I will start to detail the flaws in each type of consensus system.
Proof-of-Stake
In the thread I quoted from, we had a recent discussion about Proof-of-Stake systems with monsterer, smooth and others.
To summarize, Proof-of-Stake (including Masternodes of Dash and Casper's consensus-by-betting):
- centralizes control according to stake, which is a finite resource
- stakes (or even deposits) aren't permanent because they can be sold (withdrawn), thus historic security is indefensible
- one could profit from attacking the coin by shorting it while never needing to sell your stake
- even 0.1% stake can attack the coin because block solutions are exclusive to some stake holder so the stake holder can delay transactions[1]
- can be attacked with less than 50% of the stake, by having more Sybil attack peers to lie to newly online stake peers which are syncing to the network (see quote of monster near bottom of this post)
- attacking the coin is a one-time cost of stake that sustains forever, whereas for Proof-of-Work the attacker must continue to expend resources on mining to maintain an attack[2]
- there is no way to distribute new coins (must distribute proportional to stake in order to be fair thus effectively no change in coin distribution)
- smooth also added the very clever point that in the case Proof-of-Stake devolves to a computation contest for computing Nothing-at-Stake game theory, then this is perhaps a Proof-of-Work system in disguise (and I add but it might still also have some of the bad traits of Proof-of-Stake as well)
- PoS usually pays dividends to stake holders (and even relays a percentage to the developers thus must register as a Money Transmitter with FinCEN) thus arguably creating investment securities under the Howey test and thus must be registered with the SEC or face possible jail time. I argue this impacts the resilience.
- PoS doesn't scale nor provide transaction fault tolerance because it is synchronous queue of confirmation nodes, only one of which can confirm for each block
[1] Another scenario is to DDoS attack other stake holders when it is their turn to mine a block, then jack up your transaction fees sky high when it's your turn to mine a block. Note this has many variants as follows:
I do not think the following is possible in dPoS (I'm not sure about other forms of PoS), because delegates cannot change or set transaction fees by themselves. Transaction fees can only be changed by committee members who are elected by stakeholder vote. Not including a transaction because it doesn't have a certain amount in transaction fees seems silly, because the next honest delegate will do so and the honest delegate will get whatever fees are associated with the transaction. They would basically be giving up free money, putting a big red flag on their witness campaign, and it would be very likely that would get them voted out. Part of the incentive for delegates to stay honest is the future income of blocks produced in the future, although as I stated earlier... even if they are dishonest there is not much they can do other than withhold transactions from blocks (and the transaction would be included in the next block produced by an honest delegate). The way I understand it, DPoS' main weakness is the one that all consensus algorithms suffer from: a 51% attack.
You forgot my point that the attacker can short the coin. And that delaying transactions is an attack that could cause the share price to crater. Or DDoS attack all the others and then force all transactions on to your block. This is the problem with PoS and DPOS, because the ordering of who will mine is known before the transactions are sent. That is a major flaw compared to PoW.
[2] Except when top-down society is the attacker it loses this advantage over Proof-of-Stake.
[3] The other flaw of PoS, and especially DPOS and Dash masternodes (as pointed out by smooth et al) is you are paying yourselves via the shares from an enterprise that issued unregistered investment securities and which also requires each stakeholder to register as a money transmitter with FinCEN. I can't fathom how you convinced yourself that you are not going to jail in the future or end up having to lick the boots of the SEC as Erik Voorhees did to wiggle out of jail time.
Some have argued that one would need to buy out the stake of the others in order to attack, thus implying it would be a good speculation for investors. But an insecure or centralizing paradigm for money is not going to inspire nor enable adoption, thus like all the altcoins the price is likely to perpetually decline after the initial hype pump moonshot and crash. If we are just talking about mining each other, in a zero-sum greater fool game, then I am not interested. I am okay with profiting on speculation if there is some fundamental value for society created in the process, not just fooling others.
Point is I don't want to work on bullshit that I know won't be adopted by the world.
