution_of_wealth#Data_about_global_distribution_of_wealth).
It shouldn't be unreasonable to assume that distribution would be quite uneven. Plus we are talking about control of the coins here, not just ownership, which is even more centralized since you have banks and investment funds, where few control a lot of money.

Exactly, it depends on distribution - that's what I'm highlighting in every single post of this discussion. PoS coins that are badly distributed are weak and can be easily attacked, that's beyond question. And if a coin is so badly distributed that the "departure" of only three (or four, or five ...) stakers would already be critical, then one could assume that:

1) the coin is a very small cryptocurrency (basically, a failed one or a very young one, or one with a large premine);
2) these three stakers should know what they're doing, so they won't be "average Joes" but most probably crypto enthusiasts (like the coin developer and crypto investors, or crypto exchange owners). They should know about the danger.

In any other case (=in mature and active PoS cryptocurrencies), you must convince a larger group to act in a way that has not even a benefit for them. That needs advanced social engineering - or as I outlined, an expensive short-sell attack.

This world is quite old and still the distribution of wealth isn't even at all. This isn't due to any particular event either, the wealthiest man at the moment got rich relatively quite recently, so we shouldn't assume that coins will be more evenly distributed over time, maybe the near future, but in the very long run I wouldn't bet on it. Bitcoin should be designed to be here and stay for as long as it can.

Those are some awfully big assumptions. Why chose a currency with all this extra, non-obvious risk-baggage associated with it?

Only small or very badly designed Proof of Stake currencies would have these weaknesses.

Small PoW coins have a similar problem - they are also weak and can be attacked easily via 51%ing them because mining power typically is weak and very unevenly distributed. Even in stronger currencies this problem persists - there is often a pool or miner group that in theory could 51% the currency. I've followed the Segwit adoption in Vertcoin and Litecoin and there were often situations when a single address (pool or miner) mined more than 50% of the blocks of a day.

Well if the real world hasn't exploded from the bad distribution, what's wrong with having it in a Proof of Stake crypto? You think the current situation of 5-6 people controlling 90% of Bitcoin PoW hash rate is the ideal crypto utopia?

I don't think so.Aiming at a series of problems, the future should have a solution. ;)

I don't follow your comparison to PoW; in a small PoW currency, the PoW will have been designed such that it is in incompatible with bitcoin's ASICs and hard to accelerate on graphics cards. Therefore, the initial distribution of miners will be the best it can possibly be.

Furthermore, PoW doesn't suffer from any of the problems listed here in this thread. Miners can come and go as they please, even a miner with 50% hashing power disappearing forever doesn't leave the currency dead in the water - it will eventually recover, the only consequence is an increase in confirmations required to accept a transaction.

PoS isn't permissionless like PoW is; you have to buy stake with which to produce blocks and once that stake is gone, it is gone forever. PoW converts electricity into blocks which anyone with a computer can do.

Well the real world doesn't really have PoS, it is actually more like PoW. My point was that distribution probably will always tend to be uneven. Uneven distribution in PoS system adds a new vector of fewer parties controlling the system. That new vector is time of adoption of that stake, it this case adoption of cryptocurrency. If distributions always tend to be uneven then PoW and PoS will have that problem over time for whatever the reason that is occurring (might be natural selection at play or something else), the problem of centralization. However PoS will have it occurring for one more reason than PoW and that is the early adoption, like I said in my first post quoted below.


I don't think Bitcoin is ideal crypto utopia, there are plenty of good advancements made in many altcoins, Bitcoin just takes a slow,stable and secure approach in it's development compared to other cryptos. Centralization of mining power is a very real problem in Bitcoin and that might be inevitable, however we should fight for the chance that it isn't. One of the biggest issues there is mining pools and some cryptos saw that and did their best to stop it happening it their own coin, using smaller block time target of couple of seconds and making it more accessible for more people to start mining, like trying to stop ASIC mining with new hashing algorithms. A PoS coin has no way to battle the initial distribution, it is a more likely a lost cause.

Considering all the altcoin that are PoS and are based on BTC. I think its already done.
Its just a question of Bitcoin value over other PoS/PoW coin that arnt well known yet.
i think that in mass adoption PoS coin will have a lot more success so probably BTC will nto stay the #1 for eveer that my opinion.

The weaknesses of small PoS and PoW coins are not the same ones. But botnets and cloud mining are two forms an attacker can use to get easily a majority for a short time in a small PoW currency. This kind of attack isn't free, but should be easier to perform than a history/long range attack on PoS currencies. However, I think you are right that a _very_ small PoS currency is probably weaker than a _very_ small PoW currency, if the PoW currency is using an ASIC/GPU-unfriendly algorithm.

As far as I know only some PoS algorithms have the problem to come to a halt after a large "stake rate" drop. Even then, a hard fork or a snapshot-based restart can save the currency. That would need a collective effort of the "validators", but it is comparable with the collective action Bitcoin miners took in March of 2013 to kill the fork that had been produced by BTC 0.8.

By the way: with Bitcoin Cash we saw that a extremely large hashrate drop in a PoW currency also can result in a "semi-permanent halt" - one block per 6 hours for a whole difficulty period, like at the beginning of the BCC existence would have made the currency almost unusable for a long time and it would probably have died. I know that is an extreme situation, but in my opinion we here are debating about gradual differences and not about a fatal flaw.

I get that point. It's a theoretical disadvantage of PoS currencies, but in my opinion not a fatal flaw because currencies without a working market practically are not currencies, and so the option to "buy in" is as easy (in most currencies much easier!) than to mine a PoW currency.

When choosing between both systems, it has to be analyzed if this disadvantage is more important than the generally much higher cost of a PoW cryptocurrency node network because of the higher energy consumption.

Both algorithms are good for their own thing, in my opinion. PoS can make a lot of sense, it is a trade between security and cost, which is a very fair trade sometimes. That isn't to say that PoS is never secure, just that it is less then PoW, at least in the use as a decentralized currency. If the currency should be more centralized for some reason, then it is a win-win. But for a global currency like Bitcoin, I would say that PoW is a way to go.

In the context of one of these attacks it is very different. How will you buy PoS coins from an exchange when the network isn't producing blocks? In this case, there is no way for the network to recover barring a hard fork, which is very damaging for a currency which is supposed to be decentralised.

You comparison to BCC is actually a very revealing example of how a PoW coin deals with a sudden and catastrophic drop in hash rate. Less blocks, slow recovery. If a PoS coin suddenly lost 95% of the staking power, a hard fork would have been the only way to recover.

Initially I was hoping for a proof of stake Bitcoin as well. But then I realized that the best path for Bitcoin would be to move towards useful proof of stake, where the computations help the world somehow (like Gridcoin). Of course, they already help the world by confirming transactions, but more could be achieved.

I would say that Primecoin might be a better example of a useful secure PoW coin. You get big primes as a result, which is always useful in cryptography. Since prime numbers are used in public/private key cryptography, it would be kind of like it is feeding it self :D Who knows, maybe one day we figure out how to make a nice switch in Bitcoin's PoW algorithm, that might take some time tho.

and how it could be dangerous?

Early adopters control the system forever. All the problems of centralization apply. One point of failure and all that.

Gridcoin is as useful. Check it out.

There's also Curecoin which supposedly does useful computations.

For the situation right now, i don't really think so i think that would really not fair specially for the new miners specially those not holder
Of bitcoins yet. It will be more favorable for the old time miners perhaps.

You are right that that is definitively a disadvantage of PoS. But as I said, I don't consider it fatal, because the attacks you have described are very unlikely to succeed - and in any case, a hard fork can correct it, so it's not necessarily the death of the currency. In the case of a well distributed and accepted PoS currency, such an hard fork would very probably succeed because of collective action taken by the stakers to protect their stake.

The (very low) risk of a temporary blockchain halt is one I would be willing to take as a compensation for the big disadvantage of PoW (very high costs because of the miners' energy consumption).

The high cost of mining would be better spent on something more useful than solving a hash puzzle, but one thing that high cost does give us is a very clear attack cost for producing blocks, and therefore a bound on transaction acceptability.

semi off topic, but this is exactly the reason I'm excited for stuff like filecoin/siacoin. It'd be fun to see if improving storage technology was actually more profitable because of increase in potential rewards.
I like the idea of POS because it acts as an incentive to hold coins and earn a passive bit of income (kind of like saving with a bank)

D'accord here, that's also why I'm still supporting Bitcoin's current model and I would not support a change to PoS (or a similar system) in the current state. We still need research and experience with current PoS coins and simulations about attack costs (e.g. with Nem or Nxt - PPC does not count because of the centralized checkpointing) until a multi-billion dollar currency like Bitcoin could be changed to that system. But that does not mean, for me, that we should discard PoS.

So far so Good so I don't think it is not required to go for Proof of Stake Bitcoin. Still long run to observe about it and in future how it is going to be we cant expect. so Expect the un Expected.

I still do not understand why you say It will be more favorable for the old time miners perhaps.
Please give a little explanation sir

Well distributed currency does not exist and probably can't exist. Over time, rich are getting richer. Someone who is good at making money will continue to make money and might even use already acquired money to earn even more.

I wouldn't called super mining warehouses  in china decentralize  ;D

Indeed that's why I bought some sia down the road. Mostly for the long term as well. PoS is also more accessible to the big public. You don't need to purchase expensive mining equipment nor pay high electricity bills. It's comparable to interest on a savings account indeed.

"Well distributed" does not necessarily mean "equally distributed". Whales are not automatically bad for a PoS currency. A PoS currency with, let's say, less than 50 whales that control 51% of the currency will be relatively weak because from these whales some could conspire and attack the currency.

But also a totally equally PoS currency where all participants have low amounts would be relatively weak because these participants could be vulnerable to the "bribing attack". The more people that really have a stake (=they would lose significant wealth if the currency dies or loses much value), the better for PoS currencies.

There is no telling on how centralized currency can or has to get over time. We can try and speculate that at no point there will be less then 50 people who control half of the coins, but I am pretty sure that richest top 50 have more then trillion dollars.

You can add more tricks to it with the banks and hedge funds where few control money that isn't theirs and you can have quite the pickle.

PoW is the safest way to have the confirmations, there will be same problems with the rich and powerful, but you don't have a closed club of the people with all the power, at least in PoW if you get the money or people pool the money together later, you can have the current powerful people broth down. In PoS it is a done deal, those few are safe for ever and if they fall the currency has to fall with them. People wouldn't won't to end Bitcoins's life, because few of the powerful are messing with them now and then. Revolutions would be more costly.

There is no difference between PoW and PoS with respect to the power of "the super-wealthy". Wealthy people that want power over the currency, in PoW can just buy hashrate and they will get it back and even probably profit from it. So they can increase their holdings slowly, just like in PoS. And if they want to attack the currency, they can do it, too - they need about 2-5% of the currency supply for 51% it for a long time, just as much as for many dangerous attacks in PoS.

The only difference with respect of the power balance - clearly an advantage - is that in PoW currencies you have a technically determined possibility for new people to enter (a person from outside the system can buy hashrate with fiat and get coins), while in PoS currencies the ease to enter the system depends exclusively on the market situation and so on social conditions. That's why I prefer combined systems (e.g. PoW/PoS like in Peercoin or Decred) to pure PoS currencies because it leads probably to a fairer distribution - with the cost of an more inflationary currency, but that should also incentive usage and dis-incentive too much "hodling".

Actually, there is a difference: hash rate is more scarce than money. You can't buy 51% of hashing power.

Sure you can, you can buy almost anything with money.

But PoS is still less secure, because for PoW you need 51% right now and for PoS you need 51% at any point in time. There is simply a bigger attack surface. There is noting that PoS will save you from compared to PoW except the electricity, you can always lunch more attacks on PoS then PoW.

PoW is real, it is about a race, race in power, hashpower, but PoS is about who was a bigger part of it, ever. People always talk about how they owned something before it was popular, before everyone else came, here is where that is a problem. If you ever find people who once had a large portion of the currency, but since lost their power, you could probably get them together to take it back. If you have early adopters that don't like how the currency is going, then they have a good excuse to take the power back.

Ease of getting in the system is a good thing. It allows for progress, it insures decentralization and therefor security. PoS has fewer points of failure and more ways it can go wrong.

If there is scarcity of mining hardware, that should be a temporary situation because of the current bull market. I don't know exactly how much it would cost to an attacker to fabricate mining hardware on his own (without having to wait for his [e.g.] Bitmain miners), but 2 billion $ (less than 3% of the Bitcoin supply according to "market capitalization") should be enough.


Yes, pure PoS currencies need restrictions on chain reorganizations because of that "long range attack" problem, even if practical long range attacks are difficult to perform (the "bribing attack" is well known, but in a mature currency should be impossible to perform, and the "buying old keys" attack would need an extremely long chain reorganization). There are however relatively elegant solutions for this, like Vitalik Buterin's "exponential subjective scoring" (https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/). But even a simple rule ("don't reorg for more than 720 blocks") like in Nxt does the trick.


That relates to what I already said before: a currency without a (liquid) market is pointless. Thus, if a currency want to be successful, it must be easy to get "into" and "out of" it (buying and selling currency, or even more important buying and selling goods and services for that currency) - otherwise it will be a failure as a currency and only a speculative asset. That applies to PoS currencies, too. A "purely speculative" PoS currency (like almost all of current "altcoins") does indeed have the weaknesses you say, here I agree. But a coin that has real usage as a currency, does not.

Interesting idea about limiting chain reorganizations. I wonder how that would work. New nodes can't really know how many blocks are there and how much the reorganization is happening, then again I am not sure how you would make sure that blocks are created periodically. It is a weird idea that PoS thing, there is noting real that it binds to. It seems to me that if you want to be secure in PoS your node needs to be online all the time, you can't miss something, otherwise you are in trouble. Bitcoin isn't really so virtual and imaginary as some people say, it has some actual work placed behind it and scarcity of it enables it's value. In PoS you can create the whole 100 year history in just one second and two disagreeing blockchains would seem equally valid for a new node. PoS seems to me like a very risky idea, it should definitely be more tested before it would be implemented in the biggest cryptocurrency.

I didn't really refer to the ease of starting to use cryptocurrency, everything should be as easy to start to use as it can be. I was talking about the ease of getting power in the network. There shouldn't be any restrictions on your power in the network based on your time of adoption. Some people are simply young, some businesses are young, yet they are the ones that often bring true progress, a new idea that improves the old. Only to the new set of eyes you can objectively see the benefits and costs of both new and old system, because for a new person in the field, they are only evaluated by their characteristics and not by their age.

That is not a big problem - just look at the Nxt code how it's done. Chain reorganizations occur when there are two parallel chains, you are on "chain A" and suddenly your client detects a "chain B" with a higher "score" (in many PoS currencies that value is called "chain trust"). If the client comes into this situation, he simply must look if the last block that have both chains in common is more than e.g. 720 blocks "away" in the past. If yes, then it won't reorganize. The client will stay on the fork.

