Topic: Re: Proof of stake instead of proof of work
jonald_fyookball (OP)
April 23, 2014, 06:07:11 PM
 #1

Hello.

Excuse the bump, but I would like an update on what
happened to these proposals.

Why hasn't the community decided to implement a
proof-of-stake element to guard against attacks?

Have other implementation proposals been written
besides the 2 in the wiki?

What would the drawbacks be from using POS?

Thanks.

grau
April 23, 2014, 06:12:50 PM
 #2

POS has its own very serious problem:

Someone with a stake can spend it to mine any number of forks simultaneously.

In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
jonald_fyookball (OP)
April 23, 2014, 06:22:40 PM
 #3

Hmm... thanks.

POS is something I'm
just starting to learn about.

Perhaps you could expand on this.

Is what you are saying inherent to POS
in general, or just the implementations
suggested?

In POW, the longest-chain-wins is used
to force convergence.  Couldn't something
similar be used with POS, but POS is still used
to determine who wins the blocks?

Sorry if my reasoning is convoluted, this
is a new area for me.

grau
April 23, 2014, 06:29:01 PM
 #4

The consensus IS that the longest chain wins.

Length being defined as work spent to create it in case of POW.

If you would replace work with stake then the same stake could be expended at any alternate continuation of the current highest block at no cost, hence the whole consensus falters.

There might be useful areas for stake and people do explore that, but unlikely successful as an alternative to work.
jonald_fyookball (OP)
April 23, 2014, 06:31:50 PM
 #5

No one is saying replace entirely. Hmm, OK, I will have to think about it. Thx.

Meni Rosenfeld
April 23, 2014, 07:46:18 PM
 #6

> POS has its own very serious problem:
>
> Someone with a stake can spend it to mine any number of forks simultaneously.
>
> In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.

If you examine the designs listed in the wiki, you'll see they're both resilient to this.

In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).

The same cannot be said about the alts that pass for PoS these days.

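An added illustration of the rule described in the post above (not part of the thread and not the poster's actual design): a ledger that detects one address signing two conflicting blocks on the same parent, keeps the pair as evidence, and resets that address's voting weight. The `StakeLedger` class, the address names and the HMAC stand-in for real signatures are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC stands in for a public-key signature scheme
# (assumption: a real system would verify against the address's public key).
KEYS = {"addr_A": b"demo-key-A", "addr_B": b"demo-key-B"}

def sign_block(addr, parent, payload):
    """Return a signed block: (signer, parent hash, payload, signature)."""
    msg = f"{parent}|{payload}".encode()
    sig = hmac.new(KEYS[addr], msg, hashlib.sha256).hexdigest()
    return (addr, parent, payload, sig)

def is_valid(block):
    addr, parent, payload, sig = block
    if addr not in KEYS:
        return False
    return hmac.compare_digest(sign_block(addr, parent, payload)[3], sig)

def is_double_sign(b1, b2):
    """True if one address validly signed two different blocks on one parent."""
    return (is_valid(b1) and is_valid(b2)
            and b1[0] == b2[0] and b1[1] == b2[1] and b1[2] != b2[2])

class StakeLedger:
    def __init__(self, weights):
        self.weights = dict(weights)   # address -> voting weight
        self.first_seen = {}           # (address, parent) -> first block seen
        self.evidence = []             # conflicting pairs, kept so peers can re-check

    def observe(self, block):
        """Return the weight this block counts for; reset it on a double-sign."""
        if not is_valid(block):
            return 0                   # forged or unknown signer: counts for nothing
        first = self.first_seen.setdefault((block[0], block[1]), block)
        if is_double_sign(first, block):
            self.evidence.append((first, block))
            self.weights[block[0]] = 0
        return self.weights.get(block[0], 0)

def demo():
    ledger = StakeLedger({"addr_A": 60, "addr_B": 40})
    fork_x = ledger.observe(sign_block("addr_A", "tip", "fork-x"))  # counts 60
    fork_y = ledger.observe(sign_block("addr_A", "tip", "fork-y"))  # conflict: 0
    honest = ledger.observe(sign_block("addr_B", "tip", "fork-x"))  # counts 40
    return fork_x, fork_y, honest, ledger.weights, len(ledger.evidence)
```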
Dusty
April 23, 2014, 08:16:58 PM
 #7

That idea is good, very good.

Anyway PoS limits the participation to an oligopoly, while PoW is open to everybody, without distinction.

They are two very, very different models.

Meni Rosenfeld
April 23, 2014, 08:33:20 PM
 #8

> That idea is good, very good.
>
> Anyway PoS limits the participation to an oligopoly, while PoW is open to everybody, without distinction.
>
> They are two very, very different models.

No, both PoS and PoW allow everyone to participate in exact proportion to their resources.

jonald_fyookball (OP)
April 23, 2014, 08:52:32 PM
 #9

>> POS has its own very serious problem:
>>
>> Someone with a stake can spend it to mine any number of forks simultaneously.
>>
>> In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
>
> If you examine the designs listed in the wiki, you'll see they're both resilient to this.
>
> In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).
>
> The same cannot be said about the alts that pass for PoS these days.

Why then, do you think we haven't adopted it yet?

Dusty
April 23, 2014, 09:05:10 PM
 #10

> No, both PoS and PoW allow everyone to participate in exact proportion to their resources.

No: you can't buy coins of the chain you want to mine if they are not for sale, whatever your resources are.

While you can build as much hashing power as you want if you have the resources, and nobody, nobody, can stop you.

The difference is quite abysmal.

Meni Rosenfeld
April 23, 2014, 09:16:50 PM
 #11

>> No, both PoS and PoW allow everyone to participate in exact proportion to their resources.
>
> No: you can't buy coins of the chain you want to mine if they are not for sale, whatever your resources are.
>
> While you can build as much hashing power as you want if you have the resources, and nobody, nobody, can stop you.
>
> The difference is quite abysmal.

I should clarify that when I talk about PoS I mean only as a synchronization method. Every coin that uses PoS synchronization also needs some issuance method, and the best known issuance method is PoW. The problem with the PoS coins we see today is that they think that by using PoS they don't need PoW, so they use a broken issuance method instead.

For a proper PoS coin that uses PoW issuance, everyone can participate in "the game" by acquiring hashrate normally and minting new coins.

If you move forward in time past the original distribution, it is true what you say that to participate you need someone to sell you coins. But in practice coins are being sold on the market, so this is only a problem if someone tries to acquire a large amount - and that's not really a problem, since the most likely person to do this is an attacker. Therefore, I consider the difficulty to acquire a large voting power quickly an advantage.


>>> POS has its own very serious problem:
>>>
>>> Someone with a stake can spend it to mine any number of forks simultaneously.
>>>
>>> In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.
>>
>> If you examine the designs listed in the wiki, you'll see they're both resilient to this.
>>
>> In my system, if a stakeholder signs two conflicting blocks, evidence of this is referenced and the voting weight of his address is reset. (Moving to a new address also resets voting weight, until it accumulates weight again).
>>
>> The same cannot be said about the alts that pass for PoS these days.
>
> Why then, do you think we haven't adopted it yet?

1. It's too big a change.
2. It doesn't work well with merged mining and alternative uses of the blockchain (a la colored coins).

Dusty
April 24, 2014, 06:03:17 AM
 #12

> 2. It doesn't work well with merged mining and alternative uses of the blockchain (a la colored coins).

I'm interested in understanding more on this point (why PoS is incompatible with colored coins), can you please elaborate?

Thanks :)

Jori
April 24, 2014, 08:01:49 AM
 #13

> POS has its own very serious problem:
>
> Someone with a stake can spend it to mine any number of forks simultaneously.
>
> In contrast POW can only be created on alternatives if computing capacity is split between them. This forces convergence while POS does not.

What attack could potentially be launched from mining multiple forks simultaneously? What would be the potential gain of someone doing that?
grau
April 24, 2014, 09:10:37 AM
 #14

The block chain is all about creating consensus on a history of events, by requiring miners to vote on any alternative continuation of history with a sacrifice of their limited resource.

Stake is simply not a limited resource on the alternate continuation of the present but equally existent in any of them. Therefore deploying stake (alone) is not suitable to enforce consensus.

The exploit is that someone with enough stake can unwind the history again and again at no cost until the continuation is the way he likes it. This obviously destroys the utility of the whole system.
Chillin_with_beer
April 24, 2014, 11:29:58 AM
 #15

Doesn't checkpointing prevent that? At some point in time the resources will be distributed enough to turn the checkpointing off. After that point, it will be extremely expensive to acquire 51% of the coins (and attack your own stake).
hashman
April 24, 2014, 11:40:20 AM
 #16

If you give out the new money to those who have the most already, you only exacerbate the problem of unequal distribution of wealth.  Haven't we learned our lesson there yet?   

 
grau
April 24, 2014, 11:42:50 AM
 #17

This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.
benjyz
April 24, 2014, 11:46:16 AM
 #18

Interesting discussion and a great thread.  It would be good to track the original concepts of PoS and all the proposals that have been made, expanding on https://en.bitcoin.it/wiki/Proof_of_Stake

Problems mentioned in this thread were:

1) bandwidth problem (Mike Hearn)
2) issuance problem (Meni Rosenfeld)
3) parallel vote problem (grau)

> The block chain is all about creating consensus on a history of events, by requiring miners to vote on any alternative continuation of history with a sacrifice of their limited resource.

Yes. Of course this assumes that hashing power is in fact distributed. Which turns out is a big problem. The tie to hashing power is not some kind of natural law. It only is if one assumes that PoW is the only possibility to secure a blockchain.

> The exploit is that someone with enough stake can unwind the history again and again at no cost until the continuation is the way he likes it. This obviously destroys the utility of the whole system.

I would distinguish between a 51% stake attack and failed consensus.

51% stake attack depends on the fact that others would not know somebody would have acquired that stake. Assume a PoS coin has a 1B$ marketcap. Now the attacker needs to buy 500M$ worth of coins. Such a cornering of the market would be quickly noticed in many different ways. On the other hand if 5 people own 100M$ each and meet in a room, they could corner the market in a much more subtle way. If 100 people with 10M$ would collude that would not stay a secret for too long. So there is a very interesting dynamic there ([3]).

This argument should be distinguished from the PoW tied to the history of the chain (failed consensus). Some ideas exist to tackle failed consensus, for example by randomizing the vote. Daniel Larimer recently suggested a delegation of vote (delegated PoS). Slasher was an earlier idea to tackle this [2] (which turns out to be not workable AFAIK).

[1] http://bitshares.org/security/delegated-proof-of-stake.php
[2] http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/
[3] Actually when the biggest bankers of the USA got together in 2008 that was a very real 51% attack. It helps if the secretary of the treasury is a former banking CEO.
TierNolan
April 24, 2014, 12:04:19 PM
 #19

> Doesn't checkpointing prevent that? At some point in time the resources will be distributed enough to turn the checkpointing off. After that point, it will be extremely expensive to acquire 51% of the coins (and attack your own stake).

That's not why checkpointing exists (or at least not the only reason it persists).

The latest checkpoint is for block 279000.  This is the 6th of January.  

A reversal back to the 6th of January would be pretty devastating anyway.

Checkpoints give other advantages.

First, you don't need to verify the signatures for any transactions before the checkpoint.  This makes initial downloads faster.

Second, once you have downloaded the main chain, you can ignore any forks that happen before the last checkpoint.  This protects against an attack where an attacker sends you lots of low difficulty blocks.

If the node sent 1MB blocks from 1 to 1000, your node would have to store and forward them.  There would be no way to tell that they aren't from the main chain.  All nodes on the network would have to store them, just in case.  Generating these blocks would be easy, since they could be difficulty 1 headers.

With checkpoints, nodes can just ignore them and definitely not forward them.

The signature speed benefit doesn't require the checkpoint to be a hard checkpoint.  It could be advisory.  A block with a known hash at a particular height has been verified.

If the checkpoint was soft, then nodes could enter safe-mode if the main chain doesn't contain the checkpoint.  Miners would still mine the longest chain though, in order to prevent network splits.

The block spam attack is greatly weakened by headers first.  You don't actually download the blocks until you have verified the full header chain.  This means spamming 1MB blocks doesn't work.  If you send 1000 difficulty 1 blocks, then it only costs the receiver 80kB.  The receiver wouldn't even need to store them to disk.  

Even smaller proofs can be achieved using the "high hash highway" system.  This allows a short proof that your chain has a high POW.  A new node could just ask all peers to prove that their chain has high POW and then download from the one(s) with the highest proof.

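An added illustration of the headers-first and checkpoint checks described in the post above (not part of the thread and not Bitcoin Core code): headers are validated before any block body is requested, so 1000 low-difficulty headers cost the receiver 80,000 bytes, and a hard checkpoint rejects the fork as soon as it reaches the checkpoint height. The toy target, the header layout, the chain seeds and all function names are assumptions.

```python
import hashlib
import struct

HEADER_SIZE = 80      # bytes per header, the figure used in the post above
TARGET = 2 ** 252     # toy "difficulty 1" target (assumption, not Bitcoin's)
GENESIS = b"\0" * 32  # constructed genesis hash

def block_hash(header):
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def make_header(prev_hash, seed):
    """Mine a toy 80-byte header: 32-byte prev hash, 44-byte body, 4-byte nonce."""
    nonce = 0
    while True:
        header = prev_hash + seed.ljust(44, b"\0") + struct.pack("<I", nonce)
        if int.from_bytes(block_hash(header), "big") <= TARGET:
            return header
        nonce += 1

def build_chain(seed, length):
    headers, prev = [], GENESIS
    for _ in range(length):
        headers.append(make_header(prev, seed))
        prev = block_hash(headers[-1])
    return headers

def check_headers(headers, checkpoints):
    """Validate headers before requesting any block body.
    Returns (accepted, reason, header_bytes_examined)."""
    prev = GENESIS
    for height, header in enumerate(headers, start=1):
        examined = height * HEADER_SIZE
        if len(header) != HEADER_SIZE or header[:32] != prev:
            return False, "broken link", examined
        digest = block_hash(header)
        if int.from_bytes(digest, "big") > TARGET:
            return False, "insufficient work", examined
        if checkpoints.get(height, digest) != digest:
            return False, "checkpoint mismatch", examined
        prev = digest
    return True, "ok", len(headers) * HEADER_SIZE

def demo():
    main = build_chain(b"main", 5)
    spam = build_chain(b"spam", 1000)       # cheap low-difficulty fork
    checkpoints = {3: block_hash(main[2])}  # hard checkpoint at height 3
    return (check_headers(main, checkpoints), check_headers(spam, {}),
            check_headers(spam, checkpoints))
```

Without checkpoints the spam headers still link and meet the toy target, so a node would go on to compare total work before fetching any bodies; with the checkpoint the fork is dropped after three headers.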
benjyz
April 24, 2014, 12:22:03 PM
 #20

> Random coalitions to alter the past can be formed at no cost to those colluding.

It is however not clear at all what the cost of collusion is, very much depending on the system. The Byzantine general problem assumes there is a (small) fixed number of generals. Presumably the soldiers under the command of a general are not colluding. In Lamport's model there is no cost of communication between generals. The fact that the plans are also tied to the history makes the situation much more complicated.