Proof that Proof of Stake is either extremely vulnerable or totally centralised

[Zin-Zang]

monsterer lack of understanding of what is required is mind blowing.
Long range attacks are more complicated that what has been mentioned.

Have you even read the OP? This attack is not long range, its short range - below your precious reorg depth limit.

Even the most pessimistic cost assessment puts this attack at 3% stake.

All of the previous mentions were talking about getting old keys , weeks or months old, and people such as yourself claimed faking the time stamp meant there was no time limit preventing a long range attack, whether you came out and said it , it was implied.

Exactly how many blocks do you think a short range attack can be?
10?  20?  30? 40?  100?

FYI: Double Spends
Bitcoin Gold ,PoW only,  22 blocks were rewritten
Bottlecaps   , PoW/PoS,  66 blocks were rewritten

 

[d5000]

Combining Consensus methods does not combine their strengths , it combines their weakness.

I know this theory, but I don't agree. If you design the algorithm well, then at least you'll have a consensus method which is similarly secure, but with a more complex attack strategy required, e.g.: the original Slasher algorithm, or even easier: simply require 1 PoS block each 5 PoW blocks, keep the PoS reward low (like in Peercoin) and increase the PoW reward by 1/5 to increase the incentive to mine and thus the hashrate with a similar supply inflation.

If you have 51% and stake 6% , you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.

You could stake with several addresses, each one owning 0,5% in this situation, or even 0,1%, so almost nothing gets blocked. The only chance you have to avoid this is to employ an algorithm which benefits bigger staking addresses in a disproportionate way, but this would even be worse - with the exception of there being several big whales stopping you.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.

OK, instead of addresses I should have written UTXOs ("coins").

monsterer lack of understanding of what is required is mind blowing.

No, he's basically right, but I think he underestimates the complexity of the attack. If he launches it as a short-range attack, then it's very similar to a regular 51% attack as your only realistic chance is to buy the coins yourself and then sell them, which should be very expensive.

It could be possible and relatively cheap with stake pools, however. That's why I don't like LPoS and similar approaches.

[Zin-Zang]

If you have 51% and stake 6% , you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.

You could stake with several addresses, each one owning 0,5% in this situation, or even 0,1%, so almost nothing gets blocked. The only chance you have to avoid this is to employ an algorithm which benefits bigger staking addresses in a disproportionate way, but this would even be worse - with the exception of there being several big whales stopping you.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.

OK, instead of addresses I should have written UTXOs ("coins").

Hmm,
ok, you're not getting it.

It does not matter, how many address you split your 51% into,
it can be in 1 or 1 million , no difference.
It is the total % that matters.

Rest of the network is staking 49% of the total coins,  You are using your 51% to dominate the network and stake every block and refusing the allow new transactions in the block, once 3% of your coins have staked, (again it does not matter if 1 address or 1 million),
those 3% of your coins go dormant for a specified time.  So now the rest of the network have 49% and you only have 48%, so the others can now stake a block over you and include all of the transactions you blocked.

In truth it is not even that easy , as blocks with different coin amount can stake on one and then the other and as long as the network is not exceeding it's transaction capacity , doubtful anyone even notices.

Now you could attempt a double spend with your 51%, but as long as enough confirmations are required, the double spend would fail.

* The real question becomes how long can you dominate the blocks, which is tricky to discern since PoS coins have different blockspeeds & recovery times before staking.  For a Double Spend you have to be able to dominate long enough to exceed the number of confirmations required for a normal send to an exchange.
Which that means usually for PoS coin anywhere from 20 to 200 confirmations. *

PoW in comparison is easy to dominate if you have 51% of the mining capacity , because you maintain the 51% the entire time and go lower Only if more ASICS are added to the mining Pools. Much easier to calculate and much easy to dominate a PoW coin.
Bitcoin is only safe because the Chinese miners already have ~70%, and at the current point of time, they believe it would cost them more if they abused it.
But that is a belief , not an iron clad rule, and under certain circumstances their alliances could change, and then bitcoin goes from being the most secure to the least secure literally overnight. The people that believe the store of value nonsense, will be in for a rude awakening.

