Something at stake - proof of stake alternative

[sasha35625]

I've been thinking about ways to secure POS against "Nothing at stake" type of attacks. I don't think that Nothing at stake problem kills all POS coins off. Reality shows they are relatively fine, albeit with various tricks, which in a way do not make them completely decentralized.

As far as I understand the science behind distributed consensus POS coins cannot guarantee asynchronous consensus, that is there's a possibility of  successful fork. It manifests itself in so-called "Nothing at stake" argument, which states that since it costs nothing to generate a block for a POS miner to hedge his bets he would mine on all the competing chains that he can find. He just does not loose anything by mining on all the chains, but if he prefers to stay on the main chain he could loose mining fees if the competing chain wins, so it makes sense for him to mine on both.

Bitcoin and POW coins solve this by bringing an external factor into the game, namely computational power the miners possess.
Miner can't afford to mine on the wrong chain since he looses money he paid for his ASIC and electricity. So there's something at stake for him, which makes POW coins inherently more stable.

This is a serious theoretical argument and it has to be probably dealt with.

So, what could be at stake for a POS miner? In real world systems such as NXT a rogue miner would be penalized if he chooses to mine on a fork, the main chain wouldn't allow him to mine on it. Could we dig deeper and make the miner actually pay for his mining with the coin he mines? That would be in a way analogous to investing in ASIC's and electricity when dealing with Bitcoin, with the difference of paying for everything with the coin to be mined.

If we somehow manage to do that we will obtain a self-contained cryptocurrency with a very low energy consumption and no need for fancy asic's, which prevents miners from mining on all forks they can find by its construction.

One way to do it would be the following:

• The miner pays a mining "initiation" fee ("Bet")  by sending a payment to a special "initiation" address.
• Miner address is selected from the miners' pool, that is from the addresses who made initiation payments
  The probability for the miner to generate a block is equal to SHA256(prevhash + address + timestamp) <=   Bet / diff,
  where prevhash is the hash of the previous block, address is the miner address, Bet is the fee the miner paid to participate, diff is current adjustable difficulty
  
• Let's suppose that mining is for transaction fees only, that is the miner gets to collect the transaction fees. So his mining profit depends on the bet he made and the fees collected in the block. If the miner chooses not to mine due to his bet being less than he profit he collects from the fees, he is penalized by the network, and is unable to mine. The bet is considered to be spent.
• If the miner decides to do make another bet he has to make a new initiation payment.

Network is able to understand when a given miner has to produce a new block, the system is deterministic (check NXT cryptocurrency forging algo for example). So if in due time there's no block generated by the miner his bet is considered to be spent. So he'd better mine a block even if the bonus he collects is less than the bet he made.

So the average bet miners make turns out to be dependent on average block size, average transaction value and average time between blocks, which is adjustable the usual way through varying difficulty. We obtain a network of gambling miners, where bets they make prevent them from mining on forks, since if a fork doesn't beat the main chain his fee (which has been made on the main chain) is lost.

TLTR:

POS system is proposed where a miner has to make a bet before being eligible to generate a block; miner's profit is equal to (fees generated in the block - miner's bet);  miners who choose not to mine a block are penalized and their bet is considered to be spent.

[gmaxwell]

This is not addressing the fundamental limitation which is that 'bet' is entirely internal to the system, which means that nothing preventsthe people with the keys from going back and replaying the history, even years after long after they've sold their coins and exited the system... and the resulting forged and legitimate chains are indistinguishable to a new participant.

I feel like you read the snazzy "nothing at stake" words and then stopped thinking before finding out in detail what they actually meant.

If you're going to invoke POW with POS you can try, but it's very difficult to end up with a result where the security doesn't simply reduce to one or the other (or worse, since POS signers can prevent new entrants from joining into mining in most designs; the admissions freeness of POW is potentially lost).

[Ix]

This is not addressing the fundamental limitation which is that 'bet' is entirely internal to the system, which means that nothing preventsthe people with the keys from going back and replaying the history, even years after long after they've sold their coins and exited the system... and the resulting forged and legitimate chains are indistinguishable to a new participant.