My upthread argument is that if Bitcoin loses DECENTRALIZATION then it no longer has the autonomous property of cash. Thus it loses much of its advantages as compared to fiat currency.
Also realize that DECENTRALIZATION is a key aspect to gaining adoption, because no one is going to trust it (e.g. have a shelf life / store-of-value function) if they think some group can take control of the coin. This is why I think Proof-of-Stake coins can never gain wide adoption.
Proof-of-work has a better chance because it requires 50% control to fail (or as low as 25 - 35% with selfish mining). But as I explained upthread, Proof-of-work is also failing economically because it costs $16 per transaction in electricity to mine it and mining is becoming ever more and more centralized over time. I have proposed some ideas to improve these problems (potentially fix them).
Proof of stake is the biggest innovation in crypto since the invention of bitcoin.
Proof of stake creates more problems than it solves. I'm quoting from another post of mine, but here are several attacks which are not present in POW:
I would add the following POS attacks to your list:
* Custodial stake
Exchanges and other large services which store user funds in their own wallets gather a very large stake, which often would give them majority power of POS block generation if they were to abuse it.
* Chain freeze
Once a majority stake holder becomes the dominant block producer, they can withhold all blocks forever, bringing the entire chain to a permanent halt, correctable only with a hard fork.
* Shorting attack
A whale takes out a large short of a POS coin at the same time he buys an equal portion of stake, such that his overall position is neutral.
He then uses his stake to double spend by creating blocks continuously (whenever he is permitted to do so) thereby driving the price of the currency down until he is ready to close his short in profit.
In addition, I would say the chief disadvantage of POS over POW is that the security model in POS is much weaker than POW; block generation probability/cost is a constant in the amount of stake you own, whereas in POW the cost of block generation is super linear in the number of blocks. This makes attacking a POS chain cost free under the shorting attack described above.
ref:
https://bitcointalk.org/index.php?topic=1316024.msg13489124#msg13489124
PoS(hit) can never be secure, because if it has functioning markets (which it must in order to be widely adopted and liquid), then one can borrow stake, attack the coin (which requires much less than 51% to, for example, delay transactions by some N blocks where N is a function of the percentage of coin supply held), and then pay back the borrowed coin with cheaply bought coin as the price collapses due to attacks. You could simultaneously short it (i.e. which you did when you borrowed the coins, but sell some for fiat before you attack) for profits. Also PoS can't distribute new coins, thus eventually the coin supply shrinks asymptotically to 0.
With PoW, your borrowed mining hashrate would eventually reach end of contract and the coin would repair itself. And you'd need much closer to 51% to do damage. You would hope to be able to purchase the coin at cheap prices, wait for it to rise back up and then sell it for fiat to pay back your loan. Much less plausible.
However if you are up against the corrupt State that charges the cost of PoW mining to the collective, then we're screwed with profitable PoW also, except I have the idea to use the unprofitable PoW of every person's computer in the world (with latency preventing them from farming out to ASICs), which it seems might be even too much of an expense for China to hide the subsidization of.
Also PoS can't distribute new coins, thus eventually the coin supply shrinks asymptotically to 0.
You are wrong here. There are PoS variants that distribute new coins.
No variants can. And the last time you debated me, I defeated you on every single point. Are we going to have to do it again?
See Bitshares, genius.
Again the point is that with PoS, there is no FAIR or EQUITABLE way to distribute new coins that doesn't mimic the proportionality of the existing stakes, thus this is the same as the divisibility that is already built into the existing coins. No new distribution was achieved, just offsetting inflation.
If you have any other gimmick in mind, please cite it specifically, so I can identify the flaw for you. You have been hoodwinked.
The amount of say you get in the company is compared to the amount of stake that you own. Corporations have been thriving on such practices for years now. Executives get nice stock options and benefits and the larger shareholders have more say, yet all stakeholders profit (if it is a well-run business of course). If it is known before someone invests in a company/cryptocurrency that whoever has more stake will get more say in the company, then it is ridiculous to call it not fair.
