Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: jonald_fyookball on April 23, 2014, 06:07:11 PM



Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on April 23, 2014, 06:07:11 PM
Hello.

Excuse the bump, but I would like an update on what
happened to these proposals.

Why hasn't the community decided to implement a
proof-of-stake element to guard against attacks?

Have other implementation proposals been written
besides the 2 in the wiki?

What would the drawbacks be from using POS?

Thanks.


Title: Re: Proof of stake instead of proof of work
Post by: grau on April 23, 2014, 06:12:50 PM
POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on April 23, 2014, 06:22:40 PM
Hmm... thanks.

POS is something I'm
just starting to learn about.

Perhaps you could expand on this.

Is what you are saying inherent to POS
in general, or just the implementations
suggested?

In POW, the longest-chain-wins is used
to force convergence.  Couldn't something
similar be used with POS, but POS is still used
to determine who wins the blocks?

Sorry if my reasoning is convoluted, this
is a new area for me.


Title: Re: Proof of stake instead of proof of work
Post by: grau on April 23, 2014, 06:29:01 PM
The consensus IS that the longest chain wins.

Length being defined as work spent to create it in case of POW.

If you would replace work with stake then the same stake could be expended at any alternate continuation of the current highest block at no cost, hence the whole consensus falters.

There might be useful areas for stake and people do explore that, but unlikely successful as an alternative to work.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on April 23, 2014, 06:31:50 PM
no one is saying replace entirely. hmm ok I will have to think about it.  thx.


Title: Re: Proof of stake instead of proof of work
Post by: Meni Rosenfeld on April 23, 2014, 07:46:18 PM
POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
If you examine the designs listed in the wiki (https://en.bitcoin.it/wiki/Proof_of_Stake), you'll see they're both resilient to this.

In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).

The same cannot be said about the alts that pass for PoS these days.
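
The double-signing rule described in the post above, sketched as an added example (not part of the thread and not code from any of the wiki designs). It assumes "conflicting" means two different blocks extending the same parent; HMAC-SHA256 with constructed demo keys stands in for a real public-key signature, and `SignedBlock`, `StakeLedger` and the addresses are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo keys. HMAC-SHA256 stands in for the public-key signature a
# real chain would use, so verification here needs the signer's key.
DEMO_KEYS = {"addr_alice": b"alice-demo-key", "addr_bob": b"bob-demo-key"}


@dataclass(frozen=True)
class SignedBlock:
    parent: str    # hash of the block this one extends
    payload: str   # stand-in for the block contents
    signer: str    # stakeholder address
    sig: bytes

    def block_id(self) -> bytes:
        body = self.parent.encode() + b"\x00" + self.payload.encode()
        return hashlib.sha256(body).digest()


def sign_block(signer: str, parent: str, payload: str, key: bytes = None) -> SignedBlock:
    """Sign a block with the signer's demo key (or an explicit key, for tests)."""
    key = DEMO_KEYS[signer] if key is None else key
    block_id = SignedBlock(parent, payload, signer, b"").block_id()
    sig = hmac.new(key, block_id, hashlib.sha256).digest()
    return SignedBlock(parent, payload, signer, sig)


def verify(block: SignedBlock) -> bool:
    key = DEMO_KEYS.get(block.signer)
    if key is None:
        return False
    expected = hmac.new(key, block.block_id(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, block.sig)


class StakeLedger:
    """Tracks voting weight and resets it when double-signing is proven."""

    def __init__(self, weights: dict):
        self.weights = dict(weights)
        self.first_seen = {}   # (signer, parent) -> first valid block seen
        self.evidence = []     # pairs of conflicting, validly signed blocks

    def observe(self, block: SignedBlock) -> bool:
        """Record a block; return True if it proves the signer equivocated."""
        if not verify(block):
            return False       # a forged block must not be able to frame anyone
        slot = (block.signer, block.parent)
        earlier = self.first_seen.setdefault(slot, block)
        if earlier.block_id() == block.block_id():
            return False       # first sighting, or the same block relayed again
        # Two different blocks on one parent, both validly signed: keep the
        # pair as referenceable evidence and reset the address's weight.
        self.evidence.append((earlier, block))
        self.weights[block.signer] = 0
        return True


def run_demo():
    """Feed a constructed block stream through the ledger."""
    ledger = StakeLedger({"addr_alice": 40, "addr_bob": 25})
    a1 = sign_block("addr_alice", "parent-100", "txs-A")
    a2 = sign_block("addr_alice", "parent-100", "txs-B")   # conflicts with a1
    b1 = sign_block("addr_bob", "parent-100", "txs-C")
    forged = sign_block("addr_bob", "parent-100", "txs-D", key=b"not-bobs-key")
    results = [ledger.observe(b) for b in (a1, b1, a1, forged, a2)]
    return ledger, results


if __name__ == "__main__":
    ledger, results = run_demo()
    print(results, ledger.weights)
```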


Title: Re: Proof of stake instead of proof of work
Post by: Dusty on April 23, 2014, 08:16:58 PM
That idea is good, very good.

Anyway PoS limits the participation to an oligopoly, while PoW is open to everybody, without distinction.

They are two very, very different models.


Title: Re: Proof of stake instead of proof of work
Post by: Meni Rosenfeld on April 23, 2014, 08:33:20 PM
That idea is good, very good.

Anyway PoS limits the participation to an oligopoly, while PoW is open to everybody, without distinction.

They are two very, very different models.
No, both PoS and PoW allow everyone to participate in exact proportion to their resources.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on April 23, 2014, 08:52:32 PM
POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
If you examine the designs listed in the wiki (https://en.bitcoin.it/wiki/Proof_of_Stake), you'll see they're both resilient to this.

In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).

The same cannot be said about the alts that pass for PoS these days.

Why then, do you think we haven't adopted it yet?


Title: Re: Proof of stake instead of proof of work
Post by: Dusty on April 23, 2014, 09:05:10 PM
No, both PoS and PoW allow everyone to participate in exact proportion to their resources.
No: you can't buy coins of the chain you want to mine if they are not for sale, whatever are your resources.

While you can build how many hashing power you want if you have the resources, and nobody, nobody, can't stop you.

The difference is quite abysmal.


Title: Re: Proof of stake instead of proof of work
Post by: Meni Rosenfeld on April 23, 2014, 09:16:50 PM
No, both PoS and PoW allow everyone to participate in exact proportion to their resources.
No: you can't buy coins of the chain you want to mine if they are not for sale, whatever are your resources.

While you can build how many hashing power you want if you have the resources, and nobody, nobody, can't stop you.

The difference is quite abysmal.
I should clarify that when I talk about PoS I mean only as a synchronization method. Every coin that uses PoS synchronization also needs some issuance method, and the best known issuance method is PoW. The problem with the PoS coins we see today is that they think that by using PoS they don't need PoW, so they use a broken issuance method instead.

For a proper PoS coin that uses PoW issuance, everyone can participate in "the game" by acquiring hashrate normally and minting new coins.

If you move forward in time past the original distribution, it is true what you say that to participate you need someone to sell you coins. But in practice coins are being sold on the market, so this is only a problem if someone tries to acquire a large amount - and that's not really a problem, since the most likely person to do this is an attacker. Therefore, I consider the difficulty to acquire a large voting power quickly an advantage.


POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
If you examine the designs listed in the wiki (https://en.bitcoin.it/wiki/Proof_of_Stake), you'll see they're both resilient to this.

In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).

The same cannot be said about the alts that pass for PoS these days.

Why then, do you think we haven't adopted it yet?
1. It's too big a change.
2. It doesn't work well with merged mining and alternative uses of the blockchain (a la colored coins).


Title: Re: Proof of stake instead of proof of work
Post by: Dusty on April 24, 2014, 06:03:17 AM
2. It doesn't work well with merged mining and alternative uses of the blockchain (a la colored coins).
I'm interested in understanding more on this point (why PoS is incompatible with colored coins), can you please elaborate?

Thanks :)


Title: Re: Proof of stake instead of proof of work
Post by: Jori on April 24, 2014, 08:01:49 AM
POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.

What attack could potentially be launched from mining multiple forks simultaneously? What would be the potential gain of someone doing that?


Title: Re: Proof of stake instead of proof of work
Post by: grau on April 24, 2014, 09:10:37 AM
The block chain is all about creating consensus on a history of events, by requiring miners to vote on any alternative continuation of history with a sacrifice of their limited resource.

Stake is simply not a limited resource on the alternate continuation of the present but equally existent in any of them. Therefore deploying stake (alone) is not suitable to enforce consensus.

The exploit is that someone with enough stake can unwind the history again and again at no cost until the continuation is the way he likes it. This obviously destroys the utility of the whole system.


Title: Re: Proof of stake instead of proof of work
Post by: Chillin_with_beer on April 24, 2014, 11:29:58 AM
Doesn't checkpointing prevent that? At some point in time the resources will be distributed enough to turn the checkpointing off. After that point, it will be extremely expensive to acquire 51% of the coins (and attack your own stake).


Title: Re: Proof of stake instead of proof of work
Post by: hashman on April 24, 2014, 11:40:20 AM
If you give out the new money to those who have the most already, you only exacerbate the problem of unequal distribution of wealth.  Haven't we learned our lesson there yet?   

 


Title: Re: Proof of stake instead of proof of work
Post by: grau on April 24, 2014, 11:42:50 AM
This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.


Title: Re: Proof of stake instead of proof of work
Post by: benjyz on April 24, 2014, 11:46:16 AM
Interesting discussion and a great thread.  It would be good to track the original concepts of PoS and all the proposals that have been made, expanding on https://en.bitcoin.it/wiki/Proof_of_Stake

problems mentioned in this thread were

1) bandwidth problem (Mike Hearn)
2) issuance problem (Meni Rosenfeld)
3) parallel vote problem (grau)

Quote
The block chain is all about creating consensus on a history of events, by requiring miners to vote on any alternative continuation of history with a sacrifice of their limited resource.

Yes. Of course this assumes that hashing power is in fact distributed. Which turns out is a big problem. The tie to hashing power is not some kind of natural law. It only is if one assumes that PoW is the only possibility to secure a blockchain.

Quote
The exploit is that someone with enough stake can unwind the history again and again at no cost until the continuation is the way he likes it. This obviously destroys the utility of the whole system.

I would distinguish between a 51% stake attack and failed consensus.

51% stake attack depends on the fact that others would not know somebody would have acquired that stake. Assume a PoS coin has a 1B$ marketcap. Now the attacker needs to buy 500M$ worth of coins. Such a cornering of the market would be quickly noticed in many different ways. On the other hand if 5 people own 100M$ each and meet in a room, they could corner the market in a much more subtle way. If 100 people with 10M$ would collude that would not stay a secret for too long. So there is a very interesting dynamic there ([3]).

This argument should be distinguished from the PoW tied to the history of the chain (failed consensus). Some ideas exist to tackle failed consensus, for example by randomizing the vote. Daniel Larimer recently suggested a delegation of vote (delegated PoS). Slasher was an earlier idea to tackle this [2] (which turns out to be not workable AFAIK).

[1] http://bitshares.org/security/delegated-proof-of-stake.php
[2] http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/
[3] Actually when the biggest bankers of the USA got together in 2008 that was a very real 51% attack. It helps if the secretary of the treasury is a former banking CEO.


Title: Re: Proof of stake instead of proof of work
Post by: TierNolan on April 24, 2014, 12:04:19 PM
Doesn't checkpointing prevent that? At some point in time the resources will be distributed enough to turn the checkpointing off. After that point, it will be extremely expensive to acquire 51% of the coins (and attack your own stake).

That's not why checkpointing exists (or at least not the only reason it persists).

The latest checkpoint is for block 279000.  This is the 6th of January.  

A reversal back to the 6th of January would be pretty devastating anyway.

Checkpoints give other advantages.

First, you don't need to verify the signatures for any transactions before the checkpoint.  This makes initial downloads faster.

Second, once you have downloaded the main chain, you can ignore any forks that happen before the last checkpoint.  This protects against an attack where an attacker sends you lots of low difficulty blocks.

If the node sent 1MB blocks from 1 to 1000, your node would have to store and forward them.  There would be no way to tell that they aren't from the main chain.  All nodes on the network would have to store them, just in case.  Generating these blocks would be easy, since they could be difficulty 1 headers.

With checkpoints, nodes can just ignore them and definitely not forward them.

The signature speed benefit doesn't require the checkpoint to be a hard checkpoint.  It could be advisory.  A block with a known hash at a particular height has been verified.

If the checkpoint was soft, then nodes could enter safe-mode if the main chain doesn't contain the checkpoint.  Miners would still mine the longest chain though, in order to prevent network splits.

The block spam attack is greatly weakened by headers first.  You don't actually download the blocks until you have verified the full header chain.  This means spamming 1MB blocks doesn't work.  If you send 1000 difficulty 1 blocks, then it only costs the receiver 80kB.  The receiver wouldn't even need to store them to disk.  

Even smaller proofs can be achieved using the "high hash highway" system.  This allows a short proof that your chain has a high POW.  A new node could just ask all peers to prove that their chain has high POW and then download from the one(s) with the highest proof.
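
An added example (not from the thread and not code from the Bitcoin reference client) of the headers-first check described above: link and verify proof of work on 80-byte headers before fetching any block, and refuse a chain that conflicts with a checkpoint. The anchor hash, tags and regtest-level nBits are constructed sample data, and difficulty retargeting is not checked.

```python
import hashlib
import struct

HEADER_LEN = 80            # version, prev hash, merkle root, time, nBits, nonce
HEADER_FMT = "<I32s32sIII"
REGTEST_BITS = 0x207FFFFF  # easiest target, so the sample headers mine instantly
ANCHOR = bytes(32)         # constructed stand-in for the hash of block 0


def dsha(data: bytes) -> bytes:
    """Double SHA-256, the Bitcoin block header hash."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand the compact nBits field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_work(bits: int) -> int:
    """Expected number of hashes needed to meet the target."""
    return (1 << 256) // (bits_to_target(bits) + 1)


def make_header(prev_hash: bytes, bits: int, tag: bytes) -> bytes:
    """Build a constructed sample header, searching the nonce until PoW holds."""
    merkle = hashlib.sha256(tag).digest()
    for nonce in range(1 << 32):
        header = struct.pack(HEADER_FMT, 1, prev_hash, merkle, 0, bits, nonce)
        if int.from_bytes(dsha(header), "little") <= bits_to_target(bits):
            return header
    raise RuntimeError("nonce space exhausted")


def validate_headers(raw: bytes, anchor: bytes, checkpoints: dict) -> tuple:
    """Validate a header-only chain on top of `anchor` (height 0).

    Returns (tip_height, total_work); raises ValueError at the first header
    that fails. Nothing larger than 80 bytes per block has been downloaded
    or stored at this point. Simplification: nBits is taken at face value
    and not checked against the retarget rules.
    """
    if len(raw) % HEADER_LEN:
        raise ValueError("truncated header stream")
    prev, work, height = anchor, 0, 0
    for off in range(0, len(raw), HEADER_LEN):
        header = raw[off:off + HEADER_LEN]
        height += 1
        _, prev_field, _, _, bits, _ = struct.unpack(HEADER_FMT, header)
        if prev_field != prev:
            raise ValueError(f"height {height}: does not link to previous header")
        block_hash = dsha(header)
        target = bits_to_target(bits)
        if target == 0 or int.from_bytes(block_hash, "little") > target:
            raise ValueError(f"height {height}: proof of work does not meet nBits")
        if checkpoints.get(height, block_hash) != block_hash:
            raise ValueError(f"height {height}: conflicts with checkpoint")
        work += header_work(bits)
        prev = block_hash
    return height, work


def build_chain(start: bytes, tags: list) -> bytes:
    """Concatenate freshly mined sample headers, one per tag, on top of `start`."""
    out, prev = b"", start
    for tag in tags:
        header = make_header(prev, REGTEST_BITS, tag)
        out, prev = out + header, dsha(header)
    return out


def build_demo():
    """Return (main chain, longer fork, checkpoints) as constructed sample data."""
    main = build_chain(ANCHOR, [b"main-%d" % i for i in range(1, 7)])
    checkpoints = {3: dsha(main[2 * HEADER_LEN:3 * HEADER_LEN])}
    # The fork shares heights 1-2, replaces height 3 and grows to height 8.
    shared = main[:2 * HEADER_LEN]
    fork_tags = [b"fork-%d" % i for i in range(3, 9)]
    fork = shared + build_chain(dsha(shared[HEADER_LEN:]), fork_tags)
    return main, fork, checkpoints


if __name__ == "__main__":
    main, fork, checkpoints = build_demo()
    print("main chain:", validate_headers(main, ANCHOR, checkpoints))
    print("fork, no checkpoints:", validate_headers(fork, ANCHOR, {}))
    try:
        validate_headers(fork, ANCHOR, checkpoints)
    except ValueError as err:
        print("fork rejected:", err)
```

Without the checkpoint the fork validates and carries more total work than the main chain, which is the hard-versus-advisory distinction the post draws.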


Title: Re: Proof of stake instead of proof of work
Post by: benjyz on April 24, 2014, 12:22:03 PM
Random coalitions to alter the past can be formed at no cost to those colluding.

It is however not clear at all what the cost of collusion is, very much depending on the system. The Byzantine general problem assumes there is a (small) fixed number of generals. Presumably the soldiers under the command of a general are not colluding. In Lamport's model there is no cost of communication between generals. The fact that the plans are also tied to the history makes the situation much more complicated.


Title: Re: Proof of stake instead of proof of work
Post by: Dusty on April 24, 2014, 12:36:48 PM
Doesn't checkpointing prevent that?
Checkpointing is a centralized solution.

The network should work well even without them.


Title: Re: Proof of stake instead of proof of work
Post by: AnonyMint on May 02, 2014, 01:58:20 AM
Proof-of-stake will never remain decentralized:

https://bitcointalk.org/index.php?topic=558316.msg6501774#msg6501774

Send all proof-of-stake currencies to the trashcan.


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 08, 2014, 08:09:41 PM
I've got an idea, and I'm wondering if it's been discussed/ripped apart here yet:

I'm wondering if as bitcoins become more widely distributed, whether a transition from a proof of work based system to a proof of stake one might happen.  What I mean by proof of stake is that instead of your "vote" on the accepted transaction history being weighted by the share of computing resources you bring to the network, it's weighted by the number of bitcoins you can prove you own, using your private keys.

For those that don't want to be actively verifying transactions, and so that not all private keys need to be facing the network, votes could be delegated to other addresses via some kind of nonstandard Bitcoin transaction.  In this way, voting power would accumulate with trusted delegates instead of miners.  New bitcoins and transaction fees could be randomly and periodically distributed to delegates, weighted by the number of votes they've accumulated, thereby incentivising diversity of the delegates and direct voters.

If the implementation could be done, it proved to maintain at least a similar level of privacy and trustworthiness, and it only minimally complicated the UX, I'm thinking that a proof of stake based fork could out-compete a proof of work one due to much lower transaction fees, since its network wouldn't need to support the cost of the miners' computing resources.  (Note that the vote delegation scheme has bandwidth/storage overhead that would offset these savings by some amount which would hopefully be relatively small.)

Some other potential improvements this system could offer:
  • Possibly quicker, more definite confirmation of transactions, depending on how it can be implemented.
  • The "voting power" may be more trustworthy, since it would accumulate in a bottom-up fashion via a network of trust, instead of in the somewhat arbitrary way it accumulates now.  (Note the potential problem of vote-buying here.)
  • It would remove the physical point of failure of bitcoin mining equipment, which can be confiscated or made illegal to run.
  • It could be used to provide stakeholders a means of making their voices heard (via the delegated voting system it establishes) when it comes to proposals for software updates and protocol changes.

Anyway, I just wanted to throw the idea out here to see if there are any obvious reasons why it couldn't be implemented, and to hopefully spark a discussion amongst those better qualified than me.

Cheers.

The idea of PoS after full adoption is interesting. Don't forget that currently all PoS approaches suffer from the nothing at stake problem. If the longest chain is based on biggest stake hashing an early adopter that sold can recreate the chain from the beginning and reverse his sale. Also it is easy to double spend instant transactions since someone can keep trying without losing the stake. Still many questions are unanswered by PoS proponents that need to be resolved. As of now no solution is addressing these problems.


Title: Re: Proof of stake instead of proof of work
Post by: bitbadgerPoS on May 09, 2014, 06:47:22 AM
I have proposed a solution which I believe would eliminate some of the problems with existing PoS systems.  I call it Proof-of-Connection.

https://bitcointalk.org/index.php?topic=553414

Basically, this system requires "ping" transactions to be submitted to the network at random intervals.  A wallet node must be connected to the network in order to receive the trigger for these transactions, and to be able to send them.  Upon successful inclusion of these PoC transactions into a block, that address's Stake-Days are reduced to 0, but their stake earnings are paid out to them in the coinbase transaction for that block.  Of course, mining a PoS/PoC block will also reset your Stake-Days to 0.  Most importantly, your Stake-Days will ALSO be reduced to 0 if you DON'T send the PoC transaction in a timely manner.  So you will not be able to let your coins lie dormant and let your Stake-Days accumulate without being connected to the network.  You MUST be actively connected in order for your stake to accumulate.

I believe that this effectively prevents the Stake Accumulation problem.  No matter what, your Stake-Days will be reduced to 0 on a regular, random basis.  This should require a true 51% coin holdings in order to successfully pull off a 51% attack.

Furthermore, the PoC concept can be used to implement a rough time-synchronization enforcement.  In this paradigm, the timestamp can be moved forward a small amount, but never backwards.  The timestamp of the most recently generated block will serve as a reference to all connected nodes.  By sending the PoC transactions, nodes indicate their acceptance of this timestamp, and start counting up from that point.  It is understood that transactions not matching the current timestamp within X allowed variance, will be discarded.  It is understood that new blocks not matching the current timestamp within X allowed variance, will be discarded.  This is needed because of the way that PoS mining works.  The nonce used for block generation is based on the timestamp.  One nonce per second.  If people are able to manipulate time and create blocks with timestamp (nonce) far out into the future, it essentially turns into a PoW coin, because people could increment the seconds an arbitrary length of time until they find a block.  If their hardware is very fast, it would be easy to mine block after block.  A basic sanity check on the timestamp prevents this from occurring, and the only way to implement a basic timestamp sanity check is to require some level of clock synchronization.

If two competing blocks with roughly the same timestamp are generated, the one with more Stake-Days Destroyed will be chosen.  (Note, as is discussed in the linked thread, Stake-Days are not destroyed when simply sending coins in a standard transaction, as in Peercoin.)

A further refinement (not yet posted in the linked thread) is that the successful miner/minter of a block will obtain transaction fees based not only on the standard transactions, but also on the PoC transactions included in their block.  This incentivizes them not to discard PoC transactions.  These fees are true transaction fees for standard transactions, but the PoC transaction fees are generated in the coinbase transaction.  Yes, this means that somebody with a tiny amount of coins could potentially earn a multiple of their current holdings through transaction fees.  However, they would have to be very lucky, as their Stake-Days will always be very small, thus raising their effective PoS mining difficulty.


Title: Re: Proof of stake instead of proof of work
Post by: coopbody on May 10, 2014, 01:42:22 PM
I think it can not be called replacement, the development direction of POW in future will likely will be force output to computing projects intentionally, and can produce results, will only stay a part to ensure the network running.
This may be a good direction for the future, the road is own pow coin.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 10, 2014, 08:16:12 PM
Doesn't checkpointing prevent that?
Checkpointing is a centralized solution.

The network should work well even without them.

Yeah. That is the reason why Bitcoin uses checkpointing: https://bitcointalk.org/index.php?topic=558316.msg6520315#msg6520315


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 10, 2014, 08:19:22 PM
No, both PoS and PoW allow everyone to participate in exact proportion to their resources.
No: you can't buy coins of the chain you want to mine if they are not for sale, whatever are your resources.

While you can build how many hashing power you want if you have the resources, and nobody, nobody, can't stop you.

The difference is quite abysmal.

Yes, but in another sense than you think.

Hashing power can be introduced at will and without any control of the network. That is pretty bad IMHO.

Stake cannot be introduced afterwards AND if so the network controls it and can react.


Title: Re: Proof of stake instead of proof of work
Post by: hashman on May 11, 2014, 07:13:08 PM

Hashing power can be introduced at will and without any control of the network. That is pretty bad IMHO.


There was a coin where the network had no control concerning newly added hashing power.  It was called liquidcoin.  Typically a difficulty adjustment algorithm takes care of that :) 


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 11, 2014, 07:23:00 PM
There was a coin where the network had no control concerning newly added hashing power.  It was called liquidcoin.  Typically a difficulty adjustment algorithm takes care of that :) 

Takes care of what? The difficulty cannot change the proportion of consensus power within one network.


Title: Re: Proof of stake instead of proof of work
Post by: gmaxwell on May 11, 2014, 09:52:44 PM
Yeah. That is the reason why Bitcoin uses checkpointing
No, if you'd bothered to do some research you'd find out that checkpoints solve a number of boring DOS attack weaknesses which are better— though less simply— solved with a more intelligent fetching architecture. They also solve some initialization isolation attacks, which are better solved with threshold difficulty. I expect that once we've merged headers first we'll drastically reduce or eliminate the role they play in the reference software.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 12, 2014, 05:31:33 PM
No, if you'd bothered to do some research you'd find out that checkpoints solve a number of boring DOS attack weaknesses which are better— though less simply— solved with a more intelligent fetching architecture. They also solve some initialization isolation attacks, which are better solved with threshold difficulty. I expect that once we've merged headers first we'll drastically reduce or eliminate the role they play in the reference software.

What is your opinion about that paper I referenced?

(http://www.links.org/files/decentralised-currencies.pdf)


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 12, 2014, 07:56:36 PM
No, if you'd bothered to do some research you'd find out that checkpoints solve a number of boring DOS attack weaknesses which are better— though less simply— solved with a more intelligent fetching architecture. They also solve some initialization isolation attacks, which are better solved with threshold difficulty. I expect that once we've merged headers first we'll drastically reduce or eliminate the role they play in the reference software.

What is your opinion about that paper I referenced?

(http://www.links.org/files/decentralised-currencies.pdf)

What you are referring to is a Proof of stake problem and not proof of work.

Assume the current mining infrastructure for bitcoin is 1 billion. Say the attacker buys 1.1 billion worth of equipment. For someone to make a profit is to be able to sell 12 million coins on the markets and recover more than 1.1 billion (plus something to cover the hashing power that came from transactions). So the rational attacker needs to take the expected profit into account. Bitcoin has much less liquidity to even recover 200million.

On top of that long term this is not an issue when transaction rewards are higher than block rewards because the attacker does not gain from transactions hashing power.


On the other hand for proof of stake, an early adopter can have let's say 10% and sells that early. Now let's say the current minting stake of a proof of stake coin is 5%. It means that the early adopter who sold and doesn't care about the pos coin creates a parallel chain that eventually will be stronger than the current chain. In a decentralized consensus system you have to accept the stronger chain. That the early adopter produced. In particular any group of people that sold can gather and produce a stronger chain and profit. And this attack has zero cost for early adopters that sold. Whatever the attacker gains from selling is a net profit.

Anyone can create a bitundo type of pool gather investors who sold the coin and have X+1 stake where X is the current stake hashing and attack. That will be pure profit and someone might do it.

 Compare that with the pow attacker who possibly will have a loss due to the equipment cost and amount he can recover.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 15, 2014, 08:20:47 PM
Quote
What is your opinion about that paper I referenced?

(http://www.links.org/files/decentralised-currencies.pdf)

What you are referring to is a Proof of stake problem and not proof of work.

The paper is about Bitcoin. So, it is definitely about proof of work.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 15, 2014, 08:32:07 PM
This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.

The same works for Bitcoin, too.

Why do you insist on defining a mining rig differently from a PoS token?

If bitcoin miners collude, they could alter the past.
If Nxt forgers collude, they could alter the past.

I see no difference.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 15, 2014, 08:42:49 PM
This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.

The same works for Bitcoin, too.

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins. 

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

Quote
If bitcoin miners collude, they could alter the past.

Sure they can, however there is a cost to that attack and there is something at risk which they lose if they fail.  With PoS you can attack the network for "free" using something you had but no longer do.  It is very hard to secure against an attack where the attacker can do so at any time without any cost and without any risk.


Title: Re: Proof of stake instead of proof of work
Post by: AsymmetricInformation on May 15, 2014, 09:20:12 PM

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins. 

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.

Beautifully explained, as always.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 15, 2014, 09:25:15 PM
They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.

(No matter if PoS or PoW)
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 15, 2014, 09:46:41 PM
Quote
Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.

It is more than a "property" it is an as of yet unresolved problem.  There is no security in PoS unless it is resolved.

Quote
(No matter if PoS or PoW)

Um, well no. I can't mine using computing power I no longer have (but did have at one point in the past).


Quote
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.

The cost to the attacker is absolutely zero.  If he can gain anything more than zero he has everything to gain and nothing to lose.   It would destroy confidence in the PoS currency you are correct especially when it happens over and over and over without end.  That is why it is the PoS problem.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 15, 2014, 09:58:41 PM
Quote
Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.

Quote
It is more than a "property" it is an as of yet unresolved problem.  There is no security in PoS unless it is resolved.

Let me restate my question. Why should a node 100000 blocks ahead accept a blockchain re-organisation?

Quote
(No matter if PoS or PoW)

Um, well no. I can't mine using computing power I no longer have (but did have at one point in the past).

Our mining rigs destroy themselves? I doubt it.

Quote
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.

The cost to the attacker is absolutely zero.  If he can gain anything more than zero he has everything to gain and nothing to lose.   It would destroy confidence in the PoS currency you are correct especially when it happens over and over and over without end.  That is why it is the PoS problem.

Well, as I said this is true for PoS and PoW. Trying to destroy would definitely diminish confidence in the cryptocurrency as such no matter if PoS or PoW.

Your statement about 'no cost' is true as well.

However, the huge advantage of PoS is: the network controls the consensus power and the network can punish the bad guys. I would call this the PoW problem as the consensus power can easily be introduced from outside without any control whatsoever.


Title: Re: Proof of stake instead of proof of work
Post by: jubalix on May 15, 2014, 11:13:56 PM
This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.

The same works for Bitcoin, too.

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins.  

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

Quote
If bitcoin miners collude, they could alter the past.

Sure they can, however there is a cost to that attack and there is something at risk which they lose if they fail.  With PoS you can attack the network for "free" using something you had but no longer do.  It is very hard to secure against an attack where the attacker can do so at any time without any cost and without any risk.

does this quite follow?

To POS mine you have to have the coins now in your possession. The fact that you have spent them [according to your scenario] means you can no longer mine with them in a proper POS setup. E.g., spent coins, for you can not anymore accumulate coin age.

Thus your mining power = 0.

On another point, NXT appears to be 100% POS and has not been forked or hacked by anyone to date. Further, it appears that the network swiftly punishes miners that try to undertake dubious activity, like producing dodgy blocks.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 15, 2014, 11:31:56 PM
I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 15, 2014, 11:41:36 PM
Quote from: jonald_fyookball
I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.

So on a hypothetical coin say in block 4,000 I (or a cartel of attackers) had more than half of the network stake.  We sell these coins (exchange, p2p trades, spending, etc) and as of block 4,001 the cartel has no coins however in block 4,000 we did.   So despite the fact that the main chain is growing and may be ahead starting from block 4,000 and with over half of the network stake it is a mathematical inevitability that the attack chain will be longer.  We double spend the sales in block 4,001 and eventually we will have a longer chain at which point it is published to the network, the network reorgs and we performed an attack with 0 cost and 0 risk.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 15, 2014, 11:43:35 PM
On another point, NXT appears to be 100% POS and has not been forked or hacked by anyone to date. Further, it appears that the network swiftly punishes miners that try to undertake dubious activity, like producing dodgy blocks.

All PoS coins (including NXT) prevent this "history attack" by centralized checkpoints.  The developer has absolute control over the network.   If centralized checkpoints were removed it would be beyond trivial to attack the network with no risk and no cost.   So PoS "works" as long as you want a centrally controlled and secured "decentralized" currency.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 15, 2014, 11:53:38 PM
Quote from: jonald_fyookball
I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.


True. In both cases a majority ownership either in stake or hashing power would make an attack possible. 
But how does that make PoS inferior ?


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 15, 2014, 11:58:15 PM
Quote from: jonald_fyookball
I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.


True. In both cases a majority ownership either in stake or hashing power would make an attack possible.  
But how does that make PoS inferior ?

The attack has no cost or risk.  

Very simplified example:
The network stake is 2M xCoins.
I acquired 1.1M xCoins as of block 1,000.
I sell you 1.1 M xCoins for $$$$$$$ and the transfer is recorded in block 1,001.
I now no longer have any xCoins (effective block 1,001+), I have no cost as I received $$$$$$ in return for the 1.1M xCoins.
I start building an attack chain as of block 1,000 double spending my transfer.

Eventually even if the main chain has a head start, my attack chain will be longer.  This is no different than a 51% attack on a PoW based network however my attack has no cost and no risk.   I already sold the coins.  I am merely using my history of prior ownership to attack the network.

Compare that to PoW.  I build a hashing farm with 51% of network capacity.  If I attack with it then the attack has cost and risk.  The farm wasn't free, I may not succeed in which case I would lose all the legit blocks I could build.   If I sell the hashing farm I can't engage in an attack based on the history that at one point in the past I had more hashing power than the rest of the network.

Both are vulnerable to a 51% attack however PoS allows the attacker to exploit the history (your security mechanism is recorded in the very thing you are attempting to secure) to attack without cost or risk.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 12:03:08 AM
Doesn't it depend how far ahead the network is and how many transactions are going on?

Let's say that in your example, 100,000 coins trade hands daily.
That means in 11 days, there would be more coin days than you have.
You only have 1.1 million coin days assuming you had your coins for a day.



Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 12:13:42 AM
Doesn't it depend how far ahead the network is and how many transactions are going on?

Transactions destroy not create coins days so not getting your point on that.  

I guess you may be indicating that while in theory with >50% of the hashpower (or stake) the attack chain will become the longest chain, that there are some practical limits on the attacker based on the attacker's share and the block deficit.  That is correct.   Still this is no different than PoW.  While we call it a 51% attack, the attacker probably isn't going to attack with 50% + 1 hash of the total hashrate.  If starting behind say 10,000 blocks with a 50% + 1 hash while in theory one would eventually catch up (given an infinite amount of time), the attacker's margin of a mere 1 hash per second combined with the effect of variance and the large block deficit means it could be a very long time (potentially centuries) before the attacker passes.  Related to that, the attacker can never be sure the network hashrate (or network stake) won't increase.  In the dubious 50% + 1 hash example, if the hashrate of the network rose by a mere 2 h/s (hashes per second) the attacker would never catch up.   So while we say "51%" attack, in the real world no attacker is going to perform an attack with such a small margin, if you got that kind of resources, planning, and capabilities you are going to smash the network with an attack that gives you a comfortable margin (say a 70% attack).

Coming full circle in this respect PoS and PoW are no different.  The major difference is I can't attack the Bitcoin network based on the history that at one point since the genesis block I had (past tense) >50% of the network hashrate.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 12:27:42 AM
oops, yeah that was a bit of convoluted thinking as far as the example,
but you get my drift.

Point is, PoS attack would have limitations and you would only
have a window of time to manipulate the ledger.  If you had
initially held your coins for a long time, you could try to
do a double spend, but you could only do it once because
after that you would have much less coin days.  Any scenario
that you tried to rewrite history by sending your coins to other
addresses would leave you with low number of coin days.

Another difference between the Pos and PoW is that
if you wanted an ongoing monopoly, it gets potentially more
expensive with PoS, because you would have to keep buying those
coins back, whereas with PoW, once you own the mining gear,
you can just keep using it to stay on top.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 12:36:06 AM
Well the PoW attack has the same "window" and limitations.   It isn't a difference they are exactly the same.  In either system with a large enough stake or enough computing power you could build a longer chain all the way back to the genesis block.  Since you don't know how much stake a cartel of potentially unlimited number of people have ever had since the genesis block, no amount of blocks can be deemed safe (just like with PoW).

Remember the whole point of waiting for a certain number of confirmations is that, assuming the attacker doesn't have more than half the network resource (computing power or stake), the probability that a transaction can be reorged rapidly approaches zero.  However if the attacker has more than half there is no number of blocks that are safe.   There are practical limits if the attacker is just barely ahead but we don't know for sure that is the case.  The attacker may have a massive advantage in resources (computing power or stake).   So 6 blocks, 100 blocks, 10,000 blocks there is no point where you put the probability of a reversal below say 0.1%.   To do that you would need to know the upper bound of the attacker's resources which is unknown.

Also the attacker doesn't need to buy more/new stake.  I think you are forgetting that both for the attacker and the legit miners coin days are both accruing and being destroyed.  There is no difference, they are in equilibrium.  If the attacker has more than half the network stake then the attacker's attack can continue forever.  Just like an attacker with more than half the computing power can continue an attack forever and eventually the attackers chain will be longer.  Once again this is no different than PoW.

The one massive difference, is that in a PoS system you have the ability to attack without cost or risk.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 12:43:13 AM
As for needing to buy more coins you seem to forget that the age of the attacker's stake is continually being replenished (just like anyone's stake).  If the attacker has more than half the network stake then the attacker's attack can continue forever.  Just like an attacker with more than half the computing power can continue an attack forever.  Once again there is no difference there.
 

I think that really depends on how the PoS is implemented.  (How are the coin "days" being timestamped/calculated?)  If you initially spent your coins on Jan 1,
and then on Jan 5th tried to rewrite history, you wouldn't be able to do it forever if other coins are getting older as the month goes on, and the network
is aware of this.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 12:49:18 AM
As for needing to buy more coins you seem to forget that the age of the attacker's stake is continually being replenished (just like anyone's stake).  If the attacker has more than half the network stake then the attacker's attack can continue forever.  Just like an attacker with more than half the computing power can continue an attack forever.  Once again there is no difference there.
 

I think that really depends on how the PoS is implemented.  (How are the coin "days" being timestamped/calculated?)  If you initially spent your coins on Jan 1,
and then on Jan 5th tried to rewrite history, you wouldn't be able to do it forever if other coins are getting older as the month goes on, and the network
is aware of this.

I think you may not understand how PoS works.   It isn't oldest coin wins.   

For the attacker.  Coin age of stake is reduced when blocks are created.  Coin age increases with time.
For the "good guys".  Coin age of stake is reduced when blocks are created.  Coin age increases with time.

It isn't like coin age only declines or coin age isn't reduced for the good guys when they mint new blocks.  If the attacker has more than half of the network stake then he WILL outrun the legit miners.  I mean saying "it really depends" is like saying PoW is immune to a 51% attack it just really depends on how you do it.

PoS Axiom: If the attacker has more than half of the network stake he will eventually create the longest chain.
PoW Axiom: If the attacker has more than half of the network hashrate he will eventually create the longest chain.

We can make it generic for a  Proof of X system.
PoX Axiom: If the attacker has more than half of the critical resource he will eventually create the longest chain.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 01:00:56 AM
Yeah but the problem with this model is that
the critical resource gets used up when you
move the coins.

In PoS, you lose your stake (you lose coin days),
when you do a double spend, versus in PoW,
you do not lose your critical resource.

Example:

Dec 21: You buy 1.1M coins.
Jan 1: You have 11M coin days.
(assume the network also has 10M coin days)

You sell your coins.  Now you have 0 coins, 0 coin days.

Jan 5th: assuming nothing else moved to simplify the example,
the network now has 15M coin days,
you try to rollback your node's activity
to Jan 1st, and send the coins to yourself.
(double spend)... On your version of
the chain, on Jan5th, you now only have
5.5M coin days, but the network has still 15M.

(BTW, I'm not proclaiming there is any magic bullet here
for either system)


 


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 01:09:44 AM
What?  The attack chain would be started prior to when the coins were sold.  The attacker starts from Jan 1 when it has 11M coin days (more than 50% of the total network stake) it wouldn't pick a date/block which reduces its stake.  It is like saying in PoW the attacker sells coins in a tx in block 1000 now if the attacker builds an alternate chain from block 1,001+ then the tx can't be double spent.  Well of course it can't but the attacker is going to decide where to build the attack chain from.  How about block 999.

I don't think I can explain it further and responses like the last three make me think you are still thinking the mechanics of a reorg to double spend in PoS is somehow different than the mechanics to reorg a double spend in PoW by some undefined reasons.  They are identical.  I am going to take a break.  I think at this point further responses aren't going to be effective.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 01:21:31 AM
What?  The attack chain would be started prior to when the coins were sold.  The attacker starts from Jan 1 when it has 11M coin days (more than 50% of the total network stake).  The attacker is rewriting history.  In the attackers chain the transaction selling the coins never exists.   It is double spending that event in its history.  Otherwise what would be the point, to make a parallel but otherwise exactly identical chain?  It is like saying in PoW the attacker sells coins in a tx in block 1000 now if the attacker builds an alternate chain from block 1,001+ then the tx can't be double spent.  Well of course it can't but the attacker is going to decide where to build the attack chain from.  How about block 999.

I don't think I can explain it further and responses like the last three make me think you are still thinking a reorg to double spend in PoS is somehow different than a reorg to double spend in PoW by some undefined reasons.  They are identical.  I am going to take a break.  I think at this point further responses aren't going to be effective.

I will have to think about this more, and I apologize for the confusion.

However, please note:  I wasn't saying you can't double spend.
I'm saying you can't do multiple double spends because of
the coin days.  Yes you would do the attack back on Jan 1
before you spend the coins initially, but after that, you are
out of coin days.

Tell you what:  Give me an example scenario where you
can double spend a large number of coins MORE THAN ONCE,
and I'll be satisfied. :)



Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 03:15:39 AM
Tell you what:  Give me an example scenario where you
can double spend a large number of coins MORE THAN ONCE,
and I'll be satisfied. :)

Um that isn't the standard.   The attacker has just double spent the network and defrauded buyers of the coins.   Saying "well he can't do more" is really moving the goal posts wouldn't you say.

Still it would seem you missed the obvious.  The scenario started with the attacker having 11M coins.   The scenario ends with the attacker having 11M coins (plus the value stolen from the value of the double spend).  There is no reason the attacker can't repeat the cycle all over again as many times as he wishes (as long as he has half the network stake).  Each time it will cost him nothing and he will have nothing at risk.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 03:32:10 AM
Yes I missed that.  :-[ Obvious now, Ty. 

I do remember reading something where a coin could defend against even a 90% attack although I don't recall what it was.




Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 04:15:55 AM
Yes I missed that.  :-[ Obvious now, Ty.  

It gets worse the more you think about it.  An attacker could acquire coins (if he didn't already have them) by buying private keys which have no coins today but which had significant balances at one point in the past.   Imagine you at one time had 100,000 peercoins but no longer have any.  The private keys are worthless to you but to an attacker which intends to rewrite the chain back from that point they may have some value.  So he gives you 100 PPC equivalent for the private keys which "had" 100,000 PPC.  In this case the attacker isn't attacking for free but he is doing so at very low cost.  He doesn't even need to have already owned or buy up a significant stake and then try to sell them off before the attack he can just attack for millibits on the coin.


Title: Re: Proof of stake instead of proof of work
Post by: hashman on May 16, 2014, 09:08:37 AM
Yes I missed that.  :-[ Obvious now, Ty.  

It gets worse the more you think about it.  An attacker could acquire coins (if he didn't already have them) by buying private keys which have no coins today but which had significant balances at one point in the past.   Imagine you at one time had 100,000 peercoins but no longer have any.  The private keys are worthless to you but to an attacker which intends to rewrite the chain back from that point they may have some value.  So he gives you 100 PPC equivalent for the private keys which "had" 100,000 PPC.  In this case the attacker isn't attacking for free but he is doing so at very low cost.  He doesn't even need to have already owned or buy up a significant stake and then try to sell them off before the attack he can just attack for millibits on the coin.


:o   !

Wow, thanks DaT..  for getting me all paranoid.  I guess this is avoided in PoW by difficulty weighting.  In other words, if I say here take a look at my big chain 400,000 blocks also starting from the same satoshi genesis that I produced in 1 hour falsifying timestamps, this is longer than the current chain use me!   a node would say:  yeah great, but the difficulty was 0.001 the whole time that is not really a longer chain than our current BTC chain.  At least, I sure hope that's in the code.     

Unfortunately stake difficulty doesn't represent real work so it can always be faked in a reorg going back to some substantial early stake as you point out to us.



Title: Re: Proof of stake instead of proof of work
Post by: Dusty on May 16, 2014, 10:14:42 AM
Quote
Wow, thanks DaT..  for getting me all paranoid.  I guess this is avoided in PoW by difficulty weighting.  In other words, if I say here take a look at my big chain 400,000 blocks also starting from the same satoshi genesis that I produced in 1 hour falsifying timestamps, this is longer than the current chain use me!   a node would say:  yeah great, but the difficulty was 0.001 the whole time that is not really a longer chain than our current BTC chain.  At least, I sure hope that's in the code.

Yes: the best chain is selected not for its length but for the amount of work it carries with it.


Title: Re: Proof of stake instead of proof of work
Post by: oakpacific on May 16, 2014, 10:33:23 AM
The cost(work) it takes to produce a PoS chain, is the cost it takes to duplicate("fake") one, that's probably all there needs to be said about it.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 01:45:34 PM
Maybe this is just another half-baked idea, but couldn't the PoS be implemented in such a way that once a certain number of blocks are in place, the time stamp is verified and you can't go back and build a longer chain?

For example, Jan 1 you spend 1.1M coins.
Jan 5th, you try to build a longest chain starting
from Jan 1, but no nodes will accept it because
it's too far in the past.

This is what I meant by implementation.

I think nxt might do this with a 12 or 24 hour period.
I guess the flip side is that that is a long confirmation
period.  But at least you couldn't tear down the chain
back to the genesis block.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 03:57:30 PM
Maybe this is just another half-baked idea, but couldn't the PoS be implemented in such a way that once a certain number of blocks are in place, the time stamp is verified and you can't go back and build a longer chain?

This works if all nodes learn of blocks in real time as they occur. What about nodes that are offline at the time the blocks are created?  Say you are offline and when you come online you learn of two chains A & B.  A is longer.  Since you have no knowledge that B occurred "first", you use "A" as the primary chain.  However what you don't know is that most nodes are using B because it occurred "first".  The network had forked because chain selection is no longer uniform among nodes.  A new variable has been added which is not consistent for all nodes.   From this point of view a new node is very similar to an offline node except it has been offline since the genesis block.

The fact that it becomes trivially easy to fork the network is an attack in itself.  The attack can be extended to double spend for financial gain.  Isolation attacks are always a risk in p2p networks however in "longest chain wins" as the sole rule for consensus they are reasonably difficult as if the victim node connects to any non-attack node they will learn of the longer chain.   If this rule is not enforced (i.e. most of network favors "B" even though it is shorter) then an attacker can "isolate" a node coming online by simply connecting to it.  Even if the victim node is connected to other non-attack nodes it will pick A over B and be isolated from the majority of the network because the chain selection is not consistent across all nodes.   Once a node is on chain A the attacker can double spend the victim, waiting for 6, 12, 20,000 confirmations is insufficient to ensure a transaction is valid.

It is often a good idea to step back and consider WHY we use a blockchain.  The blockchain is a timestamp mechanism.  It is used because no other decentralized provable timestamping system exists.   If we could prove which chain was made first we could also prove which transaction was created first.   We wouldn't even need a blockchain or confirmations.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 04:28:53 PM
Wow, thanks DaT..  for getting me all paranoid.  I guess this is avoided in PoW by difficulty weighting.  In other words, if I say here take a look at my big chain 400,000 blocks also starting from the same satoshi genesis that I produced in 1 hour falsifying timestamps, this is longer than the current chain use me!   a node would say:  yeah great, but the difficulty was 0.001 the whole time that is not really a longer chain than our current BTC chain.  At least, I sure hope that's in the code.

It is.  The phrase "longest chain" is just used because "chain with the largest sum of the difficulty of the blocks in the chain selected among all valid chains" becomes a lot to write.  It is trivial for nodes to make this selection because difficulty is encoded in the block header and validated at the time the blockheader is validated.  Nodes simply sum the difficulty of the blocks in the chain and compare it to other chains to pick the "longest".

As a side note the network also enforces the difficulty change rules. Difficulty can't be less than 1 and is recomputed every 2016 blocks.  A block with invalid difficulty is invalid.  The timestamp of the genesis block is hardcoded in clients.   To keep the difficulty at 1 would require that the time between blocks remain 10 minutes.  While an attacker can fake timestamps he can't use an incorrect difficulty. So to have a chain of 300,000 blocks @ difficulty 1 would require 3,000,000 minutes since the genesis block.  That would put block 300,000 about 6 months into the future.   As a secondary check any block more than 3 hours from the network median time so to make a valid chain which has a valid timestamp for block 300,000 would require higher than difficulty 1.   

Quote
Unfortunately stake difficulty doesn't represent real work so it can always be faked in a reorg going back to some substantial early stake as you point out to us.

Exactly.  The only "solution" is absolute centralized checkpoints which prevent reorgs prior to the checkpoint.   PoS proponents often bring up that Bitcoin uses checkpoints however they are not necessary to enforce the security of the blockchain.  Case in point the oldest checkpoint is more than 5 months old, and a 5 month reorg would destroy Bitcoin.  Checkpoints are used by Bitcoin to prevent an attacker from wasting the resources of bootstrapping nodes as a DOS attack by feeding them spoofed chains.  There is no requirement that they be centralized.  Different clients could use different checkpoints at different block heights and it would work just as well.
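
Added example, not part of the thread and not Bitcoin's own code: a simplified Python model of the chain selection described in the post above (sum the difficulty of each valid chain, reject headers that break the difficulty or timestamp rules), run against hashman's 400,000-block scenario. The retarget timing model, the use of the post's 3-hour figure as a future-timestamp window, and every sample chain are assumptions constructed for the illustration.

```python
MIN_DIFFICULTY = 1.0            # the post: difficulty can't be less than 1
RETARGET_INTERVAL = 2016        # difficulty is recomputed every 2016 blocks
TARGET_SPACING = 600            # seconds (10 minutes)
# Simplification: a period is timed from its first block to its last
# (2015 gaps), so exact 10-minute spacing leaves the difficulty unchanged.
TARGET_TIMESPAN = (RETARGET_INTERVAL - 1) * TARGET_SPACING
GENESIS = (0, MIN_DIFFICULTY)   # constructed stand-in for the hardcoded genesis
NOW = 18_000_000                # constructed "current time", seconds after genesis


def required_difficulty(chain, height):
    """Difficulty the block at `height` must declare, given earlier blocks."""
    if height == 0:
        return MIN_DIFFICULTY
    prev = chain[height - 1][1]
    if height % RETARGET_INTERVAL:
        return prev
    span = chain[height - 1][0] - chain[height - RETARGET_INTERVAL][0]
    # Each adjustment is limited to a factor of 4 in either direction.
    span = min(max(span, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    return max(MIN_DIFFICULTY, prev * TARGET_TIMESPAN / span)


def chain_work(chain, now, max_future_drift=3 * 3600):
    """Summed difficulty of a valid chain, or None if a header breaks a rule.

    Assumes each header's hash was already checked against its declared
    difficulty; only the difficulty and timestamp rules are modelled here.
    The drift window is a parameter; its default is the figure in the post.
    """
    if not chain or chain[0] != GENESIS:
        return None
    total = 0.0
    for height, (timestamp, difficulty) in enumerate(chain):
        if timestamp > now + max_future_drift:      # block dated in the future
            return None
        if difficulty != required_difficulty(chain, height):
            return None
        total += difficulty
    return total


def best_chain(candidates, now):
    """Return (name of the valid chain with the most work, all scores)."""
    scored = {name: chain_work(chain, now) for name, chain in candidates.items()}
    valid = {name: work for name, work in scored.items() if work is not None}
    return max(valid, key=valid.get), scored


def build_chain(n_blocks, spacing, declared=None):
    """Constructed chain of (timestamp, difficulty) with fixed spacing.

    With declared=None the builder follows the retarget rule; otherwise every
    block declares that difficulty, which is what a spoofed chain would do.
    """
    chain = []
    for height in range(n_blocks):
        if declared is None:
            difficulty = required_difficulty(chain, height)
        else:
            difficulty = declared
        chain.append((height * spacing, difficulty))
    return chain


def sample_chains():
    """Constructed candidates a bootstrapping node might be offered."""
    return {
        # Blocks arrive every 5 minutes, so difficulty doubles each period.
        "honest": build_chain(20_160, 300),
        # More blocks than "honest", but all at difficulty 1.
        "more_blocks_less_work": build_chain(30_000, 600),
        # hashman's chain: 400,000 blocks declaring difficulty 0.001.
        "declared_0.001": build_chain(400_000, 1, declared=0.001),
        # Difficulty 1 with timestamps packed 1 second apart.
        "fast_timestamps": build_chain(400_000, 1, declared=1.0),
        # Difficulty 1 with 10-minute spacing, which runs past NOW.
        "future_timestamps": build_chain(400_000, 600, declared=1.0),
    }


if __name__ == "__main__":
    winner, scored = best_chain(sample_chains(), NOW)
    for name, work in scored.items():
        label = "invalid" if work is None else f"work={work:,.0f}"
        print(f"{name:24s} {label}")
    print("selected:", winner)
```

All three 400,000-block chains are rejected outright, and the 30,000-block chain loses to the 20,160-block chain because selection compares summed difficulty rather than block count.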


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 05:19:53 PM
Maybe this is just another half-baked idea, but couldn't the PoS be implemented in such a way that once a certain number of blocks are in place, the time stamp is verified and you can't go back and build a longer chain?

This works if all nodes learn of blocks in real time as they occur. What about nodes that are offline at the time the blocks are created?  Say you are offline and when you come online you learn of two chains A & B.  A is longer.  Since you have no knowledge that B occurred "first", you use "A" as the primary chain.  However what you don't know is that most nodes are using B because it occurred "first".  The network had forked because chain selection is no longer uniform among nodes.  A new variable has been added which is not consistent for all nodes.   From this point of view a new node is very similar to an offline node except it has been offline since the genesis block.

The fact that it becomes trivially easy to fork the network is an attack in itself.  The attack can be extended to double spend for financial gain.  Isolation attacks are always a risk in p2p networks however in "longest chain wins" as the sole rule for consensus they are reasonably difficult as if the victim node connects to any non-attack node they will learn of the longer chain.   If this rule is not enforced (i.e. most of network favors "B" even though it is shorter) then an attacker can "isolate" a node coming online by simply connecting to it.  Even if the victim node is connected to other non-attack nodes it will pick A over B and be isolated from the majority of the network because the chain selection is not consistent across all nodes.   Once a node is on chain A the attacker can double spend the victim, waiting for 6, 12, 20,000 confirmations is insufficient to ensure a transaction is valid.

It is often a good idea to step back and consider WHY we use a blockchain.  The blockchain is a timestamp mechanism.  It is used because no other decentralized provable timestamping system exists.   If we could prove which chain was made first we could also prove which transaction was created first.   We wouldn't even need a blockchain or confirmations.

I see.

Questions:

1. Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

2. Would it be helpful to differentiate between online-only and online/offline versions of "decentralized provable timestamping systems"?  And do instances of the former exist other than PoW?
Could they? 



Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 05:23:13 PM
Not that I need some attention, but I would like to have answers to my questions.

Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.
It is more than a "property" it is an as of yet unresolved problem.  There is no security in PoS unless it is resolved.

Let me restate my question. Why should a node 100000 blocks ahead accept a blockchain re-organisation?

Quote
(No matter if PoS or PoW)

Um, well no. I can't mine using computing power I no longer have (but did have at one point in the past).

Our mining rigs destroy themselves? I doubt it.

Quote
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.

The cost to the attacker is absolutely zero.  If he can gain anything more than zero he has everything to gain and nothing to lose.   It would destroy confidence in the PoS currency you are correct especially when it happens over and over and over without end.  That is why it is the PoS problem.

Well, as I said this is true for PoS and PoW. Trying to destroy would definitely diminish confidence in the cryptocurrency as such no matter if PoS or PoW.

Your statement about 'no cost' is true as well.

However, the huge advantage of PoS is: the network controls the consensus power and the network can punish the bad guys. I would call this the PoW problem as the consensus power can easily be introduced from outside without any control whatsoever.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 05:25:43 PM
Exactly.  The only "solution" is absolute centralized checkpoints which prevent reorgs prior to the checkpoint.   PoS proponents often bring up that Bitcoin uses checkpoints however they are not necessary to enforce the security of the blockchain.  Case in point the oldest checkpoint is more than 5 months old, and a 5 month reorg would destroy Bitcoin.  Checkpoints are used by Bitcoin to prevent an attacker from wasting the resources of bootstrapping nodes as a DOS attack by feeding them spoofed chains.  There is no requirement that they be centralized.  Different clients could use different checkpoints at different block heights and it would work just as well.

Why on earth could one not use this argument for PoS as well?


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 05:28:39 PM
Exactly.  The only "solution" is absolute centralized checkpoints which prevent reorgs prior to the checkpoint.   PoS proponents often bring up that Bitcoin uses checkpoints however they are not necessary to enforce the security of the blockchain.  Case in point the oldest checkpoint is more than 5 months old, and a 5 month reorg would destroy Bitcoin.  Checkpoints are used by Bitcoin to prevent an attacker from wasting the resources of bootstrapping nodes as a DOS attack by feeding them spoofed chains.  There is no requirement that they be centralized.  Different clients could use different checkpoints at different block heights and it would work just as well.

Why on earth could one not use this argument for PoS as well?

Because it is invalid.   PoS DOES rely on checkpoints for security reasons to prevent a reorg.  Bitcoin could remove checkpoints from the code right now and no reorg attack becomes possible.  No PoS based system can do so.  They would instantly be vulnerable to the "PoS problem" without checkpoints.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 05:42:03 PM
Because it is invalid.   PoS DOES rely on checkpoints for security reasons to prevent a reorg.  Bitcoin could remove checkpoints from the code right now and no reorg attack becomes possible.  No PoS based system can do so.  They would instantly be vulnerable to the "PoS problem" without checkpoints.

You try to avoid my question from above:

Let me restate my question. Why should a node 100000 blocks ahead accept a blockchain re-organisation?


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 05:44:10 PM
Not that I need some attention, but I would like to have answers to my questions.
I would have thought that they would be self evident by now.

Let me restate my question. Why should a node 100000 blocks ahead accept a blockchain re-organisation?

Because the network follows a longest chain is valid rule?  If it doesn't then you are relying on a node knowing that an alternate chain came "later" and not all nodes will know that.  As I already pointed out up thread imagine you are a new node, you connect to the network and receive two competing chains A & B.  A is longer.  Which chain do you use?  If you use A and other nodes use B that is a problem (isolation attack and network fork due to non deterministic chain selection).  If they are choosing B over A because they "saw it first" there is no way for you to confirm that or even know that.  

Still it doesn't need to be 10,000 blocks.  A 51% attack can be accomplished with a reorg of any length.

Quote
 
Um, well no. I can't mine using computing power I no longer have (but did have at one point in the past).

Our mining rigs destroy themselves? I doubt it.

If I have a rig (or more accurately a massive mining farm that is a majority of the hashing power) I have incurred a cost and I am taking a risk by executing an attack.  The difference with PoS is that an attack can be executed without cost or risk.  That would only be true for PoW if I could build a farm, then sell it, and then somehow execute an attack after the sale with the farm I don't have.  It was tongue in cheek to show that since PoW can't be exploited by history, I can't perform an attack with no cost or risk.

Quote
However, the huge advantage of PoS is: the network controls the consensus power and the network can punish the bad guys. I would call this the PoW problem as the consensus power can easily be introduced from outside without any control whatsoever.

The network can't punish the bad guy.  The whole point is that with PoS, the bad guy can attack without cost or risk.  How exactly does a PoS punish an anonymous entity who no longer has anything at risk and can attack you with no cost?  If that were true then checkpoints wouldn't be needed.   There is no PoW "problem".  There is a limitation that both PoS and PoW share and that is the security model only works if the attacker has less than half of the resource.  An attacker can buy computing power and an attacker can buy a stake; neither are closed systems.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 05:54:44 PM
Because the network follows a longest chain is valid rule?  If it doesn't then you are relying on a node knowing that an alternate chain came "later" and not all nodes will know that.  As I already pointed out up thread imagine you are a new node, you connect to the network and receive two competing chains A & B.  A is longer.  Which chain do you use?  If you use A and other nodes use B that is a problem (isolation attack and network fork due to non deterministic chain selection).  If they are choosing B over A because they "saw it first" there is no way for you to confirm that or even know that.

Still it doesn't need to be 10,000 blocks.  A 51% attack can be accomplished with a reorg of any length.

So, you are talking about two different things:

1) new nodes

2) existing nodes


Both handle things differently.


If I have a rig (or more accurately a massive mining farm that is a majority of the hashing power) I have incurred a cost and I am taking a risk by executing an attack.  The difference with PoS is that an attack can be executed without cost or risk.  That would only be true for PoW if I could build a farm, then sell it, and then somehow execute an attack after the sale with the farm I don't have.  It was tongue in cheek to show that since PoW can't be exploited by history, I can't perform an attack with no cost or risk.

No, you do not. Because you are anonymous and you can do it over and over again because nobody can punish you for publishing these blocks.


The network can't punish the bad guy.

It can because the consensus power is known to the network entirely. Existing nodes know who is going to generate the next block and therefore will not accept any derivations or re-orgs especially not those coming from ages ago.


The whole point is that with PoS, the bad guy can attack without cost or risk.  How exactly does a PoS punish an anonymous entity who no longer has anything at risk and can attack you with no cost?

No cost/risk = depends on how the network punishes him. Distributing his coins, removing his coins, whatever. Because the consensus power lies within the network, the network can decide what to do if a bad guy tries to bring it down.

If that were true then checkpoints wouldn't be needed.   There is no PoW "problem".  There is a limitation that both PoS and PoW share and that is the security model only works if the attacker has less than half of the resource.  An attacker can buy computing power and an attacker can buy a stake; neither are closed systems.

It is THE PoW problem. The network CANNOT simply punish bad guys. How could it? The consensus power lies outside of the control of the network.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 06:17:10 PM
The problem of finding a fork that is stronger than the legit one is well explained by Come-from-Beyond here: https://nxtforum.org/bitcoin2014-btc-foundation-conference-amsterdam-(may-15-17)/technical-questions-need-answering-from-amsterdam/msg22489/#msg22489

Imagine that the adversary has several accounts. He can build different blockchains with different sequences of blocks. Every branch will have different cumulative difficulties. The attack will be successful only if he manages to find a branch with difficulty higher than the difficulty of the legit chain. It's a problem of finding an extremum (optimization). None of the methods (gradient method, etc.) except exhaustive search over all possible combinations could be used for that coz Nxt uses SHA256. So we get classical "find the nonce a-la Bitcoin" game here.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 06:55:03 PM
The problem of finding a fork that is stronger than the legit one is well explained by Come-from-Beyond here: https://nxtforum.org/bitcoin2014-btc-foundation-conference-amsterdam-(may-15-17)/technical-questions-need-answering-from-amsterdam/msg22489/#msg22489

Imagine that the adversary has several accounts. He can build different blockchains with different sequences of blocks. Every branch will have different cumulative difficulties. The attack will be successful only if he manages to find a branch with difficulty higher than the difficulty of the legit chain. It's a problem of finding an extremum (optimization). None of the methods (gradient method, etc.) except exhaustive search over all possible combinations could be used for that coz Nxt uses SHA256. So we get classical "find the nonce a-la Bitcoin" game here.

That is for an attacker with less than half the stake.  That isn't a 51% attack, that isn't what is being discussed.

Quote
An attack with more than 50% of the stake (TF is off)

It's quite expensive to purchase 51% of all forging power. Now with Leasing it's more affordable but max depth of chain reorg is 720 blocks. So a successful attack is possible only after a successful sybil attack (to get control over 51% of active stake). Paranoid merchants should wait for 720 confirmations.

Even the security from 720 confirmations is due to rolling checkpoints which is a centralized protection.  Without it, it would be worse.  This explanation also ignores what we are talking about when it comes to history attack.  If at block x the attacker has 51% of the active stake the attacker can then sell his stake and thus the attacker has no cost, he no longer has any coins but as of block x he did so he can reorg from that point.   The attack can be done with no cost or risk based on the fact that in the past the attacker did have sufficient resources to perform the attack.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 06:59:36 PM



If I have a rig (or more accurately a massive mining farm that is a majority of the hashing power) I have incurred a cost and I am taking a risk by executing an attack.  The difference with PoS is that an attack can be executed without cost or risk.  That would only be true for PoW if I could build a farm, then sell it, and then somehow execute an attack after the sale with the farm I don't have.  It was tongue in cheek to show that since PoW can't be exploited by history, I can't perform an attack with no cost or risk.

No, you do not. Because you are anonymous and you can do it over and over again because nobody can punish you for publishing these blocks.
 


With PoW, it costs energy to do all those hashes, and you also incur the opportunity cost of not using your resources to do honest mining.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 07:08:10 PM
Even the security from 720 confirmations is due to rolling checkpoints which is a centralized protection.  Without it, it would be worse.

720 confirmations are maintained by each node separately. Maybe, we have a different notion of centralization but that is what I would call decentralized.

This explanation also ignores what we are talking about when it comes to history attack.  If at block x the attacker has 51% of the active stake the attacker can then sell his stake and thus the attacker has no cost, he no longer has any coins but as of block x he did so he can reorg from that point.   The attack can be done with no cost or risk based on the fact that in the past the attacker did have sufficient resources to perform the attack.

Buying 51% of the stake AND selling it SUCCESSFULLY within a timeframe of 720 blocks seems, well, ambitious.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 07:26:53 PM
720 confirmations are maintained by each node separately. Maybe, we have a different notion of centralization but that is what I would call decentralized.

Then the network can be attacked by hard forks.  New nodes (or nodes temporarily offline) will see a reorg of greater than 720 blocks as valid and be permanently forked from the nodes who were online and saw the reorg as invalid because it was too deep.  Non deterministic behavior of nodes is something to be avoided, to achieve consensus all nodes must reach the same conclusions on which chain is the "best".

Buying 51% of the stake AND selling it SUCCESSFULLY within a timeframe of 720 blocks seems, well, ambitious.

The attacker has no limit on how long it takes to acquire the coins.  The clock starts from the point of the reorg which can be just prior to selling the coins.  So if attacker has x+1 coins where the network stake is 2x at block y he can start the attack chain from there.  He now has 720 blocks in which to record the sale/transfer of the coins for material gain and produce a longer chain.

The attacker isn't limited to buying "valid" coins, just the "history" of coins that a private key had in the past.  A private key which at one point had unspent outputs worth x coins but today has no unspent outputs ("zero  balance address") has no direct value to the owner but to an attacker it has value in attacking the network.  "Hey large coin holders I will buy your empty wallets based for 0.1% of the coins they had as of block y".

The attack isn't limited to 720 blocks.  A reorg of longer than 720 blocks is possible; it just won't be accepted by the entire network.  Permanently forking the network is still a powerful attack, especially for one which has no cost or risk.

The fact that you are moving the goal posts from "the history can't be used" to "this would be hard" (so is a 51% PoW attack) is good enough for me.  I think you do now see that someone can attack the network without cost or risk which was the point you refuted as false.  How difficult it would be to acquire that stake is a totally different argument.


Title: Re: Proof of stake instead of proof of work
Post by: Eadeqa on May 16, 2014, 08:25:58 PM
snip

https://nxtforum.org/general/how-does-nxt-fix-the-nothing-at-stake-problem/msg22882/#msg22882

Quote
Hehe, so sad D&T is not registered on this forum. Could anyone ask him the following:


Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations in average it's necessary to do to find a branch where cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake..

You can register to answer him directly on that forum 


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 09:01:16 PM
Then the network can be attacked by hard forks.  New nodes (or nodes temporarily offline) will see a reorg of greater than 720 blocks as valid and be permanently forked from the nodes who were online and saw the reorg as invalid because it was too deep.

True. So, how do new Bitcoin nodes handle this issue?

One doesn't need to buy the coins in any period of time.  One could take years to acquire the coins.

Sorry, that was my mistake. I meant, first ( buying 51% of all PoS tokens ) and then ( selling 51% of all PoS within 720 blocks ) are both ambitious goals each and even more ambitious done together.

The clock starts from the point of the reorg which can be just prior to selling the coins.  One doesn't even need to buy coins they only need to buy the history of coins.  A private key which at one point had unspent outputs worth x coins but today has no unspent outputs ("zero  balance address") has no direct value to the owner but to an attacker it has value in attacking the network.

Interesting point. So, if you find many somebodies who would be willing to sell their historical passphrases...

The attack isn't limited to 720 blocks.  It just means the attacker will be unable to re-org all nodes.

True.

New nodes would need to make sure they are on the legit chain.

But well, how do "Bitcoin" nodes? <<< I mean having a client looking like Bitcoin and feeling like Bitcoin does not necessarily mean it is the real Bitcoin network you are on, right?

So, new nodes need to verify anyway no matter if PoW or PoS. Is that correct?

However by making a re-org of longer than 720 blocks (if you are right about a lack of centralization) the network can be forked permanently which is equally disruptive and quite a feat for an attack with no cost or risk.

Still the point that you moved the goal posts is good enough for me.  I think you do now see that someone can attack the network without cost or risk which was the point you refuted.  You have now moved to how difficult it would be to acquire that stake which is a totally different argument. 

I see where you are coming from and tend to agree, if I would not substitute 'difficult' by 'expensive'.

It always comes down to that: costs. And I am with you: the costs for maintaining several PoS chains are significantly smaller than maintaining several PoW chains. However, I doubt 720 blocks to be sufficiently long enough to do any damage.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 09:26:51 PM
True. So, how do new Bitcoin nodes handle this issue?

Simple the longest chain is the best chain.  The behavior is deterministic.  It doesn't matter if a node is online, offline, or newly created, all nodes select the longest.  There is only an issue where nodes select a chain based on criteria that can't be known to all nodes (i.e. chain A is shorter but it is the best chain because it came first and chain B is longer but came second and they differ by more than 720 blocks).


True.

New nodes would need to make sure they are on the legit chain.

But well, how do "Bitcoin" nodes? <<< I mean having a client looking like Bitcoin and feeling like Bitcoin does not necessarily mean it is the real Bitcoin network you are on, right?

Best is probably a better term than "legit" it is possible the best chain is the one created by an attacker (in both PoS & PoW) however the consensus system is limited to picking the best chain.  The chain built from the genesis block which is the longest is the best chain.  Any new node is relying on an assumption that other nodes are using the same selection criteria.  If all nodes are using the same selection criteria (and it is deterministic and uniform across all nodes) they will all end up selecting the same chain as the "best" one.

Quote
It always comes down to that: costs. And I am with you: the costs for maintaining several PoS chains are significantly smaller than maintaining several PoW chains. However, I doubt 720 blocks to be sufficiently long enough to do any damage.

If it can be done once it can be done again.  An attacker would be foolish to limit it to a single attack.  If merchants are limited to waiting for 719 confirmations to ensure they aren't double spent then the attacker has done a good job of damaging the utility of the coin.  The ability to fork offline clients is just an added bonus to add to the chaos.  If your node goes offline you can't have assurance that you are on the same chain as other nodes.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 09:30:06 PM
snip

https://nxtforum.org/general/how-does-nxt-fix-the-nothing-at-stake-problem/msg22882/#msg22882

Quote
Hehe, so sad D&T is not registered on this forum. Could anyone ask him the following:


Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations in average it's necessary to do to find a branch where cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake..

You can register to answer him directly on that forum  


Yeah when the thread is filled with insults before a countering view is even posted I don't really see the point.  Still the example is flawed.  There is no assumption that all of Alice's "old coins" would be contributing to the stake.  100% of the money supply isn't being used for forging it isn't a valid assumption that 100% of the coins she sold would be used as well.  Still it is possible depending on how much stake Alice had and how much of it ends up supporting the main chain she might not be able to sell all of the coins.  The attacker may only have reduced amount at risk rather than nothing at risk scenario.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 09:39:05 PM
Best is probably a better term than "legit" it is possible the best chain is the one created by an attacker (in both PoS & PoW) however the consensus system is limited to picking the best chain.  The chain built from the genesis block which is the longest is the best chain.  Any new node is relying on an assumption that other nodes are using the same selection criteria.  If all nodes are using the same selection criteria (and it is deterministic and uniform across all nodes) they will all end up selecting the same chain as the "best" one.

How does a node verify the genesis block?

Is that not exactly the same as verifying an arbitrary block?

If it can be done once it can be done again.  An attacker would be foolish to limit it to a single attack.  If any tx could be reversed with 719 or less confirmations then the attacker has done a good job in destroying the utility of the coin.   The ability to fork offline clients is just an added bonus to add to the chaos.  

One question still bothers me:

Why should nodes discard blocks (and therefore invalidate many transactions)? Especially those nodes run by merchants that can cross-check if their due transactions are on the blockchain already.

Would it not be more intelligent to distribute the raw transactions as broad as possible? All this assumes an extremely well developed network controlled by the attacker, right?

And if so, why would this extremely well developed network controlled by the attacker be unable to send the new blockchain in time to the merchant's node? Would this not raise awareness on the side of the merchant?


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 09:59:33 PM
How does a node verify the genesis block?
The genesis node is hardcoded in the client.

Quote
Is that not exactly the same as verifying an arbitrary block?
No.


Quote
Why should nodes discard blocks (and therefore invalidate many transactions)? Especially those nodes run by merchants that can cross-check if their due transactions are on the blockchain already.

Non deterministic behavior of nodes is bad.  If some nodes switch to the longest chain and some stay with the shortest chain then the network is permanently forked.  That is something to be avoided at all cost. While such behavior may make double spends harder, it makes the money you are trying to protect from double spends worthless.  Money can't have value if there isn't a single shared view over who has the money. A permanent fork in the network is a lack of consensus, a disagreement over "who has the money" and it is a worse outcome than the double spend you are trying to avoid.

That line of thinking also assumes that all nodes are online.  They aren't.  The current longest chain is chain A.  Merchant is paid in tx on chain A.   Attacker builds a chain B which double spends merchant and chain B is longer.  Now let's assume all "legit" nodes disregard chain B because it has double spends.  That opens up all kinds of timing and propagation attacks but to keep it simple let's pretend they don't exist.  Now a new node connects to the network and receives chains A & B.  Both are valid chains with valid transactions.  There are differences between the two chains but neither one is invalid by the rules the node uses to validate transactions and blocks.  B is longer.  The new node would select B as the "best" chain.  Oops the network is now split.  Now imagine the attacker pays this new node using outputs only valid on Chain B.  You now have a permanent split which can't be resolved except with outside force AND entities on both sides of the split who will lose if the other fork is used.

Quote
Would it not be more intelligent to distribute the raw transactions as broad as possible? All this assumes an extremely well developed network controlled by the attacker, right?  And if so, why would this extremely well developed network controlled by the attacker be unable to send the new blockchain in time to the merchant's node? Would this not raise awareness on the side of the merchant?

I don't know what you are asking.  However for the last question it indicates a false belief that 100% of nodes receive 100% of blocks in realtime, and have 100% uptime since the genesis block.  That is the only way they can know in all cases which chain is the "best" even if it isn't the longest.  No such system for consensus like that exists.  Sure if the Bitcoin network consisted only of nodes who have been and always will be online and learned of blocks in realtime then forming a consensus would be easy.  However most of the time nodes haven't been online with 100% uptime since the genesis block.  When there are two competing chains they don't know which one came first or which one has the double spend and which one has the "original" spend.  The only thing the node can independently verify is that the two chains are valid but different and one is longer.

Given two chains A & B which are different but equally valid without relying on a trusted third party tell me which one is the "best" chain?

Bitcoin says the longest chain is the best one.   Still this has gone beyond just PoS & PoW.  The same consensus issues remain regardless of what system is used for proof.   The proof forms the longest chain, if nodes can form a consensus on transaction ordering while ignoring the proof then why do you need proof to begin with? :)  I think we have come full circle.
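
The new-node scenario from the post above, as a small added model (not code from any poster, and not Bitcoin or Nxt code): every node is offered the same two chains, once under the pure "largest sum of difficulty wins" rule and once with a per-node limit on reorg depth. The 720-block limit is the figure quoted in the thread; the block tuples, the `Node` class and the chain lengths are constructed for illustration.

```python
"""Toy model of the two chain-selection rules argued over in this thread."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Block = Tuple[str, int]      # (block id, difficulty): a simplified header
Chain = List[Block]          # index 0 is always the hardcoded genesis block

GENESIS: Block = ("genesis", 1)


def build_chain(prefix: Chain, tag: str, count: int, difficulty: int) -> Chain:
    """Extend `prefix` with `count` constructed blocks of equal difficulty."""
    start = len(prefix)
    return prefix + [(f"{tag}{h}", difficulty) for h in range(start, start + count)]


def cumulative_difficulty(chain: Chain) -> int:
    """'Length' as used in the thread: the sum of the block difficulties."""
    return sum(d for _, d in chain)


def fork_height(a: Chain, b: Chain) -> int:
    """Height of the last block the two chains have in common."""
    h = 0
    while h + 1 < min(len(a), len(b)) and a[h + 1] == b[h + 1]:
        h += 1
    return h


@dataclass
class Node:
    """A node holding one active chain.

    max_reorg_depth=None: pure 'most cumulative difficulty wins' rule.
    max_reorg_depth=720:  also refuse any reorg deeper than 720 blocks.
    """
    max_reorg_depth: Optional[int] = None
    active: Chain = field(default_factory=lambda: [GENESIS])

    def consider(self, candidate: Chain) -> bool:
        """Offer a chain; return True if it becomes the active chain."""
        if not candidate or candidate[0] != GENESIS:
            return False                  # not built on the hardcoded genesis
        if cumulative_difficulty(candidate) <= cumulative_difficulty(self.active):
            return False                  # not heavier: keep the current chain
        depth = len(self.active) - 1 - fork_height(self.active, candidate)
        if self.max_reorg_depth is not None and depth > self.max_reorg_depth:
            return False                  # heavier, but the reorg is too deep
        self.active = candidate
        return True

    @property
    def tip(self) -> str:
        return self.active[-1][0]


def run(max_reorg_depth: Optional[int]) -> dict:
    """Offer chains A and B to two nodes that learn of them in different order."""
    common = build_chain([GENESIS], "c", 1000, 1)   # heights 1..1000, shared
    chain_a = build_chain(common, "a", 1000, 1)     # original chain, height 2000
    chain_b = build_chain(common, "b", 1001, 1)     # published later, one block heavier

    online = Node(max_reorg_depth)   # was online: followed A, then is shown B
    online.consider(chain_a)
    online.consider(chain_b)

    new = Node(max_reorg_depth)      # came online later: is shown B before A
    new.consider(chain_b)
    new.consider(chain_a)

    return {"online": online.tip, "new": new.tip, "forked": online.tip != new.tip}


if __name__ == "__main__":
    # Same inputs, same rule on every node; only the order of arrival differs.
    print("pure cumulative-difficulty rule:", run(None))
    print("with 720-block reorg limit:     ", run(720))
```

Under the pure rule both nodes end on the same tip whatever the order of arrival; with the depth limit the result depends on which chain each node saw first, which is the non-deterministic selection the post describes.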






Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 10:37:46 PM
Thank you very much for your patience so far. :)


How does a node verify the genesis block?
The genesis node is hardcoded in the client.

This makes no sense. The genesis node IS a checkpoint.

How do you verify a checkpoint? Either you do not (so you trust the checkpoint creator) or you verify it in some way.

So, new nodes have to verify the last block some way or another by e.g. asking their neighbors, watching TV, asking their local government, friends etc. etc.

I think we still mix up two different scenarios. This question is also related to NEW NODES:
Quote
Given two chains A & B which are different but equally valid without relying on a trusted third party tell me which one is the "best" chain?
This is solved by verification, code review etc. etc.


Our merchant runs an EXISTING NODE here; he should wait the number of blocks that satisfies his need for security, as the blockchain approach leads to eventual consistency.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 10:42:34 PM
yeah thx DT.  We must be driving you crazy.
But we are learning a lot.  I wonder how
you learned so much about cryptocurrencies!

Not sure if it's worth answering these questions
I posted earlier but here they are again.

Quote
1. Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

2. Would it be helpful to differentiate between online-only and online/offline versions of "decentralized provable timestamping systems"?  And do instances of the former exist other than PoW?
Could they?


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 10:59:55 PM
Quote
Given two chains A & B which are different but equally valid without relying on a trusted third party tell me which one is the "best" chain?
This is solved by verification, code review etc. etc.

Those are vague nonsense answers. 
Code review?  What CODE will allow you to verify which of two chains is the best if not using criteria that longest chain is best chain?
Verification?  What can you verify to determine which chain is the best if not using the criteria that the longest chain is the best chain?
etc?

Give me specifics.  You are a brand new node bootstrapping today; you receive from peers two equally valid yet different chains A & B.  The code in the client can be assumed to be without error.   Chain A is longer, thus by the Bitcoin consensus rules a Bitcoin node would report that Chain A is the best chain.  You seem to believe that nodes could reach a consensus that B the shorter chain is "best".  How exactly would a new node reach that conclusion?  Without specifics that is simply imagining the problem away.  Some magical as of yet code will allow the client to pick Chain B because it is the better chain despite being shorter is not a real answer.  What exactly could the new node do to determine that B is the better chain over A?



Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 16, 2014, 11:03:20 PM
All these discussions will end when a smart person creates a StakeUndo pool like the BitUndo service. Old stake owners will contribute their stake to create a longer chain to claim back their stake.  And when StakeUndo accumulates more stake than the current minting stake it will be obvious to everyone.

Old stake owners will participate because they want to claim their stake back. It is their ownership after all and they want it back!!! Very profitable as well.

On the other hand for PoW old stake owners it will be unprofitable to spend more money to claim their stake back by creating a longest chain.

That is what made bitcoin popular in the first place. PoS solutions are a step backward proposing solutions similar to those existing before bitcoin.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 16, 2014, 11:07:53 PM
How does a node verify the genesis block?
The genesis node is hardcoded in the client.
This makes no sense. The genesis node IS a checkpoint.

In computing, the definition of a checkpoint is a point beyond the beginning.  For example (http://en.wikipedia.org/wiki/Checkpoint_restart), "Checkpoint restart, a method for restarting a long software process at a point beyond its beginning."

If you create an entirely new blockchain built from a different genesis block, then it's just an alt-coin.  It's not even a fork.  


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 16, 2014, 11:10:11 PM
1. Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

I have not seen anything which shows how deterministic vs random selection makes it more difficult for an attacker to produce a reorg (I assume you mean reorganization not fork).  It is an interesting idea and it does ensure that a node either maliciously or inadvertently doesn't create a stake and then fail to produce blocks (this can cause oscillations in difficulty and average time between blocks).  As I understand it with deterministic minting, when a node should create the next block but doesn't the value of its stake is reduced to zero.  An attacker is however going to produce blocks and deterministic or random if an attacker has 51% of the stake it will produce the longest chain in the long run.

Quote
2. Would it be helpful to differentiate between online-only and online/offline versions of "decentralized provable timestamping systems"?  And do instances of the former exist other than PoW? Could they?

I don't believe so.  I have not seen any provable decentralized timestamps which work in a network of untrusted peers without using a proof of something.  The security of this model requires the attacker to have less than a majority of the "something".  That isn't to say they are impossible, but it would require some significant out of the box thinking on the order of Satoshi's blockchain solution to transaction ordering.  It is also very likely they would have a different security assumption/limitation.  Barring direct well articulated evidence of such a system, when I read a proposal and the security model assumes that timestamps are valid (or can be validated), so far to date it has been a good indicator that the author lacks the basic knowledge of the problem.  The author might as well build a security model which uses God as a trusted oracle. Imagine a forge proof system with no work, cryptography, or potential flaws.  You get instant verification anywhere in the universe by just asking God if the transaction is valid.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 11:22:55 PM
problem is that theologists can't come to a consensus on whether God is centralized or distributed  ;D


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 11:25:21 PM
How does a node verify the genesis block?
The genesis node is hardcoded in the client.
This makes no sense. The genesis node IS a checkpoint.

In computing, the definition of a checkpoint is a point beyond the beginning.  For example (http://en.wikipedia.org/wiki/Checkpoint_restart), "Checkpoint restart, a method for restarting a long software process at a point beyond its beginning."

If you create an entirely new blockchain built from a different genesis block, then it's just an alt-coin.  It's not even a fork.  

If I create a Bitcoin clone, name it Bitcoin and the only difference is the genesis block, it is Bitcoin.

Even, if I would pump billions of GHs in that Bitcoin, no other Bitcoin node would accept my chain (even if it is longer than the first one).

Why, because the default Bitcoin software checks the genesis block. I would call this a checkpoint no matter what Wikipedia says and what unintuitive definition of checkpoint they use. I see no reason to exclude a fixed beginning from being a checkpoint from an abstract point of view.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 16, 2014, 11:42:10 PM
Code review?  What CODE will allow you to verify which of two chains is the best if not using criteria that longest chain is best chain?

Please, do not mix up things. As I told you, we need to separate issues first.

Code review is necessary to ensure, you have the 'right' checkpoints (including the genesis block - for those who cannot imagine the genesis block hard-coded in the node software being a checkpoint), the right consensus rule that everybody has, etc. etc.

In particular the checkpoints are the ones that determine which chains will definitely be sorted out and which ones could win in the future.

Verification?  What can you verify to determine which chain is the best if not using the criteria that the longest chain is the best chain?
etc?

See above. Checkpoints are a valid way to do so. A node provider could even introduce custom checkpoints at will.


Give me specifics.  You are a brand new node bootstrapping today; you receive from peers two equally valid yet different chains A & B.  The code in the client can be assumed to be without error.   Chain A is longer, thus by the Bitcoin consensus rules a Bitcoin node would report that Chain A is the best chain.  You seem to believe that nodes could reach a consensus that B the shorter chain is "best".  How exactly would a new node reach that conclusion?  Without specifics that is simply imagining the problem away.  Some magical as of yet code will allow the client to pick Chain B because it is the better chain despite being shorter is not a real answer.  What exactly could the new node do to determine that B is the better chain over A?

There is nothing wrong with this rule.

I think you agree that the coins on a fork are worthless to the real world. There can be only one legit chain. So, the real world decides that in the end. The real world are people, exchanges, friends and so on. If my node has two valid chains, I will consult them to find out which one is the right one.

What is wrong with that consensus rule? After that, I am on the same "fork" as the rest of the publicly available world is. I am on the same "fork" where the rest of the publicly available world draws its value from the coin.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 16, 2014, 11:47:03 PM
The thing is, the longest chain is the ONLY proven way to create consensus. 
You can "consult your friends" till the cows come home, and they might
never agree.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 16, 2014, 11:47:22 PM
Why, because the default Bitcoin software checks the genesis block. I would call this a checkpoint no matter what Wikipedia says and what unintuitive definition of checkpoint they use. I see no reason to exclude a fixed beginning from being a checkpoint from an abstract point of view.

The genesis block is part of bitcoin.  It is not a checkpoint according to the generally-accepted definition of the word "checkpoint" as applied to computing.  A checkpoint is a point beyond the beginning.

If you make up your own definitions for words, however, you can argue anything you like.  


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 12:24:31 AM
Given two chains A & B which are different but equally valid without relying on a trusted third party tell me which one is the "best" chain?
This is solved by verification, code review etc. etc.


@ ChuckOne: is this what you mean by "solved by verification, code review etc. etc." when the network can't determine which chain is "best"?

[The quote below is from the Nxt thread (a proof-of-stake coin) and Cryptsy is a foo-coin exchange.]


Okay, guys. I need to bother you once more:
Please update to 1.1.3 as 1.1.0 is somewhat broken.

Maybe that's the problem that cryptsy is having: their transactions are not going through. They might be on a fork.

Anyone let them know, please.


Title: Re: Proof of stake instead of proof of work
Post by: Eadeqa on May 17, 2014, 08:05:43 AM
snip

https://nxtforum.org/general/how-does-nxt-fix-the-nothing-at-stake-problem/msg22882/#msg22882

Quote
Hehe, so sad D&T is not registered on this forum. Could anyone ask him the following:


Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations on average are necessary to find a branch where cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.

You can register to answer him directly on that forum  


Yeah when the thread is filled with insults before a countering view is even posted I don't really see the point.  Still the example is flawed.  There is no assumption that all of Alice's "old coins" would be contributing to the stake.  100% of the money supply isn't being used for forging it isn't a valid assumption that 100% of the coins she sold would be used as well.  Still it is possible depending on how much stake Alice had and how much of it ends up supporting the main chain she might not be able to sell all of the coins.  The attacker may only have reduced amount at risk rather than nothing at risk scenario.

And
https://nxtforum.org/general/how-does-nxt-fix-the-nothing-at-stake-problem/msg22968/#msg22968


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 08:51:19 AM
The genesis block is part of bitcoin.  It is not a checkpoint according to the generally-accepted definition of the word "checkpoint" as applied to computing.  A checkpoint is a point beyond the beginning.

How do you know when setting up a brand-new node if the hard-coded genesis block is the correct one WITHOUT looking it up?


1) The only way I see is that you remember (at least) the hash of the genesis block of the Bitcoin you refer to AND make sure that the software does assume zero accounts at this point.

2) If your node software uses another checkpoint, you have to make sure again that the block is the correct one (by verifying its hash) AND make sure that the software does assume the correct balances for all accounts in existence for that Bitcoin you refer to.


Speaking of computing: this can be done by the very same subroutine:

def start_from_checkpoint(checkpoint_block, balances)

for 1) start_from_checkpoint(genesis_block, [])
for 2) start_from_checkpoint(checkpoint_block5, [...............................])

There is simply no difference, not from an abstract point of view and not from a computing point of view. All differences are made up AFAICT. Maybe, you could prove me otherwise.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 08:54:38 AM
A checkpoint is a point beyond the beginning.

Speaking of the 'beginning': just a definition.

There is no need for a dedicated 'beginning'. You can start with any block sufficiently old enough. It makes no difference.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 09:04:07 AM
@ ChuckOne: is this what you mean by "solved by verification, code review etc. etc." when the network can't determine which chain is "best"?

Maybe, you can elaborate a bit more.


Do you refer to promoting the new release? I remember Bitcoin having also several releases: https://bitcoin.org/en/version-history
I do not see what the problem therein is. Updates might break something or they might cause a change in the protocol at which a hard fork will occur.

That needs to be brought to people's attention and then they need to decide for themselves what to do: reviewing the code, verifying checkpoints, etc. etc.


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 17, 2014, 11:12:39 AM
Bitcoin could theoretically work without a hard coded genesis block (although alt-coins based directly on bitcoin would have to have genesis blocks because total cumulative difficulty would be lower than bitcoin). Bitcoin's security relies on the fact that it has more hashing power than any other coin based on SHA256d. The full game theory implications of how bitcoin could be attacked by enticing miners to mine on a different chain while shorting/double spending bitcoin have not been extensively explored.

Achieving consensus with bitcoin is dependent on a number of things, knowledge of the protocol, the genesis block etc. but the SPV (simple payment verification) assumption is that one can simply rely on a short chain of blocks with the greatest difficulty. This requires no knowledge of the genesis block or the protocol rules, the only knowledge required is the type of hashing algorithm. If a transaction is buried within the highest difficulty chain then it is highly likely to be valid.

Unfortunately these assumptions do not carry over to PoS coins (forgetting all the other PoS problems) (or even most alt-coins which do not have the greatest difficulty with their type of hashing algorithm). This means that to verify a transaction, the security relies on a longer part of the chain back to the most recent checkpoint in the code and the mechanism of delivering the checkpoints.

The SPV assumption is incredibly important for making clients which will work on low power, low storage or low memory devices without reliance on some central server. Try developing a scalable decentralised PoS wallet for a phone and you will understand why.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 01:01:52 PM
The genesis block is part of bitcoin.  It is not a checkpoint according to the generally-accepted definition of the word "checkpoint" as applied to computing.  A checkpoint is a point beyond the beginning.

How do you know when setting up a brand-new node if the hard-coded genesis block is the correct one WITHOUT looking it up?


1) The only way I see is that you remember (at least) the hash of the genesis block of the Bitcoin you refer to AND make sure that the software does assume zero accounts at this point.

2) If your node software uses another checkpoint, you have to make sure again that the block is the correct one (by verifying its hash) AND make sure that the software does assume the correct balances for all accounts in existence for that Bitcoin you refer to.


Speaking of computing: this can be done by the very same subroutine:

def start_from_checkpoint(checkpoint_block, balances)

for 1) start_from_checkpoint(genesis_block, [])
for 2) start_from_checkpoint(checkpoint_block5, [...............................])

There is simply no difference, not from an abstract point of view and not from a computing point of view. All differences are made up AFAICT. Maybe, you could prove me otherwise.

Who or what gets to decide the checkpoint block?
Either you have to have a consensus (back to the
distributed consensus problem), or the protocol
must handle it.  But if the protocol handles it,
you still have the isolated node attack problem.

The difference with the genesis block is that
it's not a moving target.  You establish it
as consensus when the reference client is
released.  (right?)
 






Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 04:17:32 PM
The difference with the genesis block is that
it's not a moving target.  You establish it
as consensus when the reference client is
released.  (right?)

The Blockchain (proper noun) is the "best" chain (of blocks containing digital signatures) that originates from the Genesis Block (proper noun).  A proper noun refers to a "unique entity."  A chain of blocks that does not originate from the Genesis Block cannot be the Blockchain by definition.  

Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Both gold and the Blockchain have certain properties, as shown below.  Arguments like "if we all agree to start calling different things bitcoin, the blockchain and the genesis block, then that's all that matters," is again linguistics:  people could start calling the alloy of copper and zinc (i.e, brass) "gold" instead.  If everyone does this, then its name might eventually become "gold."  But this will never happen because it is useful for words to have specific meanings, and even if it did happen it doesn't change the fact that "gold" (copper/zinc) still isn't gold (element 79).  

https://i.imgur.com/Mar6cvF.png


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 17, 2014, 05:09:21 PM
The Blockchain (proper noun) is the "best" chain (of blocks containing digital signatures) that originates from the Genesis Block (proper noun).  A proper noun refers to a "unique entity."  A chain of blocks that does not originate from the Genesis Block cannot be the Blockchain by definition.  

Whilst true, SPV nodes have no way of validating the genesis block so they can only work when we assume the greatest difficulty chain segment is bitcoin (regardless of which genesis block the chain originates from).


Title: Re: Proof of stake instead of proof of work
Post by: gmaxwell on May 17, 2014, 05:25:13 PM
Whilst true, SPV nodes have no way of validating the genesis block
wtf, no. Of course they know and validate the genesis block, it's part of the definition of the coin. They would ignore a greater work chain that disagrees with the genesis block.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 17, 2014, 05:25:48 PM
The Blockchain (proper noun) is the "best" chain (of blocks containing digital signatures) that originates from the Genesis Block (proper noun).  A proper noun refers to a "unique entity."  A chain of blocks that does not originate from the Genesis Block cannot be the Blockchain by definition.  

Whilst true, SPV nodes have no way of validating the genesis block so they can only work when we assume the greatest difficulty chain segment is bitcoin (regardless of which genesis block the chain originates from).

Why do you think that?  SPV clients are hardcoded with the contents of the genesis block just like any other node.  There is no difference between the two.  If you are following a chain which doesn't begin with the Bitcoin genesis block you are not part of the Bitcoin network.

SPV clients still validate the block headers. To validate block one requires knowing the correct hash for the previous block (block zero = genesis block).  Technically an SPV client could be hardcoded with just the genesis block hash, but an SPV client already must have the ability to compute the current block difficulty, perform block hashing, and validate that the block hash is smaller than the target so you don't really save anything by hardcoding the hash instead of the contents.

Part of the problem may come from shorthand language.  "Longest chain" doesn't just mean the chain with the most difficulty, it means the chain of valid blocks with the most difficulty.  An invalid block can't extend the chain.  "Valid" for Bitcoin means a variety of checks including the prior block hash and by extension that necessitates that the chain begin from the genesis block.  While you are correct that currently one could skip the genesis block validation that was never part of Satoshi's security design and it may not be true in the future (another coin could someday have more computing power).  SPV are no different than full nodes in this respect.  Given how trivially easy it is to verify the genesis block (and the added DOS hardening that adds) there is no reason to skip this check.
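
The rule described in the post above (a chain only counts if every block links back to the hardcoded genesis block and meets its target, and among such chains the one with the most work wins) can be sketched as follows. This is an added example, not code from the post or from any Bitcoin client; the simplified header layout, `MIN_BITS`, all function names and the constructed sample chains are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

MIN_BITS = 8  # assumed toy minimum difficulty, in required leading zero bits


def dsha256(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass(frozen=True)
class Header:
    """Toy header: previous hash, stand-in merkle root, difficulty, nonce."""
    prev: bytes
    root: bytes
    bits: int
    nonce: int

    def digest(self) -> bytes:
        raw = self.prev + self.root + bytes([self.bits]) + self.nonce.to_bytes(4, "big")
        return dsha256(raw)

    def meets_target(self) -> bool:
        # Valid proof of work: the hash, read as an integer, is below the target.
        return int.from_bytes(self.digest(), "big") < (1 << (256 - self.bits))


def mine(prev: bytes, label: bytes, bits: int) -> Header:
    """Build one constructed sample block by searching for a valid nonce."""
    root = hashlib.sha256(label).digest()
    nonce = 0
    while True:
        header = Header(prev, root, bits, nonce)
        if header.meets_target():
            return header
        nonce += 1


def extend(chain, labels, bits):
    """Return a copy of `chain` with one mined block appended per label."""
    chain = list(chain)
    for label in labels:
        chain.append(mine(chain[-1].digest(), label, bits))
    return chain


def chain_work(headers, genesis_hash):
    """Cumulative work of a valid chain, or None if the chain is invalid.

    Valid means: block zero is the pinned genesis, each header commits to
    the hash of its predecessor, and each header meets its declared target.
    (A real node also checks the declared target against the retarget rule.)
    """
    if not headers or headers[0].digest() != genesis_hash:
        return None
    work, prev_hash = 0, None
    for header in headers:
        if prev_hash is not None and header.prev != prev_hash:
            return None
        if header.bits < MIN_BITS or not header.meets_target():
            return None
        work += 1 << header.bits  # expected number of hashes for this block
        prev_hash = header.digest()
    return work


def best_chain(candidates, genesis_hash):
    """Name of the valid candidate with the most cumulative work, or None."""
    scored = {name: chain_work(chain, genesis_hash) for name, chain in candidates.items()}
    valid = {name: work for name, work in scored.items() if work is not None}
    return max(valid, key=valid.get) if valid else None


# --- constructed sample data ---
ZERO = bytes(32)
GENESIS = mine(ZERO, b"constructed genesis", 8)
GENESIS_HASH = GENESIS.digest()  # what the client ships with

CHAIN_A = extend([GENESIS], [b"a1", b"a2", b"a3"], 8)    # 4 blocks, less work
CHAIN_B = extend([GENESIS], [b"b1", b"b2"], 10)          # 3 blocks, more work
OTHER_GENESIS = mine(ZERO, b"some other coin", 8)
CHAIN_C = extend([OTHER_GENESIS], [b"c1", b"c2", b"c3", b"c4", b"c5"], 10)
# Chain B with the contents of block 1 altered after mining.
TAMPERED_B = [CHAIN_B[0],
              replace(CHAIN_B[1], root=hashlib.sha256(b"altered").digest()),
              CHAIN_B[2]]

if __name__ == "__main__":
    peers = {"A": CHAIN_A, "B": CHAIN_B, "C": CHAIN_C, "tampered": TAMPERED_B}
    for name, chain in peers.items():
        print(name, len(chain), "blocks, work:", chain_work(chain, GENESIS_HASH))
    print("best:", best_chain(peers, GENESIS_HASH))
```

Chain C carries the most work of all four candidates but is never considered, and a bootstrapping node shown A and B has nothing except cumulative work to choose between them, since both pass every check.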


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 05:58:36 PM
Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Where did you get this hash from? From your memory?

Both gold and the Blockchain have certain properties, as shown below.  Arguments like "if we all agree to start calling different things bitcoin, the blockchain and the genesis block, then that's all that matters," is again linguistics:  people could start calling the alloy of copper and zinc (i.e, brass) "gold" instead.  If everyone does this, then its name might eventually become "gold."  But this will never happen because it is useful for words to have specific meanings, and even if it did happen it doesn't change the fact that "gold" (copper/zinc) still isn't gold (element 79).  

'renaming' is a logical tool. We call it substitution and it is necessary to abstract things and make things comparable and re-usable. It furthermore helps focusing the mind when thinking about the bigger picture.

I am not saying we should call gold copper and vice versa but I say it could be helpful to use the term metal.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 06:31:08 PM
Both gold and the Blockchain have certain properties, as shown below.  Arguments like "if we all agree to start calling different things bitcoin, the blockchain and the genesis block, then that's all that matters," is again linguistics:  people could start calling the alloy of copper and zinc (i.e, brass) "gold" instead.  If everyone does this, then its name might eventually become "gold."  But this will never happen because it is useful for words to have specific meanings, and even if it did happen it doesn't change the fact that "gold" (copper/zinc) still isn't gold (element 79).  

'renaming' is a logical tool. We call it substitution and it is necessary to abstract things and make things comparable and re-usable. It furthermore helps focusing the mind when thinking about the bigger picture.

I am not saying we should call gold copper and vice versa but I say it could be helpful to use the term metal.


I think what it comes down to is objective versus subjective reality.  Your argument seems ridiculous to me [actually I don't even understand what you are saying], but I think that's because I believe in objective reality.  Do you believe that reality exists outside our perception of it?

I think it is the same thing with proof of work versus proof of stake.  Consensus in a proof-of-work system is tethered to objective reality (the best valid chain criteria).  Consensus in a proof-of-stake system comes entirely from within the system and thus without a tether to the physical world; solving forks like the one you just had with V1.1.3 requires a subjective decision to be made.  I suppose you still come to consensus, but the consensus may not reflect objective reality (but I don't think PoS supporters believe in objective reality so perhaps this point is not important to them).  

I think perhaps a PoS-like system could be designed to agree on objective reality, but I think it would need some tether to the physical world.  Maybe people could measure radio emissions from the sun, for instance, and use this as the tether.  


Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Where did you get this hash from? From your memory?


If I remember the thing about the Chancellor and the Bailouts and if I have that one number memorized (block hash), then I can personally verify whether a genesis block is The Genesis Block.  The analogy to gold holds once again: if I remember that gold is shiny and yellow and if I have its atomic number memorized, then I can personally verify whether a metal is Gold.  


If you don't believe in objective reality, then what happened in the past becomes popular opinion rather than fact.  But I think if the past is rewritable based on popular opinion, then it will be rewritten.  And then this starts sounding like Winston Smith's job at the Ministry of Truth in George Orwell's novel 1984.



Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 17, 2014, 06:42:24 PM
A recent 51% attack on a PoS coin.
https://bitcointalk.org/index.php?topic=483847.0

Granted it is a small coin, from a clueless developer but it does illustrate one common misconception.  A common argument from PoS supporters is that obtaining 51% of the money supply would be nearly impossible; however, that isn't the requirement.  The attacker only needs 51% of the network stake which will be some fraction of the total money supply.  In the case of "Coin2" it looks like the money supply is ~60M NC2, and the active network stake was ~10M NC2.  It only required the attacker to obtain >10M NC2 (~16% of the money supply) to attack the network and that assumes the 10M network stake didn't contain any of the attacker's coins.   The attacker can make the network appear more secure than it is by adding to the network stake prior to the attack.  We don't know exactly how much of the 10M network stake was held by the attacker but let's say it was 6M NC2; that means the effective security was only 4M coins (~6% of the money supply).  

Once the attacker had more than 51% of the network stake, he executed a double spend against mintpal (an exchange) resulting in a loss for the exchange (customers) of 22M NC2.  

The network stake will never be more than a fraction of the total money supply as coins used for staking are essentially locked capital.  A coin with 100% of the money supply being used as a stake would require 100% of the coins to be in hot wallets not being used for anything else (no cold storage, no transactions, no economic activity).   Looking at other PoS coins the network stake tends to be somewhere in the range of 20% to 30% of the money supply.  

The "fix" from the developers is a centralized seizure of the network and reboot.  While that can "work" for a small pump and dump altcoin with no future it obviously is not viable for any crypto currency to be taken seriously.  Centralized security for a decentralized network is an oxymoron.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 06:55:16 PM
Centralized security for a decentralized network is an oxymoron.

And believing that it's not an oxymoron is doublethink (http://en.wikipedia.org/wiki/Doublethink).  


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 07:15:55 PM
Peter... no it's not because we need a tether to physical world.  Hashes are mathematical.  It's simply because pow acts as a timestamp.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 07:20:07 PM
[...]

I understand you have no idea of logic.

Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Where did you get this hash from? From your memory?


If I remember the thing about the Chancellor and the Bailouts and if I have that one number memorized (block hash), then I can personally verify whether a genesis block is The Genesis Block.  The analogy to gold holds once again: if I remember that gold is shiny and yellow and if I have its atomic number memorized, then I can personally verify whether a metal is Gold.

Damn Peter. What is the matter in answering that simple question?

(But I see that you are able to abstract - well done)


Title: Re: Proof of stake instead of proof of work
Post by: Eadeqa on May 17, 2014, 07:23:18 PM
 While that can "work" for a small pump and dump altcoin with no future it obviously is not viable for any crypto currency to be taken seriously.  Centralized security for a decentralized network is an oxymoron.

Nxt doesn't have centralized points. Its PoS algorithm is different than all Peercoin clones, well according to CfB -- one of the main developers.


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 17, 2014, 07:23:44 PM
Why do you think that?  SPV clients are hardcoded with the contents of the genesis block just like any other node.  There is no difference between the two.  If you are following a chain which doesn't begin with the Bitcoin genesis block you are not part of the Bitcoin network.

Ok, I've got the wrong definition of SPV. The actual definition means they check blocks back to the genesis block.

In reality, bitcoinj (the most common SPV client) only downloads headers since the last checkpoint (included in a file shipped with the client). I was under the impression that this meant that by definition SPV clients don't have to check all the blocks just enough to have confidence that they are on the real chain.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 07:25:39 PM
Nxt doesn't have centralized points. Its PoS algorithm is different than all Peercoin clones, well according to CfB -- one of the main developers.

It is. I have looked through the code. The point in the Nxt forging algo is the determinism that outperforms any other PoS blockchain.

Peercoin uses another definition of stake:
 - Nxt: Stake = NXT
 - Peercoin: Stake = PPC x time


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 07:42:14 PM
I would refer the nxt enthusiasts back to this:

Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

I have not seen anything which shows how deterministic vs random selection makes it more difficult for an attacker to produce a reorg (I assume you mean reorganization not fork).  It is an interesting idea and it does ensure that a node, either maliciously or inadvertently, doesn't create a stake and then fail to produce blocks.  When a node should create the next block but doesn't the value of its stake is reduced to zero.  Still in this case the attacker is going to produce blocks and deterministic or random if an attacker has 51% of the stake it will produce the longest chain in the long run.

I was unable to come up with a good response to this...maybe he is correct or maybe y'all have an answer.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 07:49:01 PM
Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here. 
Nodes communicate to each other in the real physical world,
which includes time as a dimension, and time itself does seem
physical.  In other words, we cannot capture it or measure
it using mathematics alone.

However, we can mathematically express sequence.

Proof of work takes time which is why it works.
It is the time between blocks being so much bigger
than the time between state changes that makes
distributed consensus possible. 



Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 07:55:49 PM
Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

The advantage is that a bad guy has to outperform the legit chain in terms of cumulative difficulty.

With less than 51%, that is highly unlikely or expensive ( works like mining: finding the right block chain by trying out billions of them ).
With more than 51%, well you know the answer.

With TF, we can push the limit to ~90%. Well, as we know that is just a nice number. 100% is the theory but the world is not perfect => 90%.


Isolated nodes? The same problem everywhere. Solvable only by real-world interaction.

I mean what do you expect? A node that cannot interact with the legit part of the network. How should a node become aware of the things going on on the legit part of the network? IF it can become aware of them, it is not an isolated node anymore.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 07:58:14 PM
Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  
Where did you get this hash from? From your memory?
If I remember the thing about the Chancellor and the Bailouts and if I have that one number memorized (block hash), then I can personally verify whether a genesis block is The Genesis Block.  The analogy to gold holds once again: if I remember that gold is shiny and yellow and if I have its atomic number memorized, then I can personally verify whether a metal is Gold.
Damn Peter. What is the matter in answering that simple question?

(But I see that you are able to abstract - well done)

What I said was completely true.  Your question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called me a liar and I would have no way to prove myself.  If I had said "no" you may have used it as an argument to further blur reality.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 07:58:50 PM
Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here. 

Interesting. Nxt is highly sensitive to unsynchronized clocks. It looks like we have found Peter's tether to the physical world.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 17, 2014, 07:58:56 PM
With TF, we can push the limit to ~90%. Well, as we know that is just a nice number. 100% is the theory but the world is not perfect => 90%.

You know this how?  Correct me if I am wrong but the source code for TF has not been publicly released or peer reviewed.

Quote
With more than 51%, well you know the answer.
It is also important to keep in mind that it is not 51% of the money supply, it is 51% of the coins actively used as the network stake which for NXT and PPC right now is ~30% and there is no guarantee that the 30% all belongs to honest actors.  

As a complete hypothetical (not intended to represent any specific coin or implementation) let's consider a virtual currency, xCoin which has 100M xCoins outstanding and is secured by PoS.  The naive assumption (and often repeated by proponents) is that it would take >50M xCoins to attack the network but that is never the case.  Let's assume the network stake is 25M xCoins and that means at most it would require an attacker to have >25M xCoins.  Still even that is unrealistic because it assumes all 25M xCoins currently used as stake are "good" minters.  It would be effective for an attacker as he acquires the coins necessary to attack the network to contribute to the security of the network, and thus raise difficulty, lower the relative reward for staking and discourage additional contributions to network stake.  So let's assume that the attacker actually has 10M of the 25M xCoins in the current network stake.  This means the security of the network is only 15M xCoins.  To 51% the network would require not >50M xCoins, or even >25M xCoins but only >15M xCoins (and this hypothetical attacker already has 10M xCoins).

Most PoS coins to date have had ~20% to 30% of the money supply used for the network stake however none of them have any significant economic activity.  As economic activity rises it is probable the percentage of the money supply remaining in high age hot wallets in order to contribute to the stake will decline not increase.  So if the example xCoin ever becomes an economic success the stake might only be 15% of the outstanding coins and even that may include the stake of bad actors.
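
The arithmetic in the post above and in the earlier Coin2 post, as an added example that is not part of the thread: it computes how much honest stake actually stands between an attacker and a majority, then simulates a stake-weighted block lottery to show which side ends up with the longer chain. `StakeSnapshot`, `attacker_wins_rate` and the lottery model (each block slot won with probability equal to the share of active stake, each side extending only its own chain) are assumptions made for illustration; the coin figures are the ones quoted in the posts.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class StakeSnapshot:
    """Constructed view of a PoS coin at one moment (amounts in coins)."""
    money_supply: float
    network_stake: float      # coins actively staking
    attacker_in_stake: float  # part of network_stake the attacker already holds

    @property
    def honest_stake(self) -> float:
        return self.network_stake - self.attacker_in_stake

    def naive_threshold(self) -> float:
        """The figure usually quoted: half of the whole money supply."""
        return self.money_supply / 2

    def extra_coins_for_majority(self) -> float:
        """The attacker must add MORE than this many coins to the stake.

        Added coins grow the total stake as well, so the condition is
        attacker stake > honest stake, not attacker stake > network_stake / 2.
        """
        return max(0.0, self.honest_stake - self.attacker_in_stake)

    def effective_security_share(self) -> float:
        """Honest stake as a fraction of the money supply."""
        return self.honest_stake / self.money_supply


def attacker_wins_rate(attacker_share, blocks=200, trials=2000, seed=1):
    """Fraction of trials in which the attacker's chain ends up longer.

    Simplified model (an assumption, not any coin's real forging rule):
    every block slot goes to the attacker with probability attacker_share,
    otherwise to the honest minters, and each side extends its own chain.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        attacker_blocks = sum(rng.random() < attacker_share for _ in range(blocks))
        if attacker_blocks > blocks - attacker_blocks:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    cases = {
        "xCoin (hypothetical from the post)": StakeSnapshot(100e6, 25e6, 10e6),
        "Coin2 (figures from the earlier post)": StakeSnapshot(60e6, 10e6, 6e6),
    }
    for name, snap in cases.items():
        print(name)
        print(f"  naive threshold:          {snap.naive_threshold():>12,.0f}")
        print(f"  honest stake:             {snap.honest_stake:>12,.0f}")
        print(f"  extra coins needed (>):   {snap.extra_coins_for_majority():>12,.0f}")
        print(f"  honest stake / supply:    {snap.effective_security_share():.1%}")

    # Share of active stake before and after a constructed 6M top-up in xCoin.
    for share in (10 / 25, 16 / 31, 0.60):
        print(f"attacker share {share:.3f}: longer chain in "
              f"{attacker_wins_rate(share):.1%} of trials over 200 blocks")
```

A monitoring view built on this would track active stake and its concentration, since the money supply figure says little about how much stake an attacker has to out-weigh.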


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 08:00:34 PM
With more than 51%, well you know the answer.

With TF, we can push the limit to ~90%. Well, as we know that is just a nice number. 100% is the theory but the world is not perfect => 90%.


Really? How ?  Thx..


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 08:03:48 PM
Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here. 

Interesting. Nxt is highly sensitive to unsynchronized clocks. It looks like we have found Peter's tether to the physical world.

Don't know all the details of NXT but I discussed all this with DeathandTaxes in this very thread.  I agree there are other ways to deal with time but PoW is the most robust.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 08:04:10 PM
Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here.  
Nodes communicate to each other in the real physical world,
which includes time as a dimension, and time itself does seem
physical.  In other words, we cannot capture it or measure
it using mathematics alone.

However, we can mathematically express sequence.

Proof of work takes time which is why it works.
It is the time between blocks being so much bigger
than the time between state changes that makes
distributed consensus possible.  

The idea was actually inspired by your thread about the need to ensure that the time period for consensus events is much greater than the time scale at which complexity enters the network.  I still think you could take this idea further….

Perhaps "tether to the physical world" was too broad a statement.  I actually meant some way to agree on the sequence of events that came from outside the system itself--some way that was tied to objective reality.  This is why I referred to radio emissions from the sun (which I think was gmaxwell's idea).  


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 08:05:18 PM
What I said was completely true.

Come on. An IF-clause is true in most cases because I consider you an intelligent person. But that IF-clause of yours does not answer my question.

Your question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called me a liar and I would have no way to prove myself.  If I had said "no" you would have used it as an argument to further blur reality.

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it from trusted hardware/software. So, where did the trusted hardware/software get it from?"


Well, and at this point, I got you.

Where does the trust come from? => code review, belief, opinions of your friends etc. etc.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 08:08:46 PM
Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here.  
Nodes communicate to each other in the real physical world,
which includes time as a dimension, and time itself does seem
physical.  In other words, we cannot capture it or measure
it using mathematics alone.

However, we can mathematically express sequence.

Proof of work takes time which is why it works.
It is the time between blocks being so much bigger
than the time between state changes that makes
distributed consensus possible.  

The idea was actually inspired by your thread about the need to ensure that the time period for consensus events is much greater than the time scale at which complexity enters the network.  I still think you could take this idea further….

Perhaps "tether to the physical world" was too broad a statement.  I actually meant some way to agree on the sequence of events that came from outside the system itself--some way that was tied to objective reality.  This is why I referred to radio emissions from the sun (which I think was gmaxwell's idea).  

Broad yes, but you're absolutely right....time IS physical.  ....(but sequence is not.)

This is somewhat counterintuitive and not immediately obvious because
In everyday experience, time seems like an abstraction, yet when
you try to express it in purely quantitative terms, you see it isn't simply
an abstraction.  It is a dimension of state changes in the physical world.

 I'll try to think more on it.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 08:18:28 PM
What I said was completely true.

Come on. An IF-clause is true in most cases because I consider you an intelligent person. But that IF-clause of yours does not answer my question.

Your question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called me a liar and I would have no way to prove myself.  If I had said "no" you may have used it as an argument to further blur reality.

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it from trusted hardware/software. So, where did the trusted hardware/software get it from?"


Again what I said was true.  I said you may have called me a liar.  And you may have (in fact you still might and maybe I am).  How do I know what you actually would have done if I had done something different?  

Nevertheless, my answer to your next set of questions goes back to my gold analogy: how do I know that a piece of metal is gold?  Should I just believe what I've come to know over the course of my life that gold is yellow, shiny, dense, atomic #79, etc?  What if it's not?  What if everyone is lying to me?

What if cats are actually dogs and dogs are actually cats!!


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 08:21:17 PM
Your question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called me a liar and I would have no way to prove myself.  If I had said "no" you would have used it as an argument to further blur reality.

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it from trusted hardware/software. So, where did the trusted hardware/software get it from?"


Well, and at this point, I got you.

Where does the trust come from? => code review, belief, opinions of your friends etc. etc.

Here, I can show you substitution and abstraction:

 - substitute each red you by each item of this list [ChuckOne, Peter R, jonald_fyookball, Mr. Obama, ...] and you will see that it is applicable to each of them

 - abstract from that list [ChuckOne, Peter R, jonald_fyookball, Mr. Obama, ...] to Blockchain Network User

The logical conclusion here is:

A Blockchain Network User needs to verify or trust the software he uses anyway no matter if PoW or PoS.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 08:22:06 PM
What I said was completely true.

Come on. An IF-clause is true in most cases because I consider you an intelligent person. But that IF-clause of yours does not answer my question.

Your question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called me a liar and I would have no way to prove myself.  If I had said "no" you would have used it as an argument to further blur reality.

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it from trusted hardware/software. So, where did the trusted hardware/software get it from?"


Well, and at this point, I got you.

Where does the trust come from? => code review, belief, opinions of your friends etc. etc.

Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.



Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 08:23:42 PM
Nevertheless, my answer to your next set of questions goes back to my gold analogy: how do I know that a piece of metal is gold?  Should I just believe what I've come to know over the course of my life that gold is yellow, shiny, dense, atomic #79, etc?  What if it's not?  What if everyone is lying to me?

What if cats are actually dogs and dogs are actually cats!!

Yes, everybody is lying to you.

So, I assume you always build your software yourself AND before that, you look through the code.

But still, how do you verify that hash? Where does it come from initially?


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 08:28:58 PM
Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

Exactly, because I cannot prove the past.

From an abstract point of view, it makes no difference if the block height is 0 or if it is X when currently being at X+T and T is huge.

One could use a client using X as a checkpoint (for whatever reason) and have no problem at all.
One could use a client using 0 as a checkpoint (for whatever reason) and have no problem at all.

One could use client using X as a checkpoint (for whatever reason) and be on a fork.
One could use client using 0 as a checkpoint (for whatever reason) and be on a fork.

Substitute X and 0 with whatever symbol you see fit. They are equivalent.

EDIT: And here you see again, you have to verify or trust the last checkpoint.


Title: Re: Proof of stake instead of proof of work
Post by: Peter R on May 17, 2014, 08:30:57 PM
Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

This discussion about the genesis block being a "checkpoint" is pure nonsense because it is as much a part of the definition of bitcoin as the protocol, the 21 million coins, the digital signature algorithm, etc, etc.  

If you say things like "how do you know cats aren't dogs a genesis block is The Genesis Block," you could also say "how do you know that bitcoin has a 21 million coin limit?  How do you know that bitcoin uses ECDSA?  How do you know that you know?"

If you deny objective reality and if you refuse to accept that words have specific meanings, then debates devolve into mush like this one has.


Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 17, 2014, 08:37:15 PM
A Blockchain Network User needs to verify or trust the software he uses anyway no matter if PoW or PoS.

That is true.  It is an assumption in the security model.  Of course you are stuck on the idea that the genesis block can be forged (because you are trying to support a logical fallacy) that you ignore far obvious examples of why this is true.   If the attacker has compromised your node (hardware, operating system, node software) then you have no assurance you are part of the network at all.  The attacker could steal your private keys, the attacker could have you generate weak private keys, the attacker could feed you false information ("yes block 123 is valid and contains your payment" when no such block or transaction even exists), the attacker could simply wait until you obtain a desired amount of wealth and then transfer it to an address he controls.  You can't assume any level of security.  If your node is compromised then you have no security at all.

So yes the security model assumes that the node (not just the client software, but hardware, operating system, and connectivity to the network at large) is secure.  
It also assumes the cryptographic primitives used are cryptographically strong.
It also assumes the implementation makes no errors which weaken that security (duplicate k values in signing as an example).
It also assumes that no malicious entity has >50% of the critical resource (computing power and/or stake).

None of those assumptions are different for PoS vs PoW so they are irrelevant for a topic called "Proof of stake instead of proof of work".  The one notable difference between PoS & PoW is that an attacker can use something he had at one time but no longer has to attack the network.   This is commonly called the "PoS problem" but I think "history attack" is more descriptive.   Taking a step back this is possible for PoS (and possibly other as of yet developed systems) due to the fact that what is being secured is also what is being used to secure it.  The irreversibility of blockchain is being secured by records of the same blockchain*.  In other words we are assuming the blockchain can't be modified because based on records in the blockchain not being modified.  This property allows an attacker to reduce the cost and risk of an attack by selling off the stake and using the prior record of it to perform the attack.

Saying that one can simply disregard the longest chain by knowing which chain is correct by "code review" or "opinion of friends" is a logical fallacy.  If you can disregard the longest chain, and pick a chain because it is "better" despite being equally valid, different, and shorter then you don't need PoS or PoW to begin with.  You can just use your "code review" and "opinion of your friends" to determine the best chain at any point in time.   Of course "opinion of friends" expanded to a global scale would be to connect to all known peers and ask them which chain is best.  The issue is that the security model is weak and subject to Sybil attack.   The very reason PoW or PoS is used is because reaching a consensus based on what a majority of nodes think is weak.  Can't you see the logical fallacy?

1) Chains may contain equally valid but different sets of transactions.
2) We can't just have nodes vote on the best chain as this is subject to a Sybil attack and in a decentralized trustless network there is no known solution.
3) The solution is to have miners force a consensus using a critical resource (stake or computing power).
4) When a node has two competing chains that are both equally valid the chain which is the longest* is the best chain.

now here comes your fallacy
5) When the longest chain is "bad" we can just disregard it by asking our peers which one is the best which is a contradiction of #2.  

If it were true the security model would simply be
1) Chains may contain equally valid but different sets of transactions.
2) When a node has two competing equally valid chains it asks its peers which one is the "best".

If you believe #5 is valid then the proof of work/stake is utterly pointless.  You only follow it when it otherwise is in agreement on what you believe is best but when it disagrees with that you consult your peers.  If that was a valid solution then just skip the pointless interim steps and just consult with your peers.



* Side note when writing this an idea occurred to me of using the stake in a PoW blockchain to secure a different, alternate blockchain.  I have no idea if this has any merit but when writing this, it occurred to me that this might not have the "PoW" problem.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 08:42:36 PM
Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

Exactly, because I cannot prove the past.


So you admit that.

I think this is the heart of the matter and source of the disagreement.

Quote
From an abstract point of view, it makes no difference if the block height is 0 or if it is X when currently being at X+T and T is huge.

One could use a client using X as a checkpoint (for whatever reason) and have no problem at all.
One could use a client using 0 as a checkpoint (for whatever reason) and have no problem at all.

One could use client using X as a checkpoint (for whatever reason) and be on a fork.
One could use client using 0 as a checkpoint (for whatever reason) and be on a fork.

Substitute X and 0 with whatever symbol you see fit. They are equivalent.

EDIT: And here you see again, you have to verify or trust the last checkpoint.
 
I think it's irrelevant.  The key difference is that
one is a "contract/agreement" where all the rules of the game
are laid out at the very beginning (i.e. genesis block), and the other
one has participants that can change the rules as they go along.

Can you not see a difference?




Title: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 17, 2014, 08:54:30 PM
From an abstract point of view, it makes no difference if the block height is 0 or if it is X when currently being at X+T and T is huge.

Of course it does.  The hash of block 0 will never change.  I can print it out, put it in my safe and verify that network starts from the same genesis block a century from now.  The hash of X will change periodically and may not be consistent among all nodes.  For NXT it changes twice a day.   If you can't see the difference in the level of verification of a single universal static value which is hardcoded into the client (and if the client is insecure/flawed/noncompliant you have already broken a basic security assumption of all cryptocurrencies) and a locally computed value which is continually changing and may not be consistent for all nodes then well then you just don't want to see.

Quote
One could use client using 0 as a checkpoint (for whatever reason) and be on a fork.

The "for whatever reason" makes it a true but pointless statement.  If your node is secure and compliant then you verify the best chain independently UNLESS the protocol has local checkpoints as that behavior is non deterministic.  With a network which needs local checkpoints, you can never independently verify that you are on the best chain. That is a huge problem for a network which is designed to facilitate commerce without a trusted third party.

So to replace it with a meaningful distinction:
Given a secure and compliant node, and a protocol that does not use local checkpoint rules, then your node can independently verify the best chain.
Given a secure and compliant node, and a protocol that does use local checkpoint rules, then your node can not independently verify the best chain.

That will be my last post because honestly at this point if you don't see it, then it simply means you don't want to see it.
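
The distinction this post draws between a hardcoded genesis hash and locally pinned checkpoints, as an added sketch that is not part of the thread or of any coin's code: two nodes that pinned height 5 from different branches settle on different tips, while nodes that verify only from the genesis block agree whatever order the chains arrive in. The `Block` model, `best_chain`, the payload strings and the use of chain length as a stand-in for cumulative work or stake are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    parent: str   # hash of the previous block
    payload: str  # stands in for the block's transactions

    @property
    def hash(self) -> str:
        return hashlib.sha256(f"{self.parent}|{self.payload}".encode()).hexdigest()


# Constructed genesis block: the one static value every client ships with.
GENESIS = Block(parent="0" * 64, payload="constructed genesis")
GENESIS_HASH = GENESIS.hash


def extend(chain, payloads):
    """Return a new chain with one block per payload appended."""
    chain = list(chain)
    for payload in payloads:
        chain.append(Block(chain[-1].hash, payload))
    return chain


def is_linked_to_genesis(chain):
    """True if the chain starts at the hardcoded genesis and every link matches."""
    if not chain or chain[0].hash != GENESIS_HASH:
        return False
    return all(b.parent == a.hash for a, b in zip(chain, chain[1:]))


def best_chain(candidates, checkpoint=None):
    """Pick the longest valid chain; length stands in for cumulative work/stake.

    checkpoint is None or a (height, block_hash) pair the node pinned
    locally; any chain that disagrees with the pin is rejected outright.
    """
    accepted = []
    for chain in candidates:
        if not is_linked_to_genesis(chain):
            continue
        if checkpoint is not None:
            height, pinned = checkpoint
            if len(chain) <= height or chain[height].hash != pinned:
                continue
        accepted.append(chain)
    return max(accepted, key=len, default=None)


def demo():
    """Two branches forking after height 3; returns the tip each node picks."""
    common = extend([GENESIS], ["b1", "b2", "b3"])
    chain_a = extend(common, [f"a{i}" for i in range(4, 10)])  # tip at height 9
    chain_b = extend(common, [f"b{i}" for i in range(4, 12)])  # tip at height 11

    # Genesis-only nodes: arrival order of the candidates does not matter.
    first = best_chain([chain_a, chain_b])
    second = best_chain([chain_b, chain_a])
    # Nodes that pinned height 5 from whichever branch they happened to see.
    pinned_a = best_chain([chain_a, chain_b], checkpoint=(5, chain_a[5].hash))
    pinned_b = best_chain([chain_a, chain_b], checkpoint=(5, chain_b[5].hash))
    return {
        "tip_a": chain_a[-1].hash,
        "tip_b": chain_b[-1].hash,
        "genesis_only": (first[-1].hash, second[-1].hash),
        "pinned_a": pinned_a[-1].hash,
        "pinned_b": pinned_b[-1].hash,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```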


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on May 17, 2014, 09:06:09 PM
Exactly, because I cannot prove the past.

So you admit that.

Did I state it otherwise? If so, excuse that, please.

I think it's irrelevant.  The key difference is that
one is a "contract/agreement" where all the rules of the game
are laid out at the very beginning (i.e. genesis block), and the other
one has participants that can change the rules as they go along.

Can you not see a difference?


Well, technically speaking, no. If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.

I understand where you are coming from. However, things change over time. So does the notion/definition of Bitcoin. I cannot tell you what Bitcoin will be in 2000 years from now. But it has to change if the community wants it to survive. It is like evolution.

I mean, take you as an example. At least your family, your friends, your neighbors etc. call you with the same name as they did 1, 2, 3, 4, 5 years ago. But is it what they call really you? You changed over time. Your identity card works like a checkpoint. However, it verifies your older self. However, it might work for many people as a checkpoint. Your "genesis block" is your birth certificate and it works like a checkpoint, too.

If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.


Okay, I am out for today. Cya later guys.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 17, 2014, 09:18:37 PM
Exactly, because I cannot prove the past.

So you admit that.

Did I state it otherwise? If so, excuse that, please.

I think it's irrelevant.  The key difference is that
one is a "contract/agreement" where all the rules of the game
are laid out at the very beginning (i.e. genesis block), and the other
one has participants that can change the rules as they go along.

Can you not see a difference?


Well, technically speaking, no. If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.

I understand where you are coming from. However, things change over time. So does the notion/definition of Bitcoin. I cannot tell you what Bitcoin will be in 2000 years from now. But it has to change if the community wants it to survive. It is like evolution.

I mean, take you as an example. At least your family, your friends, your neighbors etc. call you with the same name as they did 1, 2, 3, 4, 5 years ago. But is it what they call really you? You changed over time. Your identity card works like a checkpoint. However, it verifies your older self. However, it might work for many people as a checkpoint. Your "genesis block" is your birth certificate and it works like a checkpoint, too.

If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.


Okay, I am out for today. Cya later guys.

Maybe DeathandTaxes is right...maybe you just don't want to see the difference.

I'll leave you with 3 analogies that might help convey what we are trying to
communicate to you.

ANALOGY #1:

Take the game of basketball... imagine a new league was started by Michael Jordan.
He sits in the stands every game, and he's allowed to change things at will.
He can, in the middle of the game, decide a basket is worth 7 points.  Or
he can roll back the score.  Whatever he feels like that day.  Do you think
people would take that league as seriously as the NBA?

ANALOGY #2:

Imagine you have a mortgage on a house.  Would you rather have a fixed
rate mortgage, and know what your monthly payment is before you
sign the loan... Or would you rather have a variable rate loan where
it could be anything?

ANALOGY #3:

Do you negotiate a business contract before or after the work is done?
Do you come to a consensus upfront, before anyone has committed
any time, energy, money, and other resources,... or do you just let
the chips fall where they might, and come to an agreement later?

----

The point is, when you're talking about consensus, you're talking about
agreement among human beings.   Nearly everyone prefers to buy into a system
that is predictable and has fixed rules and parameters...  rather than
a system where it can be changed later.



Title: Re: Proof of stake instead of proof of work
Post by: Brangdon on May 18, 2014, 12:20:34 PM
The network stake will never be more than a fraction of the total money supply as coins used for staking are essentially locked capital.  A coin with 100% of the money supply being used as a stake would require 100% of the coins to be in hot wallets not being used for anything else (no cold storage, no transactions, no economic activity).
I don't believe that is true for Nxt. Especially with leased forging. ("Forging" is what Nxt calls mining.) Leased forging delegates the forging power of one node to another, leaving the source address unable to forge. However, the source address still owns the coins and they can still be spent - spending them reduces the effective forging power of the other node. There's a transaction that sets this up, and then the network remembers the lease and takes it into account when calculating forging powers.

Once leased, the source address no longer needs to be online. Your stake isn't locked capital. You can still spend it and be economically active. You can keep your stake in cold storage and still use it for forging.


Title: Re: Proof of stake instead of proof of work
Post by: dogisland on May 19, 2014, 09:15:56 AM
The network stake will never be more than a fraction of the total money supply as coins used for staking are essentially locked capital.  A coin with 100% of the money supply being used as a stake would require 100% of the coins to be in hot wallets not being used for anything else (no cold storage, no transactions, no economic activity).
I don't believe that is true for Nxt. Especially with leased forging. ("Forging" is what Nxt calls mining.) Leased forging delegates the forging power of one node to another, leaving the source address unable to forge. However, the source address still owns the coins and they can still be spent - spending them reduces the effective forging power of the other node. There's a transaction that sets this up, and then the network remembers the lease and takes it into account when calculating forging powers.

Once leased, the source address no longer needs to be online. Your stake isn't locked capital. You can still spend it and be economically active. You can keep your stake in cold storage and still use it for forging.

This makes the situation worse, does it not? Now NXT owners will lease their coins to a handful of operators to earn fees.

These operators would be perfectly placed to mount an attack. They would have a % of the POS coins and they can mount a double spend attack with pretty much zero risk as identified by DaT.

It would be nice to get a clear statement from the NXT guys as to whether this is possible or not.

 


Title: Re: Proof of stake instead of proof of work
Post by: Brangdon on May 19, 2014, 12:25:15 PM
This makes the situation worse, does it not? Now NXT owners will lease their coins to a handful of operators to earn fees.

These operators would be perfectly placed to mount an attack. They would have a % of the POS coins and they can mount a double spend attack with pretty much zero risk as identified by DaT.
It's similar to the situation with Bitcoin hashing pools. A few hashing pools together control over 51% of the hashing power, so that becomes a vulnerability for Bitcoin. The difference is that it's easier to set up a forging pool than a hashing pool, so hopefully we will have more of them, and the power will be less centralised. But yes, leased forging makes it feasible to gain a large fraction of forging power for little financial outlay, and that's something the community needs to be vigilant about (much as how the Bitcoin needs to be vigilant about hashing pools).

(Nxt has the additional danger that forging power is effectively moved around by transactions, and the node that forges a block gets to choose which transactions they include, so they could reject transactions that transfer forging power away from themselves. That is why forging leases are temporary, so they will eventually expire even if no transactions get processed. I'm not sure that's enough. In this regard a hashing pool is more responsive, because nothing can stop an individual hasher from withdrawing from a rogue pool immediately.)

I don't think most of DaT's comments apply to Nxt, because it's such a different algorithm not based on coin-days destroyed. For example, it doesn't use checkpoints so all the discussion of those is irrelevant. Unfortunately I don't understand Nxt's algorithm too well myself; and even if I did, they plan to change it to something called "transparent forging" in a few months, and the details of that are being kept secret for fear of clones.


Title: Re: Proof of stake instead of proof of work
Post by: hashman on May 20, 2014, 11:33:35 AM
Thanks ChuckOne for keeping the discussion going and those posters who have helped educate me on this issue.  I have to side with those who argue the genesis block is a checkpoint of sorts.  But that is a semantic argument isn't it?  To derail more meaningful discussion?   

Indeed it looks like the goalposts have changed in this discussion.  In my opinion the proof of stake proponents still need to pursue the goal of showing us one way in which proof of stake is necessary or helpful.  So far it looks to me like the only way it is helpful is to make an economic distribution which is more unfair.  Of course, more unfair is good if you are on the right side of the fence. 

Instead of trying to explain what problem PoS tries to solve, the discussion has been around just how bad the various other security holes introduced by PoS are. 

The argument that PoS is somehow more energy efficient is false.  Either you allow your miners (forgers) to expend as much energy to mine as they like (as e.g. BTC and PPC do and perhaps NXT as well if this talk of SHA256 guesses in forging is true)..   or you don't.  If you are allowing miners / forgers to expend as much energy as they like, they might spend a lot if they so choose.  Hardly a problem in need of a solution is it.   

As to proof of stake somehow being more immune to 51% attack the discussion has basically been around how much more vulnerable it is than proof of work.  A lot more vulnerable?  Or just a little bit.  In any case there isn't really a problem here either because all participants know of the possibility of a double spend attack and associated costs and can wait for an amount of confirmations that they choose accordingly. 



 



Title: Re: Re: Proof of stake instead of proof of work
Post by: DeathAndTaxes on May 20, 2014, 01:10:26 PM
As to proof of stake somehow being more immune to 51% attack the discussion has basically been around how much more vulnerable it is than proof of work.  A lot more vulnerable?  Or just a little bit.  In any case there isn't really a problem here either because all participants know of the possibility of a double spend attack and associated costs and can wait for an amount of confirmations that they choose accordingly.

Careful.  The number of confirmations increases the confidence that the chain can't be reversed IF the attacker has a minority of the critical resource.  This is the same for both PoW and Pos and likely any other PoX systems to be created.   If the attacker has a majority of the critical resources then it is a mathematical certainty that the attacker will eventually produce the longest chain so 6, 100, 5,000 confirmations is insufficient to ensure that a transaction can't be reversed.   


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 20, 2014, 10:39:21 PM
This makes the situation worse, does it not? Now NXT owners will lease their coins to a handful of operators to earn fees.

These operators would be perfectly placed to mount an attack. They would have a % of the POS coins and they can mount a double spend attack with pretty much zero risk as identified by DaT.
It's similar to the situation with Bitcoin hashing pools. A few hashing pools together control over 51% of the hashing power, so that becomes a vulnerability for Bitcoin. The difference is that it's easier to set up a forging pool than a hashing pool, so hopefully we will have more of them, and the power will be less centralised. But yes, leased forging makes it feasible to gain a large fraction of forging power for little financial outlay, and that's something the community needs to be vigilant about (much as how the Bitcoin needs to be vigilant about hashing pools).

(Nxt has the additional danger that forging power is effectively moved around by transactions, and the node that forges a block gets to choose which transactions they include, so they could reject transactions that transfer forging power away from themselves. That is why forging leases are temporary, so they will eventually expire even if no transactions get processed. I'm not sure that's enough. In this regard a hashing pool is more responsive, because nothing can stop an individual hasher from withdrawing from a rogue pool immediately.)

I don't think most of DaT's comments apply to Nxt, because it's such a different algorithm not based on coin-days destroyed. For example, it doesn't use checkpoints so all the discussion of those is irrelevant. Unfortunately I don't understand Nxt's algorithm too well myself; and even if I did, they plan to change it to something called "transparent forging" in a few months, and the details of that are being kept secret for fear of clones.

Doesn't matter what you call it ... coin days destroyed, stake lending or transparent forging. The fact is that stake holders who owned and sold their stake can repeat the same method and produce an alternate chain of the PoS coin and claim their stake back by showing more stake power. Old stake owners will always have an incentive to do that because of profit.

Add to the fact that increased economic activity will reduce the stake used for minting (which is already very low for PoS coins) and thus lower % of stake used to secure current chain it is a recipe for long-term disaster or eventual centralization. From central bankers to central programmers.


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 03:09:51 AM
Proof of work is significantly inferior to proof of stake, for several reasons.
1. Centralization. Just look at the distribution of hash power. The problem is that mining has almost infinite economies of scale, logically leading to complete centralization eventually, ie. one mining actor. Had a powerful state wanted to destroy bitcoin, raiding a few mining farms is already trivial and cheap. The security of bitcoin depends on lack of political will.  

There are no economies of scale in PoS. There can be in some PoS implementations, but it's not characteristic of all PoS.  

2. Low and very expensive security. The miner doesn't have any economic interest in the currency per se, only in daily miners' revenue (new coins + fees). If at some point expected return on capital from acting against currency is higher than expected future miners' revenue, rational miner will become hostile.  
This is a much more serious problem if it's possible to rent vast amount of hash power, because then the costs for the attacker are drastically smaller.

Thus, on a perfect market with renting, the price for control of pow coin for time t is just a tiny bit more expensive than half of miners' revenue in time t. Hard to say what's the time required to significantly profit from damage, probably by using derivatives on coin's price. A day?

In comparison, attacking Proof of Stake currency requires losing the value of >50% of coin's market cap, which is a much bigger number than half of daily mining revenues. PoS currency is much, much safer.

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins.  

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

That only works for the attackers which collectively owned 100% of coins at one point in time (one block), because otherwise, if at any point foreign coins are present, the stake of their blockchain is lower and their attack fails.

It's very important that PoS doesn't allow one to replay transactions from different blockchain into another one, otherwise it's indeed theoretically possible to buy different coins, sell them, then buy another different coins, and then replay all those transactions in a false block.
Note that attackers, by the act of selling their coins, confirm the true blockchain. Situation:

A sells all 99% of all coins on block x in chain A, effectively affirming this blockchain's validity as of block x-1.
Now A wants to rewrite the history, he creates block x without his transaction.
If he's the only forger and there are no transactions, the blockchains, up to and including x, are equal in validity, with 99% of stake behind them. After x, he can create new blocks in fake blockchain, the buyer can create blocks in true blockchain.  
However, if in true blockchain in block x or at any point later there's another stake involved, even a minuscule amount, his fake blockchain loses. A block x with 99% of stake followed with block x+y with 0.5% of stake means that block x is confirmed by 99.5% of stake.
A can't do anything.    

This invalidates the "nothing at stake" argument. Attacks are not free. You need to own the majority of stake, because creating a transaction confirms the blockchain.  

I'm sort of afraid that one of badly designed PoS currencies will be attacked by the way you described sooner or later, which will cause everyone to think that it's the fault of PoS in general.  

Proof-of-stake will never remain decentralized:

https://bitcointalk.org/index.php?topic=558316.msg6501774#msg6501774

Send all proof-of-stake currencies to the trashcan.
Quote
any system that attempts to replace proof-of-work will rely on some form of reputation, and reputation is centralization
The amount of stake isn't reputation.

Quote
The most significant flaw of any proof-of-stake system and any system that diminishes coin rewards, is it can't distribute currency from the hoarders to the users of the currency, thus it will end up with the hoarders (the banksters) accumulating all the coin and the currency usage dying.
Proof of stake is a system for achieving consensus as to the state of balances. A proof of stake currency can have PoW method of distribution which plays no other role. Or any other method.  



Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 21, 2014, 04:15:26 AM
Proof of work is significantly inferior to proof of stake, for several reasons.
1. Centralization. Just look at the distribution of hash power. The problem is that mining has almost infinite economies of scale, logically leading to complete centralization eventually, ie. one mining actor. Had a powerful state wanted to destroy bitcoin, raiding a few mining farms is already trivial and cheap. The security of bitcoin depends on lack of political will.  

There are no economies of scale in PoS. There can be in some PoS implementations, but it's not characteristic of all PoS.  

2. Low and very expensive security. The miner doesn't have any economic interest in the currency per se, only in daily miners' revenue (new coins + fees). If at some point expected return on capital from acting against currency is higher than expected future miners' revenue, rational miner will become hostile.  
This is a much more serious problem if it's possible to rent vast amount of hash power, because then the costs for the attacker are drastically smaller.

Thus, on a perfect market with renting, the price for control of pow coin for time t is just a tiny bit more expensive than half of miners' revenue in time t. Hard to say what's the time required to significantly profit from damage, probably by using derivatives on coin's price. A day?

In comparison, attacking Proof of Stake currency requires losing the value of >50% of coin's market cap, which is a much bigger number than half of daily mining revenues. PoS currency is much, much safer.

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins.  

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

That only works for the attackers which collectively owned 100% of coins at one point in time (one block), because otherwise, if at any point foreign coins are present, the stake of their blockchain is lower and their attack fails.

It's very important that PoS doesn't allow one to replay transactions from different blockchain into another one, otherwise it's indeed theoretically possible to buy different coins, sell them, then buy another different coins, and then replay all those transactions in a false block.
Note that attackers, by the act of selling their coins, confirm the true blockchain. Situation:

A sells all 99% of all coins on block x in chain A, effectively affirming this blockchain's validity as of block x-1.
Now A wants to rewrite the history, he creates block x without his transaction.
If he's the only forger and there are no transactions, the blockchains, up to and including x, are equal in validity, with 99% of stake behind them. After x, he can create new blocks in fake blockchain, the buyer can create blocks in true blockchain.  
However, if in true blockchain in block x or at any point later there's another stake involved, even a minuscule amount, his fake blockchain loses. A block x with 99% of stake followed with block x+y with 0.5% of stake means that block x is confirmed by 99.5% of stake.
A can't do anything.    

This invalidates the "nothing at stake" argument. Attacks are not free. You need to own the majority of stake, because creating a transaction confirms the blockchain.  

I'm sort of afraid that one of badly designed PoS currencies will be attacked by the way you described sooner or later, which will cause everyone to think that it's the fault of PoS in general.  

Proof-of-stake will never remain decentralized:

https://bitcointalk.org/index.php?topic=558316.msg6501774#msg6501774

Send all proof-of-stake currencies to the trashcan.
Quote
any system that attempts to replace proof-of-work will rely on some form of reputation, and reputation is centralization
The amount of stake isn't reputation.

Quote
The most significant flaw of any proof-of-stake system and any system that diminishes coin rewards, is it can't distribute currency from the hoarders to the users of the currency, thus it will end up with the hoarders (the banksters) accumulating all the coin and the currency usage dying.
Proof of stake is a system for achieving consensus as to the state of balances. A proof of stake currency can have PoW method of distribution which plays no other role. Or any other method.  



I think you're going to have to do better than this before you can claim to have solved the nothing at stake problem. 

You're saying that Alice who sold 99% stake to Bob would have her chain outcompeted by someone transacting with .5% share on top of Bob's chain, presumably because Bob would wait for confirmations before accepting the transaction, while others are building on top of it.

But what about when Alice owns 30% stake, sells it, and secretly has another 30% stake waiting in the wings.
The fact is you don't know how much stake an attacker has, (how much of their stake is going into the attack).


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 04:31:47 AM
You're saying that Alice who sold 99% stake to Bob would have her chain outcompeted by someone transacting with .5% share on top of Bob's chain, presumably because Bob would wait for confirmations before accepting the transaction, while others are building on top of it.

But what about when Alice owns 30% stake, sells it, and secretly has another 30% stake waiting in the wings.
The fact is you don't know how much stake an attacker has, (how much of their stake is going into the attack).
30% stake loses with 70% stake. That's the whole point.  

True chain confirmations example:
Alice's 30% -> same stake, buyer's 30% -> then someone (many someones) else with 35%, in effect
30%+35%, 30%+35%, 35%

later, even more stake.

False chain:
60%... nope, 60% < 65%, rejected.  

Now there may be a problem in practice, in that if there's not enough stake active it may take some time to destroy the illicit fork with big amounts.    
However, owners of the currency know it, so they should either run a full node for this very reason, or lend their forging to someone they trust. It's their money after all.
Zipf distribution seems to describe the wealth concentration best, so in fact it's practical.  

Even if you're pessimistic and say that's 20% of the coin is enough to fork a coin for several hours, that's still much larger security than in PoW! (as % of market cap).

The amount of full nodes in bitcoin doesn't mean anything here, as there's no comparable reason for bitcoin holders to run full nodes.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 21, 2014, 04:51:48 AM
You're really not providing enough explanation
for how your anti-99% attack system would operate.

Look, either the best chain is the one with the
most cumulative stake, or it's the one with the
most stake owned at a particular point.

It can't simultaneously be both.

If you're talking about cumulative stake, then
a 51% attacker could simply pass coins
back and forth to himself.

And if it's about total stake at a point in time,
then he wins with 51% anyway.

I would love to be wrong, but I don't think
there is any magic bullet here.
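
The two weighting rules argued over in the posts above can be compared in a toy model. This is an added example, not part of any post and not any coin's code; the coin-lot model, the addresses (alice, bob, carol, alice2) and both rule functions are assumptions, with the 30% / 35% / 60% figures taken from the example in the thread.

```python
# Added illustration: two ways to weigh a proof-of-stake fork.
# Everything here is a constructed toy model, not Nxt or Peercoin code.
# A chain is a list of blocks; a block is a list of (address, coin_lot)
# pairs naming the stake that signed or transacted in it. A coin lot keeps
# its id when it moves to a new address.


def weight_by_coin(chain, lots):
    """Count every coin lot once, however many addresses it passed through."""
    seen = {lot for block in chain for (_addr, lot) in block}
    return sum(lots[lot] for lot in seen)


def weight_by_address(chain, lots):
    """Count a lot again each time it appears under a different address."""
    seen = {(addr, lot) for block in chain for (addr, lot) in block}
    return sum(lots[lot] for (_addr, lot) in seen)


def best_chain(chains, rule, lots):
    """Name of the heaviest chain under `rule`, or None when weights tie."""
    weights = {name: rule(chain, lots) for name, chain in chains.items()}
    top = max(weights.values())
    winners = [name for name, w in weights.items() if w == top]
    return winners[0] if len(winners) == 1 else None


def sold_stake_scenario():
    """The 30% / 35% / 60% case: sold plus hidden stake against the rest."""
    lots = {"sold": 30, "hidden": 30, "others": 35, "idle": 5}  # % of supply
    chains = {
        "true": [
            [("alice", "sold")],     # block x: Alice's sale to Bob
            [("bob", "sold")],       # buyer forges with the same coins
            [("carol", "others")],   # unrelated stake transacts later
        ],
        "fork": [
            [("alice", "sold")],     # block x rewritten without the sale
            [("alice2", "hidden")],  # stake that was kept out of sight
        ],
    }
    return lots, chains


def shuffle_scenario(stake, hops):
    """One holder moves `stake`% through `hops` addresses on a private fork."""
    lots = {"mover": stake, "rest": 100 - stake}
    chains = {
        "shuffled": [[(f"addr{i}", "mover")] for i in range(hops)],
        "honest": [[("honest", "rest")] for _ in range(hops)],
    }
    return lots, chains


if __name__ == "__main__":
    lots, chains = sold_stake_scenario()
    for name, chain in chains.items():
        print("sold-stake", name, weight_by_coin(chain, lots))

    for stake, hops in [(20, 5), (51, 1)]:
        lots, chains = shuffle_scenario(stake, hops)
        print(f"shuffle {stake}% x{hops}:",
              "by address ->", best_chain(chains, weight_by_address, lots),
              "| by coin ->", best_chain(chains, weight_by_coin, lots))
```

Under coin counting, moving coins between addresses adds nothing, but a holder of more than half of the participating coins still produces the heaviest chain.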


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 05:07:37 AM
You're really not providing enough explanation
for how your anti-99% attack system would operate.
It's not anti 99% attack, that simply shows you can't sell 99% of coins and then rewind if there's someone else. You still can force forks if you have >50%, but you can't force a fork if you sold them, because the buyer can also forge.

The whole point is that the cost of such attack is orders of magnitude higher than in PoW, as percent of market cap, especially in later stage, where there are only transaction fees.


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 08:35:54 AM
You're really not providing enough explanation
for how your anti-99% attack system would operate.
It's not anti 99% attack, that simply shows you can't sell 99% of coins and then rewind if there's someone else. You still can force forks if you have >50%, but you can't force a fork if you sold them, because the buyer can also forge.

The whole point is that the cost of such attack is orders of magnitude higher than in PoW, as percent of market cap, especially in later stage, where there are only transaction fees.


Where do you get these 99% stake stuff?
PoS coins use 10% of stake and dropping as economic activity goes up. Let alone that their profits are tiny to justify such big stake in minting (Just early adopters minting to support their system). If a real economy exists many will put their coins in more productive uses than minting and will not even care.
Many exchanges or early adopters of PoS coins currently have  stake history higher than current minting rate of PoS coins. Where is the security? This is a joke and not superior to PoW.  

Why do you assume all these nodes will be online at the time of the attack?

Why do you assume that lending will be something everybody will do? Why do you assume that it will not backfire giving one person extreme stake history who might not care about the coin at the present?

Why do you say lend your coins to a person you can trust if you want to build a trustless system?

What about the fact that coins get lost and later stakers will have less cumulative total stake available?

Why do you assume that the rest honest stakers (those not having their coins reversed) will not mint both chains?
As gmaxwell said a rational miner will mine both chains to maximize profit.

All PoS coins are very centralized in their stake distribution and don't forget that when you say they are decentralized. Let alone all the other reasons PoS coins are not decentralized.



Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 09:23:44 AM
PoS coins use 10% of stake and dropping as economic activity goes up.

Which PoS coins? I'm aware of only NXT, which has much more online, but then it works in a different way. Peercoin isn't PoS, it failed, very bad design.

 Let alone that their profits are tiny to justify such big stake in minting (Just early adopters minting to support their system). If a real economy exists many will put their coins in more productive uses than minting and will not even care.

Coins aren't productive, they can be either online or offline, that's it. Online forges.  

Why do you assume all these nodes will be online at the time of the attack?
I didn't write that. Still, even at your 10% of honest stake, as you said, you need >10% of hostile stake. That's still much more as % of market cap

Why do you assume that lending will be something everybody will do? Why do you assume that it will not backfire giving one person extreme stake history who might not care about the coin at the present?
Not everybody, just people with small amounts. First, it's not like there's only going to be one person. Second, big holders will dominate with their own nodes. Third, doing an attack like this would be actually criminal, so don't lend forging power to anonymous people in third world countries and it's going to be ok

Why do you say lend your coins to a person you can trust if you want to build a trustless system?
Not lend coins, lend forging power. It's not required, but it makes the network a tiny bit safer

What about the fact that coins get lost and later stakers will have less cumulative total stake available?

It's true that it's a problem if the loss amount is extreme. However, over long periods the validity of older blocks will be close to 100%, as many different stakes will get transacted.  

Quote
Why do you assume that the rest honest stakers (those not having their coins reversed) will not mint both chains?
As gmaxwell said a rational miner will mine both chains to maximize profit.

It's trivial to create a rule which makes one block with identical stake better than another, like a comparison with hashes. This would lead the honest nodes to completely ignore the worse block. To break that would be equivalent to acting directly against self financial interest, for no reason, and as long as all people in control of a currency don't act against their interests, everything works.  
It's no different to PoW. If I own serious money in a specific cryptocurrency, I'm not going to endanger that, because that would be very costly, although indirectly, just as mining forks in PoW is costly.

Most people living in skyscrapers don't steal and destroy bricks from foundation.  

Note that it takes just one person with one coin to behave correctly, even if literally everyone else is signing all forks, and everything works.  

Why for no reason? Because this shouldn't be profitable, if it is, it's a design error. I don't think it's that important though.  

It's quite unfortunate that generally the same topic is discussed in both places. Not sure what to do about it.  

Quote
All PoS coins are very centralized in their stake distribution and don't forget that when you say they are decentralized. Let alone all the other reasons PoS coins are not decentralized.
PoS is just a consensus method for a currency. Distribution is an orthogonal topic.  


Title: Re: Proof of stake instead of proof of work
Post by: hashman on May 21, 2014, 09:50:32 AM
Proof of work is significantly inferior to proof of stake, for several reasons.
1. Centralization. Just look at the distribution of hash power. The problem is that mining has almost infinite economies of scale, logically leading to complete centralization eventually, ie. one mining actor. Had a powerful state wanted to destroy bitcoin, raiding a few mining farms is already trivial and cheap. The security of bitcoin depends on lack of political will.  

There are no economies of scale in PoS. There can be in some PoS implementations, but it's not characteristic of all PoS.  


Thanks for your reply iruu! 
The very real problem you outline of centralization of miners is exactly the same or worse in a proof of stake system.  If miners can work together to become a nefarious majority, so can forgers.  In fact logistically it would be much easier for the forgers but that is a moot point: proof of stake offers nothing new here.   

Quote
2. Low and very expensive security. The miner doesn't have any economic interest in the currency per se, only in daily miners' revenue (new coins + fees). If at some point expected return on capital from acting against currency is higher than expected future miners' revenue, rational miner will become hostile.  
This is a much more serious problem if it's possible to rent vast amount of hash power, because then the costs for the attacker are drastically smaller.

Thus, on a perfect market with renting, the price for control of pow coin for time t is just a tiny bit more expensive than half of miners' revenue in time t. Hard to say what's the time required to significantly profit from damage, probably by using derivatives on coin's price. A day?

In comparison, attacking Proof of Stake currency requires losing the value of >50% of coin's market cap, which is a much bigger number than half of daily mining revenues. PoS currency is much, much safer.


Of course it is possible to rent hashpower or stake at cost.  We all know that cost and so bury our TXs under an appropriate number of blocks.  These are valuable resources so a market exists for them.  I fail to see the difference between hashpower and stake in that regard.   Remember also that the >50% attack is not >50% of all the hashing power (or stake) in the world, but only >50% of the current network rate.  For a PoS coin this is much lower than half of market cap.   

Perhaps you have some kind of proof of burn system in mind with this requiring losing stake?  If you wish to claim PoS is much much safer against 51% attack you need to outline an algorithm that closes the new holes introduced by PoS (deep chain re-orgs with old keys, reusing stake, good solution to choosing which stake gets which block) but also come up with some reason it is better (none is offered).



Quote

Proof of stake is a system for achieving consensus as to the state of balances. A proof of stake currency can have PoW method of distribution which plays no other role. Or any other method.  



Good point!  However, how do you intend to incentivise forgers if not with coinbase rewards and fees?  If you remove this "interest payment", do you think folks will still be interested?  I don't.   


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 10:12:07 AM
Thanks for your reply iruu!  
The very real problem you outline of centralization of miners is exactly the same or worse in a proof of stake system.  If miners can work together to become a nefarious majority, so can forgers.  In fact logistically it would be much easier for the forgers but that is a moot point: proof of stake offers nothing new here.    
It offers orders of magnitude more security, because you need a big percent of market cap, not just mining power.

Quote
Of course it is possible to rent hashpower or stake at cost.  We all know that cost and so bury our TXs under an appropriate number of blocks.  These are valuable resources so a market exists for them.  I fail to see the difference between hashpower and stake in that regard.   Remember also that the >50% attack is not >50% of all the hashing power (or stake) in the world, but only >50% of the current network rate.
https://blockchain.info/stats
Total Miners Revenue $2,052,572.14
Market cap (coinmarketcap) $ 6,305,819,442

So in a perfect market, you can take control of bitcoin's network, for a day, at a bargain price of $2,052,572.14  + $0.01. That's 0.0326%. You can wait a bit for the next halvening and it's going to be even cheaper!  
Quote
For a PoS coin this is much lower than half of market cap.
Ok. Yet I'm pretty sure it's at least two orders of magnitude bigger... one exchange node would probably be enough to dwarf bitcoin's security.  

Quote
If you wish to claim PoS is much much safer against 51% attack you need to outline an algorithm that closes the new holes introduced by PoS (deep chain re-orgs with old keys, reusing stake, good solution to choosing which stake gets which block) but also come up with some reason it is better (none is offered).
Maybe you should read the rest of my first post, and then later posts.

Quote
(none is offered).
I'm pretty sure I have mentioned security.  

Then there's also lack of wasted energy, capital, and smaller market supply, because miners need to sell the majority of coins to fund their operations. Mining is effectively a tax on all bitcoin users, almost a billion a year. You could run a small country on that.

Quote
Good point!  However, how do you intend to incentivise forgers if not with coinbase rewards and fees?  If you remove this "interest payment", do you think folks will still be interested?  I don't.
You may have rewards or not, but they are an implementation detail and can be different in each coin, using PoS or not.  


Title: Re: Proof of stake instead of proof of work
Post by: jabo38 on May 21, 2014, 10:30:44 AM
DaT,

The NXT genesis account's pass phrase is well known.  (The first line of 1984.)  I wonder if a person could use that account that held 100% of coins and create an alternate chain?  

I am also a little curious about this 51% attack thing.  It has been explained that because not everyone is supporting the network, a person might only really need 10% of coins to take over a chain.  Please help me think this out.  To do this, I think there are only two options.  The first is a group of the original stakeholders, would have to meet and agree they would sell all their coins, and then try to attack the chain.  As of now, while most original stakeholders have sold a lot, they still have a ton, so much in fact that they can't really sell it all without completely crashing the market.  If it was crashed, then there is no point in trying to attack it with a double spend, right?  In fact, the whole action would be entirely against their self interest.  They would have to sell all their coins at rates far below what they would have gotten if they slowly unloaded.  The net profit in successfully pulling off the attack would actually be a huge net loss compared to acting more rationally, wouldn't it?  

Yes, it is possible for a group or person to do a 51% attack, but is it realistic, even at 10%?  Right now for a person to buy up even 10% of NXT would be, $4,000,000 and that is IF they could buy it at market value, but to buy that much would surely cause a huge spike in price as the buyer would be buying out all the sell walls, and new walls would go up at even higher prices.  So in reality it would be much much higher than $4,000,000 to buy 10%, and then said buyer would have to offload their 10% which would cause a huge huge drop in price, probably crashing it to next to nothing.  All this so that they could try to double spend a few coins when now the market is basically bottomed out.  Does this make sense or am I missing something?

In either of these two cases, wouldn't huge red flags go up to the community, and that in itself, just knowing a person could double spend would make the price drop.  I remember with bitcoin one mining pool came close to 50% and the community went crazy.  

BTW, this thread is awesome.  hahaha


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 11:31:04 AM

Which PoS coins? I'm aware of only NXT, which has much more online, but then it works in a different way. Peercoin isn't PoS, it failed, very bad design.

What much more? Taking last 100 blocks indicate something like 20% and 10%  coming from 3 accounts. Dat decentralization....


Why do you assume all these nodes will be online at the time of the attack?
I didn't write that. Still, even at your 10% of honest stake, as you said, you need >10% of hostile stake. That's still much more as % of market cap.

Because you think of buying the stake... Many exchange owners had a stake history with percentages much higher than that. So if an exchange gets hacked the coin gets attacked? Doesn't look like a sound monetary system to me. You can buy old stakes keys to attack. You can even create StakeUndo service like http://www.bitundo.com/ and gain at no cost for old stake owners.. Market cap has nothing  to do and valuation does not improve or reduce the security model

Not everybody, just people with small amounts. First, it's not like there's only going to be one person. Second, big holders will dominate with their own nodes. Third, doing an attack like this would be actually criminal, so don't lend forging power to anonymous people in third world countries and it's going to be ok

big holders dominating does not sound like a decentralized solution to me  

Not lend coins, lend forging power. It's not required, but it makes the network a tiny bit safer
The point I made is it doesn't since it gives stake history power to few which can be used in the future


It's true that it's a problem if the loss amount is extreme. However, over long periods the validity of older blocks will be close to 100%, as many different stakes will get transacted.

I don't understand what the validity of older blocks will be close to 100% means... citation maybe?


All PoS coins are very centralized in their stake distribution and don't forget that when you say they are decentralized. Let alone all the other reasons PoS coins are not decentralized.


PoS is just a consensus method for a currency. Distribution is an orthogonal topic

Not that orthogonal if you want a DECENTRALIZED consensus method for a currency based on PoS


It offers orders of magnitude more security, because you need a big percent of market cap, not just mining power.
No it doesn't for the arguments stated above unless you rely on checkpoints




Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 11:35:35 AM

Yes, it is possible for a group or person to do a 51% attack, but is it realistic, even at 10%?  Right now for a person to buy up even 10% of NXT would be, $4,000,000 and that is IF they could buy it at market value, but to buy that much would surely cause a huge spike in price as the buyer would be buying out all the sell walls, and new walls would go up at even higher prices.  So in reality it would be much much higher than $4,000,000 to buy 10%, and then said buyer would have to offload their 10% which would cause a huge huge drop in price, probably crashing it to next to nothing.  All this so that they could try to double spend a few coins when now the market is basically bottomed out.  Does this make sense or am I missing something?


What you are missing here is that you don't need 51% of stake and a person doesn't need to buy 10% of the tokens. Just needs access to token history of some %.... PoS can be even attacked by even less than coins given enough trials since the attacker incurs no costs by just trying. This account mints 1 out of 4 blocks (last 100 blocks) http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4747512364439223888     Do you think this person does not have the power to double spend again and again and again with 25% of the minting power? He can keep trying. No cost if he fails thousands of times...  That 25% minting power is just 5% of total stake.... Not sure if you understand the difference. Also using 5% to earn so small earnings for forging is probably uneconomical for the rational forger who will prefer to put the coins in better use... i.e. deposit them in a just-dice.com type of service to earn more. If such services/stock markets compete for capital you should expect the effective stake for forging to be much much less


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 11:41:32 AM
Because you think of buying the stake... Many exchange owners had a stake history with percentages much higher than that. So if an exchange gets hacked the coin gets attacked?
Unless the exchange has more than 50% of all coins, or is the only node, no.
Quote
Doesn't look like a sound monetary system to me. You can buy old stakes keys to attack. You can even create StakeUndo service like http://www.bitundo.com/ and gain at no cost for old stake owners.. Market cap has nothing  to do and valuation does not improve or reduce the security model
Everything here is false and I already explained why, in the second half of my first post. I'm not replying to you anymore until you start reading what I already wrote on the topic.


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 11:46:39 AM
Because you think of buying the stake... Many exchange owners had a stake history with percentages much higher than that. So if an exchange gets hacked the coin gets attacked?
Unless the exchange has more than 50% of all coins, or is the only node, no.
Quote
Doesn't look like a sound monetary system to me. You can buy old stakes keys to attack. You can even create StakeUndo service like http://www.bitundo.com/ and gain at no cost for old stake owners.. Market cap has nothing  to do and valuation does not improve or reduce the security model
Everything here is false and I already explained why, in the second half of my first post. I'm not replying to you anymore until you start reading what I already wrote on the topic.

The fact that you gave some random percentages earlier does not qualify for an answer. Current forging is around 20% and anything greater than that can be a source for attack. Giving random percentages does not change current facts.

Also the current 20%  will be less when more rational forgers (excluding the three enthusiasts controlling 50% of current stake forging) who will prefer to put the coins in better use... i.e. deposit them in a just-dice.com type of service to earn more. If such services/stock markets compete for capital you should expect the effective % stake for forging to be much much less


Title: Re: Proof of stake instead of proof of work
Post by: jabo38 on May 21, 2014, 11:54:43 AM

Yes, it is possible for a group or person to do a 51% attack, but is it realistic, even at 10%?  Right now for a person to buy up even 10% of NXT would be, $4,000,000 and that is IF they could buy it at market value, but to buy that much would surely cause a huge spike in price as the buyer would be buying out all the sell walls, and new walls would go up at even higher prices.  So in reality it would be much much higher than $4,000,000 to buy 10%, and then said buyer would have to offload their 10% which would cause a huge huge drop in price, probably crashing it to next to nothing.  All this so that they could try to double spend a few coins when now the market is basically bottomed out.  Does this make sense or am I missing something?


What you are missing here is that you don't need 51% of stake and a person doesn't need to buy 10% of the tokens. Just needs access to token history of some %.... PoS can be even attacked by even less than coins given enough trials since the attacker incurs no costs by just trying. This account mints 1 out of 4 blocks (last 100 blocks) http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4747512364439223888     Do you think this person does not have the power to double spend again and again and again with 25% of the minting power? He can keep trying. No cost if he fails thousands of times...  That 25% minting power is just 5% of total stake.... Not sure if you understand the difference. Also using 5% to earn so small earnings for forging is probably uneconomical for the rational forger who will prefer to put the coins in better use... i.e. deposit them in a just-dice.com type of service to earn more. If such services/stock markets compete for capital you should expect the effective stake for forging to be much much less

Yes, that account is huge and I get the fact that he can double spend.  It is in his power to do so.  I didn't think it was possible to do, but this thread has convinced me otherwise.  What I am wondering is, is it realistic for him to do so?  Can he really gain if he double spends?  If he were to do that, he would realistically need to dump all his coins first.  Wouldn't that large of an account incur huge losses dumping like that?  Then yes, he could go and double spend, he is technically capable of doing so, and do so with virtually no risk, but in doing so he crashes the whole system, NXT becomes worth nothing, and then there is no point in him double spending.  Am I missing something?  Yes, he has the technical ability to do so, but realistically doing so he would suffer huge losses.  Right?

Also, I am confused still about the origin account.  The public key is known.  I myself have logged into it just for the fun of it, but while I did so, it essentially became mine.  There are a lot of NXT haters.  NXT has been under DOS attack many times, but why hasn't somebody made an alternate chain from the origin account?  If what everyone is saying, that you just need access to an account's keys to double spend, why hasn't it happened?  Or do I need to dump all my NXT right now?  I am really just a newbie, and I am pretty sure that 90% of the people discussing things on this page know more than me about crypto.  Surely, I haven't figured out a way to bring NXT down.  Or have I?  Please tell me if I have so I can dump! :-)


Title: Re: Proof of stake instead of proof of work
Post by: NeuTroiste on May 21, 2014, 11:59:53 AM
LibertyCoin

POS 1%
16 Million Supply
Anon being implemented.

Buy now cheap while you can, this is going to be huge.

https://i.imgur.com/CqVs7i3.jpg


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 12:00:57 PM

Yes, it is possible for a group or person to do a 51% attack, but is it realistic, even at 10%?  Right now for a person to buy up even 10% of NXT would be, $4,000,000 and that is IF they could buy it at market value, but to buy that much would surely cause a huge spike in price as the buyer would be buying out all the sell walls, and new walls would go up at even higher prices.  So in reality it would be much much higher than $4,000,000 to buy 10%, and then said buyer would have to offload their 10% which would cause a huge huge drop in price, probably crashing it to next to nothing.  All this so that they could try to double spend a few coins when now the market is basically bottomed out.  Does this make sense or am I missing something?


What you are missing here is that you don't need 51% of stake and a person doesn't need to buy 10% of the tokens. Just needs access to token history of some %.... PoS can be even attacked by even less than coins given enough trials since the attacker incurs no costs by just trying. This account mints 1 out of 4 blocks (last 100 blocks) http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=4747512364439223888     Do you think this person does not have the power to double spend again and again and again with 25% of the minting power? He can keep trying. No cost if he fails thousands of times...  That 25% minting power is just 5% of total stake.... Not sure if you understand the difference. Also using 5% to earn so small earnings for forging is probably uneconomical for the rational forger who will prefer to put the coins in better use... i.e. deposit them in a just-dice.com type of service to earn more. If such services/stock markets compete for capital you should expect the effective stake for forging to be much much less

Yes, that account is huge and I get the fact that he can double spend.  It is in his power to do so.  I didn't think it was possible to do, but this thread has convinced me otherwise.  What I am wondering is, is it realistic for him to do so?  Can he really gain if he double spends?  If he were to do that, he would realistically need to dump all his coins first.  Wouldn't that large of an account incur huge losses dumping like that?  Then yes, he could go and double spend, he is technically capable of doing so, and do so with virtually no risk, but in doing so he crashes the whole system, NXT becomes worth nothing, and then there is no point in him double spending.  Am I missing something?  Yes, he has the technical ability to do so, but realistically doing so he would suffer huge losses.  Right?

Also, I am confused still about the origin account.  The public key is known.  I myself have logged into it just for the fun of it, but while I did so, it essentially became mine.  There are a lot of NXT haters.  NXT has been under DOS attack many times, but why hasn't somebody made an alternate chain from the origin account?  If what everyone is saying, that you just need access to an account's keys to double spend, why hasn't it happened?  Or do I need to dump all my NXT right now?  I am really just a newbie, and I am pretty sure that 90% of the people discussing things on this page know more than me about crypto.  Surely, I haven't figured out a way to bring NXT down.  Or have I?  Please tell me if I have so I can dump! :-)

I doubt that account will do it.. But why trust anonymous people? Is it a trustless system? Say after he sells off then he can come back and create competing parallel chain collaborating with other people to create a longer chain by having more stake.. In the future if he sells  he might not have any interest in the coin and try to gain back the stake by reversing the chain from the point before selling.. after all the number of coins forging is getting less and less and it will be easier to do so..

I am not the one to tell you to sell your NXT. I am just saying it cannot be decentralized. If you are ok with that you can keep your NXT.. Bitcoin was a revolution because of decentralization. Solutions like ripple bitshares and PoS cannot remain decentralized  and that's why I criticize them ALL.... I have no problem with people speculating with them to make some money. I have a problem when people promote them as some revolutionary solution to the double spending problem.


Title: Re: Proof of stake instead of proof of work
Post by: jabo38 on May 21, 2014, 12:19:34 PM
yep, lots of good things to think about in this thread!


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 12:31:45 PM
Yes, that account is huge and I get the fact that he can double spend.  It is in his power to do so. 
No it's not.

Also, Nxt has a different algorithm than all described here.


Title: Re: Proof of stake instead of proof of work
Post by: jabo38 on May 21, 2014, 12:36:41 PM
Is that because of transparent forging?  Could you explain how NXT might be more immune?


Title: Re: Proof of stake instead of proof of work
Post by: hashman on May 21, 2014, 02:40:47 PM
https://blockchain.info/stats
Total Miners Revenue $2,052,572.14

So in a perfect market, you can take control of bitcoin's network, for a day, at a bargain price of $2,052,572.14  + $0.01. That's 0.0326%. You can wait a bit for the next halvening and it's going to be even cheaper!  


Thanks for your reply.  I am interested in proof of stake but still missing something.  I don't understand some details of the NXT algo including the universal random number (just reading http://www.docdroid.net/cckd/forging0-4-3.pdf.html)

Yes:  total BTC miners revenue in a day is 3600 coin.  Before accepting 3600BTC and making a physical delivery from a source with zero trust I would wait about that long.  Let's look at NXT for comparison:

Total Forgers Revenue: 5500 NXT
 
So in a perfect liquid market of stake, I would want to wait about a day before accepting 350 mBTC worth of NXT. 

I understand that liquid markets in hash power and accretion of hashpower by individuals can be bad very bad.  But replacing hashpower by something that is even more liquid already seems like hardly a solution to that particular problem. 

Yes, I understand that the big stakeholders now holding the 100% premine might not want to accept my offer of a little extra doublespend revenue to borrow their stake because they are afraid the word could get out and this would affect the value of their personal holdings.  But isn't concentration of power in the hands of a few and requiring the network to trust them part of the problem we were trying to avoid?  If we want to trust a central entity, this whole blockchain system is a waste.   


Quote

Then there's also lack of wasted energy, capital, and smaller market supply, because miners need to sell the majority of coins to fund their operations. Mining is effectively a tax on all bitcoin users, almost a billion a year. You could run a small country on that.


Indeed.  Bitcoin hardly seems perfect.  But imagine if the 21million BTC  (that's 10 billion or so dollars) were all premined in the hands of a small team.  They could run a country on that, especially with their total control of the transaction record for all time.  Institutionalized double spending, here we come.


Title: Re: Proof of stake instead of proof of work
Post by: dogisland on May 21, 2014, 02:59:14 PM
DaT,

The NXT genesis account's pass phrase is well known.  (The first line of 1984.)  I wonder if a person could use that account that held 100% of coins and create an alternate chain?  


No because the genesis block is hard wired into the NXT server and all the coins from the genesis block were sent to the original investors.


I am also a little curious about this 51% attack thing.  It has been explained that because not everyone is supporting the network, a person might only really need 10% of coins to take over a chain.  

I'm not an NXT developer but I have looked at the code.

Let's say I have 25% of NXT coins. And I want to mount an attack. I need to do the following.

1. Wait until I am selected as a forger.
2. Create 2 blocks, one for the network and one I hold back.
3. Continually add more blocks to the block I hold back. This is my chain I will introduce later as my attack.

The problem is step 3. To add another block to my held back block I need to be selected as the forger for that block too. However forger selection is based on the hash of the previous block and my account address.

Neither of these I can change quickly enough to be sure I generate the next block. So my probability of being selected to build the next block is 25% for each block.

I read carefully what DaT contributed, but I can't apply his attack to the code as I see it.
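
The per-block selection odds dogisland describes above, as an added example that is not part of the original posts and is not NXT's code: a simplified model where the forger is fixed by the previous block hash and the account, weighted by stake. The stake table, account names, seed and the exponential-race selection rule are assumptions made for the illustration.

```python
import hashlib
import math

# Constructed stake table (percent of active stake). "attacker" holds the 25%
# from the post; the other accounts are made up for this example.
STAKES = {"attacker": 25, "alice": 30, "bob": 20, "carol": 15, "dave": 10}


def hit(prev_hash: bytes, account: str) -> float:
    """Value in (0, 1] fixed entirely by the previous block hash and the account."""
    digest = hashlib.sha256(b"hit" + prev_hash + account.encode()).digest()
    return (int.from_bytes(digest[:8], "big") + 1) / 2**64


def select_forger(prev_hash: bytes, stakes: dict) -> str:
    """Stake-weighted choice: the smallest -ln(hit)/stake wins.

    This is an exponential race, so each account wins with probability
    stake / total_stake. It is an assumed rule, not the NXT algorithm.
    """
    return min(stakes, key=lambda a: -math.log(hit(prev_hash, a)) / stakes[a])


def build_chain(length: int, stakes: dict, seed: bytes = b"constructed-genesis") -> list:
    """Return the forger of each block. The model assumes the forger cannot
    influence the block hash (no grinding), as the post states."""
    prev = hashlib.sha256(seed).digest()
    forgers = []
    for _ in range(length):
        forger = select_forger(prev, stakes)
        forgers.append(forger)
        prev = hashlib.sha256(b"block" + prev + forger.encode()).digest()
    return forgers


def share(forgers: list, account: str) -> float:
    """Fraction of blocks forged by account."""
    return forgers.count(account) / len(forgers)


def run_rate(forgers: list, account: str, k: int) -> float:
    """Fraction of positions that start k consecutive blocks by account."""
    windows = len(forgers) - k + 1
    runs = sum(all(f == account for f in forgers[i:i + k]) for i in range(windows))
    return runs / windows


def prob_consecutive(p: float, k: int) -> float:
    """Chance of being selected for k blocks in a row at per-block odds p."""
    return p ** k


if __name__ == "__main__":
    chain = build_chain(20000, STAKES)
    print("attacker share of blocks:", round(share(chain, "attacker"), 4))
    for k in (1, 2, 3, 6):
        print(k, "in a row: predicted", prob_consecutive(0.25, k),
              "observed", round(run_rate(chain, "attacker", k), 5))
```

Under these assumptions the chance of extending a withheld chain alone falls geometrically: six blocks in a row at 25% is 1 in 4096.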


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 21, 2014, 03:00:36 PM
Yes:  total BTC miners revenue in a day is 3600 coin.  Before accepting 3600BTC and making a physical delivery from a source with zero trust I would wait about that long. 

The problem is you have assumed a double spender would simply do the obvious thing and try to buy a single very expensive thing. The reality is that a double spender will involve a number of people who are in on the scam and will make many moderate sized purchases. As a bitcoin merchant I have no idea if the 1BTC transaction I have received is part of a set of many transactions which will all be double spent.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on May 21, 2014, 03:28:08 PM
DaT,

The NXT genesis account's pass phrase is well known.  (The first line of 1984.)  I wonder if a person could use that account that held 100% of coins and create an alternate chain?  


No because the genesis block is hard wired into the NXT server and all the coins from the genesis block were sent to the original investors.


I am also a little curious about this 51% attack thing.  It has been explained that because not everyone is supporting the network, a person might only really need 10% of coins to take over a chain.  

I'm not an NXT developer but I have looked at the code.

Let's say I have 25% of NXT coins. And I want to mount an attack. I need to do the following.

1. Wait until I am selected as a forger.
2. Create 2 blocks, one for the network and one I hold back.
3. Continually add more blocks to the block I hold back. This is my chain I will introduce later as my attack.

The problem is step 3. To add another block to my held back block I need to be selected as the forger for that block too. However forger selection is based on the hash of the previous block and my account address.

Neither of these I can change quickly enough to be sure I generate the next block. So my probability of being selected to build the next block is 25% for each block.

I read carefully what DaT contributed, but I can't apply his attack to the code as I see it.

What DaT basically says is this:

1. whoever has 51% of the resources (poW , PoS, or another Po"X")...can attack whatever network it is.
2. PoS has the disadvantage of the nothing-at-stake problem.

I think he is generally correct.  We were told there is a secret sauce to NXT,
but until it is revealed we don't know the validity of their claims or the security trade-offs.

So I guess we should just wait to see what will unfold.







Title: Re: Proof of stake instead of proof of work
Post by: platorin on May 21, 2014, 03:53:41 PM
It depends. Hard to say which one is better at this moment. Both have their advantages and disadvantages.


Title: Re: Proof of stake instead of proof of work
Post by: iruu on May 21, 2014, 06:20:12 PM
Is that because of transparent forging?  Could you explain how NXT might be more immune?
25% of active stake is not enough, you need majority.  

Thanks for your reply.  I am interested in proof of stake but still missing something.  I don't understand some details of the NXT algo including the universal random number (just reading http://www.docdroid.net/cckd/forging0-4-3.pdf.html)

Yes:  total BTC miners revenue in a day is 3600 coin.  Before accepting 3600BTC and making a physical delivery from a source with zero trust I would wait about that long.  Let's look at NXT for comparison:

Total Forgers Revenue: 5500 NXT
 
So in a perfect liquid market of stake, I would want to wait about a day before accepting 350 mBTC worth of NXT.  
A miner just a tiny bit worse per W than best miner is literally worthless, on a perfect market. Which means there's no risk to factor into because there's no capital to risk. While lending nxt, lender would have to calculate possible risk of lending his coin, which would include the risk of currency collapse, especially as any serious lender would ask for your other liabilities.  

In practice, sooner or later there's going to be a ton of miners worse by few percents than top, sold for next to nothing, so achieving non-profitable hashing power will be very easy. However, borrowing more than half of nxt or other PoS currency would be next to impossible.  

Quote
Yes, I understand that the big stakeholders now holding the 100% premine might not want to accept my offer of a little extra doublespend revenue to borrow their stake because they are afraid the word could get out and this would affect the value of their personal holdings.  But isn't concentration of power in the hands of a few and requiring the network to trust them part of the problem we were trying to avoid?  If we want to trust a central entity, this whole blockchain system is a waste.  
Why is currency operated by all holders less decentralized than bitcoin's two-three pools (mainly few big farms), which control everything? Proof of stake is the epitome of decentralization.  
Mining monopoly is unavoidable. It can be as well already true, just hidden between few pools.  

You can become a currency owner even for $0.01, you can't mine for that amount, you can only rent, and you're not going to make any money even with expensive miner due to lack of scale.  

Quote
Indeed.  Bitcoin hardly seems perfect.  But imagine if the 21million BTC  (that's 10 billion or so dollars) were all premined in the hands of a small team.  They could run a country on that, especially with their total control of the transaction record for all time.  Institutionalized double spending, here we come.
That's not an argument against PoS, but NXT. PoS doesn't require big IPOs, in fact you can sell just a few percent and allow people to mine the rest. Or other method of distribution.


Title: Re: Proof of stake instead of proof of work
Post by: Brangdon on May 21, 2014, 09:00:54 PM
Where do you get these 99% stake stuff?
PoS coins use 10% of stake and dropping as economic activity goes up. Let alone that their profits are tiny to justify such big stake in minting (Just early adopters minting to support their system). If a real economy exists many will put their coins in more productive uses than minting and will not even care.
Again, this doesn't apply to Nxt because in Nxt minting with coins does not preclude them being available for other uses.

Quote
Why do you assume all these nodes will be online at the time of the attack?
People who don't want to be online 24/7 can lease to those that do. So a high proportion of coins should be online at any given time. (It's not like that now, partly because leased forging is new, and partly because I think some whales are keeping out of it to let other people gain forging revenue.)

Quote
Why do you assume that lending will be something everybody will do?
If you have sufficient coins that leasing pays for itself, it's the rational thing to do, with no downsides, so most people will do it. (Except the ones that have enough to justify running their own node.)

Quote
Why do you assume that it will not backfire giving one person extreme stake history who might not care about the coin at the present?
It's something we need to be vigilant about, in the same way the Bitcoin community needs to be vigilant about mining pools becoming too powerful. However, because Nxt forging doesn't have the same economies of scale as Bitcoin mining, there is less pressure towards centralisation.

Quote
Why do you say lend your coins to a person you can trust if you want to build a trustless system?
Because trusting a forging pool is no worse than trusting a mining pool (except you have a choice about which pool you trust, in Nxt.)

Quote
Why do you assume that the rest honest stakers (those not having their coins reversed) will not mint both chains?
They can only mint blocks when the algorithm picks them as the current forger. Minting blocks when you aren't current is pointless.

Quote
All PoS coins are very centralized in their stake distribution and don't forget that when you say they are decentralized.
Initial distribution is orthogonal to PoS. It's a problem for Nxt, partly because it's so new. It improves over time.

Total Forgers Revenue: 5500 NXT
 
So in a perfect liquid market of stake, I would want to wait about a day before accepting 350 mBTC worth of NXT.
I don't understand why you think there is a connection between mining revenue per block and the number of blocks to wait before considering they are confirmed.


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 11:09:53 PM

Brangdon,

Quote
Why do you assume that lending will be something everybody will do?
If you have sufficient coins that leasing pays for itself, it's the rational thing to do, with no downsides, so most people will do it. (Except the ones that have enough to justify running their own node.)

Why only about 20% are forging then? The downside is centralization of power. If at any point of stake history anyone had 50+% of current stake rate (i.e. current is 20% means that lending to a pool more than 10% at any point) it will haunt the coin forever.

Quote
Why do you assume that it will not backfire giving one person extreme stake history who might not care about the coin at the present?
It's something we need to be vigilant about, in the same way the Bitcoin community needs to be vigilant about mining pools becoming too powerful. However, because Nxt forging doesn't have the same economies of scale as Bitcoin mining, there is less pressure towards centralisation.

There is nothing you can do other than checkpoints. For PoW it is a one-time event that doesn't haunt bitcoin in the future. Not that I like litecoin, but Litecoin had 51% on 1 pool lately but that will not affect its future if the hash distribution changes. For PoS it does.

Quote
Why do you say lend your coins to a person you can trust if you want to build a trustless system?
Because trusting a forging pool is no worse than trusting a mining pool (except you have a choice about which pool you trust, in Nxt.)

See the difference in first point.

Quote
All PoS coins are very centralized in their stake distribution and don't forget that when you say they are decentralized.
Initial distribution is orthogonal to PoS. It's a problem for Nxt, partly because it's so new. It improves over time.

Dogecoin, darkcoin are newer but better distributed.. Not an excuse. A serious PoS algorithm that wants decentralization should be as distributed as possible from the get-go because of security decentralization and history attack.


Quote
Is that because of transparent forging?  Could you explain how NXT might be more immune?
25% of active stake is not enough, you need majority.  



May not be enough for reversing the chain, but no, 25% is enough for double spending. In fact it is enough even for bitcoin. The difference is that for bitcoin it will cost money but for PoS it won't... You can double spend a casino as many times as you want given enough time.




Title: Re: Proof of stake instead of proof of work
Post by: foodies123 on May 21, 2014, 11:32:21 PM
I know I'm butting in and I apologize. I can see there are a lot of well informed people in this thread with solid arguments one way or the other and I would like you gentlemen, if you'd be so kind, to relay onto me your opinion about multi-pow (separate algorithms mining independently on the same chain), pros? cons?
I'd really like to hear what you gentlemen have to say about it.

Is it more viable as a means to secure the chain further ?
Is it more viable for a fairer and wider distribution of the coins ?


Disclaimer: I'm part of the team for such a coin (Myriad) but am not the creator of the concept. I joined the team because I liked the concept and it seems pretty solid.


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 21, 2014, 11:58:42 PM
I know I'm butting in and I apologize. I can see there are a lot of well informed people in this thread with solid arguments one way or the other and I would like you gentlemen, if you'd be so kind, to relay onto me your opinion about multi-pow (separate algorithms mining independently on the same chain), pros? cons?
I'd really like to hear what you gentlemen have to say about it.

Is it more viable as a means to secure the chain further ?
Is it more viable for a fairer and wider distribution of the coins ?


Disclaimer: I'm part of the team for such a coin (Myriad) but am not the creator of the concept. I joined the team because I liked the concept and it seems pretty solid.

Not that I am expert but here is my opinion

1. I personally didn't study the mechanics of the coin but it may be more secure if the ASIC hardware manufacturers don't decentralize and we stick to 1 or 2 like now.
2. I don't know... but probably due to different hardware to mine. Distribution is not only about mining hardware but also how many people know about it in the early cycle of the distribution unless you have a slow distribution cycle.

Too many new technologies coming out with little time to study the problems with each until academics start writing papers about these technologies. Bitcoin has been out for 5 years and people still find and will find more attack vectors. Very tough to judge all these coins without proper white-papers. There are no proper write-ups of the technologies just some talk here and there is available on forums...


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 22, 2014, 12:08:02 AM
I know I'm butting in and I apologize. I can see there are a lot of well informed people in this thread with solid arguments one way or the other and I would like you gentlemen, if you'd be so kind, to relay onto me your opinion about multi-pow (separate algorithms mining independently on the same chain), pros? cons?
I'd really like to hear what you gentlemen have to say about it.

Is it more viable as a means to secure the chain further ?
Is it more viable for a fairer and wider distribution of the coins ?


Disclaimer: I'm part of the team for such a coin (Myriad) but am not the creator of the concept. I joined the team because I liked the concept and it seems pretty solid.

The main problem with multi-POW coins is that it is difficult to work out how to fairly and securely weight the security factor attributed to each algorithm.

Myriad uses a weighted model (code here (https://github.com/myriadcoin/myriadcoin/commit/34abdc7317c7c94e3a53143bf8c5eef73c5ae35b#diff-e8db9b851adc2422aadfffca88f14c91R841)). This means that a SHA256 block needs to have a difficulty 4096 times that of a Scrypt block for them to have equal security weighting. I haven't thought too much about the economic and security implications of this but I know that the weights shouldn't be fixed because the actual difficulty of mining a certain block depends on the type of hardware used.

Also miners rarely care about the security factor (it only comes into effect when there is a fork/orphaned block), so it is easy for the developer to change the weights without requiring the miner's explicit consensus (the change does not lead to long lasting forks).

On the other hand multi-POW coins have more decentralised coin generation (not necessarily security because of the weighting) which is theoretically good for the coin economy.
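The weighting concern raised in the post above, worked through as an added example (this is not Myriad's code and not part of the original post). Only the 4096:1 ratio comes from the post; the per-difficulty cost figures, the sample branches and the `rebalanced_weights` helper are constructed assumptions used to show why a fixed weight lets the cheapest algorithm set the security floor.

```python
from dataclasses import dataclass
from fractions import Fraction

# Fixed weights: only the 4096:1 Scrypt-to-SHA256 ratio is taken from the post.
FIXED_WEIGHTS = {"sha256": Fraction(1), "scrypt": Fraction(4096)}


@dataclass(frozen=True)
class Block:
    algo: str
    difficulty: int


def block_work(block, weights=FIXED_WEIGHTS):
    """Security weight that one block adds to its branch."""
    if block.algo not in weights:
        raise ValueError(f"no weight configured for {block.algo!r}")
    return block.difficulty * weights[block.algo]


def branch_work(blocks, weights=FIXED_WEIGHTS):
    return sum((block_work(b, weights) for b in blocks), Fraction(0))


def best_branch(branches, weights=FIXED_WEIGHTS):
    """Name of the branch with the most weighted work, or None on a tie."""
    if not branches:
        raise ValueError("no branches to compare")
    ranked = sorted(((branch_work(blocks, weights), name)
                     for name, blocks in branches.items()), reverse=True)
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        return None  # equal work: the weights alone cannot pick a winner
    return ranked[0][1]


def cost_per_weighted_unit(cost_per_difficulty, weights=FIXED_WEIGHTS):
    """What one unit of weighted work costs when bought with each algorithm."""
    return {algo: Fraction(cost_per_difficulty[algo]) / weights[algo]
            for algo in weights}


def security_floor(cost_per_difficulty, weights=FIXED_WEIGHTS):
    """The cheapest algorithm and its price per unit of weighted work."""
    per_unit = cost_per_weighted_unit(cost_per_difficulty, weights)
    algo = min(per_unit, key=lambda a: (per_unit[a], a))
    return algo, per_unit[algo]


def rebalanced_weights(cost_per_difficulty):
    """Hypothetical re-weighting: make weights proportional to real cost."""
    cheapest = min(Fraction(c) for c in cost_per_difficulty.values())
    return {algo: Fraction(c) / cheapest
            for algo, c in cost_per_difficulty.items()}


# Constructed sample data (not measurements of any real network).
BRANCHES = {
    "three_sha256": [Block("sha256", 4096)] * 3,   # 3 blocks, work 12288
    "one_scrypt": [Block("scrypt", 4)],            # 1 block,  work 16384
}
COSTS_AT_LAUNCH = {"sha256": Fraction(1), "scrypt": Fraction(4096)}
COSTS_AFTER = {"sha256": Fraction(1, 8), "scrypt": Fraction(4096)}  # SHA256 hardware 8x cheaper

if __name__ == "__main__":
    print("winning branch:", best_branch(BRANCHES))
    print("floor at launch:", security_floor(COSTS_AT_LAUNCH))
    print("floor after hardware shift:", security_floor(COSTS_AFTER))
    print("rebalanced weights:", rebalanced_weights(COSTS_AFTER))
```

With the fixed weights, the cost of out-working the chain falls by the same factor as the cheapest algorithm's hardware cost, even though the other algorithm is unchanged.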


Title: Re: Proof of stake instead of proof of work
Post by: ThePurplePlanet on May 22, 2014, 12:12:43 AM
I know I'm butting in and I apologize. I can see there are a lot of well informed people in this thread with solid arguments one way or the other and I would like you gentlemen, if you'd be so kind, to relay onto me your opinion about multi-pow (separate algorithms mining independently on the same chain), pros? cons?
I'd really like to hear what you gentlemen have to say about it.

Is it more viable as a means to secure the chain further ?
Is it more viable for a fairer and wider distribution of the coins ?


Disclaimer: I'm part of the team for such a coin (Myriad) but am not the creator of the concept. I joined the team because I liked the concept and it seems pretty solid.

The main problem with multi-POW coins is that it is difficult to work out how to fairly and securely weight the security factor attributed to each algorithm.

Myriad uses a weighted model (code here (https://github.com/myriadcoin/myriadcoin/commit/34abdc7317c7c94e3a53143bf8c5eef73c5ae35b#diff-e8db9b851adc2422aadfffca88f14c91R841)). This means that a SHA256 block needs to have a difficulty 4096 times that of a Scrypt block for them to have equal security weighting. I haven't thought too much about the economic and security implications of this but I know that the weights shouldn't be fixed because the actual difficulty of mining a certain block depends on the type of hardware used.

Also miners rarely care about the security factor (it only comes into effect when there is a fork/orphaned block), so it is easy for the developer to change the weights without requiring the miner's explicit consensus (the change does not lead to long lasting forks).

On the other hand multi-POW coins have more decentralised coin generation (not necessarily security because of the weighting) which is theoretically good for the coin economy.

That's a good point.

What if one technology's hashing power increases over time faster than the rest due to hardware/algorithmic improvements? Does the re-weighting of each PoW need to change? If yes who decides that? Does the algorithm have rules to change that automatically? Will miners approve that if they get penalized?


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 22, 2014, 12:28:53 AM
If yes who decides that? Does the algorithm have rules to change that automatically? Will miners approve that if they get penalized?

The miners essentially decide (with bitcoin the rules are sort of obvious so everyone agrees to them) but with multi-pow coins miners have to rely on working out what will make them the most money/coins.  In general this means sticking with what everyone else is doing, the only practical way of knowing what everyone else is doing is assuming everyone is following the software. In theory thus, optimum strategy is to follow the software and hence the developer gets to choose.

In reality, some miners might refuse to download new updates. Now you have different miners enforcing different rules, working out the optimum in this situation is far from trivial and could lead to instability. The full economic analysis of this is very complex.


Title: Re: Proof of stake instead of proof of work
Post by: foodies123 on May 22, 2014, 12:37:31 AM
If yes who decides that? Does the algorithm have rules to change that automatically? Will miners approve that if they get penalized?

The miners essentially decide (with bitcoin the rules are sort of obvious so everyone agrees to them) but with multi-pow coins miners have to rely on working out what will make them the most money/coins.  In general this means sticking with what everyone else is doing, the only practical way of knowing what everyone else is doing is assuming everyone is following the software. In theory thus, optimum strategy is to follow the software and hence the developer gets to choose.

In reality, some miners might refuse to download new updates. Now you have different miners enforcing different rules, working out the optimum in this situation is far from trivial and could lead to instability. The full economic analysis of this is very complex.

Fair point, we are working on a dynamic method of weighing although the fix worked thus far (8x hashing power increase within minutes on SHA algo did no damage at all to the chain and a few weeks earlier a scrypt pool with 51%+ forked resulting in just that their miners lost some mining time again with no consequences to the chain) we are aware that fixed factors are somewhat unreliable in long term.


Title: Re: Proof of stake instead of proof of work
Post by: telepatheic on May 22, 2014, 12:49:45 AM
Fair point, we are working on a dynamic method of weighing although the fix worked thus far (8x hashing power increase within minutes on SHA algo did no damage at all to the chain and a few weeks earlier a scrypt pool with 51%+ forked resulting in just that their miners lost some mining time again with no consequences to the chain) we are aware that fixed factors are somewhat unreliable in long term.

Were these attackers actually being dishonest (not mining on top of the chain with greatest difficulty) ? Or were they just flooding the hashing power?


Title: Re: Proof of stake instead of proof of work
Post by: foodies123 on May 22, 2014, 09:20:42 AM
Fair point, we are working on a dynamic method of weighing although the fix worked thus far (8x hashing power increase within minutes on SHA algo did no damage at all to the chain and a few weeks earlier a scrypt pool with 51%+ forked resulting in just that their miners lost some mining time again with no consequences to the chain) we are aware that fixed factors are somewhat unreliable in long term.

Were these attackers actually being dishonest (not mining on top of the chain with greatest difficulty) ? Or were they just flooding the hashing power?

Well I have no actual evidence they were malicious but an 8x spike in minutes that lasted for about an hour was not an attempt on mining sha. I can only presume they had ill intentions. The scrypt thing was an accident.


Title: Re: Proof of stake instead of proof of work
Post by: Eadeqa on May 23, 2014, 07:33:15 AM
"Economic Clustering"

https://nxtforum.org/news-and-announcements/economic-clustering/


Title: Re: Proof of stake instead of proof of work
Post by: micryon on May 23, 2014, 08:02:02 AM
Because the network follows a longest chain is valid rule?  If it doesn't then you are relying on a node knowing that an alternate chain came "later" and not all nodes will know that.  As I already pointed out up thread imagine you are a new node, you connect to the network and receive two competing chains A & B.  A is longer.  Which chain do you use?  If you use A and other nodes use B that is a problem (isolation attack and network fork due to non deterministic chain selection).  If they are choosing B over A because they "saw it first" there is no way for you to confirm that or even know that.
Still it doesn't need to be 10,000 blocks.  A 51% attack can be accomplished with a reorg of any length.

What's the downside of just hard coding a max limit of history blocks that can be reorged in AcceptBlocks?  And must make that max limit < confirmation needed?

Wouldn't this protect nodes with an existing "real" chain, without fearing for it to be overwritten (at least past the limit)?


nvm.. i guess that would cause the "hard fork attack problem".. where offline/new nodes could still pick up an entirely different fork all the time.  no consensus..

great thread though.. i learned a lot:)  Someone needs to make a diagram'd youtube video though.. hehe


Title: Re: Proof of stake instead of proof of work
Post by: Brangdon on May 25, 2014, 12:42:55 PM
Why only about 20% are forging then?
I don't know. I suspect because leased forging is a new feature and not everyone has caught on yet. Also, I suspect some whales are not forging because they want to give everyone else a chance. Either way, it should improve over time. Nxt is 6 months old; it's achieved a lot in that time, but some things mature slowly. When it's as old as Bitcoin is now, we'll have a better idea if this is working.

Quote
The downside is centralization of power. If at any point of stake history anyone had 50+% of current stake rate (i.e. current is 20% means that lending to a pool more than 10% at any point) it will haunt the coin forever.
I gather the Nxt devs have a solution for that.


Title: Re: Proof of stake instead of proof of work
Post by: svojoe on June 11, 2014, 01:23:19 AM
Where does this concept of PoS being less 'fair' come from?   Or the whole rich get richer thing?!    I would really like someone to break this down for me.

Bitcoin vs Blackcoin

You can buy them both directly on exchanges
You can still mine bitcoin directly; however, it requires massive investment in specialized hardware to hope for ROI (massive investment).
You can obviously indirectly mine Blackcoin from exchanges with numerous mining platforms not just specialized mining hardware, creating an immensely lower point of entry as a function of mining cost vs Blackcoin reward against market cap.    While this is an add-on to blackcoin itself, not part of its codebase (it's no longer PoW mineable), it is the current state of reality in crypto today and likely for as long as Blackcoin commands attention.   If all other altcoins vanished miners would still mine BTC directly to sell for blackcoin with greatly diminished returns.  But possibly still greater gain in BC against market cap, than with BTC vs marketcap.

So, allowing the blackcoin multipools into the equation is leaps and bounds cheaper and easier to get blackcoin with your mining hardware than it is BTC.

Whew, hope you followed!

Now...
Bitcoin mints at 3600 BTC per day. At current market cap that is about 2.3 MILLION dollars of supply creating constant sell pressure in an agnostic market.   Blackcoin mints at 1% interest per year.    If Blackcoin had the same 8.5B usd market cap BTC does, that would be around 230,000 THOUSAND dollars of new supply created daily.  Roughly ten times less depreciation if the market is stagnant in regards to demand.

This means that you are in a race to the bottom with PoW, unless you are standing at the very top of the mining/minting game.

AND those new coins ONLY go to the miners that can keep up with current tech and price of mining.   Whereas if you hold any amount of BlackCoin that 1% is paid to you.  Not a big mining farm, but you.



Why is PoW more fair?!?!   PoW is the epitome of rich get richer,   Previous poster was correct,  PoW  TAXES the holders that can't mine if you factor in that many mined coins will be insta-dumped soon as mature. Gotta pay for those million dollar mining farms after all.





Title: Re: Proof of stake instead of proof of work
Post by: jubalix on June 11, 2014, 01:27:20 AM
POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.


so this is just merged mining, eg with IXC and others in BTC. No problem here.


Quote
In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.

no merged mining does this without extra hash. The hash for BTC will always work for a lower difficulty.


Title: Re: Proof of stake instead of proof of work
Post by: iopq on June 11, 2014, 04:04:40 AM
No, both PoS and PoW allow everyone to participate in exact proportion to their resources.
No: you can't buy coins of the chain you want to mine if they are not for sale, whatever are your resources.

While you can build how many hashing power you want if you have the resources, and nobody, nobody, can't stop you.

The difference is quite abysmal.
I should clarify that when I talk about PoS I mean only as a synchronization method. Every coin that uses PoS synchronization also needs some issuance method, and the best known issuance method is PoW. The problem with the PoS coins we see today is that they think that by using PoS they don't need PoW, so they use a broken issuance method instead.

For a proper PoS coin that uses PoW issuance, everyone can participate in "the game" by acquiring hashrate normally and minting new coins.

If you move forward in time past the original distribution, it is true what you say that to participate you need someone to sell you coins. But in practice coins are being sold on the market, so this is only a problem if someone tries to acquire a large amount - and that's not really a problem, since the most likely person to do this is an attacker. Therefore, I consider the difficulty to acquire a large voting power quickly an advantage.


POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
If you examine the designs listed in the wiki (https://en.bitcoin.it/wiki/Proof_of_Stake), you'll see they're both resilient to this.

In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).

The same cannot be said about the alts that pass for PoS these days.

Why then, do you think we haven't adopted it yet?
1. It's too big a change.
2. It doesn't work well with merged mining and alternative uses of the blockchain (a la colored coins).

How long should the issuance period last? In other words, if you were to create a PoW/PoS coin, when would it stop issuing new coins?
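The rule quoted in the post above (a stakeholder who signs two conflicting blocks has the voting weight of his address reset once evidence is referenced) can be sketched as follows; this is an added example, not code from the wiki designs or from any coin. It assumes that "conflicting" means two distinct headers at the same height from one address, and it uses HMAC with constructed keys purely as a standard-library stand-in for the public-key signatures a real chain would use.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo keys; HMAC is a stand-in so the sketch runs offline.
DEMO_KEYS = {"addr-alice": b"constructed-key-a", "addr-bob": b"constructed-key-b"}


@dataclass(frozen=True)
class SignedHeader:
    signer: str      # stakeholder address
    height: int      # position in the chain this header claims
    body: str        # stands in for the block contents
    signature: str

    def digest(self):
        data = f"{self.signer}|{self.height}|{self.body}".encode()
        return hashlib.sha256(data).hexdigest()


def _mac(signer, digest):
    return hmac.new(DEMO_KEYS[signer], digest.encode(), hashlib.sha256).hexdigest()


def sign(signer, height, body):
    unsigned = SignedHeader(signer, height, body, "")
    return SignedHeader(signer, height, body, _mac(signer, unsigned.digest()))


def signature_ok(header):
    if header.signer not in DEMO_KEYS:
        return False
    return hmac.compare_digest(_mac(header.signer, header.digest()),
                               header.signature)


class StakeLedger:
    """Tracks voting weight per address and applies the reset rule."""

    def __init__(self, weights):
        self.weights = dict(weights)
        self.evidence_seen = set()

    def accrue(self, signer, amount=1):
        # How weight accumulates is not specified in the post; linear here.
        self.weights[signer] = self.weights.get(signer, 0) + amount

    def submit_evidence(self, a, b):
        """Reset the signer's weight if a and b prove double signing."""
        if a.signer != b.signer or a.height != b.height:
            return False          # different signer or height: no conflict
        if a.digest() == b.digest():
            return False          # the same block twice is not a conflict
        if not (signature_ok(a) and signature_ok(b)):
            return False          # forged evidence must not punish anyone
        key = frozenset((a.digest(), b.digest()))
        if key in self.evidence_seen:
            return False          # replay: one offence, one reset
        self.evidence_seen.add(key)
        self.weights[a.signer] = 0
        return True


if __name__ == "__main__":
    ledger = StakeLedger({"addr-alice": 50, "addr-bob": 30})
    fork_a = sign("addr-alice", 7, "tx-set-A")
    fork_b = sign("addr-alice", 7, "tx-set-B")
    print("evidence accepted:", ledger.submit_evidence(fork_a, fork_b))
    print("weights:", ledger.weights)
```

The replay check matters because weight accrues again after a reset: without it, anyone could resubmit old evidence to keep an address at zero indefinitely.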


Title: Re: Proof of stake instead of proof of work
Post by: jabo38 on June 11, 2014, 05:00:49 AM
When I examine PoW, it just looks like an inefficient, gate keeping method, long way about distributing coins.  (basically, like a really poorly designed PoS)   With PoS, I spend money and I am guaranteed coins.  With PoW I spend money to buy a miner and electricity and am guaranteed coins.  The reason the miners buy the miners and electricity is just to get the coins.  Why not just spend the money directly to get the coins with PoS?  A thing with mining is that it is a gate keeping policy.  Only people with high enough tech skills and are friends with the devs get the coins.  This leads to skewed and unfair distributions.  With PoS the devs advertise and advertise for very long times to get as many people in for the IPO.  This is a much more egalitarian way of distributing the coins.  Is it fair?  No, it isn't, but it is much more fair than PoW.  Anybody can spend any amount with PoS from $5 to $50,000 to enter the game, but with PoW a person needs serious resources and know how.  It isn't 2010 and people aren't using their notebooks anymore.

On top of that all that "work" that is being done in "POW" is not really all going on to secure the network as people like to so often say.  It is in fact busy work that is just ultimately wasted energy and computing power for every single miner involved but the one that won the block.  The miners are not working relentlessly to process transactions, in fact many of them refuse to process transactions!!!  What kind of financial system is designed in a way that it is actually not in the interest of the people maintaining a financial network to not process financial transactions? 

With PoS like NXT, a forger's whole computing power is gone towards processing transactions and the only reward is the fees, so the forgers are motivated to process as many transactions as they can.  Sounds like a pretty efficient system to me.

One system the maintainers don't want to process transactions, and the other system the maintainers do...... Hmmmmm, which one is better?

So to me it is a better way of distributing coins and a better way of stabilizing the network.  And oh yeah, the 2nd gen PoS coins are adding function after function and service after service on top of their  networks.

PoW was a revolutionary idea.  +1 to Satoshi coming up with it.  Because of it, he showed that yes, crypto could indeed be real and could indeed work.  He taught us all about a new kind of value.  But now that we know that, we need a much better system that works towards the same end.  If Satoshi would have just released PoS at the start, nobody would have been interested.  It was in the mining in the early days that bitcoin was cool.  Mining made it fun and interesting.  The early days are gone.  Many years have passed.  It is time for crypto to grow up and become a quick, efficient, safe, and easy way to transfer value.  PoS gives our community that. 

Mining is so 2012-2013


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on June 11, 2014, 05:06:27 AM
You have good points.  But after talking with smart people in other threads I'm not so sure a pure Pos coin would be secure, as it suffers from the infamous "nothing at stake" attack vector. 

Also, is Pos as fair as Pow?  Both cost money to acquire initial wealth, but Pos keeps rewarding owners, so the rich get richer. 


Title: Re: Proof of stake instead of proof of work
Post by: XbladeX on June 11, 2014, 07:58:40 AM
...but Pos keeps rewarding owners, so the rich get richer. 
Depend on system 1% interest rate rewards all equally.
POS have pain in later distribution need more PR to expand than POW.
But current centralization of BTC mining have same problems with distribution.

Generally to hold value are better POS coins with active community than any POW BTC clone
with dumping miner farms.


Title: Re: Proof of stake instead of proof of work
Post by: jonald_fyookball on June 11, 2014, 01:26:26 PM
...but Pos keeps rewarding owners, so the rich get richer. 
Depend on system 1% interest rate rewards all equally.
POS have pain in later distribution need more PR to expand than POW.
But current centralization of BTC mining have same problems with distribution.

Generally to hold value are better POS coins with active community than any POW BTC clone
with dumping miner farms.

Centralization of mining could be a small concern, but that is more of a security issue
than an economic issue.  Pool participants are still rewarded.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on June 11, 2014, 02:31:33 PM
With PoS like NXT, a forger's whole computing power is gone towards processing transactions and the only reward is the fees, so the forgers are motivated to process as many transactions as they can.  Sounds like a pretty efficient system to me.

Good point.


Title: Re: Proof of stake instead of proof of work
Post by: xtester on June 11, 2014, 04:41:56 PM
Interesting point of view. Though I suspect a lot of this discussion will shift to POI when it will come out.


Title: Re: Proof of stake instead of proof of work
Post by: 520Bit on June 12, 2014, 06:30:35 AM
I have held my PPC for more than half a year, but may I say POS=Proof of Shit?

The interest is very low, one can rarely get the interest without massive PPC's.



Title: Re: Proof of stake instead of proof of work
Post by: mhps on June 12, 2014, 01:00:07 PM
I have held my PPC for more than half a year, but may I say POS=Proof of Shit?

The interest is very low, one can rarely get the interest without massive PPC's.


Even if Peercoin gives you no "interest" wouldn't you own some just for its security against vulnerability of a pure POW coin? Artificially high POS rate is just inflation that pushes down the exchange rate.


Title: Re: Proof of stake instead of proof of work
Post by: svojoe on June 13, 2014, 01:21:15 AM
I have held my PPC for more than half a year, but may I say POS=Proof of Shit?

The interest is very low, one can rarely get the interest without massive PPC's.


Even if Peercoin gives you no "interest" wouldn't you own some just for its security against vulnerability of a pure POW coin? Artificially high POS rate is just inflation that pushes down the exchange rate.

I believe PoS is a work in progress,  but it seems to me that very low interest is important.  There needs to be incentive to keep wallets open and staking,  you will get more total compounding interest if it is open all the time in a coin like Blackcoin.   So there needs to be incentive to stake.  But too much interest will mimic the same inflation as PoW and I think lower levels of inflation are one of POS's biggest benefits. 


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on June 13, 2014, 02:59:44 PM
Interesting point of view. Though I suspect a lot of this discussion will shift to POI when it will come out.

PoI. What is that exactly? (Besides from Proof of Importance)


Title: Re: Proof of stake instead of proof of work
Post by: Brangdon on June 15, 2014, 03:02:53 PM
I have held my PPC for more than half a year, but may I say POS=Proof of Shit?

The interest is very low, one can rarely get the interest without massive PPC's.
But the cost of mining is also very low. As long as the interest pays for the mining costs, it's good.

People have got used to PoW mining as a get-rich-quick scheme. People mine Bitcoin who have no real interest in the currency. They sell their block-reward coins for fiat. PoS isn't like that. As a get-rich-quick scheme, it is indeed shit. The purpose of mining is not to make money, but to help secure the money you've made. (Although since some interest is paid, you might as well have it as not.)


Title: Re: Proof of stake instead of proof of work
Post by: bitgold on June 15, 2014, 03:06:30 PM
Isn't the current financial system sort of PoS -- the more you own, the more you earn?

Those on the top of the pyramids will make sure the lower class will never have a chance.



Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on June 15, 2014, 03:12:28 PM
Isn't the current financial system sort of PoS -- the more you own, the more you earn?

Those on the top of the pyramids will make sure the lower class will never have a chance.

Sad, is it not?

Better ideas?


Title: Re: Proof of stake instead of proof of work
Post by: blade87 on June 15, 2014, 03:34:21 PM
Anyway PoS limits the participation to an oligopoly, while PoW is open to everybody, without distinction.

That's an illusion. PoS coins have no more an oligopoly than PoW coins. You think mining 0.1 LTC per day via PoW is worth anything? Spending $300 on a GPU to mine versus spending $300 on a PoS coin itself... I'd say the PoS coin actually redistributes itself better than the PoW coin.

Well, unless you're NXT of course. Then I agree with you. :P

I really like PoS, but I feel it could use a few tweaks to become "perfect" still.


Title: Re: Proof of stake instead of proof of work
Post by: mhps on June 16, 2014, 06:19:38 AM
Isn't the current financial system sort of PoS -- the more you own, the more you earn?

Those on the top of the pyramids will make sure the lower class will never have a chance.

The current financial system has no limit in printing.

A POS cryptocoin has a given "interest" enforced by protocol. If this "interest" is there only for mechanically securing the network, it is a trustworthy efficient system.


Title: Re: Proof of stake instead of proof of work
Post by: ChuckOne on June 20, 2014, 04:14:34 PM
Isn't the current financial system sort of PoS -- the more you own, the more you earn?

Those on the top of the pyramids will make sure the lower class will never have a chance.

The current financial system has no limit in printing.

A POS cryptocoin has a given "interest" enforced by protocol. If this "interest" is there only for mechanically securing the network, it is a trustworthy efficient system.

Exactly. The interest is no interest at all. Because the supply of coins does not increase.


Title: Re: Proof of stake instead of proof of work
Post by: jl2012 on June 27, 2014, 06:58:08 AM
Quote from: jonald_fyookball link=topic=27787.msg6753438#msg6753438 date=1400196716
I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.


True. In both cases a majority ownership either in stake or hashing power would make an attack possible.  
But how does that make PoS inferior ?

The attack has no cost or risk.  

Very simplified example:
The network stake is 2M xCoins.
I acquired 1.1M xCoins as of block 1,000.
I sell you 1.1 M xCoins for $$$$$$$ and the transfer is recorded in block 1,001.
I now no longer have any xCoins (effective block 1,001+), I have no cost as I received $$$$$$ in return for the 1.1M xCoins.
I start building an attack chain as of block 1,000 double spending my transfer.

Eventually even if the main chain has a head start, my attack chain will be longer.  This is no different than a 51% attack on a PoW based network however my attack has no cost and no risk.   I already sold the coins.  I am merely using my history of prior ownership to attack the network.

Compare that to PoW.  I build a hashing farm with 51% of network capacity.  If I attack with it then the attack has cost and risk.  The farm wasn't free, I may not succeed in which case I would lose all the legit blocks I could build.   If I sell the hashing farm I can't engage in an attack based on the history that at one point in the past I had more hashing power than the rest of the network.

Both are vulnerable to a 51% attack however PoS allows the attacker to exploit the history (your security mechanism is recorded in the very thing you are attempting to secure) to attack without cost or risk.

What about a PoS/PoW hybrid system? Let's say PoS and PoW blocks have to occur alternately?
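
An added example, not part of any post in this thread: the "very simplified example" quoted above (2M xCoins network stake, 1.1M sold at block 1,001) turned into numbers, using the standard gambler's-ruin catch-up formula. The model (block production proportional to the stake actively minting on each chain), the 6-block head start and all function names are assumptions made for illustration.

```python
import random

# Figures from the quoted "very simplified example"; everything else is assumed.
NETWORK_STAKE = 2_000_000      # total xCoins
SOLD_STAKE = 1_100_000         # coins the seller held at block 1,000
REST_STAKE = NETWORK_STAKE - SOLD_STAKE

def fork_share(fork_stake, main_stake):
    """Assumed model: each new block lands on a chain with probability
    proportional to the stake actively minting on that chain."""
    return fork_stake / (fork_stake + main_stake)

def catch_up_probability(q, deficit):
    """Gambler's-ruin result: chance that a fork `deficit` blocks behind
    ever draws level, when it wins each block with probability q."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** deficit

def simulate(q, deficit, trials, seed, give_up_at=80):
    """Seeded Monte Carlo cross-check of catch_up_probability."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        d = deficit
        while 0 < d < give_up_at:      # stop when level or hopelessly behind
            d += -1 if rng.random() < q else 1
        caught += (d == 0)
    return caught / trials

def scenarios(deficit=6):
    """Catch-up odds for the old-history fork under two participation assumptions."""
    cases = {
        # Only the other 0.9M mint on the main chain (the buyer stays idle).
        "buyer_idle": fork_share(SOLD_STAKE, REST_STAKE),
        # The buyer also mints with the purchased 1.1M on the main chain.
        "buyer_mints": fork_share(SOLD_STAKE, REST_STAKE + SOLD_STAKE),
    }
    return {name: catch_up_probability(q, deficit) for name, q in cases.items()}

if __name__ == "__main__":
    for name, prob in scenarios().items():
        print(f"{name}: P(fork draws level from 6 behind) = {prob:.4f}")
```

Under this model the result depends on how much stake is actually minting on the main chain, which is the quantity a node operator can observe and a protocol designer can incentivise.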