Now that could be undesirable, because a fork that normally would get "orphaned" could persist a long time because clients won't reorg. That is also why some dub the "reorg prohibition" a "dirty hack". But the answer to that is that such long forks normally only occur when someone is trying to attack. That's why "Economic Clustering" is used: This feature allows you to look fast if you are on the same chain than other nodes, for example, the exchange you use, or your friends. If nobody uses your fork, you cannot use your money on it. You would then abandon the fork on your own and start syncing the blockchain again.


You are not necessarily in trouble, but you are vulnerable in this situation if you don't look on which other chain the other known nodes (exchanges, service providers) are. That is the main weakness of PoS. The well known blog post from Vitalik Buterin I already linked above explains it well.



You would need a pretty big supercomputer to create a "100 year history in one second", but I get your point.

The "equally valid" does only hold true if both blockchains have exactly the same "score" which is very unlikely. Like in PoW, the "longest chain" wins - but in PoS, an attacker can re-create a "longest chain" with the well-known nothing-at-stake attacks, however, as already said, that's not trivial because he must obey the blockchain rules (he cannot create "stake" out of thin air, as long as he doesn't re-create the genesis block).


Here I agree, as I already said. There is more research needed before implementing it in Bitcoin. I would also first implement a hybrid PoW/PoS version.


With the "reorg-prohibition" earlier described, "young" nodes have the same power than "old" nodes with the same stake.

i dont believe that btc will move to Proof of stake. Hard to believe.

That is too deep of a coding change and I don't even think that can be pulled off as a fork. If you were really interested in creating this type of system then what you could do is create your own website, back it with a huge chunk of change add offer the service of a savings account for Bitcoin.

Isn't lightening a form of proof of stake?

Coding is not the problem, it's difficult and time consuming, sure, but it can be done.

The issue is of course the incumbent culture and the group of developers of Bitcoin will not easily agree to even a hint of PoS. Hell it took over a year and multiple forks, and still not agree to a simple block size increase. Proof of Stake in Bitcoin? not until the heat death of the universe.

Isn't PoS completely insecure due to the nothing at stake problem?

Or is there any solution to this problem?

No. Not even close ;) Lightning is an off-chain transaction method. The only thing both have in common is that LN, on its own, doesn't require much additional electricity use. But LN needs a blockchain to work, and in the case of Bitcoin, a proof-of-work blockchain.


That's what was discussed here in the earlier postings. There are disagreeing views: Myself I think there are "solutions", or that the vulnerability is merely theoretical (in my opinion, above all, the "bribing attacker (https://blog.ethereum.org/2016/12/07/history-casper-chapter-2/)" scenario and also "multi-chain forging" is based on unrealistic conditions). There are others that think that the "bribing attacker" are fatal to PoS systems, or that special conditions (e.g. an "oligarchy" of cooperating whales) are needed for PoS systems to work.

Bitcoin core could fork once again into a proof of stake coin. I suppose it would allow for another massive airdrop to bitcoin core holders. Ultimately the market will decide which version (or versions) succeeds.

But you would have to develop a strong set of terms and conditions that says if somebody hasn't logged in or at least touch their account and X number of days that the account is up for grabs. A lot of legal stuff, a lot of possibility to lose money, but somebody's got to dive in there and do it.

People put their big coins in, and you pay monthly interest, which is basically the same as staking. There's a good possibility you could even make some money off of it, but you would have to act the way that Banks do and Leverage that overall lump of coins that are in your possession to create a greater return to the interest you're paying out.

i don't think btc will move to Proof of stake  8)

I think "proof of stake" should be with the work! The system of nodes in the Dash coin is unique and quite decentralized! I think this is the best implementation of this work.

Gosh all this nonsense about PoW vs PoS.
They only way crypto can really work is by using x-byzantine-fault-tolerance, resolving the problems of both PoW and PoS.

I found an article on Byzantine fault tolerance on Wikipedia https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#In_practice
Is this what you are referring to?
I haven't read it, but I see that they say that one example of it is Bitcoin.

Here is some beginner material:
https://themerkle.com/what-is-delegated-byzantine-fault-tolerance/
https://cryptoinsider.com/byzantine-fault-tolerance-blockchain-systems/

I do not think that this can ever happen . I also think that it would be really bad for BTC if by any chance this happen someday in the future ( i HIGHLY HIGHLY DOUBT )

Proof of Stake is a proposed alternative to Proof of Work. Like proof of work, proof of stake attempts to provide consensus and doublespend prevention (see "main" bitcointalk thread, and a Bounty Thread). Because creating forks is costless when you aren't burning an external resource Proof of Stake alone is considered to an unworkable consensus mechanism.

I don't think this will not be a good news for the incoming miners, and i also believe people will not be allowing this to happen. I don't think Bitcoin will follow the move of ETH doing the same thing. since many coins are in ETH platform so i think that's the reason why eth decided to go for PoS.

That is a completely different coin. It is too big of a change to implement and there are too many other options that produce the same end results. There are a number of sites that act as a small saving bank for bitcoin and there are other ways to get to the end using a method that does not involve flipping the coins completely.

And with the wrong turn of luck you could end up with your very own 1930s depression with too many people try to take their coins out of your Institution and you have them invested elsewhere. You could actually guard against this a little bit by having a pretty high minimum withdrawal. And believe it or not you would actually make some money off of deposit that people make and completely forget about or walk away from.

This $800 million sounds about right, but can you source or show how you calculated this number?

This makes PoW seem way less secure than PoS.

PoW is also a huge pointless electricity drain on the world, already using more electricity than Iceland, the country.

If prices go 1000x higher as we like, it'll be 1000 Icelands, or entire continents of power just for PoW.

PoW therefor seems to have no future.

There is no fixed amount that will allow you to attack Bitcoin as it depends on how long you run the attack. It is a different story on how much you would have to spend on the initial costs for buying the mining rigs.

If you already have the mining hardware then it can simply cost you as much as it costs the entire network to mine, which should be about the same as the amount they get from it, which is 12.5 bitcoins per 10 minutes on average, which is about $47000 currently per 10 min.
As for the initial costs, they are about 700 million to match the hashrate of the network, which is about 8 million TH/s, with the Bitmain's Antminer S9-14TH/s that costs 1310 USD.

I calculated it based on cloud mining prices, because there should be everything included (electricity, hardware costs etc.). This was in early August, so I guess now the number should be higher - we have a higher Bitcoin price and more hashrate/higher difficulty.

A quick calculation:

- Hashflare, today, prices 10 Ghash/sec (for an 1 year contract) at $1,50.
- Hashrate is at 7,5-9,5 million Thash/sec.

To instantly 51% the network you must have the same hashrate than the current miners. So you would buy $1,50 * 100 * 8500000 = 1275000000 (1,275 billion USD) per year + 2,9 million USD maintainance cost per day.

This is obviously only a rough calculation, because if the attacker buys (or manufactures) mining hardware the attack cost should be cheaper as with cloud mining, but on the other hand it's unrealistic to buy such large amounts of hashrate at once (nobody will be able to sell it to you, neither in the form of hardware nor in the form of cloud mining contracts).

With pure PoS, due to the Nothing at Stake problem, you can attack the network also probably with less than 5% of the current supply, although I estimate that even then, the PoS attack costs should be higher.

I think it's not possible  switch to POS. Consensus in the community on this issue is not reachable. Fork only.

It's amazing that you can do that for only 400-800M, what if some rich dudes decide to do that just for fun?

What do you think is the solution for PoS to prevent that?

I do not think there will ever be a move to PoS even though there are a lot of benefits on moving to that platform. The infrastructure alone would cost a lot. All the years of hard work of developing bitcoin to what it is now would go down the drain if they ever move to PoS from PoW.

There is a saying, "If it is not broken, do not try to fix it.". And that saying fits perfectly into this train of thought.

As I already wrote, at this moment a Bitcoin 51% attack probably costs 1,2-1,5 billion USD (or about 375.000 Bitcoins assuming an exchange rate of 4000/BTC, which are ~2% of the current Bitcoin supply).

In PoS, according to the theory, you can attack the network only with 51% of the supply - BUT that is assuming that all coins are used for "staking". That never occurs. In NXT, some months ago they calculated the staking amount at about 25 to 30% of the total supply.

So with 30% "staking" coins, you could attack the chain with almost 100% success rate if you buy 25 to 30% of all coins (and not 51%), but probably 15-20% would do the trick.

But now comes the Nothing at stake (N@S) problem. This problem enables a series of attacks with less than 51% of the staking coins. The best-known attacks are the so-called "bribing attack" and the "old keys attack" (or "history attack"), you can google them easily. Both involve some social engineering, but could probably achieve an attack with 5-10% of the supply. There are also short-term N@S attacks, that's why in PoS currencies more confirmations are needed to achieve a similar security level.

Wow ouch. That's like saying the stock market doesn't work because only the original owners and a few wealthy shareholders get to make all the rules. Shareholders do still put pressure on companies, even small shareholders. I guess if you thought the design of PoS was total democracy you are right...PoS won't create democracy. But heck, neither does the US voting system.

All systems would be perfect if all people had good intentions and were not always trying to find ways to crack them, a perfect system is not "perfect" is just a system that can prevent all possible attacks or work arrounds from the society

@monsterer2 what would be your solution?

I think I Finally understand why Proof of Stake may be a bad idea. No wonder some elites promote Ethereum so much these days. Correct me if am wrong, PoS could sort of encourage centralization of Cryptocurrency.

Better Bitcoin stick with Proof of Work no matter the cost.

Hi! Yes, there are possibilities considering the fact that managing Bitcoin is decentralized. Although may I say that it will not happen anytime sooner, I totally stand on the belief that Bitcoin doing PoS in the future is a strong possibility. This way, Bitcoin can attract more investors because the PoS will help the latter preserve their wealth. There may be technical complications at the outset but it will definitely come to pass given the wide parameters of handling the investors' accounts. 

Or create another kind of proof that doesn't exist yet...

No block reward
Also, all the digital currencies are previously created in the beginning, and their number never changes.
This means that in the PoS system there is no block reward, so, the miners take the transaction fees.
This is why, in fact, in this PoS system miners are called forgers, instead.

Either way, Sha256 PoW or any PoW is not a good solution - it does not provide good decentralization. Essentially, all the power of Bitcoin is in hands of few companies (so few you can count them on your fingers) that have hashing chip designs and fabs. A far cry from the idea of democratized mining of average Joes on PCs. The GPU scene is not too great also - huge farms, huge pools. It's better than specialized chips, but still not very decentralized.

Yup, that's what I think :)
But what is more decentralized in Bitcoin? PoW has miners that we depend on so if they pull out the switch where off.
PoS have the master nodes, but both have the same power of stopping their activity if things don't please them.
POS is more eco-efficient and lets more people take part in the equation. = PoS actually turn your wallet in the most advanced mimic of a saving account at the bank but with way better returns.

But its impossible that Pow algo could converted into Pos bitcoin will never do that and most of the people they don't wanted to let bitcoin convert to pos this is just like other altcoin that you are just let your coin staking and the more you save altcoin in your wallet that more you can stake and gaining interest.. This is what i experience in some altcoin but mostly people are choosing PoW algo due to the price can be increase fast and it is more profitable than PoS.. This is just what i experience so i think PoW is the best for bitcoin since most of the trending coin and in good rankings are Pow Algo's..

It doesn't make sense to say that it is not a good solution when it is literally the only one, the only reason why Bitcoin exists, without PoW there is no blockchain, there is no purpose of it. The whole invention of Bitcoin is the use of the hashcash PoW for it's blockchain, there is no other benefit of the blockchain if you remove it. The whole idea is to bind it to something real, the only more democratic solution is to bind it to something that all people have the same number of, which makes no sense to even look for that and to make it integrated in an efficient way for the computer based system. Unless you want to give each person in this world a key (or they give it to you) with witch they can vote then PoW is as close as it gets. Key distribution (in a way PoS as well) is very hard to do in a decentralized manner.


But PoS is less secure since it costs nothing to try to attack it, unlike in PoW. That is undisputable, you will trade some security for the electricity, whether you think it is worth it is another thing.

That is never going to happen, it takes away from the trading power that is there. We net around 34% increase on BTC in the trading markets and I have yet to find a person or institution that is going to pop 34% daily compound interest on something as under backed as Bitcoin.

PoS resembles a ponzi to be honest. ..  if earning lots of coins in an effortless manner or without work can be GUARANTEED I guess something could go wrong.
Taking away hardware mining could make the whole thing look like a pure ponzi scheme.  
What would be your best line of defense if you are accused of engaging in ponzi....like how John McAfee  defended Bitcoin effectively with his  "miners invest massive amounts of supercomputing power and electricity in creating Bitcoin"  

Gone through some material online to understand the features and benefits of PoS to crypto , still haven't found anything very useful.  Have also looked at the pros and cons.

 Wonder who was the first to propose such idea. It feels like something a tyrannical govt would propose.
Wonder if there are limits placed on the amount of coins one can staked like the limits placed on the amount of Bitcoin that can be produced every 10min
[ OK, looks like this user was the first person to propose PoS: https://bitcointalk.org/index.php?topic=27787.0 ]  


Finally..
Here is a PoS excerpt from Wikipedia:
"in PoS-based cryptocurrencies the creator of the next block is chosen in via various combinations of random selection and  wealth or age  (i.e. the stake)."

Those red colored words are abomination to decentralized Cryptocurrency?

This BitcoinStake recently launched, and I got some from the airdrop.

I do not know how the market will accept it, the airdrop was real fast though and very professional IMO.


https://bitcointalk.org/index.php?topic=2223417.0

https://bitcointalk.org/index.php?topic=2313203.0       - new Ann

https://bitcoinstake.net/

Some serious developer says pos coin. Has flaws by design and is not recommended for serious network

I think it is hard to imagine that they will reach consensus to move to POS after so much money is invested in POW infrastructure.

There is a nothing at stake problem regarding identifying the true chain from genesis when an unknown number of sybils can create a false history with no cost.

I don't think that PoS is good for bitcoin. PoS is for shitcoins.

Actually, i dont believe that BTC will move to Proof of stake. It`s really hard to believe because of its specifical essence

I can’t see that ever happening as the investment now to hold a representative amount of coins is simply to large for anyone that didn’t get started early 2016 or before.

its not possible to put POS for decentralized system,and i believe
lots of users will disagree about this matter,same as the fees upon transaction
will get higher.so for me this will only be effective if the bitcoin community will
allow this that i surely know they wont.

Hybrid PoW and PoS will be good to secure a blockchain.
Not everyone can buy special hardware for mining. PoS allows ordinary users with ordinary PC to stake their coins and secure the blockchain as well.