You are also assuming that everyone votes in their best interest only and not the company's best interest, which is not always the case. If you go have a look at what each paid witness is doing for Bitshares then it becomes clear it is not the case.
You mean either:
- Larger stakeholders get more (either because they can outvote the smaller ones, or because the smaller ones are somehow convinced the coin will gain more value if they give away their coins).
- Corporations are created, new shares are created, production in this economy makes these shares more valuable, minority shareholders agree to give more shares to those who run or work for the company.
I assume you mean #2, since #1 is idiotic.
But by definition the shares have to be non-fungible with shares of other corporations. So unless you make Bitshares one corporation for every productive venture, then the new shares can't be Bitshares.
So there is the flaw. You can't have one corporation that produces everything for the world. It lacks degrees-of-freedom. It is same as tying yourself to your sister and trying to each go about your daily life tied together.
Dumb shit like this is why I do not respect the Larimer incest.
Bitshares ... people will even stab or murder each other eventually ... It's also going to have elements of corporate fascism
Following is written by David Mazières, a PhD professor at Stanford who is the Chief Scientist at Stellar.
An alternative to proof of work is proof of stake [King and Nadal 2012], in which consensus depends on parties that have posted collateral. Like proof of work, rewards encourage rational participants to obey the protocol; some designs additionally penalize bad behavior [Buterin 2014; Davarpanah et al. 2015]. Proof of stake opens the possibility of so-called “nothing at stake” attacks, in which parties that previously posted collateral but later cashed it in and spent the money can go back and rewrite history from a point where they still had stake. To mitigate such attacks, systems effectively combine proof of stake with proof of work—scaling down the required work in proportion to stake—or delay refunding collateral long enough for some other (sometimes informal) consensus mechanism to establish an irreversible checkpoint.
With PoS/PoI/DPoS a sybil attack can come without any notice and with potentially much cheaper costs. (No, an attacker need not "buy" coins to attack. They can create an exchange/bank that pays interest/dividends to corner a good chunk of coins, 5-30% needed depending upon the algo, or they can create a popular wallet with a backdoor, or they can compromise several large bagholders' computers, or a few large holders could short and attack their own coin, etc.)
These are social engineering attacks, of course. I guess the equivalent in POW would be to 'borrow' someone's server farm.
Some of it does involve social engineering, yes. The distinction between PoW and PoS/PoI/DPoS is that several of these attack vectors cannot be accomplished with PoW. With PoW all you can do is steal the account holders' coins with a mtgox, ponzi scheme, or when a large bagholder is compromised. With PoS you can also attack the network and steal other people's coins as well. Additionally, a compromised wallet cannot attack the network with a 51% attack with PoW as in PoS.
I suppose one could social engineer their way into Antpool's mine and covertly reflash the firmware on all the miners. This attack would be much more difficult to do because large farms have multiple engineers who look over things and they have to constantly check their equipment and have large incentives to keep on top of everything because of razor thin profit margins.
It is no surprise that many PoS coins use checkpoints to add another security layer, which is essentially centralization by a few developers' approval. Checkpoints don't prevent these attacks, they just narrow the window of attack, which is absolutely no problem. Developers like Vitalik have studied these security weaknesses long and hard and despite desperately wanting to use some form of TaPoS for security still have not found an acceptable solution to mitigate these threats.
[...]
I am 7 minutes into the video, and Vlad Zamfir (developer of Casper) has already not underst00d that proof-of-stake has externalities. I mentioned that to jl777 today:
You have no economically viable attack.
Only if we ignore externalities (external economic motivation). The same applies to the erroneous claim that proof-of-stake is as secure as proof-of-work.
Just because something is possible, that doesn't mean it is certain to happen, especially when it is economically non-viable.
As non-viable as Nxt being controlled by a dictator and Bitshares being controlled by two centralized exchanges.
