Bitcoin Forum

I've been thinking about ways to secure POS against "Nothing at stake" type of attacks. I don't think that Nothing at stake problem kills all POS coins off. Reality shows they are relatively fine, albeit with various tricks, which in a way do not make them completely decentralized.

As far as I understand the science behind distributed consensus POS coins cannot guarantee asynchronous consensus, that is there's a possibility of  successful fork. It manifests itself in so-called "Nothing at stake" argument, which states that since it costs nothing to generate a block for a POS miner to hedge his bets he would mine on all the competing chains that he can find. He just does not loose anything by mining on all the chains, but if he prefers to stay on the main chain he could loose mining fees if the competing chain wins, so it makes sense for him to mine on both.

Bitcoin and POW coins solve this by bringing an external factor into the game, namely computational power the miners possess.
Miner can't afford to mine on the wrong chain since he looses money he paid for his ASIC and electricity. So there's something at stake for him, which makes POW coins inherently more stable.

This is a serious theoretical argument and it has to be probably dealt with.

So, what could be at stake for a POS miner? In real world systems such as NXT a rogue miner would be penalized if he chooses to mine on a fork, the main chain wouldn't allow him to mine on it. Could we dig deeper and make the miner actually pay for his mining with the coin he mines? That would be in a way analogous to investing in ASIC's and electricity when dealing with Bitcoin, with the difference of paying for everything with the coin to be mined.

If we somehow manage to do that we will obtain a self-contained cryptocurrency with a very low energy consumption and no need for fancy asic's, which prevents miners from mining on all forks they can find by its construction.

One way to do it would be the following:

• The miner pays a mining "initiation" fee ("Bet")  by sending a payment to a special "initiation" address.
• Miner address is selected from the miners' pool, that is from the addresses who made initiation payments
  The probability for the miner to generate a block is equal to SHA256(prevhash + address + timestamp) <=   Bet / diff,
  where prevhash is the hash of the previous block, address is the miner address, Bet is the fee the miner paid to participate, diff is current adjustable difficulty
  
• Let's suppose that mining is for transaction fees only, that is the miner gets to collect the transaction fees. So his mining profit depends on the bet he made and the fees collected in the block. If the miner chooses not to mine due to his bet being less than he profit he collects from the fees, he is penalized by the network, and is unable to mine. The bet is considered to be spent.
• If the miner decides to do make another bet he has to make a new initiation payment.

Network is able to understand when a given miner has to produce a new block, the system is deterministic (check NXT cryptocurrency forging algo for example). So if in due time there's no block generated by the miner his bet is considered to be spent. So he'd better mine a block even if the bonus he collects is less than the bet he made.

So the average bet miners make turns out to be dependent on average block size, average transaction value and average time between blocks, which is adjustable the usual way through varying difficulty. We obtain a network of gambling miners, where bets they make prevent them from mining on forks, since if a fork doesn't beat the main chain his fee (which has been made on the main chain) is lost.

TLTR:

POS system is proposed where a miner has to make a bet before being eligible to generate a block; miner's profit is equal to (fees generated in the block - miner's bet);  miners who choose not to mine a block are penalized and their bet is considered to be spent.

This is not addressing the fundamental limitation which is that 'bet' is entirely internal to the system, which means that nothing preventsthe people with the keys from going back and replaying the history, even years after long after they've sold their coins and exited the system... and the resulting forged and legitimate chains are indistinguishable to a new participant.

I feel like you read the snazzy "nothing at stake" words and then stopped thinking before finding out in detail what they actually meant.

If you're going to invoke POW with POS you can try, but it's very difficult to end up with a result where the security doesn't simply reduce to one or the other (or worse, since POS signers can prevent new entrants from joining into mining in most designs; the admissions freeness of POW is potentially lost).

I've solved this problem with the Decrits Consensus Algorithm by using long-term active stakes and maintaining the history of those stakes with sign in/out messages. Historical stake holders creating fake chains cannot appear to be legitimate because they cannot sign out honest stake holders. Even without this, the worst case scenario is creating a developer checkpoint to prevent deep history rewriting - the exact same mechanism bitcoin uses.


