Proof of Stake Bitcoin?

[dinofelis]

PoW has been shown, in bitcoin, to centralize, and we know the economic reason for that: "economies of scale".  

No. PoW in bitcoin has shown to be a trustless, reliable proxy for elapsed time.

Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".  You need the order of spendings, in order to exclude the double spend, and to certify the first spending.  In bitcoin, if these are more than a few times 10 minutes apart, that's usually considered definitive.  But *any* mechanism that comes to a consensus that transaction A came before transaction B is good enough.  You don't need real world time for that.  You only need order.  

- cryptographically not very secure.  Indeed, the cryptographic security resides solely in the need for an external attacker to do a *similar* amount of work than was needed to generate the security in the first place.

Firstly, 'cryptographic security' is the wrong term for what you are trying to describe. Secondly the security of a PoW chain is not based on doing a 'similar' amount of work, but to do more work than the rest of the miners in the network combined. That is indeed, 'vastly' more work.

No, that is not vastly more work.  If I make a digital signature, I can do that with a smart phone using a few mW during a few seconds.  In order to FAKE that digital signature, even the NSA with all its supercomputers, can't.  So the effort of the attacker (here, the NSA) is so vastly more important than the effort the "good guy" (me) had to do, that it is simply practically not feasible.  This is the core of cryptography: the good guy (with the key) can do something easily that the bad guy without the key cannot even dream of doing with all the computation power in the world.  It is sufficient to show that one single digital signature has been faked without the key, and one considers that scheme as broken.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

But that is what a crypto currency should be: entirely determined by its owners.  It is very strange to have a crypto currency that is depending on an external industry, and of which the users are not making up the consensus.  A PoW coin is very much exposed to an external attack, while a PoS coin is cryptographically secure against an external attack.  It can of course suffer *internal* attacks.

Again, you're misusing 'cryptographically secure' and even if we take your intended meaning, your statement is still wrong as PoS coins are vulnerable to a much broader range of attacks than PoW coins, both external and internal. Please see this thread for details:

They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

Yes, PoS can be attacked by its owners.  Which is obvious, because that's what a crypto currency is about: the owners should be the master of what's going to happen, of the rules, and of everything.  But it cannot be attacked from the outside because it is cryptographically simply unfeasible if you don't possess any of the signing keys.

There is a paper describing a provably secure PoS chain, but even the author concedes that it can only be that way if a majority of honest nodes remain online. This is not a very resilient design, especially in the face of power cuts, wars and 'force majeure'.

PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

The thing is that all these theoretical attacks are way beyond the normal use case: by the time these attacks become possible, the use case of the coin has already crumbled.  If you first need to obtain 15% of the stash of a coin before you can attack it, you could do already much more harm in the market than you would by setting up a rather improbable attack.   We now have 4 people in the world that, via a simple phone call and an agreement, could attack bitcoin, and they don't even need to possess it.  They won't, because it is their business.  If you own 15% of a coin, you won't set up an attack.

Don't get me wrong, I'm not saying that bitcoin is a success - the network is congested beyond usability, but PoW remains the only trustless solution to the byzantine generals problem.

I think PoW proved that it failed, by economies of scale.  If 4 people can decide to attack the system, even if they won't, I think that I can rest my case.  If this system is considered safe, then PoS should be considered safe too for all practical purposes, even though theoretical attacks are possible.  

The real, initial problem with PoS was that one thought that it wouldn't *converge*.  That semi-honest players wouldn't find the same consensus.  The "nothing at stake" issue.  

That, from a certain level of investment onward, you can break the system, is obvious, but we saw that with PoW in practice.  4 guys (and maybe they are the same guy !!) can collude, and kill bitcoin tomorrow if they want to.  Simply, they don't want to.

If the 4 most important mining pools decide to reduce their hash rate in the building of the new chain, and use 80% of their hash power to overdo an older piece of chain, reversing transactions of last week, next week we have broken bitcoin with an orphaned prong a week long.

The point is that in PoW, you don't know how much invisible potential PoW hardware is available to an attacker.  In PoS, you know: it is the amount of stash.  Nobody knows if someone is not stealthily collecting mining hardware without using it, so without pushing the difficulty upward, and to switch it on in the frame of an attack.   This is especially the case in the case of large price swings on the market.  If tomorrow, bitcoin tumbles a factor of 5 in the market, and miners "switch off hardware" because it is wasteful, there's a huge potential of hardware ready to be used for an attack.