Also Vlad doesn't seem to fully appreciate that a validator will not be betting against himself if he bets against his historic validation:
To summarize, Proof-of-Stake (including Masternodes of Dash and Casper's consensus-by-betting):
- stakes (or even deposits) aren't permanent because they can be sold (withdrawn), thus historic security is indefensible
Also around the 22 - 23 minute point Vlad makes a reasonable point that having no block reward incentivizes miners to not do game theories that would destroy transaction rate, but he is wrong to assume that is the only possibility. For example a cartel on mining could limit block sizes and thus drive transaction fees higher. Also he is incorrect to imply that proof-of-stake is orthogonal to monetary policy because proof-of-stake can only distribute coins proportionally to stake, which is thus the same as no distribution. Vlad has so many myopias, I don't have time to comment on all of them. The myopias are pervasive through the entire interview.
Btw, the interviewing female seems to be quite intelligent. I'm shocked because she is the first female I've seen in crypto currencies and she seems to be a quick thinker.
Also, how can a PoS coin be attacked using this? Does this mean that PoS coins are more secure as atomic altcoins than PoW?
Unlike hashrate (electricity), stake only has to be purchased once and can attack forever, so therefore rental prices for stake should be much lower (since stake costs less than hashrate).
"stake costs less than hashrate" this appears to be the same as saying donuts cost less than springs.
Sometimes the stake required to attack will cost more than hashrate and vice versa. So it all depends on the specific coins being talked about.
I am making a mathematical asymptotic argument similar conceptually to the arguments about Big O and Big Theta computational complexity classes (wherein at any particular/small values the conclusion might be opposite of the asymptotic reality). The point is mathematical structure in that stake only has to be purchased once, whereas electricity has to be paid continuously. Thus in terms of mathematical structure (all other variables the same, e.g. market cap, etc), then hashrate will be structurally more expensive than stake. Stake is not as secure as hashrate because stake is paid once for an eternal attack and hashrate must be paid continuously else the attack ends (is finite in duration). In short, stake enables an infinite duration attack (at no extra cost) and thus stake is free and hashrate is finite and thus it is not free. If you don't believe that, then just consider that one can short a PoS coin (thus recovering the cost of the stake making it less than free) and the market is likely to sell off the coin during any stake-based attack because the market understands the only way to overcome the attack is to fork the coin. Whereas with PoW, the market may ignore the attack because it will be ephemeral unless the attacker can profit from the attack enough to pay for the ongoing cost of the electricity.
This is the fundamental reason that PoS is not secure. Apparently some PoS coins have been attacked with stake, and the common case are the exchanges which control huge amounts of stake.
And I am not thinking it is so easy to cause deep reorgs at will. It could be that the DE for low security coins needs to be done over longer periods of time and in small increments, i.e. overlapped micropayment channels.
I presume I did not adequately explain the economic argument. The point is that once you incentivize profitable PoW attacks, the attacker can now sustain an attack indefinitely (or the DE is abandoned). Thus there is no longer period of time which is sufficient (from a mathematical structural perspective, although there might be particular cases that are secure, you can't state them with equations that enable reliable decisions). I understand you want to find some reasonable middle ground, but I presume you would play with fire if you pursued this similar to those who argued that PoS was an acceptable middle ground (yet even today we see that Bitshares' DPOS is probably controlled by a few exchanges and I think someone told me Nxt is controlled by a dictator).
I comprehend and am aware of the stance that says nothing is perfect and choose some practical middle ground. But I argue we can do better than some muddled middle ground where for example Bitcoin is already controlled by a Chinese mining cartel that has 65% of the hashrate and is provably lying about the Great Firewall of China being a hindrance for them (their motivation is obviously to make higher profits with higher transaction fees by constraining block size). This outcome I predicted in 2013; I even nailed the block size as the specific failure mode in 2013, and everyone was arguing at that time that I was loony. Their % of the hashrate will increase on the next block reward halving this year, because the marginally profitable miners are the first to go (and I suspect the Chinese mining cartel is getting subsidized electricity with political connections/corruption).
