Bitcoin's Proof of Work Validated and Vindicated

[Raystonn]

Some of Bitcoin's competitors use a Proof of Stake model to attempt to achieve distributed consensus.  This paper now definitively proves that distributed consensus is broken in Proof of Stake algorithms.
https://download.wpsoftware.net/bitcoin/new-pos.pdf

It is possible, by requiring stake to be bonded for many consecutive blocks, and by choosing signers
using randomness extracted by long-past (in blocktime) blocks, to force the attacks described above
to rewrite long stretches of history. This is often described as “preventing short-range attacks”.
It is clear that this does not address the costless simulation issue; after all, if it’s easy to change
history, it’s easy to change long stretches of history. However, proponents argue that since for
an honestly-created history, long stretches of blocktime correspond to long stretches of real time,
any revision of so much history is sure to contradict the history as remembered by participants in
the system. Thus such an attack would be detected, recognized as an attack, and the new history
rejected.

If this is implemented correctly, there is no problem with this, except that it changes the trust
model from that of Bitcoin. New users who encounter multiple histories are no longer able to
distinguish them on their own; they need to ask existing participants in the network (which may
include friends and family, large corporate entities with reputations to maintain, public websites,
etc.) which history they know to be the true one. This is not a distributed consensus! It is a different
sort of consensus, which may be formed amongst always-online peers in a decentralized way, but
depends on trust for new users and temporarily offline ones. It is correspondingly vulnurable to
legal pressure, attacks on “trusted” entities, and network attacks.

I don't recommend anyone trust their funds to any network using Proof of Stake.  Actual methods of attack are published in this paper.  It's just a matter of time.

[1714194331]

1714194331

[1714194331]

1714194331

[1714194331]

1714194331

[SmoothCurves]

POW > POS is one of those things that I instinctively felt was right.

[ssmc2]

I prefer proof of steak.

[HeliKopterBen]

And the counter argument:

http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/?r=bytemaster

Until POS or DPOS is completely broken these issues are just theoretical and I don't think POS (or DPOS) or POW can be broken... at least no one has proven it yet. 

[Raystonn]

And the counter argument:

http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/?r=bytemaster

Until POS or DPOS is completely broken these issues are just theoretical and I don't think POS (or DPOS) or POW can be broken... at least no one has proven it yet. 

So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action?
Nothing in your link from January counters this paper released days ago.

[HeliKopterBen]

And the counter argument:

http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/?r=bytemaster

Until POS or DPOS is completely broken these issues are just theoretical and I don't think POS (or DPOS) or POW can be broken... at least no one has proven it yet. 

So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action?
Nothing in your link from January counters this paper released days ago.

Ok.  Go ahead and break it.  You have nothing at stake and nothing to loose.  Don't talk about it.  Do it... and if you dont, then you yourself have proven that it can't be done.

[Raystonn]

And the counter argument:

http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/?r=bytemaster

Until POS or DPOS is completely broken these issues are just theoretical and I don't think POS (or DPOS) or POW can be broken... at least no one has proven it yet. 

So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action?
Nothing in your link from January counters this paper released days ago.

Ok.  Go ahead and break it.  You have nothing at stake and nothing to loose.  Don't talk about it.  Do it... and if you dont, then you yourself have proven that it can't be done.

So if I personally lack the ability to implement the described attacks (and I'm not going to volunteer whether or not this is true), or I refuse to perform the attacks on moral grounds, then the attacks cannot be done by others?
Your faith in my skills is appreciated, but the latter can be seen as an invalid argument.  The attacks are certainly still possible by others regardless of my own moral objections.

[HeliKopterBen]

And the counter argument:

http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/?r=bytemaster

Until POS or DPOS is completely broken these issues are just theoretical and I don't think POS (or DPOS) or POW can be broken... at least no one has proven it yet. 

So your counter argument is you prefer to wait until someone has actually implemented the described attacks before taking action?
Nothing in your link from January counters this paper released days ago.

Ok.  Go ahead and break it.  You have nothing at stake and nothing to loose.  Don't talk about it.  Do it... and if you dont, then you yourself have proven that it can't be done.

So if I personally lack the ability to implement the described attacks (and I'm not going to volunteer whether or not this is true), or I refuse to perform the attacks on moral grounds, then the attacks cannot be done by others?
Your faith in my skills is appreciated, but the latter can be seen as an invalid argument.  The attacks are certainly still possible by others regardless of my own moral objections.

Im still waiting for you or someone to break it to prove it can be done.  Morally, someone should go ahead and break it to save the POS guys before they dump more time and money into it.  The same can be said for POW and mining centralization.  If it can be broken, then someone needs to go ahead and break it to save us all a lot of trouble.  So far, I have seen a bunch theoretical attacks (all costly) against both POW and POS (and DPOS) and I have yet to see a successful attack on a major scale, at least at current rates of adoption.  The real test will come at higher rates of adoption when the stakes are much higher and attackers have a much larger incentive to try to break the system.  Both POW and POS will have to prove their resiliency with another order of magnitude or higher increase in the rate of adoption, and I believe both systems will prove resilient.

[Peter R]

Im still waiting for you or someone to break it to prove it can be done….

It's already been broken:

From https://download.wpsoftware.net/bitcoin/alts.pdf , page 15

Failures. It is not well-advertised, but in fact there has never been an example of a cryptocurrency achieving distributed consensus by proof-of-stake. The prototypical proof-of-stake currency, Peercoin, depends on developer signatures to determine block validity: that is, its consensus is not distributed. The same fate has befallen other nominally-PoS currencies such as Blackcoin. In its initial incarnation, NXT was susceptible to a trivial stake-grinding attack (to be described below) and could not achieve any consensus. Since becoming closed-source17 while spamming technically- illiterate claims at popular conferences, it has fallen out of scope of this document.