POW pools can prevent new entrants from joining into mining as well and it generally requires the same sort of principle (more than 50% of the stake/work). It would be quite easy for several pool owners totalling more than 50% of POW to prevent anyone else from providing POW.

Do you have any arguments that actually don't also apply to bitcoin?

Yes. It can be summarized in one word: Derivatives.

The issue here is that stake does not equal exposure and it is very easy to have a large stake and zero or negative exposure. The reason this has not yet become an issue with POS coins is that none of them have evolved to the point where a significant derivatives market has developed, even to the degree that exists today with Bitcoin and Litecoin. It is today possible to control 10000 USD worth of XBT or 5000 USD worth of LTC with 500 USD margin. I leave it to the reader to determine how much EUR, or gold one can control with 500 USD in margin at a typical FX broker.

My take remains that POS can only work in a highly regulated market and even there, if the regulators are not on the ball we get the near financial disaster that occurred in 2008. After all the typical large wall street bank is ultimately governed by proof of stake. It is called one share = one vote.

Edit: Size of derivatives markets: http://www.bis.org/statistics/derstats.htm (http://www.bis.org/statistics/derstats.htm)

Yes, as the arguments against POS are accepted as defeated, we must invent newer and even less relevant but more convoluted arguments to protect proof of waste.

Rather than call Proof of Stake, Proof of Scam, I will instead let Conrad Black make the case. http://en.wikipedia.org/wiki/Conrad_Black (http://en.wikipedia.org/wiki/Conrad_Black)

I love these threads, always so much certainty mixed in with the vagueness  ;D

There is nothing new about this argument. If it seems so to you, then you haven't done your homework at all.

[insert internet troll picture with with overlaid text stating: "My argument? You don't know 'bout my argument!"]

Anyways...

What do you guys think of the particular type of Staked Proof of Work we are working on? :  https://docs.google.com/document/d/1LzY_dQz4jVDrHZq6BawSzT9rNRx_CaZou_fpEcu6CU4/edit?usp=sharing (ignore the Polychains part - that is really a separate technology).

How about this ? This is a project i am involved in. So please rewiew Smiley

http://coinsrace.com/

1 month, 5 days, 15 hours, 16 minutes, and 35 seconds until mining starts.

Instant Payments
No Electricity costs
No Hardware Setup costs
No Maintenance costs
24/7 Free Support

X15 Algorithm
Block discovery: every 2 minutes
80 coins per block reward
Total amount 2 Billion coins
Block retarget time on every block
Proof of Work
Proof of Stake reward 8%
(and decreasing every year by 1% until reaching 1% yearly)

Yes, I want to understand whether it's possible to create a system which "eats its own dogfood", without any external factors.
Theoretically it does not seem to be the case, due to FLP result, but I think this is more of a limitation not a strict ban, as Bitcoin shows.

You can't mine in the proposed setup without coins, so your argument of replaying history does not quite apply here.

One more point - I hear a lot that POS is unsustainable, but don't forget that POW is probably as much unsustainable from purely theoretical point of view. But both POW and pure POS coins exist and refuse to die easily.
Some academic thought should be here, there are not so many articles about asynchronous consensus and crypto yet.

• Incentive for n@s attack: A few million USD
• "nothing prevents people to do it."
• No one has tried and succeeded until now

It might not be an a priori argument, but those 3 sentences together look paradox to me.

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
Probably you've seen this, the latest on Stake from Vitalik Buterin. The proposed solution is check-pointing actually.
He mentioned something similar to what is proposed here, but discards it since he considers a security deposit, not a bet.

https://bitcointalk.org/index.php?topic=871576.0 (https://bitcointalk.org/index.php?topic=871576.0)

Take a look at this thread, which covers the same topic.
Essentially to resolve nothing at stake, you need to prohibit all forms of txns among POS miners.
You do not need checkpoints.
I discuss the theory behind this. It sounds very restrictive, but there are some ways of loosening it up.

Just so you don't miss it benjamin_bit...

https://nxtforum.org/consensus-research/multibranch-forging-approach/

First findings of the POS research group.

hahahahaha, proof of work could really be called proof of waste. 