[d5000]

Well, let's have an example (with a "chain trust" based coin):

You're staking with 21 UTXOs of 1% each and 1 UTXO of 30% of the total staking capacity each (51% total).
You want to trick an exchange, double spending some coins, and need a fake chain of 21 blocks.
Now you double-spend. Then you privately mint the 21 blocks with the relatively small 1% stakes.
Block 22 is crucial, because there you must trick the other nodes into a re-org. So for block 22, you use the 30% stake, to boost chain trust. Now you publish the fake chain. The 30% stake now gets "dormant", but after the fake chain was published, you don't need any stakes to be "live" because you already tricked the other nodes to use your fake chain.

You have a high probability that your chain becomes the longest chain (with most chain-trust) then, because the accumulated stake in the fake chain is exactly 51% and the rest of the nodes only can accumulate 49% on the "honest chain", because they also are affected by the "dormant stake" rule.

If not (there is a certain probability for it), you can repeat the attack after all the "dormant" periods have expired. There is zero cost for that. There is a high probability that you eventually will succeed.

[Zin-Zang]

Well, let's have an example (with a "chain trust" based coin):

You're staking with 21 UTXOs of 1% each and 1 UTXO of 30% of the total staking capacity each (51% total).
You want to trick an exchange, double spending some coins, and need a fake chain of 21 blocks.
Now you double-spend. Then you privately mint the 21 blocks with the relatively small 1% stakes.
Block 22 is crucial, because there you must trick the other nodes into a re-org. So for block 22, you use the 30% stake, to boost chain trust. Now you publish the fake chain. The 30% stake now gets "dormant", but after the fake chain was published, you don't need any stakes to be "live" because you already tricked the other nodes to use your fake chain.

You have a high probability that your chain becomes the longest chain (with most chain-trust) then, because the accumulated stake in the fake chain is exactly 51% and the rest of the nodes only can accumulate 49% on the "honest chain", because they also are affected by the "dormant stake" rule.

If not (there is a certain probability for it), you can repeat the attack after all the "dormant" periods have expired. There is zero cost for that. There is a high probability that you eventually will succeed.

Good, now you see the dormant period.  

And the Attacker has to wait for the dormant period to elapse,
but if the Proof of stake coin uses coin age he also has to wait for the maximum coin age, so time wise he has to wait anywhere from 20 to 90 days for maximum coin weight for his next attempt. (Depend on the coins specs, some have unlimited coin age, some limit it to between a max 20 to 90 day weight.)

Which as you surmised, he can attempt a double spend again at the optimal time.
But unlike PoW , what he can Never do , is maintain 51% control and block transactions from being added to the blockchain indefinitely.

So that negates the transactions censorship danger from PoS 51% attacks that is almost certain with PoW 51% attacks.

So for PoS the only real threat is the double spend, which can be blocked by increasing the required transactions confirmations or to be 100% certain waiting until the confirmation # exceeds the rolling checkpoint blocking all reorgs.

To be honest , all PoS coin could institute a 1 hour rolling checkpoint and be guarantee no doublespend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

PoW coins could do the same as rolling checkpoints are a easy way to block reorgs while staying decentralized.
However it still would not protect a PoW coin from a 51% attack where the attacker goal was blocking new transactions from entering the chain.

* Another reason Proof of Stake is a superior consensus method to Proof of Work. *  
 

[d5000]

but if the Proof of stake coin uses coin age he also has to wait for the maximum coin age, so time wise he has to wait anywhere from 20 to 90 days for maximum coin weight for his next attempt.[...]
But unlike PoW , what he can Never do , is maintain 51% control and block transactions from being added to the blockchain indefinitely.

If his attempt fails, his stake won't be blocked, because his chain wouldn't be selected at all. It's as if the attack didn't happen. So he doesn't have to wait.

