rpietila Altcoin Observer

[Peter R]

If mining goes to PoS the cost tends to zero.  

If the cost to secure the network tends to zero, then the cost to attack the network tends to zero is well. 

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable). 

[devphp]

If the cost to secure the network tends to zero, then the cost to attack the network tends to zero is well. 

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable). 

In PoS every currency unit is a small mining rig, and they are all created at Genesis block and it costs nothing. You don't have to make new regular capital investments into hardware, at least not significant ones, as for PoS any old computer will do that can run a wallet and the currency units inside the wallet do the mining. So the cost of securing the network is minimal, not zero, but perhaps 1-2% of the cost of the PoW network.

Cost of the attack of the PoS network is larger than cost of the attack on PoW network, as it's easier to buy hardware than to buy 51% currency units in existance in a PoS system, as that would drive the price billions and billions high.

[r0ach]

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable).  

I believe it might be solvable.  Satoshi relies on the idea of the majority of people being "honest miners" for the system to function.  A reputation system can be used to solve some of these problems since it is nothing more than a ledger of "honest miners".  I'm not really a fan of Invictus or NXT, but both systems seem to be moving towards experimenting with that solution.

[dewdeded]

DarkCoin delayed again ...

[Peter R]

If the cost to secure the network tends to zero, then the cost to attack the network tends to zero is well.  

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable).  

In PoS every currency unit is a small mining rig, and they are all created at Genesis block and it costs nothing. You don't have to make new regular capital investments into hardware, at least not significant ones, as for PoS any old computer will do that can run a wallet and the currency units inside the wallet do the mining. So the cost of securing the network is minimal, not zero, but perhaps 1-2% of the cost of the PoW network.

Cost of the attack of the PoS network is larger than cost of the attack on PoW network, as it's easier to buy hardware than to buy 51% currency units in existance in a PoS system, as that would drive the price billions and billions high.

No one has proven that it is possible to solve the "nothing-at-stake" problem.  In fact it is becoming clear that any PoX-type system can be attacked if the attacker holds 51% of the critical resource X (X = W for PoW and X = S for PoS).  It is easy to calculate the cost of an attack on PoW (it is the cost to acquire 51% of the hash power).  But what is the cost to attack a PoS system?  

Do you understand the "nothing-at-stake" problem (aka the "history re-write" problem)?

[klee]

If the cost to secure the network tends to zero, then the cost to attack the network tends to zero is well.  

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable).  

In PoS every currency unit is a small mining rig, and they are all created at Genesis block and it costs nothing. You don't have to make new regular capital investments into hardware, at least not significant ones, as for PoS any old computer will do that can run a wallet and the currency units inside the wallet do the mining. So the cost of securing the network is minimal, not zero, but perhaps 1-2% of the cost of the PoW network.

Cost of the attack of the PoS network is larger than cost of the attack on PoW network, as it's easier to buy hardware than to buy 51% currency units in existance in a PoS system, as that would drive the price billions and billions high.

No one has proven that it is possible to solve the "nothing-at-stake" problem.  In fact it is becoming clear that any PoX-type system can be attacked if the attacker holds 51% of the critical resource X (X = W for PoW and X = S for PoS).  It is easy to calculate the cost of an attack on PoW (it is the cost to acquire 51% of the hash power).  But what is the cost to attack a PoS system?  

Do you understand the "nothing-at-stake" problem (aka the "history re-write" problem)?

So why is this not already happening?

If you know how to kill it why don't you do so?

Honest questions..

[Peter R]

So why is this not already happening?

Partly because there are no decentralized PoS coins that are alive.

The developers of PoS coins either sign blocks as valid (e.g., Peercoin) or create new "updates" with checkpoints (e.g., Nxt).  In other words, they solve the history-rewrite problem by acting as a central authority.  

If you know how to kill it why don't you do so?

https://yourlogicalfallacyis.com/burden-of-proof

I said that no one had proved that the "nothing-at-stake" problem can be solved--I never said that it was unsolvable (although this is my opinion).  Until it can be proved to be impossible, I must accept that it may be possible (and I do).