Currently all proposed POS algorithms are flawed (some to ludicrous extent, allowing one validator to seize control over whole block chain). Ethereum is struggling to develop reliable POS by implementing slashing condition but we yet to see if it will be efficient POS or ETH demise. Right now BitCoin have some issues but definitely isn't broken and working just as it was designed. Implementing POS would almost surely break it. And wise man once said "Don't fix what isn't broken!"

And even with a swap you can't spend the btc in POS someday, you think? That said, it would be less and less for minors, not sure if they accept...

Guess Bitcoin could experiment with both Proof of Stake & Proof of Works.
I find PoS a bit suspicious though. It seems like it could seriously Centralize the Network.

It will be good for the environment as it saves energy. However, it may be very hard for bitcoin to make a big change like that. It is more possible that a fork of bitcoin that uses POS.

Priorities are different for that matter.
I don't hate an environment, quite the opposite, but unless POS will work as robust and bulletproof as POW working now it's not feasible to switch just for the sake of saving environment (also demise of bitcoin sized market won't be good for the environment either).

Also with wake of solar energy I assume miners won't be hurting environment as much as they do now in 15-10 years.

Bitcoin will definitely go to the proof of stake someday. It is quite better than ETH, which will eventually go to the former soon.

PoW has been shown, in bitcoin, to centralize, and we know the economic reason for that: "economies of scale". 

The problems, as seen in bitcoin, with PoW, are the following:

- hugely wasteful if the market cap grows.  The amount of wasted hardware and power is gigantic, and is an economic necessity in PoW schemes.  I don't know how accurate it is, but it is said that bitcoin is using about the electricity of Denmark.  That's crazy.  Scale this up a factor of 100 (full adoption of PoW coins all over the world) and most of our power production on earth would simply serve to make a piece of data.  Crazy.

- the industrial proportions that mining takes, splits the eco-system in an industry of block chain providers on one hand, and a set of customers (users wanting to do transactions) on the other side.  As a coin owner, you are at the mercy of the miner industrial complex for them to make a block chain and put your transaction in

- obvious centralization, due to economies of scale.  Bitcoin's consensus mechanism is entirely centralized on a few pools.

- cryptographically not very secure.  Indeed, the cryptographic security resides solely in the need for an external attacker to do a *similar* amount of work than was needed to generate the security in the first place.  This is unseen: good cryptography normally requires an attacker to spend *immensely more* work to break a cryptographic seal than was needed to make it.  This is also why proof of work will end up needing the majority of electricity consumption on earth: to avoid that another majority can exist and overdo it.  But at the same time, industries on such a scale are always under a central control, and cannot go "underground".  You can calculate digital signatures in your basement, but if you need 60% of a country's energy for mining, that will obviously have governmental implications.


But that is what a crypto currency should be: entirely determined by its owners.  It is very strange to have a crypto currency that is depending on an external industry, and of which the users are not making up the consensus.  A PoW coin is very much exposed to an external attack, while a PoS coin is cryptographically secure against an external attack.  It can of course suffer *internal* attacks. 

However, we forget one thing if we discuss all these schemes of attack: that is: the market. It is assumed that "stake holders" are a priori motivated to keep the value of a coin more than external agents.  It is true that this is more complicated if in the financial markets, you can short against the coin, but that's even more true for external attacks.  If you have high stakes in a coin because you own it, it would be somewhat stupid to use that stake to destroy it in the market (any successful long range attack will of course entirely destroy it in the market).


That's just as well the case for a PoW coin.  PoW doesn't work as designed.  In bitcoin, it is now entirely centralized, it is hugely wasteful, and honestly, it could easily be attacked by a collusion of 5 or 6 mining pools.  The day that the mining pool owners massively short bitcoin, they might be inclined to do some stupid things, simply to kill it.  Maybe they even get some money from the Chinese government for doing so on top of their shorting.

There are no absolute and decentralized secure mechanisms of consensus building.  This is even a theorem.  But some do kind of work, because we are not in a totally decentralized world, there are market interests and all that.  Bitcoin most probably would even continue to work correctly, even if mining were in the hands of 2 or 3 people (in fact, we're not very far from that case).  Simply because they have stakes in it, it is their business.  With proof of stake too.  Because in the end, the "long range attack" would oblige all on-line nodes to accept reorganising the chain over a long line.  Most simply won't.  You can easily "lock in" the blocks of yesterday and decide not to accept a reorganisation that goes back to yesterday if you are online.  Contrary to PoW, where the full non-mining nodes have nothing to say, with PoS, that is not the case, as all users are staking ("mining").

The PoS algorithm simply needs to take into account certain cases.  And yes, it won't be entirely secure, as no consensus algorithm is entirely secure.

This is why all these discussions about "absolute consensus security" are moot.  In reality, people forget that
1)there is a market
2) there are news feeds
3) that you can't do that unnoticed (some people will have "old copies of the block chain")

What these consensus algorithms do, is to prevent some moderate-sized hacker group to overthrow the system.  But if a major player really, really wants to (think, government(s), very rich entities, ....) none of this stands, unless we scale up to ridiculous sizes.  The only way to be absolutely sure that there cannot be a PoW attack, is to have a PoW that indicates that we use, say, 80% of earth's power production.  With the remaining 20%, to run the whole economy that remains (you know, making food, building houses, ....) there's no room to do an attack.  This is what PoW would converge us to (and destroy entirely human economy) if it would be all-encompassing.  If tomorrow, we all use bitcoin for all of our monetary affairs, that's the state we'll converge to, in an unavoidable way.
And anything less is fundamentally attackable.

There's one thing people forget: after such an attack, which will be noticed, the coin is dead.  There's no point doing an attack with the hope of being rich on the chain, because the market will kill it.  And THAT's what makes that all these imperfect algorithms actually work in practice.

Because this is "decentralized" according to you ?

https://blockchain.info/pools

3 pools have majority.

5 pools have more than 75% hash rate.

10 pools have essentially all hash rate.

Duh. Decentralized, my a**.

I know that these are just the "pools".  But the "pool owner" is the one that decides what is done with the hash rate he buys from miners.  He's the one that decides on what block to mine, and what block to make.  Most miners don't even know what block their pool is mining on, or is constructing: they simply sell hash power to the pool.  Hell, most miners simply buy mining equipment and connect it, without knowing zilch of what's going on in their devices.

By the time miners realise what the pool is doing with their hash power, the attack may already be over.

The move to PoS will of course not be done by miners, by definition.  It will also obviously be a hard fork.  There's no way to implement PoS by a soft fork.  So the obvious way for PoS bitcoin to emerge, is to do a hard fork.  Those wanting to remain on the PoW coin will do so (and the miners will of course be part of it), and sell their PoS coin version.  Those wanting to do PoS will sell their PoW version.

The only question that remains is simply: which prong of the fork will be entitled to the brand name "bitcoin".  This will be an exchange's decision.  If exchanges decide to call the newly implemented features "bitcoin", then bitcoin will "have switched to PoS" and the original one will now be labeled an "alt coin" (bitcoinhash or something).  If exchanges decide to keep the original bitcoin line called bitcoin, then the PoS version will be an "alt coin (bitcoinstake or something).  Most probably, the monopoly to the name "bitcoin" will be decided by the few people that have pushing rights on the bitcoin core centralized Github archive.  That's how the original bitcoin now became an alt coin, called, bitcoin cash, and the new version with other segwit technology, remained bitcoin.

As the market is quite technology-ignorant, and very brand-name sensitive, this will be an oligarchic decision between 10 or 20 deciding entities.

No. PoW in bitcoin has shown to be a trustless, reliable proxy for elapsed time.


Firstly, 'cryptographic security' is the wrong term for what you are trying to describe. Secondly the security of a PoW chain is not based on doing a 'similar' amount of work, but to do more work than the rest of the miners in the network combined. That is indeed, 'vastly' more work.


Again, you're misusing 'cryptographically secure' and even if we take your intended meaning, your statement is still wrong as PoS coins are vulnerable to a much broader range of attacks than PoW coins, both external and internal. Please see this thread for details:

https://bitcointalk.org/index.php?topic=1382241.0

There is a paper describing a provably secure PoS chain, but even the author concedes that it can only be that way if a majority of honest nodes remain online. This is not a very resilient design, especially in the face of power cuts, wars and 'force majeure'.

Don't get me wrong, I'm not saying that bitcoin is a success - the network is congested beyond usability, but PoW remains the only trustless solution to the byzantine generals problem.

Cheers, Paul.

The banking hubs coming with Lightning Network are not really decentralized and become a single point of failure
anyway if you only open one channel and personally I can accept a cluster of specialized nodes inside the bitcoin
network and it does not mean that Alan Greenspan owns it but he might like to own some of the banking nodes we
have coming.

NEO has some interesting concepts and they have separated the network from the currency and Ripple
has done the same with PoW being dropped by everyone as far as I know in the newer systems or 3rd generation
as they call it.

If I understand correctly, the transaction fees is what are the earnings of miners in a POW system. So, how can you make POW system exist with zero transaction fees in future - when bitcoin is mainstream and used as a payments system in future ?

i think converting to POS will be better for bitcoin in future.

Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".  You need the order of spendings, in order to exclude the double spend, and to certify the first spending.  In bitcoin, if these are more than a few times 10 minutes apart, that's usually considered definitive.  But *any* mechanism that comes to a consensus that transaction A came before transaction B is good enough.  You don't need real world time for that.  You only need order.  


No, that is not vastly more work.  If I make a digital signature, I can do that with a smart phone using a few mW during a few seconds.  In order to FAKE that digital signature, even the NSA with all its supercomputers, can't.  So the effort of the attacker (here, the NSA) is so vastly more important than the effort the "good guy" (me) had to do, that it is simply practically not feasible.  This is the core of cryptography: the good guy (with the key) can do something easily that the bad guy without the key cannot even dream of doing with all the computation power in the world.  It is sufficient to show that one single digital signature has been faked without the key, and one considers that scheme as broken.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.


They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

Yes, PoS can be attacked by its owners.  Which is obvious, because that's what a crypto currency is about: the owners should be the master of what's going to happen, of the rules, and of everything.  But it cannot be attacked from the outside because it is cryptographically simply unfeasible if you don't possess any of the signing keys.


PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

The thing is that all these theoretical attacks are way beyond the normal use case: by the time these attacks become possible, the use case of the coin has already crumbled.  If you first need to obtain 15% of the stash of a coin before you can attack it, you could do already much more harm in the market than you would by setting up a rather improbable attack.   We now have 4 people in the world that, via a simple phone call and an agreement, could attack bitcoin, and they don't even need to possess it.  They won't, because it is their business.  If you own 15% of a coin, you won't set up an attack.


I think PoW proved that it failed, by economies of scale.  If 4 people can decide to attack the system, even if they won't, I think that I can rest my case.  If this system is considered safe, then PoS should be considered safe too for all practical purposes, even though theoretical attacks are possible.  

The real, initial problem with PoS was that one thought that it wouldn't *converge*.  That semi-honest players wouldn't find the same consensus.  The "nothing at stake" issue.  

That, from a certain level of investment onward, you can break the system, is obvious, but we saw that with PoW in practice.  4 guys (and maybe they are the same guy !!) can collude, and kill bitcoin tomorrow if they want to.  Simply, they don't want to.

If the 4 most important mining pools decide to reduce their hash rate in the building of the new chain, and use 80% of their hash power to overdo an older piece of chain, reversing transactions of last week, next week we have broken bitcoin with an orphaned prong a week long.

The point is that in PoW, you don't know how much invisible potential PoW hardware is available to an attacker.  In PoS, you know: it is the amount of stash.  Nobody knows if someone is not stealthily collecting mining hardware without using it, so without pushing the difficulty upward, and to switch it on in the frame of an attack.   This is especially the case in the case of large price swings on the market.  If tomorrow, bitcoin tumbles a factor of 5 in the market, and miners "switch off hardware" because it is wasteful, there's a huge potential of hardware ready to be used for an attack.

So all these attacks are just as well theoretically possible with PoW.  PoW is just as theoretically broken as PoS.  In reality, they won't happen, because they need big players to kill their own investment in one way or another ; and these big players can do that also in the market if they want to.  From that PoV, PoS is more logical.  An outside attacker might want to invest in the killing of a coin more probably than an insider.

In a coin without tail emission, that is, in a coin where there will only be a finite given number of coins from a certain time onward, yes.  In coins that continue to emit coins (tail emission, like ethereum, monero and the likes), mining is paid for by inflation, like it still mostly is for bitcoin.  Bitcoin's mining has always been paid by inflation until now.  It is only since last year that fees start to be a sizeable fraction of the mining revenue, still smaller than inflation, but nevertheless appreciable.  In a few times 4 years, however, the inflation will be so much reduced that it are the fees that have to pay for the joke.

Note that this is equivalent: the whole of the bitcoin ecosystem is "leaking value" at the rate of mining resource waste.  In the beginning, the price is paid by people POSSESSING bitcoin, through inflation ; towards later times, this is paid by people USING bitcoin, through fees.

In a PoS system, there is no such value leak.  The system can hold its value.  A PoW system leaks value because of the necessary economical waste in proof of work.

And how do you think you arrive at the order? Without reliable time-stamping, you don't and cant. It is the building block upon which all this is based.



'Slightly more' work than the rest of the network is vastly more work than solving a single block.


If I pay 100% of staking, stake-owners to send a transaction to themselves at at precisely 12:00pm next monday, whichever chain I choose would be stalled forever. That's a fairly obvious external 'attack'.


Sorry, that's just plainly incorrect. If the chinese government confiscates all mining equipment in china, bitcoin blocks will slow down as the rest of the world gradually takes up the slack. On the other hand, if some force confiscates all the staking stake from a PoS chain, the chain is dead forever barring a hard fork.

Order is simply a consensus.  It has not much to do with time.  In fact, transactions don't even need to be time-ordered.  If there are no double-spends, their order is automatic.  I could give you all the individual transactions in the bitcoin block chain in a random order, and you could be able to put them in order again.  They form a strictly ordered graph.  They don't need any time stamp.  They don't even need an indicated order, they order themselves.

The only thing one needs some "consensus state momentary pictures" is that one needs arbitration of double-spends.  One needs to come to consensus over which of two spendings is going to be part of the "accepted truth".  This doesn't even need to be the one with the earliest real-time stamp.  It is a random decision, but that random decision needs to be part of a consensus.  If there are no double spends, the consensus is automatic.  If there are double spends, we need to come to a consensus of which one to retain as the 'real one'.  It sounds like obvious that it should be the first in real time, but it doesn't have to.
It is only after this consensus is reached, that one can be certain about one's balance.  Up until the moment of global consensus, when transactions are pending, there could be double spendings, and one cannot know which one will be part of the next consensus.