Where you're right is that with a majority as low as 51% it is probably difficult to control a chain permanently. But that only applies if the other 49% all mint actively. With two thirds of the active stake it should be possible to control the chain permanently and censor transactions, regardless of dormant periods.

Now even with "only" 51% the attack can do a lot of harm. The attacker can try to attack/double-spend again and again. No exchange would be safe, and so the coin would be probably delisted from all exchanges until the 51% scenario ceases - or exchanges would have to set, as you wrote, the confirmation threshold to 100% of the reorg limit, which are typically days. If the attacker doesn't sell his coins because his intention is to destroy it (e.g. because he short-sold coins before) then the only way to stop that scenario (that makes the coin de facto unusable) is a complicated hard fork "tainting" all UTXOs that have been part of the attack and block all tainted UTXOs.

To be honest , all PoS coin could institute a 1 hour rolling checkpoint and be guarantee no doublespend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

At a first glance this approach looks good - but why is no PoS coin doing that? I think that it's possible this approach could add attack vectors for limited short-range attacks using network disruptions to confuse badly-connected nodes.

However it still would not protect a PoW coin from a 51% attack where the attacker goal was blocking new transactions from entering the chain.

A miner with 51% of the hashrate would not get all blocks, so he also cannot censor transactions.

[Zin-Zang]

but if the Proof of stake coin uses coin age he also has to wait for the maximum coin age, so time wise he has to wait anywhere from 20 to 90 days for maximum coin weight for his next attempt.[...]
But unlike PoW , what he can Never do , is maintain 51% control and block transactions from being added to the blockchain indefinitely.

If his attempt fails, his stake won't be blocked, because his chain wouldn't be selected at all. It's as if the attack didn't happen. So he doesn't have to wait.

Valid Point , But he is failing so no one cares.  
If he does succeed , then he has to wait 20 to 90 days before another optimal window is open to try again, if coin age is involved.
Giving the community time to take steps to block future attempts, thru required increased confirmations or rolling checkpoints (decentralized) or even a checkpoint server (centralized) depending on their opinion of the value of decentralization.

PoW miner has no such wait period and can run continuous succeeding attacks with no wait time.
Unless the PoW community required increased confirmations or rolling checkpoints (decentralized) or even a checkpoint server (centralized).
But the PoW attacker can get in many more attacks before a PoW community could protect itself.

Where you're right is that with a majority as low as 51% it is probably difficult to control a chain permanently.
But that only applies if the other 49% all mint actively. With two thirds of the active stake it should be possible to control the chain permanently and censor transactions, regardless of dormant periods.

It does not have to be all of the other 49%, with every stake , more of our attacker coins go dormant until whatever the other amount is, exceeds his.
He can not indefinitely block transactions unless he owns all of the coins, which if he did no one else would care, as no one else owns any.  
I don't care if the guy own 80% of a proof of stake coin, by combining all of my coins into a single block, and using max coin age, I could get 1 block added per dormant period and he can't stop me therefore including my transactions in the blockchain.
He has to spread his coins thin trying to block every single opportunity , and all I have to do is focus all of my coins into a single block that can pierce his efforts, with the help of coin age.    

Now even with "only" 51% the attack can do a lot of harm. The attacker can try to attack/double-spend again and again. No exchange would be safe, and so the coin would be probably delisted from all exchanges until the 51% scenario ceases - or exchanges would have to set, as you wrote, the confirmation threshold to 100% of the reorg limit, which are typically days. If the attacker doesn't sell his coins because his intention is to destroy it (e.g. because he short-sold coins before) then the only way to stop that scenario (that makes the coin de facto unusable) is a complicated hard fork "tainting" all UTXOs that have been part of the attack and block all tainted UTXOs.

Not really,
Bottlecaps is a prime example, it was 51% attacked multiple times,
all they did was reimburse Cryptopia for the double spend coins, and as of today it is still trading there,
with increased required confirmations to 200 and running a checkpoint server.
(They could have done a rolling checkpoint and stayed decentralized, but they choose a centralized solution.)