So all these attacks are just as well theoretically possible with PoW.  PoW is just as theoretically broken as PoS.  In reality, they won't happen, because they need big players to kill their own investment in one way or another ; and these big players can do that also in the market if they want to.  From that PoV, PoS is more logical.  An outside attacker might want to invest in the killing of a coin more probably than an insider.

[1714821289]

1714821289

[1714821289]

1714821289

[1714821289]

1714821289

[dinofelis]

If I understand correctly, the transaction fees is what are the earnings of miners in a POW system. So, how can you make POW system exist with zero transaction fees in future - when bitcoin is mainstream and used as a payments system in future ?

In a coin without tail emission, that is, in a coin where there will only be a finite given number of coins from a certain time onward, yes.  In coins that continue to emit coins (tail emission, like ethereum, monero and the likes), mining is paid for by inflation, like it still mostly is for bitcoin.  Bitcoin's mining has always been paid by inflation until now.  It is only since last year that fees start to be a sizeable fraction of the mining revenue, still smaller than inflation, but nevertheless appreciable.  In a few times 4 years, however, the inflation will be so much reduced that it are the fees that have to pay for the joke.

Note that this is equivalent: the whole of the bitcoin ecosystem is "leaking value" at the rate of mining resource waste.  In the beginning, the price is paid by people POSSESSING bitcoin, through inflation ; towards later times, this is paid by people USING bitcoin, through fees.

In a PoS system, there is no such value leak.  The system can hold its value.  A PoW system leaks value because of the necessary economical waste in proof of work.

[monsterer2]

Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".  

And how do you think you arrive at the order? Without reliable time-stamping, you don't and cant. It is the building block upon which all this is based.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

'Slightly more' work than the rest of the network is vastly more work than solving a single block.

They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

If I pay 100% of staking, stake-owners to send a transaction to themselves at at precisely 12:00pm next monday, whichever chain I choose would be stalled forever. That's a fairly obvious external 'attack'.

PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

Sorry, that's just plainly incorrect. If the chinese government confiscates all mining equipment in china, bitcoin blocks will slow down as the rest of the world gradually takes up the slack. On the other hand, if some force confiscates all the staking stake from a PoS chain, the chain is dead forever barring a hard fork.

[dinofelis]

Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies". 

And how do you think you arrive at the order? Without reliable time-stamping, you don't and cant. It is the building block upon which all this is based.

Order is simply a consensus.  It has not much to do with time.  In fact, transactions don't even need to be time-ordered.  If there are no double-spends, their order is automatic.  I could give you all the individual transactions in the bitcoin block chain in a random order, and you could be able to put them in order again.  They form a strictly ordered graph.  They don't need any time stamp.  They don't even need an indicated order, they order themselves.

The only thing one needs some "consensus state momentary pictures" is that one needs arbitration of double-spends.  One needs to come to consensus over which of two spendings is going to be part of the "accepted truth".  This doesn't even need to be the one with the earliest real-time stamp.  It is a random decision, but that random decision needs to be part of a consensus.  If there are no double spends, the consensus is automatic.  If there are double spends, we need to come to a consensus of which one to retain as the 'real one'.  It sounds like obvious that it should be the first in real time, but it doesn't have to.
It is only after this consensus is reached, that one can be certain about one's balance.  Up until the moment of global consensus, when transactions are pending, there could be double spendings, and one cannot know which one will be part of the next consensus.

The consensus images need to be ordered concerning transaction graphs.  They do not even need to be ordered between disjoint transaction subtrees.  Of course, when sub trees mix, there needs to be a logical order between the last "unsynchronized consensus" on each sub tree, and the first one after the mix.  In other words, the consensus pictures need to have a similar order than the ordered graph of transactions.

But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

'Slightly more' work than the rest of the network is vastly more work than solving a single block.

It is slightly more work than was needed to make the piece of block chain you want to overdo.  (and hey, you even get the new block rewards too).  If I want to overdo 10 weeks of block chain, I'll need somewhat more proof of work than 10 weeks of block chain building.  The question is in how much time I can do this.  But the amount of *work* is not related to the RATE of my work.  If I had the hardware to do 100 times the rate of work that is really spent on the block chain right now, I wouldn't need to spend much more actual WORK.  I could do it in a day or so (10 weeks of block chain).  In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.