The consensus images need to be ordered concerning transaction graphs.  They do not even need to be ordered between disjoint transaction subtrees.  Of course, when sub trees mix, there needs to be a logical order between the last "unsynchronized consensus" on each sub tree, and the first one after the mix.  In other words, the consensus pictures need to have a similar order than the ordered graph of transactions.

But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.


It is slightly more work than was needed to make the piece of block chain you want to overdo.  (and hey, you even get the new block rewards too).  If I want to overdo 10 weeks of block chain, I'll need somewhat more proof of work than 10 weeks of block chain building.  The question is in how much time I can do this.  But the amount of *work* is not related to the RATE of my work.  If I had the hardware to do 100 times the rate of work that is really spent on the block chain right now, I wouldn't need to spend much more actual WORK.  I could do it in a day or so (10 weeks of block chain).  In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.



That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.  Normally, a good PoS algorithm ORDERS the staking candidates according to things like actual current stake, previous stakers, and pseudo-random numbers calculated from the previous accepted consensus, and extra weights for coin age and so on, and then gives priority to that staker that actually proposes a consensus and is highest on the list.  So there is always a highest staker on the list of those that propose a consensus.  All possible previous states should always accept a single valid staker amongst all proposed stakes.


I meant: the Chinese government confiscates all mining equipment to use it as an attack on bitcoin, not to stop it from running.  As I said, there shouldn't be any staking stake.  There's just proposed consensus solutions by those who stake, and a PoS algorithm, known to everyone, indicates, amongst the propositions, which one is the accepted winner.  If there's only one proposition, obviously that single proposition wins.

You can say: hey but what happens if a higher-ordered staker propagates a past consensus decision then ?  Well, if in the mean time, new consensus decisions arrived on top of the previously accepted one, it's done, he lost his chance to stake.  As such of course, you can get divergent histories, but a good PoS algorithm also has a global branch preference, which is essentially a pseudo-random number.  If you are, as a staker, confronted to two branches, you should stake on the one with the highest "global preference", even if you are to be a staker on the lower one.  This is the solution to the "nothing at stake" problem: there should also be a pseudo-random cumulative weight of each branch: obviously one will win.

And finally, there shouldn't be any reward for staking.  It should be a voluntary act.  That would avoid people to want to disrupt the staking, just to get the rewards.

If there were no double spends, we don't need a blockchain, or bitcoin or anything fancy. But guess what?


Trustless ordering cannot occur without a unforgeable proxy for elapsed time.


No one piles up unused hardware because there exists a competition to mine; mining is, on average, more profitable than attacking the network, that is the key of why PoW is superior to PoS.


No it doesn't depend on the PoS algorithm; block producers are elected by stake, and to prevent that election happening repeatedly as stake moves around (creating attack vectors), stake must be bonded in some way by preventing new blocks from being produced right away. So if you send your stake to yourself, you're subject to that bonding period. If everyone does that, no one can produce a block and the network stalls, forever.

The order doesn't need to be the one of real time.  Any order is good enough from the moment that it is an order.  Any set can be ordered.  One simply needs a consensus on the order, that's all.

And then there is of course obvious "real time ordering" on the long term.  The problem with all these false attacks is that one wants a system that can prove to a newcomer that it was ordered in real time before.  That's not needed.  A newcomer just accepts the next consensus, without asking questions about the past.  It is to a newcomer, as if the starting point, the "genesis block" if you want bitcoin speak, was published at the next consensus he will be aware of, and needs to accept that.  There's no need to dig into the past.

And yes, of course, once you're in the system, you have to remain attentive to the new consensus decisions.  If you're absent (if you are a long time off line), you cannot say anything.  You accept the new truth when you're online again, as if you were a newcomer.  Of course you have to stay on line, or trust your peers the time you're absent.  It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

So the long-term real-time order is evident, because you were there, or you accept the truth from those that were there.  There's no way we will come back to the consensus decisions of yesterday.  Wanting to prove that, is what makes all these things difficult for no reason.   The consensus of yesterday is fixed once and for all, simply because you were there.  You're not going to wind back.   The consensus of today can still be discussed, but by tomorrow, that one will be fixed forever.  Simply  by those that were online.  The only thing that is needed for this to come to global consensus, is that there's sufficient communication between all participants during a lapse of one day.  Well, that is obviously the case.  There won't be a "split of the internet in large chunks for more than a few hours", so there won't, for all practical purposes, be entirely different histories when they are connected back ; and if there are, there's a simple rule to decide which one is to be accepted, on the basis of a pseudo-random number.

As I said, one is making this thing much more complicated on the grounds of unrealistic requirements, such as the need to prove that the system behaved well in the long past.  For all practical purposes, nobody cares.  Everyone accepts the state of yesterday, no matter how it got there, like everyone accepts what was printed in the newspaper yesterday, as being the thing that was printed in the newspaper yesterday.  We're not going to accept to re-write history "if we were there", and the others shouldn't care.  If you weren't there, you shouldn't have anything to say.  So it is normal that only those on-line decide about how this is advancing, and there, real-time order is evident if it is slow enough to account for every form of network delay.  You can think that one day is good enough.  Which is why there isn't any difficulty to consider that day by day, there are historical points of no return.  The block chain starts yesterday.  Every day.  How it got there, is of no importance any more.



That is an assumption about the attacker that you shouldn't make.  Of course, *within the system*, mining correctly is mostly profitable.  Not because of technical reasons, but because otherwise, you crash the market.  However, for an external attacker, you cannot know what are the motives.  As I said, piling up hardware without using it, and hence, without pushing up the difficulty, can be profitable if the market wouldn't crash.  When you orphan a big chunk of chain, you do not increase the difficulty, and you do reap in the block rewards of the chain you redo.  It may be profitable to buy hardware and pile it up (or just rent it) to do such an attack, rather than to pump up the difficulty by competing.  I think that the past total cost of bitcoin's yearly mining was about $2 billion.  Let us assume that $1 billion is in hardware costs, and $1 billion in mining costs.  Suppose now that an attacker piles up for $3 billion worth of mining equipment.  He has hence 3 times the total hash power of bitcoin.  However, he will use that hardware to redo last year's chain.  Yes, the whole last year's chain.  That will take him grossly 3-4 months to do so, while nobody knows about it.  He will use about the same amount of energy to do so, which is grossly in our case, $1 billion (the total mining cost last year was $2 billion, we put $1 billion in hardware, and $1 billion in energy).  So his total cost is $4 billion.  But now he publishes his chain, orphans the 1 year + 4 months of previous block chain, and hence reaps in the 60 000 block's rewards plus fees, and all reversals of all payments he did last year.  At the current price of bitcoin, $10 000, that would bring him already $9 billion of profits from the rewards only.  Add to that reversed transactions and all other things he can do with rewriting history and he's a winner.

Of course, in reality, bitcoin would be done.  So, for a total cost of $4 billion, someone external to the system can bring the whole thing down by redoing a whole year worth of history.  But even better now.  Suppose the guy shorts bitcoin for $20 billion in cash.  I think his $ 4 billion are well-spent.  




You cannot elect a block producer by stake, because you don't know if he's willing to stake.  You simply give an ordering those that do stake, to decide which one of the proposed competing consensus solutions is to be accepted.  If there's only one node online, of course that node will do all consensus decisions by himself repeatedly.  Any other design would be crazy.  If you are the genesis block creator, of course you stake all by yourself all the time until you have sent coins to someone else.  How could a PoS system even bootstrap if what you say is unavoidable ?  If you did recently stake, of course, that diminishes your priority to stake.  But if you are the only one, of course, even low priority, you can stake.  It is just that if there is a higher staker on the list that stakes, this one is to be preferred to stake on top.  So the NEXT staker is going to stake on top of the highest priority staker that did stake.  In case there is, because of network delays, a split that goes further than one last staker, another algorithm determines the FORK priority, which is cumulative over the different blocks, and indicates what prong the next staker should prefer.  A priori, the only way in which there can be a split is when two different stakers decide to stake within the time lapse of network propagation time between them ; the "ping" say.  When the chain splits because of this, most nodes will be aware of it within a few times the network propagation time.  The idea is that if such a split occurs, then all participants wait for a few times the network propagation delay to make sure everyone has the two prongs before continuing.   An algorithm them makes clear which of the prongs is to be continued.  If ever one finds out that two prongs continue to exist, the waiting time is doubled before staking.  When it is seen that the right prong grows, the waiting time is diminished again.

Again, there shouldn't be staker rewards, it should be a voluntary and altruistic act "of confirmation of mempool" and of "random choice of double spends received up to a point".  This avoids continuous staking on the losing prong with the hopes that it will take over.  If your transaction is within a single consensus which is old enough, and you haven't seen a competing prong, and you get from your on-line peers sufficient confirmation that they haven't seen any, then you can start to assume that your transaction has gotten into the irreversible consensus.

I can't continue having this discussion if you truly believe that statement to be true.

If you want to adhere to that, your system is unduly complicated.  

And look, this is EXACTLY what something like the LN is trying to achieve.  You don't have to know what happened in a channel, from the outside.  You don't want to know whether they screwed one-another or not.  You only see the final balance on the block chain.  You don't care what happened in those channels, and whether they did it according to the rules.   What matters is the end balance.

I could even say: this is already the case in bitcoin.  Nobody records the mempool for you if you aren't online.  Miners are supposed to be online.  Yes, PoW allows you to do "offline mining", like in my example, where you do offline mining of a whole year worth of block chain, just to overthrow all that has been done online during a year.  But that's a bad feature of PoW.  

The whole desire to have a system that has "its own offline clock" that can be checked, and to allow someone that has been absent for a whole year, to re-vote everything, is what makes the crypto consensus mechanism unduly heavy, and even prone to attacks that have no reason to exist if you take them to real time online.

After all, the only thing consensus is about, is an agreed-upon decision of what transactions are to be considered valid at a certain point in time, and to come to consensus that all competing transactions after that point in time, will be considered double spends.  That's something that can be judged "on the moment" by those online.  That's way easier.  The only thing that needs to be taken into account, is that due to network delays, if ever there are competing double spends, which one is the one we pick to be the true one.  After a few minutes, we can clearly declare that we've seen all sensible candidates, and pick one in a way everyone will agree upon.  Those that weren't there, simply have to accept that decision.

What screws up most consensus mechanisms, is that there's a reward for proposing consensus.  That complicates matters, because you can develop strategies to obtain the reward.  But if there's no reward, and there shouldn't be any, it is an almost trivial matter if you can take the decision within an online network.

We only have to "confirm the mempool" from time to time.  If you don't get a reward for that, you're not going to compete to do so.  You will do so if others don't, because you have stakes in the good functioning of the system.  If someone else stakes the mem pool slightly differently from you, that doesn't matter much, you can just as well accept his consensus as yours ; it is only a matter of a "symmetry-breaking agreed-upon rule" to decide between you and that other guy, which one is the one to be preferred.

Agree on you sir, i believe this would be a very bad idea to put BITCOIN in "Proof of stake". Not mentioning it's effect to the miners but the whole effect for the whole BTC users. I mean we all hate transaction delays as of now most of us are really complaining to it now imagine when this things happen. And the additional transaction fee will not be a very good thing to add with. But who knows those thing are uncontrollable factor, Let's just hope POS will not be implemented for BTC.

I cannot stand PoW and you raise a good point and I am working on something were server-side wallets become distributed across several
nodes and was kind of thinking about making the "Miners" or wallet nodes bid to host wallets using gas and then getting a fine paid in "Gas" if they
did not deliver the goods, time out, cheat or attack other nodes.

into the mix I might even throw a small sprinkling of this new thing called "trust" where nodes with good up times and good speeds are
invited to become members of the coordinators team so a human can be contacted within the network anonymously without taking control
and maybe I will give users a say in whats happening by allowing them to vote and not just reserving this privilege for "Miners"

Yes "power to the people" without fat cats and miners taking over.

That will always be the case in an open, anonymous, permissionless system.  The only way to avoid that, is by using "one man (woman, animal, ...) , one vote", and then you need to rely on real-world identities, issued by, well, centrally controlled identity-issuers.  How else do you associate one single human being to one pseudonymous identity on an open network ?  From the moment the network is open and anonymous, sybil sock puppets are possible.  Whatever proxy you use for "person", be it a CPU, an IP address, a smart phone IMEI, a phone number, .... you have the double problem that:
1) there are centrally controlled entities that ISSUE these things and/or
2) the fatter your wallet, the more of them you can afford.

Within a crypto currency system, however, it seems normal that the stake holders can vote according to their stake, in the same way that share holders can vote according to their share.   It would mean that the more vested interest you have in the system, the more you have to say about the system.  In any case, in a value-carrying token system, if a majority of tokens are in the hands of a colluding group, you better get out right away in any case.

With PoW, you get a combination of fatter wallets and better energy and hardware opportunities to be the voting key distribution.

PoS allows past stake holders to have same amount of power. That means early adopters retain complete power forever.
Also you can see that those past stake holders could have a lot less (even nothing) to lose by trying to revert the blockchain.

Not really.  It depends on the exact PoS implementation.  I think I'm going to write up my arguments instead of partially typing them in forum posts.

I would like to draw one's attention to the thread I have elsewhere, which points to a fundamental problem with PoW.  

That is, for the proponents of PoW, what's the vision on that ?

https://bitcointalk.org/index.php?topic=2847680

Largely a very long rant about money being the root of all evil, isn't it?

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

BTW, couldn't resist: https://ideas.repec.org/p/edn/esedps/110.html

Truely trustless, decentralised technologies will always be slower and more wasteful than centralised alternatives, that's a fact I don't dispute.

I think PoW is total junk and just like mining it keeps Intel, AMD and big oil rich but PoS is just I've got more money than you but you cannot touch it anyway
but what if maybe the miners were made to deposit some BTC much like happens with what the banker hubs are doing in the Lightning network and they
got a fine from the deposit if they started to be naughty boys.

implied trust is a hard one to nail down but maybe a cluster of coordinators  could police the miners and the miners police the coordinators and
dish out fines or something like that is worth investigating    

Wasteful to the point of using up a significant portion of earth's energy ?

The problem PoW tries to solve in bitcoin is bordering on the limit of madness and can indeed only solve it if it wastes provably more than half of human's resources.  As such, it solves a problem that needs not to be solved, because it is self-defying.

Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.  The only condition is that both X and Y do contain the "right" consensus A.".

Bitcoin's PoW system has indeed found a way to solve this entirely idiotic problem: it is that consensus proposal that has shown most proof of waste, and that it is not possible that anyone ever has wasted more than the one that wrote proposal A.

With that rule, I don't need any trust in nothing.  I only need to find a document that is cryptographically linked to the biggest proof of waste, and if that document contains a proof of more waste than half of human's resources, I know that this document is unique. Simply because no other human has ever been capable of making another such document: there weren't sufficient resources on earth to do so.

