PoS vs PoW

[jl777]

And it seems that you are admitting that in the absence of an attack, there is not much difference. So the difference is the cost to conduct an attack.

So, what would it cost to buy half the hashrate for bitcoin?

James

P.S. Another twist that makes this not so trivial is that once the attacker has accumulated a large stake, he has a large stake! And now his decisions to attack need to take into account the cost to his stake.

I am saying that no matter the cost of acquiring stake, the attack cost is still a constant. In POW, the attack cost is superlinear.

In addition, POS is not proof of current stake, it is proof of historical stake - at time X there is a proof that you owned Y stake. This means you can buy a bunch of coins, keep the keys, sell the stake and then use the historical proof to produce fake, valid chains.

A properly designed PoS avoids history attacks

[1715448172]

1715448172

[1715448172]

1715448172

[monsterer]

A properly designed PoS avoids history attacks

Bandaids on a broken system.

[jl777]

P.S. Another twist that makes this not so trivial is that once the attacker has accumulated a large stake, he has a large stake! And now his decisions to attack need to take into account the cost to his stake.

That's not really true, all you need is "proof" that at one point you had a large amount of stake. Things like NXT get around this problem by time-locking changes and blah blah blah.
You can, of course, add enough rules to make a PoS currency kind of work, but that's not really surprising because their security model isn't novel. If you're willing to give up trustless decentralized consensus then there are much better ways than PoS to make a digital currency..

My point is that PoS has evolved from the initial attempts and it is becoming almost as secure as PoW. I do agree that PoW is more secure than PoS, but at a great cost. I am an agnostic as far as PoS vs PoW, each has cases where it is better than the other, ie neither dominates the other. This tells me the true solution is not yet.

As far as your claim about PoS needing to give up being trustless and decentralized, you seem to be just saying stuff without any proof.

As near as I can tell PoW and PoW are roughly equivalent in its trustlessness and decentralizedness. Of course you are probably much smarter than me, so I await some sort of logical set of statements that shows that PoS leads to centralization

James

[amaclin]

In POW, the attack cost is superlinear.

If the hashrate in bitcoin drops x4 times comparing the current values... What would be the cost of attack?  

[jl777]

A properly designed PoS avoids history attacks

Bandaids on a broken system.

Was the first PoW implementation perfect?

Why is it that anybody can potentially change the txid of an unrelated transaction in bitcoin?

Nothing is perfect.

James

[monsterer]

If the hashrate in bitcoin drops x4 times comparing the current values... What would be the cost of attack?  

Superlinear in the number of blocks

[monsterer]

Was the first PoW implementation perfect?

Why is it that anybody can potentially change the txid of an unrelated transaction in bitcoin?

Nothing is perfect.

James

I quite agree. However, you must accept that you cannot have cost free block production without cost free chain attacks.

[DumbFruit]

As far as your claim about PoS needing to give up being trustless and decentralized, you seem to be just saying stuff without any proof.

As near as I can tell PoW and PoW are roughly equivalent in its trustlessness and decentralizedness. Of course you are probably much smarter than me, so I await some sort of logical set of statements that shows that PoS leads to centralization

James

See "4.3 'Long-Range' versus 'Short-Range' Attacks"
https://download.wpsoftware.net/bitcoin/pos.pdf

"... new nodes joining the network, and nodes that appear online after a very long time, would not have the consensus algorithm reliably protecting them. Fortunately, for them, the solution is simple: the first time they sign up, and every time they stay offline for a very very long time, they need only get a recent block hash from a friend, a blockchain explorer, or simply their software provider, and paste it into their blockchain client as a “checkpoint”. They will then be able to securely update their view of the current state from there."
https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

In other words, it's not just my claim that they need to give up trustless decentralized consensus, that's a pretty well accepted fact at this point.

[jl777]

Was the first PoW implementation perfect?

Why is it that anybody can potentially change the txid of an unrelated transaction in bitcoin?

Nothing is perfect.

James

I quite agree. However, you must accept that you cannot have cost free block production without cost free chain attacks.

I agree that once the attacker gets a 50% stake, then its game over for a PoS (unless the attacker starts to care about the coin he owns), while a PoW could eventually work its way out of such domination, ie cex-io had >50% for a while, but not anymore.

In PoW an attacker with >50% of hashrate might not care at all about the coin, this wont be the case for PoS

But to say it costs nothing to attack PoW is disingenuous. More accurate is "after you spend a lot of money, you can dominate a PoW without any incremental costs"

But it all seems like this is about which system would be more resilient under a massive attack scenario. The truth is that no blockchain is safe from a massive attack today, so to be debating about which one is less broken is not so productive. Hopefully we can make a system that is able to withstand any sort of attack.

James

[amaclin]

If the hashrate in bitcoin drops x4 times comparing the current values... What would be the cost of attack?  

Superlinear in the number of blocks

Sure?
Hashrate drops x4 -- This means that 3/4 of current ASICs have been switched off because they are unprofitable to their owners.
How much the obsolete ASIC costs on market?
I think ~nothing.
How much money should you have to collect enough obsolete hardware for 51% attack?  

[jl777]

As far as your claim about PoS needing to give up being trustless and decentralized, you seem to be just saying stuff without any proof.