They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

If I pay 100% of staking, stake-owners to send a transaction to themselves at at precisely 12:00pm next monday, whichever chain I choose would be stalled forever. That's a fairly obvious external 'attack'.

That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.  Normally, a good PoS algorithm ORDERS the staking candidates according to things like actual current stake, previous stakers, and pseudo-random numbers calculated from the previous accepted consensus, and extra weights for coin age and so on, and then gives priority to that staker that actually proposes a consensus and is highest on the list.  So there is always a highest staker on the list of those that propose a consensus.  All possible previous states should always accept a single valid staker amongst all proposed stakes.

PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

Sorry, that's just plainly incorrect. If the chinese government confiscates all mining equipment in china, bitcoin blocks will slow down as the rest of the world gradually takes up the slack. On the other hand, if some force confiscates all the staking stake from a PoS chain, the chain is dead forever barring a hard fork.

I meant: the Chinese government confiscates all mining equipment to use it as an attack on bitcoin, not to stop it from running.  As I said, there shouldn't be any staking stake.  There's just proposed consensus solutions by those who stake, and a PoS algorithm, known to everyone, indicates, amongst the propositions, which one is the accepted winner.  If there's only one proposition, obviously that single proposition wins.

You can say: hey but what happens if a higher-ordered staker propagates a past consensus decision then ?  Well, if in the mean time, new consensus decisions arrived on top of the previously accepted one, it's done, he lost his chance to stake.  As such of course, you can get divergent histories, but a good PoS algorithm also has a global branch preference, which is essentially a pseudo-random number.  If you are, as a staker, confronted to two branches, you should stake on the one with the highest "global preference", even if you are to be a staker on the lower one.  This is the solution to the "nothing at stake" problem: there should also be a pseudo-random cumulative weight of each branch: obviously one will win.

And finally, there shouldn't be any reward for staking.  It should be a voluntary act.  That would avoid people to want to disrupt the staking, just to get the rewards.

[monsterer2]

Order is simply a consensus.  It has not much to do with time.  In fact, transactions don't even need to be time-ordered.  If there are no double-spends, their order is automatic.

If there were no double spends, we don't need a blockchain, or bitcoin or anything fancy. But guess what?

But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

Trustless ordering cannot occur without a unforgeable proxy for elapsed time.

In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.

No one piles up unused hardware because there exists a competition to mine; mining is, on average, more profitable than attacking the network, that is the key of why PoW is superior to PoS.

That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.

No it doesn't depend on the PoS algorithm; block producers are elected by stake, and to prevent that election happening repeatedly as stake moves around (creating attack vectors), stake must be bonded in some way by preventing new blocks from being produced right away. So if you send your stake to yourself, you're subject to that bonding period. If everyone does that, no one can produce a block and the network stalls, forever.

[dinofelis]

But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

Trustless ordering cannot occur without a unforgeable proxy for elapsed time.

The order doesn't need to be the one of real time.  Any order is good enough from the moment that it is an order.  Any set can be ordered.  One simply needs a consensus on the order, that's all.

And then there is of course obvious "real time ordering" on the long term.  The problem with all these false attacks is that one wants a system that can prove to a newcomer that it was ordered in real time before.  That's not needed.  A newcomer just accepts the next consensus, without asking questions about the past.  It is to a newcomer, as if the starting point, the "genesis block" if you want bitcoin speak, was published at the next consensus he will be aware of, and needs to accept that.  There's no need to dig into the past.

And yes, of course, once you're in the system, you have to remain attentive to the new consensus decisions.  If you're absent (if you are a long time off line), you cannot say anything.  You accept the new truth when you're online again, as if you were a newcomer.  Of course you have to stay on line, or trust your peers the time you're absent.  It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

So the long-term real-time order is evident, because you were there, or you accept the truth from those that were there.  There's no way we will come back to the consensus decisions of yesterday.  Wanting to prove that, is what makes all these things difficult for no reason.   The consensus of yesterday is fixed once and for all, simply because you were there.  You're not going to wind back.   The consensus of today can still be discussed, but by tomorrow, that one will be fixed forever.  Simply  by those that were online.  The only thing that is needed for this to come to global consensus, is that there's sufficient communication between all participants during a lapse of one day.  Well, that is obviously the case.  There won't be a "split of the internet in large chunks for more than a few hours", so there won't, for all practical purposes, be entirely different histories when they are connected back ; and if there are, there's a simple rule to decide which one is to be accepted, on the basis of a pseudo-random number.

