Bitcoin Forum
Author Topic: Proof of Stake Bitcoin?  (Read 15847 times)
monsterer2
Full Member
Activity: 351
Merit: 134
January 31, 2018, 02:57:10 PM
 #141

Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.".

That is indeed correct. And, in fact, any consensus design which doesn't have this condition at its core is utterly pointless, because once you remove any of these conditions, you might as well just use Visa, which is much faster and more widely accepted than any cryptocurrency.
klamz
Newbie
Activity: 10
Merit: 0
January 31, 2018, 03:02:06 PM
 #142

What do we think about PoW and PoS hybrids like LUX and others?

I think they do a good job of mitigating the risks and downsides of each of the two methods.
dinofelis
Hero Member
Activity: 770
Merit: 629
January 31, 2018, 03:27:17 PM
Last edit: January 31, 2018, 03:50:54 PM by dinofelis
 #143

Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.".

That is indeed correct. And, in fact, any consensus design which doesn't have this condition at its core is utterly pointless, because once you remove any of these conditions, you might as well just use Visa, which is much faster and more widely accepted than any cryptocurrency.

And as I said, the only fully secure proof of that is a proof of waste of more than half of humanity's resources.

Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ? 

If you tell me "people would see it" then you've shown that *in reality* you are counting on people's past online presence to have "old copies of the block chain".  If you count on old fixed points of the block chain in Core's software, then you're trusting Core's digital signatures.  So the sole proof that is fully secure is if you have a document, a block chain that proves more than half of the world's resources wasted on it.  Otherwise, it is not secure and a "B type document" may be made.

But this is entirely idiotic.  After all, how are you going to check that in a trustless way ?
Are you going to build your own silicon foundry and make your own chips by your own design to make your own computer ?  Are you going to write your own operating system and write your own bitcoin software to verify it ?  Because if not, you're trusting some entity.  You're trusting Intel, your computer OEM, Linus Torvalds' signature if you install Linux (you're not using Windows or Mac, are you ??),  you trust the world's assessments you find on the internet of the world's capacity in electricity, you trust miner hardware specifications, etc...

Hey, how come that you trust the genesis block ?  Because it is written in software that some dudes signed with their signatures on centralized Github ?  Maybe it is not the right one !  Maybe what that piece of software tells you, is actually not the "true" bitcoin block chain !  Who knows !  You trusted Core's signatures ?

So you're not doing something trustless.  If you try, you starve before you get half way.

So wasting humanity's resources on a mirage of absolute trustlessness that you can't have in any case, is complete and utter madness.  Good for the asylum.

In reality, you have to trust some entities.  You have to trust some signatures.  You have to trust some functionality.  Blind trust in one entity is not good enough.  But if you can find several indications, at different places, that you have most probably the right data set, that's good enough to be practical.  

For instance, if there are a few hundred resources scattered all over the world that give you the same hash list of block headers, and if you can be online some time and see that some tracks of block headers do correspond to what they publish, that's good enough to have trust that you have the right block chain.  It cannot be 2 or 3 websites.  But if you have a few hundreds of them, and you "know" them by digital signature for a while, you can assume that they are not all "sybils surrounding you".  You start to build your "social circle" in that environment, you start to know peers.  And after sufficient time, as with real people, you start to put some partial trust in them.  If all of them tell you the same thing independently, then you can accept that as the truth.  Like with everything else: if sufficient sources tell you something, you take it as real.   Because that's the practical compromise between blind trust and the madness of full trustlessness.
monsterer2
Full Member
Activity: 351
Merit: 134
January 31, 2018, 03:54:50 PM
 #144

Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ? 

We've discussed this before. There is a competition to mine; it is more profitable to mine than it is to sit on mining hardware, therefore you can be pretty sure this isn't the case.

Quote
Hey, how come that you trust the genesis block ?  Because it is written in software that some dudes signed with their signatures on centralized Github ?  Maybe it is not the right one !  Maybe what that piece of software tells you, is actually not the "true" bitcoin block chain !  Who knows !  You trusted Core's signatures ?

You don't have to. If you're presented with two candidate blockchains with different genesis blocks, the one you accept is the longer chain of PoW. PoS cannot use this feature because block production is costless, therefore it's trivial to produce myriad candidate blockchains which only online nodes can distinguish from the true blockchain.
dinofelis
Hero Member
Activity: 770
Merit: 629
January 31, 2018, 04:07:14 PM
 #145

Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ?  

We've discussed this before. There is a competition to mine; it is more profitable to mine than it is to sit on mining hardware, therefore you can be pretty sure this isn't the case.

If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.  If bitmain has a long-ranging plan to kill bitcoin (say, because the Chinese gov wants it to and has convincing arguments), it is NOT going to join the competition with its extra hardware, because it would like to take bitcoin by surprise.  And they can even make a big benefit in the market if they know when they will do it.  Game theory arguments with limited game rules are not a solution to trustlessness.  Trustlessness is a lure.  It is a mirage.  It doesn't exist.  From the moment you have to use such arguments, your system is in any case not watertight.  

As such, having hundreds or thousands of "on line consensus spectators" see the consensus arrive, and sign it, and not accepting any form of major "rewind" is a more secure practical way of doing things for much less effort.  If you think that major exchanges all over the world are going to accept a major rewind for instance, together with all online amateur users, exactly when YOU were offline, that's just as improbable.  Because of the same reasons of game theory, benefits and losses.
And we'll not need to waste earth's electricity.

dinofelis
Hero Member
Activity: 770
Merit: 629
January 31, 2018, 04:09:07 PM
 #146

You don't have to. If you're presented with two candidate blockchains with different genesis blocks, the one you accept is the longer chain of PoW.

So I take it that if ethereum overtakes bitcoin one day, and is still on PoW, you will think that ethereum is bitcoin now because it is a document that proves more PoW ?  And you're quite frustrated that you've been had with former transactions that do not exist on the unique ledger with most PoW ?

And you realize that all this talk on this forum, all the code signed by Core, and all the rest was just a big fraud, and the real bitcoin is made by software from Switzerland ? Or do you nevertheless trust some digital signatures and "old stuff" you've seen when you were on line ?
monsterer2
Full Member
Activity: 351
Merit: 134
January 31, 2018, 04:38:57 PM
 #147

If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.

To use PoS proponents' most commonly used counter-argument to this claim - why would anyone with huge stocks of highly expensive mining hardware risk making all their inventory worthless by carrying out this attack?

Even if they somehow make this a profitable attack, their chances of pulling it off are minimal because they still need to outpace the rest of the world in producing the longest chain.
sirtim20
Newbie
Activity: 25
Merit: 0
January 31, 2018, 04:40:51 PM
 #148

I think so! With the popularity of online currency I definitely believe in your statement... May we all benefit from these new trends...
dinofelis
Hero Member
Activity: 770
Merit: 629
January 31, 2018, 07:21:03 PM
 #149

If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.

To use PoS proponents' most commonly used counter-argument to this claim - why would anyone with huge stocks of highly expensive mining hardware risk making all their inventory worthless by carrying out this attack?

Even if they somehow make this a profitable attack, their chances of pulling it off are minimal because they still need to outpace the rest of the world in producing the longest chain.

The point is that if you have to apply this kind of argument, your system is, in the end, not as secure as you may want to believe, and hence the necessity of its monstrous waste, and even its danger to human economy, not justified.  If we need to risk to blow up human economy to avoid something, that can in fact in principle happen, but of which you argue that the attacker will not be motivated and it will not happen in practice, I call bullshit.  Because PoS like systems are also, for all practical purposes, secure (especially those that are based on on-line no-rewind principles).  In fact, these systems are even more secure for all practical purposes, from the moment that there are sufficient "slightly-to-be-trusted" entities online, because in that case, no attack is even possible.

If it is necessary for a system to waste GW of electricity as its fundamental "security" principle, as compared to systems that can be made as economical as technologically possible, there's no justification for that huge waste, which engenders a lot of OTHER problems, like the power concentration (the centralization of decision).  A PoS system that gets as centralized as bitcoin's PoW structure would economically be useless in any case, because it would mean that the majority of coins are held by just a few participants.  If that's the case, they can play amongst themselves, which is their good right, and the others will leave.  It is then a closed club, and they play their greater-fool game amongst themselves.  If we would be 10 people to possess 99% of a crypto currency, that currency would be worthless in the market.  Well, bitcoin's PoW is for 99% in the hands of 10 deciders.  To have a similar distribution in PoS, 99% of the coins would have to be in the hands of 10 entities, at which point, they can have it.  

Another problem with PoW is that you get a separation between the users/stake holders on one side, and the "consensus industry" on the other.  Users have to ask the consensus industry to please include their transaction, and have to pay that industry.  PoS kind of systems are do-it-yourself systems, where the users decide amongst themselves, with no need for an external industry.

The cost of a PoW system makes the system leak value.  What's wasted on PoW is value extracted from the system.  It is not even a zero-sum game, it is a lossy negative-sum game, because piles of waste have to be bought with inflation and fees.

And all these problems, plus the ecological/economical danger and damage of converting limited resources into huge quantities of waste do not even give us an absolute cryptographic guarantee of security.  In fact, an attack is even provably effective: use 3 times more resources, and you can blow up the system for sure.  There's not even a DOUBT that the attack will work, it will work FOR SURE.

Let us suppose bitcoin at $10 000, and let us suppose current technology, and mining equilibrium, that is: cost of waste = mining reward.  Let us assume total block reward + fees 20 BTC.  Let us assume antminer S9 hardware: 0.1 J/GH, $5000 per 13 TH/s.  Let us assume electricity price $0.1 per KWhr.

20 BTC per block is $200 000 per 10 minutes, is $1.2 M per hour.  It means one has to waste 12 GWhr per hour to arrive at a cost of $1.2M per hour.  If all this were smoked up in electricity, we would need to burn 12 GW.  But of course, hardware needs to be paid too.  We can take it that the life time of hardware is 2 years (I'm nice here: who is still competitive with 2 year old miners ?).  The price of an "antminer-hour" in hardware is hence: 5000/(2*8760) = $0.28  ; the power used in one hour is 1.3 KWhr which is a cost of $0.13.
Running an antminer for an hour hence costs $0.41.  The number of antminers needed hence to waste $1.2 M in electricity and hardware is grossly 3 million.  We need 3 million antminers to be at equilibrium.  We hence have an equilibrium power consumption of about 4 GW, and a hash rate of about 39 million TH/s (twice the actual rate).

The total hardware investment is hence $15 billion dollars over two years.  Well, with a budget of $45 billion, you can successfully attack bitcoin.  You will have almost 3 times the hash rate, so you can redo the chain 3 times faster than it is advancing, giving you a net factor of 2.  You will have to consume 12 GW for the time of the attack.  Suppose you want to redo the last two months.  That will be scary enough, no ?  All transactions of the last two months erased, what do you think ? Funny idea, no ?  You will have to run for a month to do that.  One month at 12 GW will cost you grossly $0.8 billion in electricity, say $1 billion.

For the price of $46 billion dollars, bitcoin is entirely destroyed.  You publish a higher PoW chain that has totally screwed up the last 3 months, one month from now.  The big peak included in December !  My attack is guaranteed to work.

In reality, cost would be half of that, because bitcoin is now out of equilibrium as we saw.  Hash rate is only 20 million TH/s while equilibrium is 40 million TH/s.  So right now, destroying bitcoin could be done for $23 billion.  Which I can get out of the market by shorting bitcoin.

Now, $46 billion is quite an amount of money, but less than bitcoin's market cap.   I might short $50 billion in the futures market.  There will be a lot of takers of my offer for bitcoin at $20.  My expenses are covered.  But I might get subventions from states, and, most likely, even from climate change actions.  After all, I'm going to blow a big electricity waster to pieces.  This is not an "impossible" attack at all.

The argument that "it most probably won't happen because miner incentive" is very, very, very weak as compared to all the problems it brings.

There is of course something that might save bitcoin from such a devastating blow: people might restore the block chain before the attack was published, .... from a trusted source with a digital signature !  Say, a few Core devs that publish the "correct" block chain tag in an urgency release of the Core code.... mmmm...  maybe digital signatures of trusted entities is not such a bad idea, is it ?  ;D
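Added example, not part of the post above: the equilibrium estimate from post #149 written as a parameterised model, so its figures can be re-derived and re-run under other assumptions. The default values are the post's own; the function and field names are assumptions of this sketch, and the catch-up time is the post's deterministic approximation, ignoring block-time variance.

```python
"""Cost model behind the estimate in post #149 (added illustration)."""
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760
HOURS_PER_MONTH = HOURS_PER_YEAR / 12


@dataclass(frozen=True)
class Assumptions:
    """Inputs stated in the post; change them to test sensitivity."""
    btc_price_usd: float = 10_000.0
    reward_btc_per_block: float = 20.0   # subsidy plus fees
    blocks_per_hour: float = 6.0         # one block per 10 minutes
    miner_price_usd: float = 5_000.0     # one Antminer S9
    miner_ths: float = 13.0              # TH/s per miner
    joule_per_gh: float = 0.1            # energy efficiency
    usd_per_kwh: float = 0.1
    hardware_life_years: float = 2.0


def miner_power_kw(a: Assumptions) -> float:
    # J/GH * GH/s = W; 1 TH/s = 1000 GH/s; 1000 W = 1 kW
    return a.joule_per_gh * (a.miner_ths * 1000) / 1000


def miner_cost_per_hour(a: Assumptions) -> float:
    """Hardware depreciation plus electricity for one miner-hour."""
    hardware = a.miner_price_usd / (a.hardware_life_years * HOURS_PER_YEAR)
    return hardware + miner_power_kw(a) * a.usd_per_kwh


def equilibrium_hashrate_ths(a: Assumptions) -> float:
    """Hash rate at which mining cost equals mining reward."""
    revenue_per_hour = (a.btc_price_usd * a.reward_btc_per_block
                        * a.blocks_per_hour)
    return revenue_per_hour / miner_cost_per_hour(a) * a.miner_ths


def fleet_for(hashrate_ths: float, a: Assumptions) -> dict:
    """Miners, power draw and purchase cost needed for a given hash rate."""
    miners = hashrate_ths / a.miner_ths
    return {
        "miners": miners,
        "power_gw": miners * miner_power_kw(a) / 1e6,
        "capex_usd": miners * a.miner_price_usd,
    }


def catch_up_months(depth_months: float, ratio: float) -> float:
    """Time for a fork growing `ratio` times faster than the public chain
    to overtake it when it starts `depth_months` of blocks behind."""
    if ratio <= 1:
        raise ValueError("a fork with no hash-rate majority never catches up")
    return depth_months / (ratio - 1)


def rewrite_budget(a: Assumptions, ratio: float, depth_months: float,
                   network_ths: Optional[float] = None) -> dict:
    """Hardware and energy needed to out-pace the network by `ratio`.

    network_ths defaults to the equilibrium hash rate; pass the observed
    hash rate to model a network that is below equilibrium.
    """
    base = equilibrium_hashrate_ths(a) if network_ths is None else network_ths
    fleet = fleet_for(ratio * base, a)
    months = catch_up_months(depth_months, ratio)
    energy_usd = (fleet["power_gw"] * 1e6 * months * HOURS_PER_MONTH
                  * a.usd_per_kwh)
    return {**fleet, "months": months, "energy_usd": energy_usd,
            "total_usd": fleet["capex_usd"] + energy_usd}


if __name__ == "__main__":
    a = Assumptions()
    eq = equilibrium_hashrate_ths(a)
    print("equilibrium:", round(eq / 1e6, 1), "million TH/s", fleet_for(eq, a))
    print("3x, 2 months deep:", rewrite_budget(a, 3, 2))
    print("same, at 20M TH/s:", rewrite_budget(a, 3, 2, network_ths=20e6))
```

The unrounded inputs give slightly lower figures than the post's rounded ones (about 2.9 million miners and $43 billion of hardware instead of 3 million and $45 billion).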
monsterer2
Full Member
Activity: 351
Merit: 134
January 31, 2018, 07:42:02 PM
 #150

If it is necessary for a system to waste GW of electricity as its fundamental "security" principle, as compared to systems that can be made as economical as technologically possible, there's no justification for that huge waste, which engenders a lot of OTHER problems, like the power concentration (the centralization of decision).

The justification is asymptotically secure, trustless, decentralisation. Take it or leave it.

PoS gives you none of that security model, and is slower than visa, making it an exercise in utter futility.
Anti-Cen
Member
Activity: 210
Merit: 26

High fees = low BTC price
January 31, 2018, 09:06:41 PM
 #151

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

Could not agree more and mining is even worse but for saying this we get called trolls around here even if our logic is perfectly obvious and we lay out our reasons for not agreeing with the vicar of the church

Mining is CPU-wars and Intel, AMD like it nearly as much as big oil likes miners wasting electricity. Is this what mankind has come to?
Anonymous Kid
Member
Activity: 183
Merit: 25
January 31, 2018, 09:57:54 PM
 #152

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

Could not agree more and mining is even worse but for saying this we get called trolls around here even if our logic is perfectly obvious and we lay out our reasons for not agreeing with the vicar of the church

Why do I get the feeling that you and dinofelis are the same person?  :(
dinofelis
Hero Member
Activity: 770
Merit: 629
February 01, 2018, 05:14:38 AM
Last edit: February 01, 2018, 08:10:06 AM by dinofelis
 #153

Why do I get the feeling that you and dinofelis are the same person?  :(

Nope.  Anti-cen has visibly the same relatively critical opinion as I do on PoW, but we're not the same person.  People can be different persons, and share an opinion.  Alas, it is impossible to prove that we're not the same, and the irony is that that's why Satoshi used PoW as a way to try to dismantle Sybils.  We're touching here the fundamental reasons of all these things.

Unfortunately, it didn't work, which is exactly why PoW fails.  It didn't work in the following sense: Satoshi presented PoW as a way to "make sybilling the network" expensive.  He presented PoW in his paper as a way so that each participant (human participant) would have "one vote".  He used "CPU" as a proxy for "human", with the idea that you could cheat a little bit, by using not one, but 10 CPU for instance, and get 10 votes, but if you wanted to have 10 000 votes, that would become quite expensive.  However, in Satoshi's presentation of things, votes didn't need to be EXACTLY right.  What Satoshi needed was that there were SUFFICIENT different voters, even if some had more weight than others ; as long as the majority wouldn't be in the hands of a small colluding club.  Whether Joe had 3 votes or 100 votes didn't matter, if in total there were 1 million votes.  The majority, that is to say, 500 000 votes, would still be distributed over enough different non-colluding entities for the system to acquire trustlessness by decentralization.

Trustlessness by decentralization is the brilliant idea behind bitcoin (which turned out to fail, exactly because PoW failed).  It is the game-theoretical "super-Nash" equilibrium, where the equilibrium is "follow the common set of rules", and where, contrary to a simple Nash equilibrium, which takes potentially a simple collusion of two players to be broken (in the typical example, the Prisoner's Dilemma, if the two prisoners collude, they can leave their Nash equilibrium), in this "super-Nash" equilibrium, it takes a collusion of majority of many, many players to be able to be broken ; which is so impractical to be done, that we can assume that every player stays in the equilibrium (that every player follows the same rule set).  This is the inverse "tragedy of the commons".

Satoshi said that one couldn't count on "different IP addresses" to do so, because it would be quite easy for an attacker to become the single controlling human of a large majority of IP numbers.  That's why "one node one vote" wasn't possible (and this is also why all this nonsense of "decentralization by full nodes" is bullshit: bitcoin was designed not to take this into account!) However, "holding the majority of CPU voting" would be much harder to do, which is why Satoshi presented PoW as a fairly robust way to defend against "having a majority of voting power in the hands of a small clique".

Well, it failed.  PoW IS in the hands of a small clique.  3 entities have majority, to be precise.  You can see it in the hash rate distribution of the mining pools.  Worse: even though we KNOW this now, there's nothing we can do about it.  The "majority vote by CPU" IS now in the hands of a few, and yes, they really do have control over the majority of CPU, even more so than would have been the case with IP numbers.

It is quite funny that Satoshi presented PoW as a way to avoid Sybils in his paper, and nevertheless was able in 2008 to explain that "mining would be left to specialists with farms of specialized hardware".  There's a slight contradiction here, because that is already admitting that his PoW system would not be a good approximation of "one human, one vote" by "one CPU one vote".  It is true that Satoshi seems to have thought that it would nevertheless be "hundreds or thousands" of "specialists", not 10, or 4.  However, that by itself doesn't make sense: the same dynamics (economies of scale) that would bring the "home CPU vote" into the "hands of specialists with farms" would continue to bring together "specialists with farms" into a few big farms.   His position simply doesn't make sense.

The fundamental reason why his "making sybilling the network expensive" didn't make sense, is that in his system, the more you sybil, the higher your costs, but also the higher your rewards !   His explanation that it would, nevertheless, remain profitable to "play by the rules" even if you have majority (that there's no reason to attack the network, while you can profit from your hash rate) is begging the question.  Remember the super-Nash equilibrium.  If you have majority, you DICTATE THE RULES.  Of course you will be following your own, dictated rules !   The error in all this is that if you reward voters, there's no way to remain decentralized, because all difficulties and costs of sybilling are compensated.  However, PoW requires compensation because it generates economic waste by definition.

All this is lies and deception.  This is why it works so well.  Like world religions.  They too, started out often with some good intentions.

I wouldn't mind this, if it weren't so wasteful.
KpopLord
Jr. Member
Activity: 98
Merit: 6
February 01, 2018, 05:41:17 AM
 #154

Do you guys ever think that bitcoin will do proof of stake? Just wanted to get some people's insights on this.

I can see this as a problem in the future. Why would bitcoin need POS?
dinofelis
Hero Member
Activity: 770
Merit: 629
February 01, 2018, 05:41:51 AM
Last edit: February 01, 2018, 08:10:45 AM by dinofelis
 #155

The justification is asymptotically secure, trustless, decentralisation. Take it or leave it.


Well, it fails on decentralization already, and "asymptotically" means wasting more than half of humanity's resources.
It is true that it solves trustless UNIQUENESS if we waste more than half of humanity's resources.  But it doesn't even guarantee that that unique document has been made according to the rules.  You cannot have it both ways: if the document is unique, you have to accept it.  You cannot put another requirement, because it is unique.  If you can put another requirement to select amongst possible candidates, obviously, it is not going to be unique.  So PoW only proves trustless uniqueness if that's the sole condition.
If tomorrow, the single entity that has more than half of world's power, decides to produce a unique document with the most PoW that has entirely different rules than bitcoin, you still have to accept it as the "unique true consensus".  Like I said, if ever it is the ethereum block chain, you would have to accept that bitcoin is now ethereum, and your bitcoin addresses are worthless.

Because if you are presented with different block chains, and the ethereum block chain contains more proof of economic waste than what people used to call the bitcoin block chain, according to your rule, you have to accept the ethereum block chain as the sole true consensus document ; if it contains a proof that more than half of humanity's resources have been wasted on it, you know that there cannot be any other such document around, and you have your unique consensus.  Too bad your addresses of your coins don't work on it.

If you are going to say: it is the highest PoW chain "within a certain set of documents that satisfy other rules" then you have the ambiguity from the moment there are forks.  Suppose that BCH overtakes the BTC chain.  Is bitcoin then from one day to another BCH, and should we reject BTC as a false document ?  No, of course not.  They are different crypto currencies.

The foolishness of uniqueness of PoW breaks down entirely when there's a crypto currency market.  Because there's no such thing as uniqueness.
monsterer2
Full Member
Activity: 351
Merit: 134
February 01, 2018, 08:31:17 AM
 #156

Well, it fails on decentralization already, and "asymptotically" means wasting more than half of humanity's resources.

The power law of economics says that anything which has a profit motive will centralise. But, there is no other way (yet discovered) to achieve a Nash equilibrium than establishing a profit motive, so we're stuck with it.

I believe there is a way to achieve more decentralisation than we have in blockchains currently, still using PoW, but that's another post.

Quote
Because if you are presented with different block chains, and the ethereum block chain contains more proof of economic waste than what people used to call the bitcoin block chain, according to your rule, you have to accept the ethereum block chain as the sole true consensus document

Are you honestly saying that the LCR rule doesn't distinguish between blockchains? Obviously it only functions within a single blockchain and yes, clients can tell the difference between an ethereum chain and a bitcoin one.
dinofelis
Hero Member
Activity: 770
Merit: 629
February 01, 2018, 09:27:22 AM
 #157

The power law of economics says that anything which has a profit motive will centralise. But, there is no other way (yet discovered) to achieve a Nash equilibrium than establishing a profit motive, so we're stuck with it.

This is the error: there's no *monetary* profit motive necessary to get a Nash equilibrium.  As you say, monetary profit centralizes by economies of scale which result, as you say, in a power law distribution.   There's no reason to motivate people to participate in consensus.  They can.  They don't have to.  If they don't, they accept others to vote in their place.  If that goes "wrong", their problem.   The motivation is to keep your share, or to risk that others will push you out of the consensus.  If that happens, too bad for you.  You weren't there.  You've lost your stash because you failed to be online ?  Your problem, not mine.  So, fear of missing consensus is a good motivation.

Quote
Are you honestly saying that the LCR rule doesn't distinguish between blockchains? Obviously it only functions within a single blockchain and yes, clients can tell the difference between an ethereum chain and a bitcoin one.

They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

If there's a Martian visiting earth, how is that Martian going to know what is the true bitcoin block chain if he's not going to trust anyone and never was online before ?  He'll look at all block chains around, and find the one with the highest PoW in economic waste.  "that must be the unique true consensus document".  From the moment you require OTHER extra rules, as I said, you have to trust those who said it were the right rules, or you must have been there when they were established, or you must trust someone that was there when they were established.

If someone saw bitcoin's protocol in early 2010, left for Jupiter for 8 years and came back, and imagine that BCH has more PoW, he would say that the true bitcoin ledger is BCH, and BTC is an attempt at fraud.

If someone had seen just Satoshi's paper in 2008, only remembering "maximum PoW", left for Saturn, and came back, realizing that rules may have changed completely, and ethereum would prove more PoW, he'd say that the only true ledger is the ethereum ledger, and all the rest is fraud.

In order to "know" that it isn't so, he will have to use and trust recent online information, or they "had to be there".

Other example.  Suppose that earth is hit by a catastrophe and for 500 years, we're back in the middle ages, even though the legend of bitcoin is orally transmitted.  500 years from now, technology is again developed, and some people go to look after that Satoshi of the Round Table and his trustless Ledger, some ledgers are finally discovered.  Which one is the "true" one ?  If the rule "maximum PoW" is recognized as the sole unique totally trustless rule, if ever the ethereum chain has more PoW to it, it will be said that it was bitcoin.

Finally "trustlessness and money" is an oxymoron. Money is about belief in value.  If you don't trust anyone, you don't believe that others believe in money.
monsterer2
February 01, 2018, 09:35:53 AM
 #158

Quote
This is the error: there's no *monetary* profit motive necessary to get a Nash equilibrium.  As you say, monetary profit centralizes by economies of scale which result, as you say, in a power law distribution.   There's no reason to motivate people to participate in consensus.  They can.  They don't have to.  If they don't, they accept others to vote in their place.  If that goes "wrong", their problem.   The motivation is to keep your share, or to risk that others will push you out of the consensus.  If that happens, too bad for you.  You weren't there.  You've lost your stash because you failed to be online ?  Your problem, not mine.  So, fear of missing consensus is a good motivation.

There isn't a way to achieve one without it. Without a profit motive, the rational behaviour to maximise gains is to attack the system, this is the opposite of a nash equilibrium.

Quote
They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

No, they don't need to do anything. Their client, which can be offline, then online, will always know whether it is being presented with a candidate blockchain on the right hard fork, in the right blockchain.

You seem to be suggesting that the attack vector is to convince someone who's never had a bitcoin, or ethereum client before to install an impostor client. This is a social engineering attack, not a technical one.
dinofelis
February 01, 2018, 10:20:13 AM
Last edit: February 01, 2018, 10:38:47 AM by dinofelis
 #159

Quote
There isn't a way to achieve one without it. Without a profit motive, the rational behaviour to maximise gains is to attack the system, this is the opposite of a nash equilibrium.

You cannot attack a system that doesn't rewind.  But for that, you simply need online presence, or trust other online presence not to wind back.  It is much much easier to assume that there will be online systems that don't rewind, or remain online yourself, than to want to reach a Nash equilibrium with "offline rules".  There's no long-term Nash equilibrium to be reached if decisions are never rewound.  The only attack possible would consist in a "sustained split of the internet".

The unneeded difficulty caused is that one wants to prove in a trustless way to an offline participant that the consensus decision has to be unique.  That is devoid of any real-world meaning as I tried to explain.  In practice, nobody does so for anything else.  If I'm online, and I just record the successive online hashes of successive consensus decisions published by half-trusted peers, I don't need any proxy of past time (I was there) and I won't rewind (I know the hashes of consensus).  As my attacker cannot know what different peers I check, he cannot present me any consistent alternative history, even if I leave my online presence for a short while.  And that goes for most participants.  I can find them later, because they have unique keys, somewhat akin to a web of trust with mutually signed public PGP keys.  When using the network, I will learn about more and more network nodes, and learn to half-trust them.  Some will go, some will come.  I will regularly check their histories with mine (we will in any case all be voting over the last consensus when we are online).  It would be extremely difficult, for an attacker, to convince me of another history even if I were offline for a while.  And if I got tricked because I'm offline, my fault.  Let the attacker win.

Quote
Quote
They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

No, they don't need to do anything. Their client, which can be offline, then online, will always know whether it is being presented with a candidate blockchain on the right hard fork, in the right blockchain.

You seem to be suggesting that the attack vector is to convince someone who's never had a bitcoin, or ethereum client before to install an impostor client. This is a social engineering attack, not a technical one.

Absolutely not.  As that agent who doesn't trust anyone cannot distinguish between both and doesn't trust any digital signature, how is he to make the difference ?  He won't believe the name "bitcoin core" (obviously).  He won't believe the name "ethereum".  He won't believe anything signed or published.  There is no such thing as "imposter" in a trustless system.    He will only cryptographically find out that some ledger includes more proof of economic waste than the other.    He will only find suggestions in software "out there" that seems to work with certain ledgers, and not with others.  He can establish that some ledgers contain "remarkable results".

I don't have to tell you that when you have a pair of numbers, one of which is the pre-image through hashcash of a near-zero number, that that pair of numbers is remarkable.  I can suggest you to look at that pair of numbers with different hash functions, and if you find out that the hashcash function maps one of the numbers on a very small number, that in itself is a remarkable feat.  In as much as you can establish yourself that the hashcash function is not reversible, and in as much as you can figure out yourself how much electronics and electricity it would take to find that remarkable pair, you can estimate how much wasted economical effort went into this, without having to know in advance that you should look at "hashcash".  

So you simply find ledgers.  You have no client.  But you find different clients on the internet.  You don't trust their authors.  But you see that some ledgers you find, "work" with some clients, and not with others. You can easily map untrusted ledgers to untrusted clients.  Through analysis of these clients, you realize that some ledgers contain "remarkable pair of numbers".  You can estimate the relative efforts that have been wasted to find those.  From that, you determine the highest-PoW ledger, and automatically, the client that goes with it.

If it turns out that amongst all untrusted ledgers you found, the one with the most remarkable pair of numbers, was the ethereum chain, and you found that the untrusted ethereum client "worked" with it, then that must be the right ledger and client.

The absolute trustless cryptographic unique signature is the discovery of that document (ledger) that contains that remarkable couple of numbers that has needed most economic effort wasted to find it.  In order to find out how remarkable it is (and hence, how much effort was wasted on it to find it), you can use untrusted SUGGESTIONS, but you don't have to trust them.  The document is moreover sufficiently complex to allow you to discover, amongst all possible suggestions, the only pieces of code that actually work with the uniquely tagged ledger of maximum waste.  That must be the "rule set" then, the right "client".
monsterer2
February 01, 2018, 10:38:30 AM
 #160

Quote
You cannot attack a system that doesn't rewind.  But for that, you simply need online presence, or trust other online presence not to wind back.

You're basically saying: without double spends, we don't need a blockchain. Guess what?

As soon as you bring trust into the equation, you throw away the security model, making all the other sacrifices that go along with using a cryptocurrency over the banking system, pointless.

Quote
Absolutely not.  As that agent who doesn't trust anyone cannot distinguish between both and doesn't trust any digital signature, how is he to make the difference ?  

He doesn't need to care. Either one of these two conditions is true:

a) He has a client installed on his machine, which knows the chain it expects to receive, offline or online, doesn't matter
b) He doesn't have a client in the first place

The only aspect of trust here is that he trusts his existing client to be correct, or he locates the genuine client if he never had it to start with.
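
The two selection rules argued over in posts #157 to #160, side by side, as an added example that is not code from either poster or from any real client. The ledger format, function names and sample ledgers are all assumptions made for illustration; work per block is counted as 2^256 / (target + 1), the expected number of hash attempts for that target.

```python
import hashlib

def sha256d(data: bytes) -> int:
    """Double SHA-256, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def block_hash(b: dict) -> int:
    raw = (b["prev"].to_bytes(32, "big") + b["target"].to_bytes(32, "big")
           + b["payload"] + b["nonce"].to_bytes(8, "big"))
    return sha256d(raw)

def block_work(target: int) -> int:
    """Expected number of hash attempts needed to land at or below target."""
    return 2**256 // (target + 1)

def extend(chain: list, tag: bytes, n: int, target: int) -> list:
    """Return chain plus n newly mined blocks (nonce search starts at 0)."""
    chain = list(chain)
    for i in range(n):
        b = {"prev": block_hash(chain[-1]) if chain else 0,
             "target": target, "payload": tag + bytes([i]), "nonce": 0}
        while block_hash(b) > target:
            b["nonce"] += 1
        chain.append(b)
    return chain

def chain_work(chain: list) -> int:
    """Total work of a ledger; 0 if a link or a proof of work fails."""
    prev, total = 0, 0
    for b in chain:
        if b["prev"] != prev or block_hash(b) > b["target"]:
            return 0
        total += block_work(b["target"])
        prev = block_hash(b)
    return total

def heaviest_any(ledgers: dict):
    """Observer with no client: most work among all ledgers found."""
    return max(ledgers, key=lambda name: chain_work(ledgers[name]), default=None)

def heaviest_for_client(ledgers: dict, pinned_genesis: int):
    """Installed client: most work among ledgers rooted at its own genesis."""
    own = {n: c for n, c in ledgers.items() if c and block_hash(c[0]) == pinned_genesis}
    return heaviest_any(own)

# Constructed toy ledgers (not real chain data).
X_GENESIS = extend([], b"X", 1, 2**248)
LEDGERS = {
    "ledger-X-short": extend(X_GENESIS, b"a", 2, 2**248),  # 3 blocks
    "ledger-X-long": extend(X_GENESIS, b"b", 4, 2**248),   # 5 blocks
    "ledger-Y": extend([], b"Y", 2, 2**246),               # 2 harder blocks
}
print(heaviest_any(LEDGERS), heaviest_for_client(LEDGERS, block_hash(X_GENESIS[0])))
```

The only input that separates the two results is the pinned genesis hash, which is the piece of prior knowledge the thread is disputing.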