In fact, Peercoin was originally intended to drop the developer signatures once stake had been distributed. They attempted this once and were immediately attacked by stake-grinding. They quietly removed their text showing intention to drop developer signatures and added a small PoW to make stake-grinding less trivial.

Finally, it should be mentioned that developer-signed blocks are known in the PoS community as checkpoints. This is a very misleading name because it is already used to describe an anti-denial-of-service measure of Bitcoin’s peer-to-peer network; Bitcoin’s checkpoints have nothing whatsoever to do with consensus. Therefore claims by PoS advocates that “Bitcoin has checkpoints too” are simply false.

Without developer-signed blocks, Peercoin is easily attacked; with developer-signed blocks, Peercoin is not decentralized.  

PoS proponents may next argue that by layering some complexity on top of the basic PoS structure, that they've solved this problem too.  Yet they can never seem to rigorously analyze the security of the resulting system.  For example, the Satoshi white paper convincingly shows that "Bitcoin is secure provided at least 51% of the hashing power is honest." What is the analogous statement for PoS or DPoS?  Can that statement be proved?

[HeliKopterBen]

Without developer-signed blocks, Peercoin is easily attacked; with developer-signed blocks, Peercoin is not decentralized.  

PoS proponents may next argue that by layering some complexity on top of the basic PoS structure, that they've solved this problem too.  Yet they can never seem to rigorously analyze the security of the resulting system.  

I was mostly referring to bitshares and DPOS. 

Quoting Larimer:

In the case of BitShares, every 101 blocks (17 minutes) represents a rolling checkpoint that has been approved by all delegates. There is never any reason to consider alternative chains more than 17 minutes old. In fact, the client is unable to resolve forks longer than about 4 hours without manual intervention.

Delegates are voted in by majority stake.  Some delegates are developers but being a developer is not required to run a delegate node, only gaining enough votes by stakeholders is required.  Once every delegate has signed a block, then that block becomes a checkpoint.

For example, the Satoshi white paper convincingly shows that "Bitcoin is secure provided at least 51% of the hashing power is honest." What is the analogous statement for PoS or DPoS?  Can that statement be proved?

Bitshares is secure provided 51% of stake is honest.

[BitcoinNewbie15]

I prefer proof of steak.

yum, that looks great!

[Peter R]

Bitshares is secure provided 51% of stake is honest.

But what exactly do you mean by "stake"?  For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.  

With PoW, it's very easy to define what we mean by "work," because work relates to a physical quantity.  

[HeliKopterBen]

But what exactly do you mean by "stake"?  For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.  

Any stake older than 101 blocks before the current block is irrelevant in bitshares, just as any work performed prior to 6 blocks before the current block is irrelevant in bitcoin, as a general guideline.

With PoW, it's very easy to define what we mean by "work," because work relates to a physical quantity.  

Work is defined by hash rate.  Stake is defined by number of units of the native currency.  Both are quantifiable.

[Raystonn]

But what exactly do you mean by "stake"?  For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.  

Any stake older than 101 blocks before the current block is irrelevant in bitshares, just as any work performed prior to 6 blocks before the current block is irrelevant in bitcoin, as a general guideline.

With PoW, it's very easy to define what we mean by "work," because work relates to a physical quantity.  

Work is defined by hash rate.  Stake is defined by number of units of the native currency.  Both are quantifiable.

Number of units of native currency you have when, exactly?  You could gather a large stake, spend your coins, then go back to when you had the large stake and work from there again.

[Raystonn]

See, this is one of the big problems with Proof of Stake.  There will forever be a block that shows a large stakeholder as having that huge stake.  If you go for checkpoints, not only do you likely lose your decentralization, but now you are saying every block after the last checkpoint cannot be trusted.  You are in effect saying we need to wait for a block to be incorporated into a checkpoint to be confirmed.  This means a) true confirmations take a very long time, and b) this network isn't very decentralized.

There is no way to go back in time in a Proof of Work network and reclaim the hashrate you had to confirm a new block.  All Proof (Work, i.e. hashrate) must be made new as it is based in the real world, and not on something in the blockchain.

[Peter R]

But what exactly do you mean by "stake"?  For example, if I controlled 51% of the stake in the genesis block, could I take over the network? If the answer is no, then the statement "Bitshares is secure provided 51% of stake is honest" is incomplete.  

Any stake older than 101 blocks before the current block is irrelevant in bitshares, just as any work performed prior to 6 blocks before the current block is irrelevant in bitcoin, as a general guideline.

When I asked you to define exactly what you mean by "stake," the definition you gave included a new term: "the current block."  

But how do you come to consensus on what is the "current block"?  Since producing PoS blocks is not costly like PoW, if I control 51% of the stake in the genesis block, I can create a new transaction history just as long/complex as yours, with a new--and different--current block.  So again, the statement "Bitshares is secure provided 51% of stake is honest" is incomplete because you haven't defined what stake you're talking about.  Note that in PoW it's easy to define the current block: it's the block at the tip of the valid chain with the greatest cumulative work.  

Andrew's done a good job explaining these subtle issues in the paper cited by Raystonn in the OP.

[ensurance982]

Yeah I keep on hearing about people claiming that PoS isn't working but they often can't seem to give a clear explanation on why it actually isn't... I think PoW is the best way to really makes things most equal for everyone involved!