To be honest , all PoS coin could institute a 1 hour rolling checkpoint and be guarantee no doublespend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

At a first glance this approach looks good - but why is no PoS coin doing that? I think that it's possible this approach could add attack vectors for limited short-range attacks using network disruptions to confuse badly-connected nodes.

I think the fear is that an attacker could focus his attack specially trying to fork the network into more than one branch.
Without the ability to reorg , all of the ones caught on the wrong fork , would have to redownload a blockchain, kind of a pain.
Easy ways to mitigate this is choose random times or allow set times in the wallets to block reorgs between a time range of between 1 hour to 2 days.
This way the attacker has no idea where to focus a fork splitting attack. Also the wallet designer could include a manual Allow Reorg Button , that lets the client reorg from any time, if they were forked so they don't have to redownload the blockchain from scratch.

*FYI: Blackcoin choose ~8.3 hours for their no reorg limit.*
Currently the lowest one, AFAIK.

However it still would not protect a PoW coin from a 51% attack where the attacker goal was blocking new transactions from entering the chain.

A miner with 51% of the hashrate would not get all blocks, so he also cannot censor transactions.

http://redpinata-development.com/bitcoin-academy/index.php/reader/items/non-technical-overview.html

Since the network always accepts the longest chain, he would end up in creating every new confirmation and getting full control over the blockchain.
But what harm can he possibly do?
He now has the power to successfully exercise double spending attacks and to censor transactions.

If a block gets added with a transaction , he does not like, he just overwrites the block by not including it in his longer chain.  
Look at the video : VIDEO: Nightmare of 51% Attack - part 2  in the above redpinata link.
PoW 51% Attacker can exclude all transactions.

PoS 51% Attacker can not because of the built in dormant period.  

Bitcoin itself had 24 blocks (6 hours) overwritten by a over 51% consensus in March 2013.
https://bitcoinmagazine.com/articles/bitcoin-network-shaken-by-blockchain-fork-1363144448/
Article by Vitalik Buterin

“safe mode alerted us there’s a problem

Interesting enough Bitcore devs killed the alert system, so the alert that warned everyone in March 2013 is no longer possible.

[d5000]

If he does succeed , then he has to wait 20 to 90 days before another optimal window is open to try again, if coin age is involved.

True, but the problem with coin-age is that it's very easy to accumulate 51% of the active stake with much less "real stake", which makes the attack cheaper. From what I know, the PoS trend since 2014 is to refrain from coin-age for the "weight" of a stake (e.g. NXT, Blackcoin).

It's basically a tradeoff: With coin-age it may be more difficult to launch continuous attacks, but it's much easier to launch a single double-spend attack. You have to decide what is worse - a single successful attack may already make people lose confidence in the coin and bury it deep in the "shitcoin" hole.

PoW miner has no such wait period and can run continuous succeeding attacks with no wait time.

But he has to pay for the electricity all the time.

I don't care if the guy own 80% of a proof of stake coin, by combining all of my coins into a single block, and using max coin age, I could get 1 block added per dormant period and he can't stop me therefore including my transactions in the blockchain.

OK, you may have a point here. depending on the length of the "dormancy" period. But there have to be some actively minting whales for that. (Maybe Anonymint could find some trick here, however )

Bottlecaps is a prime example, it was 51% attacked multiple times,
all they did was reimburse Cryptopia for the double spend coins, and as of today it is still trading there,
with increased required confirmations to 200 and running a checkpoint server.

(They could have done a rolling checkpoint and stayed decentralized, but they choose a centralized solution.)

But only with an extremely long confirmation time, and that was my point. Bottlecaps is a very small coin and not really used for something useful. It's simply a pennystock for gambling on exchanges, so nobody cares about it requiring so many confirmations. A coin with real merchants and clients waiting for goods and services wouldn't be able to recover "as a currency" without a hard fork.

I think the fear is that an attacker could focus his attack specially trying to fork the network into more than one branch.

Agree here, but I have to investigate more.

