Re: Proof of stake instead of proof of work

[Peter R]

Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here.  
Nodes communicate to each other in the real physical world,
which includes time as a dimension, and time itself does seem
physical.  In other words, we cannot capture it or measure
it using mathematics alone.

However, we can mathematically express sequence.

Proof of work takes time which is why it works.
It is the time between blocks being so much bigger
than the time between state changes that makes
distributed consensus possible.  

The idea was actually inspired by your thread about the need to ensure that the time period for consensus events is much greater than the time scale at which complexity enters the network.  I still think you could take this idea further….

Perhaps "tether to the physical world" was too broad a statement.  I actually meant some way to agree on the sequence of events that came from outside the system itself--some way that was tied to objective reality.  This is why I referred to radio emissions from the sun (which I think was gmaxwell's idea).  

[ChuckOne]

What I said was completely true.

Come one. An IF-clause is true in most cases because I consider you an intelligent person. But that IF-clause of yours does not answer my question.

You question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called my a liar and I would have no way to prove myself.  If I had said "no" you would have used it as an argument to further blur reality.  

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it form trusted hardware/software. So, where did the trusted hardware/software got it from?"


Well, and as this point, I got you.

Where does the trust come from? => code review, belief, opinions of your friends etc. etc.

[jonald_fyookball]

Peter, thinking about your "tether to the physical world" concept a bit more...

It is in fact time as a property of the physical world that is the key here.  
Nodes communicate to each other in the real physical world,
which includes time as a dimension, and time itself does seem
physical.  In other words, we cannot capture it or measure
it using mathematics alone.

However, we can mathematically express sequence.

Proof of work takes time which is why it works.
It is the time between blocks being so much bigger
than the time between state changes that makes
distributed consensus possible.  

The idea was actually inspired by your thread about the need to ensure that the time period for consensus events is much greater than the time scale at which complexity enters the network.  I still think you could take this idea further….

Perhaps "tether to the physical world" was too broad a statement.  I actually meant some way to agree on the sequence of events that came from outside the system itself--some way that was tied to objective reality.  This is why I referred to radio emissions from the sun (which I think was gmaxwell's idea).  

Broad yes, but you're absolutely right....time IS physical.  ....(but sequence is not.)

This is somewhat counterintuitive and not immediately obvious because
In everyday experience, time seems like an abstraction, yet when
you try to express it in purely quantitative terms, you see it isn't simply
an abstraction.  It is a dimension of state changes in the physical world.

 I'll try to think more on it.

[Peter R]

What I said was completely true.

Come one. An IF-clause is true in most cases because I consider you an intelligent person. But that IF-clause of yours does not answer my question.

You question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called my a liar and I would have no way to prove myself.  If I had said "no" you may have used it as an argument to further blur reality.  

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it form trusted hardware/software. So, where did the trusted hardware/software got it from?"

Again what I said was true.  I said you may have called me a liar.  And you may have (in fact you still might and maybe I am).  How do I know what you actually would have done if I had done something different?  

Nevertheless, my answer to your next set of questions goes back to my gold analogy: how do I know that a piece of metal is gold?  Should I just believe what I've come to know over the course of my life that gold is yellow, shinny, dense, atomic #79, etc?  What if it's not?  What if everyone is lying to me?  

What if cats are actually dogs and dogs are actually cats!!

[ChuckOne]

You question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called my a liar and I would have no way to prove myself.  If I had said "no" you would have used it as an argument to further blur reality.  

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it form trusted hardware/software. So, where did the trusted hardware/software got it from?"


Well, and as this point, I got you.

Where does the trust come from? => code review, belief, opinions of your friends etc. etc.

Here, I can show you substitution and abstraction:

 - substitute each red you by each item of this list [ChuckOne, Peter R, jonald_fyookball, Mr. Obama, ...] and you will see that it is applicable to each of them

 - abstract from that list [ChuckOne, Peter R, jonald_fyookball, Mr. Obama, ...] to Blockchain Network User

The logical conclusion here is:

A Blockchain Network User needs to verify or trust the software he uses anyway no matter if PoW or PoS.

