Proof-of-stake is more decentralized, efficient and secure than PoW- white paper

[LiQio]

PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."
(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I've added my answer to that question.

Cool, thanks Come-from-Beyond.

@NeuCoin people: This is your thread, didn't you want to "defend" your whitepaper?!
(Or are you currently busy reading up on other PoS implementations than the one of Peercoin  )


(I'm leaving now...)

[Mikestang]

Also, the inefficiency adds an intrinsic value to bitcoin - the cost to mine it.  Although the current value far surpasses this cost, it was this cost of inefficiency that gave bitcoin it's initial "value", and it is this cost that will ensure that bitcoin always has a value.

Now, this (bold) is dead wrong. (Assuming that you speak of a value > 0)

Well, the argument and counter point you put together are air tight, thanks for the contribution.  You reply is a good example of 0 value. 

[jonald_fyookball]

I had (and still have) pretty much the same opinion as Meni Rosenfield about BCNext.  So if he's a FUD spreader, then so am I.

Anyway, the security of a PoW block chain is largely a matter of the miners expending a resource to support exactly one version of the block chain, which they cannot also use to support a different version of the block chain.  That is, they're committing a finite resource and, at the same time, showing that it is not also being used elsewhere.

That's really hard to match with a PoS system.  Locking up coins for a given number of rounds doesn't really provide security for the chain.

The only finite "stake flavored" resource I can come up with is transactions - and that's true only if the transactions cannot be played into both forks by an attacker.  If the transactions have to "stake" a recent block and are not valid in any chain that does not include that block, then they become a finite resource that can't also be used in support of a different branch.  An attacker could still try spending the same coins in both branches of the fork, and waiting for confirmation would be a lot more important because the tx you get won't be valid unless the branch it's staked in becomes the accepted branch.

Anyway, given all that -- the TxOuts that were created before the fork and used in transactions staked in blocks after the fork, can be counted as a resource spent in support of that branch.

The major advantage is that if an attacker tries to build an attack chain in secret, with everybody else in the world staking their tx in the visible block chain, he literally has to have a greater stake than everybody who makes a transaction while he's working or it's not going to work.  That's a guarantee ALMOST as good as PoW.  

But the tx being valid only in one branch of the fork opens up all kinds of games that attackers can play.  And while mining effort is very stable because miners mine at about the same rate whenever they've got their stuff turned on, Transactions as Proof of Stake is very sensitive to the timing of large spends, and a big spend in a fork that's nine blocks behind can force a reorg.  

So, although I think it's secure against VERY long forks, it's pretty horrible for deciding forks in a very short time the way PoW mining does.  So you'd have to use it in combination with something else.  

One thing about this is that it's the people making transactions who secure the block chain, so they deserve their part of the payment for securing the block chain.  The people who actually form blocks?  They can continue to form blocks by PoW or something, also contributing to the security of the block chain. They'll be needed until transaction volume gets high enough that it starts to be at least a little bit "steady" for purposes of short-term resolving stuff.  Thing is, that makes PoW necessary for YEARS, not weeks, and it only makes sense if the coin actually gets used.  It might work for Bitcoin at this point; but no alt that isn't seeing widespread actual use could sustain it.

Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as Pow".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldnt that be done retroactively
by an attacker at no cost?

[Cryddit]

Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as Pow".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldnt that be done retroactively
by an attacker at no cost?

Right.  An attacker can play all sorts of silly-buggers with a TaPoS system in the short run; that's why I can't recommend it on its own.  So, yes, I'm envisioning a system with PoW mining as well, and the people making transactions getting paid for block chain security in the same ratio against the block subsidy that their transactions are counted relative to PoW mining for purposes of resolving blocks.  That's why "almost" as good as PoW.  

A TaPoS system becomes secure only when the "law of large numbers" means that the number of tx per block gets huge and starts to be a fairly constant amount -- the way mining effort is in a PoW system.

Staking a certain block means that when Alice sends Bob 5 coins, she gets paid a "stake security payment" amounting to interest on those 5 coins if she specifies ("stakes") a  very recent block that the transaction then depends on. The transaction has that block ID recorded in it, and isn't valid in any block chain that doesn't include the block Alice staked.

In the case of a block chain fork, TaPoS counts in favor of the fork that has the most coins spent - specifically in txOuts created before the fork and used in transactions staked after the fork.  If more than half the coins that were in existence as of a certain block have been spent - even once - in transactions staked after that block, then no reorg can EVER dislodge that block.  

That's a stronger guarantee than PoW can really make.  Although the combined hashing effort that's gone into the chain makes it impossible in practice that a reorg could ever undo more than ten or fifteen blocks, there's no mathematical guarantee.  In theory, a new block chain could emerge tomorrow that undoes every transaction back to the beginning.  It'll never happen, but there isn't a mathematical guarantee the way there is with a TaPoS system.  