Easy ways to mitigate this is choose random times or allow set times in the wallets to block reorgs between a time range of between 1 hour to 2 days.

Would all clients block the same reorgs? Hm, looks complicated.

Also the wallet designer could include a manual Allow Reorg Button , that lets the client reorg from any time, if they were forked so they don't have to redownload the blockchain from scratch.

Possible, but I don't like this solution - I think a client which does the "button click" automatically would be more popular, and then you have no reorg protection anymore.

*FYI: Blackcoin choose ~8.3 hours for their no reorg limit.*
Currently the lowest one, AFAIK.

Interesting, thanks. They're one of the more interesting "traditional" PoS coins out there.

Since the network always accepts the longest chain, he would end up in creating every new confirmation and getting full control over the blockchain.

OK, here it seems you're right, my bad. While others can find blocks, the dominant miner/attacker would simply orphan them. In this case PoS has a point.

I am however not sure if there is really no way to censor transactions with PoS coins. I have read something somewhere, but have to search it, I think it was a post by Anonymint.

[einax_oliver]

I think modern POS (like Casper, or deligated POS) have a solution on the majority of the issues described by OP.  Casper (should) effectively punish malicious actors if hard fork occurs, and delegated POS makes it nearly impossible for a malicious actor to gain enough support to be voted into validator position. They both have their issues (like major centralization of DPOS) but my strong belief they should be developed and tested at scale anyway.

check out Casper docs for more info https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQs

[Zin-Zang]

PoW miner has no such wait period and can run continuous succeeding attacks with no wait time.

But he has to pay for the electricity all the time.

True, but to mount a successful 51% attack , he is already showing an access to extreme financial resources.
And he could double spend early to offset the costs.
In the VIDEO: Nightmare of 51% Attack - part 2 ,
http://redpinata-development.com/bitcoin-academy/index.php/reader/items/non-technical-overview.html
It is explained how the ASIC manufacturers could profit by 51% making all of the blocks.
Governments & Large Corporations would have the financial resources to pull off an extended 51% attack.

I don't care if the guy own 80% of a proof of stake coin, by combining all of my coins into a single block, and using max coin age, I could get 1 block added per dormant period and he can't stop me therefore including my transactions in the blockchain.

OK, you may have a point here. depending on the length of the "dormancy" period. But there have to be some actively minting whales for that.
(Maybe Anonymint could find some trick here, however )

Bottlecaps is a prime example, it was 51% attacked multiple times,
all they did was reimburse Cryptopia for the double spend coins, and as of today it is still trading there,
with increased required confirmations to 200 and running a checkpoint server.

(They could have done a rolling checkpoint and stayed decentralized, but they choose a centralized solution.)

But only with an extremely long confirmation time, and that was my point. Bottlecaps is a very small coin and not really used for something useful. It's simply a pennystock for gambling on exchanges, so nobody cares about it requiring so many confirmations. A coin with real merchants and clients waiting for goods and services wouldn't be able to recover "as a currency" without a hard fork.

We always heard that to be the case, but as long as the double spend only had a few victims, I am not so certain.
If it were fiat , it would be akin to someone using counterfeit money to buy good or services.
In real life , No one reimburses the person that sold his car for counterfeit money ,
they just try and arrest the guy who did the counterfeiting and only give back the car , if they catch the counterfeiter, and track down the car.
Replacing the doublespend amount with a hard fork implies a centralized authority making that decision,
a truly decentralized resource such as gold , no one makes the pretense that stolen gold will be replaced unless the person that stole it is apprehended.
It is funny, we want crypto to be decentralized, but we also want centralized protections.

I think the fear is that an attacker could focus his attack specially trying to fork the network into more than one branch.

Agree here, but I have to investigate more.

Easy ways to mitigate this is choose random times or allow set times in the wallets to block reorgs between a time range of between 1 hour to 2 days.

Would all clients block the same reorgs? Hm, looks complicated.