[jonald_fyookball]

What I said was completely true.

Come one. An IF-clause is true in most cases because I consider you an intelligent person. But that IF-clause of yours does not answer my question.

You question was of a personal rather than technical nature, and directly answering a question like that is usually a bad idea.  If I had said "yes, I have the genesis hash memorized" you may have called my a liar and I would have no way to prove myself.  If I had said "no" you would have used it as an argument to further blur reality.  

Well, not true at all.

I would have said this:

You had answered YES => "Well, so where did you read it?" If you had answered then 'from trusted hardware/software', go to NO.

You had answered NO => "I assume, you copied it form trusted hardware/software. So, where did the trusted hardware/software got it from?"


Well, and as this point, I got you.

Where does the trust come from? => code review, belief, opinions of your friends etc. etc.

Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

[ChuckOne]

Nevertheless, my answer to your next set of questions goes back to my gold analogy: how do I know that a piece of metal is gold?  Should I just believe what I've come to know over the course of my life that gold is yellow, shinny, dense, atomic #79, etc?  What if it's not?  What if everyone is lying to me?  

What if cats are actually dogs and dogs are actually cats!!

Yes, everybody is lying to you.

So, I assume you always build your software yourself AND before that, you look through the code.

But still, how do you verify that hash? Where does it come from initially?

[ChuckOne]

Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

Exactly, because I cannot prove the past.

From an abstract point of view, it makes no difference if the block height is 0 or if it is X when currently being at X+T and T is huge.

One could use a client using X as a checkpoint (for whatever reason) and have no problem at all.
One could use a client using 0 as a checkpoint (for whatever reason) and have no problem at all.

One could use client using X as a checkpoint (for whatever reason) and be on a fork.
One could use client using 0 as a checkpoint (for whatever reason) and be on a fork.

Substitute X and 0 with whatever symbol you see fit. They are equivalent.

EDIT: And here you see again, you have to verify or trust the last checkpoint.

[Peter R]

Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

This discussion about the genesis block being a "checkpoint" is pure nonsense because it is as much a part of the definition of bitcoin as the protocol, the 21 million coins, the digital signature algorithm, etc, etc.  

If you say things like "how do you know cats aren't dogs a genesis block is The Genesis Block," you could also say "how do you know that bitcoin has a 21 million coin limit?  How do you know that bitcoin uses ECDSA?  How do you know that you know?

If you deny objective reality and if you refuse to accept that words have specific meanings, then debates devolves into mush like this one has.  

[DeathAndTaxes]

A Blockchain Network User needs to verify or trust the software he uses anyway no matter if PoW or PoS.

That is true.  It is an assumption in the security model.  Of course you are stuck on the idea that the genesis block can be forged (because you are trying to support a logical fallacy) that you ignore far obvious examples of why this is true.   If the attacker has compromised your node (hardware, operating system, node software) then you have no assurance you are part of the network at all.  The attacker could steal your private keys, the attacker could have you generate weak private keys, the attacker could feed you false information ("yes block 123 is valid and contains your payment" when no such block or transaction even exists), the attacker could simply wait until you obtain a desired amount of wealth and then transfer it to an address he controls.  You can't assume any level of security.  If your node is compromised then you have no security at all.

So yes the security model assumes that the node (not just the client software, but hardware, operating system, and connectivity to the network at large) is secure.  
It also assumes the cryptographic primitives used are cryptographically strong.
It also assumes the implementation makes no errors which weaken that security (duplicate k values in signing as an example).
It also assumes that no malicious entity have >50% of the critical resource (computing power and/or stake).