From the moment that document A contains a HUGE amount of proof of waste, but humanity has still more resources, I cannot be sure that no document B exists that has MORE waste to it ; but if it has been wasting more than half of human's resources, this document must be unique.  There is no other way.

This is indeed, the ultimate solution to the consensus problem, that allows someone that doesn't trust ANYBODY, and HASN'T BEEN THERE during the consensus decision, to know that this is the unique consensus.

Moreover, proof of waste is unique in this respect, because no other cryptographic technique can hold and do the same.  Anything based upon digital signatures will require me to trust the owner(s) of those keys, and by definition, I don't want to.  And if you don't use more than half of human's economic output, you don't really know if some entity didn't put in more proof of waste, to override the "true" consensus.

But this is pure lunacy.  Needing more than half of human's economic output to be able to prove to Joe the Cavemen that doesn't trust anyone and never was online that his ledger is the true one, is silliness to the point of being criminal.

This is why, in practice, you have to relax some of these absolute consensus proof requirements.  And if you bring this down to something much more reasonable, the so-called advantages of proof of waste melt away.   In our society, total trustlessness is ridiculous.   People use devices they didn't design themselves, they didn't check the functioning, they install software they trust, they use name spaces they trust, they use digital signatures of entities they trust....
You cannot base your system on total trustlessness. There is a right balance to be found between cryptographic protections against scammers, and trust you can have.  Otherwise you run into ridiculous and potentially dangerous systems, excluding reasonable solutions on the basis of religious dogmas.

Proof of waste is such a case.

If, however, you relax the condition that consensus must be proven without any form of trust to someone that wasn't there when the decision was taken, you can reach reasonably solid consensus decisions without ANY waste.  That means that you have to accept to be "online" when consensus is reached, OR that you have to accept some form of trust in those that were online when consensus was reached.  This will hurt dogma's, but it is in practice just as workable, and you don't have to use a big part of human's resources to do so: a smart phone can do it.  That trade off is worth while, because in any case, all the rest of our human existence is also needing trust.

Note also that PoW trustlessness doesn't even need decentralization any more.  Indeed, like is almost the case in bitcoin, the consensus DECISION is taken by 3 or 4 mining pools holding majority, and at best, by some 10 mining pools making most of the chain.  PoW only serves to prove that that decision is graved in stone, not that it was taken according to some or other rule set.  PoW only proves the uniqueness of the document, and hence of the consensus, not that its rule set was respected.  At this moment, bitcoin's consensus decision based on PoW is quite more centralized, as I said jokingly, than the Euro, that needs 15 ministers to come to agreement.

A lot of the hype that you see around with all the new blockchain applications are people trying to securely scale and solve the PoS problem.

- It is unlikely bitcoin would do PoS, but I cannot see the future - perhaps in some future the miners become evil and attack the network and the nodes change the algo?

Unlikely man.

That is indeed correct. And, in fact, any consensus design which doesn't have this condition at it's core is utterly pointless, because once you remove any of these conditions, you might as well just use Visa, which is much faster and more widely accepted than any cryptocurrency.

What do we think about PoW and PoS hybrids like LUX and others?

I think they do a good job of mitigating the risks and downsides of each of the two methods.

And as I said, the only fully secure proof of that is a proof of waste of more than half of humanity's resources.

Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ? 

If you tell me "people would see it" then you've shown that *in reality* you are counting on people's past online presence to have "old copies of the block chain".  If you count on old fixed points of the block chain in Core's software, then you'trusting Core's digital signatures.  So the sole proof that is fully secure is if you have a document, a block chain that proves more than half of the worlds' resources wasted on it.  Otherwise, it is not secure and a "B type document" may be made.

But this is entirely idiotic.  After all, how are you going to check that in a trustless way ?
Are you going to build your own silicon foundry and make your own chips by your own design to make your own computer ?  Are you going to write your own operating system and writing your own bitcoin software to verify it ?  Because if not, you're trusting some entity.  You're trusting Intel, your computer OEM, Linus Thorwalds' signature if you install linux (you're not using Windows or Mac, are you ??),  you trust the world's assessments you find on the internet of the world's capacity in electricity, you trust miner hardware specifications, etc...

Hey, how come that you trust the genesis block ?  Because it is written in software that some dudes signed with their signatures on centralized Github ?  Maybe it is not the right one !  Maybe what that piece of software tells you, is actually not the "true" bitcoin block chain !  Who knows !  You trusted Core's signatures ?

So you're not doing something trustless.  If you try, you starve before you get half way.

So wasting humanities resources on a mirage of absolute trustlessness that you can't have in any case, is complete and utter madness.  Good for the asylum.

In reality, you have to trust some entities.  You have to trust some signatures.  You have to trust some functionality.  Blind trust in one entity is not good enough.  But if you can find several indications, at different places, that you have most probably the right data set, that's good enough to be practical.  

For instance, if there are a few hundred resources scattered all over the world that give you the same hash list of block headers, and if you can be online some time and see that some tracks of block headers do correspond to what they publish, that's good enough to have trust that you have the right block chain.  It cannot be 2 or 3 websites.  But if you have a few hundreds of them, and you "know" them by digital signature for a while, you can assume that they are not all "sybils surrounding you".  You start to build your "social cercle" in that environment, you start to know peers.  And after sufficient time, as with real people, you start to put some partial trust in them.  If all of them tell you the same thing independently, then you can accept that as the truth.  Like with everything else: if sufficient sources tell you something, you take it as real.   Because that's the practical compromise between blind trust and the madness of full trustlessness.

We've discussed this before. There is a competition to mine; it is more profitable to mine than it is to sit on mining hardware, therefore you can be pretty sure this isn't the case.


You don't have to. If you're presented with two candidate blockchains with different genesis blocks, the one you accept is the longer chain of PoW. PoS cannot use this feature because block production is costless, therefore its trivial to produce myriad candidate blockchains which only online nodes can distinguish from the true blockchain.

If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.  If bitmain has a long-ranging plan to kill bitcoin (say, because the Chinese gov wants it to and has convincing arguments), it is NOT going to join the competition with its extra hardware, because it would like to take bitcoin by surprise.  And they can even make a big benefit in the market if they know when they will do it.  Game theory arguments with limited game rules are not a solution to trustlessness.  Trustlessness is a lure.  It is a mirage.  It doesn't exist.  From the moment you have to use such arguments, your system is in any case not watertight.  

As such, having hundreds or thousands of "on line consensus spectators" see the consensus arrive, and sign it, and not accepting any form of major "rewind" is a more secure practical way of doing things for much less effort.  If you think that major exchanges all over the world are going to accept a major rewind for instance, together with all online amateur users, exactly when YOU were offline, that's just as improbable.  Because of the same reasons of game theory, benefits and losses.
And we'll not need to waste earth's electricity.

So I take it that if ethereum overtakes bitcoin one day, and is still on PoW, you will think that ethereum is bitcoin now because it is a document that proves more PoW ?  And you're quite frustrated that you've been had with former transactions that do not exist on the unique ledger with most PoW ?

And you realize that all this talk on this forum, all the code signed by Core, and all the rest was just a big fraud, and the real bitcoin is made by software from Switzerland ? Or do you nevertheless trust some digital signatures and "old stuff" you've seen when you were on line ?

To use PoS proponents mostly commonly used counter argument to this claim - why would anyone with huge stocks of highly expensive mining hardware risk making all their inventory worthless by carrying out this attack?

Even if they somehow make this a profitable attack, their chances of pulling it off are minimal because they still need to outpace the rest of the world in producing the longest chain.

I think so! With the popularity of online currency I definitely believe in your statement... May we all benefit in this new trends...

The point is that if you have to apply this kind of arguments, your system is, in the end, not as secure as you may want to believe, and hence the necessity of its monstrous waste, and even its danger to human economy, not justified.  If we need to risk to blow up human economy to avoid something, that can in fact in principle happen, but of which you argue that the attacker will not be motivated and it will not happen in practice, I call bullshit.  Because PoS like systems are also, for all practical purposes, secure (especially those that are based on on-line no-rewind principles).  In fact, these systems are even more secure for all practical purposes, from the moment that there are sufficient "slightly-to-be-trusted" entities online, because in that case, no attack is even possible.

If it is necessary for a system to waste GW of electricity as its fundamental "security" principle, as compared to systems that can be made as economical as technologically possible, there's no justification for that huge waste, which engenders a lot of OTHER problems, like the power concentration (the centralization of decision).  A PoS system that gets as centralized as bitcoin's PoW structure would economically be useless in any case, because it would mean that the majority of coins are held by just a few participants.  If that's the case, they can play amongst themselves, which is their good right, and the others will leave.  It is then a closed club, and they play their greater-fool game amongst themselves.  If we would be 10 people to possess 99% of a crypto currency, that currency would be worthless in the market.  Well, bitcoin's PoW is for 99% in the hands of 10 deciders.  To have a similar distribution in PoS, 99% of the coins would have to be in the hands of 10 entities, at which point, they can have it.  

Another problem with PoW is that you get a separation between the users/stake holders on one side, and the "consensus industry" on the other.  Users have to ask the consensus industry to please include their transaction, and have to pay that industry.  PoS kind of systems are do-it-yourself systems, where the users decide amongst themselves, with no need for an external industry.

The cost of a PoW system makes the system leak value.  What's wasted on PoW is value extracted from the system.  It is not even a zero-sum game, it is a lossy negative-sum game, because piles of waste have to be bought with inflation and fees.

And all these problems, plus the ecological/economical danger and damage of converting limited resources into huge quantities of waste do not even give us an absolute cryptographic guarantee of security.  In fact, an attack is even provably effective: use 3 times more resources, and you can blow up the system for sure.  There's not even a DOUBT that the attack will work, it will work FOR SURE.

Let us suppose bitcoin at $10 000, and let us suppose current technology, and mining equilibrium, that is: cost of waste = mining reward.  Let us assume total block reward + fees 20 BTC.  Let us assume antminer S9 hardware: 0.1 J/GH, $5000 per 13 TH/s.  Let us assume electricity price $0.1 per KWhr.

20 BTC per block is $200 000 per 10 minutes, is $1.2 M per hour.  It means one has to waste 12 GWhr per hour to arrive at a cost of $1.2M per hour.  If all this were smoked up in electricity, we would need to burn 12 GW.  But of course, hardware needs to be paid too.  We can take it that the life time of hardware is 2 years (I'm nice here: who is still competitive with 2 year old miners ?).  The price of an "antminer-hour" in hardware is hence: 5000/(2*8760) = $0.28  ; the power used in one hour is 1.3 KWhr which is a cost of $0.13.
Running an antminer for an hour hence costs $0.41.  The number of antminers needed hence to waste $1.2 M in electricity and hardware is grossly 3 million.  We need 3 million antminers to be at equilibrium.  We hence have an equilibrium power consumption of about:
4 GW, and a hash rate of about 39 million TH/s (twice the actual rate).

The total hardware investment is hence $15 billion dollars over two years.  Well, with a budget of $45 billion, you can successfully attack bitcoin.  You will have almost 3 times the hash rate, so you can redo the chain 3 times faster than it is advancing, giving you a net factor of 2.  You will have to consume 12 GW for the time of the attack.  Suppose you want to redo the last two months.  That will be scary enough, no ?  All transactions of the last two months erased, what do you think ? Funny idea, no ?  You will have to run for a month to do that.  One month at 12 GW will cost you grossly $0.8 billion in electricity, say $1 billion.

For the price of $46 billion dollars, bitcoin is entirely destroyed.  You publish a higher PoW chain that has totally screwed up the last 3 months, one month from now.  The big peak included in December !  My attack is guaranteed to work.

In reality, cost would be half of that, because bitcoin is now out of equilibrium as we saw.  Hash rate is only 20 million TH/s while equilibrium is 40 million TH/s.  So right now, destroying bitcoin could be done for $23 billion.  Which I can get out of the market by shorting bitcoin.

Now, $46 billion is quite an amount of money, but less than bitcoin's market cap.   I might short $50 billion in the futures market.  There will be a lot of takers of my offer for bitcoin at $20.  My expenses are covered.  But I might get subventions from states, and, most likely, even from climate change actions.  After all, I'm going to blow a big electricity waster to pieces.  This is not an "impossible" attack at all.

The argument that "it most probably won't happen because miner incentive" is very, very, very weak as compared to all the problems it brings.

There is of course something that might save bitcoin from such a devastating blow: people might restore the block chain before the attack was published, .... from a trusted source with a digital signature !  Say, a few Core devs that publish the "correct" block chain tag in an urgency release of the Core code.... mmmm...  maybe digital signatures of trusted entities is not such a bad idea, is it ?  ;D

The justification is asymptoticly secure, trustless, decentralisation. Take it or leave it.

PoS gives you none of that security model, and is slower than visa, making it an exercise in utter futility.

Could not agree more and mining is even worse but for saying this we get called trolls around here even if our logic
is perfectly obvious and we lay out our reasons for not agreeing with the vicar of the church

Why do I get the feeling that you and dinofellis are the same person?  :(

Nope.  Anti-cen has visibly the same relatively critical opinion as I do on PoW, but we're not the same person.  People can be different persons, and share an opinion.  Alas, it is impossible to prove that we're not the same, and the irony is that that's why Satoshi used PoW as a way to try to dismantle Sybils.  We're touching here the fundamental reasons of all these things.

Unfortunately, it didn't work, which is exactly why PoW fails.  It didn't work in the following sense: Satoshi presented PoW as a way to "make sybilling the network" expensive.  He presented PoW in his paper as a way so that each participant (human participant) would have "one vote".  He used "CPU" as a proxy for "human", with the idea that you could cheat a little bit, by using not one, but 10 CPU for instance, and get 10 votes, but if you wanted to have 10 000 votes, that would become quite expensive.  However, in Satoshi's presentation of things, votes didn't need to be EXACTLY right.  What Satoshi needed was that there were SUFFICIENT different voters, even if some had more weight than others ; as long as the majority wouldn't be in the hands of a small colluding club.  Whether Joe had 3 votes or 100 votes didn't matter, if in total there were 1 million votes.  The majority, that is to say, 500 000 votes, would still be distributed over enough different non-colluding entities for the system to acquire trustlessness by decentralization.

Trustlessness by decentralization is the brilliant idea behind bitcoin (which turned out to fail, exactly because PoW failed).  It is the game-theoretical "super-Nash" equilibrium, where the equilibrium is "follow the common set of rules", and where, contrary to a simple Nash equilibrium, which takes potentially a simple collusion of two players to be broken (in the typical example, the Prisoner's Dilemma, if the two prisoners collude, they can leave their Nash equilibrium), in this "super-Nash" equilibrium, it takes a collusion of majority of many, many players to be able to be broken ; which is so impractical to be done, that we can assume that every player stays in the equilibrium (that every player follows the same rule set).  This is the inverse "tragedy of the commons".

