Bitcoin Forum
Author Topic: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper  (Read 9927 times)
Cryddit
April 03, 2015, 03:45:40 PM
 #141


Also more reorgs means it's easier for Mallory to cause a reorg whenever it suits his nefarious purposes.  Want to double spend your coins?  Spend them, cause a reorg, spend them again, done. 
Come-from-Beyond
April 03, 2015, 03:48:38 PM
 #142

A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).

Is it the only reasoning you are able to provide?
Cryddit
April 03, 2015, 03:56:45 PM
 #143

A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).

Is it the only reasoning you are able to provide?

Umm, it seems like pretty sound reasoning to me.  Much, much better reasoning than the ten words of yours I just quoted. 

I accept as an axiom that the purpose of the block chain protocol is to come to a shared consensus about what actually happened and what therefore can happen next. 

A reorg means that consensus is not shared -- therefore meaning, for the time that it persists, the purpose of the block chain protocol is not being fulfilled. 

Because a lack of shared consensus is a condition that enables people to double spend, or allows people who have been paid to have those payments undone and be deprived of their money, I characterize this failure as a "security failure." 

This is crystal clear.  Are you trolling, or just stupid?
LiQio
April 03, 2015, 03:58:19 PM
 #144


It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost

In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


Please answer the question: "what if something cannot be mined, how is the price determined?"
(Let's forget about PoS or PoW for the moment)

Unless forced by government like fiat money, price is always decided by supply and demand. If the coin can not be mined, the demand will drop quickly, since the most important character of cryptocurrency is that people can create money by themselves

In fact that's also a concern for bitcoin when most of the coins are mined, by then transaction fee will take over. With a larger block size, I foresee that transaction fee will rise to the same level as block reward in 20 years

I'm sorry, but you are obviously not interested in any kind of discussion that takes us a step further:
Quote
"If the coin can not be mined, the demand will drop quickly, since the most important character of cryptocurrency is that people can create money by themselves".
Why else would you state such things as facts?

And thanks for the supply and demand lecture that's of course a true statement but also another head-shot for our discussion.

johnyj, wish you all the best and hope the box you're living in grows over time.
jonald_fyookball
April 03, 2015, 04:00:34 PM
 #145

A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).

Is it the only reasoning you are able to provide?

To address your point:
Quote
More reorgs = weaker security is correct... for PoW. For PoS you are supposed to provide reasoning that proves your claim.

...it is the only reasoning required.

I'm not sure how much elaboration is possible, as this is a fundamental concept.
Reorgs are the manifestation of the breakdown of distributed consensus
in a blockchain and should be ideally minimized both in frequency and in severity.

Fatov
April 03, 2015, 04:09:21 PM
 #146

Bitcoin won't be switching to a POS system any time soon, too many people love their POW and their miners, especially the ones with millions invested. If you want a POS system just hoard Peercoin.
We must support btc, I don't care about miners.
In fact, I prefer pow but we need a halving soon haha

Come-from-Beyond
April 03, 2015, 04:19:25 PM
 #147

This is crystal clear.  Are you trolling, or just stupid?

I must be stupid because there is a whitepaper that proves the opposite to "more chains = weaker security" and I can't get how adding "more reorgs" in the middle changes things so drastically.
koubiac (OP)
April 03, 2015, 04:22:11 PM
 #148


I'm not particularly familiar with NXT or various implementations, I'm speaking in terms
of general principles.  Based on the whitepaper, there's a complex calculation involving
the UTXOs and the block headers of previous blocks. I still don't see how that prevents
"grinding" or using computational power to build a chain.

If it is difficult to compute, isn't that almost becoming proof of work and everything
that goes along with it?  (If it's difficult to compute for an "average" computer,
wouldn't an ASIC do it easily?)



The issue with discussion about grinding is that as long as you don't go into specifics it's difficult to really make progress!!!
I didn't say it was "difficult" to compute but that grinding was made extremely inefficient.
As an order of magnitude, an attacker with 1 ASIC miner (1TH/S) would need ~33% of the mining coins to perform a 51% attack while an attacker with the entire hash rate of the bitcoin network (~300PH/S) would need ~30%. That's what inefficient means.
The advantage you can get through grinding is highly non-linear.

More generally, it's difficult to answer objections about grinding if the argument specify through which parameter you are trying to grind.


Quote
You seem to be saying that it is not difficult to build a chain of 1 block, but it
is difficult to build a chain of many blocks under this implementation.  
What exactly makes that possible?  I haven't seen any explanation of that assertion,
if that's what is being claimed.

What is difficult (actually probabilistically impossible without a large portion of the coins) is to build a chain that is longer than the main chain at any point.
Let me explain, using a relatively simple example:
Unlike in PoW, building a chain in PoS doesn't take time. You could create a fork and know practically immediately what the trust of your fork will be X days from now.
Let's imagine you've got 10% of the coins. What is the probability that you'll be longer than the main chain after it has built 10 blocks? The answer is ~10^-6

From that, you'd be tempted to conclude that you can try again ("grind") many times and that at some point you'll win, because after all 10^6 attempts is nothing even for a laptop.
However, and that's where specifying what you grind through is important, the only way to "try" more than once is to change the kernel of your 10% of coins mining. The best way to do that is to change the parameters of the kernel inherited from the UTXO by sending all the coins to the fork. That's when the minimum stake age kicks in. It will prevent these stakes from mining for 1.6 days (in NeuCoin's case) so the attacker's fork will basically be "losing" 1.6 days worth of blocks he could've mined had his stakes been allowed to.

This period during which he cannot mine is devastating for his performance. It's similar to starting 1.6 days behind in PoW. With 10% the probability to succeed is null.

Maybe another thing I should point out is that nodes do not accept blocks created with a proof that has a timestamp too far in the future (otherwise forking would obviously be trivial).








Maybe I'm missing something, but it sounds like a self-defeating argument:

"We'll prevent this from turning into proof of work by making it really
hard to compute."
johnyj
April 03, 2015, 04:33:24 PM
 #149


johnyj wish you all the best and hope the box you're living in grows over time.


Sure, nowadays everyone wants to be the stake holder and rule others, but the real world does not work that way, since users are also getting smarter each day. In a free market, you either take huge risk or put huge amount of resources to get some value in return, no shortcut.


koubiac (OP)
April 03, 2015, 04:43:59 PM
 #150

Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).

PoS has been discussed deeply by Bitcoin developers and it might be possible in the future to incorporate an element of PoS but so far I don't think there are any implementations suggested that improve overall security.  Even when I asked Meni R., whose PoW/PoS implementation is on the Bitcoin wiki, he basically said it wasn't going to work.

That's also how I understand it - IMO sad for Bitcoin. Too many smart people start to discover PoS, Bitcoin developers should change direction (again IMO).

PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I don't think we are in agreement actually.

It's not that they believe that PoS can work and
they are ignoring it to keep the status quo.
They just don't believe it can work, and
I can see why (see my previous posts in this thread).




I deeply doubt that given the very limited understanding of PoS that Bitcoin developers have.
The very fact that when asked about PoS in his reddit AMA, Gavin simply provided a link to Andrew Poelstra's paper (Distributed consensus from PoS is impossible) which provides no solid proof whatsoever makes it very hard to believe that they are totally unbiased.
jonald_fyookball
April 03, 2015, 05:07:01 PM
Last edit: April 03, 2015, 05:39:42 PM by jonald_fyookball
 #151

@koubiac,

You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

@come-from-beyond, maybe you are not stupid; there is a
certain cognitive bias that causes us to lend more credibility
to white papers, but if you post the link to the paper
and point out what section it is in, I'll take a look.

Totaldice
April 03, 2015, 09:30:57 PM
 #152

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.
koubiac (OP)
April 04, 2015, 05:44:12 PM
 #153

@koubiac,
You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

Because if he tries again with the same kernel, he will produce exactly the same branch.
I'm not sure if this is clear or not. The hash being deterministic, the only way to try again (i.e. to try to obtain a different outcome) is to change the kernel.
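
A toy model of the rules described in posts #148 and #153 (deterministic kernel, minimum stake age, rejection of far-future timestamps), added here as an illustration; it is not NeuCoin's code or any poster's. The UTXO field names, the double SHA-256 kernel, the 2-hour drift limit and the difficulty constant are assumptions; only the 1.6-day minimum age comes from the thread.

```python
import hashlib
from dataclasses import dataclass, replace

DAY = 86400
MIN_STAKE_AGE = 16 * DAY // 10   # 1.6 days, the NeuCoin figure quoted in the thread
MAX_FUTURE_DRIFT = 2 * 3600      # assumed limit; the thread gives no number
TARGET_PER_COIN = 2**236         # constructed difficulty: 2**20 coins always hit


@dataclass(frozen=True)
class Stake:                     # hypothetical UTXO fields feeding the kernel
    txid: str
    vout: int
    amount: int                  # whole coins
    created_at: int              # unix time the output was created


def kernel_hash(modifier: bytes, stake: Stake, timestamp: int) -> int:
    """Depends only on chain state, the UTXO and the timestamp: no free nonce."""
    fields = (stake.txid, stake.vout, stake.created_at, timestamp)
    data = modifier + "|".join(map(str, fields)).encode()
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def check_kernel(modifier: bytes, stake: Stake, timestamp: int, now: int) -> str:
    """Checks a receiving node applies to a stake proof; returns a verdict."""
    if timestamp > now + MAX_FUTURE_DRIFT:
        return "rejected: timestamp too far in the future"
    if timestamp - stake.created_at < MIN_STAKE_AGE:
        return "rejected: stake younger than minimum age"
    if kernel_hash(modifier, stake, timestamp) >= TARGET_PER_COIN * stake.amount:
        return "rejected: kernel hash above target"
    return "accepted"


def valid_slots(modifier: bytes, stake: Stake, start: int, end: int, now: int) -> list:
    """Timestamps in [start, end) at which this stake may sign a block."""
    return [t for t in range(start, end)
            if check_kernel(modifier, stake, t, now) == "accepted"]


def respend(stake: Stake, when: int) -> Stake:
    """Moving the coins yields a new UTXO (a new kernel) and resets its age."""
    new_txid = hashlib.sha256(f"{stake.txid}:{when}".encode()).hexdigest()
    return replace(stake, txid=new_txid, vout=0, created_at=when)


if __name__ == "__main__":
    modifier = b"constructed-stake-modifier"   # constructed sample chain state
    t0 = 1_428_000_000                         # constructed sample time
    old = Stake("ab" * 32, 0, 1000, t0 - 30 * DAY)
    window = (t0, t0 + DAY)

    first = valid_slots(modifier, old, *window, now=t0 + DAY)
    again = valid_slots(modifier, old, *window, now=t0 + DAY)
    print("same kernel, same slots:", first == again, "count:", len(first))

    moved = respend(old, t0)
    print("slots right after moving the coins:",
          len(valid_slots(modifier, moved, *window, now=t0 + DAY)))
    print("first second the moved stake is eligible:", t0 + MIN_STAKE_AGE)
```

Because the age and timestamp checks run before the hash comparison, a freshly moved output is rejected for the whole minimum-age window no matter what its kernel hash would be.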
koubiac (OP)
April 04, 2015, 06:00:15 PM
 #154

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.

I can't wrap my head around why this idea is so widespread. Maybe a detailed post should be written about it.
What do you mean by "it makes the richest richer"?
People earn coins according to the capital they've invested in the currency (be it in mining hardware or coins). How would you distribute a coin differently?
If anything, PoW is less democratic because people with access to capital enjoy high economies of scale, which by the way is the main reason why small Bitcoin miners have been going out of business.
jonald_fyookball
April 04, 2015, 06:22:26 PM
Last edit: April 04, 2015, 10:28:19 PM by jonald_fyookball
 #155

@koubiac,
You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

Because if he tries again with the same kernel, he will produce exactly the same branch.
I'm not sure if this is clear or not. The hash being deterministic, the only way to try again (i.e. to try to obtain a different outcome) is to change the kernel.

No, you are not clear.

Look, an attacker can build any number
of DIFFERENT "branches" or chains very quickly.

Whether this so-called "kernel" changes
as a result of the various permutations of
transactions and blocks he's put together,
or whether it remains the same because the staking UTXOs
are the same, really doesn't matter.

Why doesn't it matter?

It doesn't matter because if the chain isn't accepted, the attacker
still has his UTXOs and can try again.

So either way, you do not need to change your UTXO set to
try more than once. The only way to force that would be to start having stakeholders
penalizing other stakeholders if they spot a false chain being broadcast, but
that opens a whole new can of worms, issues, and attack vectors.

The bottom line is that if the attack chain isn't accepted, you still
have your stake age, and there's nothing stopping you from trying again.

EDIT: The fact that the "hashes are deterministic" is really saying
nothing at all.  That always is the case.  How could they be random?
(Who would be generating the random numbers and how would they
be verified?)  So yes, you would need to change the attacking
chain to get a different outcome against a different main chain,
but there's nothing stopping you from doing that.

mrcashking
April 04, 2015, 06:37:37 PM
 #156

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.
What do you mean by "it makes the richest richer"?
People earn coins according to the capital they've invested in the currency

There you have it you have basically answered your own question haven't you?

This is the cycle of life though the rich will always get richer whether crypto or in fiat the world has been designed for it to do exactly that.

An oligopoly of corporate miners has taken control of the Bitcoin network - decentralization is gone. << I agree to this and now see it as no different to the private bankers who have the power to print money, it is the same centralized power they both have.

I would like a mix of POW for a long period but that uses HDD like burst or you are able to mine from your computer longer then changes to POS when the chance has been given for a lot of different people to accumulate.
Cryddit
April 04, 2015, 07:38:34 PM
 #157


The bottom line is that if the attack chain isn't accepted, you still
have your stake age, and there's nothing stopping you from trying again.


And that, in a nutshell, is why deciding chain priority by "coin days destroyed" is a basically broken idea.

It gives the attacker the opportunity to generate more priority in the attack chain, simply by spending the double-spent coins at a later point in the attack chain.

lucasjkr
April 04, 2015, 11:22:05 PM
 #158

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.

As opposed to mining farms, which are developed and owned by the destitute?
nachoig
April 04, 2015, 11:22:32 PM
Last edit: April 04, 2015, 11:46:21 PM by nachoig
 #159

Looking to NeuCoin's documentation I found this:



This is a serious concern in a POS coin. Two entities with 2/3 of all coins?

Also, there's a lot of bullshit, like the issue about Bitcoin's popularity (with a graphic comparing active users of Candy Crush with Bitcoin, which clearly shows they don't understand Bitcoin, being experimental, still can't achieve that level of users), ICO instead of IPO, a lot of marketing about micropayments as if this is really a new thing, restrictions about your rights to decide what you can do with your own coins, hemisphere-oriented dates, false claims about the relation between Bitcoin halving rewards and transaction fees, claims you need to have 51% of all coins to do a 51% attack instead of 51% of staking coins,  ...


http://www.neucoin.org/en/wiki/

After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

I like proof of activity the best.  

In POW we are saying whoever can waste the most electricity should get the honor of forming a block, but that doesn't really help the network.

In proof of capacity, we are saying that whoever can waste the most hard drive space should get the honor of forming a block, but again that doesn't really help the network.

In POS, we are saying that whoever directly invested in the network gets the honor to produce the next block.  So in a way a person is in some ways contributing to the network.  Way better than the above two options.

But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  

Proof-of-capacity allows a cheap mining-way without these false claims about "ASIC-resistance".

In proof-of-work or in proof-of-capacity you are a direct investor in the coin too. If you start to abuse with your hash power, the price of the coin will go down, which affects your rewards.

I agree about POA, because it rewards you for running a node. Even if it doesn't give an economic return, contributing to the security of network is very simple and cheap, you can do this even with a Raspberry Pi. Even better, as opposed to POS, it can be used for distribution.

The only merit which I can see in proof-of-stake is for creating a cheaper way of securing the network. But in a very questionable way. In order to mint and profit, you need to have a lot of coins in an unlocked wallet at an online computer. Sounds very good at the security point, doesn't it? Also, it doesn't work as a distribution model and makes the spending of the coin an uninteresting thing.

People also forget why Bitcoin needs to be proof-of-work. If Bitcoin was born as POS-only, it would be dead, because there would be no way to distribute the coins. How would it be possible to buy bitcoins at the beginning, specially from unknown entities?

I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.

The proof is cryptographic. Or not.
koubiac (OP)
April 05, 2015, 05:09:44 PM
 #160

@koubiac,
You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

Because if he tries again with the same kernel, he will produce exactly the same branch.
I'm not sure if this is clear or not. The hash being deterministic, the only way to try again (i.e. to try to obtain a different outcome) is to change the kernel.

No, you are not clear.

Look, an attacker can build any number
of DIFFERENT "branches" or chains very quickly.

Whether this so-called "kernel" changes
as a result of the various permutations of
transactions and blocks he's put together,
or whether it remains the same because the staking UTXOs
are the same, really doesn't matter.

Why doesn't it matter?

It doesn't matter because if the chain isn't accepted, the attacker
still has his UTXOs and can try again



Of course the attacker can try as many times as he wants, I never said the contrary. What I'm saying is that he will never succeed.

Quote

So either way, you do not need to change your UTXO set to
try more than once.

EDIT: The fact that the "hashes are deterministic" is really saying
nothing at all.  That always is the case.  How could they be random?
(Who would be generating the random numbers and how would they
be verified?)  So yes, you would need to change the attacking
chain to get a different outcome against a different main chain,
but there's nothing stopping you from doing that.

I guess we're having a hard time understanding each other!

Let's do it differently: if you want, give me some hypothesis: total UTXOs the attacker owns, what kind of attack he wants to conduct (i.e. how far behind the attacker starts his fork) etc. and I will prove to you mathematically that he will never succeed if he doesn't own a very large portion of the mining coin.
The fact that he can try many times doesn't help him.
Otherwise, maybe you could describe how the attacker tries many times and what he does to get different outcomes cause that's the part that's unclear to me in your explanation.