None of those assumptions are different for Pos vs PoW so they are irrelevant for a topic called "Proof of stake instead of proof of work".  The one notable difference between PoS & PoW is that an attacker can use something he had at one time but no longer has to attack the network.   This is commonly called the "PoS problem" but I think "history attack" is more descriptive.   Taking a step back this is possible for PoS (and possibly other as of yet developed systems) due to the fact that what is being secured is also what is being used to secure it.  The irreversibility of blockchain is being secured by records of the same blockchain*.  In other words we are assuming the blockchain can't be modified because based on records in the blockchain not being modified.  This property allows an attacker to reduce the cost and risk of an attack by selling off the stake and using the prior record of it to perform the attack.

Saying that one can simply disregard the longest chain by knowing which chain is correct by "code review" or "opinion of friends" is a logical fallacy.  If you can disregard the longest chain, and pick a chain because it is "better" despite being equally valid, different, and shorter then you don't need PoS or PoW to begin with.  You can just use your "code review" and "opinion of your friends" to determine the best chain at any point in time.   Of course "opinion of friends" expanded to a global scale would be to connect to all known peers and ask them which chain is best.  The issue is that the security model is weak and subject to sybill attack.   The very reason PoW of PoS is used is because reaching a consensus based on what a majority of nodes think is weak.  Can't you see the logical fallacy?

1) Chains may contain equally valid but different sets of transactions.
2) We can't just have nodes vote on the best chain as this is subject to a sybill attack and in a decentralized trustless network there is no known solution.
3) The solution is to have miners force a consensus using a critical resource (stake of computing power).
4) When a node has two competing chains that are both equally valid the chain which is the longest* is the best chain.

now here comes your fallacy
5) When the longest chain is "bad" we can just disregard it by asking our peers which one is the best which is a contradiction of #2.  

If it were true the security model would simply be
1) Chains may contain equally valid but different sets of transactions.
2) When a node has two competing equally valid chains it asks its peers which one is the "best".

If you believe #5 is valid then the proof of work/stake is utterly pointless.  You only follow it when it otherwise is in agreement on what you believe is best but when it disagrees with that you consult your peers.  If that was a valid solution then just skip the pointless interim steps and just consult with your peers.



* Side note when writing this an idea occurred to me of using the stake in a PoW blockchain to secure a different an alternate blockchain.  I have no idea if this has any merit but when writing this, it occurred to me that this might not have have the "PoW" problem.

[jonald_fyookball]

Chuck, based on your responses, you do not seem to be making a distinction between an initial release of software as a "centralized authority" and a checkpoint that was later announced for users of an existing cryptocurrency.

Exactly, because I cannot prove the past.

So you admit that.

I think this is the heart of the matter and source of the disagreement.

From an abstract point of view, it makes no difference if the block height is 0 or if it is X when currently being at X+T and T is huge.

One could use a client using X as a checkpoint (for whatever reason) and have no problem at all.
One could use a client using 0 as a checkpoint (for whatever reason) and have no problem at all.

One could use client using X as a checkpoint (for whatever reason) and be on a fork.
One could use client using 0 as a checkpoint (for whatever reason) and be on a fork.

Substitute X and 0 with whatever symbol you see fit. They are equivalent.

EDIT: And here you see again, you have to verify or trust the last checkpoint.

 
I think its irrelevant.  The key difference is that
one is a "contract/agreement" where all the rules of the game
are laid out at the very beginning (i.e. genesis block), and the other
one , has participants that can change the rules as they go along.

Can you not see a difference?

[DeathAndTaxes]

From an abstract point of view, it makes no difference if the block height is 0 or if it is X when currently being at X+T and T is huge.

Of course it does.  The hash of block 0 will never change.  I can print it out, put it in my safe and verify that network starts from the same genesis block a century from now.  The hash of X will change periodically and may not be consistent among all nodes.  For NXT it changes twice a day.   If you can't see the difference in the level of verification of a single universal static value which is hardcoded into the client (and if the client is insecure/flawed/noncompliant you have already broken a basic security assumption of all cryptocurrencies) and a locally computed value which is continually changing and may not be consistent for all nodes then well then you just don't want to see.

