Raystonn (OP)
April 02, 2015, 06:19:23 PM
Some of Bitcoin's competitors use a Proof of Stake model to attempt to achieve distributed consensus. This paper now definitively proves that distributed consensus is broken in Proof of Stake algorithms. https://download.wpsoftware.net/bitcoin/new-pos.pdf

Quote from: https://download.wpsoftware.net/bitcoin/new-pos.pdf
It is possible, by requiring stake to be bonded for many consecutive blocks, and by choosing signers using randomness extracted by long-past (in blocktime) blocks, to force the attacks described above to rewrite long stretches of history. This is often described as "preventing short-range attacks". It is clear that this does not address the costless simulation issue; after all, if it's easy to change history, it's easy to change long stretches of history. However, proponents argue that since for an honestly-created history, long stretches of blocktime correspond to long stretches of real time, any revision of so much history is sure to contradict the history as remembered by participants in the system. Thus such an attack would be detected, recognized as an attack, and the new history rejected.

If this is implemented correctly, there is no problem with this, except that it changes the trust model from that of Bitcoin. New users who encounter multiple histories are no longer able to distinguish them on their own; they need to ask existing participants in the network (which may include friends and family, large corporate entities with reputations to maintain, public websites, etc.) which history they know to be the true one. This is not a distributed consensus! It is a different sort of consensus, which may be formed amongst always-online peers in a decentralized way, but depends on trust for new users and temporarily offline ones. It is correspondingly vulnerable to legal pressure, attacks on "trusted" entities, and network attacks.

I don't recommend anyone trust their funds to any network using Proof of Stake. Actual methods of attack are published in this paper. It's just a matter of time.
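The "remembered history" defence the quoted paper describes, and the trust-model change that comes with it, can be shown with a small model. The following is an added toy example written for this thread; it is not code from the paper, from Bitcoin, or from any Proof of Stake implementation. It assumes two equally long histories that both pass the protocol's own validity rules (so validity is deliberately not checked), a `Node` that remembers block ids at the heights it saw while online, and constructed block ids made from a hash of height, parent and payload.

```python
"""Toy model of the 'remembered history' check against long-range rewrites.
Constructed example for this thread; not code from the cited paper or from
any Proof of Stake implementation.  Validity checks are omitted on purpose:
in the scenario discussed, both histories pass the protocol's own rules."""
from dataclasses import dataclass, field
import hashlib


def block_id(height: int, parent: str, payload: str) -> str:
    # Constructed block identifier: hash of height, parent id and payload.
    return hashlib.sha256(f"{height}|{parent}|{payload}".encode()).hexdigest()[:16]


def build_chain(length: int, payload: str, fork_from=None, fork_height=0):
    """Build a list of block ids.  With fork_from, share its blocks below
    fork_height and then diverge, i.e. rewrite everything from that point."""
    chain, parent = [], "genesis"
    for h in range(length):
        if fork_from is not None and h < fork_height:
            bid = fork_from[h]
        else:
            bid = block_id(h, parent, payload)
        chain.append(bid)
        parent = bid
    return chain


@dataclass
class Node:
    # height -> block id this node saw while it was online (its memory)
    remembered: dict = field(default_factory=dict)

    def observe(self, chain, heights):
        for h in heights:
            self.remembered[h] = chain[h]

    def classify(self, candidate) -> str:
        """'undecidable' for a node with no memory (fresh or long offline),
        'rewrites-history' if the candidate contradicts a remembered block,
        'consistent' otherwise."""
        if not self.remembered:
            return "undecidable"
        for h, bid in self.remembered.items():
            if h >= len(candidate) or candidate[h] != bid:
                return "rewrites-history"
        return "consistent"

    def choose(self, candidates):
        """Return the single candidate consistent with memory, or None when
        memory alone cannot separate them (out-of-band trust is then needed)."""
        ok = [c for c in candidates if self.classify(c) == "consistent"]
        return ok[0] if len(ok) == 1 else None


def demo():
    honest = build_chain(1000, "honest")
    # A competing history that rewrites everything after height 10 and is
    # exactly as long as the honest one.
    rewrite = build_chain(1000, "rewrite", fork_from=honest, fork_height=10)

    online = Node()                       # was online, remembers recent blocks
    online.observe(honest, [500, 900])
    fresh = Node()                        # new user, remembers nothing
    stale = Node()                        # went offline before the fork point
    stale.observe(honest, [5])
    return {
        "online": online.choose([honest, rewrite]) is honest,
        "fresh": fresh.choose([honest, rewrite]),
        "stale": stale.choose([honest, rewrite]),
    }


if __name__ == "__main__":
    print(demo())  # {'online': True, 'fresh': None, 'stale': None}
```

The always-online node rejects the rewrite because it contradicts blocks it remembers; the new user and the node that went offline before the fork point get `None` from `choose`, which is exactly the case where they have to ask someone else which history is real.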
SmoothCurves
April 02, 2015, 06:53:40 PM
POW > POS is one of those things that I instinctively felt was right.
ssmc2
Legendary
Offline
Activity: 2002
Merit: 1040
April 02, 2015, 07:26:19 PM
I prefer proof of steak.
Raystonn (OP)
April 02, 2015, 07:31:49 PM
So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action? Nothing in your link from January counters this paper released days ago.
HeliKopterBen
April 02, 2015, 08:07:28 PM
Quote from: Raystonn
So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action? Nothing in your link from January counters this paper released days ago.

Ok. Go ahead and break it. You have nothing at stake and nothing to lose. Don't talk about it. Do it... and if you don't, then you yourself have proven that it can't be done.
Counterfeit: made in imitation of something else with intent to deceive: merriam-webster
Raystonn (OP)
April 02, 2015, 08:15:01 PM
Quote from: Raystonn
So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action? Nothing in your link from January counters this paper released days ago.
Quote from: HeliKopterBen
Ok. Go ahead and break it. You have nothing at stake and nothing to lose. Don't talk about it. Do it... and if you don't, then you yourself have proven that it can't be done.

So if I personally lack the ability to implement the described attacks (and I'm not going to volunteer whether or not this is true), or I refuse to perform the attacks on moral grounds, then the attacks cannot be done by others? Your faith in my skills is appreciated, but the latter can be seen as an invalid argument. The attacks are certainly still possible by others regardless of my own moral objections.
HeliKopterBen
April 02, 2015, 08:42:48 PM
Quote from: Raystonn
So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action? Nothing in your link from January counters this paper released days ago.
Quote from: HeliKopterBen
Ok. Go ahead and break it. You have nothing at stake and nothing to lose. Don't talk about it. Do it... and if you don't, then you yourself have proven that it can't be done.
Quote from: Raystonn
So if I personally lack the ability to implement the described attacks (and I'm not going to volunteer whether or not this is true), or I refuse to perform the attacks on moral grounds, then the attacks cannot be done by others? Your faith in my skills is appreciated, but the latter can be seen as an invalid argument. The attacks are certainly still possible by others regardless of my own moral objections.

I'm still waiting for you or someone to break it to prove it can be done. Morally, someone should go ahead and break it to save the POS guys before they dump more time and money into it. The same can be said for POW and mining centralization. If it can be broken, then someone needs to go ahead and break it to save us all a lot of trouble. So far, I have seen a bunch of theoretical attacks (all costly) against both POW and POS (and DPOS) and I have yet to see a successful attack on a major scale, at least at current rates of adoption. The real test will come at higher rates of adoption when the stakes are much higher and attackers have a much larger incentive to try to break the system. Both POW and POS will have to prove their resiliency with another order of magnitude or higher increase in the rate of adoption, and I believe both systems will prove resilient.
Peter R
Legendary
Offline
Activity: 1162
Merit: 1007
April 02, 2015, 10:20:55 PM Last edit: April 02, 2015, 11:10:33 PM by Peter R
Quote from: HeliKopterBen
I'm still waiting for you or someone to break it to prove it can be done….

It's already been broken. From https://download.wpsoftware.net/bitcoin/alts.pdf, page 15:

Quote
Failures. It is not well-advertised, but in fact there has never been an example of a cryptocurrency achieving distributed consensus by proof-of-stake. The prototypical proof-of-stake currency, Peercoin, depends on developer signatures to determine block validity: that is, its consensus is not distributed. The same fate has befallen other nominally-PoS currencies such as Blackcoin. In its initial incarnation, NXT was susceptible to a trivial stake-grinding attack (to be described below) and could not achieve any consensus. Since becoming closed-source while spamming technically-illiterate claims at popular conferences, it has fallen out of scope of this document. In fact, Peercoin was originally intended to drop the developer signatures once stake had been distributed. They attempted this once and were immediately attacked by stake-grinding. They quietly removed their text showing intention to drop developer signatures and added a small PoW to make stake-grinding less trivial. Finally, it should be mentioned that developer-signed blocks are known in the PoS community as checkpoints. This is a very misleading name because it is already used to describe an anti-denial-of-service measure of Bitcoin's peer-to-peer network; Bitcoin's checkpoints have nothing whatsoever to do with consensus. Therefore claims by PoS advocates that "Bitcoin has checkpoints too" are simply false. Without developer-signed blocks, Peercoin is easily attacked; with developer-signed blocks, Peercoin is not decentralized.

PoS proponents may next argue that by layering some complexity on top of the basic PoS structure, that they've solved this problem too. Yet they can never seem to rigorously analyze the security of the resulting system. For example, the Satoshi white paper convincingly shows that "Bitcoin is secure provided at least 51% of the hashing power is honest."

What is the analogous statement for PoS or DPoS? Can that statement be proved?
HeliKopterBen
April 02, 2015, 11:45:05 PM
Quote from: Peter R
Without developer-signed blocks, Peercoin is easily attacked; with developer-signed blocks, Peercoin is not decentralized.
PoS proponents may next argue that by layering some complexity on top of the basic PoS structure, that they've solved this problem too. Yet they can never seem to rigorously analyze the security of the resulting system.

I was mostly referring to bitshares and DPOS. Quoting Larimer: In the case of BitShares, every 101 blocks (17 minutes) represents a rolling checkpoint that has been approved by all delegates. There is never any reason to consider alternative chains more than 17 minutes old. In fact, the client is unable to resolve forks longer than about 4 hours without manual intervention. Delegates are voted in by majority stake. Some delegates are developers but being a developer is not required to run a delegate node, only gaining enough votes by stakeholders is required. Once every delegate has signed a block, then that block becomes a checkpoint.

Quote from: Peter R
For example, the Satoshi white paper convincingly shows that "Bitcoin is secure provided at least 51% of the hashing power is honest." What is the analogous statement for PoS or DPoS? Can that statement be proved?

Bitshares is secure provided 51% of stake is honest.
BitcoinNewbie15
Sr. Member
Offline
Activity: 574
Merit: 296
Bitcoin isn't a bubble. It's the pin!
April 03, 2015, 12:14:02 AM
Quote from: ssmc2
I prefer proof of steak.

yum, that looks great!
Peter R
Legendary
Offline
Activity: 1162
Merit: 1007
April 03, 2015, 12:14:27 AM
Quote from: HeliKopterBen
Bitshares is secure provided 51% of stake is honest.

But what exactly do you mean by "stake"? For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete. With PoW, it's very easy to define what we mean by "work," because work relates to a physical quantity.
HeliKopterBen
April 03, 2015, 02:27:57 AM
Quote from: Peter R
But what exactly do you mean by "stake"? For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.

Any stake older than 101 blocks before the current block is irrelevant in bitshares, just as any work performed prior to 6 blocks before the current block is irrelevant in bitcoin, as a general guideline.

Quote from: Peter R
With PoW, it's very easy to define what we mean by "work," because work relates to a physical quantity.

Work is defined by hash rate. Stake is defined by number of units of the native currency. Both are quantifiable.
Raystonn (OP)
April 03, 2015, 02:50:38 AM
Quote from: Peter R
But what exactly do you mean by "stake"? For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.
Quote from: HeliKopterBen
Any stake older than 101 blocks before the current block is irrelevant in bitshares, just as any work performed prior to 6 blocks before the current block is irrelevant in bitcoin, as a general guideline. With PoW, it's very easy to define what we mean by "work," because work relates to a physical quantity. Work is defined by hash rate. Stake is defined by number of units of the native currency. Both are quantifiable.

Number of units of native currency you have when, exactly? You could gather a large stake, spend your coins, then go back to when you had the large stake and work from there again.
Raystonn (OP)
April 03, 2015, 03:03:39 AM
See, this is one of the big problems with Proof of Stake. There will forever be a block that shows a large stakeholder as having that huge stake. If you go for checkpoints, not only do you likely lose your decentralization, but now you are saying every block after the last checkpoint cannot be trusted. You are in effect saying we need to wait for a block to be incorporated into a checkpoint to be confirmed. This means a) true confirmations take a very long time, and b) this network isn't very decentralized.
There is no way to go back in time in a Proof of Work network and reclaim the hashrate you had to confirm a new block. All Proof (Work, i.e. hashrate) must be made new as it is based in the real world, and not on something in the blockchain.
Peter R
Legendary
Offline
Activity: 1162
Merit: 1007
April 03, 2015, 03:08:52 AM Last edit: April 03, 2015, 05:35:39 AM by Peter R
Quote from: Peter R
But what exactly do you mean by "stake"? For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.
Quote from: HeliKopterBen
Any stake older than 101 blocks before the current block is irrelevant in bitshares, just as any work performed prior to 6 blocks before the current block is irrelevant in bitcoin, as a general guideline.

When I asked you to define exactly what you mean by "stake," the definition you gave included a new term: "the current block." But how do you come to consensus on what is the "current block"? Since producing PoS blocks is not costly like PoW, if I control 51% of the stake in the genesis block, I can create a new transaction history just as long/complex as yours, with a new--and different--current block. So again, the statement "Bitshares is secure provided 51% of stake is honest" is incomplete because you haven't defined what stake you're talking about. Note that in PoW it's easy to define the current block: it's the block at the tip of the valid chain with the greatest cumulative work. Andrew's done a good job explaining these subtle issues in the paper cited by Raystonn in the OP.
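The contrast drawn in this exchange, a PoW tip defined by greatest cumulative work versus a stake-based history that a former majority holder can regenerate from genesis at no cost, can be made concrete with a small model. The following is an added example written for this thread; it is not code from Bitcoin, BitShares or any other client. It assumes a toy header hashed with SHA-256 against a target, a naive PoS rule in which a block is valid when its producer holds a majority of stake according to the chain's own ledger, and made-up participant names, targets and stake amounts.

```python
"""Toy fork choice: PoW 'greatest cumulative work' versus naive PoS
'longest valid chain'.  Constructed example for this thread, not code from
Bitcoin, BitShares or any other client; names, targets and stake amounts
are made up."""
import hashlib
from dataclasses import dataclass

MAX_HASH = 2 ** 256


@dataclass(frozen=True)
class Header:
    height: int
    parent: str
    nonce: int
    target: int  # hash must be below this value

    def hash(self) -> int:
        data = f"{self.height}|{self.parent}|{self.nonce}|{self.target}".encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big")


def mine_chain(length: int, target: int):
    """Brute-force nonces for `length` blocks; returns (chain, attempts).
    The attempts are the real-world cost the PoW rule ultimately measures."""
    chain, parent, attempts = [], "genesis", 0
    for height in range(length):
        nonce = 0
        while Header(height, parent, nonce, target).hash() >= target:
            nonce += 1
        h = Header(height, parent, nonce, target)
        chain.append(h)
        parent, attempts = f"{h.hash():064x}", attempts + nonce + 1
    return chain, attempts


def valid_pow_chain(chain) -> bool:
    prev = "genesis"
    for i, h in enumerate(chain):
        if h.height != i or h.parent != prev or h.hash() >= h.target:
            return False
        prev = f"{h.hash():064x}"
    return True


def cumulative_work(chain) -> int:
    # Expected hashes per block is MAX_HASH / (target + 1), as in Bitcoin's chainwork.
    return sum(MAX_HASH // (h.target + 1) for h in chain)


def pow_best(chains):
    """Bitcoin's rule: among valid chains, the one with the most cumulative
    work wins, even when another valid chain has more blocks."""
    return max((c for c in chains if valid_pow_chain(c)), key=cumulative_work)


# Naive PoS: a block is valid if its producer holds a majority of stake
# according to the chain's *own* ledger at that height.  No external cost.

def pos_block(height, parent, producer, transfers=()):
    transfers = list(transfers)
    data = f"{height}|{parent}|{producer}|{transfers}".encode()
    return {"height": height, "parent": parent, "producer": producer,
            "transfers": transfers, "id": hashlib.sha256(data).hexdigest()}


def valid_pos_chain(chain, genesis_stake) -> bool:
    stake, prev = dict(genesis_stake), "genesis"
    for i, b in enumerate(chain):
        if b["height"] != i or b["parent"] != prev:
            return False
        if 2 * stake.get(b["producer"], 0) <= sum(stake.values()):
            return False  # producer lacks majority stake at this point
        for src, dst, amt in b["transfers"]:
            if stake.get(src, 0) < amt:
                return False
            stake[src] -= amt
            stake[dst] = stake.get(dst, 0) + amt
        prev = b["id"]
    return True


def pos_best(chains, genesis_stake):
    """Length-based choice: the unique longest valid chain, or None when
    several valid chains tie and the rule cannot separate them."""
    valid = [c for c in chains if valid_pos_chain(c, genesis_stake)]
    longest = max(len(c) for c in valid)
    winners = [c for c in valid if len(c) == longest]
    return winners[0] if len(winners) == 1 else None


def demo():
    # PoW: three hard blocks beat six easy ones because they embody more work.
    chain_a, _ = mine_chain(3, MAX_HASH >> 12)   # ~4096 hashes per block
    chain_b, _ = mine_chain(6, MAX_HASH >> 4)    # ~16 hashes per block
    # PoS: 'attacker' held 51 of 100 units at genesis and sold 30 in block 0
    # of the honest history, after which 'honest' produces the blocks.  The
    # competing history from the same genesis simply never records the sale,
    # so 'attacker' still qualifies for every block.  Both validate, and the
    # longest-chain rule cannot tell them apart.
    genesis = {"attacker": 51, "honest": 49}
    honest = [pos_block(0, "genesis", "attacker", [("attacker", "honest", 30)])]
    rewrite = [pos_block(0, "genesis", "attacker")]
    for h in range(1, 4):
        honest.append(pos_block(h, honest[-1]["id"], "honest"))
        rewrite.append(pos_block(h, rewrite[-1]["id"], "attacker"))
    return {"pow_picks_shorter_heavier": pow_best([chain_a, chain_b]) is chain_a,
            "pos_both_valid": valid_pos_chain(honest, genesis)
                              and valid_pos_chain(rewrite, genesis),
            "pos_choice": pos_best([honest, rewrite], genesis)}
```

`demo()` returns `pow_picks_shorter_heavier` as `True` because the three-block chain carries about 12,000 expected hashes against roughly 90 for the six-block one, while `pos_choice` comes back `None`: both stake-based histories satisfy the ledger-internal rule and are the same length, so nothing inside the chain itself says which "current block" is real.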
ensurance982
April 03, 2015, 07:48:59 PM
Yeah, I keep on hearing about people claiming that PoS isn't working, but they often can't seem to give a clear explanation of why it actually isn't... I think PoW is the best way to really make things most equal for everyone involved!