That is the trick , all clients would not block the same reorgs, (So it does need enough confirmations to be safe from a normal reorg)
it would make it incredibly complicated to focus an attack to fork a coin, if you don't know where to focus your attack.
So far no one has attacked blackcoin reorg limit, so we have little history to calculate the best settings.

*FYI: Blackcoin choose ~8.3 hours for their no reorg limit.*
Currently the lowest one, AFAIK.

Interesting, thanks. They're one of the more interesting "traditional" PoS coins out there.

Since the network always accepts the longest chain, he would end up in creating every new confirmation and getting full control over the blockchain.

OK, here it seems you're right, my bad. While others can find blocks, the dominant miner/attacker would simply orphan them. In this case PoS has a point.

I am however not sure if there is really no way to censor transactions with PoS coins. I have read something somewhere, but have to search it, I think it was a post by Anonymint.

There is only 1 way to Censor a Proof of Stake coin Transactions for an extended period,
but it is not 51% attack , it is 100% control of the full nodes, (Which is almost impossible)
the attacker has to control every single full node in existence as such he be able to accept or block whatever he wished.
But the same hold true for if an attacker controlled every single node on a PoW network,
he basically controls the consensus rules since their would be no competing viewpoints.
If that happens either coin is completely centralized to his rule system.

100% Full Node Domination can only be carried out by a collusion of the World's Governments.
If even 1 small country opted out of the collusion , the rest would fail in the attempt.

I think modern POS (like Casper, or deligated POS) have a solution on the majority of the issues described by OP.  Casper (should) effectively punish malicious actors if hard fork occurs, and delegated POS makes it nearly impossible for a malicious actor to gain enough support to be voted into validator position. They both have their issues (like major centralization of DPOS) but my strong belief they should be developed and tested at scale anyway.

check out Casper docs for more info https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQs

Casper is a Frankenstein of proof of stake design, trying to fix @nas , when @nas is not even a real problem.
(Just a myth to scare the newbies. No one that really understands PoS is worried about @nas in the least.)
Ethereum will be crushed by it's insane blockchain bloat or its full nodes dominated by rich elite.
Vitalik's interference with multiple hard forks has proven eth to be centralized.

Delegated Proof of Stake , opens up the possibility of corruption of the Delegates nodes.
We have to look no further than the US political system to see that delegates only rule leads to disaster.  
As the Delegates vote in favor of their personal self interests and ignore the Greater Good.
We have over 200 years of proven history that delegate rule is corruptible.

[d5000]

We always heard that to be the case, but as long as the double spend only had a few victims, I am not so certain.
If it were fiat , it would be akin to someone using counterfeit money to buy good or services.
In real life , No one reimburses the person that sold his car for counterfeit money ,
they just try and arrest the guy who did the counterfeiting and only give back the car , if they catch the counterfeiter, and track down the car.

Well, if I have spent lots of time and money to attack a PoS currency, then I would try to scam all existing exchanges for the maximum amount. That would cause heavy disruptions and in most cases, delistings.

Replacing the doublespend amount with a hard fork implies a centralized authority making that decision,
a truly decentralized resource such as gold , no one makes the pretense that stolen gold will be replaced unless the person that stole it is apprehended.
It is funny, we want crypto to be decentralized, but we also want centralized protections.

A hard fork is not centralized per se, it can be the voluntary decision of the majority of the economic actors invested in the currency, in the case of a PoS coin, to run another client. While in past hard forks (ETH/ETC as the prime example) a kind of "leadership" led to the hard fork, that's not mandatory at all. It's enough if all merchants and exchanges simply use the new client.

Anyway, that would be a point against PoS, not for PoS.

There is only 1 way to Censor a Proof of Stake coin Transactions for an extended period,
but it is not 51% attack , it is 100% control of the full nodes, (Which is almost impossible)

I'm sure that with a very high supermajority (95% e.g.) it would be possible to censor transactions even with longer dormant periods -  the longer the "dormant period" is, the higher has to be the supermajority. The attacker would have to ensure that he always has enough active (non-dormant) stake to orphan blocks found by the honest minters. But that's mainly theoretical, in what you're right is that 67% is only enough if the dormant period is pretty short, and such an attack should be prohibitively expensive.

