Bitcoin Forum
Topic: PoS is far inferior to PoW - why are so many people advocating switching to PoS
cryptogeeknext
November 14, 2014, 03:28:49 PM
Last edit: November 14, 2014, 05:19:07 PM by cryptogeeknext
 #181


Yes, you need to invest in both cases, only with PoW you can invest your intellect and time to create a breakthrough in mining technology (basically in your garage), while in PoS system you need to convince the incumbents to sell their stakes to you. See the difference?

I'm now thinking that something like proof of activity or proof of importance might be more relevant in the long term. Considering the decline in the number of Bitcoin's full nodes, if you're rewarded for just running a node that's already a step in the right direction, however the exact algorithms need to be studied more closely.

building otherwise useless hardware can hardly be the reason to call pow superior

Shooting alien monsters in a video game is pretty much useless too, but that's what sells graphics cards.
And manufacturers are fighting with each other, exploring various options to make them even faster.

Who knows maybe PoW mining will create enough incentive to finally get humanity beyond silicon electronics. Maybe we will see advancements with graphene or photonics sooner with PoW than without. What about an incentive to develop new sources of energy, solar or geothermal, PoW might be that incentive.

The bottom line is that with PoW a neutral algorithm judges the innovation, in PoS - corruptible humans and entrenched interests do the judgement, and so far they have been instrumental in suppressing anything that challenges them.

Even though on the surface two schemes might seem somewhat similar, they are fundamentally different:
PoW - neutrality, freedom of innovation, hacker mentality, equality of opportunity, game of skills
PoS - entrenched interests, corruptible humans, oppression, inheritance of wealth, game of luck

there is an element of everything in every thing
devphp
November 14, 2014, 03:30:30 PM
 #182

Who?
What happens after 10 1440 block "jumps" and it hits the "limit"?

No, don't ask me. You claim that there are centralized checkpoints or whatever you claim there is, prove the flaws, it's your job.

It's not a "flaw", it's a checkpoint every 14400 blocks, which equates to 10 days. So if your server goes offline for longer than that, then you need to download the chain from a trusted party, which usually comes from nxtcrypto.org or nxtbase.com. Did I read something wrong?

Why do you read the code from a few months ago by the way?
Here is the latest release for analysis:
https://bitbucket.org/JeanLucPicard/nxt/src
tromp
November 14, 2014, 03:34:13 PM
 #183

Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations, on average, are necessary to find a branch where the cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.
Without a detailed further explanation of the so called Nothing at Stake 'problem', further discussion is quite useless.

Well, first of all, if Alice has 75% of stake, then the simplest attack would be in the future:
just fork and keep both branches as equal in cumulative difficulty as possible, never letting
one get too far ahead of the other. Thus, there will never be consensus. In fact, for this attack,
one needs only 51%. Or even much less if other stakeholders work on both branches.

But for argument's sake, let's  consider the original challenge. The math is pretty tricky, but let me
sketch the rough idea of an attack.

The regular history developed by picking, at each block, the minimum delay among the stakeholders.
This delay has some probability distribution and some expectation which is the average block interval.

If you reduce the stakeholders to 75%, then the distribution will shift to longer delays.
BUT, Alice is not limited to single-step extensions. She can compute a huge tree of all possible
k-step extensions. With 400 accounts, this tree will have 400^k leaves, and require roughly that
many SHA256 computations. But for large enough k, one would expect one of these leaves to have
a path with an unusually small sum of k delays, less than k times the average delay for all stakeholders.

The question is, how big a k do you need. And this obviously depends on both the number of accounts,
and percentage of stake held by Alice. For the given numbers, I expect a small k like 4 would suffice,
but this needs to be worked out in detail.

In that case, to cover 300 blocks, you'd need to compute 75 trees of 400^4 leaves each, for a rough
total of 75*400^4 = 1.92*10^12 SHA256s, well within the realms of feasibility.

For k larger than 6 this attack would become quite infeasible, but it's not clear to what percentage of stake
that corresponds, unless one goes through the math...
Daedelus
November 14, 2014, 03:38:29 PM
 #184

Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations, on average, are necessary to find a branch where the cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.
Without a detailed further explanation of the so called Nothing at Stake 'problem', further discussion is quite useless.

Well, first of all, if Alice has 75% of stake, then the simplest attack would be in the future:
just fork and keep both branches as equal in cumulative difficulty as possible, never letting
one get too far ahead of the other. Thus, there will never be consensus. In fact, for this attack,
one needs only 51%. Or even much less if other stakeholders work on both branches.

But for argument's sake, let's  consider the original challenge. The math is pretty tricky, but let me
sketch the rough idea of an attack.

The regular history developed by picking, at each block, the minimum delay among the stakeholders.
This delay has some probability distribution and some expectation which is the average block interval.

If you reduce the stakeholders to 75%, then the distribution will shift to longer delays.
BUT, Alice is not limited to single-step extensions. She can compute a huge tree of all possible
k-step extensions. With 400 accounts, this tree will have 400^k leaves, and require roughly that
many SHA256 computations. But for large enough k, one would expect one of these leaves to have
a path with an unusually small sum of k delays, less than k times the average delay for all stakeholders.

The question is, how big a k do you need. And this obviously depends on both the number of accounts,
and percentage of stake held by Alice. For the given numbers, I expect a small k like 4 would suffice,
but this needs to be worked out in detail.

In that case, to cover 300 blocks, you'd need to compute 75 trees of 400^4 leaves each, for a rough
total of 75*400^4 = 1.92*10^12 SHA256s, well within the realms of feasibility.

For k larger than 6 this attack would become quite infeasible, but it's not clear to what percentage of stake
that corresponds, unless one goes through the math...

I like you tromp :D I'll add some detail that will mean you have to change this when I have double checked it. And we can go from there. I'll probably start a new thread, to get away from these baseless generalised assertions.

N.B. just so I know, are you familiar with the Nxt Forging algo at all? Doesn't matter if you aren't.
ChuckOne
November 14, 2014, 04:20:31 PM
 #185

I'm not familiar with nxt assets, I was referring to POS in general. Having ANY POS whatsoever discourages spending and thus kills adoption. Having no POS encourages spending, because your money will be worth less than it is tomorrow. Alt-coins are supposed to be just that, coins, a currency. If you don't want your currency to devalue you invest it somewhere (get interest at a bank, buy stocks w/e), you shouldn't expect the act of holding to be rewarded.

Please explain.
gatra
November 14, 2014, 04:37:13 PM
 #186

Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations, on average, are necessary to find a branch where the cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.
Without a detailed further explanation of the so called Nothing at Stake 'problem', further discussion is quite useless.

Well, first of all, if Alice has 75% of stake, then the simplest attack would be in the future:
just fork and keep both branches as equal in cumulative difficulty as possible, never letting
one get too far ahead of the other. Thus, there will never be consensus. In fact, for this attack,
one needs only 51%. Or even much less if other stakeholders work on both branches.

But for argument's sake, let's  consider the original challenge. The math is pretty tricky, but let me
sketch the rough idea of an attack.

The regular history developed by picking, at each block, the minimum delay among the stakeholders.
This delay has some probability distribution and some expectation which is the average block interval.

If you reduce the stakeholders to 75%, then the distribution will shift to longer delays.
BUT, Alice is not limited to single-step extensions. She can compute a huge tree of all possible
k-step extensions. With 400 accounts, this tree will have 400^k leaves, and require roughly that
many SHA256 computations. But for large enough k, one would expect one of these leaves to have
a path with an unusually small sum of k delays, less than k times the average delay for all stakeholders.

The question is, how big a k do you need. And this obviously depends on both the number of accounts,
and percentage of stake held by Alice. For the given numbers, I expect a small k like 4 would suffice,
but this needs to be worked out in detail.

In that case, to cover 300 blocks, you'd need to compute 75 trees of 400^4 leaves each, for a rough
total of 75*400^4 = 1.92*10^12 SHA256s, well within the realms of feasibility.

For k larger than 6 this attack would become quite infeasible, but it's not clear to what percentage of stake
that corresponds, unless one goes through the math...

This doesn't make sense to me. All 400^k possibilities are very very likely to have less cumulative difficulty than the main chain, because 75% < 100%
The attack will probably fail. This attack does not make sense to me.

However, imagine she had 51% some 200 blocks ago, and sat on it, without staking. Then, she can stake them on a parallel, attack chain. The attack chain will have stake 51% > 49%, so it is very very likely to succeed just doing it the normal way, minimizing the delay, which requires only minimal hashrate. Be it 6, 200, or 720 blocks. This attack makes sense and does not need hashrate.


cryptogeeknext
November 14, 2014, 04:52:30 PM
Last edit: November 15, 2014, 01:06:52 PM by cryptogeeknext
 #187

I'm not familiar with nxt assets, I was referring to POS in general. Having ANY POS whatsoever discourages spending and thus kills adoption. Having no POS encourages spending, because your money will be worth less than it is tomorrow. Alt-coins are supposed to be just that, coins, a currency. If you don't want your currency to devalue you invest it somewhere (get interest at a bank, buy stocks w/e), you shouldn't expect the act of holding to be rewarded.

Please explain.

I think more correct assessment is that by holding PoS coins you are eligible to receive interest, while PoW coins don't give you any interest explicitly, but rather from scarcity/inflation mechanisms, which may vary from one coin to another.

EDIT:

Even though on the surface two schemes might seem somewhat similar, they are fundamentally different:
PoW - neutrality, freedom of innovation, hacker mentality, equality of opportunity, game of skills
PoS - entrenched interests, corruptible humans, oppression, inheritance of wealth, game of luck

Pick your flavor of the future.

there is an element of everything in every thing
DumbFruit
November 14, 2014, 05:12:42 PM
 #188

Why do you read the code from a few months ago by the way?
Here is the latest release for analysis:
https://bitbucket.org/JeanLucPicard/nxt/src

I didn't know there were two repositories. But anyway, it's the same damn thing;
https://bitbucket.org/JeanLucPicard/nxt/src/88073b26bd65e89ddb074181c5f50f6701e7b177/src/java/nxt/peer/GetMilestoneBlockIds.java?at=master

Did I incorrectly describe the purpose of Milestones?

By their (dumb) fruits shall ye know them indeed...
tromp
November 14, 2014, 05:28:54 PM
 #189

All 400^k possibilities are very very likely to have less cumulative difficulty than the main chain, because 75% < 100%

You're not appreciating how the statistics work out here.

75% being less than 100% just means that the delay distribution is shifted to the right.
But sampling from a huge number like 400^k means you'll get much further into the left-tail
of this shifted distribution, so you can easily beat the unshifted average.
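
The statistical point in dispute here (a 75% holder is slower per block, yet searching every k-step sequence of her own accounts reaches the left tail of the delay distribution) can be measured in a toy model. This is an added example, not part of any post and not Nxt code; the 16 equal-stake accounts, the hash-to-delay rule and every name below are assumptions, and base-target retargeting and cumulative-difficulty accounting are ignored.

```python
import hashlib

N_TOTAL = 16   # constructed: equal-stake accounts in the whole network
N_ALICE = 12   # constructed: accounts Alice controls (75% of the stake)


def make_accounts(count):
    """Constructed placeholder 'public keys', not real account data."""
    return [f"constructed-account-{i}".encode() for i in range(count)]


def step(gensig, account, n_total=N_TOTAL):
    """One forging step in the toy model.

    Assumption: the next generation signature is SHA-256(previous || account),
    its first 8 bytes are a uniform 'hit', and the delay is hit / stake share.
    With equal shares of 1/n_total the delay is hit * n_total, in units where
    the full network averages just under 1 per block.
    """
    nxt = hashlib.sha256(gensig + account).digest()
    hit = (int.from_bytes(nxt[:8], "big") + 1) / 2**64
    return hit * n_total, nxt


def greedy_delay(gensig, accounts, depth):
    """Total delay when the lowest-delay account forges every block."""
    total = 0.0
    for _ in range(depth):
        delay, gensig = min((step(gensig, a) for a in accounts),
                            key=lambda s: s[0])
        total += delay
    return total


def best_path_delay(gensig, accounts, depth, so_far=0.0, bound=float("inf")):
    """Smallest total delay over every depth-step account sequence.

    Exhaustive depth-first search over len(accounts)**depth leaves, pruned
    whenever a partial sum already matches or exceeds the best found so far.
    """
    if depth == 0:
        return so_far
    children = sorted((step(gensig, a) for a in accounts), key=lambda s: s[0])
    for delay, nxt in children:
        total = so_far + delay
        if total >= bound:
            break  # siblings are sorted, so the rest are no better
        bound = min(bound,
                    best_path_delay(nxt, accounts, depth - 1, total, bound))
    return bound


def compare(depth, trials=20):
    """Average delay per block for three strategies over constructed starts."""
    everyone = make_accounts(N_TOTAL)
    alice = everyone[:N_ALICE]
    sums = {"full_stake_greedy": 0.0, "alice_greedy": 0.0, "alice_tree": 0.0}
    for t in range(trials):
        start = hashlib.sha256(f"constructed-start-{t}".encode()).digest()
        sums["full_stake_greedy"] += greedy_delay(start, everyone, depth)
        sums["alice_greedy"] += greedy_delay(start, alice, depth)
        sums["alice_tree"] += best_path_delay(start, alice, depth)
    return {name: total / (depth * trials) for name, total in sums.items()}


if __name__ == "__main__":
    # Per-block averages for k = 1..4; compare alice_tree with the other two.
    for k in range(1, 5):
        result = compare(k)
        print(k, {name: round(value, 3) for name, value in result.items()})
```

The tree result is never above the greedy one for the same accounts, because the greedy sequence is one of the leaves; how it compares with the full-stake figure as k grows is the quantity the two posters disagree about.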

tromp
November 14, 2014, 05:32:16 PM
 #190

N.B. just so I know, are you familiar with the Nxt Forging algo at all? Doesn't matter if you aren't.

Somewhat familiar. Every stake-holder computes some delay that is more or less inversely proportional
to their stake. They can announce the next block after waiting that many seconds.
sadface
November 14, 2014, 06:34:27 PM
 #191

I'm not familiar with nxt assets, I was referring to POS in general. Having ANY POS whatsoever discourages spending and thus kills adoption. Having no POS encourages spending, because your money will be worth less than it is tomorrow. Alt-coins are supposed to be just that, coins, a currency. If you don't want your currency to devalue you invest it somewhere (get interest at a bank, buy stocks w/e), you shouldn't expect the act of holding to be rewarded.

Please explain.

I think more correct assessment is that by holding PoS coins you are eligible to receive interest, while PoW coins don't give you any interest explicitly, but rather from scarcity/inflation mechanisms, which may vary from one coin to another.

EDIT:

Even though on the surface two schemes might seem somewhat similar, they are fundamentally different:
PoW - neutrality, freedom of innovation, hacker mentality, equality of opportunity, game of skill
PoS - entrenched interests, corruptible humans, oppression, inheritance of wealth, game of luck

Pick your flavor of the future.

you don't receive interest in nxt
devphp
November 14, 2014, 06:55:49 PM
 #192

Why do you read the code from a few months ago by the way?
Here is the latest release for analysis:
https://bitbucket.org/JeanLucPicard/nxt/src

I didn't know there were two repositories. But anyway, it's the same damn thing;
https://bitbucket.org/JeanLucPicard/nxt/src/88073b26bd65e89ddb074181c5f50f6701e7b177/src/java/nxt/peer/GetMilestoneBlockIds.java?at=master

Did I incorrectly describe the purpose of Milestones?

The purpose of this milestones code is "an optimization to speed up finding out what is the last common block you share with a peer." (c) JeanLucPicard
gatra
November 14, 2014, 07:09:30 PM
 #193

All 400^k possibilities are very very likely to have less cumulative difficulty than the main chain, because 75% < 100%

You're not appreciating how the statistics work out here.

75% being less than 100% just means that the delay distribution is shifted to the right.
But sampling from a huge number like 400^k means you'll get much further into the left-tail
of this shifted distribution, so you can easily beat the unshifted average.


Ok, this is a different attack vector. The math is tricky and it's probably not worth it: we agreed that if you have that stake you can attack without hashrate!

still, for the sake of argument (http://xkcd.com/1432/):

ok, but each block is independent, you are at a disadvantage on every block, and you want more cumulative difficulty after k blocks. On every block that you select any account of yours that is not the one with lowest delay, you get farther away from your goal expecting to offset that with "good luck" in following blocks. With a large sample you can expect to get lucky, but on each block that you don't use the optimal (minimal delay) account you need even more luck to catch up.
I still think that beating the unshifted average is not that easy and it could happen that in all your branches you end up with less cumulative difficulty. In NXT the target gets larger as time since last block passes by, so doing a simulation would be much easier than calculating. Still, my point is: if you have that stake you can attack without hashrate!

Regarding the other attack that someone posted a link to: they mention bruteforcing the private key in order to get a public key that will forge in the future. You can forge 1440 blocks after setting the public key, and you can't reorg more than 720 so it doesn't work. If you remove that limitation, yes, it's an attack that requires big amounts of hashrate.

So, I concede there are attacks that utilize lots of hashrate. However, I'll say it again: if you have that stake you can attack without hashrate!


DumbFruit
November 14, 2014, 07:19:03 PM
 #194

The purpose of this milestones code is "an optimization to speed up finding out what is the last common block you share with a peer." (c) JeanLucPicard
But requesting milestones from peers only checks back 1440 blocks for 10 "jumps", so if the closest common milestone is further than that, then it would just be unable to find a common block. That would happen either because it had forked 14400 blocks ago, or because the peers had gotten 14400 blocks ahead.
At which point, as far as I can tell, the client needs to start over with a node that is passed to him from the NxT domains. That seems like a pretty clear "checkpoint" in all but name.

Although, the server "won't allow" forks after 720 blocks, so I guess it only looks for older milestones in case the server was just offline for less than 10 days. I don't really understand the point of that rule, since all it seems to accomplish is making forks permanent.

I need to see how this thing isn't getting drowned in orphans. Ostensibly it's because no large stakeholder has bothered to try to mess with it. That's the goal, I know, but good grief, if I wanted to trust rich people that much I'd stay with fiat.

By their (dumb) fruits shall ye know them indeed...
devphp
November 14, 2014, 07:52:47 PM
 #195

The purpose of this milestones code is "an optimization to speed up finding out what is the last common block you share with a peer." (c) JeanLucPicard
But requesting milestones from peers only checks back 1440 blocks for 10 "jumps", so if the closest common milestone is further than that, then it would just be unable to find a common block. That would happen either because it had forked 14400 blocks ago, or because the peers had gotten 14400 blocks ahead.
At which point, as far as I can tell, the client needs to start over with a node that is passed to him from the NxT domains. That seems like a pretty clear "checkpoint" in all but name.

Although, the server "won't allow" forks after 720 blocks, so I guess it only looks for older milestones in case the server was just offline for less than 10 days. I don't really understand the point of that rule, since all it seems to accomplish is making forks permanent.

I need to see how this thing isn't getting drowned in orphans. Ostensibly it's because no large stakeholder has bothered to try to mess with it. That's the goal, I know, but good grief, if I wanted to trust rich people that much I'd stay with fiat.

There are no "NXT domains", there are peers which all share a copy of the blockchain. If you think all the blockchain is downloaded from one centralized service, well, you need to check your facts again. Installing the client, downloading the blockchain, and looking at the peers tab would be one simple way of doing it.
DumbFruit
November 14, 2014, 08:24:53 PM
Last edit: November 14, 2014, 08:47:57 PM by DumbFruit
 #196

There are no NXT domains, there are peers which all share a copy of the blockchain. If you think all the blockchain is downloaded from one centralized service, well, you need to check your facts again. Installing the client, downloading the blockchain, and looking at the peers tab would be one simple way of doing it.
When you first download the client, NXT domains provide a "random" list of peers. We don't really know if they're random and they're only on their list to begin with because they've decided to trust them.

There's no particular reason why we couldn't see several large stake chains because forgers can forge on multiple chains without any problem.

There's nothing that I see that can automatically move nodes to a valid chain. If you happen to be on the "forked" chain, then eventually you just need to reinstall the server and load up the node from the "right" ones, which seems to be determined by whichever nodes the NXT domains point you to.

By their (dumb) fruits shall ye know them indeed...
Jean-Luc
November 14, 2014, 08:38:02 PM
 #197

The purpose of this milestones code is "an optimization to speed up finding out what is the last common block you share with a peer." (c) JeanLucPicard
But requesting milestones from peers only checks back 1440 blocks for 10 "jumps", so if the closest common milestone is further than that, then it would just be unable to find a common block.
Wrong. This happens in a while(true) loop. It will just request the next 10 milestone blocks, and keep going back until Genesis if no common block is found.
Quote
At which point, as far as I can tell, the client needs to start over with a node that is passed to him from the NxT domains.
If it cannot download the blockchain from the current peer, it will switch to another peer. Peers exchange their known peers lists with each other all the time, there is no mechanism that will lock your node to only download from certain peers, let alone from hardcoded Nxt domains.

lead Nxt developer, gpg key id: 0x811D6940E1E4240C
Nxt blockchain platform | Ardor blockchain platform | Ignis ICO
DumbFruit
November 14, 2014, 08:46:41 PM
Last edit: November 14, 2014, 09:37:05 PM by DumbFruit
 #198

The purpose of this milestones code is "an optimization to speed up finding out what is the last common block you share with a peer." (c) JeanLucPicard
But requesting milestones from peers only checks back 1440 blocks for 10 "jumps", so if the closest common milestone is further than that, then it would just be unable to find a common block.
Wrong. This happens in a while(true) loop. It will just request the next 10 milestone blocks, and keep going back until Genesis if no common block is found.
Ok, so I misread it. The milestones just save time finding a shared block, but the client doesn't allow forks further than 720 blocks, so it's kind of a moot point anyway. "Whichever chain has the most people using it" is the ultimate arbitrator.

Quote from: DumbFruit
At which point, as far as I can tell, the client needs to start over with a node that is passed to him from the NxT domains.
If it cannot download the blockchain from the current peer, it will switch to another peer. Peers exchange their known peers lists with each other all the time, there is no mechanism that will lock your node to only download from certain peers, let alone from hardcoded Nxt domains.
But how do you know which one is an appropriate blockchain when the stakers can stake on any particular chain? It seems to me that you'd see your server has forked, and so you look at which fork most people are on and switch over, in the meantime any transactions that you had on your blockchain are reversed. Which is pretty much the same effect as if your chain reorganized.
Sure, the peer lists change, but the first peers you see point you to the chain that you're going to end up downloading. The "chain with the most stake" doesn't really work, because again, anyone could make a NxT chain with more stake on it, and a few people could do it even with the genesis block you're currently using.

By their (dumb) fruits shall ye know them indeed...
phillipsjk
November 14, 2014, 09:08:51 PM
Last edit: November 15, 2014, 04:57:46 AM by phillipsjk
 #199

wtf? No! Nothing requires extreme amounts of computing in POS. That's the point of POS
Huh
https://bitcointalk.org/index.php?topic=303898.msg3372610#msg3372610

A few posts later...
Let's suppose you have 10% of stake and an alien's computer stolen from Area 51.  Odds to generate 60 block long chain at the rate of 1 block a minute are very small (something like 1/10000000000000...)  

If you can cycle through enough addresses per minute to generate hits that are 9 times lower than the average hit...

Guys, where do u get these numbers from?

Anyway, what is necessary to generate accounts that will hit the target within 1 minute timeframe in average (necessary to outpace benevolent miners) will always be a function of how much stake the attacker deploys. You seem to have forgotten this

1. Generate a private key (~0 ms)
2. Calculate a public key (~0.005 ms on a high-end CPU, numbers taken from http://ed25519.cr.yp.to/)
3. Sign the generation signature of a previous block (~0.005 ms)
4. Calculate SHA-256 of the signature (~0 ms, sorry for disassembling the Nxt byte-code Smiley)
5. Compare first 8 bytes to the target (~0 ms)
6. Repeat #4 and #6 lot of times (~???, whole Bitcoin network would hit the target in a few milliseconds)

So 1 CPU will loop thru say 0.001 key/sec. We can't run a botnet with 1 million computers to get 1000 key/sec coz this task CAN NOT be parallelized. Each iteration requires data from the previous one.

Conclusion: we will have problems only if someone uses a quantum/alien computer, until then no one can succeed at such an attack.
What are you talking about? Success is not binary here. You don't need an exact match, just the ability to select a match that is better than average.

Even if it takes 1 complete second to do one iteration of 4 and 5, the system is still in deep trouble.
Suppose there are two coinholders, one with 90% and the other with 10%.
Without manipulation, the guy with 90% will find blocks once every 67 seconds on average and the guy with 10% will find blocks once every 600 seconds.

Suppose the guy with 10% has time to test out 9 different addresses per minute. Each address will have a different waiting time. Picking the best among these nine candidates is sufficient to boost 10% stake up to the mining power of 90% stake.
If you can do 90 iterations per minute, then you can attack with 1%; 900 with 0.01%

Your estimate of 0.01 ms per iteration suggests that a successful attack could be pulled off with 1.67×10^-9% stake. What is that? 100 or 200 satoshi.

Obviously, this is not acceptable. Attackers should have to hold more than a few satoshis in order to mount a successful attack.


As for which PoS coin: Nxt.

Edit: it appears that was before the rolling re-org limit and maturity rules were decided on

Quote relevant to recent discussion about botnet of seed-nodes:
Quote
For new people downloading the blockchain, you have to allow them to designate trusted sources manually. Otherwise,  some asshole can send them a long irreversible chain, preventing them from catching up to the rest of the network.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
LiQio
November 14, 2014, 09:17:14 PM
Last edit: November 14, 2014, 09:54:13 PM by LiQio
 #200


And if we continue reading another few posts?

Edit: Thanks for adding the "Edit"