As I said, one is making this thing much more complicated on the grounds of unrealistic requirements, such as the need to prove that the system behaved well in the long past.  For all practical purposes, nobody cares.  Everyone accepts the state of yesterday, no matter how it got there, like everyone accepts what was printed in the newspaper yesterday, as being the thing that was printed in the newspaper yesterday.  We're not going to accept to re-write history "if we were there", and the others shouldn't care.  If you weren't there, you shouldn't have anything to say.  So it is normal that only those on-line decide about how this is advancing, and there, real-time order is evident if it is slow enough to account for every form of network delay.  You can think that one day is good enough.  Which is why there isn't any difficulty to consider that day by day, there are historical points of no return.  The block chain starts yesterday.  Every day.  How it got there, is of no importance any more.

In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.

No one piles up unused hardware because there exists a competition to mine; mining is, on average, more profitable than attacking the network, that is the key of why PoW is superior to PoS.

That is an assumption about the attacker that you shouldn't make.  Of course, *within the system*, mining correctly is mostly profitable.  Not because of technical reasons, but because otherwise, you crash the market.  However, for an external attacker, you cannot know what are the motives.  As I said, piling up hardware without using it, and hence, without pushing up the difficulty, can be profitable if the market wouldn't crash.  When you orphan a big chunk of chain, you do not increase the difficulty, and you do reap in the block rewards of the chain you redo.  It may be profitable to buy hardware and pile it up (or just rent it) to do such an attack, rather than to pump up the difficulty by competing.  I think that the past total cost of bitcoin's yearly mining was about $2 billion.  Let us assume that $1 billion is in hardware costs, and $1 billion in mining costs.  Suppose now that an attacker piles up for $3 billion worth of mining equipment.  He has hence 3 times the total hash power of bitcoin.  However, he will use that hardware to redo last year's chain.  Yes, the whole last year's chain.  That will take him grossly 3-4 months to do so, while nobody knows about it.  He will use about the same amount of energy to do so, which is grossly in our case, $1 billion (the total mining cost last year was $2 billion, we put $1 billion in hardware, and $1 billion in energy).  So his total cost is $4 billion.  But now he publishes his chain, orphans the 1 year + 4 months of previous block chain, and hence reaps in the 60 000 block's rewards plus fees, and all reversals of all payments he did last year.  At the current price of bitcoin, $10 000, that would bring him already $9 billion of profits from the rewards only.  Add to that reversed transactions and all other things he can do with rewriting history and he's a winner.

Of course, in reality, bitcoin would be done.  So, for a total cost of $4 billion, someone external to the system can bring the whole thing down by redoing a whole year worth of history.  But even better now.  Suppose the guy shorts bitcoin for $20 billion in cash.  I think his $ 4 billion are well-spent.  

That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.

No it doesn't depend on the PoS algorithm; block producers are elected by stake, and to prevent that election happening repeatedly as stake moves around (creating attack vectors), stake must be bonded in some way by preventing new blocks from being produced right away. So if you send your stake to yourself, you're subject to that bonding period. If everyone does that, no one can produce a block and the network stalls, forever.

You cannot elect a block producer by stake, because you don't know if he's willing to stake.  You simply give an ordering those that do stake, to decide which one of the proposed competing consensus solutions is to be accepted.  If there's only one node online, of course that node will do all consensus decisions by himself repeatedly.  Any other design would be crazy.  If you are the genesis block creator, of course you stake all by yourself all the time until you have sent coins to someone else.  How could a PoS system even bootstrap if what you say is unavoidable ?  If you did recently stake, of course, that diminishes your priority to stake.  But if you are the only one, of course, even low priority, you can stake.  It is just that if there is a higher staker on the list that stakes, this one is to be preferred to stake on top.  So the NEXT staker is going to stake on top of the highest priority staker that did stake.  In case there is, because of network delays, a split that goes further than one last staker, another algorithm determines the FORK priority, which is cumulative over the different blocks, and indicates what prong the next staker should prefer.  A priori, the only way in which there can be a split is when two different stakers decide to stake within the time lapse of network propagation time between them ; the "ping" say.  When the chain splits because of this, most nodes will be aware of it within a few times the network propagation time.  The idea is that if such a split occurs, then all participants wait for a few times the network propagation delay to make sure everyone has the two prongs before continuing.   An algorithm them makes clear which of the prongs is to be continued.  If ever one finds out that two prongs continue to exist, the waiting time is doubled before staking.  When it is seen that the right prong grows, the waiting time is diminished again.