You can make the reasonable argument that the insecurity of the proposed cut & choose algorithm only impacts those altcoins without CLTV and thus it is better than no DE for those coins. In that case, maybe I can agree with that. But do fully acknowledge the Pandora's box security threat so enabled (but at least isolated to those who trade for those altcoins). Thus I don't think it will be a very popular case, if proper disclosures are made. Who would trade BTC for an altcoin where they might lose their funds due to an attack (particularly even a long-range lie-in-wait attack) and where the developers of that altcoin are unable to add the CLTV op code.
I am not convinced by general statements, especially when they have counterexamples that prove they are incorrect. I can easily name many PoS coins where it is more expensive to obtain enough stake to attack than for a set of PoW coins whose hashrate is lower.
Of course there are scenarios where a PoW coin pays less % of debasement to mining thus requires less cost for a short-term attack than a PoS coin with a huge market cap. This is primarily because Satoshi's PoW design is incorrect. I have a solution to this by making mining unprofitable so that no debasement is paid for mining.
Both the current PoS and PoW designs are flawed. That is one of the major innovations I am working on.
Sorry, general scare statements don't work on me.
The generative essence statement I made upthread was referring to the fact that given no reference point, DE would not be secure. Without a reference point, nothing can be proven about crypto currency (e.g. double-spends can't be prevented, etc), thus the requirement for a reference point is essential (even Satoshi's PoW suffers from the fact that it is probabilistic and didn't solve the Byzantine Generals' Problem because it can't identify an attack from a non-attack because the longest chain rule is self-referential). I can make such a general statement and be 100% certain there is no possible exception, because it is a fundamental inviolable mathematical structural issue.
The reference points are provided by my upthread "Coin Days Destroyed" suggestion a few days ago and the point yesterday in this thread about hard-coding the destination addresses in the CLTV. In other words, those reference points do not depend on future confirmations, but are past history (the age of the UTXOs being spent) and future invariants (the hard-coded destinations).
I was just starting treatment for fatty liver disease over the past 2 days (along with running around getting a diagnosis and other foggy brain matters) so apologies that only this morning did I feel alert enough to write a coherent explanation such as this.
Only specific failure cases, which can then be generalized and solutions usually devised. I know that if I just say, sure in theory it won't work and don't push for a solution, then it would limit things to BTC <-> LTC and gradually more and more, so at worst it is a slow process, but we don't have to outrun the bear, we just need to be more secure than a CE.
There is a distinction between theory and inviolable mathematical structure. I will give you another example that I learned when I started to teach myself cryptography over the past 3 years. That is zero knowledge proofs are impossible without an asymmetric trap door function, i.e. they can't be done with hash functions. That is not theory. It is an inviolable fact due to the mathematical structure.
NXT PoS limits any reorgs to 720 blocks, so for NXT if the timeout is set above 720 blocks, then it will be beyond the reach of any attack.
That seems reasonable since checkpoints are required in PoS due to people selling their stake and then doing a long-range attack with stake they no longer own based on reorganization of historical transactions that create stake. Anyone who is buying NXT should hopefully understand the tradeoffs of a PoS system (centralized governance, advantage of less electrical consumption, my arguments against PoS in my prior post, etc).
Couldnt any coin use data from the BTC blockchain from some hours in the past to create a backstop from massive reorg? By using the massive PoW of BTC, a PoS or weaker PoW would get an externally verifiable reference? Why couldnt that be used as the generative essence you say is required?
[...]
But maybe I misunderstood your objection and the above has a fatal flaw?
I assume you mean writing some meta-data into the stronger block chain, that the weaker block chain could refer to as evidence. The hindrance is that decentralized block chains have no external reference point. There is no way to enforce that a particular block in one chain came before a block (nor within some # of blocks after a block) on another chain. Block chains are self-referential, and that is precisely why we need CLTV to implement decentralized exchange. It is also why Blockstream's side chains have security which is as weak as the weakest side chain (because a reorganization in one chain erases coins that have already been reserved in other chains for maintaining the one-to-one exchange peg), which is btw why afaics side chains are implausible (hopefully this post won't get deleted by the moderator, hehe).