As near as I can tell PoW and PoW are roughly equivalent in its trustlessness and decentralizedness. Of course you are probably much smarter than me, so I await some sort of logical set of statements that shows that PoS leads to centralization

James

See "4.3 'Long-Range' versus 'Short-Range' Attacks"
https://download.wpsoftware.net/bitcoin/pos.pdf

"... new nodes joining the network, and nodes that appear online after a very long time, would not have the consensus algorithm reliably protecting them. Fortunately, for them, the solution is simple: the first time they sign up, and every time they stay offline for a very very long time, they need only get a recent block hash from a friend, a blockchain explorer, or simply their software provider, and paste it into their blockchain client as a “checkpoint”. They will then be able to securely update their view of the current state from there."
https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

In other words, it's not just my claim that they need to give up trustless decentralization, that's a pretty well accepted fact at this point.

Well sorry to give a counterexample, but what if when you are joining the network after a long time (or for the first time) to query a massive amount of nodes? In the case of an attacker conducting a massive sybil/eclipse attack, then both PoW and PoW will have a difficult time to find the right chain.

So you might accept one example from a hypothetical because it reinforces the conclusion you want, but I prefer to analyze the details a bit deeper.

If all nodes are queried, then how is it not decentralized? (of course, you can make it a bit more efficient and just query enough nodes to get to a confidence level that you are comfortable with)

James

[monsterer]

But to say it costs nothing to attack PoW is disingenuous. More accurate is "after you spend a lot of money, you can dominate a PoW without any incremental costs"

I think you mean POS there.

Anyway, the point is, the attack cost is a constant. Once you have acquired stake X which gives you Y probability of producing a block, you can go on using that probability to produce double spent transactions, forever at zero cost.

X does not need to be 50% in order to cause a serious problem.

[trinaldao]

Trying to understand how proof of stake vs proof workS...
also would like to hear opinions and strategies from people who walk the pos walk...

many thanks! 

POW is good for Long life coin , because very hard to produce newcoin, you must rent Rig or build yopur own rig to mining it
and at POS is best choice for short life coin, you can profit more and more (if you stake at first time) i think POS coin is like ponzi scheme

[monsterer]

If all nodes are queried, then how is it not decentralized? (of course, you can make it a bit more efficient and just query enough nodes to get to a confidence level that you are comfortable with)

This has got sybil attack written all over it.

[jl777]

If all nodes are queried, then how is it not decentralized? (of course, you can make it a bit more efficient and just query enough nodes to get to a confidence level that you are comfortable with)

This has got sybil attack written all over it.

if a PoW node is sybil attacked, how does it defeat the sybils?
Are you saying that if a PoW node bootstrapping is surrounded by only sybil nodes, it has a way to notice this?

[monsterer]

if a PoW node is sybil attacked, how does it defeat the sybils?
Are you saying that if a PoW node bootstrapping is surrounded by only sybil nodes, it has a way to notice this?

With POW a node can easily verify that the POW is correct - that negates sybil attack.

[jl777]

if a PoW node is sybil attacked, how does it defeat the sybils?
Are you saying that if a PoW node bootstrapping is surrounded by only sybil nodes, it has a way to notice this?

With POW a node can easily verify that the POW is correct - that negates sybil attack.

really?

So if a new PoW node is bootstrapping and it is only connecting to sybil nodes that have created a totally fictional (but technically accurate) blockchain, there is some magic that PoW node can do that PoS cannot do?

I cannot imagine any such thing is possible

James

[monsterer]

So if a new PoW node is bootstrapping and it is only connecting to sybil nodes that have created a totally fictional (but technically accurate) blockchain, there is some magic that PoW node can do that PoS cannot do?

I cannot imagine any such thing is possible

James

Producing a totally fictional blockchain is computationally equivalent to outpacing the network. Not impossible, but it requires 51% of the hashing power of the network to produce a chain longer than the best chain.

[jl777]

So if a new PoW node is bootstrapping and it is only connecting to sybil nodes that have created a totally fictional (but technically accurate) blockchain, there is some magic that PoW node can do that PoS cannot do?

I cannot imagine any such thing is possible

James

Producing a totally fictional blockchain is computationally equivalent to outpacing the network. Not impossible, but it requires 51% of the hashing power of the network to produce a chain longer than the best chain.

How so?
You can just make the hashrate constant and very low. Remember this is totally fictional chain, so the real network has nothing to do with it. I am pretty sure that with a bit of tweaking, you can generate blocks very quickly and still have it pass all the PoW verifications

If the only chain a new node sees is this one, then i dont see how it can differentiate it from the real chain, which it cant connect to in this hypothetical.

James

[DumbFruit]

So if a new PoW node is bootstrapping and it is only connecting to sybil nodes that have created a totally fictional (but technically accurate) blockchain, there is some magic that PoW node can do that PoS cannot do?

I cannot imagine any such thing is possible

James

Producing a totally fictional blockchain is computationally equivalent to outpacing the network. Not impossible, but it requires 51% of the hashing power of the network to produce a chain longer than the best chain.

How so?
You can just make the hashrate constant and very low. Remember this is totally fictional chain, so the real network has nothing to do with it. I am pretty sure that with a bit of tweaking, you can generate blocks very quickly and still have it pass all the PoW verifications

If the only chain a new node sees is this one, then i dont see how it can differentiate it from the real chain, which it cant connect to in this hypothetical.

James

You're correct that in a hypothetical scenario where a user has no access to any other valid peer then it obviously can't validate it's version of events with a peer.
However, PoW can trivially bootstrap itself in the face of an overwhelming majority of hostile nodes. All it needs to find is a single node with proof that it has a blockchain with greater work on it and it's good to go. The valid chain has the most work. No human intervention required.
PoS cannot bootstrap itself in this manner. Even when there are valid nodes available, you would have to find somebody you trust and manually add a checkpoint.