PoS vs PoW

[jl777]

So if a new PoW node is bootstrapping and it is only connecting to sybil nodes that have created a totally fictional (but technically accurate) blockchain, there is some magic that PoW node can do that PoS cannot do?

I cannot imagine any such thing is possible

James

Producing a totally fictional blockchain is computationally equivalent to outpacing the network. Not impossible, but it requires 51% of the hashing power of the network to produce a chain longer than the best chain.

How so?
You can just make the hashrate constant and very low. Remember this is totally fictional chain, so the real network has nothing to do with it. I am pretty sure that with a bit of tweaking, you can generate blocks very quickly and still have it pass all the PoW verifications

If the only chain a new node sees is this one, then i dont see how it can differentiate it from the real chain, which it cant connect to in this hypothetical.

James

You're correct that in a hypothetical scenario where a user has no access to any other valid peer then it obviously can't validate it's version of events with a peer.
However, PoW can trivially bootstrap itself in the face of an overwhelming majority of hostile nodes. All it needs to find is a single node with proof that it has a blockchain with greater work on it and it's good to go. The valid chain has the most work. No human intervention required.
PoS cannot bootstrap itself in this manner. Even when there are valid nodes available, you would have to find somebody you trust and manually add a checkpoint.

PoW does have an easier time, but what do you think of querying 50%+ of nodes during bootstrap?
What trust is needed in that case?

The valid nodes would all be on the same chain and the attacker a different chain, the assumption is that the attacker chain has less weight from genesis than the main chain (otherwise the attacker's chain would technically be the main chain).

And why cant a PoS node validate the main chain? If there is a requirement that all nodes eligible for staking have a registered pubkey, then for each block, the bootstrapping node can calculate which account should have generated a block. Granted there wont be a way to know which nodes published the blocks that it could have, but this is also an issue for PoW as it would be possible for a fake PoW chain to have omitted valid hashes and in the absence of them in the blockchain, the bootstrapping node wont have a way to know it existed.

I think the bootstrapping PoS node is in a similar situation. Mathematically, it can rank the winning block being 1st, 2nd, 198th on the list of eligible accounts to stake. So if it is always the 1st, then there is no issue and if there is some crazy low account with a block, it would be detectable and require some additional correlations.

I am not saying it is easy, but if all the nodes are in consensus, then PoS vs PoW does not seem to matter so much. And resolving attack scenarios is a messy complex thing, regardless of how new coins are minted.

James

[monsterer]

PoW does have an easier time, but what do you think of querying 50%+ of nodes during bootstrap?
What trust is needed in that case?

It is prone to sybil attack - the cost of pretending to be N nodes is tiny, so you can pretend to be 50% of the nodes on the network at very little cost.

[jl777]

PoW does have an easier time, but what do you think of querying 50%+ of nodes during bootstrap?
What trust is needed in that case?

It is prone to sybil attack - the cost of pretending to be N nodes is tiny, so you can pretend to be 50% of the nodes on the network at very little cost.

Is any PoW needed to be a node on a network? I thought PoW is only used to create new blocks

Tier Nolan is proposing a QoS to create a PoW requirement to be a node, but to my knowledge this is not done yet. I have added such an anti-ddos to supernet protocol, but being a node on the network is independent from generating new blocks, so it has no relation to whether a coin is PoW or PoS or if it isnt even a coin

[monsterer]

Is any PoW needed to be a node on a network? I thought PoW is only used to create new blocks

Tier Nolan is proposing a QoS to create a PoW requirement to be a node, but to my knowledge this is not done yet. I have added such an anti-ddos to supernet protocol, but being a node on the network is independent from generating new blocks, so it has no relation to whether a coin is PoW or PoS or if it isnt even a coin

No POW is need to be a node. Not sure what your point is?

You were suggesting that querying 50% of the network is trustless, because that is a majority - however, that is prone to sybil attack, since pretending to be a node costs nothing.

[jl777]

Is any PoW needed to be a node on a network? I thought PoW is only used to create new blocks

Tier Nolan is proposing a QoS to create a PoW requirement to be a node, but to my knowledge this is not done yet. I have added such an anti-ddos to supernet protocol, but being a node on the network is independent from generating new blocks, so it has no relation to whether a coin is PoW or PoS or if it isnt even a coin

No POW is need to be a node. Not sure what your point is?

You were suggesting that querying 50% of the network is trustless, because that is a majority - however, that is prone to sybil attack, since pretending to be a node costs nothing.