I've solved this problem with the Decrits Consensus Algorithm by using long-term active stakes and maintaining the history of those stakes with sign in/out messages. Historical stake holders creating fake chains cannot appear to be legitimate because they cannot sign out honest stake holders. Even without this, the worst case scenario is creating a developer checkpoint to prevent deep history rewriting - the exact same mechanism bitcoin uses.

(or worse, since POS signers can prevent new entrants from joining into mining in most designs; the admissions freeness of POW is potentially lost).

POW pools can prevent new entrants from joining into mining as well and it generally requires the same sort of principle (more than 50% of the stake/work). It would be quite easy for several pool owners totalling more than 50% of POW to prevent anyone else from providing POW.

Do you have any arguments that actually don't also apply to bitcoin?

[ArticMine]

...
Do you have any arguments that actually don't also apply to bitcoin?

Yes. It can be summarized in one word: Derivatives.

The issue here is that stake does not equal exposure and it is very easy to have a large stake and zero or negative exposure. The reason this has not yet become an issue with POS coins is that none of them have evolved to the point where a significant derivatives market has developed, even to the degree that exists today with Bitcoin and Litecoin. It is today possible to control 10000 USD worth of XBT or 5000 USD worth of LTC with 500 USD margin. I leave it to the reader to determine how much EUR, or gold one can control with 500 USD in margin at a typical FX broker.

My take remains that POS can only work in a highly regulated market and even there, if the regulators are not on the ball we get the near financial disaster that occurred in 2008. After all the typical large wall street bank is ultimately governed by proof of stake. It is called one share = one vote.

Edit: Size of derivatives markets: http://www.bis.org/statistics/derstats.htm

[Ix]

Yes. It can be summarized in one word: Derivatives.

Yes, as the arguments against POS are accepted as defeated, we must invent newer and even less relevant but more convoluted arguments to protect proof of waste.

[ArticMine]

Yes. It can be summarized in one word: Derivatives.

Yes, as the arguments against POS are accepted as defeated, we must invent newer and even less relevant but more convoluted arguments to protect proof of waste.

Rather than call Proof of Stake, Proof of Scam, I will instead let Conrad Black make the case. http://en.wikipedia.org/wiki/Conrad_Black

[Daedelus]

I love these threads, always so much certainty mixed in with the vagueness 

[smooth]

Yes. It can be summarized in one word: Derivatives.

Yes, as the arguments against POS are accepted as defeated, we must invent newer and even less relevant but more convoluted arguments to protect proof of waste.

There is nothing new about this argument. If it seems so to you, then you haven't done your homework at all.

[Ix]

[insert internet troll picture with with overlaid text stating: "My argument? You don't know 'bout my argument!"]

Anyways...

[true-asset]

What do you guys think of the particular type of Staked Proof of Work we are working on? :  https://docs.google.com/document/d/1LzY_dQz4jVDrHZq6BawSzT9rNRx_CaZou_fpEcu6CU4/edit?usp=sharing (ignore the Polychains part - that is really a separate technology).

[mitastanila]

How about this ? This is a project i am involved in. So please rewiew Smiley

http://coinsrace.com/

1 month, 5 days, 15 hours, 16 minutes, and 35 seconds until mining starts.

Instant Payments
No Electricity costs
No Hardware Setup costs
No Maintenance costs
24/7 Free Support

X15 Algorithm
Block discovery: every 2 minutes
80 coins per block reward
Total amount 2 Billion coins
Block retarget time on every block
Proof of Work
Proof of Stake reward 8%
(and decreasing every year by 1% until reaching 1% yearly)

[sasha35625]

This is not addressing the fundamental limitation which is that 'bet' is entirely internal to the system, which means that nothing preventsthe people with the keys from going back and replaying the history, even years after long after they've sold their coins and exited the system... and the resulting forged and legitimate chains are indistinguishable to a new participant.

I feel like you read the snazzy "nothing at stake" words and then stopped thinking before finding out in detail what they actually meant.