Again, there shouldn't be staker rewards, it should be a voluntary and altruistic act "of confirmation of mempool" and of "random choice of double spends received up to a point".  This avoids continuous staking on the losing prong with the hopes that it will take over.  If your transaction is within a single consensus which is old enough, and you haven't seen a competing prong, and you get from your on-line peers sufficient confirmation that they haven't seen any, then you can start to assume that your transaction has gotten into the irreversible consensus.

[monsterer2]

It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

I can't continue having this discussion if you truly believe that statement to be true.

[dinofelis]

It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

I can't continue having this discussion if you truly believe that statement to be true.

If you want to adhere to that, your system is unduly complicated.  

And look, this is EXACTLY what something like the LN is trying to achieve.  You don't have to know what happened in a channel, from the outside.  You don't want to know whether they screwed one-another or not.  You only see the final balance on the block chain.  You don't care what happened in those channels, and whether they did it according to the rules.   What matters is the end balance.

I could even say: this is already the case in bitcoin.  Nobody records the mempool for you if you aren't online.  Miners are supposed to be online.  Yes, PoW allows you to do "offline mining", like in my example, where you do offline mining of a whole year worth of block chain, just to overthrow all that has been done online during a year.  But that's a bad feature of PoW.  

The whole desire to have a system that has "its own offline clock" that can be checked, and to allow someone that has been absent for a whole year, to re-vote everything, is what makes the crypto consensus mechanism unduly heavy, and even prone to attacks that have no reason to exist if you take them to real time online.

After all, the only thing consensus is about, is an agreed-upon decision of what transactions are to be considered valid at a certain point in time, and to come to consensus that all competing transactions after that point in time, will be considered double spends.  That's something that can be judged "on the moment" by those online.  That's way easier.  The only thing that needs to be taken into account, is that due to network delays, if ever there are competing double spends, which one is the one we pick to be the true one.  After a few minutes, we can clearly declare that we've seen all sensible candidates, and pick one in a way everyone will agree upon.  Those that weren't there, simply have to accept that decision.

What screws up most consensus mechanisms, is that there's a reward for proposing consensus.  That complicates matters, because you can develop strategies to obtain the reward.  But if there's no reward, and there shouldn't be any, it is an almost trivial matter if you can take the decision within an online network.

We only have to "confirm the mempool" from time to time.  If you don't get a reward for that, you're not going to compete to do so.  You will do so if others don't, because you have stakes in the good functioning of the system.  If someone else stakes the mem pool slightly differently from you, that doesn't matter much, you can just as well accept his consensus as yours ; it is only a matter of a "symmetry-breaking agreed-upon rule" to decide between you and that other guy, which one is the one to be preferred.

[Katashi]

DO you guys ever think that bitcoin will do proof of stake? Just wanted to get some peoples insights on this.

No.

Unless there was an update through Bitcoins final development there wouldn’t be any PoS implemented into Bitcoin because there’s already altcoins that feature that concept. There wouldn’t be any point for Bitcoin to get a PoS coded into it because Bitcoin is already capped at 21 million coins.

Plus, if there was a PoS code placed into Bitcoin then the transactions within Bitcoin’s Blockchain would be cluttered because there isn’t that many miners that can keep up with the competitive mining difficulty that Bitcoin has.

If you are spending 0.0001 Bitcoin for transactions you would have to spend much more to get your transactions confirmed.

Agree on you sir, i believe this would be a very bad idea to put BITCOIN in "Proof of stake". Not mentioning it's effect to the miners but the whole effect for the whole BTC users. I mean we all hate transaction delays as of now most of us are really complaining to it now imagine when this things happen. And the additional transaction fee will not be a very good thing to add with. But who knows those thing are uncontrollable factor, Let's just hope POS will not be implemented for BTC.

[Anti-Cen]

The real opposing force would be miners, true. They have invested over a few million bucks to rake in huge amount of profits every day just to let it go that easily. Besides, switching over to PoS means that consensus wise, people who have the fatter wallets would have the most voice over a certain issue/development that the coin might face in the future.