A problem that could arise, however, is that the attacker could increase his stake when he succeeds double-spending. He double-spends and with the coins he sold (scamming the exchange) simply re-buys coins "honestly" at other exchanges. He would need plenty of sockpuppets, but there may be still plenty of relatively anonymous ways to buy the coins (and if he's working for a government, he can use "real fake identities"). So once he has 51%, he probably is likely to increase his stake until he gets a supermajority - or the honest minters hard fork away in an ETH/ETC manner.

Regarding DPoS and similar approaches, we mainly agree - with the exception of Cardano which really looks interesting.

[Wind_FURY]

What about the argument that exchanges will become like banks by encouraging the users to deposit their POS coins in exchanges for a share of the block rewards?

Wouldn't that be centralizing and dangerous for the safety of those coins at the same time?

[d5000]

What about the argument that exchanges will become like banks by encouraging the users to deposit their POS coins in exchanges for a share of the block rewards?

Wouldn't that be centralizing and dangerous for the safety of those coins at the same time?

Yep. Big exchanges (above all, if one of them is "dominant"), stake pools (the scenario you describe is basically one), and other services with access to a large part of the coins being able to stake, are dangerous for Proof of Stake coins.

PoS coins need a relatively big group of non-colluding whales to work well. However, that should be no problem once the coin matures (Bitcoin's distribution would be fine, imo).

[Wind_FURY]

But if you want to stake you have to buy coins from the "stake holders". I believe that makes it less "permissionless" and more centralized than a coin that utilizes Proof of Work as a "block finding" mechanism.

[d5000]

But if you want to stake you have to buy coins from the "stake holders". I believe that makes it less "permissionless" and more centralized than a coin that utilizes Proof of Work as a "block finding" mechanism.

Normally, a cryptocurrency which has some value should be used as a means to pay for goods and services, and be listed at exchanges. So there will always be a way to "enter" the coin ecosystem, at least for small amounts.

There can be a problem, however, if there is a group of colluding whales with a supermajority of the stake wanting to control the currency. If they cooperate to block every intent to buy a substantial amount of the stake (e.g. more than 20%), then they can keep their control even if other users occasionally find a block (if the block contains a transaction they don't like, they simply orphan it). This is easier in models with a reduced validator set, like DPoS - an example for such a collusion are the "mafia-like" structures in Lisk; while there is currently no censorship there (I think) it's possible that it could occur.

However, this problem is not only solved by Proof of Work. Another mechanism that could be employed is Proof of Capacity/Space, where new participants cannot be censored by coin holders. It has, however, a (weaker) Nothing-at-Stake problem.

[Wind_FURY]

Yes, I have heard of Proof of Capacity/Space and Burstcoin/Spacemint, but it too has its own set of problems besides the "Nothing-at-Stake" problem. It might stem from a misunderstanding of the economics of cryptocurrencies. I may be biased, but Bitcoin is valuable because it is expensive to attack, modify, it is provably scarce, and because of its very high energy requirement, it's very secure.

Proof of Capacity/Space might be a good mining alternative but it would not produce coins of "high value" because hard drives are common, mining it is cheap, and little effort is made to mine it.

[d5000]

Proof of Capacity/Space might be a good mining alternative but it would not produce coins of "high value" because hard drives are common, mining it is cheap, and little effort is made to mine it.

But only if there are few people mining it. If a Proof-of-space coin got mature and it was competitive to mine it, then there will be also a high attack cost. You won't mine anything with your "free HD space" in this case, just as you won't mine anything with your CPU in the current Bitcoin network.

A bigger problem of Proof-of-space is in my opinion that "HD minting" can always be "simulated" with Proof of work (similar to the "stake grinding" problem of some PoS coins). Once a proof-of-space coin becomes harder to mine, it's possible that it will simply transition into a "de facto PoW coin".