OK, so query 60%, or 70% or 90% at some point you have to admit that the sybils are detected (unless the entire network is sybils)

[monsterer]

OK, so query 60%, or 70% or 90% at some point you have to admit that the sybils are detected (unless the entire network is sybils)

If this policy is valid, why bother with any proof of stake at all in the main protocol? All you'd need would be to validate transactions against 60%, 70% or 90% of the nodes in the network, and bob's your uncle?

[DumbFruit]

PoW does have an easier time, but what do you think of querying 50%+ of nodes during bootstrap?
What trust is needed in that case?

The valid nodes would all be on the same chain and the attacker a different chain, the assumption is that the attacker chain has less weight from genesis than the main chain (otherwise the attacker's chain would technically be the main chain).

You still would not need any trust as a PoW cryptocurrency. Even if you started up your client and you happened to query 100% nodes at the time and they were all the wrong chain, the node can self-correct once it receives a block from the proper chain that reveals that higher work is occurring. It would reorganize and be fine from that point on.
Proof of Stake can't do that. If it gets bootstrapped without any kind of checkpoint then it will simply be wrong until a human intervenes. A new bootstrapping Proof of Stake software cannot detect a Sybil attack.

And why cant a PoS node validate the main chain? If there is a requirement that all nodes eligible for staking have a registered pubkey, then for each block, the bootstrapping node can calculate which account should have generated a block.

Sure, yes. If you have a centralized authority that keeps a register of valid pubkey's, then as long as you can trust that authority, you'll be able to bootstrap the correct PoS blockchain.

Granted there wont be a way to know which nodes published the blocks that it could have, but this is also an issue for PoW as it would be possible for a fake PoW chain to have omitted valid hashes and in the absence of them in the blockchain, the bootstrapping node wont have a way to know it existed.

Again, of course a PoW blockchain can't figure out it's wrong if it never communicates with valid nodes, but once it does it can reorganize itself based purely on whichever chain has the most work.

I think the bootstrapping PoS node is in a similar situation. Mathematically, it can rank the winning block being 1st, 2nd, 198th on the list of eligible accounts to stake. So if it is always the 1st, then there is no issue and if there is some crazy low account with a block, it would be detectable and require some additional correlations.

I am not saying it is easy, but if all the nodes are in consensus, then PoS vs PoW does not seem to matter so much. And resolving attack scenarios is a messy complex thing, regardless of how new coins are minted.

It is not only messy with Proof of Stake, it's impossible without breaking the fundamental security model that Proof of Work has.

As an aside, I find that Proof of Work deals with attacks in ways that are elegant and very well understood whereas Proof of Stake is replete with ad-hoc rules and behaviors that I find highly arbitrary and difficult to follow, but your mileage may vary I guess.

[jl777]

OK, so query 60%, or 70% or 90% at some point you have to admit that the sybils are detected (unless the entire network is sybils)

If this policy is valid, why bother with any proof of stake at all in the main protocol? All you'd need would be to validate transactions against 60%, 70% or 90% of the nodes in the network, and bob's your uncle?

this is only needed for bootstrap

[jl777]

PoW does have an easier time, but what do you think of querying 50%+ of nodes during bootstrap?
What trust is needed in that case?

The valid nodes would all be on the same chain and the attacker a different chain, the assumption is that the attacker chain has less weight from genesis than the main chain (otherwise the attacker's chain would technically be the main chain).

You still would not need any trust as a PoW cryptocurrency. Even if you started up your client and you happened to query 100% nodes at the time and they were all the wrong chain, the node can self-correct once it receives a block from the proper chain that reveals that higher work is occurring. It would reorganize and be fine from that point on.
Proof of Stake can't do that. If it gets bootstrapped without any kind of checkpoint then it will simply be wrong until a human intervenes. A new bootstrapping Proof of Stake software cannot detect a Sybil attack.

And why cant a PoS node validate the main chain? If there is a requirement that all nodes eligible for staking have a registered pubkey, then for each block, the bootstrapping node can calculate which account should have generated a block.

Sure, yes. If you have a centralized authority that keeps a register of valid pubkey's, then as long as you can trust that authority, you'll be able to bootstrap the correct PoS blockchain.

Granted there wont be a way to know which nodes published the blocks that it could have, but this is also an issue for PoW as it would be possible for a fake PoW chain to have omitted valid hashes and in the absence of them in the blockchain, the bootstrapping node wont have a way to know it existed.

Again, of course a PoW blockchain can't figure out it's wrong if it never communicates with valid nodes, but once it does it can reorganize itself once that communicate does occur based purely on whichever chain has the most work.