To me it seems to work right here right now, in an unregulated market. Would you say that Nxt, peercoin, etc. do not "work", or would you say that they are situated in a regulated market?

The whole point of PoS in crypto is that the wallstreet PoS in the sense of 1 share = 1 vote is centralized. Who guarantees that my shares are not diluted (ok, some cryptos sadly inflate supply as well)? If the management does something illegal, the company that I invested in could be taken down by the government, etc.

I don't understand how derivatives apply in a PoS system. Having 'control' of paper money in a closed system like a brokerage is not the same as actually having that cryptographic currency to stake.

Individuals 'leasing' stake to other individuals though sounds like a big problem to me. And any community that allows such a market to develop is probably making a big mistake since it could greatly lower the cost of an attack.

It matters because nothing at stake means you have nothing to lose. If you lose coins but gain at least the value of those coins elsewhere, then you still have nothing at stake.

Nothing at stake is fundamental and can't ever be fixed. That doesn't mean it isn't possible to build a functional or useful currency system around that fact, but it will have some properties that will always differ from proof-of-work (where an actual thing -- energy -- is consumed and can't be "unconsumed" elsewhere in an offsetting trade). People who want to do useful work should stop trying to "fix" or "disprove" nothing-at-stake and accept it as a fact and go from there.


It can't be prevented unless the market is highly regulated. That's exactly what ArticMine was saying.

We don't even have a proper description of how N@S would work on a specific coin yet. All I hear is some bold statements "n@s is a fact". Please, you and I don't know the math behind it enough to make such claims.

Let's prove n@s first before saying it can't be disproved, allright?

Actually I can't see anything wrong with checkpointing setup sort of which is implemented in NXT now or the one Vitalik wrote about recently. Such systems worked, work, and seem to be able to work in future.  Field tests are successful, this is the most important.
Any crypto will be some cross between social consensus and "technical" consensus, so if technical consensus is not guaranteed by theory it doesn't mean that the system can't function.

"Any crypto" does not have to include social consensus, as Vitalik explained. PoW is "objective." This doesn't mean it always works perfectly -- if you are completely disconnected from the longest chain, you can't ever choose the longest chain. But in choosing between two chains, there is no social consensus involved. And in the first case (disconnected) social consensus won't help you, so it adds nothing.

But what you were saying about things that work is ultimately exactly what I was saying above. Trying to "fix" nothing-at-stake is dumb.

Real world shows that POW is not objective, gigahash could have more than 50% of hashing power easily. So they choose to behave themselves not to hurt the network. It is very subjective.

No that is not subjective. Even if ghash had >50% and even if they misbehaved, the longest chain would still be objective and unambiguous.

We are back to what works and is useful, but that's a different question.

I'm not a fan of PoW as it exists in Bitcoin with extremely large pools, but I still assert that it has a stronger consensus model that is more robust with respect to trust. Again, that doesn't even imply it is necessarily useful at all.

This approach with prepayment, bet or whatever you call it is getting hot now,
another project based on this http://tendermint.com/

@sasha, rigorous research in the the 'Nothing at Stake' assertions has been published >>> https://bitcointalk.org/index.php?topic=897488.0

Please comment in the thread >>> https://bitcointalk.org/index.php?topic=897488.0. It would be good if we could get heads together from all aspects of cyrpto in the same place to discuss.

Thank you, I'm watching this, I'm "coinomat" at nxtforum :)

I never knew! :D :D

i couldnt resist.. :D

That's very uncharitable at Christmas! You can spam when the POI whitepaper is finally released  :)

il hold you to that.. ;)

im all for spreading the word on that paper though, i just could help myself ha. good that theres finally something solid out to tackle the pos fud. i see there is virtually zero arguments against it lol

The N@S paper from Kushti is important, though, this attack vector is always brought out whenever Nxt (and POS in general) is discussed.
Right now, the paper takes a few improtant steps in demonstrating that a nothing-at-stake attack is almost ceratinly dooned to fail.

And Hi! to the Coinomat dude!