I cannot stand PoW and you raise a good point and I am working on something were server-side wallets become distributed across several
nodes and was kind of thinking about making the "Miners" or wallet nodes bid to host wallets using gas and then getting a fine paid in "Gas" if they
did not deliver the goods, time out, cheat or attack other nodes.

into the mix I might even throw a small sprinkling of this new thing called "trust" where nodes with good up times and good speeds are
invited to become members of the coordinators team so a human can be contacted within the network anonymously without taking control
and maybe I will give users a say in whats happening by allowing them to vote and not just reserving this privilege for "Miners"

Yes "power to the people" without fat cats and miners taking over.

[dinofelis]

Besides, switching over to PoS means that consensus wise, people who have the fatter wallets would have the most voice over a certain issue/development that the coin might face in the future.

That will always be the case in an open, anonymous, permissionless system.  The only way to avoid that, is by using "one man (woman, animal, ...) , one vote", and then you need to rely on real-world identities, issued by, well, centrally controlled identity-issuers.  How else do you associate one single human being to one pseudonymous identity on an open network ?  From the moment the network is open and anonymous, sybil sock puppets are possible.  Whatever proxy you use for "person", be it a CPU, an IP address, a smart phone IMEI, a phone number, .... you have the double problem that:
1) there are centrally controlled entities that ISSUE these things and/or
2) the fatter your wallet, the more of them you can afford.

Within a crypto currency system, however, it seems normal that the stake holders can vote according to their stake, in the same way that share holders can vote according to their share.   It would mean that the more vested interest you have in the system, the more you have to say about the system.  In any case, in a value-carrying token system, if a majority of tokens are in the hands of a colluding group, you better get out right away in any case.

With PoW, you get a combination of fatter wallets and better energy and hardware opportunities to be the voting key distribution.

[aleksej996]

That will always be the case in an open, anonymous, permissionless system.  The only way to avoid that, is by using "one man (woman, animal, ...) , one vote", and then you need to rely on real-world identities, issued by, well, centrally controlled identity-issuers.  How else do you associate one single human being to one pseudonymous identity on an open network ?  From the moment the network is open and anonymous, sybil sock puppets are possible.  Whatever proxy you use for "person", be it a CPU, an IP address, a smart phone IMEI, a phone number, .... you have the double problem that:
1) there are centrally controlled entities that ISSUE these things and/or
2) the fatter your wallet, the more of them you can afford.

Within a crypto currency system, however, it seems normal that the stake holders can vote according to their stake, in the same way that share holders can vote according to their share.   It would mean that the more vested interest you have in the system, the more you have to say about the system.  In any case, in a value-carrying token system, if a majority of tokens are in the hands of a colluding group, you better get out right away in any case.

With PoW, you get a combination of fatter wallets and better energy and hardware opportunities to be the voting key distribution.

PoS allows past stake holders to have same amount of power. That means early adopters retain complete power forever.
Also you can see that those past stake holders could have a lot less (even nothing) to lose by trying to revert the blockchain.

[dinofelis]

PoS allows past stake holders to have same amount of power. That means early adopters retain complete power forever.
Also you can see that those past stake holders could have a lot less (even nothing) to lose by trying to revert the blockchain.

Not really.  It depends on the exact PoS implementation.  I think I'm going to write up my arguments instead of partially typing them in forum posts.

[dinofelis]

I would like to draw one's attention to the thread I have elsewhere, which points to a fundamental problem with PoW.  

That is, for the proponents of PoW, what's the vision on that ?

https://bitcointalk.org/index.php?topic=2847680

[monsterer2]

I would like to draw one's attention to the thread I have elsewhere, which points to a fundamental problem with PoW.  

That is, for the proponents of PoW, what's the vision on that ?

https://bitcointalk.org/index.php?topic=2847680

Largely a very long rant about money being the root of all evil, isn't it?

[dinofelis]

Largely a very long rant about money being the root of all evil, isn't it?

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

BTW, couldn't resist: https://ideas.repec.org/p/edn/esedps/110.html

[monsterer2]

Largely a very long rant about money being the root of all evil, isn't it?

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

BTW, couldn't resist: https://ideas.repec.org/p/edn/esedps/110.html

Truely trustless, decentralised technologies will always be slower and more wasteful than centralised alternatives, that's a fact I don't dispute.

[Anti-Cen]

If I understand correctly, the transaction fees is what are the earnings of miners in a POW system. So, how can you make POW system exist with zero transaction fees in future - when bitcoin is mainstream and used as a payments system in future ?