Satoshi said that one couldn't count on "different IP addresses" to do so, because it would be quite easy for an attacker to become the single controlling human of a large majority of IP numbers.  That's why "one node one vote" wasn't possible (and this is also why all this nonsense of "decentralization by full nodes" is bullshit: bitcoin was designed not to take this into account!) However, "holding the majority of CPU voting" would be much harder to do, which is why Satoshi presented PoW as a fairly robust way to defend against "having a majority of voting power in the hands of a small clique".

Well, it failed.  PoW IS in the hands of a small clique.  3 entities have majority, to be precise.  You can see it in the hash rate distribution of the mining pools.  Worse: even though we KNOW this now, there's nothing we can do about it.  The "majority vote by CPU" IS now in the hands of a few, and yes, they really do have control over the majority of CPU, even more so than would have been the case with IP numbers.

It is quite funny that Satoshi presented PoW as a way to avoid Sybils in his paper, and nevertheless was able in 2008 to explain that "mining would be left to specialists with farms of specialized hardware".  There's a slight contradiction here, because that is already admitting that his PoW system would not be a good approximation of "one human, one vote" by "one CPU one vote".  It is true that Satoshi seems to have thought that it would nevertheless be "hundreds or thousands" of "specialists", not 10, or 4.  However, that by itself doesn't make sense: the same dynamics (economies of scale) that would bring the "home CPU vote" into the "hands of specialists with farms" would continue to bring together "specialists with farms" into a few big farms.   His position simply doesn't make sense.

The fundamental reason why his "making sybilling the network expensive" didn't make sense, is that in his system, the more you sybil, the higher your costs, but also the higher your rewards !   His explanation that it would, nevertheless, remain profitable to "play by the rules" even if you have majority (that there's no reason to attack the network, while you can profit from your hash rate) is begging the question.  Remember the super-Nash equilibrium.  If you have majority, you DICTATE THE RULES.  Of course you will be following your own, dictated rules !   The error in all this is that if you reward voters, there's no way to remain decentralized, because all difficulties and costs of sybilling are compensated.  However, PoW requires compensation because it generates economic waste by definition.

All this is lies and deception.  This is why it works so well.  Like world religions.  They too, started out often with some good intentions.

I wouldn't mind this, if it weren't so wasteful.

I can see this as a problem in the future. Why would bitcoin need POS?

Well, it fails on decentralization already, and "asymptotically" means wasting more than half of human's resources.  
It is true that it solves trustless UNIQUENESS if we waste more than half of humanity's resources.  But it doesn't even guarantee that that unique document has been made according to the rules.  You cannot have it both ways: if the document is unique, you have to accept it.  You cannot put another requirement, because it is unique.  If you can put another requirement to select amongst possible candidates, obviously, it is not going to be unique.  So PoW only proves trustless uniqueness if that's the sole condition.
If tomorrow, the single entity that has more than half of world's power, decides to produce a unique document with the most PoW that has entirely different rules than bitcoin, you still have to accept it as the "unique true consensus".  Like I said, if ever it is the ethereum block chain, you would have to accept that bitcoin is now ethereum, and your bitcoin addresses are worthless.

Because if you are presented with different block chains, and the ethereum block chain contains more proof of economic waste than what people used to call the bitcoin block chain, according to your rule, you have to accept the ethereum block chain as the sole true consensus document ; if it contains a proof that more than half of human's resources have been wasted on it, you know that there cannot be any other such document around, and you have your unique consensus.  Too bad your addresses of your coins don't work on it.

If you are going to say: it is the highest PoW chain "within a certain set of documents that satisfy other rules" then you have the ambiguity from the moment there are forks.  Suppose that BCH overtakes the BTC chain.  Is bitcoin then from one day to another BCH, and should we reject BTC as a false document ?  No, of course not.  They are different crypto currencies.

The foolishness of uniqueness of PoW breaks down entirely when there's a crypto currency market.  Because there's no such thing as uniqueness.

The power law of economics says that anything which has a profit motive will centralise. But, there is no other way (yet discovered) to achieve a nash equilibrium than establishing a profit motive, so we're stuck with it.

I believe there is a way to achieve more decentralisation than we have in blockchains currently, still using PoW, but that's another post.


Are you honestly saying that the LCR rule doesn't distinguish between blockchains? Obviously it only functions within a single blockchain and yes, clients can tell the difference between an ethereum chain and a bitcoin one.

This is the error: there's no *monetary* profit motive necessary to get a Nash equilibrium.  As you say, monetary profit centralizes by economies of scale which result, as you say, in a power law distribution.   There's no reason to motivate people to participate in consensus.  They can.  They don't have to.  If they don't, they accept others to vote in their place.  If that goes "wrong", their problem.   The motivation is to keep your share, or to risk that others will push you out of the consensus.  If that happens, too bad for you.  You weren't there.  You've lost your stash because you failed to be online ?  Your problem, not mine.  So, fear of missing consensus is a good motivation.


They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

If there's a Martian visiting earth, how is that Martian going to know what is the true bitcoin block chain if he's not going to trust anyone and never was online before ?  He'll look at all block chains around, and find the one with the highest PoW in economic waste.  "that must the unique true consensus document".  From the moment you require OTHER extra rules, as I said, you have to trust those who said it were the right rules, or you must have been there when they were established, or you must trust someone that was there when they were established.

If someone saw bitcoin's protocol in early 2010, left for Jupiter for 8 years and came back, and imagine that BCH has more PoW, he would say that the true bitcoin ledger is BCH, and BTC is a tentative to fraud.

If someone had seen just Satoshi's paper in 2008, only remembering "maximum PoW", left for Saturn, and came back, realizing that rules may have changed completely, and ethereum would prove more PoW, he'd say that the only true ledger is the ethereum ledger, and all the rest is fraud.

In order to "know" that it isn't so, he will have to use and trust recent online information, or they "had to be there".

Other example.  Suppose that earth is hit by a catastrophe and for 500 years, we're back in the middle ages, even though the legend of bitcoin is orally transmitted.  500 years from now, technology is again developed, and some people go to look after that Satoshi of the Round Table and his trustless Ledger, some ledgers are finally discovered.  Which one is the "true" one ?  If the rule "maximum PoW" is recognized as the sole unique totally trustless rule, if ever the ethereum chain has more PoW to it, it will be said that it was bitcoin.

Finally "trustlessness and money" is an oxymoron. Money is about belief in value.  If you don't trust anyone, you don't believe that others believe in money.

There isn't a way to achieve one without it. Without a profit motive, the rational behaviour to maximise gains is to attack the system, this is the opposite of a nash equilibrium.


No, they don't need to do anything. Their client, which can be offline, then online, will always know whether it is being presented with a candidate blockchain on the right hard fork, in the right blockchain.

You seem to be suggesting that the attack vector is to convince someone who's never had a bitcoin, or ethereum client before to install an impostor client. This is a social engineering attack, not a technical one.

You cannot attack a system that doesn't rewind.  But for that, you simply need online presence, or trust other online presence not to wind back.  It is much much easier to assume that there will be online systems that don't rewind, or remain online yourself, than to want to reach a Nash equilibrium with "offline rules".  There's no long-term Nash equilibrium to be reached if decisions are never rewound.  The only attack possible would consist in a "sustained split of the internet".

The unneeded difficulties caused is that one wants to prove in a trustless way to an offline participant that the consensus decision has to be unique.  That is devoid of any real-world meaning as I tried to explain.  In practice, nobody does so for anything else.  If I'm online, and I just record the successive online hashes of successive consensus decisions published by half-trusted peers, I don't need any proxy of past time (I was there) and I won't rewind (I know the hashes of consensus).  As my attacker cannot know what different peers I check, he cannot present me any consistent alternative history, even if I leave my online presence for a short while.  And that goes for most participants.  I can find them later, because they have unique keys, somewhat akin to a web of trust with mutually signed public PGP keys.  When using the network, I will learn about more and more network nodes, and learn to half-trust them.  Some will go, some will come.  I will regularly check their histories with mine (we will in any case all be voting over the last consensus when we are online).  It would be extremely difficult, for an attacker, to convince me of another history even if I were offline for a while.  And if I got tricked because I'm offline, my fault.  Let the attacker win.


Absolutely not.  As that agent who doesn't trust anyone cannot distinguish between both and doesn't trust any digital signature, how is he to make the difference ?  He won't believe the name "bitcoin core" (obviously).  He won't believe the name "ethereum".  He won't believe anything signed or published.  There is no such thing as "imposter" in a trustless system.    He will only cryptographically find out that some ledger includes more proof of economic waste than the other.    He will only find suggestions in software "out there" that seems to work with certain ledgers, and not with others.  He can establish that some ledgers contain "remarkable results".

I don't have to tell you that when you have a pair of numbers, one of which is the pre-image through hashcash of a near-zero number, that that pair of numbers is remarkable.  I can suggest you to look at that pair of numbers with different hash functions, and if you find out that the hashcash function maps one of the numbers on a very small number, that in itself is a remarkable feat.  In as much as you can establish yourself that the hashcash function is not reversible, and in as much as you can figure out yourself how much electronics and electricity it would take to find that remarkable pair, you can estimate how much wasted economical effort went into this, without having to know in advance that you should look at "hashcash".  

So you simply find ledgers.  You have no client.  But you find different clients on the internet.  You don't trust their authors.  But you see that some ledgers you find, "work" with some clients, and not with others. You can easily map untrusted ledgers to untrusted clients.  Through analysis of these clients, you realize that some ledgers contain "remarkable pair of numbers".  You can estimate the relative efforts that have been wasted to find those.  From that, you determine the highest-PoW ledger, and automatically, the client that goes with it.

If it turns out that amongst all untrusted ledgers you found, the one with the most remarkable pair of numbers, was the ethereum chain, and you found that the untrusted ethereum client "worked" with it, then that must be the right ledger and client.

The absolute trustless cryptographic unique signature is the discovery of that document (ledger) that contains that remarkable couple of numbers that has needed most economic effort wasted to find it.  In order to find out how remarkable it is (and hence, how much effort was wasted on it to find it), you can use untrusted SUGGESTIONS, but you don't have to trust them.  The document is moreover sufficiently complex to allow you to discover, amongst all possible suggestions, the only pieces of code that actually work with the uniquely tagged ledger of maximum waste.  That must be the "rule set" then, the right "client".

You're basically saying: without double spends, we don't need a blockchain. Guess what?

As soon as you bring trust into the equation, you throw away the security model, making all the other sacrifices that go along with using a cryptocurrency over the banking system, pointless.


He doesn't need to care. Either one of these two conditions is true:

a) He has a client installed on his machine, which knows the chain it expects to receive, offline or online, doesn't matter
b) He doesn't have a client in the first place

The only aspect of trust here is that he trusts his existing client to be correct, or he locates the genuine client if he never had it to start with.

No, that's not the case.  Every consensus decision on-line will have picked one of the double spends and not the other one - otherwise, the online nodes wouldn't have accepted it as a consensus - YOU wouldn't have accepted it as a consensus !  If you don't rewind, you'll never re-consider.  Of course, in order to even be accepted as consensus decision, it needs to be correct.  Double spends are not correct.  So no consensus proposal containing double spends is to be accepted by the online deciders.
Given that one doesn't rewind, you need online stakeholders to sign for it even to be a proposition of consensus, and you need online nodes to acknowledge (by signature) that they accepted it.  Only then, the consensus is acted and no online node will wind back.

You cannot prove that to an offline party afterwards of course, but that's the concession that is needed.  You can only witness the emergence of the consensus if you were online.  However, you can register the consensus that was reached.  Normally, all online nodes will register that (and its hash).  If there is enough diversity in online nodes, and none of them is willing to "wind back", there's no way for an attacker to "overdo past consensus".   Of course, if you've been offline, you need to check with all your "former online buddies" what is their list of consensus hashes.  Normally, all of them will give you the same list.  At worst you get different lists and you know there's something fishy.  But it is impossible for an attacker to give you a false list not have you find the right list somewhere.  For that, the attacker would need to overthrow your entire list of former buddies, and he doesn't know them all, doesn't know what you know (when you were online and when not), and doesn't know the different trust scores you've attached to different buddies.  You will not have much difficulties establishing what was the right list by cross-checking what you know, and your different buddies.  You can then also know who is not to be trusted and who is.  People build a "web of trust" that way.

Note that if you consider that stake holders and online entities could nevertheless decide upon proposing and accepting an erroneous consensus, you can just as well assume this to be done by the PoW consensus deciders.  In as much as this harms other stake holders is their fault: they simply had to be online.  If they aren't, they take this risk.  Everybody will see of course that people decided upon a double spend.  So be it.  Exactly as if you'd discover that there was a double spend in bitcoin's block chain, 50 blocks ago.  So be it.

How can he trust these clients ?  If we assume trustlessness, you don't trust any client by itself.  You do not distinguish the bitcoin core client from the bitcoin cash client from the monero client from the ethereum client from the litecoin client from the DASH client.... all these are untrusted pieces of software of course.  

You only have a list of untrusted ledgers, and untrusted pieces of software.  No trust in a trustless system.  You can match them.  That's not trustless.  You can see that the bitcoin ledger "works" with the Core client.  You can see that the monerod client works with the monero ledger.  But you do not trust anything.  What's the "true" ledger (and hence, what's the "true" client) ?  --> The one with the most remarkable pair of numbers that required the biggest economic effort wasted on it.

This is insufficient in providing the necessary resilience that a p2p currency should enjoy.


List's of buddies are ephemeral. Even when they remain consistent, as an attacker in such a network, I can create a majority of false online nodes at near zero cost, all broadcasting impostor blockchain data which a syncing node will not be able to distinguish from reality - and since I've been doing this for a while, your list of buddies will contain all my nodes, which do not start their attack until much later on.

Web of trust = web of fail. Just look at all the sites selling reddit upvotes, or twitter followers for $5 per 100,000.

Given that no online node winds back, if you do that, you've simply created a clone and the newcomer will be on your clone.  But what happens on your clone will not be accepted by the "older nodes" that don't accept your alternative history, simply because they were there.  Exchanges that remain online all the time will not recognize your history.   So you've simply created another P2P money all by yourself, but with no link to the existing one.  Newcomers may be tricked in using YOUR P2P coin, but they will not be able to buy or sell their coins on an exchange, simply because that's another chain that doesn't rewind.


Well, you may have successfully created a different coin, yes.  It wouldn't be an "attack".  Because there's no rewinding.  You may trick some newcomers into your coin, thinking it is another one.  They will find out.  Your difference will be noted.   You will have a hard time having constant online entities like exchanges believing your nonsense coin.  And I will most probably put some trust in different exchanges.  Not one, but several.  If you don't give up, and if you keep sufficient followers for a sufficiently long time, your version may be listed on exchanges too.  And the market will take care of it.

