Bitcoin Forum
Author Topic: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper  (Read 9927 times)
Klestin
March 31, 2015, 07:32:21 PM
 #81

If you are not a programmer then start with http://en.wikipedia.org/wiki/Analysis_of_algorithms, if you are then you already see why blockchain is not scalable.

A generic Wikipedia page on algorithms.  I'm completely sure that all the non-programmers out there are now fully up to speed on your argument.  It must be the unfortunate fact of my 30 years of programming experience that's preventing me from absorbing your genius.  Ahh well, back to the darkness and misery for me.
Each block is stacked on top of the previous one. Adding another block to the top makes all lower blocks more difficult to remove: there is more "weight" above each block. A transaction in a block 6 blocks deep (6 confirmations) will be very difficult to remove.
Klestin
March 31, 2015, 07:34:29 PM
 #82

Could you link something? I would be really interested in reading more about it!

coz i guess you are not meaning blockchain size and tps right?

I expect that's exactly what he's referring to, and is either being willfully ignorant of bitcoin development direction, or is just another crapcoin pumper.
Come-from-Beyond
March 31, 2015, 07:41:59 PM
 #83

It must be the unfortunate fact of my 30 years of programming experience that's preventing me from absorbing your genius.

You seem to be a team leader, they always sux in practical programming.
LiQio
March 31, 2015, 08:16:54 PM
 #84

...
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Do you really believe that the value of a Bitcoin is backed by the energy wasted?
If so how is the structure of this correlation?

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

"Imagine that a PoS coin..." -> one will generally select the option with the highest benefit. Whether miners cash out immediately or not would also depend on other factors, e.g. the expectation of future value. But again the question what if a coin (anything else) is not mineable, how do you determine the price?
johnyj
April 01, 2015, 06:14:47 AM
 #85


It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost


In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


LiQio
April 01, 2015, 06:23:57 AM
 #86


It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost

In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


Please answer the question: "what if something cannot be mined, how is the price determined?"
(Let's forget about PoS or PoW for the moment)
koubiac (OP)
April 01, 2015, 10:13:48 AM
 #87


As you said, an attacker can simply use coins that are old
enough and keep trying with them.  Those attacks would
be smaller than 200 block reorgs.

A common misconception is that you can "keep trying". What do you mean by keep trying?
You can try creating forks at every block of the main chain but the probability to create more blocks than the rest of the network combined over a significant period of time (significant doesn't have to be more than say 10 minutes) is negligible if you don't own a very large portion of the mining coins.
If you mean "keep trying" as in trying many times to create a fork at a given height, you simply cannot do that because the outcome will always be the same (since the computation is deterministic and the input is seeded on the mainchain). To get a different outcome and thus be able to "keep trying" the attacker needs to move his coins to the fork and that's when the minimum stake age kicks in.
This is what necessarily creates a lag.


Quote
As far as the new coins (or any coins), what you are not considering is that the blockchain
MUST find new blocks.

Assume you have a 10 percent stake, so you'd have a
1 in 10 chance of being awarded a block.  
Your argument is that you'd have a 10% chance (or .1 probability)
of succeeding at one block, .1^2 for two blocks in a row, .1^3 for
blocks in a row, etc.

However, here's where that argument falls apart:

What if the block found "deterministically"
wasn't broadcast by the chosen stakeholder?  Now the network
must choose again, so you get another 10% chance.  This
process can continue ad infinitum in a grinding fashion.

What do you mean it can continue ad infinitum? What you're describing is basically the percentage of coins mining dropping to zero! This is not a realistic assumption!
The blocks that should mine and don't are already taken into account in the computation because the attacker compares his stake to the total mining coins and not the total coins.
jonald_fyookball
April 01, 2015, 11:34:33 AM
Last edit: April 01, 2015, 12:25:03 PM by jonald_fyookball
 #88


As you said, an attacker can simply use coins that are old
enough and keep trying with them.  Those attacks would
be smaller than 200 block reorgs.

A common misconception is that you can "keep trying". What do you mean by keep trying?
You can try creating forks at every block of the main chain but the probability to create more blocks than the rest of the network combined over a significant period of time (significant doesn't have to be more than say 10 minutes) is negligible if you don't own a very large portion of the mining coins.
If you mean "keep trying" as in trying many times to create a fork at a given height, you simply cannot do that because the outcome will always be the same (since the computation is deterministic and the input is seeded on the mainchain). To get a different outcome and thus be able to "keep trying" the attacker needs to move his coins to the fork and that's when the minimum stake age kicks in.
This is what necessarily creates a lag.


Quote
As far as the new coins (or any coins), what you are not considering is that the blockchain
MUST find new blocks.

Assume you have a 10 percent stake, so you'd have a
1 in 10 chance of being awarded a block.  
Your argument is that you'd have a 10% chance (or .1 probability)
of succeeding at one block, .1^2 for two blocks in a row, .1^3 for
blocks in a row, etc.

However, here's where that argument falls apart:

What if the block found "deterministically"
wasn't broadcast by the chosen stakeholder?  Now the network
must choose again, so you get another 10% chance.  This
process can continue ad infinitum in a grinding fashion.

What do you mean it can continue ad infinitum? What you're describing is basically the percentage of coins mining dropping to zero! This is not a realistic assumption!
The blocks that should mine and don't are already taken into account in the computation because the attacker compares his stake to the total mining coins and not the total coins.

Exactly.  The percentage of mining from other people would drop to zero in a false chain that the attacker generates on his own through grinding.  It would have to, by definition, since the attacker must create the entire chain.  However, since no one really knows who owns what coins, the network would not be able to tell the difference except that perhaps there is a longer time than usual between blocks.  

Then, you might propose restricting chains with too long gaps between blocks.

Let's explore this idea further:  say you have a rule that says every minute I'm going to cut in half the hash value or requirement to forge a new block. So if you have a ten percent stake, you have a ten percent chance.  After two minutes it's twenty, after three minutes it's forty, and after four minutes it's eighty.  So based on that, let's say it's taking you 3.5 minutes between blocks.  (Keep in mind these spaces of 3.5 minutes would be time stamps only for the attacker, not real gaps of time.)

So if I broadcast a false chain, all the blocks are going to be about 3.5 minutes apart in their time stamps.

You might consider, say, a weighted function that decreases the chain's "effective length" when using the longest chain rule.  For example, we divide each block by the number of minutes, so that a block taking 3 minutes instead of 1 only counts for a third of a block. So now you would need a chain 3.5 times as long.  

But then attackers could simply build longer chains.  

You could in turn, prevent this from occurring in long range attacks
by creating an additional rule that the time stamps can't be
too far in the future, but it doesn't prevent shorter term grinding
attacks from older coins.

One idea I've seen to prevent these kinds of PoS attacks is Vitalik Buterin's suggestion of using security deposits, but even that doesn't solve the problem
because you can just attack once you get your deposit back, so it may lessen the frequency of attacks, similar to the 200 minute rule proposed here, but I don't think it stops them.

You also have to be careful with these kinds of rules and not making them too restrictive so you don't risk losing distributed consensus (blockchain fork) or the network halting because no chain is valid when an edge case arises involving low miner participation, ddos, etc, as well as opening up new attack vectors.  I don't think there is any free lunch.
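
The rules sketched in this post can be checked numerically. The following is an added example, not part of the original post or of any coin's code: it computes the block gap a lone 10% staker would expect under the "chance doubles every minute" rule, then applies the weighted longest-chain rule together with a future-timestamp limit. The function names, the 60-second interval, the 120-second drift limit and the timestamp lists are assumptions constructed for illustration.

```python
from fractions import Fraction

def gap_distribution(stake_share):
    """P(first block appears in minute k) for a forger working alone.

    Rule from the post: the chance in minute 1 equals the stake share and
    doubles every further minute (10%, 20%, 40%, 80%, then certain).
    """
    if stake_share <= 0:
        raise ValueError("stake share must be positive")
    dist, still_waiting, minute = {}, Fraction(1), 1
    while still_waiting > 0:
        p = min(Fraction(1), stake_share * 2 ** (minute - 1))
        dist[minute] = still_waiting * p
        still_waiting *= 1 - p
        minute += 1
    return dist

def expected_gap(stake_share):
    """Mean number of minutes between blocks on a chain built by one staker."""
    return sum(k * p for k, p in gap_distribution(stake_share).items())

def expected_block_weight(stake_share):
    """Mean weight per block when a block found after k minutes counts 1/k."""
    return sum(p / k for k, p in gap_distribution(stake_share).items())

def effective_length(timestamps, block_interval=60):
    """Weighted chain length: a block arriving g intervals late counts 1/g.

    Assumption: gaps are rounded up to whole intervals, and a block that
    arrives faster than one interval still counts as exactly one block.
    """
    total = Fraction(0)
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur <= prev:
            raise ValueError("timestamps must strictly increase")
        gap = max(1, -(-(cur - prev) // block_interval))  # ceiling division
        total += Fraction(1, gap)
    return total

def choose_chain(chains, now, max_future_drift=120):
    """Return the name of the heaviest chain whose tip is not too far ahead
    of the validator's clock, or None if every chain is rejected."""
    eligible = {name: ts for name, ts in chains.items()
                if ts[-1] <= now + max_future_drift}
    if not eligible:
        return None
    return max(eligible, key=lambda name: effective_length(eligible[name]))

# Constructed sample data: seconds since a common fork point.
NOW = 1200
PUBLIC = list(range(0, 1201, 60))               # 20 blocks, one per minute
PRIVATE_SHORT = list(range(0, 1201, 180))       # 6 blocks, 3 minutes apart
PRIVATE_LONG = list(range(0, 61 * 180 + 1, 180))  # 61 blocks, tip far in the future

if __name__ == "__main__":
    share = Fraction(1, 10)
    print("expected gap (minutes):", float(expected_gap(share)))
    print("expected weight per block:", float(expected_block_weight(share)))
    print("public weight:", effective_length(PUBLIC))
    print("private (long) weight:", float(effective_length(PRIVATE_LONG)))
    print("no drift limit ->", choose_chain(
        {"public": PUBLIC, "private": PRIVATE_LONG}, NOW, float("inf")))
    print("120 s drift limit ->", choose_chain(
        {"public": PUBLIC, "private": PRIVATE_LONG}, NOW))
```

Under these assumptions the lone 10% staker averages about 3.14 minutes per block, close to the 3.5 minutes guessed in the post. The weighting alone is outvoted by a sufficiently long chain of slow blocks, and it is the timestamp limit that rejects that chain.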

koubiac (OP)
April 01, 2015, 05:39:49 PM
 #89


Exactly.  The percentage of mining from other people would drop to zero in a false chain that the attacker generates on his own through grinding.  It would have to, by definition, since the attacker must create the entire chain.  However, since no one really knows who owns what coins, the network would not be able to tell the difference except that perhaps there is a longer time than usual between blocks. 


Ok I think the reason why we had a hard time understanding each other is because you're talking about an entirely different implementation of PoS than that derived from Peercoin.
I guess it's closer to NXT's protocol although I'm not particularly familiar with it.

Explaining in detail how NeuCoin's (and Peercoin's) implementation works would be too long to do here but you can take a look at the white paper (sections 3.1 to 3.2 starting page 13) if you want more details.

However, it's not possible to grind through stakes the way you described. Basically, the kernel (which is the equivalent of the stake modifier in Peercoin) is designed in a way that prevents you from grinding in an efficient manner. This is explained in detail in section 3.3.3 of the white paper.


Quote
One idea I've seen to prevent these kinds of PoS attacks is Vitalik Buterin's suggestion of using security deposits, but even that doesn't solve the problem

I thought Vitalik's suggestion of using security deposits was linked to the problem of users mining on multiple branches in case of a network fork, not of attackers trying to rewrite history. I should go take another look at his post :)

If you find some time to read the technical part of the white paper I'd love to get your feedback on the attacks and whether you think there are more efficient attack vectors.
uvt9
April 01, 2015, 06:35:35 PM
 #90

Here we go again.
Come-from-Beyond
April 01, 2015, 06:59:54 PM
 #91

In other words, can you "mine" with a permanently air gapped wallet?

Yes.
jonald_fyookball
April 01, 2015, 07:27:57 PM
Last edit: April 01, 2015, 07:39:43 PM by jonald_fyookball
 #92


Exactly.  The percentage of mining from other people would drop to zero in a false chain that the attacker generates on his own through grinding.  It would have to, by definition, since the attacker must create the entire chain.  However, since no one really knows who owns what coins, the network would not be able to tell the difference except that perhaps there is a longer time than usual between blocks.  


Ok I think the reason why we had a hard time understanding each other is because you're talking about an entirely different implementation of PoS than that derived from Peercoin.
I guess it's closer to NXT's protocol although I'm not particularly familiar with it.

Explaining in detail how NeuCoin's (and Peercoin's) implementation works would be too long to do here but you can take a look at the white paper (sections 3.1 to 3.2 starting page 13) if you want more details.

However, it's not possible to grind through stakes the way you described. Basically, the kernel (which is the equivalent of the stake modifier in Peercoin) is designed in a way that prevents you from grinding in an efficient manner. This is explained in detail in section 3.3.3 of the white paper.
 


I'm not particularly familiar with NXT or various implementations, I'm speaking in terms
of general principles.  Based on the whitepaper, there's a complex calculation involving
the UTXOs and the block headers of previous blocks. I still don't see how that prevents
"grinding" or using computational power to build a chain.

If it is difficult to compute, isn't that almost becoming proof of work and everything
that goes along with it?  (If it's difficult to compute for an "average" computer,
wouldn't an ASIC do it easily?)

You seem to be saying that it is not difficult to build a chain of 1 block, but it
is difficult to build a chain of many blocks under this implementation.  
What exactly makes that possible?  I haven't seen any explanation of that assertion,
if that's what is being claimed.

(Please note that even with proof of work, building a longer chain technically
isn't exponentially more difficult than building a shorter chain. It only
becomes exponentially more unlikely to execute a successful 51%
attack because of the diminishing probability that you can keep up in a
LINEAR fashion in real time with the main chain)

Maybe I'm missing something, but it sounds like a self-defeating argument:

"We'll prevent this from turning into proof of work by making it really
hard to compute."  :P

achimsmile
April 01, 2015, 07:28:44 PM
 #93

you have to prove that you control private keys with a "balance"
It is enough to prove that an account "leased" you his minting/forging power.

Example:
Account A has a balance of 1M
Account B has a balance of 0

I make an offline transaction from my air gapped account A, saying that account B can generate blocks with the power of account A. Account A was never online and account B can now mint/forge with the power of 1M, without actually having access to the funds.

I do this all the time, it's pretty easy, just a few clicks required.
Come-from-Beyond
April 01, 2015, 09:29:04 PM
 #94

So, what stops you from leasing your forging power to multiple people or leasing your forging power then selling the coins? When does the system check if the forging funds actually exist?

Couldn't I sell my wallet file (offchain) and continue to forge while not actually owning any "stake" as long as the new owner doesn't move the coins via the chain?

Maybe someone could point me to an easy to understand yet in depth explanation of forging?

You seem to have found a fatal flaw in leased forging!

PS: Don't read about forging! It's like virus - today you read about forging, tomorrow you sell your bitcoins, the day after tomorrow you start recruiting new zealots into PoS religion.
Come-from-Beyond
April 01, 2015, 09:34:08 PM
 #95

Actually, it is really simple and easy, it is the major problem of PoS...

...with coin-age.
Come-from-Beyond
April 01, 2015, 09:44:46 PM
 #96

I would genuinely like to understand it better, if only to increase my awareness. No links? I guess I'm being lazy and should search for the info myself.

Sorry, your post looked trollish because tricks that you mentioned are easily counteracted.

PS: https://wiki.nxtcrypto.org/wiki/Forging
achimsmile
April 02, 2015, 02:27:49 PM
 #97

So, what stops you from leasing your forging power to multiple people or leasing your forging power then selling the coins? When does the system check if the forging funds actually exist?

Couldn't I sell my wallet file (offchain) and continue to forge while not actually owning any "stake" as long as the new owner doesn't move the coins via the chain?

Maybe someone could point me to an easy to understand yet in depth explanation of forging?

You can sign the transaction offline, but you have to broadcast it to the network as well. (Sorry I did not mention it explicitly)
If you broadcast two leasing transactions successfully, the network will see both and cancel one.
If you only sign the transaction offline and don't broadcast, it will have no effect, as the network does not know about it.
If you sell your stake during leasing, the leased forging power will decrease by the spent amount.

Also see: http://wiki.nxtcrypto.org/wiki/Account_Leasing
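
The leasing rules listed in this answer can be written down as a small ledger model. This is an added example, not part of the original post and not NXT's code: the class and method names are hypothetical, and two behaviours are assumptions where the post is silent, namely that the first lease the network accepts wins over a conflicting one and that an account which has leased out its power forges with none of its own.

```python
class LeaseLedger:
    """Toy model: forging power is always derived from on-chain balances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.leases = {}  # lessor -> lessee, only leases the network has seen

    def broadcast_lease(self, lessor, lessee):
        """Record a signed lease once it reaches the network.

        A lease that is signed offline but never broadcast is simply never
        passed to this method, so it changes nothing.
        Assumption: of two conflicting leases the first accepted one stands
        and the later one is cancelled (the post only says one is cancelled).
        """
        if lessor not in self.balances:
            raise KeyError(f"unknown account {lessor!r}")
        if lessor in self.leases:
            return False
        self.leases[lessor] = lessee
        return True

    def spend(self, sender, recipient, amount):
        """Move coins on chain; leases stay attached to the lessor account."""
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("invalid or unfunded spend")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def forging_power(self, account):
        """Own balance (unless leased out) plus current balances leased in."""
        own = 0 if account in self.leases else self.balances.get(account, 0)
        leased_in = sum(self.balances[lessor]
                        for lessor, lessee in self.leases.items()
                        if lessee == account)
        return own + leased_in

    def total_forging_power(self):
        accounts = set(self.balances) | set(self.leases.values())
        return sum(self.forging_power(a) for a in accounts)


def scenario():
    """The case from the thread: A holds 1M and stays offline, B holds 0."""
    ledger = LeaseLedger({"A": 1_000_000, "B": 0, "C": 0, "D": 0})
    steps = {}
    steps["lease_to_B"] = ledger.broadcast_lease("A", "B")
    steps["B_after_lease"] = ledger.forging_power("B")
    steps["lease_to_C"] = ledger.broadcast_lease("A", "C")  # conflicting lease
    steps["C_after_conflict"] = ledger.forging_power("C")
    ledger.spend("A", "D", 400_000)  # A sells part of the stake during the lease
    steps["B_after_sale"] = ledger.forging_power("B")
    steps["D_after_sale"] = ledger.forging_power("D")
    steps["total_power"] = ledger.total_forging_power()
    steps["total_balance"] = sum(ledger.balances.values())
    return steps


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The check worth keeping from this model is the invariant at the end: total forging power equals total balance after every step, so neither a second lease nor a sale lets the same coins count twice.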
spartacusrex
April 02, 2015, 02:55:50 PM
 #98


It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost


In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


I'm starting to think that this is the REAL issue..

Whether 'it is' or 'is not' possible to get a secure POS blockchain working, johnyj's argument is 'META' to all that.

He's saying that the price of the coin is fixed at,..'will tend to', what it costs a miner to make it. And in POS, this is always a small number, by design.

And before you jump in and say, 'You need a lot of POS coins to MINE that POS coin!'.., there seems to be a self-referential issue to that statement that makes it negate-itself.. [Cough] If you see what I mean.. Like a snake eating its tail..

What I mean is, the security of a POS network is dependant on the trustworthiness of the majority of Stakeholders.

I could run a POS network amongst people I know and trust, the members of my village maybe, and it would probably be MORE secure than any other POS coin out there, for me and my friends... Since it costs nothing 'in the REAL world' to run the network securely, just stake in my virtual coin.

The real 'Benefit' from one POS coin to another might be acceptance, not security. How many people accept a certain POS coin .. ?

There would need to be a way of exchanging all these coins for each other, or fiat,  or whatever, on some mega-exchange, but then, hey presto..

..

Maybe that's what will happen.. We'll just have thousands and thousands of different POS coins.. All exchanging for each other..

Come on CfB..  :D ..

Do POS coins break the basic Economic tenet that says - 'The value of a good tends to its production cost'.. ?

And

Does it even matter if the Price of a POS coin IS set to its production cost.. Just need a lot of coins.. ?

Life is Code.
Daedelus
April 02, 2015, 03:48:03 PM
 #99

Why do you think "the value of a good tends to its production cost" applies universally? How do you account for things being perceived as 'sexy' or 'incredibly useful' or 'making things effortless or a fraction of the cost'?

You assume consumers are 100% rational and are not influenced by such things?
spartacusrex
April 02, 2015, 03:56:11 PM
 #100

Why do you think "the value of a good tends to its production cost" applies universally? How do you account for things being perceived as 'sexy' or 'incredibly useful' or 'making things effortless or a fraction of the cost'?

You assume consumers are 100% rational and are not influenced by such things?

Sexxy POS !? I Like..

I AM saying that POS can be incredibly useful. But can it be valuable ?

I don't even know if the value matters, if we can understand just quite how useful it could be..

Life is Code.