I think PoW is total junk and just like mining it keeps Intel, AMD and big oil rich but PoS is just I've got more money than you but you cannot touch it anyway
but what if maybe the miners were made to deposit some BTC much like happens with what the banker hubs are doing in the Lightning network and they
got a fine from the deposit if they started to be naughty boys.

implied trust is a hard one to nail down but maybe a cluster of coordinators  could police the miners and the miners police the coordinators and
dish out fines or something like that is worth investigating    

[dinofelis]

Truely trustless, decentralised technologies will always be slower and more wasteful than centralised alternatives, that's a fact I don't dispute.

Wasteful to the point of using up a significant portion of earth's energy ?

The problem PoW tries to solve in bitcoin is bordering on the limit of madness and can indeed only solve it if it wastes provably more than half of human's resources.  As such, it solves a problem that needs not to be solved, because it is self-defying.

Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.  The only condition is that both X and Y do contain the "right" consensus A.".

Bitcoin's PoW system has indeed found a way to solve this entirely idiotic problem: it is that consensus proposal that has shown most proof of waste, and that it is not possible that anyone ever has wasted more than the one that wrote proposal A.

With that rule, I don't need any trust in nothing.  I only need to find a document that is cryptographically linked to the biggest proof of waste, and if that document contains a proof of more waste than half of human's resources, I know that this document is unique. Simply because no other human has ever been capable of making another such document: there weren't sufficient resources on earth to do so.

From the moment that document A contains a HUGE amount of proof of waste, but humanity has still more resources, I cannot be sure that no document B exists that has MORE waste to it ; but if it has been wasting more than half of human's resources, this document must be unique.  There is no other way.

This is indeed, the ultimate solution to the consensus problem, that allows someone that doesn't trust ANYBODY, and HASN'T BEEN THERE during the consensus decision, to know that this is the unique consensus.

Moreover, proof of waste is unique in this respect, because no other cryptographic technique can hold and do the same.  Anything based upon digital signatures will require me to trust the owner(s) of those keys, and by definition, I don't want to.  And if you don't use more than half of human's economic output, you don't really know if some entity didn't put in more proof of waste, to override the "true" consensus.

But this is pure lunacy.  Needing more than half of human's economic output to be able to prove to Joe the Cavemen that doesn't trust anyone and never was online that his ledger is the true one, is silliness to the point of being criminal.

This is why, in practice, you have to relax some of these absolute consensus proof requirements.  And if you bring this down to something much more reasonable, the so-called advantages of proof of waste melt away.   In our society, total trustlessness is ridiculous.   People use devices they didn't design themselves, they didn't check the functioning, they install software they trust, they use name spaces they trust, they use digital signatures of entities they trust....
You cannot base your system on total trustlessness. There is a right balance to be found between cryptographic protections against scammers, and trust you can have.  Otherwise you run into ridiculous and potentially dangerous systems, excluding reasonable solutions on the basis of religious dogmas.

Proof of waste is such a case.

If, however, you relax the condition that consensus must be proven without any form of trust to someone that wasn't there when the decision was taken, you can reach reasonably solid consensus decisions without ANY waste.  That means that you have to accept to be "online" when consensus is reached, OR that you have to accept some form of trust in those that were online when consensus was reached.  This will hurt dogma's, but it is in practice just as workable, and you don't have to use a big part of human's resources to do so: a smart phone can do it.  That trade off is worth while, because in any case, all the rest of our human existence is also needing trust.

Note also that PoW trustlessness doesn't even need decentralization any more.  Indeed, like is almost the case in bitcoin, the consensus DECISION is taken by 3 or 4 mining pools holding majority, and at best, by some 10 mining pools making most of the chain.  PoW only serves to prove that that decision is graved in stone, not that it was taken according to some or other rule set.  PoW only proves the uniqueness of the document, and hence of the consensus, not that its rule set was respected.  At this moment, bitcoin's consensus decision based on PoW is quite more centralized, as I said jokingly, than the Euro, that needs 15 ministers to come to agreement.

[X7]

DO you guys ever think that bitcoin will do proof of stake? Just wanted to get some peoples insights on this.

A lot of the hype that you see around with all the new blockchain applications are people trying to securely scale and solve the PoS problem.

- It is unlikely bitcoin would do PoS, but I cannot see the future - perhaps in some future the miners become evil and attack the network and the nodes change the algo?

Unlikely man.