One could use client using 0 as a checkpoint (for whatever reason) and be on a fork.

The "for whatever reason" makes it a true but pointless statement.  If your node is secure and compliant then you verify the best chain independently UNLESS the protocol has local checkpoints as that behavior is non deterministic.  With a network which needs local checkpoints, you can never independently verify that you are on the best chain. That is a huge problem for a network which is designed for facilitate commerce without a trusted third party.

So to replace it with a meaningful distinction:
Given a secure and compliant node, and a protocol that uses does not local checkpoint rules, then your node can independently verify the best chain.
Given a secure and compliant node, and a protocol that uses does local checkpoint rules, then your node can not independently verify the best chain.

That will be my last post because honestly at this point if you don't see it, then it simply means you don't want to see it.

[ChuckOne]

Exactly, because I cannot prove the past.

So you admit that.

Did I state it otherwise? If so, excuse that, please.

I think its irrelevant.  The key difference is that
one is a "contract/agreement" where all the rules of the game
are laid out at the very beginning (i.e. genesis block), and the other
one , has participants that can change the rules as they go along.

Can you not see a difference?

Well, technically speaking, no. If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.

I understand where you coming from. However, things change over time. So does the notion/definition of Bitcoin. I cannot tell you what Bitcoin will be in 2000 years from now. But it has to change if the community wants it to survive. It is like evolution.

I mean, take you as an example. At least your family, your friends, your neighbors etc. call you with the same name as they did 1, 2, 3, 4, 5 years ago. But is it what they call really you? You changed over time. Your identity card works like a checkpoint. However, it verifies your older self. However, it might work for many people as a checkpoint. Your "genesis block" is your birth certificate and it works like a checkpoint, too.

If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.


Okay, I am out for today. Cya later guys.

[jonald_fyookball]

Exactly, because I cannot prove the past.

So you admit that.

Did I state it otherwise? If so, excuse that, please.

I think its irrelevant.  The key difference is that
one is a "contract/agreement" where all the rules of the game
are laid out at the very beginning (i.e. genesis block), and the other
one , has participants that can change the rules as they go along.

Can you not see a difference?

Well, technically speaking, no. If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.

I understand where you coming from. However, things change over time. So does the notion/definition of Bitcoin. I cannot tell you what Bitcoin will be in 2000 years from now. But it has to change if the community wants it to survive. It is like evolution.

I mean, take you as an example. At least your family, your friends, your neighbors etc. call you with the same name as they did 1, 2, 3, 4, 5 years ago. But is it what they call really you? You changed over time. Your identity card works like a checkpoint. However, it verifies your older self. However, it might work for many people as a checkpoint. Your "genesis block" is your birth certificate and it works like a checkpoint, too.

If it works like a checkpoint, looks like a checkpoint, it is a checkpoint.


Okay, I am out for today. Cya later guys.

Maybe DeathandTaxes is right...maybe you just don't want to see the difference.

I've leave you with 3 analogies that might help convey what we are trying to
communicate to you.

ANALOGY #1:

Take the game of basketball... imagine a new league was standard by Michael Jordan.
He sits in the stands every game, and he's allowed to change things at will.
He can, in the middle of the game, decide a basket is worth 7 points.  Or
he can role back the score.  Whatever he feels like that day.  Do you think
people would take that league as seriously as the NBA?

ANALOGY #2:

Imagine you have a mortgage on a house.  Would you rather have a fixed
rate mortgage, and know what your monthly payment is before you
sign the loan... Or would you rather have a variable rate loan where
it could be anything?

ANALOGY #3:

Do you negotiate a business contract before or after the work is done?
Do you come to a conensus upfront, before anyone has committed
any time, energy, money, and other resources,... or do you just let
the chips fall where they might, and come to an agreement later?