If you're going to invoke POW with POS you can try, but it's very difficult to end up with a result where the security doesn't simply reduce to one or the other (or worse, since POS signers can prevent new entrants from joining into mining in most designs; the admissions freeness of POW is potentially lost).

Yes, I want to understand whether it's possible to create a system which "eats its own dogfood", without any external factors.
Theoretically it does not seem to be the case, due to FLP result, but I think this is more of a limitation not a strict ban, as Bitcoin shows.

You can't mine in the proposed setup without coins, so your argument of replaying history does not quite apply here.

[sasha35625]

One more point - I hear a lot that POS is unsustainable, but don't forget that POW is probably as much unsustainable from purely theoretical point of view. But both POW and pure POS coins exist and refuse to die easily.
Some academic thought should be here, there are not so many articles about asynchronous consensus and crypto yet.

[achimsmile]

This is not addressing the fundamental limitation which is that 'bet' is entirely internal to the system, which means that nothing preventsthe people with the keys from going back and replaying the history, even years after long after they've sold their coins and exited the system... and the resulting forged and legitimate chains are indistinguishable to a new participant.

• Incentive for n@s attack: A few million USD
• "nothing prevents people to do it."
• No one has tried and succeeded until now

It might not be an a priori argument, but those 3 sentences together look paradox to me.

[sasha35625]

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
Probably you've seen this, the latest on Stake from Vitalik Buterin. The proposed solution is check-pointing actually.
He mentioned something similar to what is proposed here, but discards it since he considers a security deposit, not a bet.

[benjamin_bit]

https://bitcointalk.org/index.php?topic=871576.0

Take a look at this thread, which covers the same topic.
Essentially to resolve nothing at stake, you need to prohibit all forms of txns among POS miners.
You do not need checkpoints.
I discuss the theory behind this. It sounds very restrictive, but there are some ways of loosening it up.

[Daedelus]

Just so you don't miss it benjamin_bit...

https://nxtforum.org/consensus-research/multibranch-forging-approach/

First findings of the POS research group.

[jabo38]

Yes. It can be summarized in one word: Derivatives.

Yes, as the arguments against POS are accepted as defeated, we must invent newer and even less relevant but more convoluted arguments to protect proof of waste.

hahahahaha, proof of work could really be called proof of waste. 

[achimsmile]

My take remains that POS can only work in a highly regulated market and even there, if the regulators are not on the ball we get the near financial disaster that occurred in 2008. After all the typical large wall street bank is ultimately governed by proof of stake. It is called one share = one vote.

To me it seems to work right here right now, in an unregulated market. Would you say that Nxt, peercoin, etc. do not "work", or would you say that they are situated in a regulated market?

The whole point of PoS in crypto is that the wallstreet PoS in the sense of 1 share = 1 vote is centralized. Who guarantees that my shares are not diluted (ok, some cryptos sadly inflate supply as well)? If the management does something illegal, the company that I invested in could be taken down by the government, etc.

[Este Nuno]

...
Do you have any arguments that actually don't also apply to bitcoin?

Yes. It can be summarized in one word: Derivatives.

The issue here is that stake does not equal exposure and it is very easy to have a large stake and zero or negative exposure. The reason this has not yet become an issue with POS coins is that none of them have evolved to the point where a significant derivatives market has developed, even to the degree that exists today with Bitcoin and Litecoin. It is today possible to control 10000 USD worth of XBT or 5000 USD worth of LTC with 500 USD margin. I leave it to the reader to determine how much EUR, or gold one can control with 500 USD in margin at a typical FX broker.

My take remains that POS can only work in a highly regulated market and even there, if the regulators are not on the ball we get the near financial disaster that occurred in 2008. After all the typical large wall street bank is ultimately governed by proof of stake. It is called one share = one vote.

Edit: Size of derivatives markets: http://www.bis.org/statistics/derstats.htm

I don't understand how derivatives apply in a PoS system. Having 'control' of paper money in a closed system like a brokerage is not the same as actually having that cryptographic currency to stake.

Individuals 'leasing' stake to other individuals though sounds like a big problem to me. And any community that allows such a market to develop is probably making a big mistake since it could greatly lower the cost of an attack.