Bitcoin Forum
Author Topic: Re: Proof of stake instead of proof of work  (Read 6901 times)
Dusty
April 24, 2014, 12:36:48 PM
 #21

Doesn't checkpointing prevent that?
Checkpointing is a centralized solution.

The network should work well even without them.

AnonyMint
May 02, 2014, 01:58:20 AM
 #22

Proof-of-stake will never remain decentralized:

https://bitcointalk.org/index.php?topic=558316.msg6501774#msg6501774

Send all proof-of-stake currencies to the trashcan.

ThePurplePlanet
May 08, 2014, 08:09:41 PM
 #23

I've got an idea, and I'm wondering if it's been discussed/ripped apart here yet:

I'm wondering if as bitcoins become more widely distributed, whether a transition from a proof of work based system to a proof of stake one might happen.  What I mean by proof of stake is that instead of your "vote" on the accepted transaction history being weighted by the share of computing resources you bring to the network, it's weighted by the number of bitcoins you can prove you own, using your private keys.

For those that don't want to be actively verifying transactions, and so that not all private keys need to be facing the network, votes could be delegated to other addresses via some kind of nonstandard Bitcoin transaction.  In this way, voting power would accumulate with trusted delegates instead of miners.  New bitcoins and transaction fees could be randomly and periodically distributed to delegates, weighted by the number of votes they've accumulated, thereby incentivising diversity of the delegates and direct voters.

If the implementation could be done, it proved to maintain at least a similar level of privacy and trustworthiness, and it only minimally complicated the UX, I'm thinking that a proof of stake based fork could out-compete a proof of work one due to much lower transaction fees, since its network wouldn't need to support the cost of the miners' computing resources.  (Note that the vote delegation scheme has bandwidth/storage overhead that would offset these savings by some amount which would hopefully be relatively small.)

Some other potential improvements this system could offer:
  • Possibly quicker, more definite confirmation of transactions, depending on how it can be implemented.
  • The "voting power" may be more trustworthy, since it would accumulate in a bottom-up fashion via a network of trust, instead of in the somewhat arbitrary way it accumulates now.  (Note the potential problem of vote-buying here.)
  • It would remove the physical point of failure of bitcoin mining equipment, which can be confiscated or made illegal to run.
  • It could be used to provide stakeholders a means of making their voices heard (via the delegated voting system it establishes) when it comes to proposals for software updates and protocol changes.

Anyway, I just wanted to throw the idea out here to see if there are any obvious reasons why it couldn't be implemented, and to hopefully spark a discussion amongst those better qualified than me.

Cheers.

The idea of PoS after full adoption is interesting. Don't forget that currently all PoS approaches suffer from the nothing at stake problem. If the longest chain is based on biggest stake hashing, an early adopter that sold can recreate the chain from the beginning and reverse his sale. Also it is easy to double spend instant transactions since someone can keep trying without losing the stake. Still many questions are unanswered by PoS proponents that need to be resolved. As of now no solution is addressing these problems.
bitbadgerPoS
May 09, 2014, 06:47:22 AM
 #24

I have proposed a solution which I believe would eliminate some of the problems with existing PoS systems.  I call it Proof-of-Connection.

https://bitcointalk.org/index.php?topic=553414

Basically, this system requires "ping" transactions to be submitted to the network at random intervals.  A wallet node must be connected to the network in order to receive the trigger for these transactions, and to be able to send them.  Upon successful inclusion of these PoC transactions into a block, that address's Stake-Days are reduced to 0, but their stake earnings are paid out to them in the coinbase transaction for that block.  Of course, mining a PoS/PoC block will also reset your Stake-Days to 0.  Most importantly, your Stake-Days will ALSO be reduced to 0 if you DON'T send the PoC transaction in a timely manner.  So you will not be able to let your coins lie dormant and let your Stake-Days accumulate without being connected to the network.  You MUST be actively connected in order for your stake to accumulate.

I believe that this effectively prevents the Stake Accumulation problem.  No matter what, your Stake-Days will be reduced to 0 on a regular, random basis.  This should require a true 51% coin holdings in order to successfully pull off a 51% attack.

Furthermore, the PoC concept can be used to implement a rough time-synchronization enforcement.  In this paradigm, the timestamp can be moved forward a small amount, but never backwards.  The timestamp of the most recently generated block will serve as a reference to all connected nodes.  By sending the PoC transactions, nodes indicate their acceptance of this timestamp, and start counting up from that point.  It is understood that transactions not matching the current timestamp within X allowed variance, will be discarded.  It is understood that new blocks not matching the current timestamp within X allowed variance, will be discarded.  This is needed because of the way that PoS mining works.  The nonce used for block generation is based on the timestamp.  One nonce per second.  If people are able to manipulate time and create blocks with timestamp (nonce) far out into the future, it essentially turns into a PoW coin, because people could increment the seconds an arbitrary length of time until they find a block.  If their hardware is very fast, it would be easy to mine block after block.  A basic sanity check on the timestamp prevents this from occurring, and the only way to implement a basic timestamp sanity check is to require some level of clock synchronization.

If two competing blocks with roughly the same timestamp are generated, the one with more Stake-Days Destroyed will be chosen.  (Note, as is discussed in the linked thread, Stake-Days are not destroyed when simply sending coins in a standard transaction, as in Peercoin.)

A further refinement (not yet posted in the linked thread) is that the successful miner/minter of a block will obtain transaction fees based not only on the standard transactions, but also on the PoC transactions included in their block.  This incentivizes them not to discard PoC transactions.  These fees are true transaction fees for standard transactions, but the PoC transaction fees are generated in the coinbase transaction.  Yes, this means that somebody with a tiny amount of coins could potentially earn a multiple of their current holdings through transaction fees.  However, they would have to be very lucky, as their Stake-Days will always be very small, thus raising their effective PoS mining difficulty.
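
The timestamp sanity check described in the post above, as an added Python example that is not part of the original post or of any coin's code. The kernel function, the 15-second value for "X allowed variance" and every sample value are assumptions made for illustration; the example counts how many block-producing timestamps a minter has available with and without the check.

```python
import hashlib

MAX_DRIFT = 15  # seconds; assumed value for the post's "X allowed variance"


def kernel_hit(prev_hash, address, timestamp, stake_days, base_target):
    """Toy PoS kernel (assumed form): the timestamp is the only nonce, so an
    honest minter gets one try per second. More Stake-Days raises the target."""
    data = prev_hash + address + timestamp.to_bytes(8, "big")
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") < base_target * stake_days


def timestamp_ok(block_ts, reference_ts, local_now, max_drift=MAX_DRIFT):
    """Sanity check from the post: never behind the most recent block, and
    within max_drift seconds of the validating node's synchronized clock."""
    if block_ts < reference_ts:
        return False
    return abs(block_ts - local_now) <= max_drift


def acceptable_hits(prev_hash, address, stake_days, base_target,
                    reference_ts, local_now, search_ahead, enforce_check):
    """Timestamps in (reference_ts, reference_ts + search_ahead] that satisfy
    the kernel and that validators would accept."""
    hits = []
    for ts in range(reference_ts + 1, reference_ts + search_ahead + 1):
        if enforce_check and not timestamp_ok(ts, reference_ts, local_now):
            continue  # validators discard this block, so the hit is useless
        if kernel_hit(prev_hash, address, ts, stake_days, base_target):
            hits.append(ts)
    return hits


# Constructed sample values, not taken from any real chain.
PREV_HASH = hashlib.sha256(b"constructed previous block").digest()
ADDRESS = b"constructed-minter-address"
REFERENCE_TS = 1_400_000_000     # timestamp of the most recent block
LOCAL_NOW = REFERENCE_TS + 5     # validator's clock, 5 s after that block
STAKE_DAYS = 1024
BASE_TARGET = 2 ** 240           # 2**240 * 1024 = 2**250: 1-in-64 per try


def compare(search_ahead=100_000):
    """Return (hits without the check, hits with the check)."""
    args = (PREV_HASH, ADDRESS, STAKE_DAYS, BASE_TARGET,
            REFERENCE_TS, LOCAL_NOW, search_ahead)
    return acceptable_hits(*args, False), acceptable_hits(*args, True)


if __name__ == "__main__":
    unchecked, checked = compare()
    print("usable timestamps without the check:", len(unchecked))
    print("usable timestamps with the check:   ", len(checked))
```

Without the check, every future second is another try and the scheme degrades into hashing speed, as the post argues; with it, the minter is limited to the handful of seconds validators will accept.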
coopbody
May 10, 2014, 01:42:22 PM
 #25

I think it cannot be called a replacement. The development direction of POW in future will likely be force output to computing projects intentionally, and can produce results, will only stay a part to ensure the network running.
This may be a good direction for the future, the road is own pow coin.
ChuckOne
May 10, 2014, 08:16:12 PM
 #26

Doesn't checkpointing prevent that?
Checkpointing is a centralized solution.

The network should work well even without them.

Yeah. That is the reason why Bitcoin uses checkpointing: https://bitcointalk.org/index.php?topic=558316.msg6520315#msg6520315
ChuckOne
May 10, 2014, 08:19:22 PM
 #27

No, both PoS and PoW allow everyone to participate in exact proportion to their resources.
No: you can't buy coins of the chain you want to mine if they are not for sale, whatever your resources are.

While you can build how much hashing power you want if you have the resources, and nobody, nobody, can't stop you.

The difference is quite abysmal.

Yes, but in another sense than you think.

Hashing power can be introduced at will and without any control of the network. That is pretty bad IMHO.

Stake cannot be introduced afterwards AND if so the network controls it and can react.
hashman
May 11, 2014, 07:13:08 PM
 #28


Hashing power can be introduced at will and without any control of the network. That is pretty bad IMHO.

There was a coin where the network had no control concerning newly added hashing power.  It was called liquidcoin.  Typically a difficulty adjustment algorithm takes care of that :)
ChuckOne
May 11, 2014, 07:23:00 PM
 #29

There was a coin where the network had no control concerning newly added hashing power.  It was called liquidcoin.  Typically a difficulty adjustment algorithm takes care of that :)

Takes care of what? The difficulty cannot change the proportion of consensus power within one network.
gmaxwell
May 11, 2014, 09:52:44 PM
 #30

Yeah. That is the reason why Bitcoin uses checkpointing
No, if you'd bothered to do some research you'd find out that checkpoints solve a number of boring DOS attack weaknesses which are better— though less simply— solved with a more intelligent fetching architecture. They also solve some initialization isolation attacks, which are better solved with threshold difficulty. I expect that once we've merged headers first we'll drastically reduce or eliminate the role they play in the reference software.
ChuckOne
May 12, 2014, 05:31:33 PM
 #31

No, if you'd bothered to do some research you'd find out that checkpoints solve a number of boring DOS attack weaknesses which are better— though less simply— solved with a more intelligent fetching architecture. They also solve some initialization isolation attacks, which are better solved with threshold difficulty. I expect that once we've merged headers first we'll drastically reduce or eliminate the role they play in the reference software.

What is your opinion about that paper I referenced?

(http://www.links.org/files/decentralised-currencies.pdf)
ThePurplePlanet
May 12, 2014, 07:56:36 PM
Last edit: May 12, 2014, 09:13:21 PM by ThePurplePlanet
 #32

No, if you'd bothered to do some research you'd find out that checkpoints solve a number of boring DOS attack weaknesses which are better— though less simply— solved with a more intelligent fetching architecture. They also solve some initialization isolation attacks, which are better solved with threshold difficulty. I expect that once we've merged headers first we'll drastically reduce or eliminate the role they play in the reference software.

What is your opinion about that paper I referenced?

(http://www.links.org/files/decentralised-currencies.pdf)

What you are referring to is a proof of stake problem and not proof of work.

Assume the current mining infrastructure for bitcoin is 1 billion. Say the attacker buys 1.1 billion worth of equipment. For someone to make a profit is to be able to sell 12 million coins on the markets and recover more than 1.1 billion (plus something to cover the hashing power that came from transactions). So the rational attacker needs to take the expected profit into account. Bitcoin has much less liquidity to even recover 200million.

On top of that, long term this is not an issue when transaction rewards are higher than block rewards, because the attacker does not gain from transactions hashing power.

On the other hand, for proof of stake, an early adopter can have, let's say, 10% and sell that early. Now let's say the current minting stake of a proof of stake coin is 5%. It means that the early adopter who sold and doesn't care about the PoS coin creates a parallel chain that eventually will be stronger than the current chain. In a decentralized consensus system you have to accept the stronger chain that the early adopter produced. In particular, any group of people that sold can gather and produce a stronger chain and profit. And this attack has zero cost for early adopters that sold. Whatever the attacker gains from selling is a net profit.

Anyone can create a bitundo type of pool gather investors who sold the coin and have X+1 stake where X is the current stake hashing and attack. That will be pure profit and someone might do it.

Compare that with the PoW attacker who possibly will have a loss due to the equipment cost and amount he can recover.
ChuckOne
May 15, 2014, 08:20:47 PM
 #33

Quote
What is your opinion about that paper I referenced?

(http://www.links.org/files/decentralised-currencies.pdf)

What you are referring to is a proof of stake problem and not proof of work.

The paper is about Bitcoin. So, it is definitely about proof of work.
ChuckOne
May 15, 2014, 08:32:07 PM
 #34

This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.

The same works for Bitcoin, too.

Why do you insist on defining a mining rig differently from a PoS token?

If bitcoin miners collude, they could alter the past.
If Nxt forgers collude, they could alter the past.

I see no difference.
DeathAndTaxes
May 15, 2014, 08:42:49 PM
Last edit: May 15, 2014, 08:58:27 PM by DeathAndTaxes
 #35

This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.

The same works for Bitcoin, too.

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins. 

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

Quote
If bitcoin miners collude, they could alter the past.

Sure they can, however there is a cost to that attack and there is something at risk which they lose if they fail.  With PoS you can attack the network for "free" using something you had but no longer do.  It is very hard to secure against an attack where the attacker can do so at any time without any cost and without any risk.
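
The scenario in the post above as a toy model, added here and not part of the original thread. The account ledger, the addresses, the amounts and the stake-sum fork-choice score are all assumptions for illustration; the model shows that stake is evaluated against a branch's own recorded history, so an address that holds nothing on the accepted chain still carries its old balance on a branch that forks before the sale.

```python
from dataclasses import dataclass

# Constructed starting balances; all names and amounts are illustrative.
GENESIS = {"early": 1_000_000, "alice": 200_000, "bob": 150_000}


@dataclass(frozen=True)
class Block:
    minter: str            # address whose stake produced the block
    transfers: tuple = ()  # (sender, receiver, amount) triples


def replay(chain):
    """Yield (block, balances just before that block) along one branch,
    then (None, balances at the tip)."""
    balances = dict(GENESIS)
    for block in chain:
        yield block, dict(balances)
        for sender, receiver, amount in block.transfers:
            if balances.get(sender, 0) < amount:
                raise ValueError(f"{sender} overspends on this branch")
            balances[sender] -= amount
            balances[receiver] = balances.get(receiver, 0) + amount
    yield None, balances


def balances_at_tip(chain):
    return list(replay(chain))[-1][1]


def branch_weight(chain):
    """Assumed fork-choice score: for every block, add the minter's balance
    as recorded on THIS branch at the moment the block was minted."""
    return sum(before.get(block.minter, 0)
               for block, before in replay(chain) if block is not None)


def preferred(a, b):
    """A node following 'heaviest stake wins' picks the heavier branch."""
    return a if branch_weight(a) >= branch_weight(b) else b


# Two blocks shared by both histories.
PREFIX = (Block("alice"), Block("bob"))

# Accepted history: "early" sells everything in block 3 and stops minting;
# the active minting stake (alice, bob) stays well below 1M.
HONEST = PREFIX + (
    Block("alice", (("early", "exchange", 1_000_000),)),
    Block("bob"), Block("alice"), Block("bob"),
)

# Parallel history forked before the sale: the transfer never appears,
# so on this branch "early" still owns the coins and can mint with them.
REWRITE = PREFIX + (Block("early"),) * 4

if __name__ == "__main__":
    print("early's balance on accepted chain:", balances_at_tip(HONEST)["early"])
    print("early's balance on rewritten chain:", balances_at_tip(REWRITE)["early"])
    print("weights:", branch_weight(HONEST), branch_weight(REWRITE))
```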
AsymmetricInformation
May 15, 2014, 09:20:12 PM
 #36


Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins. 

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.

Beautifully explained, as always.

ChuckOne
May 15, 2014, 09:25:15 PM
 #37

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.

(No matter if PoS or PoW)
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.
DeathAndTaxes
May 15, 2014, 09:46:41 PM
 #38

Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.
It is more than a "property" it is an as of yet unresolved problem.  There is no security in PoS unless it is resolved.

Quote
(No matter if PoS or PoW)

Um, well no. I can't mine using computing power I no longer have (but did have at one point in the past).


Quote
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.

The cost to the attacker is absolutely zero.  If he can gain anything more than zero he has everything to gain and nothing to lose.   It would destroy confidence in the PoS currency you are correct especially when it happens over and over and over without end.  That is why it is the PoS problem.
ChuckOne
May 15, 2014, 09:58:41 PM
 #39

Okay, I got that. However, calling it a problem is a rather bold claim. I would call it a property of PoS.
It is more than a "property" it is an as of yet unresolved problem.  There is no security in PoS unless it is resolved.

Let me restate my question. Why should a node 100000 blocks ahead accept a blockchain re-organisation?

Quote
(No matter if PoS or PoW)

Um, well no. I can't mine using computing power I no longer have (but did have at one point in the past).

Our mining rigs destroy themselves? I doubt it.

Quote
Who would want to be on that fork anyway? In doing so, they would destroy every single bit of confidence in that very cryptocurrency.

The cost to the attacker is absolutely zero.  If he can gain anything more than zero he has everything to gain and nothing to lose.   It would destroy confidence in the PoS currency you are correct especially when it happens over and over and over without end.  That is why it is the PoS problem.

Well, as I said this is true for PoS and PoW. Trying to destroy would definitely diminish confidence in the cryptocurrency as such no matter if PoS or PoW.

Your statement about 'no cost' is true as well.

However, the huge advantage of PoS is: the network controls the consensus power and the network can punish the bad guys. I would call this the PoW problem as the consensus power can easily be introduced from outside without any control whatsoever.
jubalix
May 15, 2014, 11:13:56 PM
 #40

This is a problem at any stake. Random coalitions to alter the past can be formed at no cost to those colluding.
Checkpointing is not an alternative to decentralized consensus but central override of it.

The same works for Bitcoin, too.

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins.  

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

Quote
If bitcoin miners collude, they could alter the past.

Sure they can, however there is a cost to that attack and there is something at risk which they lose if they fail.  With PoS you can attack the network for "free" using something you had but no longer do.  It is very hard to secure against an attack where the attacker can do so at any time without any cost and without any risk.

Does this quite follow?

To POS mine you have to have the coins now in your possession. The fact that you have spent them [according to your scenario] means you can no longer mine with them in a proper POS setup. E.g., spent coins, for you cannot anymore accumulate coin age.

Thus your mining power = 0.

On another point, NXT appears to be 100% POS and has not been forked or hacked by anyone to date. Further, it appears that the network swiftly punishes miners that try to undertake dubious activity, like producing dodgy blocks.
