Proof that Proof of Stake is either extremely vulnerable or totally centralised

[nexern]

pow isn't bad in general but a monetary based incentive model doesn't work. it may on the paper, in theory
but you have to deal with humans here and they have totally different demands (mostly accumulation driven).
i mean, is there really any doubt that this model already lead into a very unhealthy centralization?

perhaps for those denying reality, granted, but assuming this centralization is the case you have to accept
that pow is much, much more vulnerable by bad actors than other models. i am talking not about the weird
double spending scenarious contructed here, which are nonsense simple due to a horrible risk/reward ratio.
i you just think a minute about the details necessary to initiate an attack (real world) it comes clear nobody
would do this just for some doublespends but they would, if the goal is to create controlled mayhem.

taking this into account you can ask yourself now what gives you more confidence for a multi-billion
ecosystem. pos, where an attacker has to reveal his intention by positioning building* to get the majority
thru a very expensive asymptotically nearing or a handfull powerlines driven by an even smaller number
of miners?

well, for me this is a no-brainer. sad how things are evolved but i would bet the probability an attacker
could get the control on pos by buying old gen keys is magnitude smaller than satoshi is heavily pissed off
how things are going and therefore switching his 1mio btc stash into ethereum.

*silent positioning building is pretty hard, even in traditional markets, where most parts of the books
are closed but in crypto this much harder since most data is visible and many tracking tools already
looking exactly for those kind of pattern.

[1714101646]

1714101646

[1714101646]

1714101646

[1714101646]

1714101646

[funkenstein]

pow isn't bad in general but a monetary based incentive model doesn't work. it may on the paper, in theory
but you have to deal with humans here and they have totally different demands (mostly accumulation driven).
i mean, is there really any doubt that this model already lead into a very unhealthy centralization?

Absolutely there is doubt.  There are what 15 million bitcoins worth of doubt.  Most of the value of PoS coins also is also based on that doubt as well, as PoW is the underlying creation of the tokens which are then staked.  I see no signs of unhealthy centralization as of yet, though this doesn't mean we shouldn't be concerned it could happen in the future and consider how to avoid / be ready. 

perhaps for those denying reality, granted, but assuming this centralization is the case you have to accept
that pow is much, much more vulnerable by bad actors than other models.

What are these attacks on PoW coins which you refer?  Curious. 

taking this into account you can ask yourself now what gives you more confidence for a multi-billion
ecosystem. pos, where an attacker has to reveal his intention by positioning building* to get the majority
thru a very expensive asymptotically nearing or a handfull powerlines driven by an even smaller number
of miners?

*silent positioning building is pretty hard, even in traditional markets, where most parts of the books
are closed but in crypto this much harder since most data is visible and many tracking tools already
looking exactly for those kind of pattern.

Show me some tracking tools that could figure out that one person had control of any amount of hashpower or stakepower.  If they don't choose to reveal anything about the keys they control, we know nothing. 

well, for me this is a no-brainer. sad how things are evolved but i would bet the probability an attacker
could get the control on pos by buying  old gen keys is magnitude smaller than satoshi is heavily pissed off
how things are going and therefore switching his 1mio btc stash into ethereum.

lol!  well certainly this is true if the coin has a max_depth_reorg parameter. 

[kushti]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

[jl777]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

@kushti i think the logic used in this thread is that given that we assume A inevitably leads to B, since A is self-evident, then B is too.

It is hard to argue with that sort of logic as it allows to prove conclusively that B is true, it doesnt matter what B is, just as long as A is self-evident.

Like this:

We will assume that above absolute zero temperatures it is inevitable that the moon is made of cheese.

Since we are not all frozen at absolute zero, it is clear that the moon is made of cheese.

I think formally it would be: Assume A -> B and A is true, therefore B is true

James

[Mashuri]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

@kushti i think the logic used in this thread is that given that we assume A inevitably leads to B, since A is self-evident, then B is too.

It is hard to argue with that sort of logic as it allows to prove conclusively that B is true, it doesnt matter what B is, just as long as A is self-evident.

Like this:

We will assume that above absolute zero temperatures it is inevitable that the moon is made of cheese.

Since we are not all frozen at absolute zero, it is clear that the moon is made of cheese.

I think formally it would be: Assume A -> B and A is true, therefore B is true

James

Well then the burden is to prove A. Why is it assumed "self evident"?

[jl777]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

@kushti i think the logic used in this thread is that given that we assume A inevitably leads to B, since A is self-evident, then B is too.

It is hard to argue with that sort of logic as it allows to prove conclusively that B is true, it doesnt matter what B is, just as long as A is self-evident.

Like this:

We will assume that above absolute zero temperatures it is inevitable that the moon is made of cheese.

Since we are not all frozen at absolute zero, it is clear that the moon is made of cheese.

I think formally it would be: Assume A -> B and A is true, therefore B is true

James

Well then the burden is to prove A. Why is it assumed "self evident"?

Because it is in the OP, so it has to be true

[monsterer]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

What don't you understand?

[kushti]

What don't you understand?

What you have provided is not a proof at all. We can go into meaningless and long discussions, and that crap is not what you can get by providing a (formal) proof. So please provide a real (i.e. formal) proof.

[monsterer]

What you have provided is not a proof at all. We can go into meaningless and long discussions, and that crap is not what you can get by providing a (formal) proof. So please provide a real (i.e. formal) proof.

