Author Topic: a Modern Reification of Proof-of-Stake which is Secure, Fair and Decentralized  (Read 747 times)
rexzhao (OP)
Newbie
Activity: 13
Merit: 0
June 15, 2015, 04:30:21 PM
Last edit: June 16, 2015, 03:54:43 AM by rexzhao
 #1

Greetings!

In the past 18 months, we've been struggling to design a pure PoS algorithm which is truly secure and fully decentralized.

Many of you may know that most PoS algorithms out there are not secure, or not fully decentralized. It's really not an easy task to fulfill these two requirements at the same time.

But we found a beautiful solution at last. We wrote a white paper about the algorithm, and we also made it into a new coin.

We deeply believe that PoS is a very good direction, and we hope there will be more people knowing about our algorithm (LF-PoS), and more discussions about it.

This thread can be used for algorithm discussion. We'll be on the forum every two days or so.

Thank you very much for your time!

========================================

About security:
Please have a look at the "Infeasibility of Private-Chain Attack" section of our white paper; there's a discussion of why PoS must NOT compare with infinitely long branches. There are a lot more things to talk about regarding security; we'll update this post later.

About decentralization:
  • PeerCoin has a centralized checkpoint broadcasting mechanism (ref);
  • Nxt has a hard coded chain switch limitation (720, ref) to prevent private chain attack, which sacrifices decentralization. Here's a great article that talks about this matter (section 4.3, “Long-Range” versus “Short-Range” Attacks).
box0214
Sr. Member
Activity: 350
Merit: 251
June 15, 2015, 06:33:57 PM
 #2

doesn't NXT have a POS algo that already works? why not fork nxt to adopt everything they have in their system and modify it with your algo?

i feel every coin is trying to do similar things while we see that the one major coin has much of these "wants" tackled. why waste time making your own from scratch when you can just fork nxt and you'll have almost everything u wanted and call it your own coin. then maybe focus on working on more innovative stuff than reinventing the wheel. my 2 cents.
Ix
Full Member
Activity: 218
Merit: 128
June 15, 2015, 07:02:45 PM
 #3

Quote from: box0214
i feel every coin is trying to do similar things while we see that the one major coin has much of these "wants" tackled. why waste time making your own from scratch when you can just fork nxt and you'll have almost everything u wanted and call it your own coin. then maybe focus on working on more innovative stuff than reinventing the wheel. my 2 cents.

Maybe we're actually just at the "controlling fire" stage, and the wheel inventor hasn't even been born yet? Looks to me like the LibreFortune team has enough new ideas that any existing protocol would be constraining.
box0214
Sr. Member
Activity: 350
Merit: 251
June 15, 2015, 08:39:50 PM
 #4

Quote from: box0214
i feel every coin is trying to do similar things while we see that the one major coin has much of these "wants" tackled. why waste time making your own from scratch when you can just fork nxt and you'll have almost everything u wanted and call it your own coin. then maybe focus on working on more innovative stuff than reinventing the wheel. my 2 cents.

Quote from: Ix
Maybe we're actually just at the "controlling fire" stage, and the wheel inventor hasn't even been born yet? Looks to me like the LibreFortune team has enough new ideas that any existing protocol would be constraining.

not sure what u mean "controlling fire". care to elaborate?
TaunSew
Hero Member
Activity: 756
Merit: 506
June 15, 2015, 09:41:26 PM
 #5

Instead of contributing to an existing project, which fits those requirements, OP would rather just create some new coin and give himself a hefty 50% premine - we see this like almost every day on Bitcointalk.


BTW the white paper does not go into any detail why this thing would be more decentralized than other PoS algos.  All I am seeing is a vague proposition for a new style of distribution but that does not mean it would be more decentralized than prominent PoS and PoS variant projects.



There ain't no Revolution like a NEMolution.  The only solution is Bitcoin's dissolution! NEM!
rexzhao (OP)
Newbie
Activity: 13
Merit: 0
June 16, 2015, 02:52:17 AM
 #6

Quote from: box0214
doesn't NXT have a POS algo that already works? why not fork nxt to adopt everything they have in their system and modify it with your algo?

i feel every coin is trying to do similar things while we see that the one major coin has much of these "wants" tackled. why waste time making your own from scratch when you can just fork nxt and you'll have almost everything u wanted and call it your own coin. then maybe focus on working on more innovative stuff than reinventing the wheel. my 2 cents.

Guess we'll have to write some more to compare with existing PoS algorithms. But for now, please have a look at the "Infeasibility of Private-Chain Attack" section of our white paper; there's a discussion of why PoS must NOT compare with infinitely long branches.

About decentralization:
PeerCoin has a centralized checkpoint broadcasting mechanism (ref);
Nxt has a hard coded chain switch limitation (720, ref) to prevent private chain attack, which sacrifices decentralization. Here's a great article about this matter (section 4.3, “Long-Range” versus “Short-Range” Attacks).
rexzhao (OP)
Newbie
Activity: 13
Merit: 0
June 16, 2015, 03:06:16 AM
 #7

Quote from: TaunSew
Instead of contributing to an existing project, which fits those requirements, OP would rather just create some new coin and give himself a hefty 50% premine - we see this like almost every day on Bitcointalk.

BTW the white paper does not go into any detail why this thing would be more decentralized than other PoS algos.  All I am seeing is a vague proposition for a new style of distribution but that does not mean it would be more decentralized than prominent PoS and PoS variant projects.


Because the change is too fundamental. Btw, I have updated the post to reflect your discussions.
tss
Hero Member
Activity: 742
Merit: 500
June 16, 2015, 06:05:15 AM
 #8

Quote from: TaunSew
Instead of contributing to an existing project, which fits those requirements, OP would rather just create some new coin and give himself a hefty 50% premine - we see this like almost every day on Bitcointalk.

BTW the white paper does not go into any detail why this thing would be more decentralized than other PoS algos.  All I am seeing is a vague proposition for a new style of distribution but that does not mean it would be more decentralized than prominent PoS and PoS variant projects.

why contribute to an existing project where you already dumped all of the pre/ninja mine?  there's no money in that.  NEW NEW NEW.  this coin is going to be the bitcoin killer.  get my drift?
patmast3r
Hero Member
Activity: 980
Merit: 1001
June 16, 2015, 09:30:51 AM
 #9

Care to explain how a hard coded rewrite limit (you stated 720 for NXT) sacrifices decentralization? What has one to do with the other?

I'm assuming you're referring to this

Quote
New users who encounter multiple histories are no longer able to distinguish them on their own; they need to ask existing participants in the network (which may include friends and family, large corporate entities with reputations to maintain, public websites, etc.) which history they know to be the true one. This is not a distributed consensus! It is a different sort of consensus, which may be formed amongst always-online peers in a decentralized way, but depends on trust for new users and temporarily offline ones. It is correspondingly vulnerable to legal pressure, attacks on “trusted” entities, and network attacks.

?

This makes no sense to me. I'm no expert but if having to trust existing peers is a bad thing then where are new peers supposed to get the chain from if not from existing peers?
Also I'm not even sure the assumption behind this criticism is accurate. I believe there are ways for nodes to calculate which chain is "better" (in BTC it's simply the longer chain afaik). There are score systems for that in place. I believe both NXT and NEM have something like that so every peer can determine on its own which "history" is better.

rexzhao (OP)
Newbie
Activity: 13
Merit: 0
June 16, 2015, 03:42:59 PM
Last edit: June 16, 2015, 04:03:11 PM by rexzhao
 #10

Quote from: patmast3r
Care to explain how a hard coded rewrite limit (you stated 720 for NXT) sacrifices decentralization? What has one to do with the other?

I'm assuming you're referring to this

Quote
New users who encounter multiple histories are no longer able to distinguish them on their own; they need to ask existing participants in the network (which may include friends and family, large corporate entities with reputations to maintain, public websites, etc.) which history they know to be the true one. This is not a distributed consensus! It is a different sort of consensus, which may be formed amongst always-online peers in a decentralized way, but depends on trust for new users and temporarily offline ones. It is correspondingly vulnerable to legal pressure, attacks on “trusted” entities, and network attacks.

?

This makes no sense to me. I'm no expert but if having to trust existing peers is a bad thing then where are new peers supposed to get the chain from if not from existing peers?
Also I'm not even sure the assumption behind this criticism is accurate. I believe there are ways for nodes to calculate which chain is "better" (in BTC it's simply the longer chain afaik). There are score systems for that in place. I believe both NXT and NEM have something like that so every peer can determine on its own which "history" is better.

Hi, a nice question indeed!

The real problem is, without a careful design, anyone with very few coins could fake a better chain (a chain that has a better score) that switches long ago, with very little effort. In PoW, this is impossible; but in PoS, this is possible. We have some discussion on this topic in sections 4.1.2, 4.1.3, and 4.4.4. Hope they help.

If some bad guys control a lot of peers, new peers and temporarily offline peers will not be able to distinguish solely by block chain data. They have to continuously confirm with some "famous" nodes, and those nodes together become the "center" of the network.

The beauty of Bitcoin (or PoW) and LibreFortune is, peers can make sure which is the real main chain solely by block chain data. They do not trust peers; they download data from other peers, validate by themselves, and then make their own decision, whether they are new peers or temporarily offline ones.
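
The fork-choice situation debated in posts #9 and #10, as a toy model added here (not part of any post in the thread, and not Nxt's or LibreFortune's actual rule): a node keeps the best-scoring chain unless switching would roll back more than a fixed number of blocks. The 720 is the figure quoted in the thread; the chains, scores and function names are constructed for illustration.

```python
from dataclasses import dataclass

MAX_REORG_DEPTH = 720  # the Nxt figure quoted in the thread; the rule itself is a toy model


@dataclass(frozen=True)
class Chain:
    blocks: tuple  # block ids, genesis first (constructed sample data)
    score: int     # cumulative fork-choice score; how it is earned is out of scope


def fork_point(a, b):
    """Count the leading blocks two chains have in common."""
    n = 0
    for x, y in zip(a.blocks, b.blocks):
        if x != y:
            break
        n += 1
    return n


def choose(local, candidate, limit):
    """Chain a node keeps: best score, unless switching rolls back more than `limit` blocks."""
    if candidate.score <= local.score:
        return local
    rollback = len(local.blocks) - fork_point(local, candidate)
    if limit is not None and rollback > limit:
        return local
    return candidate


def sync(start, offers, limit):
    """Feed chains to a node in the order its peers deliver them."""
    chain = start
    for offered in offers:
        chain = choose(chain, offered, limit)
    return chain


# Constructed chains: `public` is the network's history; `alt` forks at height 100
# and claims a slightly better score.
public = Chain(tuple(f"p{i}" for i in range(1001)), score=1000)
alt = Chain(public.blocks[:100] + tuple(f"a{i}" for i in range(100, 1001)), score=1001)
genesis = Chain(public.blocks[:1], score=0)     # brand-new node
stale = Chain(public.blocks[:200], score=199)   # node that went offline at height 199

if __name__ == "__main__":
    print("online node keeps public:", sync(public, [alt], MAX_REORG_DEPTH) is public)
    print("new node, public first  :", sync(genesis, [public, alt], MAX_REORG_DEPTH) is public)
    print("new node, alt first     :", sync(genesis, [alt, public], MAX_REORG_DEPTH) is alt)
```

In this model the limit protects a node that already holds the public chain, but a node starting from genesis or from a stale tip ends on whichever chain its peers deliver first. Without the limit, the score alone decides in every case.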
patmast3r
Hero Member
Activity: 980
Merit: 1001
June 16, 2015, 07:02:15 PM
 #11

Quote from: patmast3r
Care to explain how a hard coded rewrite limit (you stated 720 for NXT) sacrifices decentralization? What has one to do with the other?

I'm assuming you're referring to this

Quote
New users who encounter multiple histories are no longer able to distinguish them on their own; they need to ask existing participants in the network (which may include friends and family, large corporate entities with reputations to maintain, public websites, etc.) which history they know to be the true one. This is not a distributed consensus! It is a different sort of consensus, which may be formed amongst always-online peers in a decentralized way, but depends on trust for new users and temporarily offline ones. It is correspondingly vulnerable to legal pressure, attacks on “trusted” entities, and network attacks.

?

This makes no sense to me. I'm no expert but if having to trust existing peers is a bad thing then where are new peers supposed to get the chain from if not from existing peers?
Also I'm not even sure the assumption behind this criticism is accurate. I believe there are ways for nodes to calculate which chain is "better" (in BTC it's simply the longer chain afaik). There are score systems for that in place. I believe both NXT and NEM have something like that so every peer can determine on its own which "history" is better.

Quote from: rexzhao
Hi, a nice question indeed!

The real problem is, without a careful design, anyone with very few coins could fake a better chain (a chain that has a better score) that switches long ago, with very little effort. In PoW, this is impossible; but in PoS, this is possible. We have some discussion on this topic in sections 4.1.2, 4.1.3, and 4.4.4. Hope they help.

If some bad guys control a lot of peers, new peers and temporarily offline peers will not be able to distinguish solely by block chain data. They have to continuously confirm with some "famous" nodes, and those nodes together become the "center" of the network.

The beauty of Bitcoin (or PoW) and LibreFortune is, peers can make sure which is the real main chain solely by block chain data. They do not trust peers; they download data from other peers, validate by themselves, and then make their own decision, whether they are new peers or temporarily offline ones.

I do not think the first two statements are true and I'm pretty sure - as I pointed out - that the last statement holds true for POS as well.

Temporarily offline peers and new peers will be able to tell which chain is the better chain only with blockchain data in POS. I'm not sure how exactly those scores are calculated (and it probably varies between implementations) but I'm positive that it's of absolutely no relevance which peer it comes from. If a peer were to fetch "bad" data then it wouldn't have to verify with some "famous" node. Any non-evil node would be enough.
If you're talking about the initial sync mostly happening from well known peers...well...you're gonna need well known peers in any p2p network or how are you planning on letting peers find each other?

rexzhao (OP)
Newbie
Activity: 13
Merit: 0
June 17, 2015, 09:32:45 AM
 #12

........

Quote from: patmast3r
I do not think the first two statements are true and I'm pretty sure - as I pointed out - that the last statement holds true for POS as well.

Temporarily offline peers and new peers will be able to tell which chain is the better chain only with blockchain data in POS. I'm not sure how exactly those scores are calculated (and it probably varies between implementations) but I'm positive that it's of absolutely no relevance which peer it comes from. If a peer were to fetch "bad" data then it wouldn't have to verify with some "famous" node. Any non-evil node would be enough.
If you're talking about the initial sync mostly happening from well known peers...well...you're gonna need well known peers in any p2p network or how are you planning on letting peers find each other?

Guess I have to say things are not that optimistic in PoS. I might give you an example of attacking an ill-formed PoS design for illustration purposes in the near future.

One question you might think about right now is: Why does PeerCoin need to broadcast checkpoints regularly? Why does NXT have that kind of restriction while Bitcoin does not?
patmast3r
Hero Member
Activity: 980
Merit: 1001
June 17, 2015, 09:44:27 AM
 #13

Quote from: rexzhao
Guess I have to say things are not that optimistic in PoS. I might give you an example of attacking an ill-formed PoS design for illustration purposes in the near future.

That would be great!

Quote from: rexzhao
One question you might think about right now is: Why does PeerCoin need to broadcast checkpoints regularly? Why does NXT have that kind of restriction while Bitcoin does not?

I'm not saying NXT and similar systems don't need those restrictions. I'm saying I don't see the problem with having those restrictions and how it's supposed to lead to centralization.