@TPTB_need_war another way to think about why PoS isn't as secure as PoW in general:
PoS does not reinforce historical consensus. Every subsequent block in a PoW chain makes the history below it more secure because the cost of reversing it is superlinear in the number of blocks built on top. In PoS, this is not the case, the cost of producing a block is a constant, therefore the cost of reversing history is a constant.
so with a 51% + selfish mining attack you would be able to unwind all hist tx in PoS? (with minor costs)
You can arbitrarily re-write history in PoS with <50%; I can produce a valid candidate chain longer than the canonical chain for a constant cost, which I then present to nodes which are syncing with the network who are unable to distinguish this objectively from the canonical chain.
edit: Since the cost of providing such information is very small, I can dominate the network with peers containing instances of my fake chain such that any syncing node querying peers at random would find a majority of my fake nodes.
I've added this to the post about PoS on the first page of the thread. You've pointed out that PoS can be Sybil attacked, achieving an attack with less than 50% of the stake when the majority of the stake is not always online. In other words, PoS is only secure as a federation, not decentralized consensus.
More about checkpoints:
NXT PoS limits any reorgs to 720 blocks, so for NXT if the timeout is set above 720 blocks, then it will be beyond the reach of any attack.
That seems reasonable since checkpoints are required in PoS due to people selling their stake and then doing a long-range attack with stake they no longer own based on reorganization of historical transactions that create stake. Anyone who is buying NXT should hopefully understand the tradeoffs of a PoS system (centralized governance, advantage of less electrical consumption, my arguments against PoS in my prior post, etc).
It seems cut & choose with a fee is an appropriate DE protocol for any proof-of-stake coins with frequent checkpoints (that don't support CLTV), which in NXT's case appears to be enforced by nodes that are always online and can form objective reality from the chain they've seen while being online. In other words (an issue which we have discussed and identified in the linked threads I mentioned in my prior post), NXT's 720 block rule is ambiguous to nodes who've recently come online (they don't know which chain was first to appear and can be lied to by a node that has always been online, i.e. propagation is not objective reality to offline nodes), but afaik with proof-of-stake typically there is a more permanent set of nodes (dictators or elected delegates in Bitshares' DPoS) who control the chain, i.e. the coins are essentially centralized. Yesterday monsterer pointed out how PoS can be controlled with even less than 50% of the hashrate, so kudos to monsterer for articulating our prior insight with more clarity on the weakness of PoS.
So an imperfect DE protocol is arguably appropriate for an imperfect decentralized consensus algorithm. Seems befitting and allows you James to monetize your work, since PoS coins are still quite popular for the time being (and with hubris I will joke that they will need DE to trade for my superior consensus algorithm invisible vaporcoin).
So what I am saying is I think you can monetize. I don't know how to monetize with the dual CLTV technically sound protocol (with my suggested "coin age" filtering improvement to squelch jamming attacks), as it seems to not require a fee.
Cut & choose seems to be inappropriate for proof-of-work coins due to the longer-range lie-in-wait rented hashrate attack on the probabilistic longest-chain-rule (LCR), unless they too are essentially centralized and have some frequent checkpoints generated by some form (either concentrated hashrate in always online nodes/pools that enforce checkpoints or lead developers who release checkpoints frequently) of centralized control.
You can tell how much stake is used in creating a POS chain.
No you can't if stake has been sold and purchased, because the order of those transactions in time is entirely arbitrary and controlled by whom ever is claiming to have the stake now.
That is why PoS requires checkpoints and always online nodes with > 50% of the stake (who all agree with each other due to Nash equilibrium[1]) to avoid a Sybil attack.
[1] but the Nash equilibrium doesn't exist if one can earn more profit by shorting the coin or attacking an exchange, etc. PoS is a mess that requires centralization. Note that Satoshi's PoW is also a mess that also centralizes as well due to the economics of mining+verification and wastes a lot of electricity (Bitcoin is already controlled by the Chinese mining cartel), so it is sort of a stalemate at this point which explains the popularity of PoS (the other reason PoS is popular is it is technically easier to implement and it is much superior for controlling P&D schemes and top-down governance).