There's no accepting other's votes.  My trust in you has more to do with you behaving correctly on the network for a long time while I watch you (like you watch me).  Note that you are not a staker, you cannot propose anything.  You can only confirm a proposed consensus by a staker, for which the confirmation should be automatic.  You add your signature to that proposition if it is the right one, and everyone online can SEE it is the right one.  The more you sign correct propositions, the more I can trust you that you will have continued doing so if I am absent.  Even though I shouldn't be absent in my own interest.

No, it's much worse than that. Because I am persistent, I make sure my nodes are UPS protected and geographically distributed such that they become the nodes with the most up-time across the entire network. Therefore, over time it is not my blockchain that is rejected as fake, but the original one.

There only way to prevent this is to use subjectivity by manual intervention. This is a horrible way to run something as important as a currency; credibility would be destroyed.


So, I perform a long-con whereby my majority of nodes start out trustworthy, enough to acquire the trust of nodes like yours, then I carry out my attack, by purchasing old private keys, for example from the genuine chain with which I can become a staker and broadcast a fork where I can do what I like, which will be accepted by your syncing node, or even your regular node, potentially due to network latency.

wow, there is so much erroneous information on this thread about POS coins...
I'm not going to point any fingers but with this level of misinformation out there about POS I can understand some things better.
ok, you guys have fun, I'm going back to Beanland.

As I said, I should make a write-up of how one can solve this.   The whole misunderstanding is that money is about an offline ledger, while it is a common agreement of parties.   Most usage of crypto right now is between users and exchanges.  But maybe one day, that will be between users, exchanges, stores, etc....   Most professionals in this game will remain online all the time.  As such, they cannot be talked into rewinding something.  You will not be able, no matter how many nodes you have, to convince, say coinbase, to rewind.  Coinbase has been on the network all the time, and has acknowledged all consensus decisions on the network.  Of course, coinbase by itself cannot be fully trusted.  But Bitfinex will also have been online all the time.  They will ALSO have acknowledged all consensus decisions.  Maybe some banks will too.  Maybe some day, Amazon will accept coins too.  Maybe Google.  Maybe your local supermarket.  In any case, your coins are only useful with these partners, and if all of them give you the same chain, you may fire up one million nodes saying something else, this one million nodes will not convince, because they are in disagreement with a backbone of trusted nodes.  So their keys are immediately tagged as untrustworthy, because they tell bullshit. It doesn't need to be just big companies that have trusted nodes.  You can have the devs running some trusted nodes too.  There's no chance that all of them, if they adhere to the principle of no wind-back, suddenly accept another chain.  The idea is that you fill up a list of keys of trusted nodes - but you can know them publicly too.

The only danger is a global net-split, a kind of a MITM attack on global scale.  That's not so easy to pull off.  And then, if ever that happens, the solution is to accept a merge, and accept double spends.  Accepting exceptional double spends in the case of a global network split is the best solution.  Nobody is hurt.  The only thing you get is a bit of inflation.  Not much, because you can only have some double spends of spendings during the split.

The fundamental rule is simply: you never wind back.  You never accept to "erase" a former observed consensus.  At best, you accept double spends.  Most of the time, and in reality, all of the time, all online nodes will be aware of all propositions of consensus in a given time lapse.  Especially if here are relatively central hubs most of them connect to.  The only way to be able to obtain a double accepted consensus, is if you can succeed in propagating a consensus proposal on one half of the network while the other half propagates another consensus proposal, and never gets to see the first one.
If there is the slightest leak of the first proposal to the second network block, all nodes in the second part of the network will be aware of it, compare it to the first, and come to the same consensus conclusion.  As there are no rewards attached to the proposition of the consensus, there are no motivated preferences apart from the rule that tells you which consensus to accept.  If you see that you are in check with a lot of trusted nodes, like the dev's nodes, big commercial nodes,  your buddies and so on, that's just as good as being in sync with some obscure Chinese mining pools.  It is essentially impossible to split the backbone of big, known nodes, and as most probably all user nodes are somehow also connected to some of these backbone nodes, it is essentially impossible to split the network.  If the network is not split, there's no way to have a split in consensus.  And if ever it happens, the idea is not to rewind, but to merge, and accept eventual double spends as the price to pay for the split.

Note that a split is not enough: you also have to have stake holders signing, and you can only bring confusion over the time lapse you arrive at keeping the network split.  


Absolutely not.  Like the dollar is not destroyed because exceptionally, there have been some counterfeiters.  


Nope, because you will not be a stakeholder according to my latest records, so your propositions of new consensus are not even valid, and I never wind back.  I might be convinced in accepting a double spend, if enough stake has proposed it, and enough of my trusted nodes have acknowledged it, in which case I assume there has been a network split.  But I never wind back.  If I see that important nodes like exchanges and all that have accepted those other spends simultaneously, I accept them too.  But I don't wind back.  Never.  So at most, we all accept some legacy double spends, which are then simply some extra coins, in those cases where there was a network split.  It won't happen, because a backbone of important nodes will not do so.

Double spends are erasure of former consensus. You can't just accept them blindly, the currency would be worthless.

If you refuse to wind back, you will end up with a corrupt blockchain, as latency and temporary outages will present you with missing and or incorrect data with no malintent.

My point was that in the unlikely event of the observation of a consensus split, which only can happen by a concordance of a very sophisticated attack and a full network split, the best solution is to merge both consensus and accept the double spends as an extra coin creation.  In reality, it will not happen, because to succeed the full split of a large network, and at the same time, propagate in both halves an accepted, different, consensus with two different spends, is very difficult to pull off.  But if ever it happens, there must be a response to it, and the best response it to merge both "account states" - that is, to accept the creation of some extra coins by the double spend that was successfully incorporated in the two otherwise legitimate accepted half-consensus parts.  As I said, it is essentially impossible to pull off.  You would expect that there's a well-known backbone of nodes most of the network is connected to.  In order for it to work, there must be a significant part of the network YOU trust, that has adopted ANOTHER consensus even though you thought you were on the network, while another significant part of the network YOU trust, has adopted the same consensus than you did.  It would be something like you seeing that Bitfinex, Amazon and Coinbase had accepted one consensus (yours), while at the same time, the dev's node, Kraken, Poloniex and Google had accepted another consensus.  This would be not even possible if you were connected to all of them at that time, because you would have relayed them the consensus proposals of both sides, and there would have been an obvious single choice.  It is only when suddenly, say, the dev's node, Kraken, Poloniex and Google seemed "offline" to you, just to come back 20 minutes later with a different consensus history, and lo and behold, their different consensus history has double spends with regards to yours (and Bitfinex's, Amazon's, and Coinbase's), which means that an attacker had succeeded in splitting them off, be on the split, and moreover, propose a different winning consensus on both halves.  Hard to pull off.

As to latency and outages, the whole idea is that the network doesn't propose a next consensus round, as long as most of the trusted participants haven't "checked off" this one within sufficient latency time.  One uses real world time, and a given sequence of events: a slot for sending proposals, a moratorium when they should propagate which is long enough for all network delays, a slot for sending acceptance, and a moratorium when these acceptance signatures should propagate.  There can be a whole network protocol to see what nodes are slow, spamming etc...  and eventually exclude them.  Point is, for sufficiently slow slices of time, for all practical purposes, network propagation delays are smaller than slot times and we can take it that for most nodes, proposals have arrived, and signatures of approval have been sent.

nokat tried this with Bitbean long ago, the other developers caught it and prevented it. Its not really possible in a practical situation. seeing you guys argue is like watching democrats and republicans. One side will NEVER concede to the other... At the end of the day POS still works and this sort of thing isn't going to take place.

I agree, and I bored of the argument.

Lets just agree the following:

* PoW uses a lot more energy than PoS, but is objectively more secure than PoS
* PoS can be secure if a majority of nodes remain online at all times

?

I half agree with that.  PoW uses an INACCEPTABLE amount of energy, to establish a kind of security that is not needed, and only becomes truly secure if half of human's production capacity of electricity and/or hardware is devoted to it.   Whenever much less than this amount is used for PoW (even if still extremely wasteful) the security of PoW is based upon limited game-theoretical arguments of benefits and costs to attackers, but the attack is provably possible, even if its "motivation" may be put into question.  Given this relativity of security in PoW, the HUGE waste and damage done to the environment most probably doesn't justify the relative limited security it procures.

PoW has a game-theoretical advantage as to the uniqueness of its consensus, but on the other hand, has, apart from its huge waste, also an evident problem of centralisation.

PoS can be for all practical purposes be secure, if we drop the strict requirement of absolute, offline trustlessness, which is in any case not a real practical case: everyone is obliged to put trust *somewhere*.  Especially in monetary affairs, where "belief in other's belief in value" is a fundamental issue.   There's no need for a "majority" to be online.  There's a need for a sufficiently decentralized, half-trusted set of entities to be online at any time.  In all human activities, trust is part of the game.  In as much as blind trust is foolishness, trustlessness is madness.  There's a compromise to be found in sufficient decentralization, while at the same time allowing sufficient trust in "known peers" in order not to diverge into impossible or impractical situations.   The winning system is the one that puts sufficient trust in reliable partners, while at the same time putting sufficient cross checks to avoid being gullible.  

Most of the problems of PoS come from the assumption that PoS needs to be rewarded in a similar way that PoW needs to be rewarded.  In fact, in as much as rewards are an essential feature of PoW (otherwise, nobody is going to do so), PoS is rendered less secure by rewards, because it stimulates otherwise honest consensus deciders to go to strategies to be awarded more rewards.

In my opinion, PoW is the right way to *create* coins (to burn seigniorage, and to limit price increase), but it is the wrong way to provide consensus (as it is too wasteful, and has automatic centralisation as a consequence).  Consensus is supposed to be quite straight forward: confirming the broadcast set of transactions, making a deterministic choice between double spend alternatives.  Apart from some limited network delays, it should be something most online nodes in the network can agree upon.  There's no need to go to extreme measures to do this.  

I know the argument of the "underground" kind of robustness.  Requiring to be publicly online is not exactly what one would consider a robust system that can survive government attacks and go underground.  The point is, a system that needs to spend 10 GW of power cannot go underground either.   Any large-scale financial system needs to be socially accepted - if it isn't, it will crumble in any case.  You can't need to consume 10 GW of power, hold a market cap of several hundreds of billions and be at the same time a half-secret underground grass roots thing.

I couldn't disagree more with that statement, but I'm not wasting any more time arguing this point.

It is true that the thing I argue for, is not the classical PoS.  Classical PoS that wants to play the same game as PoW has indeed a problem of principle, because both approaches are wanting to adhere to a property that is, when you think about it, quite crazy.  It is what I said before:

"suppose that an entity E is presented with a set of potential consensus propositions X (containing the "true one" A) and entity F is presented
with another set of potential consensus propositions Y (also containing A), how to make sure that both will elect A, assuming E and F don't trust anyone, and have no previous information (weren't online) ?"

In absolute terms, PoW can provide a solution, by spending more than half of planet earth's energy and hardware on the true consensus A.  Any set can only contain consensus documents with less PoW, so "maximum PoW" will elect this A for sure.    But this is madness.

If we define PoS in a very similar manner as PoW, that is, a block chain with rewards by stakers, to stakers in a similar way that PoW works, then there's no way to satisfy the above condition.  Indeed, if A was the "true" chain, there can be an infinite amount amount of different chains that can be just as well chosen.  Any selection procedure that picks "the best" chain out of a set, can be tricked in picking a chain that is different if you are allowed to propose chains.   I can make easily hundreds of chains that will all be preferred over the "true" chain, no matter what is the deterministic selection function.  This is the main reason why people say that PoS is not trustless secure.

Indeed, I can always make a new genesis block, giving me the first coins.  As I'm the only staker at that point, I can make the second block, and win coins.  I can now transact from myself to myself.  I'm still the only staker, but it looks like there's two of us.  And so on.  I can make an entirely new chain from scratch, and I'm the full owner of all coins. I could decide to transact to "real users" on the original chain. Depending on the deterministic selection function, I can steer that in such a way, that my chain will be preferable over the the original one, and that I and all my addresses, remain nevertheless stakers for all blocks according to the rules at hand.  As such, I can give myself a big chunk of coins, while leaving some of them to others.  If ever I publish this entire chain, all nodes should switch to it, and forget the original true chain.

However, we saw that PoW is only solving the issue when we accept madness: wasting more than half of humanity's energy on it.

So something has to give in.  Some trust must be allowed for.  If we accept trust in the genesis block, and a given client software, it becomes harder... but now, the founder of the chain has all the power to do what I proposed and/or if this genesis block is checked for in the software, the software signer can do so.  These guys can screw the entire system if they want to, but at least, ONLY they can do so.

But PoS as presented is not at the end of its problems.  Former owners of stake, that have transacted their coins later, and are, on the true chain, not stake holders, were potential stake holders in the past.  There are ways for them to construct a new chain from a point after they became legitimate owners, as stake holders, and so they can, as stake holders, remove the transaction where they weren't stake holder any more.  Of course, any sensible pseudo-random stake selector will try to avoid to allow same stakers to stake successively.  But as our former stake holder can put in new transactions of his former holdings (to himself), and is also winning new blocks, and can include or exclude as many other transactions as he wants to, he can tweek the stakeholder choice function (a pseudo random generator) in such a way, that nevertheless, he's allowed to make every successive block with all the stuff he has.  This requires some "proof of work", but you can easily see that if, say, in total, there are 1 billion potential stakers in the system, of which he holds, say, 100 addresses, you only need on average to try 10 million different configurations (order, date, whatever the pseudo random generator is sensitive to as source of entropy) to always have it fall on one of YOUR addresses "by coincidence".  So that's the PoW equivalent of a meagre "10 million hashes" or so, each time to "be lucky" and be allowed to be the next preferred staker.

This is why many people consider the bare bones PoS system to be profoundly insecure.  But that is because this kind of PoS imitates bitcoin's PoW, that mixes up coin creation, consensus voting online, and "consensus proof after-the-fact".   Pure PoS that way is simply not secure, and this is why people say that it is IN GENERAL not secure.

The first thing to remove, is coin creation.  As PoS doesn't require a huge effort, there's no reason to be rewarded a fortune over it.  In fact, this rewarding can actually induce you to try to attack the chain, just to be able to stake and reap in the rewards.  

The second problem, which is common with PoW, is the silliness of rewinding far back in time.  Uncertainty over reached consensus comes from splits of the group, so that two or more parts independently, and honestly, each come to a different consensus in their own partition of the group.  Whenever the group joins, one can only see that others came visibly according to the rules, to a different chain of consensus decisions.