----

The point is, when you're talking about consensus, you're talking about
agreement among human beings.   Nearly everyone prefers to buy into a system
that is predictable and has fixed rules and parameters...  rather than
a system where it can be changed later.

[Brangdon]

The network stake will never be more than a fraction of the total money supply as coins used for staking are essentially locked capital.  A coin with 100% of the money supply being used as a stake would require 100% of the coins to be in hot wallets not being used for anything else (no cold storage, no transactions, no economic activity).

I don't believe that is true for Nxt. Especially with leased forging. ("Forging" is what Nxt calls mining.) Leased forging delegates the forging power of one node to another, leave the source address unable to forge. However, the source address still owns the coins and they can still be spent - spending them reduces the effective forging power of the other node. There's a transaction that sets this up, and then the network remembers the lease and takes it into account when calculating forging powers.

Once leased, the source address no longer needs to be online. Your stake isn't locked capital. You can still spend it and be economically active. You can keep your stake in cold storage and still use it for forging.

[dogisland]

The network stake will never be more than a fraction of the total money supply as coins used for staking are essentially locked capital.  A coin with 100% of the money supply being used as a stake would require 100% of the coins to be in hot wallets not being used for anything else (no cold storage, no transactions, no economic activity).

I don't believe that is true for Nxt. Especially with leased forging. ("Forging" is what Nxt calls mining.) Leased forging delegates the forging power of one node to another, leave the source address unable to forge. However, the source address still owns the coins and they can still be spent - spending them reduces the effective forging power of the other node. There's a transaction that sets this up, and then the network remembers the lease and takes it into account when calculating forging powers.

Once leased, the source address no longer needs to be online. Your stake isn't locked capital. You can still spend it and be economically active. You can keep your stake in cold storage and still use it for forging.

This makes the situation worse does it not ? Now NXT owners will lease their coins to a handful of operators to earn fees.

These operators would be perfectly placed to mount an attack. They would have a % of the POS coins and they can mount a double spend attack with pretty much zero risk as identified by DaT.

It would be nice to get a clear statement from the NXT guys as to wether this is possible or not.

 

[Brangdon]

This makes the situation worse does it not ? Now NXT owners will lease their coins to a handful of operators to earn fees.

These operators would be perfectly placed to mount an attack. They would have a % of the POS coins and they can mount a double spend attack with pretty much zero risk as identified by DaT.

It's similar to the situation with Bitcoin hashing pools. A few hashing pools together control over 51% of the hashing power, so that becomes a vulnerability for Bitcoin. The difference is that it's easier to set up a forging pool than a hashing pool, so hopefully we will have more of them, and the power will be less centralised. But yes, leased forging makes it feasible to gain a large fraction of forging power for little financial outlay, and that's something the community needs to be vigilant about (much as how the Bitcoin needs to be vigilant about hashing pools).

(Nxt has the additional danger that forging power is effectively moved around by transactions, and the node that forges a block gets to choose which transactions they include, so they could reject transactions that transfer forging power away from themselves. That is why forging leases are temporary, so they will eventually expire even if no transactions get processed. I'm not sure that's enough. In this regard a hashing pool is more responsive, because nothing can stop an individual hasher from withdrawing from a rogue pool immediately.)

I don't think most of DaT's comments apply to Nxt, because it's such a different algorithm not based on coin-days destroyed. For example, it doesn't use checkpoints so all the discussion of those is irrelevant. Unfortunately I don't understand Nxt's algorithm too well myself; and even if I did, they plan to change it to something called "transparent forging" in a few months, and the details of that are being kept secret for fear of clones.

[hashman]

Thanks ChuckOne for keeping the discussion going and those posters who have helped educate me on this issue.  I have to side with those who argue the genesis block is a checkpoint of sorts.  But that is a semantic argument isn't it?  To derail more meaningful discussion?   