Honest questions..

Considering that you wrote "if you know how to kill it," when I never made that claim, and then employed a logical fallacy "why don't you do so?" (burden of proof), I disagree: they weren't really honest questions.

[aminorex]

If mining goes to PoS the cost tends to zero.  

If the cost to secure the network tends to zero, then the cost to attack the network tends to zero is well. 

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable). 

Coins are a stake.  Coins are not nothing when they have purchasing power.  Is your concern that it is too easy to dominate purchasing power for a small currency?  That makes sense when the market cap is low, but if you boostrap with PoW, to achieve market cap which is indefeasible in practice, then the problem is solved, is it not?

[aminorex]

I believe it might be solvable.  Satoshi relies on the idea of the majority of people being "honest miners" for the system to function.  

I would prefer to say the majority are unable to effectively coordinate collusion.

It's a big difference philosophically, although perhaps not in practice.

[Peter R]

If mining goes to PoS the cost tends to zero.  

If the cost to secure the network tends to zero, then the cost to attack the network tends to zero is well. 

The is the essence of the "nothing-at-stake" problem with PoS that, despite claims to the contrary, remains unsolved (and IMO very likely unsolvable). 

Coins are a stake.  Coins are not nothing when they have purchasing power.  Is your concern that it is too easy to dominate purchasing power for a small currency?  That makes sense when the market cap is low, but if you boostrap with PoW, to achieve market cap which is indefeasible in practice, then the problem is solved, is it not?

That's not the nothing-at-stake problem. 

The attacker can attack the network using private keys that controlled coins in the past.  He creates an attack chain starting from a point in the currently-dominant chain where those coins were valid to create a new attack chain.  It is called "nothing at stake" because if the attack fails the already-spent coins he used to launch the attack simply remain worthless. 

[devphp]

Because there are no decentralized PoS coins that are alive.

The developers of PoS coins either sign blocks as valid (e.g., Peercoin) or create new "updates" with checkpoints (e.g., Nxt).  In other words, they solve the history-rewrite problem by acting as a central authority. 

I believe in NXT checkpoints exist only to force users to upgrade when there are new core features added to the software (mandatory upgrades), as they require most of the forgers to upgrade to keep network consistent and with no forks. But that is only because NXT is being developed actively. Once most core features are implemented, no checkpoints would be required, that's my understanding of it.

There is no "nothing-at-stake" problem. No entity can ever buy 51% of the coins in existance, hence PoS system is protected immensely better than PoW system. The cost of attack on a PoS system, once it's out of its infancy and has a large number of nodes, is infinite. The more coins you buy to carry out this attack, the higher the price gets, before long everyone and their mother will be buying that coin driving the price thru the roof, and you'll exhaust your fiat resources long before you can gain anything like 51% of the coins.

[Peter R]

There is no "nothing-at-stake" problem. No entity can ever buy 51% of the coins in existance.

The attacker needs 51% of coins the existed at some point in the past.  He can attack the network with 0% of the coins that are currently considered as valid. That's why it's called "nothing at stake": he can attack the network using coins that were already spent!

[devphp]

The attacker needs 51% of coins the existed at some point in the past.  He can attack the network with 0% of the coins that are currently considered as valid. That's why it's called "nothing at stake": he can attack the network using coins that were already spent!

Can you provide technical explanation of this attack?

[Peter R]

The attacker needs 51% of coins the existed at some point in the past.  He can attack the network with 0% of the coins that are currently considered as valid. That's why it's called "nothing at stake": he can attack the network using coins that were already spent!

Can you provide technical explanation of this attack?

DeathAndTaxes is probably the clearest writer on this topic.  I suggest you read his comments from the "PoS vs PoW" thread starting with this one:

You misunderstand.  The risk isn't that someone could attack the network, it is that they could attack the network with no cost.