In the short run, if there's a reorg that goes back before the staked block, Alice's payment to Bob disappears.  Bob is looking for (or waiting for) the stake block to be at least 6 blocks in the past to protect him from a reorg that reaches back past the transaction's stake block, the same way that in a PoW system it's wise to wait at least 6 blocks after the payment to protect you from a reorg that happens after the transaction.  

So if Bob wants to be extra-sure he gets paid, he protects himself from a reorg that goes back six blocks by demanding that Alice stake earlier.  He might just check some monitor to make sure there's no known fork in progress and that'll be it.  If Alice is just paying for coffee, he may let her stake the very last block, the same way coffee shops in a PoW system don't wait for the next block for confirmation.  

One nice thing about a TaPoS system is that miners are motivated to include all the tx they can; that makes their block the 'best block' if two are found and prevents it from getting orphaned.

[jonald_fyookball]

Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as Pow".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldnt that be done retroactively
by an attacker at no cost?

Right.  An attacker can play all sorts of silly-buggers with a TaPoS system in the short run; that's why I can't recommend it on its own.  So, yes, I'm envisioning a system with PoW mining as well, and the people making transactions getting paid for block chain security in the same ratio against the block subsidy that their transactions are counted relative to PoW mining for purposes of resolving blocks.  That's why "almost" as good as PoW.  

The obvious question is what happens when the subsidies end...then you're left with a pure TaPos. 

A TaPoS system becomes secure only when the "law of large numbers" means that the number of tx per block gets huge and starts to be a fairly constant amount -- the way mining effort is in a PoW system.

Staking a certain block means that when Alice sends Bob 5 coins, she gets paid a "stake security payment" amounting to interest on those 5 coins if she specifies ("stakes") a  very recent block that the transaction then depends on. The transaction has that block ID recorded in it, and isn't valid in any block chain that doesn't include the block Alice staked.

In the case of a block chain fork, TaPoS counts in favor of the fork that has the most coins spent - specifically in txOuts created before the fork and used in transactions staked after the fork.  If more than half the coins that were in existence as of a certain block have been spent - even once - in transactions staked after that block, then no reorg can EVER dislodge that block.  

Yeah but how do you implement that so you balance the TaPoS count with the proof of work.  You add some security by introducing an element, yet
take it away with the other hand by diminishing/diluting the requirements of PoW longest chain.



 

[Cryddit]

I don't think you can possibly add anything that counts without making the thing that counts for EVERYTHING at the moment count for less than everything.

From my notes on how this is supposed to work:  

txSpend = total txouts that existed before fork, used in tx staked after fork

hashes = proof of work since fork
stake payments counted for security = the amount of the txSpend set times the interest rate for the full age of the txOuts or the *MEDIAN* age of the txOuts whichever is less. 

Priority = Hashes * (Block subsidy awarded + stake payments)

So while there are no tx, priority is exactly like Proof-of-work.  When there are a few, TaPoS becomes essentially a tie-breaker deciding which of two recent blocks gets orphaned.  But as block subsidies gradually get smaller and the stake awards gradually get proportionally bigger, TaPoS becomes the dominant consideration in resolving forks.  

It's an interesting experiment that I think I'm going to do in an altcoin, and which I think somebody *HAS* to do in an altcoin before it would be responsible to even propose it for Bitcoin.   Assuming stake payments at some economically sane rate like ten percent annually, and a constant mining award, it would be about eight years before transactions counted for as much as mining.  Or you could think of that as a "reward halving time" of eight years for the miners if you'd rather - relative to the entire money supply that would be equivalent.

Yes, I am a mad scientist.  I propose running an experiment on human beings.  Would you like to be a test subject?

[jonald_fyookball]

All very interesting ideas.
 
I think the idea of alternating blocks of PoS and PoW
might be fruitful, but again, it needs to be implemented
correctly, and again one of the issue is how do you issue
the blocks.

I'm also in favor of alt coin promoters writing and publishing
simulation and testing software proving the security of their
coin if they think they have a better idea.
Just publishing a white paper with some fancy formulas
is "fine" if you're trying to look good but at the end
of the day, it has to stand up to scrutiny.  That's
probably why most of the "serious" developers aren't
even reading these threads.

Real value will prove itself.

Ironically, someone recently published a PoS reseach paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

[Cryddit]

PoS as usually implemented means "Piece of Shit."  Excuse my language, but it's simply bad protocol design.  Those guys who have a brief mining period, or an IPO, or whatever, aren't distributing it to enough people for any kind of PoS to be stable, let alone the broken kind of PoS they're implementing where people just lock up coins for the ability to form blocks and get paid for that.  

One person's locked-up coins do not matter when you're deciding security for ALL of the users.  If you're going to measure stake you have to do it in a way that counts everybody's or you'll have someone preparing an attack chain in secret.  And you have to have a very wide distribution before the law of large numbers statistically smooths out the amount of stake observed per block. And you have to pay the people who are providing security (that is to say, everybody who makes transactions).  The people doing PoW are doing security for PoW block chains so the block subsidy to them is appropriate.  But if you're counting everybody's stake, you have to distribute payments to people according to how much security everybody contributes to the chain. 