Indeed it looks like the goalposts have changed in this discussion.  In my opinion the proof of stake proponents still need to pursue the goal of showing us one way in which proof of stake is necessary or helpful.  So far it looks to me like the only way it is helpful is to make an economic distribution which is more unfair.  Of course, more unfair is good if you are on the right side of the fence. 

Instead of trying to explain what problem PoS tries to solve, the discussion has been around just how bad the various other security holes introduced by PoS are. 

The argument that PoS is somehow more energy efficient is false.  Either you allow your miners (forgers) to expend as much energy to mine as they like (as e.g. BTC and PPC do and perhaps NXT as well if this talk of SHA256 guesses in forging is true)..   or you don't.  If you are allowing miners / forgers to expend as much energy as they like, they might spend a lot if they so choose.  Hardly a problem in need of a solution is it.   

As to proof of stake somehow being more immune to 51% attack the discussion has basically been around how much more vulnerable it is than proof of work.  A lot more vulnerable?  Or just a little bit.  In any case there isn't really a problem here either because all participants know of the possibility of a double spend attack and associated costs and can wait for an amount of confirmations that they choose accordingly. 



 

[DeathAndTaxes]

As to proof of stake somehow being more immune to 51% attack the discussion has basically been around how much more vulnerable it is than proof of work.  A lot more vulnerable?  Or just a little bit.  In any case there isn't really a problem here either because all participants know of the possibility of a double spend attack and associated costs and can wait for an amount of confirmations that they choose accordingly.

Careful.  The number of confirmations increases the confidence that the chain can't be reversed IF the attacker has a minority of the critical resource.  This is the same for both PoW and Pos and likely any other PoX systems to be created.   If the attacker has a majority of the critical resources then it is a mathematical certainty that the attacker will eventually produce the longest chain so 6, 100, 5,000 confirmations is insufficient to ensure that a transaction can't be reversed.   

[ThePurplePlanet]

This makes the situation worse does it not ? Now NXT owners will lease their coins to a handful of operators to earn fees.

These operators would be perfectly placed to mount an attack. They would have a % of the POS coins and they can mount a double spend attack with pretty much zero risk as identified by DaT.

It's similar to the situation with Bitcoin hashing pools. A few hashing pools together control over 51% of the hashing power, so that becomes a vulnerability for Bitcoin. The difference is that it's easier to set up a forging pool than a hashing pool, so hopefully we will have more of them, and the power will be less centralised. But yes, leased forging makes it feasible to gain a large fraction of forging power for little financial outlay, and that's something the community needs to be vigilant about (much as how the Bitcoin needs to be vigilant about hashing pools).

(Nxt has the additional danger that forging power is effectively moved around by transactions, and the node that forges a block gets to choose which transactions they include, so they could reject transactions that transfer forging power away from themselves. That is why forging leases are temporary, so they will eventually expire even if no transactions get processed. I'm not sure that's enough. In this regard a hashing pool is more responsive, because nothing can stop an individual hasher from withdrawing from a rogue pool immediately.)

I don't think most of DaT's comments apply to Nxt, because it's such a different algorithm not based on coin-days destroyed. For example, it doesn't use checkpoints so all the discussion of those is irrelevant. Unfortunately I don't understand Nxt's algorithm too well myself; and even if I did, they plan to change it to something called "transparent forging" in a few months, and the details of that are being kept secret for fear of clones.

Doesnt matter what you call it ... coin days destroyed, stake lending or transparent forging. The fact is that stake holders who owned and sold their stake they can repeat the same method and produce an alternate chain of the PoS coin and claim their stake back by showing more stake power. Old stake owners will always have an incentive to do that because of profit.

Add to the fact that increased economic activity will reduce the stake used for minting (which is already very low for PoS coins) and thus lower % of stake used to secure current chain it is a recipe for long-term disaster or eventual centralization. From central bankers to central programmers.