(I'm also a big Bitcoin fan, because it's - by far - the most decentralized cryptocurrency, but I think simply one has to be open for alternative approaches to problems arising from the current way it works, e.g. energy consumption. Imo, if really some algorithm is found that provably can rival the current PoW in terms of security and is more efficient, Bitcoin should adopt it.)

[Wind_FURY]

Proof of Capacity/Space might be a good mining alternative but it would not produce coins of "high value" because hard drives are common, mining it is cheap, and little effort is made to mine it.

But only if there are few people mining it. If a Proof-of-space coin got mature and it was competitive to mine it, then there will be also a high attack cost. You won't mine anything with your "free HD space" in this case, just as you won't mine anything with your CPU in the current Bitcoin network.

But you said it yourself, there is a Nothing at Stake problem. What's to stop miners from colluding and also continue the timestamping process on a split chain, or multiple split chains.

A bigger problem of Proof-of-space is in my opinion that "HD minting" can always be "simulated" with Proof of work (similar to the "stake grinding" problem of some PoS coins). Once a proof-of-space coin becomes harder to mine, it's possible that it will simply transition into a "de facto PoW coin".

Can you explain how? What is stake grinding?

(I'm also a big Bitcoin fan, because it's - by far - the most decentralized cryptocurrency, but I think simply one has to be open for alternative approaches to problems arising from the current way it works, e.g. energy consumption.

What would you propose and how would you propose it to be implemented?

Imo, if really some algorithm is found that provably can rival the current PoW in terms of security and is more efficient, Bitcoin should adopt it.)

It is easier said than done. The Core developers would have already done it if positives outweigh the negatives. Plus mining has become very efficient through the continued development of ASICs. CPU and GPU mining are far less efficient in my opinion.

[d5000]

But you said it yourself, there is a Nothing at Stake problem. What's to stop miners from colluding and also continue the timestamping process on a split chain, or multiple split chains.

Nothing-at-stake is difficult to use profitably in an attack. In this aspect, PoS and PoC are not very different. Their main difference is that a PoC coin allows new users to become validators (even big ones) at any time because existing coin holders have no influence on validation. Existing miners can collude, like they can do in Proof of Work.

However, I wrote that the N@S problem at PoC is "weaker" than in PoS because there is a mining cost, and this is due to hard drives failing rapidly. A massive HDD mining farm would have continuously costs based on HDD failure. That means that if you mine on alternative chains (you must calculate different hashes with your HDDs) you'll have an additional cost. However, this cost + the electricity consumption of the HDDs, in relation to market cap, is probably much lower of the cost to mine an attack chain with PoW. So it's not free to attack the coin via N@S, like in Proof of Stake, but much cheaper than via PoW.

Can you explain how? What is stake grinding?

In some older Proof of Stake currencies, computing operations can be used to influence the pseudo-random selection process of the minter that finds a block. That means that if you have plenty of computing power you can (slightly) increase your chances to find blocks compared to a minter with the same stake but less computing power. This is called "stake grinding". A similar effect occurs in Proof of Space/Capacity: Instead of reading the hashes from the disk, you use your CPU/GPU/ASIC to calculate it.

What would you propose and how would you propose it to be implemented?

There is much more research on PoS or PoC needed, so I don't call for immediate action, only for a bit more openness.

It is easier said than done. The Core developers would have already done it if positives outweigh the negatives. Plus mining has become very efficient through the continued development of ASICs. CPU and GPU mining are far less efficient in my opinion.

No, this has no effect. The variable which influences energy-efficiency is not "effectiveness" of the algorithm, but the equation "attack cost/energy consumption" (the lower the energy consumption needed to reach a high attack cost, the higher the "energy-efficiency").

CPU and GPU mining do not differ from ASIC mining significantly regarding this equation. Only if a more efficient technology becomes available (e.g. new ASICs) all older technologies become less energy-efficient. But if no ASIC has been developed for algorithm X, coins with this algorithm are not less effective than a coin with algorithm Y mined by ASICs (with a similar market cap/reward scheme).