The point about checkpoints is that when your protocol depends upon them for security purposes, you might as well just throw the whole thing in the bin and use a 100% centralised service, which will be exactly as secure and a lot faster, cheaper and easier to use.
Bit harsh.. There are many other benefits to a decentralised system, that 'needing-one-32-byte-checkpoint-at-first-logon' doesn't screw up.
Decentralized nodes provide DDoS resistance, higher availability and uptime. But a centralized controller can provide decentralized nodes. The significant advantages of decentralization derives from decentralizing control so that failure modes are removed that revolve around disagreements or vested interests.
You can see that PoS has no Nash equilibrium unless it is controlled by one "winner take all".
I'm with spartacusrex. The ultimate test is for someone to pull off one of these (theoretical) attacks and catastrophically and irreparably damage the network in some way, or at least prove that one of the attacks can be used to consistently and successfully attack the network and/or individual users. Until this test is completed, I'm going to assume that POS and other variations (DPOS) are sufficiently secure.
Also, it would be in everyone's best interest if POS was broken sooner rather than later while valuations are low. So please, if you have a guaranteed attack, go ahead and do it and prove POS useless.
PoS systems have already been attacked, I believe it was by an exchange. But that is not even the main point, which apparently you are also not cognisant of.
The main point is that the centralization required to obtain a Nash equilibrium in PoS is the attack. A centralized system is a political and vested interest leverage against everyone who uses the system. For example, the centralized control can veto feature changes, such as how the Chinese mining cartel has vetoed a block size increase for Bitcoin so they can ostensibly force transaction fees high to fatten their profits.
Still waiting.................
The ill-informed hubris that n00bs slobber on threads is incredulous.
The 50% attacks have already occurred numerous times for PoS and PoW coins. You are just blinded because you are not looking at all forms of "attack". Typical myopia of n00bs (non-experts) who haven't conceptualized all the issues thoroughly. Live and breathe this stuff for years as monsterer, smooth, and myself have and then you may start to have the foresight that we have. We would simply appreciate a bit more respect for the effort we have invested.
I am respectful to those who respect those who invest effort. This is called a meritocracy. I put the mirror in the face of weekend warriors who disrespect those who have done their homework.
Well you don't need to find historical keys (in order to rewrite the history of PoS block chains), when you can make them for nearly 0 cost.
Simply buy and sell on an exchange, and your cost will only be the spread.
Then short the coin, and start attacking.
Obviously this doesn't apply to illiquid meaningless microfloat altcoins. We are talking about whether PoS is viable for a mainstream decentralized coin. Not.
For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).
max reorg depth in NXT is 720 blocks
Checkpoints are centralization.
For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).
If we don't have decentralization, then the entire plot has been lost.
Do you need an example? Here you go (remember the Chinese mining cartel allegedly controls 65% of the Bitcoin hashrate):
https://www.reddit.com/r/btc/comments/48nnaw/the_truth_comes_out_core_devs_have_convinced/
Bitshares instant transactions aren't reliable, because there is only one designated confirmation node for each block period, so the performance of blocks can vary.
Poor performers get voted out, and are no longer permitted to form blocks. Only historically reliable block producers are allowed to mine.
Then it is not decentralized, permissionless. A permissionless system should be able to scale while still permitting slower nodes. In short, yeah you can guarantee anything with total control, but you also ensure a power vacuum which is winner-take-all. It is an Iron Law of Political Economics.
But even your reply is technically ignorant, because the point I was making is that no one can guarantee that a node performs well 100% of the time. Nothing on the internet is perfectly reliable. The fault tolerance must be built into the system by allowing many nodes to confirm transactions simultaneously, not a synchronous queue as is Proof-of-Stake's idiotic design.
...
Btw, proof-of-stake will never scale out user adoption, because it is a vested interest paradigm, and thus will be destroyed by its stake holders. No stake holder (in any context or business model) allows a competitor to profit. Only permissionless, decentralized systems scale.