If one defines an absolute consensus rule that has no notion of time, then this problem seems "easy": of different proposals, find the "best" one.  As I said before, no matter what PoS system, it is always possible to invent a "better" chain than a given one.  In as much as in PoW, the decision is easy (even though terrible for the part that truly lost) and the attack expensive, in PoS, pretending to be a "lost piece of network" and winning over everyone is easy.  

But this is in practice not thinkable.  The rule that one should accept a risk of attack and rewind over a long period, because of the theoretical possibility of a long net split, is stupid.  The net doesn't split in separate big parts for days of weeks - most probably not even  for tens of minutes, apart maybe catastrophic events.  As such, there is no reason to allow a "rewind" for a long period.  In reality, a network consensus can be reached in real time in a period of several minutes.  It is totally ridiculous to accept attacks that "redo past consensus" for long periods, when it is obvious to all parties online present, that this winding back is an attack.   This is also why many clients have "fixed points" in their code.  But this is nothing else but a very slow PoS kind of consensus, by a centralized signature, that of the dev.  
This is even something that makes PoW also much, much more secure.  Indeed, "overtaking the chain" in PoW usually takes time, unless one has an IMMENSE amount of extra PoW hardware over the rest of the network.  If there are "PoS" signatures of consensus that don't allow one to wind back, these attacks fail.  But then, instead of having such a clumsy and centralized way of "certifying past consensus by dev signature" in the code, it is much smarter to make this certification the real consensus fixing rule.  If, after a reasonable time lapse by which all network propagation times are largely taken into account, a network consensus is reached, it would be pure madness for an online entity to accept to wind back the consensus it witnessed, for many epochs, by some or other silly rule, in the same way that the devs will not re-consider their "fixed points in the past" in the code.

So my idea is that when one drops the unnecessary and illusionary requirements, and one looks at the practical mechanism of consensus, one can arrive at a much, much lighter and in for all practical purposes even more secure way to do things, avoiding the huge disadvantages of many current systems.

Not all are so poorly planned.

Proof of Work algorithm gives you the option to always get some coins.
In PoS system, early adopters hold the power forever, this is not a good long term strategy, since no body is perfect and nobody can be trusted.
In PoW everybody is equal in casting a vote regarding to time they joined the network, but still bounded only by the amount of electricity they have and since electricity can be traded, it means richest are the most powerful.
In PoS you can get bigger power to vote in two ways, you are an early adopter or you have a lot of coins currently. And since those coins can presumably be traded as well, that means the richest have most of the power in PoS as well.
So PoS has one more vector for reorganization, but the benefit of lower costs of the network.

I believe Bitcoin should stay PoW and I can't see a reason for it to make a switch. I don't believe security of it should be put on the risk for the benefit of saving some money. A natural system of who can bring more to the table is the best option we currently have to keep the blockchain safe.
 
I like you

I do not think so.They bought asics for million dollars, so they wouldn't support changes in bitcoin protocol.

It would be better that only small portion of bicoin goes for pos system that could be used for voting system to make and allow users to participate future decisions. It might prevent all those hard fork political movements/attemps, and there are such crypto currencies already like DECRED coin out there that has the pos +pow mechanism but it is not much popular as bitcoin.

Such dramatic changes will never be accepted.

In either system, you have to spend money to get coins, whether it's paying for energy and mining equipment or another person, doesn't really matter.  

That is incorrect. In PoS you don't need to spend money to get coins if you were an early adopter and had at one point more than half of the coins (or have a group of early adopters that together make more than a half of coins at that time). You can sell those coins and still retain the power to revert the blockchain to an earlier state when you had more than half of the coins. A new node will not be able to verify which blockchain came first as both seem to be valid and equal continuations from that point in history when this early adopter had majority of coins.

This is the loss of security with PoS. In PoW blockchain is bounded to time by verifiable work, in PoS there is nothing like that. History can be edited as nodes have to trust the primary source of those coins.

Bitcoin won't change. It doesn't have consensus among miners.

What is stake bitcoin

they need only money )))  :D

PoS will do nothing but shrink the value of Bitcoins.
You know why Bitcoins is the most valuable cryptocurrency of all? It's because people get paid for spending their electricity through mining (processing) the transactions using the computational power of their hardware. You may have already seen PoS coins before, don't you remember what happened to them?
If we decide to generate a very low amount of Bitcoins per year through PoS, new investors will not be able to buy because of less production as huge whales who possess a lot of bitcoins, are not going to release them in markets.
And if we generate a higher amount, that will also be harmful to its value as everybody will dump.
Whatever is going on, is good. So let it be. ;)

So POS is great instead of harmful POW, which been treat by Moore law at middle time.
One of POW utilization is third party notariat for POW, as I described https://bitcointalk.org/index.php?topic=2895120

I do not think Bitcoin is a risk. Because it is a coin that is really astonishing. A few days ago, Bitcoin prices had dropped a lot. And now it's getting faster again. And you eat it but prices like stock market decreases. No one can decide the exact price of Bitcoin. You are talking about risk, see almost all the risks there is less risk. If you do business at first, there will be a loss. Because the business type did not understand. So I want to say that there is a problem I have to believe in all the risks. It has to work with such mentality.

I was wondering, can a coin that hasn't been coded in POS, be coded later? Is the code of a token modifiable once it's published and verified on a blockchain or is it final?

I agree, I'd prefer bitcoin has PoS, even a small one. As long as it uses PoS in a decentralized way (no masternode which is semi-centralized), it will be fine. It will encourage more people to hold it.

Probably not since the number of Bitcoin that can be mined is limited and all of the miners who have been working PoW all these years likely won't suddenly agree to work PoS.

If bitcoin stays true to its ideal of being "trustless", it wouldn't move to PoS.
Because Proof of stake needs atleast some level of trust about who the validators are.  An entity can easily (relative to a 51% attack) fool others to believe in the malicious set of validators.

We are still far away from a full fleged implementation of PoS. Casper on Ethereum seems to be the best bet in the space. That too does budge from some ideals.
Given that, i think Bitcoin Maximalists won't make the move to PoS.

The energy consumption remains a valid concern. I don't think PoS is ready to be adopted to trade the security that comes with the energy burnt.

I agree, it seems that bitcoin does not require POS, I really salute with you although it is new but you have a wide enough insight, and able to make a fairly accurate argumen

It depends on what you define as the same coin. Certain changes in the protocol, like PoS, are what we call hard-forks.
A hard fork means that earlier clients will not be compatible with the new one and will end up on different blockchain.
If there is still a significant number of people using the old protocol, they might prefer to call coins on their blockchain with the same old name, although this wasn't always the case, like with Ethereum Classic.

So in short, you can change whatever you want, but people might debate about if it is still the same coin or not.

There is no way for PoS. Btc will be no decentralized with pos + miners, which bought a lot of acis for million dollars.

I think bitcoin will get to a height soon where mining will no longer be profitable for miners and will cause miners to abandon the network for other profitable mining . Bitcoin developers might consider other algorithm in new future.

 
I think they may not, for security purposes.PoS might lower the network security as block incentives tend to be rejected over time. this may inturn leave the network vulnerable,

secondly, PoS encourages monopoly as a single entity may take charge of most verification resources. if the monopolist retain control for long,
they might use it for malice thereby reducing the users' confidence in bitcoin. this will in turn reduce the purchasing power of bitcoin and consequently, the market value.

I do not think BTC will ever move to POS ... There will be different kinds of currency and Bitcoin Core / Bitcoin Cash will always stay proof of work where there will be other alternatives with different implementations.

Bitcoin won't change. It doesn't have consensus among miners

Maybe later there will be strong arguments for proof of stake in bitcoin. But for now we still need research and experience with current PoS coins. PoW is the safest way to have the confirmations at the moment.

I think Bitcoin won't change.

Isn't Proof of Stake the literal implementation of the rich get richer though? I suppose Proof of Work is the same, but it's a shame that it can't be implemented another way. Every public consensus algorithm seems to collapse to rich get richer by necessity :/

I have actually bought up the question of PoW limitations in another thread on this forum. https://bitcointalk.org/index.php?topic=2976071.0 (https://bitcointalk.org/index.php?topic=2976071.0)

I think first and foremost, the security of a protocol needs to be considered, a protocol is being susceptible to attacks or not is a binary measure of success.  I think we can all agree the PoW is a successful protocol on that front. PoS is yet to pass these tests with different permutations of attack that are possible (long-range attacks, etc.) [I have a feeling though, like PoW, PoS will become more secure as the ecosystem grows]. Secondary reasoning needs to consider how the protocol forms emergent behavior of all players in the game.

PoS and other solutions have risen in the wake of perceived issues with PoW in secondary reasoning. The perceived issue of PoW is that the computational demand scales with the hashing power of the network and becomes labor intensive. If there is any other issue with it, please tell me, because i have not considered it yet. But looking at this point, lets make an observation of the implications PoW has to the emergent behavior of players in the ecosystem.

the hashing power provided from the network is a choice of the miners who are all playing with game theoretic like behavior. They mine for profit they obtain from mining a block. the function for block profit can be described in the following function:

netProfit BTC = (block_reward + transaction_fees) - (electricity + misc_overheads)

there are two ways the block profit can scale:

• The value of BTC can increase
• The transaction fees become higher
• reduction of electricty cost via more efficient ASICS & reduction of misc_overheads

as per the bitcoin protocol, the block_reward will halve until the amount of circulating coins asymptotes to the maximum amount of possible BTC. at which point the function is: netProfit BTC =  (transaction_fees) - (electricity + misc_overheads)

As the profit they obtain from the block goes up, miners have more capability to invest and place more hashing power on the network (with the expected outcome being a higher probability that they will solve future blocks). From my observations, the miner's behavior is directly influenced by the profit of the block. Currently the bitcoin protocol is supplying the bitcoin ecosystem with BTC (12.5 supplied as a reward per block). This increases the block profit significantly, and therefore skews the behavior of the miner to increase hashing power. This is intentional from the Bitcoin protocol because it wants to incentivize the development of the infrastructure.

When the price determination of the market set BTC to $20,000USD, miners became more competitive to mine the block, I assume more ASIC machines were employed to provide huge amounts of hashing power (which was feasible with a BTC price of 20k given the winner is getting BTC12.5 + transaction fees). The large computational burden is actually a regulatory factor against the block netProfit function in a highly speculative market. The Bitcoin protocol wants steady progressive growth and development of the ecosystem and services.

So is this an issue for PoW? I would like to think, we are all here discussing this new technology because we are in it for the long run. Imagine a time when all the coins are effectively in circulation. the grossProfit would only consist of transactions_fees. This means a miner would only be able to place a feasible amount of hashing power based on the transaction_fees (this greatly simplifying the situation, but for explanation purposes, it will suffice). The transaction_fee value will be another game, played by the end users (people placing tx in the mempool).

the transaction_fee game:
choice: How much to put down as transaction fee
expected outcome: my transaction is on the next generated block

all end users playing this game will regulate the transaction_fee value with volume and demand. So this will govern the computational burden of the PoW approach. Unless I have missed something. At this point, I think PoW is working quite well in relevance to this topic.

I am up for critique on this observation. But i think we need to consider what are the reasons for saying PoW is inferior as i have seen in this thread. Its okay to say it, if we have all come to the same consensus. But until then we need to discuss it.

For the situation right now, i don't really think so i think that would really not fair specially for the new miners specially those not holder
Of bitcoins yet. It will be more favorable for the old time miners perhaps.

This is exactly my point that the reply above yours didn't take into account, as far as I can see (I read the whole reply slowly, but it got be a bit confused at the end).

PoW, other then higher security (this is indisputable I think, it is definitely higher), also provides a safe way of acquiring bitcoins. With PoS eventually it is possible for governments and other big players to hoard the coins, like some did with gold back when it was used as currency. This isn't an issue with the price, price would get even higher, the issue is that people will not be able to have any money, unless they follow the exact rules set by the government and these other big actors.

PoW provides a way to always enter the system, no matter what the state of it is. PoS would allow for many possible problems, including early adopters to revert blockchain to a state where they had a lot of money.

In my evaluation, PoS defeats the whole purpose of a blockchain and I would never accept it as a Bitcoin. It is the exact same problem that we already have with the current fiat system. There is no such thing as a fair distribution or a good government, there will always be corruption, the only way to battle this is remove power from them to do anything with our money and only PoW allows that in the most reasonable way possible. The one that brings the work is the one that decides, that is the idea.

No it's not. PoS sacrifices security and decentralization which are the core values of Btc.

Well if you want to see your stakes or bounty you can see the signature campaign, facebook campaign or ther campaign you joining you see in the spreedshet to that campaign so thaay is the proof of stakes in bitcoin

I don't know why people think about this when it's clearly stated that bitcoin is using POW instead of POS ahahaha  ;D

Yes why would you even want this? I can't comprehend.

I don't think Proof of Stake will work with something that's main purpose is to function as a currency or payment network. If you are talking about some other type of network simply trying to protect against DoS it could work very well and efficiently, but not for BTC blockchain.

Proof of Stake has been here for few years now, I can't really understand why Bitcoin didn't move away from mining to POS. Instead of paying the miners fees for doing transactions the fees could have been distributed among the bitcoin users through the means of staking. Also it would have helped Bitcoin become more decentralized.

PoW mining is attractive for people, whose goal is to manipulate the market. Pools, 51%+ of capacities are belonged to, have opportunities to dictate their own pricings and terms to another playes. While, if you are a whale of PoS-mining coin, you will be never interested in dumping market to set your rules, cause you would be the main investor with 51% of all the coins, and in case of network attack you would loose money as much as nobody. So, if we are talking about really decentralized economy model, where common people wouldnt depend on capacities manufacturers or market monopolists, prevalence of PoS-mining coins is just a matter of time  ;)

 :D :D :D you mean like only the bankers/miners having the BTC to finance the channels even if no money is moved in the account ledger?

Well, yes I guess you could call it proof of stake if Alice is not the Queen of England and Bob's is not even on the map
anymore https://lnmainnet.gaben.win/ and if the Lightning Network looks like this with just $55m washing around as they
test it then what will it look like when real customers move in.

Even if it would happen we would have a whole bunch of miners who would be staying on the "old" chain.

Costs from real world must be saved in bitcoin system, like costs of energy because it's real money. For example Proof of Stake can be use in Lightning Network.

Yet Ethereum was planning on implementing it later this year. But nobody knows exactly when this is going to happen but it has been discussed by the inventor and creator of Ethereum already.
So it is going to happen no matter what eventually.
They do not hide they are going to do this so to monopolize it cause it is targeted towards the business sector and the big banks was its core intention from the very start.

PoS on bitcoin is an interesting idea, but it will be very ambiguously perceived by the community. I think, serious work should be done to implement PoS.