Bitcoin Forum
Author Topic: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper  (Read 9931 times)
koubiac (OP)
March 30, 2015, 10:14:10 PM
 #21


But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously created proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !
Ron~Popeil
March 30, 2015, 10:34:31 PM
 #22

POW and POS both have relative advantages and disadvantages. The inherent weakness I see in POS is that new capital doesn't flow in as readily because your stake multiplies on its own. The weakness with POW is massive power consumption and ever increasing expense if you mine.

As a late comer to crypto currency bitcoin is much more difficult to accumulate in an appreciable amount. Add the downward pressure of mined coins being sold constantly and the ever present fraud that goes on and it is a risky investment.

Personally I collect and hold bitcoin and clams. If I had to choose I would hold just bitcoin but I think both have their place in the crypto world.

anti-scam
March 30, 2015, 10:37:48 PM
 #23

I don't believe that proof-of-stake is necessarily appropriate for Bitcoin but I do completely agree with:

Quote
Bitcoin holders are reluctant to debate competitive alternatives to PoW such as PoS and trusted nodes (like Ripple, despite its nearly $1B market cap).

It seems like every new technological innovation being pioneered by other cryptocoins is categorically rejected for implementation in Bitcoin almost immediately. It also seems like most of the people behind Bitcoin are also on the board of dozens of projects designed to replace it. If Bitcoin does end up failing, I think that the failure will be entirely social, a refusal to adapt and innovate. This is something that anybody interested in the project should be worried about.

Come-from-Beyond
March 30, 2015, 11:04:43 PM
 #24

http://www.links.org/files/decentralised-currencies.pdf claims that cryptocurrencies with unknown "miners" are flawed. Unlike PoW, PoS coins do know who the "miners" are.
jonald_fyookball
March 31, 2015, 01:31:17 AM
 #25


But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously created proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


There is some mechanism to decide who gets
to stake the next block.

In PoW, you must be the first to
solve a puzzle.  In PoS, you need only
meet certain conditions with your stake.
(And those conditions must be flexible
enough to ensure that blocks come out
in a timely manner -- should the chosen
participant not mint the block, an alternate
must be quickly selected).

Forcing a reorganization by broadcasting
a longer chain is the same mechanism
whether one is attempting a double spend
or simply trying to garner transaction
fees.

As the paper says, grinding refers
to "cheaply searching the blockspace to find blocks
that direct history in their favor".

So a false chain is any other chain than
the main chain -- it is one that you forked
from a previous point on the main chain,
either for the purposes of double spending,
or gaining fees.

As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

Of course, if everyone starts doing that,
you are back to the issue of using
competing computing resources, and thus
energy costs will rise to the level of
marginal profitability, which is the
very thing that PoS claims to avoid.

I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

Again, this kind of thing has always
been a problem with PoS coins.  
I just don't see how neucoin is anything new.

disclaimer: I'm not an expert and I could certainly
be wrong, but I would like someone to
explain why I am wrong.
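
The point about claimed timestamps in the post above, as an added example that is not part of the original thread: a toy stake kernel (hypothetical parameters and function names, not NeuCoin's or any real coin's rules) showing what a receiving node can verify about a branch whose timestamps span 200 minutes. Every check passes even though the branch is computed in a fraction of a second, because none of the checks binds a block to wall-clock time.

```python
import hashlib
import time

# Toy parameters (assumptions for illustration, not taken from any real coin).
TARGET_PER_COIN = 2**256 // 6000      # one coin is eligible in a given second with p = 1/6000
STAKE_ID = b"constructed-stake-output"
STAKE_COINS = 100                     # so this stake is eligible about once a minute


def digest_of(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def kernel_ok(prev_hash: bytes, ts: int) -> bool:
    """Eligibility: hash(previous block, stake, claimed time) below a stake-weighted target."""
    d = digest_of(b"kernel", prev_hash, STAKE_ID, ts.to_bytes(8, "big"))
    return int.from_bytes(d, "big") < TARGET_PER_COIN * STAKE_COINS


def block_hash(prev_hash: bytes, ts: int) -> bytes:
    return digest_of(b"block", prev_hash, STAKE_ID, ts.to_bytes(8, "big"))


def build_branch(fork_hash: bytes, fork_ts: int, until_ts: int):
    """Step through claimed timestamps and mint wherever the kernel passes.
    The cost is one hash per claimed second, however long ago the branch 'starts'."""
    blocks, prev = [], fork_hash
    for ts in range(fork_ts + 1, until_ts + 1):
        if kernel_ok(prev, ts):
            prev = block_hash(prev, ts)
            blocks.append((ts, prev))
    return blocks


def validate_branch(fork_hash: bytes, fork_ts: int, blocks, now: int) -> bool:
    """All a receiving node can check in this model: ordering, not-in-the-future,
    kernel eligibility and hash linkage. The arrival time of a block is not an input."""
    prev, last_ts = fork_hash, fork_ts
    for ts, bh in blocks:
        if not last_ts < ts <= now:
            return False
        if not kernel_ok(prev, ts) or bh != block_hash(prev, ts):
            return False
        prev, last_ts = bh, ts
    return True


def demo():
    now = 1_427_765_477                       # constructed "current" Unix time
    fork_ts = now - 200 * 60                  # branch claims to start 200 minutes ago
    fork_hash = digest_of(b"constructed fork-point block")
    t0 = time.perf_counter()
    blocks = build_branch(fork_hash, fork_ts, now)
    build_seconds = time.perf_counter() - t0
    return {
        "blocks": len(blocks),
        "claimed_span_s": now - fork_ts,
        "build_seconds": build_seconds,
        "accepted": validate_branch(fork_hash, fork_ts, blocks, now),
    }


if __name__ == "__main__":
    print(demo())
```

In a proof-of-work chain the same branch would cost the expected hashing work of every block in it, which is the asymmetry the post is pointing at.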

nachoig
March 31, 2015, 01:40:23 AM
 #26

After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.
Bit_Happy
March 31, 2015, 01:46:57 AM
 #27


But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously created proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


There is some mechanism to decide who gets
to stake the next block.

In PoW, you must be the first to
solve a puzzle.  In PoS, you need only
meet certain conditions with your stake.
(And those conditions must be flexible
enough to ensure that blocks come out
in a timely manner -- should the chosen
participant not mint the block, an alternate
must be quickly selected).

Forcing a reorganization by broadcasting
a longer chain is the same mechanism
whether one is attempting a double spend
or simply trying to garner transaction
fees.

As the paper says, grinding refers
to "cheaply searching the blockspace to find blocks
that direct history in their favor".

So a false chain is any other chain than
the main chain -- it is one that you forked
from a previous point on the main chain,
either for the purposes of double spending,
or gaining fees.

As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

Of course, if everyone starts doing that,
you are back to the issue of using
competing computing resources, and thus
energy costs will rise to the level of
marginal profitability, which is the
very thing that PoS claims to avoid.

I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

Again, this kind of thing has always
been a problem with PoS coins.  
I just don't see how neucoin is anything new.

disclaimer: I'm not an expert and I could certainly
be wrong, but I would like someone to
explain why I am wrong.


I like the unusual formatting, since it makes your post look like poetry.
Were you on a phone (very small screen) typing it?

jonald_fyookball
March 31, 2015, 01:48:50 AM
 #28

No, that's just how I post. 
It's an old habit to try to
make emails more readable.

jabo38
March 31, 2015, 01:53:23 AM
 #29

After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

I like proof of activity the best.  

In POW we are saying whoever can waste the most electricity should get the honor of forming a block, but that doesn't really help the network.

In proof of capacity, we are saying that whoever can waste the most hard drive space should get the honor of forming a block, but again that doesn't really help the network.

In POS, we are saying that whoever directly invested in the network gets the honor to produce the next block.  So in a way a person is in some ways contributing to the network.  Way better than the above two options.

But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  

jabo38
March 31, 2015, 01:55:31 AM
 #30

After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

In the end, there is always more room for improvement.

jabo38
March 31, 2015, 01:59:09 AM
 #31

MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Centralized exchanges is so 2014...

I feel like by the end of 2015 the community will really have some exchanges that will not run with the money because they are either 1) insured so even if the money disappears, it is just repaid, or 2) the exchanges are designed in a way that it is unpractical to steal the money because the exchange was designed from the ground up to not be able to steal money, and even the few weaknesses where it could be exploited would be pointless because it is in the exchange's interest in the long run to not act maliciously.

inBitweTrust
March 31, 2015, 02:35:09 AM
 #32

But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  

Interesting --
http://eprint.iacr.org/2014/452.pdf

Amph
March 31, 2015, 07:20:23 AM
 #33

you forgot that in pow, there is the halving, which will lead at the end to an increase in price because of less supply and more demand

in pos no one will buy anymore because he/she can generate coins without any effort, free money for them
i didn't forget halvings i just don't want to wait years for coin generation to be low enough that it doesn't hurt the price anymore and when that happens we get bigger risk of 51% as many miners switch off machines

of course someone will buy, the same who are buying now except they will be buying from our hoarded coins + 1% interest instead of miners who dump at any price

i could agree that halving structure isn't ideal as it is right now, 4 years between halving is too much, satoshi didn't take that into account maybe, it should have been 2 years max or even one year, the sooner bitcoin enters in the "fees phase" the better

cambda
March 31, 2015, 08:28:18 AM
 #34

What about terrible initial distribution of coins in Proof-of-stake? About the security, in order to stake new coins you must have unlocked wallet, so basically the least secure option to keep your coins.
spartacusrex
March 31, 2015, 09:42:55 AM
 #35

POS vs POW!!

Again!!!

hmm..

I did ask a few questions in the Neucoin https://bitcointalk.org/index.php?topic=1003488.0 thread but no answers were forthcoming..

For me, there are issues with POS that many choose to ignore, or are ignorant about, simply because they think POW is wasteful..

I repeat :

1) Much is made of the 'wasted' and 'costly' electricity used to run the POW mining rigs.. People seem to think this number can increase 'INDEFINITELY' and somehow consume ALL the power in the world. LOL. This simply is not the case. The miners will spend what they can make from mining, they can't spend more.. or go out of business. The Market will determine what this will be. Personally, I don't see it as an issue, at all. The amount of energy Bitcoin mining uses is literally PEANUTS in the bigger scheme of things.  

Can someone explain a couple of POS queries.. ?

2) What if all the coins in a POS system are distributed evenly, the dream!, so that there are very few, if any, whales. Everyone thinks they have an insignificant amount, for mining purposes, but in truth they are ALL minnows. Who would mine ? Can't just lock up your funds if you are living hand to mouth..

3) If 10% of the stakeholders mine in POS, since I think 100% or even 50% seems unlikely, does that mean you need 5.1% to perform a 51% attack ?

4) In POS, can energy be expended searching more chain branches to find a valid chain on which you make more money ? If this is the case, won't future miners just spend money and expend energy until they spend slightly less than 1 block makes (same as POW) ?

5) Is this true : If a Cartel of POS stakeholders ever reach 51%.. That's it.. They can never be overtaken if they choose not to be. In POW this is not the case.

Thank you..

Life is Code.
herzmeister
March 31, 2015, 10:04:55 AM
 #36

I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.

Come-from-Beyond
March 31, 2015, 10:19:34 AM
 #37

I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.

You refuted one bold claim with another...
herzmeister
March 31, 2015, 10:25:04 AM
 #38

which one of my claims do you think is bold?

Come-from-Beyond
March 31, 2015, 10:40:44 AM
 #39

which one of my claims do you think is bold?

Quote
only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day
herzmeister
March 31, 2015, 10:48:40 AM
 #40

yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent Sybil attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...