The only point of disagreement in general has been centered on the difficulty of acquiring a majority of recent private keys. That is sadly unprovable.

[ustin]

Sorry for necroposting, but my considerations was moderated to AltCoins board and drown.
So, the problem simplifies to needing trusted third-party for checkpointing POS network and it is preferable to be independent from developer (because in this scenario most presumable evil is near coin developer).
Please follow https://bitcointalk.org/index.php?topic=2895120 - is this conception implementable?

[Ucy]

Everything about PoS is creepy though. Where in the Universe is creating Value without Energy possible?
Well, I don't know much about the technical side of PoS but I have a feeling it'll be massively Centralized by government and the elites. Won't be surprised if this is the original goal.



Wonder if there are maths that support the PoS concept? Is stuff like that even possible in real World without burning massive amount of Energy.

[ustin]

Everything about PoS is creepy though.

Wonder if there are maths that support the PoS concept? Is stuff like that even possible in real World without burning massive amount of Energy.

All depends of consensus.
So, records in various registries are not costs anything, but trusting them is result of consensus.
Question is cost of possibitily to change it in hindsight.

Blockchain is immutable by cryptographics only within consensus agreement borders.
I can build alternate branch of bitcoin in my kitchen, but it will be only satisfied to my kitchen consensus, no one of widespreaded nodes approve my branch. It means, that main chain is shielded by computer work in single consensus concept of bitcoin network.

POS consensus is so less harmful, but vulnerable for a number of attacks, which can be simplified in majority to absence independent trusted authority inside network, as i can see. If we can verify some checkpoint independently, we can prevent, in particular, subj historical attack.

One question is how to find and automate this authority, and it was  proposition to bind POS blockchain to other blockchains, that I wish to discuss

[cloud.runner]

Instead of Proof of Stake, I would like to vote for Proof of Work. It is not only for creating blocks, but also for making consensus, which is a great advantage.

[monsterer2]

ironic that Proof of Anti-stake may work
the idea is, that user destroys it's coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.

I did some analysis on it a while back, and long story short, it degenerates into PoS.

[yj1190590]

I've found a solution in an other post for this problem that might help.
https://bitcointalk.org/index.php?topic=3603859.msg36995026#msg36995026

First of all the reorganizition is designed to prevent forks. Under normal circumstances,  some stakeholders would be active(trading or mining) in both branches (caused by NaS too) if there appears a fork. According to the probability there will be similar stake proportion of "double-active" users between both branches.

But if the branch is a fake chain built by the attackers, they will be disproportionate —— the proportion mentioned above in the mainchain will be much less than that in the fake one, unless you have bought every account, which is impossible. Under this circumstance, the branch should never be accepted no matter how long it is. This operation is also nessesary to prevent some group of users from getting extra advantage by unfair means when forks come.

By the way, the situation you have mentioned:"any syncing node querying at random will find his fake nodes with fake history" could be resolved by controling the p2p links——

each node only needs to build connection with a certain number of nodes with the fastest response speed.

The attacker needs to try through a lot of past blocks so that the longer range he seeks, the better chance he would success. But the longer range he starts the fork, the more obvious the disproportion will be. I think that might increase the difficulty you launch an attack, after all you gain those private keys by "buying".

[AnnSerg77]

I have 3 q. How many possible staking inputs do these addresses have?
What is the min/max staking age of this coin?
How long a chain will they need to create to be longer?

[inashed]

Would change anything if two miners were picked by proof of stake or proof of hold (lowest amount of coin wallet had at some point of time at the last X days is the stake), and then select the real miner between those 2 miners by using proof of work?

[metro.software]

ironic that Proof of Anti-stake may work
the idea is, that user destroys it's coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.

I did some analysis on it a while back, and long story short, it degenerates into PoS.

Perhaps coins can be burned on a POW sidechain, e.g. Litecoin.
I guess in this scenario Proof-of-Sacrifice would work.

[desmodiAN]

2. He uses these historical keys to generate a new chain of history starting just before the keys were emptied and which is longer in cumulative difficulty than the canonical chain. He can do this first time with 100% probability since he has a majority of historical stake

Read about finality in proof of stake. a once written and accepted block cannot be exchanged or rewritten. only with a big financial loss of 2/3rds of all validators.

"
The intention is to make 51% attacks extremely expensive, so that even a majority of validators working together cannot roll back finalized blocks without undertaking an extremely large economic loss — a loss so large that a successful attack would likely on net increase the price of the underlying cryptocurrency as the market would more strongly react to the reduction in total coin supply than it would to the need for an emergency hard fork to correct the attack
"

vitalik continued with an example of the loss:
"
A fully "finalized" block is one where > 2/3 of Casper validators will lose their entire deposits if the block ends up being not in the main chain (estimate this at being ~2-20 million ETH depending on how many people stake).
"

...

[Traxo]

ironic that Proof of Anti-stake may work
the idea is, that user destroys it's coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.

@anonymint says that your conclusion is not quite right or let's say it's incomplete.
After sufficient time the TaPoS combined with burning has inertia because users don't want to have the tokens reverted by a fork.
So essentially it's a more decentralized variant of checkpointing.
Will not help objectify consensus in the short-range case though.

I had relayed what @anonymint wrote about proof-of-stake:
https://gist.github.com/shelby3/e0c36e24344efba2d1f0d650cd94f1c7#oligarchy-if-pos-is-functioning