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Proof of stake doesn't have to be anywhere near that bad.  

[Daedelus]

Ironically, someone recently published a PoS reseach paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

Dispite going over their findings several times, you choose to see what you want to see. Concensus Research themselves say the 1% attack described by Vitalik is garbage. You claim to understand but you only refer to their 3rd published paper which suits your opinion if you ignore everything else they said. And you have thr gall to accuse others of inverting!   

This being the 5-6th time we have discussed this same thing, it is obvious this is some kind of religious debate to you. So I'll leave it to others to repeat themselves and re-rake over old ground.

[jonald_fyookball]

Ironically, someone recently published a PoS reseach paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

Dispite going over their findings several times, you choose to see what you want to see. Concensus Research themselves say the 1% attack described by Vitalik is garbage. You claim to understand but you only refer to their 3rd published paper which suits your opinion if you ignore everything else they said. And you have thr gall to accuse others of inverting!   

This being the 5-6th time we have discussed this same thing, it is obvious this is some kind of religious debate to you. So I'll leave it to others to repeat themselves and re-rake over old ground.

Never read any of the other papers, and not going to debate this with you again.  Feel free to post the link to the white papers and let readers make up their own mind.

[Daedelus]

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

[Daedelus]

Ironically, someone recently published a PoS reseach paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

Dispite going over their findings several times, you choose to see what you want to see. Concensus Research themselves say the 1% attack described by Vitalik is garbage. You claim to understand but you only refer to their 3rd published paper which suits your opinion if you ignore everything else they said. And you have thr gall to accuse others of inverting!    

This being the 5-6th time we have discussed this same thing, it is obvious this is some kind of religious debate to you. So I'll leave it to others to repeat themselves and re-rake over old ground.

Never read any of the other papers, and not going to debate this with you again.  Feel free to post the link to the white papers and let readers make up their own mind.

There is no debate   see if you Cryddit to agree that your position is reasonable, given the evidence.  Or if he/she thinks you have a severe case if cherry picking to prop up your own ingrained beliefs.  That would be interesting to see..

[jonald_fyookball]

My position on what exactly?  Cryddit stated several times that most PoS has issues.
He's proposing PoW + TaPos.  Not sure what your point is.


 

[Cryddit]

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 

[Daedelus]

Did Concensus Research say the 1% stake attack is feasible or BS? The bit about inverting things was my point.

Did Concensus Research say Nothing @stake was something to worry about or that it was completely overblown BS (I'm paraphrasing   ) again, the bit about inverting was my point.

[Daedelus]

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 

I haven't, no  but research (with published models to review their findings) say they "mining on every chain" is a benefit to the network as the number of branches you see grows expontially with time and so tends towards proof of work when trying to "simply build a longer chain". As the nothing at stake criticisms haven't progressed beyond vague words and hand waving, Concensus Research defined 4 different definitions, based on the forum debates.

You seem an open minded person take a look here: https://bitcointalk.org/index.php?topic=897488.0

Keep an eye out for the paper on multibranch forging ("mining every chain you see")

[johnyj]

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost

In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation

Please answer the question: "what if something cannot be mined, how is the price determined?"
(Let's forget about PoS or PoW for the moment)

Unless forced by government like fiat money, price is always decided by supply and demand. If the coin can not be mined, the demand will drop quickly, since the most important character of cryptocurrency is that people can create money by themselves

In fact that's also a concern for bitcoin when most of the coins are mined, by then transaction fee will take over. With a larger block size, I foresee that transaction fee will rise to the same level as block reward in 20 years

[jonald_fyookball]

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 

I haven't, no  but research (with published models to review their findings) say they "mining on every chain" is a benefit to the network as the number of branches you see grows expontially with time and so tends towards proof of work when trying to "simply build a longer chain". As the nothing at stake criticisms haven't progressed beyond vague words and hand waving, Concensus Research defined 4 different definitions, based on the forum debates.

You seem an open minded person take a look here: https://bitcointalk.org/index.php?topic=897488.0

Keep an eye out for the paper on multibranch forging ("mining every chain you see")

With all due respect, if you're only understanding the nothing-at-stake issue as "vague words and hand waving", perhaps you do not really understand those criticisms?  I say that because to me, those criticisms are clear and logical. 

Regarding multiple chains, the simplest way to put it is: more chains = more reorgs = weaker security.

[Come-from-Beyond]

Regarding multiple chains, the simplest way to put it is: more chains = more reorgs = weaker security.

More reorgs = weaker security is correct... for PoW. For PoS you are supposed to provide reasoning that proves your claim.

[jonald_fyookball]

Regarding multiple chains, the simplest way to put it is: more chains = more reorgs = weaker security.

More reorgs = weaker security is correct... for PoW. For PoS you are supposed to provide reasoning that proves your claim.

A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).