I think the bootstrapping PoS node is in a similar situation. Mathematically, it can rank the winning block being 1st, 2nd, 198th on the list of eligible accounts to stake. So if it is always the 1st, then there is no issue and if there is some crazy low account with a block, it would be detectable and require some additional correlations.

I am not saying it is easy, but if all the nodes are in consensus, then PoS vs PoW does not seem to matter so much. And resolving attack scenarios is a messy complex thing, regardless of how new coins are minted.

It is not only messy with Proof of Stake, it's impossible without breaking the fundamental security model that Proof of Work has.

As an aside, I find that Proof of Work deals with attacks in ways that are elegant and very well understood whereas Proof of Stake is replete with ad-hoc rules and behaviors that I find highly arbitrary and difficult to follow, but your mileage may vary I guess.

what if the PoS network uses a PoW network as the trusted authority? Then as long as the PoW network is secure, the PoS can bootstrap using data from the PoW network

Maybe this hybrid mode is a good way to get the security of PoW in a PoS chain

[monsterer]

what if the PoS network uses a PoW network as the trusted authority? Then as long as the PoW network is secure, the PoS can bootstrap using data from the PoW network

Maybe this hybrid mode is a good way to get the security of PoW in a PoS chain

This has been suggested before (https://bitcointalk.org/index.php?topic=1170713.msg12325428#msg12325428), but, of course, it only prevents re-orgs longer than the POW block interval.

...and this surely calls into question the point of having a POS chain at all.

[monsterer]

this is only needed for bootstrap

I would suggest that there is no difference between a synced node and a bootstrapping node in terms of consensus design.

[Flyskyhigh]

Not all PoS is the same, and if it's not done right it will have security flaws.

That said, PoS is like mining without mining gear or extra electricity, and that is why I like it. I used to be a Bitcoin miner for PoW but I am not anymore. You can eventually make more via PoS minting than with PoW mining. Essentially, Your coins are the miners. Think of it that way.

[LiQio]

@monsterer et al.

Theory is one thing but what about empirical data:

- are there any PoW coins that have been killed by external attacks? (I believe BCX killed some, but don't know any details)
- are there any PoS coins that have been killed by external attacks (N@S, history rewriting, etc.)?

[defaced]

@monsterer et al.

Theory is one thing but what about empirical data:

- are there any PoW coins that have been killed by external attacks? (I believe BCX killed some, but don't know any details)
- are there any PoS coins that have been killed by external attacks (N@S, history rewriting, etc.)?

How do we define a block chain death?

[monthlyemployee1]

Not all PoS is the same, and if it's not done right it will have security flaws.

That said, PoS is like mining without mining gear or extra electricity, and that is why I like it. I used to be a Bitcoin miner for PoW but I am not anymore. You can eventually make more via PoS minting than with PoW mining. Essentially, Your coins are the miners. Think of it that way.

PoS is nearly worthless because you do not need to make any kind of initial investment to start mining.

[forzendiablo]

PoS is more secure imo

[LiQio]

@monsterer et al.

Theory is one thing but what about empirical data:

- are there any PoW coins that have been killed by external attacks? (I believe BCX killed some, but don't know any details)
- are there any PoS coins that have been killed by external attacks (N@S, history rewriting, etc.)?

How do we define a block chain death?

Good question. I used the word "killed" pretty ingenuously. What I wanted to imply was, that after a malicious third party interference the coin lost a massive amount of value, a massive amount of trust, market cap dropped big time and didn't restore after weeks, etc.

Let's collect some evidence first in this brainstorming phase and try to define "block chain death" later.

[Mickeyb]

We often hear that the POS is less secure than POW because of the Nothing at Stake problematic. At least, this is the only reasoning against the POS by the POW people. Well this and the initial distribution problem, but I don't really see this as problem at all.

We can all see that the Ethereum will switch much sooner to POS than expected, in about a year, while their network will stall and switch will be unavoidable in about 16 months, the latest.

Vitalik claims that he has solved this Nothing at Stake problem!!
What are your thoughts about this?
Thanks!

[monsterer]

Vitalik claims that he has solved this Nothing at Stake problem!!
What are your thoughts about this?
Thanks!

Unless you expend some limited resource when producing a block, you have not addressed the key problem with POS.

[Mickeyb]

Vitalik claims that he has solved this Nothing at Stake problem!!
What are your thoughts about this?
Thanks!

Unless you expend some limited resource when producing a block, you have not addressed the key problem with POS.

Do you mind expending your explanation? This is very interesting topic to me.
Are you trying to say that his claims that he solved NaS problem permanently are not right?