Bitcoin Forum
Author Topic: Re: Proof of stake instead of proof of work  (Read 6901 times)
telepatheic
May 17, 2014, 05:09:21 PM
 #101

The Blockchain (proper noun) is the "best" chain (of blocks containing digital signatures) that originates from the Genesis Block (proper noun).  A proper noun refers to a "unique entity."  A chain of blocks that does not originate from the Genesis Block cannot be the Blockchain by definition.  

Whilst true, SPV nodes have no way of validating the genesis block so they can only work when we assume the greatest difficulty chain segment is bitcoin (regardless of which genesis block the chain originates from).
gmaxwell
May 17, 2014, 05:25:13 PM
 #102

Whilst true, SPV nodes have no way of validating the genesis block
wtf, no. Of course they know and validate the genesis block, it's part of the definition of the coin. They would ignore a greater work chain that disagrees with the genesis block.
DeathAndTaxes
May 17, 2014, 05:25:48 PM
Last edit: May 17, 2014, 05:44:30 PM by DeathAndTaxes
 #103

The Blockchain (proper noun) is the "best" chain (of blocks containing digital signatures) that originates from the Genesis Block (proper noun).  A proper noun refers to a "unique entity."  A chain of blocks that does not originate from the Genesis Block cannot be the Blockchain by definition.  

Whilst true, SPV nodes have no way of validating the genesis block so they can only work when we assume the greatest difficulty chain segment is bitcoin (regardless of which genesis block the chain originates from).

Why do you think that?  SPV clients are hardcoded with the contents of the genesis block just like any other node.  There is no difference between the two.  If you are following a chain which doesn't begin with the Bitcoin genesis block you are not part of the Bitcoin network.

SPV clients still validate the block headers. To validate block one requires knowing the correct hash for the previous block (block zero = genesis block).  Technically an SPV client could be hardcoded with just the genesis block hash, but an SPV client already must have the ability to compute the current block difficulty, perform block hashing, and validate that the block hash is smaller than the target so you don't really save anything by hardcoding the hash instead of the contents.

Part of the problem may come from shorthand language.  "Longest chain" doesn't just mean the chain with the most difficulty, it means the chain of valid blocks with the most difficulty.  An invalid block can't extend the chain.  "Valid" for Bitcoin means a variety of checks including the prior block hash and by extension that necessitates that the chain begin from the genesis block.  While you are correct that currently one could skip the genesis block validation that was never part of Satoshi's security design and it may not be true in the future (another coin could someday have more computing power).  SPV are no different than full nodes in this respect.  Given how trivially easy it is to verify the genesis block (and the added DOS hardening that adds) there is no reason to skip this check.
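
The header checks described in the post above, as an added example (not code from any poster or from a real client): the genesis hash is hardcoded, and every later header must meet the target and reference its predecessor. The header fields are the public mainnet values for blocks 0 and 1, the function names are illustrative, and retargeting is omitted, so the fixed `bits` check only applies to the first 2016 blocks.

```python
import hashlib
import struct

# Public mainnet constants (not supplied by the thread's posters).
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"
# Hash of block 1; this is the 00000000839a... value quoted in the thread.
BLOCK1_HASH = "00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048"
INITIAL_BITS = 0x1D00FFFF  # compact target in force for the first 2016 blocks


def make_header(version, prev_hash, merkle_root, timestamp, bits, nonce):
    """Serialize an 80-byte header; hashes are passed in display (hex) order."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash)[::-1]
            + bytes.fromhex(merkle_root)[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash(header):
    """Double SHA-256 of the header, in the usual display byte order."""
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1].hex()


def bits_to_target(bits):
    """Expand the compact 'bits' encoding into the integer target."""
    return (bits & 0x007FFFFF) << (8 * ((bits >> 24) - 3))


def validate_headers(headers):
    """Check a header chain from height 0 and return (ok, reason)."""
    if not headers or header_hash(headers[0]) != GENESIS_HASH:
        return False, "chain does not start at the hardcoded genesis block"
    prev = None
    for height, hdr in enumerate(headers):
        if len(hdr) != 80:
            return False, f"height {height}: malformed header"
        bits = struct.unpack_from("<I", hdr, 72)[0]
        if bits != INITIAL_BITS:
            return False, f"height {height}: unexpected difficulty bits"
        digest = header_hash(hdr)
        if int(digest, 16) > bits_to_target(bits):
            return False, f"height {height}: hash does not meet target"
        if height > 0 and hdr[4:36][::-1].hex() != prev:
            return False, f"height {height}: does not link to previous header"
        prev = digest
    return True, "ok"


GENESIS = make_header(1, "00" * 32,
    "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    1231006505, INITIAL_BITS, 2083236893)
BLOCK1 = make_header(1, GENESIS_HASH,
    "0e3e2357e806b6cdb1f70b54c3a3a17b6714ee1f0e68bebb44a74b1efd512098",
    1231469665, INITIAL_BITS, 2573394689)
# Constructed: the genesis header with a different nonce, standing in for
# the first block of some other chain.
OTHER_GENESIS = GENESIS[:76] + struct.pack("<I", 1)

if __name__ == "__main__":
    print(validate_headers([GENESIS, BLOCK1]))        # accepted
    print(validate_headers([OTHER_GENESIS, BLOCK1]))  # rejected at height 0
    print(validate_headers([BLOCK1]))                 # segment without genesis
```

A chain that starts anywhere other than the hardcoded genesis block is rejected before any comparison of accumulated work takes place.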
ChuckOne
May 17, 2014, 05:58:36 PM
 #104

Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Where did you get this hash from? From your memory?

Both gold and the Blockchain have certain properties, as shown below.  Arguments like "if we all agree to start calling different things bitcoin, the blockchain and the genesis block, then that's all that matters," is again linguistics:  people could start calling the alloy of copper and zinc (i.e, brass) "gold" instead.  If everyone does this, then its name might eventually become "gold."  But this will never happen because it is useful for words to have specific meanings, and even if it did happen it doesn't change the fact that "gold" (copper/zinc) still isn't gold (element 79).  

'renaming' is a logical tool. We call it substitution and it is necessary to abstract things and make things comparable and re-usable. It furthermore helps focusing the mind when thinking about the bigger picture.

I am not saying we should call gold copper and vice versa but I say it could be helpful to use the term metal.
Peter R
May 17, 2014, 06:31:08 PM
Last edit: May 17, 2014, 07:00:47 PM by Peter R
 #105

Both gold and the Blockchain have certain properties, as shown below.  Arguments like "if we all agree to start calling different things bitcoin, the blockchain and the genesis block, then that's all that matters," is again linguistics:  people could start calling the alloy of copper and zinc (i.e, brass) "gold" instead.  If everyone does this, then its name might eventually become "gold."  But this will never happen because it is useful for words to have specific meanings, and even if it did happen it doesn't change the fact that "gold" (copper/zinc) still isn't gold (element 79).  

'renaming' is a logical tool. We call it substitution and it is necessary to abstract things and make things comparable and re-usable. It furthermore helps focusing the mind when thinking about the bigger picture.

I am not saying we should call gold copper and vice versa but I say it could be helpful to use the term metal.


I think what it comes down to is objective versus subjective reality.  Your argument seems ridiculous to me [actually I don't even understand what you are saying], but I think that's because I believe in objective reality.  Do you believe that reality exists outside our perception of it?

I think it is the same thing with proof of work versus proof of stake.  Consensus in a proof-of-work system is tethered to objective reality (the best valid chain criteria).  Consensus in a proof-of-stake system comes entirely from within the system and thus without a tether to the physical world; solving forks like the one you just had with V1.1.3 requires a subjective decision to be made.  I suppose you still come to consensus, but the consensus may not reflect objective reality (but I don't think PoS supporters believe in objective reality so perhaps this point is not important to them).  

I think perhaps a PoS-like system could be designed to agree on objective reality, but I think it would need some tether to the physical world.  Maybe people could measure radio emissions from the sun, for instance, and use this as the tether.  


Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Where did you get this hash from? From your memory?


If I remember the thing about the Chancellor and the Bailouts and if I have that one number memorized (block hash), then I can personally verify whether a genesis block is The Genesis Block.  The analogy to gold holds once again: if I remember that gold is shiny and yellow and if I have its atomic number memorized, then I can personally verify whether a metal is Gold.  


If you don't believe in objective reality, then what happened in the past becomes popular opinion rather than fact.  But I think if the past is rewritable based on popular opinion, then it will be rewritten.  And then this starts sounding like Winston Smith's job at the Ministry of Truth in George Orwell's novel 1984.


Run Bitcoin Unlimited (www.bitcoinunlimited.info)
DeathAndTaxes
May 17, 2014, 06:42:24 PM
Last edit: May 17, 2014, 07:32:54 PM by DeathAndTaxes
 #106

A recent 51% attack on a PoS coin.
https://bitcointalk.org/index.php?topic=483847.0

Granted it is a small coin, from a clueless developer but it does illustrate one common misconception.  A common argument from PoS supporters is that obtaining 51% of the money supply would be nearly impossible however that isn't the requirement.  The attacker only needs 51% of the network stake which will be some fraction of the total money supply.  In the case of "Coin2" it looks like the money supply is ~60M NC2, and the active network stake was ~10M NC2.  It only required the attacker to obtain >10M NC2 (~16% of the money supply) to attack the network and that assumes the 10M network stake didn't contain any of the attacker's coins.   The attacker can make the network appear more secure than it is by adding to the network stake prior to the attack.  We don't know exactly how much of the 10M network stake was held by the attacker but let's say it was 6M NC2, that means the effective security was only 4M coins (~6% of the money supply).  

Once the attacker had more than 51% of the network stake, he executed a double spend against mintpal (an exchange) resulting in a loss for the exchange (customers) of 22M NC2.  

The network stake will never be more than a fraction of the total money supply as coins used for staking are essentially locked capital.  A coin with 100% of the money supply being used as a stake would require 100% of the coins to be in hot wallets not being used for anything else (no cold storage, no transactions, no economic activity).   Looking at other PoS coins the network stake tends to be somewhere in the range of 20% to 30% of the money supply.  

The "fix" from the developers is a centralized seizure of the network and reboot.  While that can "work" for a small pump and dump altcoin with no future it obviously is not viable for any crypto currency to be taken seriously.  Centralized security for a decentralized network is an oxymoron.
Peter R
May 17, 2014, 06:55:16 PM
 #107

Centralized security for a decentralized network is an oxymoron.

And believing that it's not an oxymoron is doublethink.  

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
jonald_fyookball (OP)
May 17, 2014, 07:15:55 PM
 #108

Peter... no it's not because we need a tether to physical world.  Hashes are mathematical.  It's simply because PoW acts as a timestamp.

ChuckOne
May 17, 2014, 07:20:07 PM
 #109

[...]

I understand you have no idea of logic.

Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  

Where did you get this hash from? From your memory?


If I remember the thing about the Chancellor and the Bailouts and if I have that one number memorized (block hash), then I can personally verify whether a genesis block is The Genesis Block.  The analogy to gold holds once again: if I remember that gold is shiny and yellow and if I have its atomic number memorized, then I can personally verify whether a metal is Gold.  

Damn Peter. What is the matter in answering that simple question?

(But I see that you are able to abstract - well done)
Eadeqa
May 17, 2014, 07:23:18 PM
 #110

 While that can "work" for a small pump and dump altcoin with no future it obviously is not viable for any crypto currency to be taken seriously.  Centralized security for a decentralized network is an oxymoron.

Nxt doesn't have centralized points. Its PoS algorithm is different than all Peercoin clones, well according to CfB -- one of the main developers.

Nomi, Shan, Adnan, Noshi, Nxt, Adn Khn
NXT-GZYP-FMRT-FQ9K-3YQGS
https://github.com/Lafihh/encryptiontest
telepatheic
May 17, 2014, 07:23:44 PM
 #111

Why do you think that?  SPV clients are hardcoded with the contents of the genesis block just like any other node.  There is no difference between the two.  If you are following a chain which doesn't begin with the Bitcoin genesis block you are not part of the Bitcoin network.

Ok, I've got the wrong definition of SPV. The actual definition means they check blocks back to the genesis block.

In reality, bitcoinj (the most common SPV client) only downloads headers since the last checkpoint (included in a file shipped with the client). I was under the impression that this meant that by definition SPV clients don't have to check all the blocks just enough to have confidence that they are on the real chain.
ChuckOne
May 17, 2014, 07:25:39 PM
 #112

Nxt doesn't have centralized points. Its PoS algorithm is different than all Peercoin clones, well according to CfB -- one of the main developers.

It is. I have looked through the code. The point in the Nxt forging algo is the determinism that outperforms any other PoS blockchain.

Peercoin uses another definition of stake:
 - Nxt: Stake = NXT
 - Peercoin: Stake = PPC x time
jonald_fyookball (OP)
May 17, 2014, 07:42:14 PM
 #113

I would refer the nxt enthusiasts back to this:

Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

I have not seen anything which shows how deterministic vs random selection makes it more difficult for an attacker to produce a reorg (I assume you mean reorganization not fork).  It is an interesting idea and it does ensure that a node, either maliciously or inadvertently, doesn't create a stake and then fail to produce blocks.  When a node should create the next block but doesn't the value of its stake is reduced to zero.  Still in this case the attacker is going to produce blocks and deterministic or random if an attacker has 51% of the stake it will produce the longest chain in the long run. 

I was unable to come up with a good response to this...maybe he is correct or maybe y'all have an answer.

jonald_fyookball (OP)
May 17, 2014, 07:49:01 PM
 #114

Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here. 
Nodes communicate to each other in the real physical world,
which includes time as a dimension, and time itself does seem
physical.  In other words, we cannot capture it or measure
it using mathematics alone.

However, we can mathematically express sequence.

Proof of work takes time which is why it works.
It is the time between blocks being so much bigger
than the time between state changes that makes
distributed consensus possible. 


ChuckOne
May 17, 2014, 07:55:49 PM
 #115

Is it still trivially easy to fork, even if we are not using Peercoin's method?  What if we are using NXT which uses a more deterministic method of selecting which node creates the next blocks.
Probably less trivial?  ...and could this solve the issue of attacking isolated node?

The advantage is that a bad guy has to outperform the legit chain in terms of cumulative difficulty.

With less than 51%, that is highly unlikely or expensive (works like mining: finding the right block chain by trying out billions of them).
With more than 51%, well you know the answer.

With TF, we can push the limit to ~90%. Well, as we know that is just a nice number. 100% is the theory but the world is not perfect => 90%.


Isolated nodes? The same problem everywhere. Solvable only by real-world interaction.

I mean what do you expect? A node that cannot interact with the legit part of the network. How should a node become aware of the things going on on the legit part of the network? IF it can become aware of them, it is not an isolated node anymore.
Peter R
May 17, 2014, 07:58:14 PM
 #116

Consensus about the Genesis Block is more a question for linguistics than computer science.  Just like gold is that shiny yellow metal with atomic number 79, the Genesis Block is that collection of bytes with the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" encoded and with hash 00000000839a8e6886ab5951d76f411475428afc90947ee320161bbf18eb6048.  
Where did you get this hash from? From your memory?
If I remember the thing about the Chancellor and the Bailouts and if I have that one number memorized (block hash), then I can personally verify whether a genesis block is The Genesis Block.  The analogy to gold holds once again: if I remember that gold is shiny and yellow and if I have its atomic number memorized, then I can personally verify whether a metal is Gold.  
Damn Peter. What is the matter in answering that simple question?

(But I see that you are able to abstract - well done)

What I said was completely true.  Your question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called me a liar and I would have no way to prove myself.  If I had said "no" you may have used it as an argument to further blur reality.  

Run Bitcoin Unlimited (www.bitcoinunlimited.info)
ChuckOne
May 17, 2014, 07:58:50 PM
 #117

Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here. 

Interesting. Nxt is highly sensitive to unsynchronized clocks. It looks like we have found Peter's tether to the physical world.
DeathAndTaxes
May 17, 2014, 07:58:56 PM
Last edit: May 17, 2014, 08:15:07 PM by DeathAndTaxes
 #118

With TF, we can push the limit to ~90%. Well, as we know that is just a nice number. 100% is the theory but the world is not perfect => 90%.

You know this how?  Correct me if I am wrong but the source code for TF has not been publicly released or peer reviewed.

Quote
With more than 51%, well you know the answer.
It is also important to keep in mind that it is not 51% of the money supply, it is 51% of the coins actively used as the network stake which for NXT and PPC right now is ~30% and there is no guarantee that the 30% all belongs to honest actors.  

As a complete hypothetical (not intended to represent any specific coin or implementation) let's consider a virtual currency, xCoin which has 100M xCoins outstanding and is secured by PoS.  The naive assumption (and often repeated by proponents) is that it would take >50M xCoins to attack the network but that is never the case.  Let's assume the network stake is 25M xCoins and that means at most it would require an attacker to have >25M xCoins.  Still even that is unrealistic because it assumes all 25M xCoins currently used as stake are "good" minters.  It would be effective for an attacker as he acquires the coins necessary to attack the network to contribute to the security of the network, and thus raise difficulty, lower the relative reward for staking and discourage additional contributions to network stake.  So let's assume that the attacker actually has 10M of the 25M xCoins in the current network stake.  This means the security of the network is only 15M xCoins.  To 51% the network would require not >50M xCoins, or even >25M xCoins but only >15M xCoins (and this hypothetical attacker already has 10M xCoins). 

Most PoS coins to date have had ~20% of 30% of the money supply used for the network stake however none of them have any significant economic activity.  As economic activity rises it is probable the percentage of the money supply remaining in high age hot wallets in order to contribute to the stake will decline not increase.  So if the example xCoin ever becomes an economic success the stake might only be 15% of the outstanding coins and even that may include the stake of bad actors.
jonald_fyookball (OP)
May 17, 2014, 08:00:34 PM
 #119

With more than 51%, well you know the answer.

With TF, we can push the limit to ~90%. Well, as we know that is just a nice number. 100% is the theory but the world is not perfect => 90%.


Really? How ?  Thx..

jonald_fyookball (OP)
May 17, 2014, 08:03:48 PM
 #120

Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here. 

Interesting. Nxt is highly sensitive to unsynchronized clocks. It looks like we have found Peter's tether to the physical world.

Don't know all the details of NXT but I discussed all this with DeathandTaxes in this very thread.  I agree there are other ways to deal with time but PoW is the most robust.