Imagine bitcoin worked using a PoS.  An early adopter had acquired 1M BTC at one time in the past but over time he lost/sold/spent/transferred them.   Today he has no bitcoins but the blockchain contains a history of a time when he did have 1M BTC.  If the amount of the stake being used is <1M BTC he could rewrite history not by using coins he has today (a real cost), not by buying millions of mining rigs (a real cost) but by using the history of the coins he once had (no cost).  He has absolutely nothing at risk and nothing to lose.   If he and potentially others decided to attack the network they would rewrite the blockchain starting from when they had a larger stake, creating a parallel history where they didn't lose/sell/spend/transfer the coins.  

They can attack the network based on what they had (but no longer do) in the past.  There is nothing at risk and no cost to the attack.  THAT is the PoS problem.  

If bitcoin miners collude, they could alter the past.

Sure they can, however there is a cost to that attack and there is something at risk which they lose if they fail.  With PoS you can attack the network for "free" using something you had but no longer do.  It is very hard to secure against an attack where the attacker can do so at any time without any cost and without any risk.

Section 5 of Andytoshi's paper tries to address this too, but not in as much detail as DeathAndTaxes:

https://download.wpsoftware.net/bitcoin/asic-faq.pdf

[devphp]

I suppose the NXT network will reject those 'parallel' blocks they create as invalid, but you should probably refer to the NXT developers to get a detailed explanation on their forum.

[aminorex]

There is no "nothing-at-stake" problem. No entity can ever buy 51% of the coins in existance.

The attacker needs 51% of coins the existed at some point in the past.  He can attack the network with 0% of the coins that are currently considered as valid. That's why it's called "nothing at stake": he can attack the network using coins that were already spent!

CPoS certainly fixes that.

[r0ach]

DeathAndTaxes is probably the clearest writer on this topic.  

It seems like to me that any implementation of block chain pruning, would in effect, create a decentralized checkpoint that could be leveraged to solve the "nothing at stake", past coins being used to attack the network issue in PoS.  Why does NOBODY talk about this?

[Peter R]

There is no "nothing-at-stake" problem. No entity can ever buy 51% of the coins in existance.

The attacker needs 51% of coins the existed at some point in the past.  He can attack the network with 0% of the coins that are currently considered as valid. That's why it's called "nothing at stake": he can attack the network using coins that were already spent!

CPoS certainly fixes that.

My hunch is no.  I think it just obfuscates the problem.  DeathAndTaxes (and others like Gmaxwell, DannyHamilton, Grau, etc) are better at dissecting the fine details.

I, on the other hand, look at the problem from a macro perspective.  My theory is that it is impossible to create an objective decentralized time-stamp server without a tether to the physical world.  You see, proof of work translates a physical fact (energy expenditure) to a mathematical fact (entropy removed from block header).  This is PoW's tether to the physical world.  With PoS, all the rewards and expenses come from within the system itself.  It is my belief that it is not possible that such a system can remain objective with respect to physical reality.

I can't prove my hypothesis, however.  

[Peter R]

DeathAndTaxes is probably the clearest writer on this topic.  

It seems like to me that any implementation of block chain pruning, would in effect, create a decentralized checkpoint that could be leveraged to solve the "nothing at stake", past coins being used to attack the network issue in PoS.  Why does NOBODY talk about this?

Perhaps I am not following.  Pruning isn't at all like a checkpoint.  Can you explain in more detail what you mean?

Satoshi describes how blockchain pruning works in Section 7 of the original white paper.  Transactions are hashed into a Merkle tree, allowing for blockchain pruning without breaking the block's hash.  It is actually quite mind-blowing how this works.  Take a look: https://bitcoin.org/bitcoin.pdf

[aminorex]

My theory is that it is impossible to create an objective decentralized time-stamp server without a tether to the physical world.  

CPoS has plenty of physical grounding in its timestamping.  Anyhow, the obvious solution is to disallow rollbacks.  Doesn't really matter how you get there.  

Anyhow, I should read more about PoS before I make myself look even more foolish than I usually do.